Merge branch 'stand_alone_client' of https://github.com/IdentityPython/idpy-oidc into stand_alone_client

Author: rohe

example/flask_rp/views.py

@@ -244,9 +244,10 @@ def session_logout(op_identifier):
 @oidc_rp_views.route('/logout')
 def logout():
     logger.debug('logout')
-    _info = current_app.rph.logout(state=session['state'])
-    logger.debug('logout redirect to "{}"'.format(_info['url']))
-    return redirect(_info['url'], 303)
+    _request_info = current_app.rph.logout(state=session['state'])
+    _url = _request_info["url"]
+    logger.debug(f'logout redirect to "{_url}"')
+    return redirect(_url, 303)
 
 
 @oidc_rp_views.route('/bc_logout/<op_identifier>', methods=['GET', 'POST'])

src/idpyoidc/client/current.py

@@ -56,16 +56,14 @@ def get_set(
     ) -> dict:
         """
 
-        @param key: The key to a seet of current claims
+        @param key: The key to a set of current claims
         @param message: A message class
         @param claim: A list of claims
         @return: Dictionary
+        @raise KeyError if no such key
         """
 
-        try:
-            _current = self.get(key)
-        except KeyError:
-            return {}
+        _current = self.get(key)
 
         if message:
             _res = {k: _current[k] for k in message.c_param.keys() if k in _current}

src/idpyoidc/client/defaults.py

@@ -99,5 +99,6 @@
     "token": "fragment",
     "code token": "fragment",
     "code id_token": "fragment",
+    "id_token token": "fragment",
     "code id_token token": "fragment",
 }

src/idpyoidc/client/oauth2/stand_alone_client.py

@@ -11,15 +11,16 @@
 from idpyoidc.client.defaults import DEFAULT_RESPONSE_MODE
 from idpyoidc.client.exception import ConfigurationError
 from idpyoidc.client.exception import OidcServiceError
+from idpyoidc.client.exception import Unsupported
 from idpyoidc.client.oauth2 import Client
 from idpyoidc.client.oauth2 import dynamic_provider_info_discovery
 from idpyoidc.client.oauth2.utils import pick_redirect_uri
 from idpyoidc.exception import MessageException
 from idpyoidc.exception import MissingRequiredAttribute
 from idpyoidc.exception import NotForMe
 from idpyoidc.message import Message
-from idpyoidc.message.oauth2 import ResponseMessage
 from idpyoidc.message.oauth2 import is_error_message
+from idpyoidc.message.oauth2 import ResponseMessage
 from idpyoidc.message.oidc import AuthorizationRequest
 from idpyoidc.message.oidc import AuthorizationResponse
 from idpyoidc.message.oidc import Claims
@@ -193,12 +194,19 @@ def init_authorization(
         _context = self.get_context()
         _response_type = self._get_response_type(_context, req_args)
         _response_mode = self._get_response_mode(_context, _response_type, req_args)
-
-        request_args = {
-            "redirect_uri": pick_redirect_uri(
+        try:
+            _redirect_uri = pick_redirect_uri(
                 _context, request_args=req_args, response_type=_response_type,
                 response_mode=_response_mode
-            ),
+            )
+        except KeyError:
+            raise Unsupported(
+                'Could not pick a redirect_uri based on the given response_type and response_mode')
+        except [MissingRequiredAttribute, ValueError]:
+            raise
+
+        request_args = {
+            "redirect_uri": _redirect_uri,
             "response_type": _response_type,
         }
 
@@ -247,21 +255,22 @@ def init_authorization(
     @staticmethod
     def get_client_authn_method(self, endpoint):
         """
-        Return the client authentication method a client wants to use a
+        Return the client authentication method a client wants to use at a
         specific endpoint
 
         :param endpoint: The endpoint at which the client has to authenticate
         :return: The client authentication method
         """
         if endpoint == "token_endpoint":
-            am = self.get_context().get_usage("token_endpoint_auth_method")
-            if not am:
+            auth_method = self.get_context().get_usage("token_endpoint_auth_method")
+            if not auth_method:
                 return ""
             else:
-                if isinstance(am, str):
-                    return am
+                if isinstance(auth_method, str):
+                    return auth_method
                 else:  # a list
-                    return am[0]
+                    return auth_method[0]
+        return ""
 
     def get_tokens(self, state):
         """
@@ -431,7 +440,7 @@ def finalize_auth(
 
     def get_access_and_id_token(
             self,
-            authorization_response=None,
+            authorization_response: Optional[Message] = None,
             state: Optional[str] = "",
             behaviour_args: Optional[dict] = None,
     ):
@@ -663,10 +672,10 @@ def logout(
         else:
             request_args = {}
 
-        resp = srv.get_request_parameters(state=state, request_args=request_args)
+        _info = srv.get_request_parameters(state=state, request_args=request_args)
 
-        logger.debug(f"EndSession Request: {resp}")
-        return resp
+        logger.debug(f"EndSession Request: {_info['request'].to_dict()}")
+        return _info
 
     def close(
             self, state: str, post_logout_redirect_uri: Optional[str] = ""

src/idpyoidc/client/oauth2/utils.py

@@ -2,6 +2,7 @@
 from typing import Optional
 from typing import Union
 
+from idpyoidc.client.defaults import DEFAULT_RESPONSE_MODE
 from idpyoidc.client.service import Service
 from idpyoidc.exception import MissingParameter
 from idpyoidc.exception import MissingRequiredAttribute
@@ -45,22 +46,25 @@ def pick_redirect_uri(
                 try:
                     redirect_uri = _redirect_uris["form_post"][0]
                 except KeyError:
-                    redirect_uri = _redirect_uris["code"][0]
-            elif response_type == "code" or response_type == ["code"]:
-                redirect_uri = _redirect_uris["code"][0]
+                    redirect_uri = _redirect_uris["query"][0]
             else:
-                redirect_uri = _redirect_uris["implicit"][0]
+                redirect_uri = _redirect_uris[_response_mode]
         else:
             if not response_type:
                 _conf_resp_types = context.get_usage("response_types", [])
                 response_type = request_args.get("response_type")
                 if not response_type and _conf_resp_types:
                     response_type = _conf_resp_types[0]
 
-            if response_type == "code" or response_type == ["code"]:
-                _response_mode = "query"
-            else:
-                _response_mode = "fragment"
+            if isinstance(response_type, list):
+                response_type.sort()
+                response_type = " ".join(response_type)
+
+            try:
+                _response_mode = DEFAULT_RESPONSE_MODE[response_type]
+            except KeyError:
+                raise ValueError(f"Unknown response_type: {response_type}")
+
             redirect_uri = _redirect_uris[_response_mode][0]
 
         logger.debug(

src/idpyoidc/client/rp_handler.py

@@ -124,7 +124,12 @@ def state2issuer(self, state):
         :return: An Issuer ID
         """
         for _rp in self.issuer2rp.values():
-            _iss = _rp.get_context().cstate.get_set(state, claim=["iss"]).get("iss")
+            try:
+                _set = _rp.get_context().cstate.get_set(state, claim=["iss"])
+            except KeyError:
+                continue
+
+            _iss = _set.get("iss")
             if _iss:
                 return _iss
         return None

tests/private/token_jwks.json

@@ -1 +1 @@
-{"keys": [{"kty": "oct", "use": "enc", "kid": "code", "k": "vSHDkLBHhDStkR0NWu8519rmV5zmnm5_"}, {"kty": "oct", "use": "enc", "kid": "refresh", "k": "ygvi663s6qysl0MvtSqO4EH6tBeDjOQ8"}]}
+{"keys": [{"kty": "oct", "use": "enc", "kid": "code", "k": "vSHDkLBHhDStkR0NWu8519rmV5zmnm5_"}, {"kty": "oct", "use": "enc", "kid": "refresh", "k": "ASSv_faXjb13FYcRMP7ht8f641jIWw3W"}]}

tests/test_client_12_client_auth.py

@@ -71,6 +71,8 @@ def test_quote():
 
 class TestClientSecretBasic(object):
     def test_construct(self, entity):
+        entity.context.cstate.update("ABCDE", {'code': 'abcdefghijklmnopqrst'})
+
         _token_service = entity.get_service("accesstoken")
         request = _token_service.construct(
             request_args={"redirect_uri": "http://example.com", "state": "ABCDE"}
@@ -234,6 +236,8 @@ def test_construct_with_request(self, entity):
 
 class TestClientSecretPost(object):
     def test_construct(self, entity):
+        entity.context.cstate.update("ABCDE", {'code': 'abcdefghijklmnopqrst'})
+
         _token_service = entity.get_service("accesstoken")
         request = _token_service.construct(redirect_uri="http://example.com", state="ABCDE")
         csp = ClientSecretPost()
@@ -250,6 +254,8 @@ def test_construct(self, entity):
         assert http_args is None
 
     def test_modify_1(self, entity):
+        entity.context.cstate.update("ABCDE", {'code': 'abcdefghijklmnopqrst'})
+
         token_service = entity.get_service("accesstoken")
         request = token_service.construct(redirect_uri="http://example.com", state="ABCDE")
         csp = ClientSecretPost()
@@ -259,6 +265,8 @@ def test_modify_1(self, entity):
         assert "client_secret" in request
 
     def test_modify_2(self, entity):
+        entity.context.cstate.update("ABCDE", {'code': 'abcdefghijklmnopqrst'})
+
         token_service = entity.get_service("accesstoken")
         request = token_service.construct(redirect_uri="http://example.com", state="ABCDE")
         csp = ClientSecretPost()