The jti parameter in a JWS should be used to catch reuse.

Need a database to hold all the jtis I've seen.
Audience in a private_key_jwt JWS is endpoint dependent.
It should not be possible to use a private_key_jwt constructed to be used
at one endpoint to be used at another.

Author: rohe

src/oidcendpoint/client_authn.py

@@ -8,11 +8,11 @@
 from cryptojwt.jwt import utc_time_sans_frac
 from cryptojwt.utils import as_bytes
 from cryptojwt.utils import as_unicode
-from oidcmsg.oidc import RegistrationRequest
 from oidcmsg.oidc import verified_claim_name
 
 from oidcendpoint import JWT_BEARER
 from oidcendpoint import sanitize
+from oidcendpoint.exception import MultipleUsage
 from oidcendpoint.exception import NotForMe
 
 logger = logging.getLogger(__name__)
@@ -78,8 +78,8 @@ def verify(self, request, authorization_info, **kwargs):
         client_info = basic_authn(authorization_info)
 
         if (
-            self.endpoint_context.cdb[client_info["id"]]["client_secret"]
-            == client_info["secret"]
+                self.endpoint_context.cdb[client_info["id"]]["client_secret"]
+                == client_info["secret"]
         ):
             return {"client_id": client_info["id"]}
         else:
@@ -96,8 +96,8 @@ class ClientSecretPost(ClientSecretBasic):
 
     def verify(self, request, **kwargs):
         if (
-            self.endpoint_context.cdb[request["client_id"]]["client_secret"]
-            == request["client_secret"]
+                self.endpoint_context.cdb[request["client_id"]]["client_secret"]
+                == request["client_secret"]
         ):
             return {"client_id": request["client_id"]}
         else:
@@ -141,18 +141,30 @@ def verify(self, request, **kwargs):
             authtoken = sanitize(ca_jwt.to_dict())
         logger.debug("authntoken: {}".format(authtoken))
 
+        _endpoint = kwargs.get("endpoint")
+        if _endpoint is None:
+            if self.endpoint_context.issuer in ca_jwt["aud"]:
+                pass
+            else:
+                raise NotForMe("Not for me!")
+        else:
+            if self.endpoint_context.endpoint[_endpoint].full_path in ca_jwt["aud"]:
+                pass
+            else:
+                raise NotForMe("Not for me!")
+
+        # If there is a jti use it to make sure one-time usage is true
+        _jti = ca_jwt.get('jti')
+        if _jti:
+            _key = "{}:{}".format(ca_jwt['iss'], _jti)
+            if _key in self.endpoint_context.jti_db:
+                raise MultipleUsage("Have seen this token once before")
+            else:
+                self.endpoint_context.jti_db.set(_key, utc_time_sans_frac())
+
         request[verified_claim_name("client_assertion")] = ca_jwt
         client_id = kwargs.get("client_id") or ca_jwt["iss"]
 
-        # I should be among the audience
-        # could be either my issuer id or the token endpoint
-        if self.endpoint_context.issuer in ca_jwt["aud"]:
-            pass
-        elif self.endpoint_context.endpoint["token"].full_path in ca_jwt["aud"]:
-            pass
-        else:
-            raise NotForMe("Not for me!")
-
         return {"client_id": client_id, "jwt": ca_jwt}
 
 
@@ -192,7 +204,8 @@ def valid_client_info(cinfo):
 
 
 def verify_client(
-    endpoint_context, request, authorization_info=None, get_client_id_from_token=None
+        endpoint_context, request, authorization_info=None, get_client_id_from_token=None,
+        endpoint=""
 ):
     """
     Initiated Guessing !
@@ -206,7 +219,8 @@ def verify_client(
     """
 
     # fixes request = {} instead of str
-    # "AttributeError: 'dict' object has no attribute 'startswith'" in oidcendpoint/endpoint.py(158)client_authentication()
+    # "AttributeError: 'dict' object has no attribute 'startswith'" in oidcendpoint/endpoint.py(
+    # 158)client_authentication()
     if isinstance(authorization_info, dict):
         strings_parade = ("{} {}".format(k, v) for k, v in authorization_info.items())
         authorization_info = " ".join(strings_parade)
@@ -216,7 +230,7 @@ def verify_client(
             auth_info = ClientSecretPost(endpoint_context).verify(request)
             auth_info["method"] = "client_secret_post"
         elif "client_assertion" in request:
-            auth_info = JWSAuthnMethod(endpoint_context).verify(request)
+            auth_info = JWSAuthnMethod(endpoint_context).verify(request, endpoint=endpoint)
             #  If symmetric key was used
             # auth_method = 'client_secret_jwt'
             #  If asymmetric key was used
@@ -259,9 +273,9 @@ def verify_client(
         # store what authn method was used
         if auth_info.get("method"):
             if (
-                endpoint_context.cdb[client_id].get("auth_method")
-                and request.__class__.__name__
-                in endpoint_context.cdb[client_id]["auth_method"]
+                    endpoint_context.cdb[client_id].get("auth_method")
+                    and request.__class__.__name__
+                    in endpoint_context.cdb[client_id]["auth_method"]
             ):
                 endpoint_context.cdb[client_id]["auth_method"][
                     request.__class__.__name__

src/oidcendpoint/endpoint.py

@@ -224,7 +224,7 @@ def parse_request(self, request, auth=None, **kwargs):
         # Verify that the client is allowed to do this
         _client_id = ""
         try:
-            auth_info = self.client_authentication(req, auth, **kwargs)
+            auth_info = self.client_authentication(req, auth, endpoint=self.name, **kwargs)
         except UnknownOrNoAuthnMethod:
             # If there is no required client authentication method
             if not self.client_authn_method:
@@ -268,9 +268,12 @@ def client_authentication(self, request, auth=None, **kwargs):
         :return: client_id or raise an exception
         """
 
+        _endpoint = kwargs.get("endpoint")
+
         try:
             authn_info = verify_client(
-                self.endpoint_context, request, auth, self.get_client_id_from_token
+                self.endpoint_context, request, auth, self.get_client_id_from_token,
+                endpoint=_endpoint
             )
         except UnknownOrNoAuthnMethod:
             if self.client_authn_method is None:

src/oidcendpoint/endpoint_context.py

@@ -12,6 +12,7 @@
 from oidcendpoint import rndstr
 from oidcendpoint.client_authn import CLIENT_AUTHN_METHOD
 from oidcendpoint.id_token import IDToken
+from oidcendpoint.in_memory_db import InMemoryDataBase
 from oidcendpoint.session import create_session_db
 from oidcendpoint.sso_db import SSODb
 from oidcendpoint.template_handler import Jinja2TemplateHandler
@@ -95,6 +96,7 @@ def __init__(
         httpc=None,
         cookie_name=None,
         jwks_uri_path=None,
+        jti_db=None,
     ):
         self.conf = conf
         self.keyjar = keyjar or KeyJar()
@@ -142,6 +144,11 @@ def __init__(
         else:
             self.set_session_db(sso_db)
 
+        if jti_db:
+            self.set_jti_db(db=jti_db)
+        else:
+            self.set_jti_db()
+
         if cookie_name:
             self.cookie_name = cookie_name
         elif "cookie_name" in conf:
@@ -233,6 +240,9 @@ def set_session_db(self, sso_db=None, db=None):
         self.do_userinfo()
         logger.debug("Session DB: {}".format(self.sdb.__dict__))
 
+    def set_jti_db(self, db=None):
+        self.jti_db = db or InMemoryDataBase()
+
     def do_add_on(self):
         if self.conf.get("add_on"):
             for spec in self.conf["add_on"].values():
@@ -264,9 +274,7 @@ def do_userinfo(self):
                 self.userinfo = init_user_info(_conf, self.cwd)
                 self.sdb.userinfo = self.userinfo
             else:
-                logger.warning(
-                    ("Cannot init_user_info if any " "session_db was provided.")
-                )
+                logger.warning("Cannot init_user_info if no session_db was provided.")
 
     def do_id_token(self):
         _conf = self.conf.get("id_token")

src/oidcendpoint/exception.py

@@ -26,6 +26,10 @@ class ToOld(OidcEndpointError):
     pass
 
 
+class MultipleUsage(OidcEndpointError):
+    pass
+
+
 class FailedAuthentication(OidcEndpointError):
     pass
 

tests/test_02_client_authn.py

@@ -18,7 +18,9 @@
 from oidcendpoint.client_authn import basic_authn
 from oidcendpoint.client_authn import verify_client
 from oidcendpoint.endpoint_context import EndpointContext
+from oidcendpoint.exception import MultipleUsage
 from oidcendpoint.exception import NotForMe
+from oidcendpoint.oidc.authorization import Authorization
 from oidcendpoint.oidc.token import AccessToken
 
 KEYDEFS = [
@@ -35,7 +37,10 @@
     "grant_expires_in": 300,
     "refresh_token_expires_in": 86400,
     "verify_ssl": False,
-    "endpoint": {"token": {"path": "token", "class": AccessToken, "kwargs": {}}},
+    "endpoint": {
+        "token": {"path": "token", "class": AccessToken, "kwargs": {}},
+        "authorization": {"path": "auth", "class": Authorization, "kwargs": {}}
+    },
     "template_dir": "template",
     "jwks": {
         "private_path": "own/jwks.json",
@@ -85,6 +90,7 @@ def test_client_secret_jwt():
     client_keyjar.add_symmetric("", client_secret, ["sig"])
 
     _jwt = JWT(client_keyjar, iss=client_id, sign_alg="HS256")
+    _jwt.with_jti = True
     _assertion = _jwt.pack({"aud": [conf["issuer"]]})
 
     request = {"client_assertion": _assertion, "client_assertion_type": JWT_BEARER}
@@ -105,6 +111,7 @@ def test_private_key_jwt():
     endpoint_context.keyjar.import_jwks(_jwks, client_id)
 
     _jwt = JWT(client_keyjar, iss=client_id, sign_alg="RS256")
+    _jwt.with_jti = True
     _assertion = _jwt.pack({"aud": [conf["issuer"]]})
 
     request = {"client_assertion": _assertion, "client_assertion_type": JWT_BEARER}
@@ -115,6 +122,54 @@ def test_private_key_jwt():
     assert "jwt" in authn_info
 
 
+def test_private_key_jwt_reusage_other_endpoint():
+    # Own dynamic keys
+    client_keyjar = build_keyjar(KEYDEFS)
+    # The servers keys
+    client_keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
+
+    _jwks = client_keyjar.export_jwks()
+    endpoint_context.keyjar.import_jwks(_jwks, client_id)
+
+    _jwt = JWT(client_keyjar, iss=client_id, sign_alg="RS256")
+    _jwt.with_jti = True
+    _assertion = _jwt.pack({"aud": [endpoint_context.endpoint["token"].full_path]})
+
+    request = {"client_assertion": _assertion, "client_assertion_type": JWT_BEARER}
+
+    # This should be OK
+    authn_info = PrivateKeyJWT(endpoint_context).verify(request, endpoint="token")
+
+    # This should NOT be OK
+    with pytest.raises(NotForMe):
+        PrivateKeyJWT(endpoint_context).verify(request, endpoint="authorization")
+
+    # This should NOT be OK
+    with pytest.raises(MultipleUsage):
+        PrivateKeyJWT(endpoint_context).verify(request, endpoint="token")
+
+
+def test_private_key_jwt_auth_endpoint():
+    # Own dynamic keys
+    client_keyjar = build_keyjar(KEYDEFS)
+    # The servers keys
+    client_keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
+
+    _jwks = client_keyjar.export_jwks()
+    endpoint_context.keyjar.import_jwks(_jwks, client_id)
+
+    _jwt = JWT(client_keyjar, iss=client_id, sign_alg="RS256")
+    _jwt.with_jti = True
+    _assertion = _jwt.pack({"aud": [endpoint_context.endpoint["authorization"].full_path]})
+
+    request = {"client_assertion": _assertion, "client_assertion_type": JWT_BEARER}
+
+    authn_info = PrivateKeyJWT(endpoint_context).verify(request, endpoint="authorization")
+
+    assert authn_info["client_id"] == client_id
+    assert "jwt" in authn_info
+
+
 def test_wrong_type():
     with pytest.raises(AuthnFailure):
         ClientSecretBasic(endpoint_context).verify({}, "Foppa toffel")
@@ -208,7 +263,7 @@ def test_jws_authn_method_aud_token_endpoint():
 
     request = {"client_assertion": _assertion, "client_assertion_type": JWT_BEARER}
 
-    assert JWSAuthnMethod(endpoint_context).verify(request)
+    assert JWSAuthnMethod(endpoint_context).verify(request, endpoint="token")
 
 
 def test_jws_authn_method_aud_not_me():