Merge pull request #58 from IdentityPython/ropc

Added support for the flows Resource Owner Password Credentials and Client Credentials

Author: rohe

src/idpyoidc/claims.py

@@ -217,6 +217,15 @@ def supported(self, claim):
     def prefers(self):
         return self.prefer
 
+    def get_claim(self, key, default=None):
+        _val = self.get_usage(key)
+        if _val is None:
+            _val = self.get_preference(key)
+
+        if _val is None:
+            return default
+        else:
+            return _val
 
 SIGNING_ALGORITHM_SORT_ORDER = ['RS', 'ES', 'PS', 'HS']
 

src/idpyoidc/client/claims/oidc.py

@@ -75,7 +75,7 @@ class Claims(client_claims.Claims):
         "contacts": None,
         "default_max_age": 86400,
         "encrypt_id_token_supported": None,
-        "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
+        # "grant_types_supported": ["authorization_code", "refresh_token"],
         "logo_uri": None,
         "id_token_signing_alg_values_supported": claims.get_signing_algs,
         "id_token_encryption_alg_values_supported": claims.get_encryption_algs,

src/idpyoidc/client/oauth2/access_token.py

@@ -27,6 +27,8 @@ class AccessToken(Service):
     request_body_type = "urlencoded"
     response_body_type = "json"
 
+    _include = {"grant_types_supported": ['authorization_code']}
+
     _supports = {
         "token_endpoint_auth_methods_supported": get_client_authn_methods,
         "token_endpoint_auth_signing_alg": get_signing_algs,

src/idpyoidc/client/oauth2/client_credentials.py

@@ -0,0 +1,43 @@
+import logging
+from typing import Optional
+from typing import Union
+
+from idpyoidc.client.service import Service
+from idpyoidc.message import Message
+from idpyoidc.message import oauth2
+from idpyoidc.time_util import time_sans_frac
+
+
+class CCAccessTokenRequest(Service):
+    """The service that talks to the OAuth2 client credentials endpoint."""
+
+    msg_type = oauth2.CCAccessTokenRequest
+    response_cls = oauth2.AccessTokenResponse
+    error_msg = oauth2.ResponseMessage
+    endpoint_name = "token_endpoint"
+    synchronous = True
+    service_name = "client_credentials"
+    default_authn_method = ""
+    http_method = "POST"
+
+    def __init__(self, upstream_get, conf=None):
+        Service.__init__(self, upstream_get, conf=conf)
+        self.pre_construct.append(self.cc_pre_construct)
+
+    def cc_pre_construct(self,
+                         request: Union[Message, dict],
+                         service: Service,
+                         post_args: Optional[dict],
+                         **_args):
+        _grant_type = request.get('grant_type')
+        if not _grant_type:
+            request['grant_type'] = 'client_credentials'
+        elif _grant_type != 'client_credentials':
+            logging.error('Wrong grant_type')
+
+        return request, post_args
+
+    def update_service_context(self, resp, key: Optional[str] = "", **kwargs):
+        if "expires_in" in resp:
+            resp["__expires_at"] = time_sans_frac() + int(resp["expires_in"])
+        self.upstream_get("context").cstate.update(key, resp)

src/idpyoidc/client/oauth2/client_credentials/cc_access_token.py

@@ -23,6 +23,8 @@ class RefreshAccessToken(Service):
     default_authn_method = "bearer_header"
     http_method = "POST"
 
+    _include = {"grant_types_supported": ['refresh_token']}
+
     def __init__(self, upstream_get, conf=None):
         Service.__init__(self, upstream_get, conf=conf)
         self.pre_construct.append(self.oauth_pre_construct)

src/idpyoidc/client/oauth2/client_credentials/cc_refresh_access_token.py

@@ -0,0 +1,43 @@
+import logging
+from typing import Optional
+from typing import Union
+
+from idpyoidc.client.service import Service
+from idpyoidc.message import Message
+from idpyoidc.message import oauth2
+from idpyoidc.time_util import time_sans_frac
+
+
+class ROPCAccessTokenRequest(Service):
+    """The service uses the OAuth2 resource owner password credentials flow."""
+
+    msg_type = oauth2.ROPCAccessTokenRequest
+    response_cls = oauth2.AccessTokenResponse
+    error_msg = oauth2.ResponseMessage
+    endpoint_name = "token_endpoint"
+    synchronous = True
+    service_name = "resource_owner_password_credentials"
+    default_authn_method = ""
+    http_method = "POST"
+
+    def __init__(self, upstream_get, conf=None):
+        Service.__init__(self, upstream_get, conf=conf)
+        self.pre_construct.append(self.ropc_pre_construct)
+
+    def ropc_pre_construct(self,
+                           request: Union[Message, dict],
+                           service: Service,
+                           post_args: Optional[dict],
+                           **_args):
+        _grant_type = request.get('grant_type')
+        if not _grant_type:
+            request['grant_type'] = 'password'
+        elif _grant_type != 'password':
+            logging.error('Wrong grant_type')
+
+        return request, post_args
+
+    def update_service_context(self, resp, key: Optional[str] = "", **kwargs):
+        if "expires_in" in resp:
+            resp["__expires_at"] = time_sans_frac() + int(resp["expires_in"])
+        self.upstream_get("context").cstate.update(key, resp)

src/idpyoidc/client/oauth2/refresh_access_token.py

@@ -27,6 +27,8 @@ class TokenExchange(Service):
     request_body_type = "urlencoded"
     response_body_type = "json"
 
+    _include = {'grant_types_supported': ['urn:ietf:params:oauth:grant-type:token-exchange']}
+
     def __init__(self, upstream_get, conf=None):
         Service.__init__(self, upstream_get, conf=conf)
         self.pre_construct.append(self.oauth_pre_construct)

src/idpyoidc/client/oauth2/resource_owner_password_credentials.py

@@ -23,6 +23,8 @@ class AccessToken(access_token.AccessToken):
     error_msg = oidc.ResponseMessage
     default_authn_method = "client_secret_basic"
 
+    _include = {"grant_types_supported": ['authorization_code']}
+
     _supports = {
         "token_endpoint_auth_methods_supported": get_client_authn_methods,
         "token_endpoint_auth_signing_alg_values_supported": get_signing_algs