Merge pull request #601 from OpenIDC/fix_jwe

Fix encrypted IdToken
CZ-NIC · Jan 31, 2019 · 5005696 · 5005696
2 parents b94ec42 + 8b6e5bd
commit 5005696
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,9 +10,11 @@ The format is based on the [KeepAChangeLog] project.
 ### Fixed
 - [#592] Do not append cookie header if there is nothing to append
 - [#591] Fix verification of encrypted id_token
+- [#601] Fix headers od encrypted id_token
 
 [#592]: https://github.com/OpenIDC/pyoidc/issues/592
 [#591]: https://github.com/OpenIDC/pyoidc/issues/591
+[#601]: https://github.com/OpenIDC/pyoidc/pull/600
 
 ## 0.15.0 [2019-01-17]
 

diff --git a/src/oic/oic/message.py b/src/oic/oic/message.py
@@ -289,7 +289,11 @@ def verify_id_token(instance, check_hash=False, **kwargs):
         except KeyError:
             raise MissingRequiredAttribute('iss')
 
-    idt = IdToken().from_jwt(_jws, **args)
+    if _jwe is not None:
+        # Use the original encrypted token to set correct headers
+        idt = IdToken().from_jwt(str(instance['id_token']), **args)
+    else:
+        idt = IdToken().from_jwt(_jws, **args)
     if not idt.verify(**kwargs):
         raise VerificationError("Could not verify id_token", idt)
 

diff --git a/tests/test_oic_message.py b/tests/test_oic_message.py
@@ -935,6 +935,7 @@ def test_verify_token_encrypted():
                            iss="https://sso.qa.7pass.ctf.prosiebensat1.com",
                            client_id="554295ce3770612820620000")
     assert vidt
+    assert vidt.jwe_header == {'enc': 'A128CBC-HS256', 'alg': 'RSA1_5', 'cty': 'JWT'}
 
 
 def test_verify_token_encrypted_no_key():