Skip to content

Commit

Permalink
Merge pull request #72 from ctriant/userinfo-unbind-auth-event
Browse files Browse the repository at this point in the history 
Unbind authentication event lifetime from userinfo response
  • Loading branch information
@rohe
rohe authored Aug 7, 2023
2 parents 9faec70 + 2293ba5 commit 8231bd9
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 54 deletions.
50 changes: 14 additions & 36 deletions src/idpyoidc/server/oidc/userinfo.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,44 +133,22 @@ def process_request(self, request=None, **kwargs):
if token.is_active() is False:
return self.error_cls(error="invalid_token", error_description="Invalid Token")

allowed = True
_auth_event = _grant.authentication_event
# if the authentication is still active or offline_access is granted.
if not _auth_event["valid_until"] >= utc_time_sans_frac():
logger.debug(
"authentication not valid: {} > {}".format(
datetime.fromtimestamp(_auth_event["valid_until"]),
datetime.fromtimestamp(utc_time_sans_frac()),
)
)
allowed = False

# This has to be made more fine grained.
# if "offline_access" in session["authn_req"]["scope"]:
# pass

if allowed:
_cntxt = self.upstream_get("context")
_claims_restriction = _cntxt.claims_interface.get_claims(
_session_info["branch_id"], scopes=token.scope, claims_release_point="userinfo"
)
info = _cntxt.claims_interface.get_user_claims(
_session_info["user_id"], claims_restriction=_claims_restriction
)
info["sub"] = _grant.sub
if _grant.add_acr_value("userinfo"):
info["acr"] = _grant.authentication_event["authn_info"]
_cntxt = self.upstream_get("context")
_claims_restriction = _cntxt.claims_interface.get_claims(
_session_info["branch_id"], scopes=token.scope, claims_release_point="userinfo"
)
info = _cntxt.claims_interface.get_user_claims(
_session_info["user_id"], claims_restriction=_claims_restriction
)
info["sub"] = _grant.sub
if _grant.add_acr_value("userinfo"):
info["acr"] = _grant.authentication_event["authn_info"]

if "userinfo" in _cntxt.cdb[request["client_id"]]:
self.config["policy"] = _cntxt.cdb[request["client_id"]]["userinfo"]["policy"]
if "userinfo" in _cntxt.cdb[request["client_id"]]:
self.config["policy"] = _cntxt.cdb[request["client_id"]]["userinfo"]["policy"]

if "policy" in self.config:
info = self._enforce_policy(request, info, token, self.config)
else:
info = {
"error": "invalid_request",
"error_description": "Access not granted",
}
if "policy" in self.config:
info = self._enforce_policy(request, info, token, self.config)

return {"response_args": info, "client_id": _session_info["client_id"]}

Expand Down
18 changes: 0 additions & 18 deletions tests/test_server_26_oidc_userinfo_endpoint.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -310,24 +310,6 @@ def test_process_request(self):
args = self.endpoint.process_request(_req, http_info=http_info)
assert args

def test_process_request_not_allowed(self):
session_id = self._create_session(AUTH_REQ)
grant = self.session_manager[session_id]
code = self._mint_code(grant, session_id)
access_token = self._mint_token("access_token", grant, session_id, code)

# 2 things can make the request invalid.
# 1) The token is not valid anymore or 2) The event is not valid.
_event = grant.authentication_event
_event["authn_time"] -= 9000
_event["valid_until"] -= 9000

http_info = {"headers": {"authorization": "Bearer {}".format(access_token.value)}}
_req = self.endpoint.parse_request({}, http_info=http_info)

args = self.endpoint.process_request(_req, http_info=http_info)
assert set(args["response_args"].keys()) == {"error", "error_description"}

def test_do_response(self):
session_id = self._create_session(AUTH_REQ)
grant = self.session_manager[session_id]
Expand Down

0 comments on commit 8231bd9

Please sign in to comment.