Merge pull request #80 from ctriant/fix-deny-unknown-scopes-perclient

rohe · web-flow · commit 53eedf86fabb · 2023-10-19T09:56:10.000+02:00
Fix per-client configuration of deny_unknown_scopes
diff --git a/src/idpyoidc/server/oauth2/authorization.py b/src/idpyoidc/server/oauth2/authorization.py
@@ -268,7 +268,9 @@ def authn_args_gather(
 
 
 def check_unknown_scopes_policy(request_info, client_id, context):
-    if not context.get_preference("deny_unknown_scopes"):
+    cinfo = context.cdb.get(client_id, {})
+    deny_unknown_scopes = cinfo.get("deny_unknown_scopes", context.get_preference("deny_unknown_scopes"))
+    if not deny_unknown_scopes:
         return
 
     scope = request_info["scope"]
diff --git a/tests/test_server_24_oauth2_authorization_endpoint.py b/tests/test_server_24_oauth2_authorization_endpoint.py
@@ -588,6 +588,38 @@ def test_setup_auth_invalid_scope(self):
         assert excp
         assert isinstance(excp, UnAuthorizedClientScope)
 
+    def test_setup_auth_invalid_scope_2(self):
+        request = AuthorizationRequest(
+            client_id="client_id",
+            redirect_uri="https://rp.example.com/cb",
+            response_type=["id_token"],
+            state="state",
+            nonce="nonce",
+            scope="openid THAT-BLOODY_SCOPE",
+        )
+        cinfo = {
+            "client_id": "client_id",
+            "redirect_uris": [("https://rp.example.com/cb", {})],
+            "id_token_signed_response_alg": "RS256",
+            "allowed_scopes": ["openid", "profile", "email", "address", "phone", "offline_access"],
+            "deny_unknown_scopes": True
+        }
+
+        _context = self.endpoint.upstream_get("context")
+        _context.cdb["client_id"] = cinfo
+
+        kaka = _context.cookie_handler.make_cookie_content("value", "sso")
+
+        # force to 400 Http Error message if the release scope policy is heavy!
+        _context.set_preference("deny_unknown_scopes", False)
+        excp = None
+        try:
+            res = self.endpoint.process_request(request, http_info={"headers": {"cookie": [kaka]}})
+        except UnAuthorizedClientScope as e:
+            excp = e
+        assert excp
+        assert isinstance(excp, UnAuthorizedClientScope)
+
     def test_setup_auth_user(self):
         request = AuthorizationRequest(
             client_id="client_id",
