Merge pull request #66 from IdentityPython/enforce-aud-restriction

rohe · web-flow · commit 63f6ed325608 · 2023-06-27T09:00:42.000+02:00
Option for audience restriction enforcement
diff --git a/src/idpyoidc/server/oauth2/introspection.py b/src/idpyoidc/server/oauth2/introspection.py
@@ -32,6 +32,7 @@ class Introspection(Endpoint):
     def __init__(self, upstream_get, **kwargs):
         Endpoint.__init__(self, upstream_get, **kwargs)
         self.offset = kwargs.get("offset", 0)
+        self.enforce_aud_restriction = kwargs.get("enforce_audience_restriction", True)
 
     def _introspect(self, token, client_id, grant):
         # Make sure that the token is an access_token or a refresh_token
@@ -114,8 +115,17 @@ def process_request(self, request=None, release: Optional[list] = None, **kwargs
         if not aud:
             aud = grant.resources
 
-        if request["client_id"] not in aud:
-            return {"response_args": _resp}
+        client_id = request["client_id"]
+        try:
+            _cinfo = _context.cdb[client_id]
+            enforce_aud_restriction = _cinfo.get(
+                "enforce_audience_restriction", self.enforce_aud_restriction
+            )
+        except:
+            enforce_aud_restriction = self.enforce_aud_restriction
+        if enforce_aud_restriction:
+            if request["client_id"] not in aud:
+                return {"response_args": _resp}
 
         _info = self._introspect(_token, _session_info["client_id"], _session_info["grant"])
         if _info is None:
diff --git a/tests/test_server_31_oauth2_introspection.py b/tests/test_server_31_oauth2_introspection.py
@@ -132,6 +132,7 @@ def create_endpoint(self, jwt_token):
                     "kwargs": {
                         "client_authn_method": ["client_secret_post"],
                         "enable_claims_per_client": False,
+                        "enforce_audience_restriction": True,
                     },
                 },
                 "token": {
