Token exchange client code.

Authorization Server metadata endpoint support.

Author: rohe

src/idpyoidc/client/client_auth.py

@@ -302,11 +302,13 @@ def construct(self, request=None, service=None, http_args=None, **kwargs):
 
         if service.service_name == "refresh_token":
             _acc_token = find_token(request, "refresh_token", service, **kwargs)
+        elif service.service_name == "token_exchange":
+            _acc_token = find_token(request, "subject_token", service, **kwargs)
         else:
             _acc_token = find_token(request, "access_token", service, **kwargs)
 
         if not _acc_token:
-            raise KeyError("No access or refresh token available")
+            raise KeyError("No bearer token available")
 
         # The authorization value starts with 'Bearer' when bearer tokens
         # are used

src/idpyoidc/client/oauth2/provider_info_discovery.py renamed to src/idpyoidc/client/oauth2/server_metadata.py

@@ -12,14 +12,14 @@
 LOGGER = logging.getLogger(__name__)
 
 
-class ProviderInfoDiscovery(Service):
-    """The service that talks to the OAuth2 provider info discovery endpoint."""
+class ServerMetadata(Service):
+    """The service that talks to the OAuth2 server metadata endpoint."""
 
     msg_type = oauth2.Message
     response_cls = oauth2.ASConfigurationResponse
     error_msg = ResponseMessage
     synchronous = True
-    service_name = "provider_info"
+    service_name = "server_metadata"
     http_method = "GET"
 
     metadata_attributes = {}

src/idpyoidc/client/oauth2/token_exchange.py

@@ -0,0 +1,68 @@
+"""Implements the service that can exchange one token for another."""
+import logging
+
+from idpyoidc.client.oauth2.utils import get_state_parameter
+from idpyoidc.client.service import Service
+from idpyoidc.message import oauth2
+from idpyoidc.message.oauth2 import ResponseMessage
+from idpyoidc.time_util import time_sans_frac
+
+LOGGER = logging.getLogger(__name__)
+
+
+class TokenExchange(Service):
+    """The token exchange service."""
+
+    msg_type = oauth2.TokenExchangeRequest
+    response_cls = oauth2.TokenExchangeResponse
+    error_msg = ResponseMessage
+    endpoint_name = "token_endpoint"
+    synchronous = True
+    service_name = "token_exchange"
+    default_authn_method = "client_secret_basic"
+    http_method = "POST"
+    request_body_type = "urlencoded"
+    response_body_type = "json"
+
+
+    def __init__(self, client_get, conf=None):
+        Service.__init__(self, client_get, conf=conf)
+        self.pre_construct.append(self.oauth_pre_construct)
+
+    def update_service_context(self, resp, key="", **kwargs):
+        if "expires_in" in resp:
+            resp["__expires_at"] = time_sans_frac() + int(resp["expires_in"])
+        self.client_get("service_context").state.store_item(resp, "token_response", key)
+
+    def oauth_pre_construct(self, request_args=None, post_args=None, **kwargs):
+        """
+
+        :param request_args: Initial set of request arguments
+        :param kwargs: Extra keyword arguments
+        :return: Request arguments
+        """
+        if request_args is None:
+            request_args = {}
+
+        if 'subject_token' not in request_args:
+            _key = get_state_parameter(request_args, kwargs)
+            parameters = {'access_token', 'scope'}
+
+            _state = self.client_get("service_context").state
+
+            _args = _state.extend_request_args(
+                {}, oauth2.AuthorizationResponse, "auth_response", _key, parameters
+            )
+            _args = _state.extend_request_args(
+                _args, oauth2.AccessTokenResponse, "token_response", _key, parameters
+            )
+            _args = _state.extend_request_args(
+                _args, oauth2.AccessTokenResponse, "refresh_token_response", _key, parameters
+            )
+
+            request_args["subject_token"] = _args["access_token"]
+            request_args["subject_token_type"] = 'urn:ietf:params:oauth:token-type:access_token'
+            if 'scope' not in request_args and "scope" in _args:
+                request_args["scope"] = _args["scope"]
+
+        return request_args, post_args

src/idpyoidc/server/oauth2/server_metadata.py

@@ -0,0 +1,37 @@
+import logging
+
+from idpyoidc.message import oauth2
+
+from idpyoidc.message import oidc
+from idpyoidc.server.endpoint import Endpoint
+
+logger = logging.getLogger(__name__)
+
+
+class ServerMetadata(Endpoint):
+    request_cls = oauth2.Message
+    response_cls = oauth2.ASConfigurationResponse
+    request_format = ""
+    response_format = "json"
+    name = "server_metadata"
+
+    def __init__(self, server_get, **kwargs):
+        Endpoint.__init__(self, server_get=server_get, **kwargs)
+        self.pre_construct.append(self.add_endpoints)
+
+    def add_endpoints(self, request, client_id, endpoint_context, **kwargs):
+        for endpoint in [
+            "authorization_endpoint",
+            "registration_endpoint",
+            "token_endpoint",
+            "userinfo_endpoint",
+            "end_session_endpoint",
+        ]:
+            endp_instance = self.server_get("endpoint", endpoint)
+            if endp_instance:
+                request[endpoint] = endp_instance.endpoint_path
+
+        return request
+
+    def process_request(self, request=None, **kwargs):
+        return {"response_args": self.server_get("endpoint_context").provider_info}

tests/test_client_55_token_exchange.py

@@ -0,0 +1,92 @@
+import os
+
+from cryptojwt.key_jar import init_key_jar
+import pytest
+
+from idpyoidc.client.entity import Entity
+from idpyoidc.message import Message
+from idpyoidc.message.oauth2 import AccessTokenResponse
+from idpyoidc.message.oauth2 import AuthorizationResponse
+from idpyoidc.message.oidc import IdToken
+from tests.test_client_21_oidc_service import make_keyjar
+
+KEYSPEC = [
+    {"type": "RSA", "use": ["sig"]},
+    {"type": "EC", "crv": "P-256", "use": ["sig"]},
+]
+
+_dirname = os.path.dirname(os.path.abspath(__file__))
+
+ISS = "https://example.com"
+
+ISS_KEY = init_key_jar(
+    public_path="{}/pub_iss.jwks".format(_dirname),
+    private_path="{}/priv_iss.jwks".format(_dirname),
+    key_defs=KEYSPEC,
+    issuer_id=ISS,
+    read_only=False,
+)
+
+ISS_KEY.import_jwks_as_json(open("{}/pub_client.jwks".format(_dirname)).read(), "client_id")
+
+
+def create_jws(val):
+    lifetime = 3600
+
+    idts = IdToken(**val)
+
+    return idts.to_jwt(
+        key=ISS_KEY.get_signing_key("ec", issuer_id=ISS), algorithm="ES256", lifetime=lifetime
+    )
+
+
+class TestUserInfo(object):
+    @pytest.fixture(autouse=True)
+    def create_request(self):
+        self._iss = ISS
+        client_config = {
+            "client_id": "client_id",
+            "client_secret": "a longesh password",
+            "redirect_uris": ["https://example.com/cli/authz_cb"],
+            "issuer": self._iss,
+            "requests_dir": "requests",
+            "base_url": "https://example.com/cli/",
+        }
+        entity = Entity(keyjar=make_keyjar(), config=client_config,
+                        services={
+                            "discovery": {
+                                "class":
+                                    "idpyoidc.client.oauth2.server_metadata.ServerMetadata"},
+                            "authorization": {
+                                "class": "idpyoidc.client.oauth2.authorization.Authorization"},
+                            "access_token": {
+                                "class": "idpyoidc.client.oauth2.access_token.AccessToken"},
+                            "token_exchange": {
+                                "class":
+                                    "idpyoidc.client.oauth2.token_exchange.TokenExchange"
+                            },
+                        }
+                        )
+        entity.client_get("service_context").issuer = "https://example.com"
+        self.service = entity.client_get("service", "token_exchange")
+
+        _state_interface = self.service.client_get("service_context").state
+        # Add history
+        auth_response = AuthorizationResponse(code="access_code").to_json()
+        _state_interface.store_item(auth_response, "auth_response", "abcde")
+
+        idtval = {"nonce": "KUEYfRM2VzKDaaKD", "sub": "diana", "iss": ISS, "aud": "client_id"}
+        idt = create_jws(idtval)
+
+        ver_idt = IdToken().from_jwt(idt, make_keyjar())
+
+        token_response = AccessTokenResponse(
+            access_token="access_token", id_token=idt, __verified_id_token=ver_idt
+        ).to_json()
+        _state_interface.store_item(token_response, "token_response", "abcde")
+
+    def test_construct(self):
+        _req = self.service.construct(state="abcde")
+        assert isinstance(_req, Message)
+        assert len(_req) == 2
+        assert "subject_token" in _req