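--- a/src/idpyoidc/server/client_authn.py
+++ b/src/idpyoidc/server/client_authn.py
@@ -512,7 +512,10 @@ def verify_client(
 if _get_client_info:
 _cinfo = _get_client_info(client_id, _context)
 else:
-_cinfo = _context.cdb[client_id]
+try:
+_cinfo = _context.cdb[client_id]
+except KeyError:
+raise UnknownClient("Unknown Client ID")
 
 if not _cinfo:
 raise UnknownClient("Unknown Client ID")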
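Review bot: The new try/except in the else branch duplicates the UnknownClient raise that already follows on the `if not _cinfo` line; if cdb is a plain mapping, `_cinfo = _context.cdb.get(client_id)` would let a missing entry fall through to that existing check, keeping a single failure path with the same message for both an absent and an empty client record. If the explicit except is kept, `raise UnknownClient("Unknown Client ID") from None` avoids chaining the internal KeyError into the traceback. verify_client's signature and the rest of its body lie outside the hunk.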
3 changes: 2 additions & 1 deletion src/idpyoidc/server/oauth2/add_on/pkce.py
Expand Up @@ -8,6 +8,7 @@
from idpyoidc.message.oauth2 import AuthorizationErrorResponse
from idpyoidc.message.oauth2 import RefreshAccessTokenRequest
from idpyoidc.message.oauth2 import TokenExchangeRequest
from idpyoidc.message.oauth2 import CCAccessTokenRequest
from idpyoidc.message.oidc import TokenErrorResponse
from idpyoidc.server.endpoint import Endpoint

Expand Down Expand Up @@ -93,7 +94,7 @@ def post_token_parse(request, client_id, context, **kwargs):
"""
if isinstance(
request,
(AuthorizationErrorResponse, RefreshAccessTokenRequest, TokenExchangeRequest),
(AuthorizationErrorResponse, RefreshAccessTokenRequest, TokenExchangeRequest, CCAccessTokenRequest),
):
return request

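Review bot: The tuple of request types that skip PKCE verification in the isinstance call has grown to four entries with no comment stating why they are exempt, which makes the list hard to audit the next time a grant type is added. A one-line comment above the isinstance such as `# Requests that carry no authorization code, so there is no code_verifier to check`, or a module-level constant `_PKCE_EXEMPT_REQUESTS = (AuthorizationErrorResponse, RefreshAccessTokenRequest, TokenExchangeRequest, CCAccessTokenRequest)` used in the isinstance, would record the rationale. Exempting the client credentials token request is consistent with that grant having no authorization step, so the change itself looks correct. post_token_parse's docstring closes at the top of the hunk and the remainder of its body is outside it.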
14 changes: 12 additions & 2 deletions src/idpyoidc/server/oauth2/introspection.py
Expand Up @@ -32,6 +32,7 @@ class Introspection(Endpoint):
def __init__(self, upstream_get, **kwargs):
Endpoint.__init__(self, upstream_get, **kwargs)
self.offset = kwargs.get("offset", 0)
self.enforce_aud_restriction = kwargs.get("enforce_audience_restriction", True)

def _introspect(self, token, client_id, grant):
# Make sure that the token is an access_token or a refresh_token
Expand Down Expand Up @@ -114,8 +115,17 @@ def process_request(self, request=None, release: Optional[list] = None, **kwargs
if not aud:
aud = grant.resources

if request["client_id"] not in aud:
return {"response_args": _resp}
client_id = request["client_id"]
try:
_cinfo = _context.cdb[client_id]
enforce_aud_restriction = _cinfo.get(
"enforce_audience_restriction", self.enforce_aud_restriction
)
except:
enforce_aud_restriction = self.enforce_aud_restriction
if enforce_aud_restriction:
if request["client_id"] not in aud:
return {"response_args": _resp}

_info = self._introspect(_token, _session_info["client_id"], _session_info["grant"])
if _info is None:
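Review bot: The bare `except:` around the cdb lookup catches every exception, not only a missing client entry, so any real fault in that lookup silently falls back to the server-wide default instead of surfacing; narrow it to `except KeyError:`, or, if cdb is a plain mapping, replace the try block with `_cinfo = _context.cdb.get(client_id, {})` followed by the same `_cinfo.get(...)` call. Since the per-client `enforce_audience_restriction` value overrides the server setting, it is worth confirming that this key cannot be supplied by the client itself through dynamic registration, otherwise a client could opt out of the audience check on its own. The added test only sets the server-level flag to True, so neither the per-client override nor the False path is exercised. The two nested ifs can also be collapsed to `if enforce_aud_restriction and request["client_id"] not in aud:`. process_request starts and continues outside the hunk.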
1 change: 1 addition & 0 deletions tests/test_server_31_oauth2_introspection.py
Expand Up @@ -132,6 +132,7 @@ def create_endpoint(self, jwt_token):
"kwargs": {
"client_authn_method": ["client_secret_post"],
"enable_claims_per_client": False,
"enforce_audience_restriction": True,
},
},
"token": {