A bit of refactoring around client authentication.

Fixed the tests.
Made sure the introspection module also got build with the rest.

Author: rohe

setup.py

@@ -50,7 +50,8 @@ def run_tests(self):
     license="Apache 2.0",
     url='https://github.com/IdentityPython/oicsrv',
     packages=["oidcendpoint", 'oidcendpoint/oidc', 'oidcendpoint/authz',
-              'oidcendpoint/user_authn', 'oidcendpoint/user_info'],
+              'oidcendpoint/user_authn', 'oidcendpoint/user_info',
+              'oidcendpoint/oauth2'],
     package_dir={"": "src"},
     classifiers=[
         "Development Status :: 4 - Beta",

src/oidcendpoint/client_authn.py

@@ -191,7 +191,7 @@ def valid_client_info(cinfo):
     return True
 
 
-def verify_client(endpoint_context, request, authorization_info):
+def verify_client(endpoint_context, request, authorization_info=None):
     """
     Initiated Guessing !
 
@@ -202,7 +202,7 @@ def verify_client(endpoint_context, request, authorization_info):
         possibly access token.
     """
 
-    if not authorization_info:
+    if authorization_info is None:
         if 'client_id' in request and 'client_secret' in request:
             auth_info = ClientSecretPost(endpoint_context).verify(request)
             auth_info['method'] = 'client_secret_post'
@@ -232,7 +232,6 @@ def verify_client(endpoint_context, request, authorization_info):
     try:
         client_id = auth_info['client_id']
     except KeyError:
-        client_id = ''
         try:
             _token = auth_info['token']
         except KeyError:
@@ -258,7 +257,7 @@ def verify_client(endpoint_context, request, authorization_info):
                 logger.warning('Client registration has timed out')
                 raise ValueError('Not valid client')
             else:
-                # check that the expected authz method was used
+                # store what authn method was used
                 try:
                     endpoint_context.cdb[client_id]['auth_method'][
                         request.__class__.__name__] = auth_info['method']

src/oidcendpoint/endpoint.py

@@ -15,7 +15,7 @@
 
 __author__ = 'Roland Hedberg'
 
-logger = logging.getLogger(__name__)
+LOGGER = logging.getLogger(__name__)
 
 """
 method call structure for Endpoints:
@@ -62,7 +62,7 @@ class Endpoint(object):
     request_placement = 'query'
     response_format = 'json'
     response_placement = 'body'
-    client_auth_method = ''
+    client_authn_method = ''
 
     def __init__(self, endpoint_context, **kwargs):
         self.endpoint_context = endpoint_context
@@ -81,8 +81,8 @@ def parse_request(self, request, auth=None, **kwargs):
         :param kwargs: extra keyword arguments
         :return:
         """
-        logger.debug("- {} -".format(self.endpoint_name))
-        logger.info("Request: %s" % sanitize(request))
+        LOGGER.debug("- {} -".format(self.endpoint_name))
+        LOGGER.info("Request: %s" % sanitize(request))
 
         if request:
             if isinstance(request, dict):
@@ -108,7 +108,8 @@ def parse_request(self, request, auth=None, **kwargs):
         try:
             auth_info = self.client_authentication(req, auth, **kwargs)
         except UnknownOrNoAuthnMethod:
-            if not self.client_auth_method:
+            # If there is no required client authentication method
+            if not self.client_authn_method:
                 try:
                     _client_id = req['client_id']
                 except KeyError:
@@ -138,7 +139,7 @@ def parse_request(self, request, auth=None, **kwargs):
             return self.error_cls(error="invalid_request",
                                   error_description="%s" % err)
 
-        logger.info("Parsed and verified request: %s" % sanitize(req))
+        LOGGER.info("Parsed and verified request: %s" % sanitize(req))
 
         # Do any endpoint specific parsing
         return self.do_post_parse_request(req, _client_id, **kwargs)
@@ -154,7 +155,13 @@ def client_authentication(self, request, auth=None, **kwargs):
         :return: client_id or raise an exception
         """
 
-        return verify_client(self.endpoint_context, request, auth)
+        authn_info = verify_client(self.endpoint_context, request, auth)
+
+        if authn_info['method'] not in self.client_authn_method:
+            LOGGER.warning("Wrong client authentication method was used")
+            raise UnknownOrNoAuthnMethod("Wrong authn method")
+
+        return authn_info
 
     def do_post_parse_request(self, request, client_id='', **kwargs):
         for meth in self.post_parse_request:
@@ -197,7 +204,7 @@ def construct(self, response_args, request, **kwargs):
         """
         response_args = self.do_pre_construct(response_args, request, **kwargs)
 
-        # logger.debug("kwargs: %s" % sanitize(kwargs))
+        # LOGGER.debug("kwargs: %s" % sanitize(kwargs))
         response = self.response_cls(**response_args)
 
         return self.do_post_construct(response, request, **kwargs)

src/oidcendpoint/oauth2/introspection.py

@@ -34,13 +34,11 @@ def client_authentication(self, request, auth=None, **kwargs):
         except Exception as err:
             msg = "Failed to verify client due to: {}".format(err)
             LOGGER.error(msg)
-            return self.error_cls(error="unauthorized_client",
-                                  error_description=msg)
+            return self.error_cls(error="unauthorized_client")
         else:
             if 'client_id' not in auth_info:
                 LOGGER.error('No client_id, authentication failed')
-                return self.error_cls(error="unauthorized_client",
-                                      error_description='unknown client')
+                return self.error_cls(error="unauthorized_client")
 
         return auth_info
 

src/oidcendpoint/util.py

@@ -79,11 +79,9 @@ def build_endpoints(conf, endpoint_context, client_authn_method, issuer):
             _instance.provider_info = spec['provider_info']
 
         try:
-            _client_authn_method = kwargs['client_authn_method']
+            _instance.client_authn_method = kwargs['client_authn_method']
         except KeyError:
-            _instance.client_auth_method = client_authn_method
-        else:
-            _instance.client_auth_method = _client_authn_method
+            _instance.client_authn_method = client_authn_method
 
         endpoint[name] = _instance
 

tests/test_02_client_authn.py

@@ -299,7 +299,7 @@ def test_verify_client_jws_authn_method():
         'client_assertion_type': JWT_BEARER
     }
 
-    res = verify_client(endpoint_context, request, '')
+    res = verify_client(endpoint_context, request)
     assert res['method'] == 'private_key_jwt'
     assert res['client_id'] == 'client_id'
 
@@ -308,14 +308,14 @@ def test_verify_client_bearer_body():
     request = {'access_token': '1234567890', 'client_id': client_id}
     sinfo = SessionInfo(authn_req=AuthorizationRequest(client_id= client_id))
     endpoint_context.sdb['1234567890'] = sinfo
-    res = verify_client(endpoint_context, request, '')
+    res = verify_client(endpoint_context, request)
     assert set(res.keys()) == {'token', 'method','client_id'}
     assert res['method'] == 'bearer_body'
 
 
 def test_verify_client_client_secret_post():
     request = {'client_id': client_id, 'client_secret': client_secret}
-    res = verify_client(endpoint_context, request, '')
+    res = verify_client(endpoint_context, request)
     assert set(res.keys()) == {'method','client_id'}
     assert res['method'] == 'client_secret_post'
 

tests/test_26_userinfo_endpoint.py

@@ -131,7 +131,7 @@ def create_endpoint(self):
             'token_endpoint_auth_method': 'client_secret_post',
             'response_types': ['code', 'token', 'code id_token', 'id_token']
         }
-        self.endpoint = userinfo.UserInfo(endpoint_context)
+        self.endpoint = endpoint_context.endpoint['userinfo']
 
     def test_init(self):
         assert self.endpoint

tests/test_31_introspection.py

@@ -6,6 +6,7 @@
 from oidcmsg.oauth2 import TokenIntrospectionRequest
 from oidcmsg.oidc import AuthorizationRequest
 
+from oidcendpoint.client_authn import ClientSecretPost
 from oidcendpoint.client_authn import verify_client
 from oidcendpoint.endpoint_context import EndpointContext
 from oidcendpoint.oauth2.introspection import Introspection
@@ -77,8 +78,11 @@ def create_endpoint(self):
                     'path': '{}/intro',
                     'class': Introspection,
                     'kwargs': {
-                        "release": ['username']
-                    }
+                        "release": ['username'],
+                        "client_authn_method": {
+                            'client_secrert_post': ClientSecretPost
+                        }
+                    },
                 }
             },
             "authentication": {
@@ -91,7 +95,7 @@ def create_endpoint(self):
             'userinfo': {
                 'path': '{}/userinfo',
                 'class': UserInfo,
-                'kwargs': {'db_file': 'users.json'}
+                'kwargs': {'db_file': full_path('users.json')}
             },
             'client_authn': verify_client,
             'template_dir': 'template'
@@ -130,6 +134,19 @@ def test_parse(self):
         assert isinstance(_req, TokenIntrospectionRequest)
         assert set(_req.keys()) == {"token"}
 
+    def test_parse_with_client_auth_in_req(self):
+        _context = self.introspection_endpoint.endpoint_context
+        _ = setup_session(_context, AUTH_REQ, uid='diana')
+        _token = self._create_jwt('diana')
+        _req = self.introspection_endpoint.parse_request(
+            {
+                "token": _token, 'client_id': 'client_1',
+                'client_secret': _context.cdb['client_1']['client_secret']
+            })
+
+        assert isinstance(_req, TokenIntrospectionRequest)
+        assert set(_req.keys()) == {"token", "client_id", "client_secret"}
+
     def test_process_request(self):
         _ = setup_session(self.introspection_endpoint.endpoint_context,
                           AUTH_REQ, uid='diana')