Add validation for authorization_params and requested_expiry

adamjmcgrath · adamjmcgrath · commit dd36b800202c · 2025-09-15T13:03:42.000+01:00
diff --git a/src/auth0_server_python/auth_server/server_client.py b/src/auth0_server_python/auth_server/server_client.py
@@ -936,6 +936,22 @@ async def initiate_backchannel_authentication(
                 "login_hint.sub"
             )
 
+        authorization_params = options.get('authorization_params')
+        if authorization_params is not None and not isinstance(authorization_params, dict):
+            raise ApiError(
+                "invalid_argument",
+                "authorization_params must be a dict"
+            )
+
+        if authorization_params:
+            requested_expiry = authorization_params.get("requested_expiry")
+            if requested_expiry is not None:
+                if not isinstance(requested_expiry, int) or requested_expiry <= 0:
+                    raise ApiError(
+                        "invalid_argument",
+                        "authorization_params.requested_expiry must be a positive integer"
+                    )
+
         try:
             # Fetch OpenID Connect metadata if not already fetched
             if not hasattr(self, '_oauth_metadata'):
@@ -976,8 +992,8 @@ async def initiate_backchannel_authentication(
             if self._default_authorization_params:
                 params.update(self._default_authorization_params)
 
-            if options.get('authorization_params'):
-                params.update(options.get('authorization_params'))
+            if authorization_params:
+                params.update(authorization_params)
 
             # Make the backchannel authentication request
             async with httpx.AsyncClient() as client:
diff --git a/src/auth0_server_python/tests/test_server_client.py b/src/auth0_server_python/tests/test_server_client.py
@@ -982,6 +982,26 @@ async def test_initiate_backchannel_authentication_error_response(mocker):
         await client.initiate_backchannel_authentication({"login_hint": {"sub": "user123"}})
     assert "Bad request" in str(exc.value)
 
+@pytest.mark.asyncio
+async def test_authorization_params_not_dict_raises():
+    client = ServerClient("domain", "client_id", "client_secret", secret="s")
+    with pytest.raises(ApiError) as exc:
+        await client.initiate_backchannel_authentication({
+            "login_hint": {"sub": "user_id"},
+            "authorization_params": "not_a_dict"
+        })
+    assert "authorization_params must be a dict" in str(exc.value)
+
+@pytest.mark.asyncio
+async def test_requested_expiry_not_positive_int_raises():
+    client = ServerClient("domain", "client_id", "client_secret", secret="s")
+    with pytest.raises(ApiError) as exc:
+        await client.initiate_backchannel_authentication({
+            "login_hint": {"sub": "user_id"},
+            "authorization_params": {"requested_expiry": -10}
+        })
+    assert "requested_expiry must be a positive integer" in str(exc.value)
+
 @pytest.mark.asyncio
 async def test_backchannel_authentication_grant_success(mocker):
     client = ServerClient(
