Ensure the access_token contains the openid scope
Signed-off-by: Ivan Kanakarakis <[email protected]>
c00kiemon5ter authored and lionick committed Nov 7, 2024
1 parent e631fc3 commit cc1d61f
Showing 1 changed file with 16 additions and 7 deletions.
23 changes: 16 additions & 7 deletions src/idpyoidc/server/oidc/userinfo.py
Expand Up @@ -125,18 +125,27 @@ def process_request(self, request=None, **kwargs):
return self.error_cls(error="invalid_token", error_description="Invalid Token")

_grant = _session_info["grant"]
token = _grant.get_token(request["access_token"])
# should be an access token
if token and token.token_class != "access_token":
access_token = _grant.get_token(request["access_token"])

# there must be a token
if not access_token:
return self.error_cls(error="invalid_token", error_description="Invalid Token")

# the token must be an access_token
if access_token.token_class != "access_token":
return self.error_cls(error="invalid_token", error_description="Wrong type of token")

# And it should be valid
if token.is_active() is False:
# the access_token must be valid
if access_token.is_active() is False:
return self.error_cls(error="invalid_token", error_description="Invalid Token")

# the access_token must contain the openid scope
if "openid" not in access_token.scope:
return self.error_cls(error="invalid_token", error_description="Invalid Token")

_cntxt = self.upstream_get("context")
_claims_restriction = _cntxt.claims_interface.get_claims(
_session_info["branch_id"], scopes=token.scope, claims_release_point="userinfo"
_session_info["branch_id"], scopes=access_token.scope, claims_release_point="userinfo"
)
info = _cntxt.claims_interface.get_user_claims(
_session_info["user_id"], claims_restriction=_claims_restriction
Expand All @@ -153,7 +162,7 @@ def process_request(self, request=None, **kwargs):
self.config["policy"] = _cntxt.cdb[request["client_id"]]["userinfo"]["policy"]

if "policy" in self.config:
info = self._enforce_policy(request, info, token, self.config)
info = self._enforce_policy(request, info, access_token, self.config)

return {"response_args": info, "client_id": _session_info["client_id"]}
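Review bot: The new scope guard `if "openid" not in access_token.scope:` in the first hunk depends on the type of `scope`, which is not visible here: on a space-delimited string it would be a substring test (a scope value that merely contains `openid` would pass), and on `None` it would raise `TypeError` instead of returning the `invalid_token` error. If `scope` is not guaranteed to be a list at this point, normalise it before the membership test, e.g. `if "openid" not in (access_token.scope or []):`. The validity guard just above keeps the `access_token.is_active() is False` comparison, which lets any other falsy return such as `None` through, whereas `if not access_token.is_active():` fails closed. RFC 6750 also defines `insufficient_scope` for a token that lacks the required scope, so reusing `invalid_token` with "Invalid Token" makes this case indistinguishable from an expired or unknown token in client handling and logs. `process_request` starts and ends outside the visible hunks, so earlier checks on `request["access_token"]` could not be reviewed.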
