Merge branch 'fedservice' of https://github.com/IdentityPython/idpy-oidc into fedservice

Author: rohe

src/idpyoidc/client/entity.py

@@ -201,4 +201,3 @@ def import_keys(self, keyspec):
 
     def get_callback_uris(self):
         return self.context.claims.callback_uri
-

src/idpyoidc/defaults.py

@@ -12,4 +12,3 @@
 JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 
 BASECHR = string.ascii_letters + string.digits
-

src/idpyoidc/message/oauth2/__init__.py

@@ -10,6 +10,7 @@
 from idpyoidc.exception import MissingRequiredAttribute
 from idpyoidc.exception import VerificationError
 from idpyoidc.message import Message
+from idpyoidc.message import msg_ser
 from idpyoidc.message import OPTIONAL_LIST_OF_SP_SEP_STRINGS
 from idpyoidc.message import OPTIONAL_LIST_OF_STRINGS
 from idpyoidc.message import REQUIRED_LIST_OF_SP_SEP_STRINGS
@@ -20,7 +21,6 @@
 from idpyoidc.message import SINGLE_REQUIRED_BOOLEAN
 from idpyoidc.message import SINGLE_REQUIRED_INT
 from idpyoidc.message import SINGLE_REQUIRED_STRING
-from idpyoidc.message import msg_ser
 
 logger = logging.getLogger(__name__)
 
@@ -582,6 +582,33 @@ class JSONWebToken(Message):
     }
 
 
+# RFC 7009
+class TokenRevocationRequest(Message):
+    c_param = {
+        "token": SINGLE_REQUIRED_STRING,
+        "token_type_hint": SINGLE_OPTIONAL_STRING,
+        # The ones below are part of authentication information
+        "client_id": SINGLE_OPTIONAL_STRING,
+        "client_secret": SINGLE_OPTIONAL_STRING,
+    }
+
+
+class TokenRevocationResponse(Message):
+    pass
+
+
+class TokenRevocationErrorResponse(ResponseMessage):
+    """
+    Error response from the revocation endpoint
+    """
+    c_allowed_values = ResponseMessage.c_allowed_values.copy()
+    c_allowed_values.update({
+        "error": [
+            "unsupported_token_type"
+        ]
+    })
+
+
 def factory(msgtype, **kwargs):
     """
     Factory method that can be used to easily instansiate a class instance

src/idpyoidc/server/authz/__init__.py

@@ -61,31 +61,39 @@ def __call__(
         request: Union[dict, Message],
         resources: Optional[list] = None,
     ) -> Grant:
-        session_info = self.upstream_get("context").session_manager.get_session_info(
+        _context = self.upstream_get("context")
+        session_info = _context.session_manager.get_session_info(
             session_id=session_id, grant=True
         )
         grant = session_info["grant"]
+        _client_id = session_info['client_id']
 
         args = self.grant_config.copy()
 
         for key, val in args.items():
             if key == "expires_in":
                 grant.set_expires_at(val)
             elif key == "usage_rules":
-                setattr(grant, key, self.usage_rules(request.get("client_id")))
+                setattr(grant, key, self.usage_rules(_client_id))
             else:
                 setattr(grant, key, val)
 
         if resources is None:
-            grant.resources = [session_info["client_id"]]
+            grant.resources = [_client_id]
         else:
             grant.resources = resources
 
-        # After this is where user consent should be handled
+        # Scope handling. If allowed scopes are defined for the client filter using that
         scopes = grant.scope
         if not scopes:
             scopes = request.get("scope", [])
-            grant.scope = scopes
+        else:
+            _allowed = _context.cdb[_client_id].get('allowed_scopes', [])
+            if _allowed:
+                scopes = list(set(scopes).intersection(set(_allowed)))
+        grant.scope = scopes
+
+        # After this is where user consent should be handled
         grant.claims = self.upstream_get("context").claims_interface.get_claims_all_usage(
             session_id=session_id, scopes=scopes
         )

src/idpyoidc/server/oauth2/token.py

@@ -33,7 +33,9 @@ class Token(Endpoint):
     helper_by_grant_type = {
         "authorization_code": AccessTokenHelper,
         "refresh_token": RefreshTokenHelper,
+        "urn:ietf:params:oauth:grant-type:token-exchange": TokenExchangeHelper,
     }
+    token_exchange_helper = TokenExchangeHelper
 
     def __init__(self, upstream_get, new_refresh_token=False, **kwargs):
         Endpoint.__init__(self, upstream_get, **kwargs)
@@ -132,7 +134,7 @@ def process_request(self, request: Optional[Union[Message, dict]] = None, **kwar
         _access_token = response_args["access_token"]
         _context = self.upstream_get("context")
 
-        if isinstance(_helper, TokenExchangeHelper):
+        if isinstance(_helper, self.token_exchange_helper):
             _handler_key = _helper.get_handler_key(request, _context)
         else:
             _handler_key = "access_token"

src/idpyoidc/server/oauth2/token_helper.py

@@ -33,6 +33,7 @@
 
 
 class TokenEndpointHelper(object):
+
     def __init__(self, endpoint, config=None):
         self.endpoint = endpoint
         self.config = config
@@ -154,6 +155,7 @@ def validate_resource_indicators_policy(request, context, **kwargs):
 
 
 class AccessTokenHelper(TokenEndpointHelper):
+
     def process_request(self, req: Union[Message, dict], **kwargs):
         """
 
@@ -341,6 +343,7 @@ def post_parse_request(
 
 
 class RefreshTokenHelper(TokenEndpointHelper):
+
     def process_request(self, req: Union[Message, dict], **kwargs):
         _context = self.endpoint.upstream_get("context")
         _mngr = _context.session_manager

src/idpyoidc/server/oauth2/token_revocation.py

@@ -0,0 +1,134 @@
+"""Implements RFC7009"""
+
+import logging
+
+from idpyoidc.exception import ImproperlyConfigured
+from idpyoidc.message import oauth2
+from idpyoidc.server.endpoint import Endpoint
+from idpyoidc.server.token.exception import UnknownToken
+from idpyoidc.server.token.exception import WrongTokenClass
+from idpyoidc.util import importer
+
+logger = logging.getLogger(__name__)
+
+
+class TokenRevocation(Endpoint):
+    """Implements RFC7009"""
+
+    request_cls = oauth2.TokenRevocationRequest
+    response_cls = oauth2.TokenRevocationResponse
+    error_cls = oauth2.TokenRevocationErrorResponse
+    request_format = "urlencoded"
+    response_format = "json"
+    endpoint_name = "revocation_endpoint"
+    name = "token_revocation"
+    default_capabilities = {
+        "client_authn_method": [
+            "client_secret_basic",
+            "client_secret_post",
+            "client_secret_jwt",
+            "bearer_header",
+            "private_key_jwt",
+        ]
+    }
+
+    token_types_supported = ["authorization_code", "access_token", "refresh_token"]
+
+    def __init__(self, upstream_get, **kwargs):
+        Endpoint.__init__(self, upstream_get, **kwargs)
+        self.token_revocation_kwargs = kwargs
+
+    def get_client_id_from_token(self, endpoint_context, token, request=None):
+        _info = endpoint_context.session_manager.get_session_info_by_token(
+            token, handler_key="access_token"
+        )
+        return _info["client_id"]
+
+    def process_request(self, request=None, **kwargs):
+        """
+        :param request: The revocation request as a dictionary
+        :param kwargs:
+        :return:
+        """
+        _revoke_request = self.request_cls(**request)
+        if "error" in _revoke_request:
+            return _revoke_request
+
+        request_token = _revoke_request["token"]
+        _resp = self.response_cls()
+        _context = self.upstream_get("endpoint_context")
+        logger.debug("Token Revocation")
+
+        try:
+            _session_info = _context.session_manager.get_session_info_by_token(
+                request_token, grant=True
+            )
+        except (UnknownToken, WrongTokenClass):
+            return {"response_args": _resp}
+
+        client_id = _session_info["client_id"]
+        if client_id != _revoke_request["client_id"]:
+            logger.debug("{} owner of token".format(client_id))
+            logger.warning("Client using token it was not given")
+            return self.error_cls(error="invalid_grant", error_description="Wrong client")
+
+        grant = _session_info["grant"]
+        _token = grant.get_token(request_token)
+
+        try:
+            self.token_types_supported = _context.cdb[client_id]["token_revocation"][
+                "token_types_supported"]
+        except Exception:
+            self.token_types_supported = self.token_revocation_kwargs.get("token_types_supported",
+                                                                          self.token_types_supported)
+
+        try:
+            self.policy = _context.cdb[client_id]["token_revocation"]["policy"]
+        except Exception:
+            self.policy = self.token_revocation_kwargs.get("policy", {
+                "": {"callable": validate_token_revocation_policy}})
+
+        if _token.token_class not in self.token_types_supported:
+            desc = (
+                "The authorization server does not support the revocation of "
+                "the presented token type. That is, the client tried to revoke an access "
+                "token on a server not supporting this feature."
+            )
+            return self.error_cls(error="unsupported_token_type", error_description=desc)
+
+        return self._revoke(_revoke_request, _session_info)
+
+    def _revoke(self, request, session_info):
+        _context = self.upstream_get("endpoint_context")
+        _mngr = _context.session_manager
+        _token = _mngr.find_token(session_info["branch_id"], request["token"])
+
+        _cls = _token.token_class
+        if _cls not in self.policy:
+            _cls = ""
+
+        temp_policy = self.policy[_cls]
+        callable = temp_policy["callable"]
+        kwargs = temp_policy.get("kwargs", {})
+
+        if isinstance(callable, str):
+            try:
+                fn = importer(callable)
+            except Exception:
+                raise ImproperlyConfigured(f"Error importing {callable} policy callable")
+        else:
+            fn = callable
+
+        try:
+            return fn(_token, session_info=session_info, **kwargs)
+        except Exception as e:
+            logger.error(f"Error while executing the {fn} policy callable: {e}")
+            return self.error_cls(error="server_error", error_description="Internal server error")
+
+
+def validate_token_revocation_policy(token, session_info, **kwargs):
+    _token = token
+    _token.revoke()
+
+    response_args = {"response_args": {}}
+    return oauth2.TokenRevocationResponse(**response_args)

src/idpyoidc/server/oidc/token.py

@@ -42,3 +42,5 @@ class Token(token.Token):
         "urn:openid:params:grant-type:ciba": CIBATokenHelper,
         "urn:ietf:params:oauth:grant-type:token-exchange": TokenExchangeHelper,
     }
+
+    token_exchange_helper = TokenExchangeHelper

src/idpyoidc/server/oidc/token_helper.py

@@ -21,6 +21,7 @@
 
 
 class AccessTokenHelper(TokenEndpointHelper):
+
     def _get_session_info(self, request, session_manager):
         if request["grant_type"] != "authorization_code":
             return self.error_cls(error="invalid_request", error_description="Unknown grant_type")
@@ -208,6 +209,7 @@ def post_parse_request(
 
 
 class RefreshTokenHelper(TokenEndpointHelper):
+
     def process_request(self, req: Union[Message, dict], **kwargs):
         _context = self.endpoint.upstream_get("context")
         _mngr = _context.session_manager

src/idpyoidc/server/util.py

@@ -169,4 +169,3 @@ def execute(spec, **kwargs):
             return _func(**kwargs)
         else:
             return kwargs
-