Cleaned up.

response_type is about what's returned.
response_mode is how.

Author: rohe

src/idpyoidc/client/claims/transform.py

@@ -21,6 +21,7 @@
     "subject_type": "subject_types_supported",
     "token_endpoint_auth_method": "token_endpoint_auth_methods_supported",
     "response_types": "response_types_supported",
+    "response_modes": "response_modes_supported",
     "grant_types": "grant_types_supported",
     # In OAuth2 but not in OIDC
     "scope": "scopes_supported",

src/idpyoidc/client/defaults.py

@@ -92,3 +92,12 @@
 SAML2_BEARER_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
 
 BASECHR = string.ascii_letters + string.digits
+
+DEFAULT_RESPONSE_MODE = {
+    "code": "query",
+    "id_token": "fragment",
+    "token": "fragment",
+    "code token": "fragment",
+    "code id_token": "fragment",
+    "code id_token token": "fragment",
+}

src/idpyoidc/client/oauth2/authorization.py

@@ -40,9 +40,9 @@ class Authorization(Service):
     }
 
     _callback_path = {
-        "redirect_uris": {  # based on response_types
-            "code": "authz_cb",
-            "implicit": "authz_im_cb",
+        "redirect_uris": {  # based on response_mode
+            "query": "authz_cb",
+            "fragment": "authz_im_cb",
             # "form_post": "form"
         }
     }
@@ -100,18 +100,21 @@ def post_parse_response(self, response, **kwargs):
                         pass
         return response
 
-    def _do_flow(self, flow_type, response_types, context):
-        if flow_type == "code":
+    def _do_flow(self, flow_type, response_types, context) -> str:
+        if flow_type == "query":
             if "code" in response_types:
-                return True
-        elif flow_type in ["implicit", "hybrid"]:
+                return "query"
+        elif flow_type == "fragment":
             if implicit_response_types(response_types):
-                return True
+                return "fragment"
         elif flow_type == 'form_post':
             rm = context.get_preference('response_modes_supported')
             if rm and 'form_post' in rm:
-                return context.config.conf.get("separate_form_post_cb", True)
-        return False
+                if context.config.conf.get("separate_form_post_cb", True):
+                    return "form_post"
+                else:
+                    return "query"
+        return ''
 
     def _do_redirect_uris(self, base_url, hex, context, callback_uris, response_types):
         _redirect_uris = context.get_preference("redirect_uris", [])
@@ -127,16 +130,20 @@ def _do_redirect_uris(self, base_url, hex, context, callback_uris, response_type
                 pass
             else:
                 callback_uris["redirect_uris"] = {}
-                for flow_type, path in self._callback_path["redirect_uris"].items():
-                    if self._do_flow(flow_type, response_types, context):
+                for flow_type in self._callback_path["redirect_uris"].keys():
+                    _var = self._do_flow(flow_type, response_types, context)
+                    if _var:
+                        _path = self._callback_path["redirect_uris"][_var]
                         callback_uris["redirect_uris"][flow_type] = [
-                            self.get_uri(base_url, path, hex)
+                            self.get_uri(base_url, _path, hex)
                         ]
         else:
             callback_uris["redirect_uris"] = {}
-            for flow_type, path in self._callback_path["redirect_uris"].items():
-                if self._do_flow(flow_type, response_types, context):
-                    callback_uris["redirect_uris"][flow_type] = [self.get_uri(base_url, path, hex)]
+            for flow_type in self._callback_path["redirect_uris"].keys():
+                _var = self._do_flow(flow_type, response_types, context)
+                if _var:
+                    _path = self._callback_path["redirect_uris"][_var]
+                    callback_uris["redirect_uris"][flow_type] = [self.get_uri(base_url, _path, hex)]
         return callback_uris
 
     def construct_uris(

src/idpyoidc/client/oauth2/stand_alone_client.py

@@ -8,6 +8,7 @@
 from cryptojwt.key_bundle import keybundle_from_local_file
 
 from idpyoidc import verified_claim_name
+from idpyoidc.client.defaults import DEFAULT_RESPONSE_MODE
 from idpyoidc.client.exception import ConfigurationError
 from idpyoidc.client.exception import OidcServiceError
 from idpyoidc.client.oauth2 import Client
@@ -17,8 +18,8 @@
 from idpyoidc.exception import MissingRequiredAttribute
 from idpyoidc.exception import NotForMe
 from idpyoidc.message import Message
-from idpyoidc.message.oauth2 import is_error_message
 from idpyoidc.message.oauth2 import ResponseMessage
+from idpyoidc.message.oauth2 import is_error_message
 from idpyoidc.message.oidc import AuthorizationRequest
 from idpyoidc.message.oidc import AuthorizationResponse
 from idpyoidc.message.oidc import Claims
@@ -33,7 +34,7 @@
 
 class StandAloneClient(Client):
 
-    def get_session_information(self,key):
+    def get_session_information(self, key):
         """
         This is the second of the methods users of this class should know about.
         It will return the complete session information as an
@@ -144,8 +145,32 @@ def _get_response_type(self, context, req_args: Optional[dict] = None):
         else:
             return context.claims.get_usage("response_types")[0]
 
-    def _get_response_mode(self, context, response_type):
-        pass
+    def _get_response_mode(self, context, response_type, request_args):
+        if request_args:
+            _requested = request_args.get('response_mode')
+        else:
+            _requested = None
+        _supported = context.claims.get_usage('response_modes')
+        if _requested:
+            if _supported and _requested not in _supported:
+                raise ValueError(
+                    "You can not use a response_mode you have not stated should be supported")
+
+            if DEFAULT_RESPONSE_MODE[response_type] == _requested:
+                return None
+            else:
+                return _requested
+        elif _supported:
+            _type = response_type.split(' ')
+            _type.sort()
+            response_type = " ".join(_type)
+            # Is it the default response mode
+            if DEFAULT_RESPONSE_MODE[response_type] in _supported:
+                return None
+            else:
+                return _supported[0]
+        else:
+            return None
 
     def init_authorization(
             self,
@@ -167,14 +192,16 @@ def init_authorization(
 
         _context = self.get_context()
         _response_type = self._get_response_type(_context, req_args)
+        _response_mode = self._get_response_mode(_context, _response_type, req_args)
+
         request_args = {
             "redirect_uri": pick_redirect_uri(
-                _context, request_args=req_args, response_type=_response_type
+                _context, request_args=req_args, response_type=_response_type,
+                response_mode=_response_mode
             ),
             "response_type": _response_type,
         }
 
-        _response_mode = self._get_response_mode(_context, _response_type)
         if _response_mode:
             request_args['response_mode'] = _response_mode
 

src/idpyoidc/client/oauth2/utils.py

@@ -27,6 +27,7 @@ def pick_redirect_uri(
     context,
     request_args: Optional[Union[Message, dict]] = None,
     response_type: Optional[str] = "",
+    response_mode: Optional[str] = ""
 ):
     if request_args is None:
         request_args = {}
@@ -36,33 +37,31 @@ def pick_redirect_uri(
 
     _callback_uris = context.get_preference("callback_uris")
     if _callback_uris:
-        _callback_uris = _callback_uris.get("redirect_uris")
-
-    if _callback_uris:
-        if not response_type:
-            _conf_resp_types = context.get_usage("response_types", [])
-            response_type = request_args.get("response_type")
-            if not response_type and _conf_resp_types:
-                response_type = _conf_resp_types[0]
-
-        _response_mode = request_args.get("response_mode")
+        _redirect_uris = _callback_uris.get("redirect_uris")
+        _response_mode = request_args.get("response_mode") or response_mode
 
         if _response_mode:
             if _response_mode == "form_post":
                 try:
-                    redirect_uri = _callback_uris["form_post"][0]
+                    redirect_uri = _redirect_uris["form_post"][0]
                 except KeyError:
-                    redirect_uri = _callback_uris["code"][0]
+                    redirect_uri = _redirect_uris["code"][0]
             elif response_type == "code" or response_type == ["code"]:
-                redirect_uri = _callback_uris["code"][0]
+                redirect_uri = _redirect_uris["code"][0]
             else:
-                redirect_uri = _callback_uris["implicit"][0]
+                redirect_uri = _redirect_uris["implicit"][0]
         else:
+            if not response_type:
+                _conf_resp_types = context.get_usage("response_types", [])
+                response_type = request_args.get("response_type")
+                if not response_type and _conf_resp_types:
+                    response_type = _conf_resp_types[0]
+
             if response_type == "code" or response_type == ["code"]:
-                _response_mode = "code"
+                _response_mode = "query"
             else:
-                _response_mode = "implicit"
-            redirect_uri = _callback_uris[_response_mode][0]
+                _response_mode = "fragment"
+            redirect_uri = _redirect_uris[_response_mode][0]
 
         logger.debug(
             f"pick_redirect_uris: response_type={response_type}, response_mode={_response_mode}, "

src/idpyoidc/client/oidc/authorization.py

@@ -47,9 +47,9 @@ class Authorization(authorization.Authorization):
 
     _callback_path = {
         "request_uris": ["req"],
-        "redirect_uris": {  # based on response_types
-            "code": "authz_cb",
-            "implicit": "authz_tok_cb",
+        "redirect_uris": {  # based on response_mode
+            "query": "authz_cb",
+            "fragment": "authz_tok_cb",
             "form_post": "authz_cb_form",
         },
     }
@@ -368,15 +368,15 @@ def _do_request_uris(self, base_url, hex, context, callback_uris):
     def _do_type(self, context, typ, response_types):
         if typ == "code" and "code" in response_types:
             if typ in context.get_preference("response_modes_supported"):
-                return True
+                return "query"
         elif typ == "implicit":
             if typ in context.get_preference("response_modes_supported"):
                 if implicit_response_types(response_types):
-                    return True
+                    return "fragment"
         elif typ == "form_post":
             if typ in context.get_preference("response_modes_supported"):
-                return True
-        return False
+                return "form_post"
+        return ''
 
     def construct_uris(
         self,

src/idpyoidc/message/oidc/__init__.py

@@ -635,6 +635,7 @@ class RegistrationRequest(Message):
         "backchannel_logout_session_required": SINGLE_OPTIONAL_BOOLEAN,
         # "federation_type": OPTIONAL_LIST_OF_STRINGS,
         # "organization_name": SINGLE_OPTIONAL_STRING,
+        "response_modes": OPTIONAL_LIST_OF_STRINGS,
     }
     c_default = {"application_type": "web", "response_types": ["code"]}
     c_allowed_values = {

src/idpyoidc/server/claims/oidc.py

@@ -21,6 +21,7 @@
     "subject_type": "subject_types_supported",
     "token_endpoint_auth_method": "token_endpoint_auth_methods_supported",
     "response_types": "response_types_supported",
+    "response_modes": "response_modes_supported",
     "grant_types": "grant_types_supported",
     # In OAuth2 but not in OIDC
     "scope": "scopes_supported",

tests/private/token_jwks.json

@@ -1 +1 @@
-{"keys": [{"kty": "oct", "use": "enc", "kid": "code", "k": "vSHDkLBHhDStkR0NWu8519rmV5zmnm5_"}, {"kty": "oct", "use": "enc", "kid": "refresh", "k": "c5ww2m_bA2iOZXxyDJfTpxQjymMdLmqG"}]}
+{"keys": [{"kty": "oct", "use": "enc", "kid": "code", "k": "vSHDkLBHhDStkR0NWu8519rmV5zmnm5_"}, {"kty": "oct", "use": "enc", "kid": "refresh", "k": "ygvi663s6qysl0MvtSqO4EH6tBeDjOQ8"}]}

tests/pub_client.jwks

@@ -1 +1 @@
-{"keys": [{"kty": "EC", "use": "sig", "kid": "azZQQ2FEQjh3QnVZWVdrbHJkMEZSaWR6aVJ0LTBjeUFfeWRlbTRrRFZ5VQ", "crv": "P-256", "x": "2ADe18caWWGp6hpRbfa9HqQHDFNpid9xUmR56Wzm_wc", "y": "HnD_8QBanz4Y-UF8mKQFZXfqkGkXUSm34mLsdDKtSyk"}, {"kty": "RSA", "use": "sig", "kid": "SHEyYWcwNVk0LTdROTZzZ2FUWndIVXdack0xWUM5SEpwcS03dVUxWU4zRQ", "e": "AQAB", "n": "rRz52ddyP9Y2ezSlRsnkt-sjXfV_Ii7vOFX-cStLE3IUlVeSJGEe_kAASLr2r3BE2unjntaxj67NP8D95h_rzG1SpCklTEn-aTe3FOwNyTzUH_oiDVeRoEcf04Y43ciRGYRB5PhI6ii-2lYuig6hyUr776Qxiu6-0zw-M_ay2MgGSy5CEj55dDSvcUyxStUObxGpPWnEvybO1vnE7iJEWGNe0L5uPe5nLidOiR-JwjxSWEx1xZYtIjxaf2Ulu-qu4hwgwBUQdx4bNZyBfljKj55skWuHqPMG3xMjnedQC6Ms5bR3rIkbBpvmgI3kJK-4CZikM6ruyLo94-Lk19aYQw"}]}
+{"keys": [{"kty": "EC", "use": "sig", "kid": "azZQQ2FEQjh3QnVZWVdrbHJkMEZSaWR6aVJ0LTBjeUFfeWRlbTRrRFZ5VQ", "crv": "P-256", "x": "2ADe18caWWGp6hpRbfa9HqQHDFNpid9xUmR56Wzm_wc", "y": "HnD_8QBanz4Y-UF8mKQFZXfqkGkXUSm34mLsdDKtSyk"}, {"kty": "RSA", "use": "sig", "kid": "SHEyYWcwNVk0LTdROTZzZ2FUWndIVXdack0xWUM5SEpwcS03dVUxWU4zRQ", "n": "rRz52ddyP9Y2ezSlRsnkt-sjXfV_Ii7vOFX-cStLE3IUlVeSJGEe_kAASLr2r3BE2unjntaxj67NP8D95h_rzG1SpCklTEn-aTe3FOwNyTzUH_oiDVeRoEcf04Y43ciRGYRB5PhI6ii-2lYuig6hyUr776Qxiu6-0zw-M_ay2MgGSy5CEj55dDSvcUyxStUObxGpPWnEvybO1vnE7iJEWGNe0L5uPe5nLidOiR-JwjxSWEx1xZYtIjxaf2Ulu-qu4hwgwBUQdx4bNZyBfljKj55skWuHqPMG3xMjnedQC6Ms5bR3rIkbBpvmgI3kJK-4CZikM6ruyLo94-Lk19aYQw", "e": "AQAB"}]}