From 23efe6dd0638c23e0db90e11d86634c560a92c55 Mon Sep 17 00:00:00 2001
From: Roland Hedberg
Date: Sat, 17 Feb 2018 18:00:20 +0100
Subject: [PATCH] =?UTF-8?q?Grant=5Ftypes=20should=20follow=20response=5Fty?= =?UTF-8?q?pes=20in=20a=20client=20registration=20req=E2=80=A6=20(#493)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* grant_types should follow response_types in a client registration request.
---
CHANGELOG.md | 2 ++
src/oic/oic/__init__.py | 30 ++++++++++++++++++++++++++++++
tests/test_oic_consumer.py | 18 ++++++++++++++++++
3 files changed, 50 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ad7c5534..8c363a3b2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ The format is based on the [KeepAChangeLog] project.
 ## 0.13.0 [Unreleased]
 ### Added
+- [#493] grant_types specification should follow the response_types specification in a client registration request.
 - [#469] Allow endpoints to have query parts
 - [#443] Ability to specify additional supported claims for oic.Provider
 - [#134] Added method kwarg to registration_endpoint that enables the client to read/modify registration
@@ -45,6 +46,7 @@ The format is based on the [KeepAChangeLog] project.
 ### Security
 - [#486] SystemRandom is not imported correctly, so various secrets get initialized with bad randomness
+[#493]: https://github.com/OpenIDC/pyoidc/pull/493
 [#430]: https://github.com/OpenIDC/pyoidc/pull/430
 [#427]: https://github.com/OpenIDC/pyoidc/pull/427
 [#399]: https://github.com/OpenIDC/pyoidc/issues/399
diff --git a/src/oic/oic/__init__.py b/src/oic/oic/__init__.py
index 7730d3294..43d8272cc 100644
--- a/src/oic/oic/__init__.py
+++ b/src/oic/oic/__init__.py
@@ -257,6 +257,32 @@ def add_token(self, resp):
 "enc": "%s_encrypted_response_enc", }
+rt2gt = {
+ 'code': ['authorization_code'],
+ 'id_token': ['implicit'],
+ 'id_token token': ['implicit'],
+ 'code id_token': ['authorization_code', 'implicit'],
+ 'code token': ['authorization_code', 'implicit'],
+ 'code id_token token': ['authorization_code', 'implicit']
+}
+
+
+def response_types_to_grant_types(response_types):
+ _res = set()
+
+ for response_type in response_types:
+ _rt = response_type.split(' ')
+ _rt.sort()
+ try:
+ _gt = rt2gt[" ".join(_rt)]
+ except KeyError:
+ raise ValueError(
+ 'No such response type combination: {}'.format(response_types))
+ else:
+ _res.update(set(_gt))
+
+ return list(_res)
+
 def claims_match(value, claimspec):
 """
@@ -1319,6 +1345,10 @@ def create_registration_request(self, **kwargs):
 except KeyError: pass
+ if 'response_types' in req:
+ req['grant_types'] = response_types_to_grant_types(
+ req['response_types'])
+
 return req
 def register(self, url, **kwargs):
diff --git a/tests/test_oic_consumer.py b/tests/test_oic_consumer.py
index 18fff1fc7..9a4c0cdf3 100644
--- a/tests/test_oic_consumer.py
+++ b/tests/test_oic_consumer.py
@@ -11,6 +11,7 @@
 from oic.oauth2.message import MissingSigningKey
 from oic.oic import DEF_SIGN_ALG
 from oic.oic import Server
+from oic.oic import response_types_to_grant_types
 from oic.oic.consumer import IGNORE
 from oic.oic.consumer import Consumer
 from oic.oic.consumer import clean_response
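Review bot: `rt2gt` has no entry for a bare `token` response type, so `response_types_to_grant_types` raises ValueError for it, and because create_registration_request (second hunk of this file) now calls the helper, a client configured with that response type can no longer build a registration request. If `token` is meant to stay registrable, add `'token': ['implicit']` to the table; if rejecting it is deliberate, say so in a docstring on the helper, which currently has none. The lookup only works because every key is written with its parts in sorted order, which deserves a comment above the table such as `# keys: space-separated response types, parts in sorted order`. Two smaller points in the loop: `response_type.split(' ')` yields empty parts on doubled spaces where `split()` would not, and the error message formats the whole `response_types` list rather than the offending `response_type`.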
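Review bot: The new assignment in create_registration_request overwrites any `grant_types` already present in `req`, so a grant the caller asked for explicitly, `refresh_token` for instance, would be dropped from the registration request without warning. The method's body starts outside the hunk, so whether `req` can carry `grant_types` at this point is an assumption to confirm; if it can, merge rather than replace, e.g. `derived = response_types_to_grant_types(req['response_types'])` then `req['grant_types'] = sorted(set(derived) | set(req['grant_types']))` under an `if 'grant_types' in req` guard. The call also lets ValueError escape from this method for an unmapped response type, which is worth stating in its docstring.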
@@ -70,6 +71,23 @@ def _eq(l1, l2):
 return set(l1) == set(l2)
+def test_response_types_to_grant_types():
+ req_args = ['code']
+ assert set(
+ response_types_to_grant_types(req_args)) == {'authorization_code'}
+ req_args = ['code', 'code id_token']
+ assert set(
+ response_types_to_grant_types(req_args)) == {'authorization_code',
+ 'implicit'}
+ req_args = ['code', 'id_token code', 'code token id_token']
+ assert set(
+ response_types_to_grant_types(req_args)) == {'authorization_code',
+ 'implicit'}
+
+ with pytest.raises(ValueError):
+ response_types_to_grant_types(['foobar openid'])
+
+
 def test_clean_response():
 atr = AccessTokenResponse(access_token="access_token", token_type="bearer", expires_in=600,
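Review bot: The added test covers only the helper; nothing asserts that create_registration_request puts the derived `grant_types` into the request, which is the behaviour the commit is about, nor what happens when the caller already supplied `grant_types`. A short case that builds a registration request with `response_types=['code id_token']` and checks `grant_types` would pin that. For the helper itself, `['foobar openid']` is the only rejected input; adding a bare `['token']` case would document whether that response type is intentionally refused.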