The software was not using the fact that it knew in advance which type of token that it was dealing with. This fixes that.

Author: rohe

src/idpyoidc/server/oauth2/authorization.py

@@ -528,7 +528,10 @@ def _unwrap_identity(self, identity):
             except BadSyntax:
                 return identity
         else:
-            _id = b64d(as_bytes(identity))
+            try:
+                _id = b64d(as_bytes(identity))
+            except BadSyntax:
+                return identity
 
         return json.loads(as_unicode(_id))
 

src/idpyoidc/server/oauth2/token.py

@@ -7,11 +7,13 @@
 from idpyoidc.message import Message
 from idpyoidc.message.oauth2 import AccessTokenResponse
 from idpyoidc.message.oauth2 import ResponseMessage
+from idpyoidc.message.oauth2 import TokenExchangeRequest
 from idpyoidc.message.oidc import TokenErrorResponse
 from idpyoidc.server.endpoint import Endpoint
 from idpyoidc.server.exception import ProcessError
 from idpyoidc.server.oauth2.token_helper import AccessTokenHelper
 from idpyoidc.server.oauth2.token_helper import RefreshTokenHelper
+from idpyoidc.server.session.token import TOKEN_TYPES_MAPPING
 from idpyoidc.util import importer
 
 logger = logging.getLogger(__name__)
@@ -76,7 +78,7 @@ def configure_grant_types(self, grant_types_helpers):
                 raise ProcessError(f"Failed to initialize class {grant_class}: {e}")
 
     def _post_parse_request(
-        self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
+            self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
     ):
         grant_type = request["grant_type"]
         _helper = self.helper.get(grant_type)
@@ -125,8 +127,14 @@ def process_request(self, request: Optional[Union[Message, dict]] = None, **kwar
 
         _access_token = response_args["access_token"]
         _context = self.server_get("endpoint_context")
+
+        if isinstance(request, TokenExchangeRequest):
+            _handler_key = TOKEN_TYPES_MAPPING[request["requested_token_type"]]
+        else:
+            _handler_key = "access_token"
+
         _session_info = _context.session_manager.get_session_info_by_token(
-            _access_token, grant=True
+            _access_token, grant=True, handler_key=_handler_key
         )
 
         _cookie = _context.new_cookie(

src/idpyoidc/server/oauth2/token_helper.py

@@ -2,6 +2,7 @@
 from typing import Optional
 from typing import Union
 
+from cryptojwt import BadSyntax
 from cryptojwt.exception import JWKESTException
 
 from idpyoidc.exception import ImproperlyConfigured
@@ -120,7 +121,8 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         except KeyError:  # Missing code parameter - absolutely fatal
             return self.error_cls(error="invalid_request", error_description="Missing code")
 
-        _session_info = _mngr.get_session_info_by_token(_access_code, grant=True)
+        _session_info = _mngr.get_session_info_by_token(_access_code, grant=True,
+                                                        handler_key="authorization_code")
         client_id = _session_info["client_id"]
         if client_id != req["client_id"]:
             logger.debug("{} owner of token".format(client_id))
@@ -208,7 +210,8 @@ def post_parse_request(
 
         _mngr = self.endpoint.server_get("endpoint_context").session_manager
         try:
-            _session_info = _mngr.get_session_info_by_token(request["code"], grant=True)
+            _session_info = _mngr.get_session_info_by_token(request["code"], grant=True,
+                                                            handler_key="authorization_code")
         except (KeyError, UnknownToken):
             logger.error("Access Code invalid")
             return self.error_cls(error="invalid_grant", error_description="Unknown code")
@@ -241,7 +244,8 @@ def process_request(self, req: Union[Message, dict], **kwargs):
             return self.error_cls(error="invalid_request", error_description="Wrong grant_type")
 
         token_value = req["refresh_token"]
-        _session_info = _mngr.get_session_info_by_token(token_value, grant=True)
+        _session_info = _mngr.get_session_info_by_token(token_value, grant=True,
+                                                        handler_key="refresh_token")
         logger.debug("Session info: {}".format(_session_info))
 
         if _session_info["client_id"] != req["client_id"]:
@@ -335,7 +339,8 @@ def post_parse_request(
 
         _mngr = _context.session_manager
         try:
-            _session_info = _mngr.get_session_info_by_token(request["refresh_token"], grant=True)
+            _session_info = _mngr.get_session_info_by_token(request["refresh_token"], grant=True,
+                                                            handler_key="refresh_token")
         except (KeyError, UnknownToken):
             logger.error("Refresh token invalid")
             return self.error_cls(error="invalid_grant", error_description="Invalid refresh token")
@@ -414,13 +419,17 @@ def post_parse_request(self, request, client_id="", **kwargs):
 
         _mngr = _context.session_manager
         try:
-            _session_info = _mngr.get_session_info_by_token(request["subject_token"], grant=True)
-        except (KeyError, UnknownToken):
-            logger.error("Subject token invalid.")
+            # token exchange is about minting one token based on another
+            _handler_key = self.token_types_mapping[request["subject_token_type"]]
+            _session_info = _mngr.get_session_info_by_token(
+                request["subject_token"], grant=True, handler_key=_handler_key)
+        except (KeyError, UnknownToken, BadSyntax) as err:
+            logger.error(f"Subject token invalid ({err}).")
             return self.error_cls(
                 error="invalid_request", error_description="Subject token invalid"
             )
 
+        # Find the token instance based on the token value
         token = _mngr.find_token(_session_info["session_id"], request["subject_token"])
         if token.is_active() is False:
             return self.error_cls(
@@ -511,7 +520,9 @@ def process_request(self, request, **kwargs):
         _context = self.endpoint.server_get("endpoint_context")
         _mngr = _context.session_manager
         try:
-            _session_info = _mngr.get_session_info_by_token(request["subject_token"], grant=True)
+            _handler_key = self.token_types_mapping[request["subject_token_type"]]
+            _session_info = _mngr.get_session_info_by_token(
+                request["subject_token"], grant=True, handler_key=_handler_key)
         except ToOld:
             logger.error("Subject token has expired.")
             return self.error_cls(

src/idpyoidc/server/oidc/add_on/pkce.py

@@ -99,7 +99,7 @@ def post_token_parse(request, client_id, endpoint_context, **kwargs):
 
     try:
         _session_info = endpoint_context.session_manager.get_session_info_by_token(
-            request["code"], grant=True
+            request["code"], grant=True, handler_key="authorization_code"
         )
     except KeyError:
         return TokenErrorResponse(error="invalid_grant", error_description="Unknown access grant")

src/idpyoidc/server/oidc/token_helper.py

@@ -2,6 +2,7 @@
 from typing import Optional
 from typing import Union
 
+from cryptojwt import BadSyntax
 from cryptojwt.jwe.exception import JWEException
 from cryptojwt.jws.exception import NoSuitableSigningKeys
 from cryptojwt.jwt import utc_time_sans_frac
@@ -29,7 +30,8 @@ def _get_session_info(self, request, session_manager):
         except KeyError:  # Missing code parameter - absolutely fatal
             return self.error_cls(error="invalid_request", error_description="Missing code")
 
-        _session_info = session_manager.get_session_info_by_token(_access_code, grant=True)
+        _session_info = session_manager.get_session_info_by_token(_access_code, grant=True,
+                                                                  handler_key='authorization_code')
         logger.debug(f"Session info: {_session_info}")
         return _session_info, _access_code
 
@@ -117,9 +119,9 @@ def process_request(self, req: Union[Message, dict], **kwargs):
                     _response["expires_in"] = token.expires_at - utc_time_sans_frac()
 
         if (
-            issue_refresh
-            and "refresh_token" in _supports_minting
-            and "refresh_token" in grant_types_supported
+                issue_refresh
+                and "refresh_token" in _supports_minting
+                and "refresh_token" in grant_types_supported
         ):
             try:
                 refresh_token = self._mint_token(
@@ -162,7 +164,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         return _response
 
     def post_parse_request(
-        self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
+            self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
     ) -> Union[Message, dict]:
         """
         This is where clients come to get their access tokens
@@ -174,7 +176,8 @@ def post_parse_request(
 
         _mngr = self.endpoint.server_get("endpoint_context").session_manager
         try:
-            _session_info = _mngr.get_session_info_by_token(request["code"], grant=True)
+            _session_info = _mngr.get_session_info_by_token(request["code"], grant=True,
+                                                            handler_key='authorization_code')
         except (KeyError, UnknownToken):
             logger.error("Access Code invalid")
             return self.error_cls(error="invalid_grant", error_description="Unknown code")
@@ -211,7 +214,9 @@ def process_request(self, req: Union[Message, dict], **kwargs):
             return self.error_cls(error="invalid_request", error_description="Wrong grant_type")
 
         token_value = req["refresh_token"]
-        _session_info = _mngr.get_session_info_by_token(token_value, grant=True)
+
+        _session_info = _mngr.get_session_info_by_token(token_value, handler_key="refresh_token",
+                                                        grant=True)
         if _session_info["client_id"] != req["client_id"]:
             logger.debug("{} owner of token".format(_session_info["client_id"]))
             logger.warning("{} using token it was not given".format(req["client_id"]))
@@ -293,21 +298,21 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         token.register_usage()
 
         if (
-            "client_id" in req
-            and req["client_id"] in _context.cdb
-            and "revoke_refresh_on_issue" in _context.cdb[req["client_id"]]
+                "client_id" in req
+                and req["client_id"] in _context.cdb
+                and "revoke_refresh_on_issue" in _context.cdb[req["client_id"]]
         ):
             revoke_refresh = _context.cdb[req["client_id"]].get("revoke_refresh_on_issue")
         else:
-            revoke_refresh = revoke_refresh = self.endpoint.revoke_refresh_on_issue
+            revoke_refresh = self.endpoint.revoke_refresh_on_issue
 
         if revoke_refresh:
             token.revoke()
 
         return _resp
 
     def post_parse_request(
-        self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
+            self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
     ):
         """
         This is where clients come to refresh their access tokens
@@ -328,8 +333,10 @@ def post_parse_request(
 
         _mngr = _context.session_manager
         try:
-            _session_info = _mngr.get_session_info_by_token(request["refresh_token"], grant=True)
-        except (KeyError, UnknownToken):
+            _session_info = _mngr.get_session_info_by_token(request["refresh_token"],
+                                                            handler_key="refresh_token",
+                                                            grant=True)
+        except (KeyError, UnknownToken, BadSyntax):
             logger.error("Refresh token invalid")
             return self.error_cls(error="invalid_grant", error_description="Invalid refresh token")
 

src/idpyoidc/server/oidc/userinfo.py

@@ -48,15 +48,16 @@ def __init__(self, server_get: Callable, add_claims_by_scope: Optional[bool] = T
         self.allowed_targets.append("")
 
     def get_client_id_from_token(self, endpoint_context, token, request=None):
-        _info = endpoint_context.session_manager.get_session_info_by_token(token)
+        _info = endpoint_context.session_manager.get_session_info_by_token(
+            token, handler_key="access_token")
         return _info["client_id"]
 
     def do_response(
-        self,
-        response_args: Optional[Union[Message, dict]] = None,
-        request: Optional[Union[Message, dict]] = None,
-        client_id: Optional[str] = "",
-        **kwargs
+            self,
+            response_args: Optional[Union[Message, dict]] = None,
+            request: Optional[Union[Message, dict]] = None,
+            client_id: Optional[str] = "",
+            **kwargs
     ) -> dict:
 
         if "error" in kwargs and kwargs["error"]:
@@ -113,7 +114,8 @@ def do_response(
     def process_request(self, request=None, **kwargs):
         _mngr = self.server_get("endpoint_context").session_manager
         try:
-            _session_info = _mngr.get_session_info_by_token(request["access_token"], grant=True)
+            _session_info = _mngr.get_session_info_by_token(request["access_token"],
+                                                            grant=True, handler_key="access_token")
         except (KeyError, ValueError):
             return self.error_cls(error="invalid_token", error_description="Invalid Token")
 

src/idpyoidc/server/session/manager.py

@@ -14,6 +14,7 @@
 from idpyoidc.server.authn_event import AuthnEvent
 from idpyoidc.server.exception import ConfigurationError
 from idpyoidc.server.session.database import NoSuchClientSession
+from idpyoidc.server.token import Token
 from idpyoidc.util import rndstr
 
 from ..token import UnknownToken
@@ -559,13 +560,18 @@ def _compatible_sid(self, sid):
     def get_session_info_by_token(
         self,
         token_value: str,
-        user_session_info: bool = False,
-        client_session_info: bool = False,
-        grant: bool = False,
-        authentication_event: bool = False,
-        authorization_request: bool = False,
+        user_session_info: Optional[bool] = False,
+        client_session_info: Optional[bool] = False,
+        grant: Optional[bool] = False,
+        authentication_event: Optional[bool] = False,
+        authorization_request: Optional[bool] = False,
+        handler_key: Optional[str] = '',
     ) -> dict:
-        _token_info = self.token_handler.info(token_value)
+        if handler_key:
+            _token_info = self.token_handler.handler[handler_key].info(token_value)
+        else:
+            _token_info = self.token_handler.info(token_value)
+
         sid = _token_info.get("sid")
         # If the token is an ID Token then the sid will not be in the
         # _token_info

src/idpyoidc/server/session/token.py

@@ -273,3 +273,9 @@ def __init__(
     "refresh_token": RefreshToken,
     "id_token": IDToken,
 }
+
+TOKEN_TYPES_MAPPING = {
+    "urn:ietf:params:oauth:token-type:access_token": "access_token",
+    "urn:ietf:params:oauth:token-type:refresh_token": "refresh_token",
+    "urn:ietf:params:oauth:token-type:id_token": "id_token",
+}

tests/request123456.jwt

@@ -1 +1 @@
-eyJhbGciOiJSUzI1NiIsImtpZCI6IlNVc3dOaTFNUkZsRFQwWTJZalUxWjFSZlFsbzJTM2RFYTNGVFRrVjNMVGhGY25oRFRIRjVlbGsyVlEifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic3RhdGUiOiAic3RhdGUiLCAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vZXhhbXBsZS5jb20vY2xpL2F1dGh6X2NiIiwgInNjb3BlIjogIm9wZW5pZCIsICJub25jZSI6ICJvWkpBNTRnZTVaUndNalkwOVVLVnpwYkx5MEdNUEwwaCIsICJjbGllbnRfaWQiOiAiY2xpZW50X2lkIiwgImlzcyI6ICJjbGllbnRfaWQiLCAiaWF0IjogMTYzMzU5NTc4OSwgImF1ZCI6IFsiaHR0cHM6Ly9leGFtcGxlLmNvbSJdfQ.KVMPK6leJ5pEXnJ0jXiXu21U176IU9iwkT4FkQV_33jGYTsgdqCqXw5XHR1ciixdcH2cWf0SzTPOgIzGsI4NJiPNdR9xOusYRyYKZciXHq85nrM7fr7dEPaVntWCU6uadH0MNHWCcq2FyBdz2YYDuiFPUXoxkFbfWZoo_jVMAWLxGQtGEitniI49qo0zbeSFck4hBmEtQTUOrGQvg_CjkSZb5oNb5rt_X5T-ZSK9y3AeKru4HLSQRkWj-oD-Fgd60Sm3XqfLQXrx26lk4a8ORah01BMmMsi5jeIUbOTthhhglZhMwoI9xCZ57I4SF7870-PrinIByW8d2keA1-LipQ
+eyJhbGciOiJSUzI1NiIsImtpZCI6IlNIRXlZV2N3TlZrMExUZFJPVFp6WjJGVVduZElWWGRhY2sweFdVTTVTRXB3Y1MwM2RWVXhXVTR6UlEifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic3RhdGUiOiAic3RhdGUiLCAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vZXhhbXBsZS5jb20vY2xpL2F1dGh6X2NiIiwgInNjb3BlIjogIm9wZW5pZCIsICJub25jZSI6ICJGYVVaSm02TDdTc251d2JEbEQ0Z20wbkg2eHpBTTVlR19nWG5sRmlhX19zIiwgImNsaWVudF9pZCI6ICJjbGllbnRfaWQiLCAiaXNzIjogImNsaWVudF9pZCIsICJpYXQiOiAxNjUwMzkzMDQ3LCAiYXVkIjogWyJodHRwczovL2V4YW1wbGUuY29tIl19.ARTBLchcBOpUX5kuvZzVyfw-ad6skc498Ll93sRwGoNrxZosNdHVTP25FtrDx8GVcBoA1OSYFq7Zmx9d7DJib-uukylEQl-5widvWmC0s-14uSRfLiSulqtB43FrCji9dXl6T5uAOgGxzoNo5dVSwfeIcenjqBuiJslxuHy4AQ7S-gRi02E_uEaqWOytkUoOwaIKcMiujbpo4VWOzDv9pK4C6C89uuHSMxfWpwi27T2vFLa6icfuQuXcxOZabs1lJUJt84Aclh_mz58E1YDlowRAuUu8RkpICAnQwxgzlCGwj3mzJxxFVVUCnRVnrB-BG7e3XXQBcf536BtYOyOfCQ

tests/test_server_10_session_manager.py

@@ -364,7 +364,8 @@ def test_get_session_info_by_token(self):
 
         grant = self.session_manager.get_grant(_session_id)
         code = self._mint_token("authorization_code", grant, _session_id)
-        _session_info = self.session_manager.get_session_info_by_token(code.value)
+        _session_info = self.session_manager.get_session_info_by_token(code.value,
+                                                                       handler_key="authorization_code")
 
         assert set(_session_info.keys()) == {
             "client_id",