Collect verify arguments from specification of client behaviour.

allowed_sign_alg unnecessary.

Author: rohe

src/oidcservice/oidc/access_token.py

@@ -32,12 +32,11 @@ def gather_verify_arguments(self):
         """
         _ctx = self.service_context
         # Default is RS256
-        _allowed_sign_alg = _ctx.registration_response.get("id_token_signed_response_alg", "RS256")
 
         kwargs = {
             'client_id': _ctx.client_id, 'iss': _ctx.issuer,
             'keyjar': _ctx.keyjar, 'verify': True,
-            'skew': _ctx.clock_skew, 'allowed_sign_alg': _allowed_sign_alg
+            'skew': _ctx.clock_skew,
         }
 
         for attr, param in IDT2REG.items():
@@ -52,6 +51,10 @@ def gather_verify_arguments(self):
         except KeyError:
             pass
 
+        _verify_args = _ctx.behaviour.get("verify_args")
+        if _verify_args:
+            kwargs.update(_verify_args)
+
         return kwargs
 
     def update_service_context(self, resp, key='', **kwargs):

src/oidcservice/oidc/authorization.py

@@ -77,7 +77,7 @@ def oidc_pre_construct(self, request_args=None, **kwargs):
 
         # For OIDC 'openid' is required in scope
         if 'scope' not in request_args:
-            request_args['scope'] = ['openid']
+            request_args['scope'] = self.service_context.behaviour.get("scope", ["openid"])
         elif 'openid' not in request_args['scope']:
             request_args['scope'].append('openid')
 
@@ -221,4 +221,8 @@ def gather_verify_arguments(self):
         except KeyError:
             pass
 
+        _verify_args = _ctx.behaviour.get("verify_args")
+        if _verify_args:
+            kwargs.update(_verify_args)
+
         return kwargs

src/oidcservice/service_context.py

@@ -100,7 +100,7 @@ def __init__(self, keyjar=None, config=None, **kwargs):
 
         for attr in ['client_id', 'issuer', 'base_url', 'requests_dir',
                      'allow', 'client_preferences', 'behaviour',
-                     'provider_info', 'redirect_uris', 'callback'
+                     'provider_info', 'redirect_uris', 'callback', 'verify_args'
                      ]:
             try:
                 setattr(self, attr, config[attr])

tests/request123456.jwt

@@ -1 +1 @@
-eyJhbGciOiJSUzI1NiIsImtpZCI6ImFWODBkazlpZG1sbU1YVlBkMUJYV2xGcGIwZFdZVnBHYkRkVVYxSlFWWGRoV0cxVU9HeFNaRkZCYXcifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic3RhdGUiOiAic3RhdGUiLCAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vZXhhbXBsZS5jb20vY2xpL2F1dGh6X2NiIiwgInNjb3BlIjogIm9wZW5pZCIsICJub25jZSI6ICJheE1QSlByalVacFdERkxUSVYxVVE3Q2RCMzVseHpOcCIsICJjbGllbnRfaWQiOiAiY2xpZW50X2lkIiwgImlzcyI6ICJjbGllbnRfaWQiLCAiaWF0IjogMTU3NDAwNTE2MiwgImF1ZCI6IFsiaHR0cHM6Ly9leGFtcGxlLmNvbSJdfQ.bohgxuuW6EslKVZk_do68TCjx7JMybcvcTFD5MYxFDi2zc0nsMO62uE1eoN_8fd7eprV9G7PJF69lRBOEpszROMsK-nOq7GM1Q8DJIabPF99SF3hKVPNPyPF5ipRLIESG0_I4KB1dY41dOnd5rSeHMLwdNiN5iakjqoeK_LpX0J0DlaCp8RZeMubN6EB1KXHXi6RpWbtprZbvtQha0dCsQ4xfXJTt61CkPH1VEV-8W2orWvmX9fFIznF0Zt06HIinK8EO1_xg88kKmg3JtMrJ9cq8RweM8G2g5xcdRvFrFcVlnBSZwWuDM01oUlowOM20X-9FeQ--I6L2r-8NPUOrw
+eyJhbGciOiJSUzI1NiIsImtpZCI6ImFWODBkazlpZG1sbU1YVlBkMUJYV2xGcGIwZFdZVnBHYkRkVVYxSlFWWGRoV0cxVU9HeFNaRkZCYXcifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic3RhdGUiOiAic3RhdGUiLCAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vZXhhbXBsZS5jb20vY2xpL2F1dGh6X2NiIiwgInNjb3BlIjogIm9wZW5pZCIsICJub25jZSI6ICJxTEtDNmRIUlR0eUVySHhHdmx4emUwNmk4cTg1S1hRciIsICJjbGllbnRfaWQiOiAiY2xpZW50X2lkIiwgImlzcyI6ICJjbGllbnRfaWQiLCAiaWF0IjogMTU4NTg5Nzc0MywgImF1ZCI6IFsiaHR0cHM6Ly9leGFtcGxlLmNvbSJdfQ.kwg9qK9KEUjDrmL7l1Pz9jnPz7Xbtcue7WPlgce1NuX17w8E_ufUGzJoAZwlDN_zC5EQV-fWHGn_H-BfAqE0mRTh5wnQPHyhOT1v5s7FIEHzWF-ITxHIds7ENuYWV9L1RYiOwoNe9rSjrh6YSKJ-eiPTLnERqvIBaJdmwcH4NTM1A2HYGxp_vjCMBu86HRRyCbH7juJO9VIlWTWrgcxUQRM0Tp5Sb5GOZJsnjRpsnIN9dm_CSvzbX4QXk1rDp_z_MOvoQmmrMt1wofUJgpxpVtPfCkh-JHSxpcy2EwxpT6EcQoiy-mMTIOZ_G3pfnzm3pncuySJDgdvPsY4aXd0_CQ

tests/test_13_oic_service.py

@@ -2,6 +2,7 @@
 import os
 
 import pytest
+from cryptojwt.exception import UnsupportedAlgorithm
 from cryptojwt.jws import jws
 from cryptojwt.jws.utils import left_hash
 from cryptojwt.jwt import JWT
@@ -243,6 +244,24 @@ def test_update_service_context_with_idtoken_missing_nonce(self):
         with pytest.raises(ValueError):
             self.service.update_service_context(resp, 'state')
 
+    @pytest.mark.parametrize("allow_sign_alg_none", [True, False])
+    def test_allow_unsigned_idtoken(self, allow_sign_alg_none):
+        req_args = {'response_type': 'code', 'state': 'state', 'nonce': 'nonce'}
+        self.service.endpoint = 'https://example.com/authorize'
+        self.service.get_request_parameters(request_args=req_args)
+        # Build an ID Token
+        idt = JWT(ISS_KEY, iss=ISS, lifetime=3600, sign_alg='none')
+        payload = {'sub': '123456789', 'aud': ['client_id']}
+        _idt = idt.pack(payload)
+        self.service.service_context.behaviour["verify_args"] = {
+            "allow_sign_alg_none": allow_sign_alg_none
+        }
+        resp = AuthorizationResponse(state='state', code='code', id_token=_idt)
+        if allow_sign_alg_none:
+            resp = self.service.parse_response(resp.to_urlencoded())
+        else:
+            with pytest.raises(UnsupportedAlgorithm):
+                self.service.parse_response(resp.to_urlencoded())
 
 class TestAuthorizationCallback(object):
     @pytest.fixture(autouse=True)