def test_by_schema():
# There are no requested or optional claims defined for Message
assert by_schema(Message, sub='John') == {}
assert by_schema(OpenIDSchema, sub='John', given_name='John', age=34) == {
'sub': 'John',
'given_name': 'John'
}
def test_by_schema():
# There are no requested or optional claims defined for Message
assert by_schema(Message, sub="John") == {}
assert by_schema(OpenIDSchema, sub="John", given_name="John", age=34) == {
"sub": "John",
"given_name": "John",
}
def _refresh_access_token(self, req, **kwargs):
_sdb = self.endpoint_context.sdb
rtoken = req["refresh_token"]
try:
_info = _sdb.refresh_token(rtoken)
except ExpiredToken:
return self.error_cls(error="invalid_request",
error_description="Refresh token is expired")
return by_schema(AccessTokenResponse, **_info)
def _refresh_access_token(self, req, **kwargs):
_sdb = self.endpoint_context.sdb
client_id = str(req['client_id'])
if req["grant_type"] != "refresh_token":
return self.error_cls(error='invalid_request',
error_description='Wrong grant_type')
rtoken = req["refresh_token"]
try:
_info = _sdb.refresh_token(rtoken, client_id=client_id)
except ExpiredToken:
return self.error_cls(error="invalid_request",
error_description="Refresh token is expired")
return by_schema(AccessTokenResponse, **_info)
def _access_token(self, req, **kwargs):
_context = self.endpoint_context
_sdb = _context.sdb
_log_debug = logger.debug
try:
_access_code = req["code"].replace(" ", "+")
except KeyError: # Missing code parameter - absolutely fatal
return self.error_cls(error="invalid_request",
error_description="Missing code")
# Session might not exist or _access_code malformed
try:
_info = _sdb[_access_code]
except KeyError:
return self.error_cls(error="invalid_request",
error_description="Code is invalid")
_authn_req = _info["authn_req"]
# assert that the code is valid
if _context.sdb.is_session_revoked(_access_code):
return self.error_cls(error="invalid_request",
error_description="Session is revoked")
# If redirect_uri was in the initial authorization request
# verify that the one given here is the correct one.
if "redirect_uri" in _authn_req:
if req["redirect_uri"] != _authn_req["redirect_uri"]:
return self.error_cls(
error="invalid_request",
error_description="redirect_uri mismatch")
_log_debug("All checks OK")
issue_refresh = False
if "issue_refresh" in kwargs:
issue_refresh = kwargs["issue_refresh"]
# offline_access the default if nothing is specified
permissions = _info.get("permission", ["offline_access"])
if "offline_access" in _authn_req[
"scope"] and "offline_access" in permissions:
issue_refresh = True
try:
_info = _sdb.upgrade_to_token(_access_code,
issue_refresh=issue_refresh)
except AccessCodeUsed as err:
logger.error("%s" % err)
# Should revoke the token issued to this access code
_sdb.revoke_all_tokens(_access_code)
return self.error_cls(error="access_denied",
error_description="Access Code already used")
if "openid" in _authn_req["scope"]:
try:
_idtoken = _context.idtoken.make(req, _info, _authn_req)
except (JWEException, NoSuitableSigningKeys) as err:
logger.warning(str(err))
resp = TokenErrorResponse(
error="invalid_request",
error_description="Could not sign/encrypt id_token",
)
return resp
_sdb.update_by_token(_access_code, id_token=_idtoken)
_info = _sdb[_info['sid']]
return by_schema(AccessTokenResponse, **_info)
def _access_token(self, req, **kwargs):
_context = self.endpoint_context
_sdb = _context.sdb
_log_debug = logger.debug
if req["grant_type"] != "authorization_code":
return self.error_cls(error='invalid_request',
error_description='Unknown grant_type')
try:
_access_code = req["code"].replace(' ', '+')
except KeyError: # Missing code parameter - absolutely fatal
return self.error_cls(error='invalid_request',
error_description='Missing code')
# Session might not exist or _access_code malformed
try:
_info = _sdb[_access_code]
except KeyError:
return self.error_cls(error="invalid_request",
error_description="Code is invalid")
_authn_req = _info['authn_req']
# assert that the code is valid
if _context.sdb.is_session_revoked(_access_code):
return self.error_cls(error="invalid_request",
error_description="Session is revoked")
# If redirect_uri was in the initial authorization request
# verify that the one given here is the correct one.
if "redirect_uri" in _authn_req:
if req["redirect_uri"] != _authn_req["redirect_uri"]:
return self.error_cls(error="invalid_request",
error_description="redirect_uri mismatch")
_log_debug("All checks OK")
issue_refresh = False
if "issue_refresh" in kwargs:
issue_refresh = kwargs["issue_refresh"]
# offline_access the default if nothing is specified
permissions = _info.get('permission', ['offline_access'])
if 'offline_access' in _authn_req['scope'] and 'offline_access' in permissions:
issue_refresh = True
try:
_info = _sdb.upgrade_to_token(_access_code,
issue_refresh=issue_refresh)
except AccessCodeUsed as err:
logger.error("%s" % err)
# Should revoke the token issued to this access code
_sdb.revoke_all_tokens(_access_code)
return self.error_cls(error="access_denied",
error_description="Access Code already used")
if "openid" in _authn_req["scope"]:
userinfo = userinfo_in_id_token_claims(_context, _info)
try:
_client_id = req['client_id']
except KeyError:
_client_id = _authn_req['client_id']
try:
_idtoken = sign_encrypt_id_token(_context, _info, _client_id,
sign=True, user_info=userinfo)
except (JWEException, NoSuitableSigningKeys) as err:
logger.warning(str(err))
return self.error_cls(
error="invalid_request",
error_description="Could not sign/encrypt id_token")
_sdb.update_by_token(_access_code, id_token=_idtoken)
_info = _sdb[_access_code]
return by_schema(AccessTokenResponse, **_info)
