More debug messages

Author: rohe

example/flask_op/private/cookie_jwks.json

@@ -1 +1 @@
-{"keys": [{"kty": "oct", "use": "enc", "kid": "enc", "k": "LrU7gu0Jcj_3XJ0cPeUuxA0-jq5H792-"}, {"kty": "oct", "use": "sig", "kid": "sig", "k": "FQguegtRW6c0fXxDhke8dIg9QDddiAYX"}]}
+{"keys": [{"kty": "oct", "use": "enc", "kid": "enc", "k": "GCizp3ewVRV0VZEef3VQwFve7n2QwAFI"}, {"kty": "oct", "use": "sig", "kid": "sig", "k": "QC2JxpVJXPDMpYv_h76jIrt_lA1P4KSu"}]}

example/flask_rp/templates/opbyuid.html

@@ -19,7 +19,7 @@ <h3>By entering your unique identifier:</h3>
   <input type="text" id="uid" name="uid" class="form-control" placeholder="UID" autofocus>
     <h3>an issuer ID</h3>
     <input type="text" id="dyn_iss" name="dyn_iss" class="form-control">
-  <h3><em>Or</em> you can chose one of the preconfigured OpenID Connect Providers</h3>
+  <h3><em>Or</em> you can choose one of the preconfigured OpenID Connect Providers</h3>
   <select name="static_iss">
   <option value=""></option>
       {% for op in providers %}

src/idpyoidc/client/client_auth.py

@@ -298,14 +298,15 @@ def find_token_info(request: Union[Message, dict], token_type: str, service, **k
             request.c_param[token_type] = SINGLE_OPTIONAL_STRING
             return {token_type: _token, "token_type": "Bearer"}
 
+    _state = kwargs.get("state", kwargs.get("key"))
+    _token_info = service.upstream_get("context").cstate.get_set(_state, claim=[token_type,
+                                                                                "token_type"])
+
     _token = kwargs.get("access_token", None)
     if _token:
-        return {token_type: _token, "token_type": "Bearer"}
+        return {token_type: _token, "token_type": _token_info["token_type"]}
     else:
-        # Get the latest acquired token.
-        _state = kwargs.get("state", kwargs.get("key"))
-        return service.upstream_get("context").cstate.get_set(_state, claim=[token_type,
-                                                                             "token_type"])
+        return _token_info
 
 
 class BearerHeader(ClientAuthnMethod):
@@ -336,7 +337,7 @@ def construct(self, request=None, service=None, http_args=None, **kwargs):
             raise KeyError("No bearer token available")
 
         # The authorization value starts with the token_type
-        #if _token_info["token_type"].to_lower() != "bearer":
+        # if _token_info["token_type"].to_lower() != "bearer":
         _bearer = f"{_token_info['token_type']} {_token_info[_token_type]}"
 
         # Add 'Authorization' to the headers

src/idpyoidc/client/current.py

@@ -105,3 +105,6 @@ def create_state(self, **kwargs):
         _key = self.create_key()
         self._db[_key] = kwargs
         return _key
+
+    def keys(self):
+        return self._db.keys()

src/idpyoidc/client/oauth2/add_on/par.py

@@ -6,6 +6,7 @@
 from idpyoidc.client.client_auth import CLIENT_AUTHN_METHOD
 from idpyoidc.message import Message
 from idpyoidc.message.oauth2 import JWTSecuredAuthorizationRequest
+from idpyoidc.server.util import execute
 from idpyoidc.util import instantiate
 from requests import request
 
@@ -21,24 +22,41 @@ def push_authorization(request_args, service, **kwargs):
 
     _context = service.upstream_get("context")
     method_args = _context.add_on["pushed_authorization"]
+    logger.debug(f"PAR method args: {method_args}")
+    logger.debug(f"PAR kwargs: {kwargs}")
+
     if method_args["apply"] is False:
         return request_args
 
     _http_method = method_args["http_client"]
+    _httpc_params = service.upstream_get("unit").httpc_params
 
     # Add client authentication if needed
     _headers = {}
     authn_method = method_args["authn_method"]
     if authn_method:
-        if authn_method not in _context.client_authn_methods:
-            _context.client_authn_methods[authn_method] = CLIENT_AUTHN_METHOD[authn_method]()
+        if isinstance(authn_method, str):
+            if authn_method not in _context.client_authn_methods:
+                _context.client_authn_methods[authn_method] = CLIENT_AUTHN_METHOD[authn_method]()
+        else:
+            _name = ""
+            for _name, spec in authn_method.items():
+                if _name not in _context.client_authn_methods:
+                    _context.client_authn_methods[_name] = execute(spec)
+            authn_method = _name
 
         _args = {}
         if _context.issuer:
             _args["iss"] = _context.issuer
+        if _name == "client_attestation":
+            _wia = kwargs.get("client_attestation")
+            if _wia:
+                _args["client_attestation"] = _wia
+
         _headers = service.get_headers(
             request_args, http_method=_http_method, authn_method=authn_method, **_args
         )
+        _headers["Content-Type"] = "application/x-www-form-urlencoded"
 
     # construct the message body
     if method_args["body_format"] == "urlencoded":
@@ -56,12 +74,13 @@ def push_authorization(request_args, service, **kwargs):
 
         _body = _msg.to_urlencoded()
 
-    # Send it to the Pushed Authorization Request Endpoint
+    # Send it to the Pushed Authorization Request Endpoint using POST
     resp = _http_method(
-        method="GET",
+        method="POST",
         url=_context.provider_info["pushed_authorization_request_endpoint"],
         data=_body,
         headers=_headers,
+        **_httpc_params
     )
 
     if resp.status_code == 200:

src/idpyoidc/client/oauth2/stand_alone_client.py

@@ -436,6 +436,7 @@ def finalize_auth(self, response: dict, behaviour_args: Optional[dict] = None):
             # got it from the wrong bloke
             raise ValueError("Impersonator {}".format(issuer))
 
+        _context.cstate.update(authorization_response["state"], authorization_response)
         _srv.update_service_context(authorization_response, key=authorization_response["state"])
         return authorization_response
 

src/idpyoidc/server/client_authn.py

@@ -225,6 +225,7 @@ def _verify(
         get_client_id_from_token: Optional[Callable] = None,
         **kwargs,
     ):
+        logger.debug(f"Client Auth method: {self.tag}")
         token = authorization_token.split(" ", 1)[1]
         _context = self.upstream_get("context")
         client_id = ""
@@ -235,7 +236,10 @@ def _verify(
                 raise BearerTokenAuthenticationError("Expired token")
             except KeyError:
                 raise BearerTokenAuthenticationError("Unknown token")
-        return {"token": token, "client_id": client_id}
+            except Exception as err:
+                logger.debug(f"Exception in {self.tag}")
+
+        return {"token": token, "client_id": client_id, "method": self.tag}
 
 
 class BearerBody(ClientSecretPost):
@@ -502,6 +506,8 @@ def verify_client(
             logger.info("Verifying auth using {} failed: {}".format(_method.tag, err))
             continue
 
+        logger.debug(f"Verify returned: {auth_info}")
+
         if auth_info.get("method") == "none" and auth_info.get("client_id") is None:
             break
 
@@ -542,6 +548,8 @@ def verify_client(
             continue
         break
 
+    logger.debug(f"Authn methods applied")
+
     # store what authn method was used
     if "method" in auth_info and client_id:
         _request_type = request.__class__.__name__

src/idpyoidc/server/endpoint.py

@@ -228,6 +228,7 @@ def parse_request(
 
         # Verify that the client is allowed to do this
         auth_info = self.client_authentication(req, http_info, endpoint=self, **kwargs)
+        LOGGER.debug(f"parse_request:auth_info:{auth_info}")
 
         _client_id = auth_info.get("client_id", "")
         if _client_id:
@@ -239,6 +240,8 @@ def parse_request(
         else:
             _client_id = req.get("client_id")
 
+        LOGGER.debug(f"parse_request:auth_info:{auth_info}")
+
         # verify that the request message is correct, may have to do it twice
         err_response = self.verify_request(
             request=req, keyjar=_keyjar, client_id=_client_id, verify_args=verify_args