Introduce grant and session for token exchange

Author: ctriant

docs/source/contents/conf.rst

@@ -670,7 +670,7 @@ There are two possible ways to configure Token Exchange in OIDC-OP, globally and
 For the first case the configuration is passed in the Token Exchange handler throught the
 `urn:ietf:params:oauth:grant-type:token-exchange` dictionary in token's `grant_types_supported`.
 
-If present, the token exchange configuration must contain a `policy` object that describes a default
+If present, the token exchange configuration may contain a `policy` object that describes a default
 policy `callable` and its `kwargs` through the `""` key. Different callables can be optionally
 defined for each token type supported.
 

src/oidcop/oidc/token.py

@@ -381,7 +381,7 @@ def __init__(self, endpoint, config=None):
                 ],
                 "policy": {
                     "": {
-                        "callable": "oidcop.oidc.token.default_token_exchange_policy",
+                        "callable": default_token_exchange_policy,
                         "kwargs": {
                             "scope": ["openid"]
                         }
@@ -491,17 +491,16 @@ def _enforce_policy(self, request, token, config):
             )
 
         try:
-            if (
-                "requested_token_type" in request
-                and request["requested_token_type"] in config["policy"]
-            ):
-                callable = config["policy"][request["requested_token_type"]]["callable"]
-                kwargs = config["policy"][request["requested_token_type"]]["kwargs"]
+            subject_token_type = request.get("subject_token_type", "")
+            if subject_token_type not in config["policy"]:
+                subject_token_type = ""
+            callable = config["policy"][subject_token_type]["callable"]
+            kwargs = config["policy"][subject_token_type]["kwargs"]
+
+            if isinstance(callable, str):
+                fn = importer(callable)
             else:
-                callable = config["policy"][""]["callable"]
-                kwargs = config["policy"][""]["kwargs"]
-
-            fn = importer(callable)
+                fn = callable
             return fn(request, context=_context, subject_token=token, **kwargs)
 
         except Exception:
@@ -515,7 +514,7 @@ def token_exchange_response(self, token):
         response_args["access_token"] = token.value
         response_args["scope"] = token.scope
         response_args["issued_token_type"] = token.token_class
-        response_args["expires_in"] = token.usage_rules["expires_in"]
+        response_args["expires_in"] = token.usage_rules.get("expires_in", 0)
         response_args["token_type"] = "bearer"
 
         return TokenExchangeResponse(**response_args)
@@ -541,9 +540,7 @@ def process_request(self, request, **kwargs):
             )
 
         token = _mngr.find_token(_session_info["session_id"], request["subject_token"])
-
         grant = _session_info["grant"]
-
         _requested_token_type = request.get("requested_token_type",
                                            "urn:ietf:params:oauth:token-type:access_token")
 
@@ -555,24 +552,30 @@ def process_request(self, request, **kwargs):
 
         sid = _session_info["session_id"]
         if request["client_id"] != _session_info["client_id"]:
-            authn_event = _session_info["grant"].authentication_event
             _token_usage_rules = _context.authz.usage_rules(request["client_id"])
-            _exp_in = _token_usage_rules["refresh_token"].get("expires_in")
-            if _exp_in and "valid_until" in authn_event:
-                authn_event["valid_until"] = utc_time_sans_frac() + _exp_in
 
-            sid = _mngr.create_session(
-                authn_event=authn_event,
-                auth_req=request,
+            sid = _mngr.create_exchange_session(
+                exchange_request=request,
+                original_session_id=sid,
                 user_id=_session_info["user_id"],
                 client_id=request["client_id"],
                 token_usage_rules=_token_usage_rules,
             )
 
+            try:
+                _session_info = _mngr.get_session_info(
+                    session_id=sid, grant=True)
+            except Exception:
+                logger.error("Error retrieving token exchabge session information")
+                return self.error_cls(
+                    error="server_error",
+                    error_description="Internal server error"
+                )
+
         try:
             new_token = self._mint_token(
                 token_class=_token_class,
-                grant=grant,
+                grant=_session_info["grant"],
                 session_id=sid,
                 client_id=request["client_id"],
                 based_on=token,

src/oidcop/session/grant.py

@@ -449,12 +449,14 @@ def __init__(
         authorization_details: Optional[dict] = None,
         issued_token: Optional[list] = None,
         usage_rules: Optional[dict] = None,
+        exchange_request: str = "",
+        original_session_id: str = "",
         issued_at: int = 0,
         expires_in: int = 0,
         expires_at: int = 0,
         revoked: bool = False,
         token_map: Optional[dict] = None,
-        users: list = None,
+        users: list = None
     ):
         Grant.__init__(
             self,
@@ -475,3 +477,5 @@ def __init__(
         self.usage_rules = {
             "access_token": {"supports_minting": ["access_token"], "expires_in": 60}
         }
+        self.exchange_request=exchange_request
+        self.original_session_id=original_session_id

src/oidcop/session/manager.py

@@ -6,6 +6,7 @@
 import uuid
 
 from oidcmsg.oauth2 import AuthorizationRequest
+from oidcmsg.oauth2 import TokenExchangeRequest
 
 from oidcop import rndstr
 from oidcop.authn_event import AuthnEvent
@@ -15,6 +16,7 @@
 from oidcop.session.database import NoSuchClientSession
 from .database import Database
 from .grant import Grant
+from .grant import ExchangeGrant
 from .grant import SessionToken
 from .info import ClientSessionInfo
 from .info import UserSessionInfo
@@ -198,6 +200,41 @@ def create_grant(
 
         return self.encrypted_session_id(user_id, client_id, grant.id)
 
+    def create_exchange_grant(
+        self,
+        exchange_request: TokenExchangeRequest,
+        original_session_id: str,
+        user_id: str,
+        client_id: Optional[str] = "",
+        sub_type: Optional[str] = "public",
+        token_usage_rules: Optional[dict] = None,
+        scopes: Optional[list] = None,
+    ) -> str:
+        """
+
+        :param scopes: Scopes
+        :param exchange_req:
+        :param user_id:
+        :param client_id:
+        :param sub_type:
+        :param token_usage_rules:
+        :return:
+        """
+        sector_identifier = exchange_request.get("sector_identifier_uri", "")
+
+        _claims = exchange_request.get("claims", {})
+
+        grant = ExchangeGrant(
+            usage_rules=token_usage_rules,
+            scope=scopes,
+            claims=_claims,
+            original_session_id=original_session_id,
+            exchange_request=exchange_request
+        )
+        self.set([user_id, client_id, grant.id], grant)
+
+        return self.encrypted_session_id(user_id, client_id, grant.id)
+
     def create_session(
         self,
         authn_event: AuthnEvent,
@@ -247,6 +284,55 @@ def create_session(
             scopes=scopes,
         )
 
+    def create_exchange_session(
+        self,
+        exchange_request: TokenExchangeRequest,
+        original_session_id: str,
+        user_id: str,
+        client_id: Optional[str] = "",
+        sub_type: Optional[str] = "public",
+        token_usage_rules: Optional[dict] = None,
+        scopes: Optional[list] = None,
+    ) -> str:
+        """
+        Create part of a user session. The parts added are user- and client
+        information and a grant.
+
+        :param scopes:
+        :param authn_event: Authentication Event information
+        :param auth_req: Authorization Request
+        :param client_id: Client ID
+        :param user_id: User ID
+        :param sub_type: What kind of subject will be assigned
+        :param token_usage_rules: Rules for how tokens can be used
+        :return: Session key
+        """
+
+        try:
+            _usi = self.get([user_id])
+        except KeyError:
+            _usi = UserSessionInfo(user_id=user_id)
+            self.set([user_id], _usi)
+
+        if not client_id:
+            client_id = exchange_request["client_id"]
+
+        try:
+            self.get([user_id, client_id])
+        except (NoSuchClientSession, ValueError):
+            client_info = ClientSessionInfo(client_id=client_id)
+            self.set([user_id, client_id], client_info)
+
+        return self.create_exchange_grant(
+            exchange_request=exchange_request,
+            original_session_id = original_session_id,
+            user_id=user_id,
+            client_id=client_id,
+            sub_type=sub_type,
+            token_usage_rules=token_usage_rules,
+            scopes=scopes,
+        )
+
     def __getitem__(self, session_id: str):
         return self.get(self.decrypt_session_id(session_id))