def _post_parse_request(self, request, client_id="", **kwargs):
"""
This is where clients come to refresh their access tokens
:param request: The request
:param authn: Authentication info, comes from HTTP header
:returns:
"""
request = RefreshAccessTokenRequest(**request.to_dict())
try:
keyjar = self.endpoint_context.keyjar
except AttributeError:
keyjar = ""
request.verify(keyjar=keyjar, opponent_id=client_id)
if "client_id" not in request: # Optional for refresh access token request
request["client_id"] = client_id
logger.debug("%s: %s" %
(request.__class__.__name__, sanitize(request)))
return request
def _post_parse_request(self, request, client_id='', **kwargs):
"""
This is where clients come to get their access tokens
:param request: The request
:param authn: Authentication info, comes from HTTP header
:returns:
"""
if 'state' in request:
try:
sinfo = self.endpoint_context.sdb[request['code']]
except KeyError:
logger.error('Code not present in SessionDB')
return self.error_cls(error="unauthorized_client")
else:
state = sinfo['authn_req']['state']
if state != request['state']:
logger.error('State value mismatch')
return self.error_cls(error="unauthorized_client")
if "refresh_token" in request:
request = RefreshAccessTokenRequest(**request.to_dict())
try:
keyjar = self.endpoint_context.keyjar
except AttributeError:
keyjar = ""
request.verify(keyjar=keyjar, opponent_id=client_id)
if "client_id" not in request: # Optional for access token request
request["client_id"] = client_id
logger.debug("%s: %s" %
(request.__class__.__name__, sanitize(request)))
return request
def post_parse_request(
self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
):
"""
This is where clients come to refresh their access tokens
:param request: The request
:param client_id: Client identifier
:returns:
"""
request = RefreshAccessTokenRequest(**request.to_dict())
_context = self.endpoint.server_get("endpoint_context")
try:
keyjar = _context.keyjar
except AttributeError:
keyjar = ""
request.verify(keyjar=keyjar, opponent_id=client_id)
_mngr = _context.session_manager
try:
_session_info = _mngr.get_session_info_by_token(request["refresh_token"], grant=True)
except KeyError:
logger.error("Access Code invalid")
return self.error_cls(error="invalid_grant")
grant = _session_info["grant"]
token = grant.get_token(request["refresh_token"])
if not isinstance(token, RefreshToken):
return self.error_cls(error="invalid_request", error_description="Wrong token type")
if token.is_active() is False:
return self.error_cls(
error="invalid_request", error_description="Refresh token inactive"
)
if "scope" in request:
req_scopes = set(request["scope"])
scopes = set(grant.find_scope(token.based_on))
if scopes < req_scopes:
return self.error_cls(
error="invalid_request",
error_description="Invalid refresh scopes",
)
return request
def _refresh_token_post_parse_request(self,
request,
client_id="",
**kwargs):
"""
This is where clients come to refresh their access tokens
:param request: The request
:param authn: Authentication info, comes from HTTP header
:returns:
"""
request = RefreshAccessTokenRequest(**request.to_dict())
# verify that the request message is correct
try:
request.verify(keyjar=self.endpoint_context.keyjar)
except (MissingRequiredAttribute, ValueError,
MissingRequiredValue) as err:
return self.error_cls(error="invalid_request",
error_description="%s" % err)
try:
keyjar = self.endpoint_context.keyjar
except AttributeError:
keyjar = ""
request.verify(keyjar=keyjar, opponent_id=client_id)
if "client_id" not in request: # Optional for refresh access token request
request["client_id"] = client_id
logger.debug("%s: %s" %
(request.__class__.__name__, sanitize(request)))
return request
redirect_uri="https://example.com/cb",
scope=["openid"],
state="STATE",
response_type="code",
)
TOKEN_REQ = AccessTokenRequest(
client_id="client_1",
redirect_uri="https://example.com/cb",
state="STATE",
grant_type="authorization_code",
client_secret="hemligt",
)
REFRESH_TOKEN_REQ = RefreshAccessTokenRequest(grant_type="refresh_token",
client_id="client_1",
client_secret="hemligt")
TOKEN_REQ_DICT = TOKEN_REQ.to_dict()
BASEDIR = os.path.abspath(os.path.dirname(__file__))
def full_path(local_file):
return os.path.join(BASEDIR, local_file)
USERINFO = UserInfo(json.loads(open(full_path("users.json")).read()))
@pytest.fixture
def test_code_flow(self):
# code is a Token instance
code = self.auth()
# next step is access token request
TOKEN_REQ = AccessTokenRequest(
client_id="client_1",
redirect_uri="https://example.com/cb",
state="STATE",
grant_type="authorization_code",
client_secret="hemligt",
code=code.value,
)
# parse the token
session_id = self.session_manager.token_handler.sid(TOKEN_REQ["code"])
user_id, client_id, grant_id = self.session_manager.decrypt_session_id(
session_id)
# Now given I have the client_id from the request and the user_id from the
# token I can easily find the grant
# client_info = self.session_manager.get([user_id, TOKEN_REQ['client_id']])
tok = self.session_manager.find_token(session_id, TOKEN_REQ["code"])
# Verify that it's of the correct type and can be used
assert tok.token_class == "authorization_code"
assert tok.is_active()
# Mint an access token and a refresh token and mark the code as used
assert tok.supports_minting("access_token")
client_info = self.session_manager.get(
[user_id, TOKEN_REQ["client_id"]])
assert tok.supports_minting("access_token")
grant = self.session_manager[session_id]
grant.mint_token(
session_id=session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=self.session_manager.token_handler["access_token"],
expires_at=time_sans_frac() + 900, # 15 minutes from now
based_on=tok, # Means the token (tok) was used to mint this token
)
# this test is include in the mint_token methods
# assert tok.supports_minting("refresh_token")
refresh_token = grant.mint_token(
session_id=session_id,
endpoint_context=self.endpoint_context,
token_class="refresh_token",
token_handler=self.session_manager.token_handler["refresh_token"],
based_on=tok,
)
tok.register_usage()
assert tok.max_usage_reached() is True
# A bit later a refresh token is used to mint a new access token
REFRESH_TOKEN_REQ = RefreshAccessTokenRequest(
grant_type="refresh_token",
client_id="client_1",
client_secret="hemligt",
refresh_token=refresh_token.value,
scope=["openid", "mail", "offline_access"],
)
session_id = self.session_manager.encrypted_session_id(
user_id, REFRESH_TOKEN_REQ["client_id"], grant_id)
reftok = self.session_manager.find_token(
session_id, REFRESH_TOKEN_REQ["refresh_token"])
# Can I use this token to mint another token ?
assert grant.is_active()
user_claims = self.endpoint_context.userinfo(
user_id,
client_id=TOKEN_REQ["client_id"],
user_info_claims=grant.claims)
access_token_2 = grant.mint_token(
session_id=session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=self.session_manager.token_handler["access_token"],
expires_at=time_sans_frac() + 900, # 15 minutes from now
based_on=
reftok, # Means the refresh token (reftok) was used to mint this token
)
assert access_token_2.is_active()
token_info = self.session_manager.token_handler.info(
access_token_2.value)
assert token_info