From e631fc3ed8f6b5834740b35126926489db722217 Mon Sep 17 00:00:00 2001
From: Kostis Triantafyllakis
Date: Wed, 26 Jul 2023 19:39:55 +0300
Subject: [PATCH] Unbind authentication event lifetime from userinfo response
Signed-off-by: Kostis Triantafyllakis
---
 src/idpyoidc/server/oidc/userinfo.py | 40 +++++++---------------------
 1 file changed, 10 insertions(+), 30 deletions(-)
diff --git a/src/idpyoidc/server/oidc/userinfo.py b/src/idpyoidc/server/oidc/userinfo.py
index 32d77506..5bf3acaa 100755
--- a/src/idpyoidc/server/oidc/userinfo.py
+++ b/src/idpyoidc/server/oidc/userinfo.py
@@ -64,7 +64,6 @@ def do_response(
         client_id: Optional[str] = "",
         **kwargs,
     ) -> dict:
-
         if "error" in kwargs and kwargs["error"]:
             return Endpoint.do_response(self, response_args, request, **kwargs)
@@ -135,35 +134,16 @@ def process_request(self, request=None, **kwargs):
         if token.is_active() is False:
             return self.error_cls(error="invalid_token", error_description="Invalid Token")
-        allowed = True
-        _auth_event = _grant.authentication_event
-        # if the authentication is still active or offline_access is granted.
-        if not _auth_event["valid_until"] >= utc_time_sans_frac():
-            logger.debug(
-                "authentication not valid: {} > {}".format(
-                    datetime.fromtimestamp(_auth_event["valid_until"]),
-                    datetime.fromtimestamp(utc_time_sans_frac()),
-                )
-            )
-            allowed = False
-
-        # This has to be made more finegrained.
-        # if "offline_access" in session["authn_req"]["scope"]:
-        #     pass
         _cntxt = self.upstream_get("context")
-        if allowed:
-            _claims_restriction = _cntxt.claims_interface.get_claims(
-                _session_info["branch_id"], scopes=token.scope, claims_release_point="userinfo"
-            )
-            info = _cntxt.claims_interface.get_user_claims(
-                _session_info["user_id"],
-                claims_restriction=_claims_restriction,
-                client_id=_session_info["client_id"]
-            )
-            info["sub"] = _grant.sub
-            if _grant.add_acr_value("userinfo"):
-                info["acr"] = _grant.authentication_event["authn_info"]
+        _claims_restriction = _cntxt.claims_interface.get_claims(
+            _session_info["branch_id"], scopes=token.scope, claims_release_point="userinfo"
+        )
+        info = _cntxt.claims_interface.get_user_claims(
+            _session_info["user_id"], claims_restriction=_claims_restriction
+        )
+        info["sub"] = _grant.sub
+        if _grant.add_acr_value("userinfo"):
+            info["acr"] = _grant.authentication_event["authn_info"]
         extra_claims = kwargs.get("extra_claims")
         if extra_claims:
@@ -213,7 +193,7 @@ def parse_request(self, request, http_info=None, **kwargs):
     def _enforce_policy(self, request, response_info, token, config):
         policy = config["policy"]
         callable = policy["function"]
-        kwargs = policy.get("kwargs", {})
+        kwargs = policy.get("kwargs") or {}
         if isinstance(callable, str):
             try:
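Review bot: The rewritten `get_user_claims` call drops the `client_id=_session_info["client_id"]` keyword that the removed branch passed; this is not covered by the commit title and, if `get_user_claims` uses it to select a per-client claims source, it changes which claims are released, so restore it as `info = _cntxt.claims_interface.get_user_claims(_session_info["user_id"], claims_restriction=_claims_restriction, client_id=_session_info["client_id"])`. With the `valid_until` guard gone, the only bound on releasing userinfo is `token.is_active()` at the top of the hunk, so the intent deserves a comment where the check used to be, e.g. `# Userinfo is bounded by the access token's lifetime only; the authentication event's valid_until is deliberately not re-checked here so tokens obtained via refresh/offline_access keep working.` — the offline_access rationale is inferred from the removed comment, so adjust it to the actual reason. The `datetime` and `utc_time_sans_frac` names referenced only by the removed lines may now be unused imports in this module; that cannot be confirmed from the hunk. `process_request` starts before this hunk and continues after it.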