Added an endpoint that supports RFC7662.

Author: rohe

src/oidcendpoint/__init__.py

@@ -5,7 +5,7 @@
 except ImportError:
     import random as rnd
 
-__version__ = '0.8.4'
+__version__ = '0.8.5'
 
 
 DEF_SIGN_ALG = {"id_token": "RS256",

src/oidcendpoint/oauth2/__init__.py

@@ -0,0 +1,94 @@
+"""Implements RFC7662"""
+import logging
+
+from cryptojwt import JWT
+from oidcmsg import oauth2
+from oidcmsg.time_util import utc_time_sans_frac
+
+from oidcendpoint.client_authn import verify_client
+from oidcendpoint.endpoint import Endpoint
+
+LOGGER = logging.getLogger(__name__)
+
+
+class Introspection(Endpoint):
+    request_cls = oauth2.TokenIntrospectionRequest
+    response_cls = oauth2.TokenIntrospectionResponse
+    request_format = 'urlencoded'
+    response_format = 'json'
+    endpoint_name = 'introspection'
+
+    def do_response(self, response_args=None, request=None, **kwargs):
+        """Construct an Introspection response.
+
+        :param response_args:
+        :param request:
+        :param kwargs: request arguments
+        :return: Response information
+        """
+        info = {
+            'response': response_args.to_json(),
+            'http_headers': [('Content-type', 'application/json')]
+        }
+
+        return info
+
+    def client_authentication(self, request, auth=None, **kwargs):
+        """
+        Deal with client authentication
+
+        :param request: The introspection request
+        :param auth: Client authentication information
+        :param kwargs: Extra keyword arguments
+        :return: dictionary containing client id, client authentication method.
+        """
+
+        try:
+            auth_info = verify_client(self.endpoint_context, request, auth)
+        except Exception as err:
+            msg = "Failed to verify client due to: {}".format(err)
+            LOGGER.error(msg)
+            return self.error_cls(error="unauthorized_client",
+                                  error_description=msg)
+        else:
+            if 'client_id' not in auth_info:
+                LOGGER.error('No client_id, authentication failed')
+                return self.error_cls(error="unauthorized_client",
+                                      error_description='unknown client')
+
+        return auth_info
+
+    def process_request(self, request_info=None, **kwargs):
+        """
+
+        :param request_info: The authorization request as a dictionary
+        :param kwargs:
+        :return:
+        """
+        _introspect_request = self.request_cls(**request_info)
+
+        _jwt = JWT(key_jar=self.endpoint_context.keyjar)
+
+        try:
+            _jwt_info = _jwt.unpack(_introspect_request['token'])
+        except Exception:
+            return {'response': {'active': False}}
+
+        # expired ?
+        if 'exp' in _jwt_info:
+            now = utc_time_sans_frac()
+            if _jwt_info['exp'] < now:
+                return {'response': {'active': False}}
+
+        if 'release' in self.kwargs:
+            if 'username' in self.kwargs['release']:
+                try:
+                    _jwt_info['username'] = self.endpoint_context.userinfo.search(sub=_jwt_info['sub'])
+                except KeyError:
+                    return {'response': {'active': False}}
+
+        _resp = self.response_cls(**_jwt_info)
+        _resp.weed()
+        _resp['active'] = True
+
+        return {'response_args': _resp}

src/oidcendpoint/oauth2/introspection.py

@@ -0,0 +1,156 @@
+import json
+import os
+
+import pytest
+from cryptojwt import JWT
+from oidcmsg.oauth2 import TokenIntrospectionRequest
+from oidcmsg.oidc import AuthorizationRequest
+
+from oidcendpoint.client_authn import verify_client
+from oidcendpoint.endpoint_context import EndpointContext
+from oidcendpoint.oauth2.introspection import Introspection
+from oidcendpoint.oidc.authorization import Authorization
+from oidcendpoint.session import setup_session
+from oidcendpoint.user_authn.authn_context import INTERNETPROTOCOLPASSWORD
+from oidcendpoint.user_info import UserInfo
+
+KEYDEFS = [
+    {"type": "RSA", "key": '', "use": ["sig"]},
+    {"type": "EC", "crv": "P-256", "use": ["sig"]}
+]
+
+RESPONSE_TYPES_SUPPORTED = [
+    ["code"], ["token"], ["id_token"], ["code", "token"], ["code", "id_token"],
+    ["id_token", "token"], ["code", "token", "id_token"], ['none']]
+
+CAPABILITIES = {
+    "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
+    "token_endpoint_auth_methods_supported": [
+        "client_secret_post", "client_secret_basic",
+        "client_secret_jwt", "private_key_jwt"],
+    "response_modes_supported": ['query', 'fragment', 'form_post'],
+    "subject_types_supported": ["public", "pairwise"],
+    "grant_types_supported": [
+        "authorization_code", "implicit",
+        "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token"],
+    "claim_types_supported": ["normal", "aggregated", "distributed"],
+    "claims_parameter_supported": True,
+    "request_parameter_supported": True,
+    "request_uri_parameter_supported": True,
+}
+
+AUTH_REQ = AuthorizationRequest(client_id='client_1',
+                                redirect_uri='https://example.com/cb',
+                                scope=['openid'],
+                                state='STATE',
+                                response_type='code id_token')
+
+BASEDIR = os.path.abspath(os.path.dirname(__file__))
+
+
+def full_path(local_file):
+    return os.path.join(BASEDIR, local_file)
+
+
+class TestEndpoint(object):
+    @pytest.fixture(autouse=True)
+    def create_endpoint(self):
+        conf = {
+            "issuer": "https://example.com/",
+            "password": "mycket hemligt",
+            "token_expires_in": 600,
+            "grant_expires_in": 300,
+            "refresh_token_expires_in": 86400,
+            "verify_ssl": False,
+            "capabilities": CAPABILITIES,
+            "jwks": {
+                'uri_path': 'jwks.json',
+                'key_defs': KEYDEFS,
+            },
+            'endpoint': {
+                'authorization': {
+                    'path': '{}/authorization',
+                    'class': Authorization,
+                    'kwargs': {}
+                },
+                'introspection': {
+                    'path': '{}/intro',
+                    'class': Introspection,
+                    'kwargs': {
+                        "release": ['username']
+                    }
+                }
+            },
+            "authentication": {
+                'anon': {
+                    'acr': INTERNETPROTOCOLPASSWORD,
+                    'class': 'oidcendpoint.user_authn.user.NoAuthn',
+                    'kwargs': {'user': 'diana'}
+                }
+            },
+            'userinfo': {
+                'path': '{}/userinfo',
+                'class': UserInfo,
+                'kwargs': {'db_file': 'users.json'}
+            },
+            'client_authn': verify_client,
+            'template_dir': 'template'
+        }
+        endpoint_context = EndpointContext(conf)
+        endpoint_context.cdb['client_1'] = {
+            "client_secret": 'hemligt',
+            "redirect_uris": [("https://example.com/cb", None)],
+            "client_salt": "salted",
+            'token_endpoint_auth_method': 'client_secret_post',
+            'response_types': ['code', 'token', 'code id_token', 'id_token']
+        }
+        endpoint_context.keyjar.import_jwks_as_json(
+            endpoint_context.keyjar.export_jwks_as_json(private=True),
+            endpoint_context.issuer)
+        self.introspection_endpoint = endpoint_context.endpoint['introspection']
+
+    def _create_jwt(self, uid, lifetime=0, with_jti=False):
+        _jwt = JWT(self.introspection_endpoint.endpoint_context.keyjar,
+                   iss=self.introspection_endpoint.endpoint_context.issuer,
+                   lifetime=lifetime)
+
+        if with_jti:
+            _jwt.with_jti = with_jti
+
+        _info = self.introspection_endpoint.endpoint_context.userinfo.db[uid]
+        _payload = {'sub': _info['sub']}
+        return _jwt.pack(_payload, aud='client_1')
+
+    def test_parse(self):
+        _ = setup_session(self.introspection_endpoint.endpoint_context,
+                          AUTH_REQ, uid='diana')
+        _token = self._create_jwt('diana')
+        _req = self.introspection_endpoint.parse_request({"token": _token})
+
+        assert isinstance(_req, TokenIntrospectionRequest)
+        assert set(_req.keys()) == {"token"}
+
+    def test_process_request(self):
+        _ = setup_session(self.introspection_endpoint.endpoint_context,
+                          AUTH_REQ, uid='diana')
+        _token = self._create_jwt('diana', lifetime=6000)
+        _req = self.introspection_endpoint.parse_request({"token": _token})
+        _resp = self.introspection_endpoint.process_request(_req)
+
+        assert _resp
+        assert set(_resp.keys()) == {'response_args'}
+
+    def test_do_response(self):
+        _ = setup_session(self.introspection_endpoint.endpoint_context,
+                          AUTH_REQ, uid='diana')
+        _token = self._create_jwt('diana', lifetime=6000, with_jti=True)
+        _req = self.introspection_endpoint.parse_request({"token": _token})
+        _resp = self.introspection_endpoint.process_request(_req)
+        msg_info = self.introspection_endpoint.do_response(request=_req, **_resp)
+        assert isinstance(msg_info, dict)
+        assert set(msg_info.keys()) == {'response', 'http_headers'}
+        assert msg_info['http_headers'] == [('Content-type', 'application/json')]
+        _payload = json.loads(msg_info['response'])
+        assert set(_payload.keys()) == {'sub', 'username', 'exp', 'iat', 'aud',
+                                        'active', 'iss', 'jti'}
+        assert _payload['active'] == True