This method is about getting all the tokens the token endpoint provides not just the access token.

rohe · rohe · commit fac61ff87622 · 2021-10-10T08:47:49.000+02:00
diff --git a/src/oidcrp/rp_handler.py b/src/oidcrp/rp_handler.py
@@ -489,7 +489,7 @@ def get_client_authn_method(client, endpoint):
                 else:  # a list
                     return am[0]
 
-    def get_access_token(self, state, client: Optional[Client] = None):
+    def get_tokens(self, state, client: Optional[Client] = None):
         """
         Use the 'accesstoken' service to get an access token from the OP/AS.
 
@@ -499,7 +499,7 @@ def get_access_token(self, state, client: Optional[Client] = None):
         :return: A :py:class:`oidcmsg.oidc.AccessTokenResponse` or
             :py:class:`oidcmsg.oauth2.AuthorizationResponse`
         """
-        logger.debug(20 * "*" + " get_access_token " + 20 * "*")
+        logger.debug(20 * "*" + " get_tokens " + 20 * "*")
 
         if client is None:
             client = self.get_client_from_session_key(state)
@@ -699,8 +699,7 @@ def get_access_and_id_token(self, authorization_response=None,
         if not state:
             state = authorization_response['state']
 
-        authreq = _context.state.get_item(
-            AuthorizationRequest, 'auth_request', state)
+        authreq = _context.state.get_item(AuthorizationRequest, 'auth_request', state)
         _resp_type = set(authreq['response_type'])
 
         access_token = None
@@ -712,11 +711,10 @@ def get_access_and_id_token(self, authorization_response=None,
         if _resp_type in [{'token'}, {'id_token', 'token'}, {'code', 'token'},
                           {'code', 'id_token', 'token'}]:
             access_token = authorization_response["access_token"]
-            if behaviour_args and behaviour_args.get("collect_id_token", False):
-                if "id_token" not in _resp_type:
-                    logger.debug("Collect ID Token")
-                    # get the access token
-                    token_resp = self.get_access_token(state, client=client)
+            if behaviour_args:
+                if behaviour_args.get("collect_tokens", False):
+                    # get what you can from the token endpoint
+                    token_resp = self.get_tokens(state, client=client)
                     if is_error_message(token_resp):
                         return False, "Invalid response %s." % token_resp["error"]
                     # Now which access_token should I use
@@ -726,7 +724,7 @@ def get_access_and_id_token(self, authorization_response=None,
 
         elif _resp_type in [{'code'}, {'code', 'id_token'}]:
             # get the access token
-            token_resp = self.get_access_token(state, client=client)
+            token_resp = self.get_tokens(state, client=client)
             if is_error_message(token_resp):
                 return False, "Invalid response %s." % token_resp["error"]
 
diff --git a/tests/test_20_rp_handler_oidc.py b/tests/test_20_rp_handler_oidc.py
@@ -425,7 +425,7 @@ def test_get_client_authn_method(self):
                                                         'token_endpoint')
         assert authn_method == 'client_secret_post'
 
-    def test_get_access_token(self):
+    def test_get_tokens(self):
         res = self.rph.begin(issuer_id='github')
         _session = self.rph.get_session_information(res['state'])
         client = self.rph.issuer2rp[_session['iss']]
@@ -464,7 +464,7 @@ def test_get_access_token(self):
             resp = self.rph.finalize_auth(client, _session['iss'],
                                           auth_response.to_dict())
 
-            resp = self.rph.get_access_token(res['state'], client)
+            resp = self.rph.get_tokens(res['state'], client)
             assert set(resp.keys()) == {'access_token', 'expires_in', 'id_token',
                                         'token_type', '__verified_id_token',
                                         '__expires_at'}
diff --git a/tests/test_40_rp_handler_persistent.py b/tests/test_40_rp_handler_persistent.py
@@ -359,7 +359,7 @@ def test_get_client_authn_method(self):
                                                      'token_endpoint')
         assert authn_method == 'client_secret_post'
 
-    def test_get_access_token(self):
+    def test_get_tokens(self):
         rph_1 = RPHandler(BASE_URL, client_configs=CLIENT_CONFIG,
                           keyjar=CLI_KEY, module_dirs=['oidc'])
 
@@ -401,7 +401,7 @@ def test_get_access_token(self):
             resp = rph_1.finalize_auth(client, _session['iss'],
                                        auth_response.to_dict())
 
-            resp = rph_1.get_access_token(res['state'], client)
+            resp = rph_1.get_tokens(res['state'], client)
             assert set(resp.keys()) == {'access_token', 'expires_in', 'id_token',
                                         'token_type', '__verified_id_token',
                                         '__expires_at'}
