def test_by_schema(): # There are no requested or optional claims defined for Message assert by_schema(Message, sub='John') == {} assert by_schema(OpenIDSchema, sub='John', given_name='John', age=34) == { 'sub': 'John', 'given_name': 'John' }
def test_by_schema(): # There are no requested or optional claims defined for Message assert by_schema(Message, sub="John") == {} assert by_schema(OpenIDSchema, sub="John", given_name="John", age=34) == { "sub": "John", "given_name": "John", }
def _refresh_access_token(self, req, **kwargs): _sdb = self.endpoint_context.sdb rtoken = req["refresh_token"] try: _info = _sdb.refresh_token(rtoken) except ExpiredToken: return self.error_cls(error="invalid_request", error_description="Refresh token is expired") return by_schema(AccessTokenResponse, **_info)
def _refresh_access_token(self, req, **kwargs): _sdb = self.endpoint_context.sdb client_id = str(req['client_id']) if req["grant_type"] != "refresh_token": return self.error_cls(error='invalid_request', error_description='Wrong grant_type') rtoken = req["refresh_token"] try: _info = _sdb.refresh_token(rtoken, client_id=client_id) except ExpiredToken: return self.error_cls(error="invalid_request", error_description="Refresh token is expired") return by_schema(AccessTokenResponse, **_info)
def _access_token(self, req, **kwargs): _context = self.endpoint_context _sdb = _context.sdb _log_debug = logger.debug try: _access_code = req["code"].replace(" ", "+") except KeyError: # Missing code parameter - absolutely fatal return self.error_cls(error="invalid_request", error_description="Missing code") # Session might not exist or _access_code malformed try: _info = _sdb[_access_code] except KeyError: return self.error_cls(error="invalid_request", error_description="Code is invalid") _authn_req = _info["authn_req"] # assert that the code is valid if _context.sdb.is_session_revoked(_access_code): return self.error_cls(error="invalid_request", error_description="Session is revoked") # If redirect_uri was in the initial authorization request # verify that the one given here is the correct one. if "redirect_uri" in _authn_req: if req["redirect_uri"] != _authn_req["redirect_uri"]: return self.error_cls( error="invalid_request", error_description="redirect_uri mismatch") _log_debug("All checks OK") issue_refresh = False if "issue_refresh" in kwargs: issue_refresh = kwargs["issue_refresh"] # offline_access the default if nothing is specified permissions = _info.get("permission", ["offline_access"]) if "offline_access" in _authn_req[ "scope"] and "offline_access" in permissions: issue_refresh = True try: _info = _sdb.upgrade_to_token(_access_code, issue_refresh=issue_refresh) except AccessCodeUsed as err: logger.error("%s" % err) # Should revoke the token issued to this access code _sdb.revoke_all_tokens(_access_code) return self.error_cls(error="access_denied", error_description="Access Code already used") if "openid" in _authn_req["scope"]: try: _idtoken = _context.idtoken.make(req, _info, _authn_req) except (JWEException, NoSuitableSigningKeys) as err: logger.warning(str(err)) resp = TokenErrorResponse( error="invalid_request", error_description="Could not sign/encrypt id_token", ) return resp _sdb.update_by_token(_access_code, id_token=_idtoken) _info = _sdb[_info['sid']] return by_schema(AccessTokenResponse, **_info)
def _access_token(self, req, **kwargs): _context = self.endpoint_context _sdb = _context.sdb _log_debug = logger.debug if req["grant_type"] != "authorization_code": return self.error_cls(error='invalid_request', error_description='Unknown grant_type') try: _access_code = req["code"].replace(' ', '+') except KeyError: # Missing code parameter - absolutely fatal return self.error_cls(error='invalid_request', error_description='Missing code') # Session might not exist or _access_code malformed try: _info = _sdb[_access_code] except KeyError: return self.error_cls(error="invalid_request", error_description="Code is invalid") _authn_req = _info['authn_req'] # assert that the code is valid if _context.sdb.is_session_revoked(_access_code): return self.error_cls(error="invalid_request", error_description="Session is revoked") # If redirect_uri was in the initial authorization request # verify that the one given here is the correct one. if "redirect_uri" in _authn_req: if req["redirect_uri"] != _authn_req["redirect_uri"]: return self.error_cls(error="invalid_request", error_description="redirect_uri mismatch") _log_debug("All checks OK") issue_refresh = False if "issue_refresh" in kwargs: issue_refresh = kwargs["issue_refresh"] # offline_access the default if nothing is specified permissions = _info.get('permission', ['offline_access']) if 'offline_access' in _authn_req['scope'] and 'offline_access' in permissions: issue_refresh = True try: _info = _sdb.upgrade_to_token(_access_code, issue_refresh=issue_refresh) except AccessCodeUsed as err: logger.error("%s" % err) # Should revoke the token issued to this access code _sdb.revoke_all_tokens(_access_code) return self.error_cls(error="access_denied", error_description="Access Code already used") if "openid" in _authn_req["scope"]: userinfo = userinfo_in_id_token_claims(_context, _info) try: _client_id = req['client_id'] except KeyError: _client_id = _authn_req['client_id'] try: _idtoken = sign_encrypt_id_token(_context, _info, _client_id, sign=True, user_info=userinfo) except (JWEException, NoSuitableSigningKeys) as err: logger.warning(str(err)) return self.error_cls( error="invalid_request", error_description="Could not sign/encrypt id_token") _sdb.update_by_token(_access_code, id_token=_idtoken) _info = _sdb[_access_code] return by_schema(AccessTokenResponse, **_info)