Don't use a special claim for the parsed and verified JWT.

It's already present in the .jwt attribute

Author: rohe

src/oidcmsg/oidc/__init__.py

@@ -312,7 +312,7 @@ def verify_id_token(msg, check_hash=False, **kwargs):
             if idt["c_hash"] != left_hash(msg["code"], hfunc):
                 raise CHashError("Failed to verify code hash", idt)
 
-    msg[verified_claim_name("id_token")] = idt
+    msg["id_token"] = idt
     logger.info('Verified ID Token: {}'.format(idt.to_dict()))
 
     return True
@@ -459,7 +459,7 @@ def verify(self, **kwargs):
                 self.update(oidr)
 
                 # replace the JWT with the parsed and verified instance
-                self[verified_claim_name("request")] = oidr
+                self["request"] = oidr
 
         if "id_token_hint" in self:
             if isinstance(self["id_token_hint"], str):

src/oidcmsg/oidc/session.py

@@ -10,7 +10,6 @@
 from ..message import SINGLE_REQUIRED_STRING
 from ..oauth2 import ResponseMessage
 from ..oidc import clear_verified_claims
-from ..oidc import verified_claim_name
 from ..oidc import IdToken
 from ..oidc import ID_TOKEN_VERIFY_ARGS
 from ..oidc import MessageWithIdToken
@@ -66,7 +65,7 @@ def verify(self, **kwargs):
                 return False
 
             # Add the verified ID Token to the message instance
-            self[verified_claim_name("id_token_hint")] = idt
+            self["id_token_hint"] = idt
 
         return True
 
@@ -167,7 +166,7 @@ def verify(self, **kwargs):
         if not idt.verify(**kwargs):
             return False
 
-        self[verified_claim_name("logout_token")] = idt
+        self["logout_token"] = idt
         logger.info('Verified ID Token: {}'.format(idt.to_dict()))
 
         return True

tests/test_6_oidc.py

@@ -50,7 +50,6 @@
 from oidcmsg.oidc import msg_ser
 from oidcmsg.oidc import msg_ser_json
 from oidcmsg.oidc import scope2claims
-from oidcmsg.oidc import verified_claim_name
 from oidcmsg.time_util import utc_time_sans_frac
 
 sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__),
@@ -851,7 +850,7 @@ def test_at_hash():
 
     at = AuthorizationResponse(**_info)
     assert at.verify(keyjar=keyjar, sigalg="HS256")
-    assert 'at_hash' in at[verified_claim_name('id_token')]
+    assert 'at_hash' in at['id_token']
 
 
 def test_c_hash():
@@ -880,7 +879,7 @@ def test_c_hash():
 
     at = AuthorizationResponse(**_info)
     r = at.verify(keyjar=keyjar, sigalg="HS256")
-    assert 'c_hash' in at[verified_claim_name('id_token')]
+    assert 'c_hash' in at['id_token']
 
 
 def test_missing_c_hash():

tests/test_7_session.py

@@ -10,12 +10,11 @@
 
 from oidcmsg.exception import MessageException
 from oidcmsg.exception import NotForMe
-from oidcmsg.oidc import verified_claim_name
 from oidcmsg.oidc import Claims
 from oidcmsg.oidc import ClaimsRequest
 from oidcmsg.oidc import IdToken
-from oidcmsg.oidc.session import BACK_CHANNEL_LOGOUT_EVENT, \
-    BackChannelLogoutRequest
+from oidcmsg.oidc.session import BACK_CHANNEL_LOGOUT_EVENT
+from oidcmsg.oidc.session import BackChannelLogoutRequest
 from oidcmsg.oidc.session import LogoutToken
 from oidcmsg.oidc.session import CheckSessionRequest
 from oidcmsg.oidc.session import EndSessionRequest
@@ -81,11 +80,9 @@ def test_example(self):
             keyjar.add_symmetric(CLIENT_ID, _key.key)
         request.verify(keyjar=keyjar)
         assert isinstance(request, EndSessionRequest)
-        assert set(request.keys()) == {verified_claim_name('id_token_hint'),
-                                       'id_token_hint', 'redirect_url', 'state'}
+        assert set(request.keys()) == {'id_token_hint', 'redirect_url', 'state'}
         assert request["state"] == "state0"
-        assert request[
-                   verified_claim_name("id_token_hint")]["aud"] == ["client_1"]
+        assert request["id_token_hint"]["aud"] == ["client_1"]
 
 
 class TestCheckSessionRequest(object):