If you want to turn off refresh access token.

rohe · rohe · commit 93890423de3f · 2020-02-10T11:03:04.000+01:00
diff --git a/src/oidcendpoint/oidc/token_coop.py b/src/oidcendpoint/oidc/token_coop.py
@@ -14,6 +14,7 @@
 from oidcendpoint import sanitize
 from oidcendpoint.cookie import new_cookie
 from oidcendpoint.endpoint import Endpoint
+from oidcendpoint.exception import ProcessError
 from oidcendpoint.token_handler import AccessCodeUsed
 from oidcendpoint.token_handler import ExpiredToken
 from oidcendpoint.userinfo import by_schema
@@ -40,6 +41,7 @@ def __init__(self, endpoint_context, **kwargs):
             self.endpoint_info["token_endpoint_auth_methods_supported"] = kwargs[
                 "client_authn_method"
             ]
+        self.allow_refresh = kwargs.get("allow_refresh", True)
 
     def _refresh_access_token(self, req, **kwargs):
         _sdb = self.endpoint_context.sdb
@@ -198,7 +200,10 @@ def _post_parse_request(self, request, client_id="", **kwargs):
         if request["grant_type"] == "authorization_code":
             return self._access_token_post_parse_request(request, client_id, **kwargs)
         else:  # request["grant_type"] == "refresh_token":
-            return self._refresh_token_post_parse_request(request, client_id, **kwargs)
+            if self.allow_refresh:
+                return self._refresh_token_post_parse_request(request, client_id, **kwargs)
+            else:
+                raise ProcessError("Refresh Token not allowed")
 
     def process_request(self, request=None, **kwargs):
         """
diff --git a/tests/test_35_oidc_token_coop_endpoint.py b/tests/test_35_oidc_token_coop_endpoint.py
@@ -12,6 +12,7 @@
 from oidcendpoint.client_authn import verify_client
 from oidcendpoint.endpoint_context import EndpointContext
 from oidcendpoint.exception import MultipleUsage
+from oidcendpoint.exception import ProcessError
 from oidcendpoint.oidc import userinfo
 from oidcendpoint.oidc.authorization import Authorization
 from oidcendpoint.oidc.provider_config import ProviderConfiguration
@@ -306,3 +307,23 @@ def test_do_2nd_refresh_access_token(self):
         }
         msg = self.endpoint.do_response(request=_req, **_resp)
         assert isinstance(msg, dict)
+
+    def test_do_refresh_access_token_not_allowed(self):
+        areq = AUTH_REQ.copy()
+        areq["scope"] = ["openid", "offline_access"]
+        _cntx = self.endpoint.endpoint_context
+        session_id = setup_session(
+            _cntx, areq, uid="user", acr=INTERNETPROTOCOLPASSWORD
+        )
+        _cntx.sdb.update(session_id, user="diana")
+        _token_request = TOKEN_REQ_DICT.copy()
+        _token_request["code"] = _cntx.sdb[session_id]["code"]
+        _req = self.endpoint.parse_request(_token_request)
+        _resp = self.endpoint.process_request(request=_req)
+
+        self.endpoint.allow_refresh = False
+
+        _request = REFRESH_TOKEN_REQ.copy()
+        _request["refresh_token"] = _resp["response_args"]["refresh_token"]
+        with pytest.raises(ProcessError):
+            self.endpoint.parse_request(_request.to_json())
