From 2293ba541578a7f6bc8a9f062564eda22b533f14 Mon Sep 17 00:00:00 2001
From: Kostis Triantafyllakis
Date: Wed, 26 Jul 2023 19:39:55 +0300
Subject: [PATCH] Unbind authentication event lifetime from userinfo response
Signed-off-by: Kostis Triantafyllakis
---
 src/idpyoidc/server/oidc/userinfo.py | 50 ++++++-------------
 .../test_server_26_oidc_userinfo_endpoint.py | 18 -------
 2 files changed, 14 insertions(+), 54 deletions(-)
diff --git a/src/idpyoidc/server/oidc/userinfo.py b/src/idpyoidc/server/oidc/userinfo.py
index 962c0326..1ececaf1 100755
--- a/src/idpyoidc/server/oidc/userinfo.py
+++ b/src/idpyoidc/server/oidc/userinfo.py
@@ -133,44 +133,22 @@ def process_request(self, request=None, **kwargs):
 if token.is_active() is False:
 return self.error_cls(error="invalid_token", error_description="Invalid Token")
- allowed = True
- _auth_event = _grant.authentication_event
- # if the authentication is still active or offline_access is granted.
- if not _auth_event["valid_until"] >= utc_time_sans_frac():
- logger.debug(
- "authentication not valid: {} > {}".format(
- datetime.fromtimestamp(_auth_event["valid_until"]),
- datetime.fromtimestamp(utc_time_sans_frac()),
- )
- )
- allowed = False
-
- # This has to be made more fine grained.
- # if "offline_access" in session["authn_req"]["scope"]:
- # pass
-
- if allowed:
- _cntxt = self.upstream_get("context")
- _claims_restriction = _cntxt.claims_interface.get_claims(
- _session_info["branch_id"], scopes=token.scope, claims_release_point="userinfo"
- )
- info = _cntxt.claims_interface.get_user_claims(
- _session_info["user_id"], claims_restriction=_claims_restriction
- )
- info["sub"] = _grant.sub
- if _grant.add_acr_value("userinfo"):
- info["acr"] = _grant.authentication_event["authn_info"]
+ _cntxt = self.upstream_get("context")
+ _claims_restriction = _cntxt.claims_interface.get_claims(
+ _session_info["branch_id"], scopes=token.scope, claims_release_point="userinfo"
+ )
+ info = _cntxt.claims_interface.get_user_claims(
+ _session_info["user_id"], claims_restriction=_claims_restriction
+ )
+ info["sub"] = _grant.sub
+ if _grant.add_acr_value("userinfo"):
+ info["acr"] = _grant.authentication_event["authn_info"]
- if "userinfo" in _cntxt.cdb[request["client_id"]]:
- self.config["policy"] = _cntxt.cdb[request["client_id"]]["userinfo"]["policy"]
+ if "userinfo" in _cntxt.cdb[request["client_id"]]:
+ self.config["policy"] = _cntxt.cdb[request["client_id"]]["userinfo"]["policy"]
- if "policy" in self.config:
- info = self._enforce_policy(request, info, token, self.config)
- else:
- info = {
- "error": "invalid_request",
- "error_description": "Access not granted",
- }
+ if "policy" in self.config:
+ info = self._enforce_policy(request, info, token, self.config)
 return {"response_args": info, "client_id": _session_info["client_id"]}
diff --git a/tests/test_server_26_oidc_userinfo_endpoint.py b/tests/test_server_26_oidc_userinfo_endpoint.py
index 50313ca4..d53331d2 100755
--- a/tests/test_server_26_oidc_userinfo_endpoint.py
+++ b/tests/test_server_26_oidc_userinfo_endpoint.py
@@ -310,24 +310,6 @@ def test_process_request(self):
 args = self.endpoint.process_request(_req, http_info=http_info)
 assert args
- def test_process_request_not_allowed(self):
- session_id = self._create_session(AUTH_REQ)
- grant = self.session_manager[session_id]
- code = self._mint_code(grant, session_id)
- access_token = self._mint_token("access_token", grant, session_id, code)
-
- # 2 things can make the request invalid.
- # 1) The token is not valid anymore or 2) The event is not valid.
- _event = grant.authentication_event
- _event["authn_time"] -= 9000
- _event["valid_until"] -= 9000
-
- http_info = {"headers": {"authorization": "Bearer {}".format(access_token.value)}}
- _req = self.endpoint.parse_request({}, http_info=http_info)
-
- args = self.endpoint.process_request(_req, http_info=http_info)
- assert set(args["response_args"].keys()) == {"error", "error_description"}
-
 def test_do_response(self):
 session_id = self._create_session(AUTH_REQ)
 grant = self.session_manager[session_id]