Token exchange client

pyproject.toml

@@ -7,7 +7,7 @@ build-backend = "setuptools.build_meta"
 
 [metadata]
 name = "idpyoidc"
-version = "1.1.1"
+version = "1.2.0"
 author = "Roland Hedberg"
 author_email = "roland@catalogix.se"
 description = "Everything OAuth2 and OIDC"

src/idpyoidc/__init__.py

@@ -1,5 +1,5 @@
 __author__ = "Roland Hedberg"
-__version__ = "1.1.1"
+__version__ = "1.2.0"
 
 import os
 from typing import Dict

src/idpyoidc/client/client_auth.py

@@ -302,11 +302,13 @@ def construct(self, request=None, service=None, http_args=None, **kwargs):
 
         if service.service_name == "refresh_token":
             _acc_token = find_token(request, "refresh_token", service, **kwargs)
+        elif service.service_name == "token_exchange":
+            _acc_token = find_token(request, "subject_token", service, **kwargs)
         else:
             _acc_token = find_token(request, "access_token", service, **kwargs)
 
         if not _acc_token:
-            raise KeyError("No access or refresh token available")
+            raise KeyError("No bearer token available")
 
         # The authorization value starts with 'Bearer' when bearer tokens
         # are used

src/idpyoidc/client/defaults.py

@@ -18,7 +18,7 @@
 }
 
 DEFAULT_OAUTH2_SERVICES = {
-    "discovery": {"class": "idpyoidc.client.oauth2.provider_info_discovery.ProviderInfoDiscovery"},
+    "discovery": {"class": "idpyoidc.client.oauth2.server_metadata.ServerMetadata"},
     "authorization": {"class": "idpyoidc.client.oauth2.authorization.Authorization"},
     "access_token": {"class": "idpyoidc.client.oauth2.access_token.AccessToken"},
     "refresh_access_token": {

src/idpyoidc/client/oauth2/provider_info_discovery.py → src/idpyoidc/client/oauth2/server_metadata.py

@@ -12,14 +12,14 @@
 LOGGER = logging.getLogger(__name__)
 
 
-class ProviderInfoDiscovery(Service):
-    """The service that talks to the OAuth2 provider info discovery endpoint."""
+class ServerMetadata(Service):
+    """The service that talks to the OAuth2 server metadata endpoint."""
 
     msg_type = oauth2.Message
     response_cls = oauth2.ASConfigurationResponse
     error_msg = ResponseMessage
     synchronous = True
-    service_name = "provider_info"
+    service_name = "server_metadata"
     http_method = "GET"
 
     metadata_attributes = {}

src/idpyoidc/client/oauth2/token_exchange.py

@@ -0,0 +1,74 @@
+"""Implements the service that can exchange one token for another."""
+import logging
+
+from idpyoidc.client.oauth2.utils import get_state_parameter
+from idpyoidc.client.service import Service
+from idpyoidc.exception import MissingParameter
+from idpyoidc.exception import MissingRequiredAttribute
+from idpyoidc.message import oauth2
+from idpyoidc.message.oauth2 import ResponseMessage
+from idpyoidc.time_util import time_sans_frac
+
+LOGGER = logging.getLogger(__name__)
+
+
+class TokenExchange(Service):
+    """The token exchange service."""
+
+    msg_type = oauth2.TokenExchangeRequest
+    response_cls = oauth2.TokenExchangeResponse
+    error_msg = ResponseMessage
+    endpoint_name = "token_endpoint"
+    synchronous = True
+    service_name = "token_exchange"
+    default_authn_method = "client_secret_basic"
+    http_method = "POST"
+    request_body_type = "urlencoded"
+    response_body_type = "json"
+
+
+    def __init__(self, client_get, conf=None):
+        Service.__init__(self, client_get, conf=conf)
+        self.pre_construct.append(self.oauth_pre_construct)
+
+    def update_service_context(self, resp, key="", **kwargs):
+        if "expires_in" in resp:
+            resp["__expires_at"] = time_sans_frac() + int(resp["expires_in"])
+        self.client_get("service_context").state.store_item(resp, "token_response", key)
+
+    def oauth_pre_construct(self, request_args=None, post_args=None, **kwargs):
+        """
+
+        :param request_args: Initial set of request arguments
+        :param kwargs: Extra keyword arguments
+        :return: Request arguments
+        """
+        if request_args is None:
+            request_args = {}
+
+        if 'subject_token' not in request_args:
+            try:
+                _key = get_state_parameter(request_args, kwargs)
+            except MissingParameter:
+                raise MissingRequiredAttribute("subject_token")
+
+            parameters = {'access_token', 'scope'}
+
+            _state = self.client_get("service_context").state
+
+            _args = _state.extend_request_args(
+                {}, oauth2.AuthorizationResponse, "auth_response", _key, parameters
+            )
+            _args = _state.extend_request_args(
+                _args, oauth2.AccessTokenResponse, "token_response", _key, parameters
+            )
+            _args = _state.extend_request_args(
+                _args, oauth2.AccessTokenResponse, "refresh_token_response", _key, parameters
+            )
+
+            request_args["subject_token"] = _args["access_token"]
+            request_args["subject_token_type"] = 'urn:ietf:params:oauth:token-type:access_token'
+            if 'scope' not in request_args and "scope" in _args:
+                request_args["scope"] = _args["scope"]
+
+        return request_args, post_args

src/idpyoidc/client/oidc/provider_info_discovery.py

@@ -1,7 +1,7 @@
 import logging
 
 from idpyoidc.client.exception import ConfigurationError
-from idpyoidc.client.oauth2 import provider_info_discovery
+from idpyoidc.client.oauth2 import server_metadata
 from idpyoidc.message import oidc
 from idpyoidc.message.oauth2 import ResponseMessage
 
@@ -61,14 +61,16 @@ def add_redirect_uris(request_args, service=None, **kwargs):
     return request_args, {}
 
 
-class ProviderInfoDiscovery(provider_info_discovery.ProviderInfoDiscovery):
+class ProviderInfoDiscovery(server_metadata.ServerMetadata):
     msg_type = oidc.Message
     response_cls = oidc.ProviderConfigurationResponse
     error_msg = ResponseMessage
+    service_name = "provider_info"
+
     metadata_attributes = {}
 
     def __init__(self, client_get, conf=None):
-        provider_info_discovery.ProviderInfoDiscovery.__init__(self, client_get, conf=conf)
+        server_metadata.ServerMetadata.__init__(self, client_get, conf=conf)
 
     def update_service_context(self, resp, **kwargs):
         _context = self.client_get("service_context")

src/idpyoidc/client/service.py

@@ -16,14 +16,13 @@
 from idpyoidc.message.oauth2 import ResponseMessage
 from idpyoidc.message.oauth2 import is_error_message
 from idpyoidc.util import importer
-
-from ..constant import JOSE_ENCODED
-from ..constant import JSON_ENCODED
-from ..constant import URL_ENCODED
 from .configure import Configuration
 from .exception import ResponseError
 from .util import get_http_body
 from .util import get_http_url
+from ..constant import JOSE_ENCODED
+from ..constant import JSON_ENCODED
+from ..constant import URL_ENCODED
 
 __author__ = "Roland Hedberg"
 
@@ -452,6 +451,7 @@ def get_request_parameters(
                 content_type = JSON_ENCODED
 
             _info["body"] = get_http_body(request, content_type)
+
             _headers.update({"Content-Type": content_type})
 
         if _headers:
@@ -655,7 +655,7 @@ def construct_uris(self, base_url, hex):
                 uri = self.usage_to_uri_map.get(usage)
                 if uri and uri not in self.metadata:
                     self.metadata[uri] = self.get_uri(base_url, self.callback_path[uri],
-                                                               hex)
+                                                      hex)
 
     def get_metadata(self, attribute, default=None):
         try:

src/idpyoidc/server/oauth2/server_metadata.py

@@ -0,0 +1,37 @@
+import logging
+
+from idpyoidc.message import oauth2
+
+from idpyoidc.message import oidc
+from idpyoidc.server.endpoint import Endpoint
+
+logger = logging.getLogger(__name__)
+
+
+class ServerMetadata(Endpoint):
+    request_cls = oauth2.Message
+    response_cls = oauth2.ASConfigurationResponse
+    request_format = ""
+    response_format = "json"
+    name = "server_metadata"
+
+    def __init__(self, server_get, **kwargs):
+        Endpoint.__init__(self, server_get=server_get, **kwargs)
+        self.pre_construct.append(self.add_endpoints)
+
+    def add_endpoints(self, request, client_id, endpoint_context, **kwargs):
+        for endpoint in [
+            "authorization_endpoint",
+            "registration_endpoint",
+            "token_endpoint",
+            "userinfo_endpoint",
+            "end_session_endpoint",
+        ]:
+            endp_instance = self.server_get("endpoint", endpoint)
+            if endp_instance:
+                request[endpoint] = endp_instance.endpoint_path
+
+        return request
+
+    def process_request(self, request=None, **kwargs):
+        return {"response_args": self.server_get("endpoint_context").provider_info}

src/idpyoidc/server/oauth2/token.py

@@ -13,6 +13,7 @@
 from idpyoidc.server.exception import ProcessError
 from idpyoidc.server.oauth2.token_helper import AccessTokenHelper
 from idpyoidc.server.oauth2.token_helper import RefreshTokenHelper
+from idpyoidc.server.session import MintingNotAllowed
 from idpyoidc.server.session.token import TOKEN_TYPES_MAPPING
 from idpyoidc.util import importer
 
@@ -121,6 +122,8 @@ def process_request(self, request: Optional[Union[Message, dict]] = None, **kwar
                 )
         except JWEException as err:
             return self.error_cls(error="invalid_request", error_description="%s" % err)
+        except MintingNotAllowed as err:
+            return self.error_cls(error="invalid_request", error_description="%s" % err)
 
         if isinstance(response_args, ResponseMessage):
             return response_args

tests/test_client_40_dpop.py

@@ -88,7 +88,7 @@ def create_client(self):
 
         services = {
             "discovery": {
-                "class": "idpyoidc.client.oauth2.provider_info_discovery.ProviderInfoDiscovery"
+                "class": "idpyoidc.client.oauth2.server_metadata.ServerMetadata"
             },
             "authorization": {"class": "idpyoidc.client.oauth2.authorization.Authorization"},
             "access_token": {"class": "idpyoidc.client.oauth2.access_token.AccessToken"},

tests/test_client_55_token_exchange.py

@@ -0,0 +1,92 @@
+import os
+
+from cryptojwt.key_jar import init_key_jar
+import pytest
+
+from idpyoidc.client.entity import Entity
+from idpyoidc.message import Message
+from idpyoidc.message.oauth2 import AccessTokenResponse
+from idpyoidc.message.oauth2 import AuthorizationResponse
+from idpyoidc.message.oidc import IdToken
+from tests.test_client_21_oidc_service import make_keyjar
+
+KEYSPEC = [
+    {"type": "RSA", "use": ["sig"]},
+    {"type": "EC", "crv": "P-256", "use": ["sig"]},
+]
+
+_dirname = os.path.dirname(os.path.abspath(__file__))
+
+ISS = "https://example.com"
+
+ISS_KEY = init_key_jar(
+    public_path="{}/pub_iss.jwks".format(_dirname),
+    private_path="{}/priv_iss.jwks".format(_dirname),
+    key_defs=KEYSPEC,
+    issuer_id=ISS,
+    read_only=False,
+)
+
+ISS_KEY.import_jwks_as_json(open("{}/pub_client.jwks".format(_dirname)).read(), "client_id")
+
+
+def create_jws(val):
+    lifetime = 3600
+
+    idts = IdToken(**val)
+
+    return idts.to_jwt(
+        key=ISS_KEY.get_signing_key("ec", issuer_id=ISS), algorithm="ES256", lifetime=lifetime
+    )
+
+
+class TestUserInfo(object):
+    @pytest.fixture(autouse=True)
+    def create_request(self):
+        self._iss = ISS
+        client_config = {
+            "client_id": "client_id",
+            "client_secret": "a longesh password",
+            "redirect_uris": ["https://example.com/cli/authz_cb"],
+            "issuer": self._iss,
+            "requests_dir": "requests",
+            "base_url": "https://example.com/cli/",
+        }
+        entity = Entity(keyjar=make_keyjar(), config=client_config,
+                        services={
+                            "discovery": {
+                                "class":
+                                    "idpyoidc.client.oauth2.server_metadata.ServerMetadata"},
+                            "authorization": {
+                                "class": "idpyoidc.client.oauth2.authorization.Authorization"},
+                            "access_token": {
+                                "class": "idpyoidc.client.oauth2.access_token.AccessToken"},
+                            "token_exchange": {
+                                "class":
+                                    "idpyoidc.client.oauth2.token_exchange.TokenExchange"
+                            },
+                        }
+                        )
+        entity.client_get("service_context").issuer = "https://example.com"
+        self.service = entity.client_get("service", "token_exchange")
+
+        _state_interface = self.service.client_get("service_context").state
+        # Add history
+        auth_response = AuthorizationResponse(code="access_code").to_json()
+        _state_interface.store_item(auth_response, "auth_response", "abcde")
+
+        idtval = {"nonce": "KUEYfRM2VzKDaaKD", "sub": "diana", "iss": ISS, "aud": "client_id"}
+        idt = create_jws(idtval)
+
+        ver_idt = IdToken().from_jwt(idt, make_keyjar())
+
+        token_response = AccessTokenResponse(
+            access_token="access_token", id_token=idt, __verified_id_token=ver_idt
+        ).to_json()
+        _state_interface.store_item(token_response, "token_response", "abcde")
+
+    def test_construct(self):
+        _req = self.service.construct(state="abcde")
+        assert isinstance(_req, Message)
+        assert len(_req) == 2
+        assert "subject_token" in _req

tests/test_server_24_oauth2_token_endpoint.py

@@ -689,8 +689,9 @@ def test_do_refresh_access_token_not_allowed(self):
         _request = REFRESH_TOKEN_REQ.copy()
         _request["refresh_token"] = _resp["response_args"]["refresh_token"]
         _req = self.token_endpoint.parse_request(_request.to_json())
-        with pytest.raises(MintingNotAllowed):
-            self.token_endpoint.process_request(_req)
+        res = self.token_endpoint.process_request(_req)
+        assert "error" in res
+        assert res["error_description"] == 'Minting of access_token not supported'
 
     def test_do_refresh_access_token_revoked(self):
         areq = AUTH_REQ.copy()

tests/test_server_35_oidc_token_endpoint.py

@@ -905,8 +905,8 @@ def test_do_refresh_access_token_not_allowed(self):
         _request = REFRESH_TOKEN_REQ.copy()
         _request["refresh_token"] = _resp["response_args"]["refresh_token"]
         _req = self.token_endpoint.parse_request(_request.to_urlencoded())
-        with pytest.raises(MintingNotAllowed):
-            self.token_endpoint.process_request(_req)
+        res = self.token_endpoint.process_request(_req)
+        assert "error" in res
 
     def test_do_refresh_access_token_revoked(self):
         areq = AUTH_REQ.copy()