The new client auth process demands that endpoint is known.

Use the client_authn_setup function to initiate the client auth methods to be used.
Fixed tests.

Author: rohe

src/oidcendpoint/client_authn.py

@@ -9,6 +9,7 @@
 from cryptojwt.jwt import utc_time_sans_frac
 from cryptojwt.utils import as_bytes
 from cryptojwt.utils import as_unicode
+from oidcmsg.oidc import JsonWebToken
 from oidcmsg.oidc import verified_claim_name
 
 from oidcendpoint import JWT_BEARER
@@ -17,6 +18,7 @@
 from oidcendpoint.exception import MultipleUsage
 from oidcendpoint.exception import NotForMe
 from oidcendpoint.exception import UnknownClient
+from oidcendpoint.util import importer
 
 logger = logging.getLogger(__name__)
 
@@ -53,7 +55,17 @@ def verify(self, **kwargs):
         :param kwargs:
         :return:
         """
-        raise NotImplementedError
+        raise NotImplementedError()
+
+    def is_usable(self, request=None, authorization_info=None):
+        """
+        Verify that this authentication method is applicable.
+
+        :param request: The request
+        :param authorization_info: Other authorization information
+        :return: True/False
+        """
+        raise NotImplementedError()
 
 
 def basic_authn(authn):
@@ -76,14 +88,17 @@ class ClientSecretBasic(ClientAuthnMethod):
     Server, authenticate with the Authorization Server in accordance with
     Section 3.2.1 of OAuth 2.0 [RFC6749] using HTTP Basic authentication scheme.
     """
+    tag = "client_secret_basic"
 
-    def verify(self, request, authorization_info, **kwargs):
+    def is_usable(self, request=None, authorization_info=None):
+        if authorization_info is not None and authorization_info.startswith("Basic "):
+            return True
+        return False
+
+    def verify(self, authorization_info, **kwargs):
         client_info = basic_authn(authorization_info)
 
-        if (
-                self.endpoint_context.cdb[client_info["id"]]["client_secret"]
-                == client_info["secret"]
-        ):
+        if self.endpoint_context.cdb[client_info["id"]]["client_secret"] == client_info["secret"]:
             return {"client_id": client_info["id"]}
         else:
             raise AuthnFailure()
@@ -96,12 +111,18 @@ class ClientSecretPost(ClientSecretBasic):
     Section 3.2.1 of OAuth 2.0 [RFC6749] by including the Client Credentials in
     the request body.
     """
+    tag = "client_secret_post"
+
+    def is_usable(self, request=None, authorization_info=None):
+        if request is None:
+            return False
+        if "client_id" in request and "client_secret" in request:
+            return True
+        return False
 
     def verify(self, request, **kwargs):
-        if (
-                self.endpoint_context.cdb[request["client_id"]]["client_secret"]
-                == request["client_secret"]
-        ):
+        if self.endpoint_context.cdb[request["client_id"]]["client_secret"] == request[
+            "client_secret"]:
             return {"client_id": request["client_id"]}
         else:
             raise AuthnFailure("secrets doesn't match")
@@ -110,38 +131,70 @@ def verify(self, request, **kwargs):
 class BearerHeader(ClientSecretBasic):
     """
     """
+    tag = "bearer_header"
 
-    def verify(self, request, authorization_info, **kwargs):
-        if not authorization_info.startswith("Bearer "):
-            raise AuthnFailure("Wrong type of authorization token")
+    def is_usable(self, request=None, authorization_info=None):
+        if authorization_info is not None and authorization_info.startswith("Bearer "):
+            return True
+        return False
 
+    def verify(self, authorization_info, **kwargs):
         return {"token": authorization_info.split(" ", 1)[1]}
 
 
 class BearerBody(ClientSecretPost):
     """
     Same as Client Secret Post
     """
+    tag = "bearer_body"
+
+    def is_usable(self, request=None, authorization_info=None):
+        if request is not None and "access_token" in request:
+            return True
+        return False
 
     def verify(self, request, **kwargs):
-        try:
-            return {"token": request["access_token"]}
-        except KeyError:
+        _token = request.get("access_token")
+        if _token is None:
             raise AuthnFailure("No access token")
 
+        res = {"token": _token}
+        _client_id = request.get("client_id")
+        if _client_id:
+            res["client_id"] = _client_id
+        return res
+
 
 class JWSAuthnMethod(ClientAuthnMethod):
-    def verify(self, request, **kwargs):
-        _jwt = JWT(self.endpoint_context.keyjar)
+    def is_usable(self, request=None, authorization_info=None):
+        if request is None:
+            return False
+        if "client_assertion" in request:
+            return True
+        return False
+
+    def verify(self, request, key_type, **kwargs):
+        _jwt = JWT(self.endpoint_context.keyjar, msg_cls=JsonWebToken)
         try:
             ca_jwt = _jwt.unpack(request["client_assertion"])
         except (Invalid, MissingKey, BadSignature) as err:
             logger.info("%s" % sanitize(err))
             raise AuthnFailure("Could not verify client_assertion.")
 
-        authtoken = sanitize(ca_jwt)
-        if hasattr(ca_jwt, "to_dict") and callable(ca_jwt, "to_dict"):
-            authtoken = sanitize(ca_jwt.to_dict())
+        _sign_alg = ca_jwt.jws_header.get("alg")
+        if _sign_alg and _sign_alg.startswith("HS"):
+            if key_type == "private_key":
+                raise AttributeError("Wrong key type")
+            keys = self.endpoint_context.keyjar.get("sig", 'oct', ca_jwt["iss"],
+                                                    ca_jwt.jws_header.get("kid"))
+            _secret = self.endpoint_context.cdb[ca_jwt["iss"]].get('client_secret')
+            if _secret and keys[0].key != as_bytes(_secret):
+                raise AttributeError("Oct key used for signing not client_secret")
+        else:
+            if key_type == "client_secret":
+                raise AttributeError("Wrong key type")
+
+        authtoken = sanitize(ca_jwt.to_dict())
         logger.debug("authntoken: {}".format(authtoken))
 
         _endpoint = kwargs.get("endpoint")
@@ -179,12 +232,28 @@ class ClientSecretJWT(JWSAuthnMethod):
     The HMAC (Hash-based Message Authentication Code) is calculated using the
     bytes of the UTF-8 representation of the client_secret as the shared key.
     """
+    tag = "client_secret_jwt"
+
+    def verify(self, request=None, **kwargs):
+        res = JWSAuthnMethod.verify(self, request, key_type="client_secret",
+                                    **kwargs)
+        # Verify that a HS alg was used
+        res['method'] = self.tag
+        return res
 
 
 class PrivateKeyJWT(JWSAuthnMethod):
     """
     Clients that have registered a public key sign a JWT using that key.
     """
+    tag = "private_key_jwt"
+
+    def verify(self, request=None, **kwargs):
+        res = JWSAuthnMethod.verify(self, request, key_type="private_key",
+                                    **kwargs)
+        # Verify that an RS or ES alg was used
+        res['method'] = self.tag
+        return res
 
 
 CLIENT_AUTHN_METHOD = {
@@ -208,9 +277,12 @@ def valid_client_info(cinfo):
 
 
 def verify_client(
-        endpoint_context, request, authorization_info=None, get_client_id_from_token=None,
-        endpoint=None, also_known_as=None
-):
+        endpoint_context,
+        request,
+        authorization_info=None,
+        get_client_id_from_token=None,
+        endpoint=None,
+        also_known_as=None):
     """
     Initiated Guessing !
 
@@ -229,34 +301,28 @@ def verify_client(
         strings_parade = ("{} {}".format(k, v) for k, v in authorization_info.items())
         authorization_info = " ".join(strings_parade)
 
-    if authorization_info is None:
-        if "client_id" in request and "client_secret" in request:
-            auth_info = ClientSecretPost(endpoint_context).verify(request)
-            auth_info["method"] = "client_secret_post"
-        elif "client_assertion" in request:
-            auth_info = JWSAuthnMethod(endpoint_context).verify(request, endpoint=endpoint)
-            #  If symmetric key was used
-            # auth_method = 'client_secret_jwt'
-            #  If asymmetric key was used
-            auth_info["method"] = "private_key_jwt"
-        elif "access_token" in request:
-            auth_info = BearerBody(endpoint_context).verify(request)
-            auth_info["method"] = "bearer_body"
-        else:
-            raise UnknownOrNoAuthnMethod()
-    else:
-        if authorization_info.startswith("Basic "):
-            auth_info = ClientSecretBasic(endpoint_context).verify(
-                request, authorization_info
-            )
-            auth_info["method"] = "client_secret_basic"
-        elif authorization_info.startswith("Bearer "):
-            auth_info = BearerHeader(endpoint_context).verify(
-                request, authorization_info
-            )
-            auth_info["method"] = "bearer_header"
-        else:
-            raise UnknownOrNoAuthnMethod(authorization_info)
+    auth_info = {}
+    _methods = []
+    if endpoint:
+        try:
+            _methods = endpoint_context.endpoint[endpoint].client_authn_method
+        except AttributeError:
+            pass
+
+    for _method in _methods:
+        if _method.is_usable(request, authorization_info):
+            try:
+                auth_info = _method.verify(request=request, authorization_info=authorization_info,
+                                           endpoint=endpoint)
+            except Exception as err:
+                logger.warning("Verifying auth using {} failed: {}".format(_method.tag, err))
+            else:
+                if "method" not in auth_info:
+                    auth_info["method"] = _method.tag
+                break
+
+    if not auth_info:
+        return auth_info
 
     if also_known_as:
         client_id = also_known_as[auth_info.get("client_id")]
@@ -303,3 +369,16 @@ def verify_client(
             raise ValueError("Unknown token")
 
     return auth_info
+
+
+def client_auth_setup(auth_set, endpoint_context):
+    res = []
+
+    for item in auth_set:
+        _cls = CLIENT_AUTHN_METHOD.get(item)
+        if _cls:
+            res.append(_cls(endpoint_context))
+        else:
+            res.append(importer(item)(endpoint_context))
+
+    return res

src/oidcendpoint/endpoint.py

@@ -11,8 +11,9 @@
 
 from oidcendpoint import sanitize
 from oidcendpoint.client_authn import UnknownOrNoAuthnMethod
-from oidcendpoint.client_authn import WrongAuthnMethod
+from oidcendpoint.client_authn import client_auth_setup
 from oidcendpoint.client_authn import verify_client
+from oidcendpoint.exception import UnAuthorizedClient
 from oidcendpoint.util import OAUTH2_NOCACHE_HEADERS
 
 __author__ = "Roland Hedberg"
@@ -176,13 +177,13 @@ def __init__(self, endpoint_context, **kwargs):
             if _val:
                 setattr(self, param, _val)
 
-        if "client_authn_method" in kwargs:
-            self.client_authn_method = kwargs["client_authn_method"]
-        elif self.default_capabilities is not None:
-            if "client_authn_method" in self.default_capabilities:
-                self.client_authn_method = self.default_capabilities[
-                    "client_authn_method"
-                ]
+        _methods = kwargs.get("client_authn_method")
+        if _methods:
+            self.client_authn_method = client_auth_setup(_methods, endpoint_context)
+        elif self.default_capabilities:
+            _methods = self.default_capabilities.get("client_authn_method")
+            if _methods:
+                self.client_authn_method = client_auth_setup(_methods, endpoint_context)
 
         self.endpoint_info = construct_endpoint_info(
             self.default_capabilities, **kwargs
@@ -284,10 +285,8 @@ def client_authentication(self, request, auth=None, **kwargs):
                 else:
                     raise
 
-        if authn_info["method"] not in self.client_authn_method:
-            LOGGER.error("Wrong client authentication method was used: %s",
-                         authn_info["method"])
-            raise WrongAuthnMethod("Wrong authn method: {}".format(authn_info["method"]))
+        if authn_info == {} and self.client_authn_method and len(self.client_authn_method):
+            raise UnAuthorizedClient("Authorization failed")
 
         return authn_info
 

src/oidcendpoint/oidc/userinfo.py

@@ -141,7 +141,7 @@ def parse_request(self, request, auth=None, **kwargs):
             request = {}
 
         # Verify that the client is allowed to do this
-        auth_info = self.client_authentication(request, auth, **kwargs)
+        auth_info = self.client_authentication(request, auth, endpoint="userinfo", **kwargs)
         if isinstance(auth_info, ResponseMessage):
             return auth_info
         else:

tests/test_02_client_authn.py renamed to tests/test_02_client_authn.py.old

@@ -9,6 +9,7 @@
 from oidcendpoint.client_authn import verify_client
 from oidcendpoint.endpoint_context import EndpointContext
 from oidcendpoint.exception import MultipleUsage
+from oidcendpoint.exception import UnAuthorizedClient
 from oidcendpoint.oidc import userinfo
 from oidcendpoint.oidc.authorization import Authorization
 from oidcendpoint.oidc.provider_config import ProviderConfiguration
@@ -249,6 +250,6 @@ def test_process_request_using_private_key_jwt(self):
         _resp = self.endpoint.process_request(request=_req)
 
         # 2nd time used
-        with pytest.raises(MultipleUsage):
+        with pytest.raises(UnAuthorizedClient):
             self.endpoint.parse_request(_token_request)
 

tests/test_25_oidc_token_endpoint.py

@@ -17,6 +17,7 @@
 from oidcendpoint.client_authn import WrongAuthnMethod
 from oidcendpoint.client_authn import verify_client
 from oidcendpoint.endpoint_context import EndpointContext
+from oidcendpoint.exception import UnAuthorizedClient
 from oidcendpoint.oauth2.authorization import Authorization
 from oidcendpoint.oauth2.introspection import Introspection
 from oidcendpoint.oidc.token_coop import TokenCoop
@@ -110,7 +111,7 @@ def create_endpoint(self):
                     "class": Introspection,
                     "kwargs": {
                         "release": ["username"],
-                        "client_authn_method": {"client_secret_post": ClientSecretPost},
+                        "client_authn_method": ["client_secret_post"],
                     },
                 },
                 "token": {
@@ -175,7 +176,7 @@ def test_parse_no_authn(self):
             self.introspection_endpoint.endpoint_context, AUTH_REQ, uid="diana"
         )
         _token = self._create_jwt("diana")
-        with pytest.raises(UnknownOrNoAuthnMethod):
+        with pytest.raises(UnAuthorizedClient):
             self.introspection_endpoint.parse_request({"token": _token})
 
     def test_parse_with_client_auth_in_req(self):
@@ -203,7 +204,7 @@ def test_parse_with_wrong_client_authn(self):
         _basic_token = as_unicode(base64.b64encode(as_bytes(_basic_token)))
         _basic_authz = "Basic {}".format(_basic_token)
 
-        with pytest.raises(WrongAuthnMethod):
+        with pytest.raises(UnAuthorizedClient):
             self.introspection_endpoint.parse_request({"token": _token}, _basic_authz)
 
     def test_process_request(self):