If cookie parsing fails or if referenced session ID is missing direct the user to reauthentication.

Author: rohe

src/idpyoidc/server/cookie_handler.py

@@ -279,15 +279,15 @@ def parse_cookie(self, name: str, cookies: List[dict]) -> Optional[List[dict]]:
         LOGGER.debug("Looking for '{}' cookies".format(name))
         res = []
         for _cookie in cookies:
-            LOGGER.debug("Cookie: {}".format(_cookie))
+            LOGGER.debug(f"Cookie: {_cookie}")
             if "name" in _cookie and _cookie["name"] == name:
                 _content = self._ver_dec_content(_cookie["value"].split("|"))
                 if _content:
-                    payload, timestamp = self._ver_dec_content(_cookie["value"].split("|"))
+                    payload, timestamp = _content
                     value, typ = payload.split("::")
                     res.append({"value": value, "type": typ, "timestamp": timestamp})
                 else:
-                    LOGGER.debug(f"Could not verify {name} cookie")
+                    LOGGER.debug(f"Could not verify '{name}' cookie")
         return res
 
 

src/idpyoidc/server/oauth2/authorization.py

@@ -603,21 +603,22 @@ def setup_auth(
                         if _csi.is_active() is False:
                             identity = None
 
-        authn_args = authn_args_gather(request, authn_class_ref, cinfo, **kwargs)
         _mngr = _context.session_manager
         _session_id = ""
 
         # To authenticate or Not
         if not identity:  # No!
             logger.info("No active authentication")
-            logger.debug("Known clients: {}".format(list(_context.cdb.keys())))
+            # logger.debug("Known clients: {}".format(list(_context.cdb.keys())))
 
             if "prompt" in request and "none" in request["prompt"]:
                 # Need to authenticate but not allowed
                 return self._login_required_error(redirect_uri, request)
             else:
+                authn_args = authn_args_gather(request, authn_class_ref, cinfo, **kwargs)
                 return {"function": authn, "args": authn_args}
         else:
+            authn_args = authn_args_gather(request, authn_class_ref, cinfo, **kwargs)
             logger.info(f"Active authentication: {identity}")
             if re_authenticate(request, authn):
                 # demand re-authentication
@@ -994,7 +995,7 @@ def process_request(
         cinfo = _context.cdb[_cid]
         # logger.debug("client {}: {}".format(_cid, cinfo))
 
-        # this apply the default optionally deny_unknown_scopes policy
+        # this applies the default optionally deny_unknown_scopes policy
         check_unknown_scopes_policy(request, _cid, _context)
 
         if http_info is None:
@@ -1004,7 +1005,11 @@ def process_request(
         if _cookies:
             logger.debug("parse_cookie@process_request")
             _session_cookie_name = _context.cookie_handler.name["session"]
-            _my_cookies = _context.cookie_handler.parse_cookie(_session_cookie_name, _cookies)
+            try:
+                _my_cookies = _context.cookie_handler.parse_cookie(_session_cookie_name, _cookies)
+            except Exception as err:
+                logger.info(f"Parse cookie failed due to: {err}")
+                _my_cookies = {}
         else:
             _my_cookies = {}
 

src/idpyoidc/server/user_authn/user.py

@@ -13,6 +13,9 @@
 
 from idpyoidc.server.exception import FailedAuthentication
 from idpyoidc.server.exception import ImproperlyConfigured
+from idpyoidc.server.exception import InconsistentDatabase
+from idpyoidc.server.exception import NoSuchClientSession
+from idpyoidc.server.exception import NoSuchGrant
 from idpyoidc.server.exception import OnlyForTestingWarning
 from idpyoidc.time_util import utc_time_sans_frac
 from idpyoidc.util import instantiate
@@ -64,8 +67,8 @@ def authenticated_as(self, client_id, cookie=None, **kwargs):
             return None, 0
         else:
             _info = self.cookie_info(cookie, client_id)
-            logger.debug("authenticated_as: cookie info={}".format(_info))
             if _info:
+                logger.debug("authenticated_as: cookie info={}".format(_info))
                 if "max_age" in kwargs and kwargs["max_age"] != 0:
                     _max_age = kwargs["max_age"]
                     _now = utc_time_sans_frac()
@@ -74,6 +77,9 @@ def authenticated_as(self, client_id, cookie=None, **kwargs):
                             "Too old by {} seconds".format(_now - (_info["timestamp"] + _max_age))
                         )
                         return None, 0
+            else:
+                logger.info("Failed to find session based on cookie")
+
             return _info, utc_time_sans_frac()
 
     def verify(self, *args, **kwargs):
@@ -109,9 +115,18 @@ def cookie_info(self, cookie: List[dict], client_id: str) -> dict:
             for val in cookie:
                 _info = json.loads(val["value"])
                 _info["timestamp"] = int(val["timestamp"])
+
+                # verify session ID
+                try:
+                    _context.session_manager[_info["sid"]]
+                except (KeyError, ValueError, InconsistentDatabase,
+                        NoSuchClientSession, NoSuchGrant) as err:
+                    logger.info(f"Verifying session ID fail due to {err}")
+                    return {}
+
                 session_id = _context.session_manager.decrypt_session_id(_info["sid"])
                 logger.debug("cookie_info: session id={}".format(session_id))
-                # _, cid, _ = _context.session_manager.decrypt_session_id(_info["sid"])
+
                 if session_id[1] != client_id:
                     continue
                 else:
@@ -138,13 +153,13 @@ class UserPassJinja2(UserAuthnMethod):
     url_endpoint = "/verify/user_pass_jinja"
 
     def __init__(
-        self,
-        db,
-        template_handler,
-        template="user_pass.jinja2",
-        server_get=None,
-        verify_endpoint="",
-        **kwargs,
+            self,
+            db,
+            template_handler,
+            template="user_pass.jinja2",
+            server_get=None,
+            verify_endpoint="",
+            **kwargs,
     ):
 
         super(UserPassJinja2, self).__init__(server_get=server_get)

tests/test_server_24_oidc_authorization_endpoint.py

@@ -1362,6 +1362,20 @@ def create_endpoint_context(self):
         }
         server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
         self.endpoint_context = server.endpoint_context
+        self.session_manager = self.endpoint_context.session_manager
+        self.user_id = "diana"
+
+    def _create_session(self, auth_req, sub_type="public", sector_identifier=""):
+        if sector_identifier:
+            authz_req = auth_req.copy()
+            authz_req["sector_identifier_uri"] = sector_identifier
+        else:
+            authz_req = auth_req
+        client_id = authz_req["client_id"]
+        ae = create_authn_event(self.user_id)
+        return self.session_manager.create_session(
+            ae, authz_req, self.user_id, client_id=client_id, sub_type=sub_type
+        )
 
     def test_authenticated_as_without_cookie(self):
         authn_item = self.endpoint_context.authn_broker.pick(INTERNETPROTOCOLPASSWORD)
@@ -1375,11 +1389,35 @@ def test_authenticated_as_with_cookie(self):
         method = authn_item[0]["method"]
 
         authn_req = {"state": "state_identifier", "client_id": "client 12345"}
+        session_id = self._create_session(authn_req)
+
         _cookie = self.endpoint_context.new_cookie(
             name=self.endpoint_context.cookie_handler.name["session"],
             sub="diana",
+            sid=session_id,
+            state=authn_req["state"],
+            client_id=authn_req["client_id"],
+        )
+
+        # Parsed once before setup_auth
+        kakor = self.endpoint_context.cookie_handler.parse_cookie(
+            cookies=[_cookie], name=self.endpoint_context.cookie_handler.name["session"]
+        )
+
+        _info, _time_stamp = method.authenticated_as(client_id="client 12345", cookie=kakor)
+        assert _info["sub"] == "diana"
+
+    def test_authenticated_as_with_unknown_user(self):
+        authn_item = self.endpoint_context.authn_broker.pick(INTERNETPROTOCOLPASSWORD)
+        method = authn_item[0]["method"]
+
+        authn_req = {"state": "state_identifier", "client_id": "client 12345"}
+        session_id = self._create_session(authn_req)
+        _cookie = self.endpoint_context.new_cookie(
+            name=self.endpoint_context.cookie_handler.name["session"],
+            sub="adam",
             sid=self.endpoint_context.session_manager.encrypted_session_id(
-                "diana", "client 12345", "abcdefgh"
+                "adam", "client 12345", "0123456789"
             ),
             state=authn_req["state"],
             client_id=authn_req["client_id"],
@@ -1391,4 +1429,28 @@ def test_authenticated_as_with_cookie(self):
         )
 
         _info, _time_stamp = method.authenticated_as(client_id="client 12345", cookie=kakor)
-        assert _info["sub"] == "diana"
+        assert _info == {}
+
+    def test_authenticated_as_with_goobledigook(self):
+        authn_item = self.endpoint_context.authn_broker.pick(INTERNETPROTOCOLPASSWORD)
+        method = authn_item[0]["method"]
+
+        authn_req = {"state": "state_identifier", "client_id": "client 12345"}
+        _ = self._create_session(authn_req)
+        _cookie = self.endpoint_context.new_cookie(
+            name=self.endpoint_context.cookie_handler.name["session"],
+            sub="adam",
+            sid=self.endpoint_context.session_manager.encrypted_session_id(
+                "adam", "client 12345", "0123456789"
+            ),
+            state=authn_req["state"],
+            client_id=authn_req["client_id"],
+        )
+
+        kakor = [{
+            'value': '{"sub": "adam", "sid": "Z0FBQUFBQmlhVl", "state": "state_identifier", "client_id": "client 12345"}',
+            'type': '',
+            'timestamp': '1651070251'}]
+
+        _info, _time_stamp = method.authenticated_as(client_id="client 12345", cookie=kakor)
+        assert _info == {}