Being more explicit on what type of client it is.

Deal with policy expressed in two claims: metadata and metadata_policy.

Author: rohe

src/idpyoidc/client/claims/transform.py

@@ -112,14 +112,31 @@ def array_or_singleton(claim_spec, values):
 
 
 def _is_subset(a, b):
+    # Is 'a' a subset of 'b'
     if isinstance(a, list):
         if isinstance(b, list):
-            return set(b).issubset(set(a))
+            return set(a).issubset(set(b))
     elif isinstance(b, list):
         return a in b
     else:
         return a == b
 
+def _intersection(a, b):
+    res = None
+    if isinstance(a, list):
+        if isinstance(b, list):
+            res = list(set(a).intersection(set(b)))
+        else:
+            if b in a:
+                res = b
+            else:
+                res = []
+    elif isinstance(b, list):
+        if a in b:
+            res = [a]
+        else:
+            res = []
+    return res
 
 def preferred_to_registered(prefers: dict, supported: dict,
                             registration_response: Optional[dict] = None):
@@ -136,10 +153,19 @@ def preferred_to_registered(prefers: dict, supported: dict,
     if registration_response:
         for key, val in registration_response.items():
             if key in REGISTER2PREFERRED:
-                if _is_subset(val, supported.get(REGISTER2PREFERRED[key])):
+                # Is the response value with in what this instance supports
+                _supports = supported.get(REGISTER2PREFERRED[key])
+                if _is_subset(val, _supports):
                     registered[key] = val
                 else:
-                    logger.warning(f'OP tells me to do something I do not support: {key} = {val}')
+                    logger.warning(
+                        f'OP tells me to do something I do not support: (key) = {val} not within '
+                        f'{_supports}')
+                    _val = _intersection(val, _supports)
+                    if _val:
+                        registered[key] = _val
+                    else:
+                        raise ValueError('Not able to support the OPs choice')
             else:
                 registered[key] = val  # Should I just accept with the OP says ??
 

src/idpyoidc/client/entity.py

@@ -13,6 +13,7 @@
 from idpyoidc.client.client_auth import method_to_item
 from idpyoidc.client.configure import Configuration
 from idpyoidc.client.defaults import DEFAULT_OAUTH2_SERVICES
+from idpyoidc.client.defaults import DEFAULT_OIDC_SERVICES
 from idpyoidc.client.service import init_services
 from idpyoidc.client.service_context import ServiceContext
 from idpyoidc.context import OidcContext
@@ -75,7 +76,7 @@ def redirect_uris_from_callback_uris(callback_uris):
     return res
 
 
-class Entity(Unit):  # This is a Client
+class Entity(Unit):  # This is a Client. What type is undefined here.
     parameter = {
         'entity_id': None,
         'jwks_uri': None,
@@ -117,7 +118,10 @@ def __init__(
             _srvs = None
 
         if not _srvs:
-            _srvs = DEFAULT_OAUTH2_SERVICES
+            if client_type == 'oauth2':
+                _srvs = DEFAULT_OAUTH2_SERVICES
+            else:
+                _srvs = DEFAULT_OIDC_SERVICES
 
         self._service = init_services(service_definitions=_srvs, upstream_get=self.unit_get)
 

src/idpyoidc/client/oauth2/__init__.py

@@ -37,6 +37,7 @@ class ExpiredToken(Exception):
 
 
 class Client(Entity):
+    client_type = 'oauth2'
     def __init__(
             self,
             keyjar: Optional[KeyJar] = None,
@@ -69,7 +70,7 @@ def __init__(
         """
 
         if not client_type:
-            client_type = "oauth2"
+            client_type = self.client_type
 
         if verify_ssl is False:
             # just ignore verify_ssl until it goes away

src/idpyoidc/client/oauth2/server_metadata.py

@@ -118,6 +118,8 @@ def _update_service_context(self, resp):
         # that. Otherwise, a new Key Jar is minted
         try:
             _keyjar = self.upstream_get('attribute', 'keyjar')
+            if _keyjar is None:
+                _keyjar = KeyJar()
         except KeyError:
             _keyjar = KeyJar()
 

src/idpyoidc/client/oidc/__init__.py

@@ -77,6 +77,7 @@ class FetchException(Exception):
 
 
 class RP(oauth2.Client):
+    client_type = 'oidc'
 
     def __init__(
             self,
@@ -93,7 +94,10 @@ def __init__(
             **kwargs
     ):
         self.upstream_get = upstream_get
-        _srvs = services or DEFAULT_OIDC_SERVICES
+        if services:
+            _srvs = services
+        else:
+            _srvs = config.get("services", DEFAULT_OIDC_SERVICES)
 
         oauth2.Client.__init__(
             self,

src/idpyoidc/client/oidc/access_token.py

@@ -24,7 +24,7 @@ class AccessToken(access_token.AccessToken):
     default_authn_method = "client_secret_basic"
 
     _supports = {
-        "token_endpoint_auth_method": get_client_authn_methods,
+        "token_endpoint_auth_methods_supported": get_client_authn_methods,
         "token_endpoint_auth_signing_alg_values_supported": get_signing_algs
     }
 

src/idpyoidc/client/provider/github.py

@@ -28,7 +28,7 @@ class AccessToken(access_token.AccessToken):
     response_body_type = "urlencoded"
 
     _supports = {
-        "token_endpoint_auth_method": get_client_authn_methods,
+        "token_endpoint_auth_methods_supported": get_client_authn_methods,
         "token_endpoint_auth_signing_alg_values_supported": get_signing_algs
     }
 

src/idpyoidc/client/provider/linkedin.py

@@ -34,7 +34,7 @@ class AccessToken(access_token.AccessToken):
     error_msg = oauth2.TokenErrorResponse
 
     _supports = {
-        "token_endpoint_auth_method": get_client_authn_methods,
+        "token_endpoint_auth_methods_supported": get_client_authn_methods,
         "token_endpoint_auth_signing_alg_values_supported": get_signing_algs
     }
 

src/idpyoidc/client/service.py

@@ -674,11 +674,9 @@ def construct_uris(self,
             else:
                 _path = self._callback_path.get(uri)
                 if isinstance(_path, str):
-                    _callback_uris[uri] = self.get_uri(base_url, self._callback_path.get(_path),
-                                                       hex)
+                    _callback_uris[uri] = self.get_uri(base_url, _path, hex)
                 else:
-                    _callback_uris[uri] = [self.get_uri(base_url, self._callback_path.get(_var),
-                                                        hex) for _var in _path]
+                    _callback_uris[uri] = [self.get_uri(base_url, _var, hex) for _var in _path]
 
         return _callback_uris
 

src/idpyoidc/server/client_authn.py

@@ -451,7 +451,7 @@ def verify_client(
         get_client_id_from_token: Optional[Callable] = None,
         endpoint=None,  # Optional[Endpoint]
         also_known_as: Optional[Dict[str, str]] = None,
-):
+) -> dict:
     """
     Initiated Guessing !