Calculate what metadata to use, before modifying the

metadata based on provider info annd client registration.

Author: rohe

src/idpyoidc/client/service_context.py

@@ -187,6 +187,9 @@ def __init__(
 
         self.construct_uris(response_types=_response_types)
 
+        self.map_supported_to_preferred()
+        self.map_preferred_to_registered()
+
     def __setitem__(self, key, value):
         setattr(self, key, value)
 

tests/afs/client_1.lock.lock

@@ -1 +1 @@
-{"keys": [{"kty": "oct", "use": "enc", "kid": "code", "k": "vSHDkLBHhDStkR0NWu8519rmV5zmnm5_"}, {"kty": "oct", "use": "enc", "kid": "refresh", "k": "XB2_T04TbhR_hmpm439FntWuuidEDy-H"}]}
+{"keys": [{"kty": "oct", "use": "enc", "kid": "code", "k": "vSHDkLBHhDStkR0NWu8519rmV5zmnm5_"}, {"kty": "oct", "use": "enc", "kid": "refresh", "k": "Ps_KwX5Kw9lB89TaXnArVOZGClLgW2CX"}]}

tests/afs/client_2.lock.lock

@@ -1 +1 @@
-{"keys": [{"kty": "EC", "use": "sig", "kid": "azZQQ2FEQjh3QnVZWVdrbHJkMEZSaWR6aVJ0LTBjeUFfeWRlbTRrRFZ5VQ", "crv": "P-256", "x": "2ADe18caWWGp6hpRbfa9HqQHDFNpid9xUmR56Wzm_wc", "y": "HnD_8QBanz4Y-UF8mKQFZXfqkGkXUSm34mLsdDKtSyk"}, {"kty": "RSA", "use": "sig", "kid": "SHEyYWcwNVk0LTdROTZzZ2FUWndIVXdack0xWUM5SEpwcS03dVUxWU4zRQ", "e": "AQAB", "n": "rRz52ddyP9Y2ezSlRsnkt-sjXfV_Ii7vOFX-cStLE3IUlVeSJGEe_kAASLr2r3BE2unjntaxj67NP8D95h_rzG1SpCklTEn-aTe3FOwNyTzUH_oiDVeRoEcf04Y43ciRGYRB5PhI6ii-2lYuig6hyUr776Qxiu6-0zw-M_ay2MgGSy5CEj55dDSvcUyxStUObxGpPWnEvybO1vnE7iJEWGNe0L5uPe5nLidOiR-JwjxSWEx1xZYtIjxaf2Ulu-qu4hwgwBUQdx4bNZyBfljKj55skWuHqPMG3xMjnedQC6Ms5bR3rIkbBpvmgI3kJK-4CZikM6ruyLo94-Lk19aYQw"}]}
+{"keys": [{"kty": "EC", "use": "sig", "kid": "azZQQ2FEQjh3QnVZWVdrbHJkMEZSaWR6aVJ0LTBjeUFfeWRlbTRrRFZ5VQ", "crv": "P-256", "x": "2ADe18caWWGp6hpRbfa9HqQHDFNpid9xUmR56Wzm_wc", "y": "HnD_8QBanz4Y-UF8mKQFZXfqkGkXUSm34mLsdDKtSyk"}, {"kty": "RSA", "use": "sig", "kid": "SHEyYWcwNVk0LTdROTZzZ2FUWndIVXdack0xWUM5SEpwcS03dVUxWU4zRQ", "n": "rRz52ddyP9Y2ezSlRsnkt-sjXfV_Ii7vOFX-cStLE3IUlVeSJGEe_kAASLr2r3BE2unjntaxj67NP8D95h_rzG1SpCklTEn-aTe3FOwNyTzUH_oiDVeRoEcf04Y43ciRGYRB5PhI6ii-2lYuig6hyUr776Qxiu6-0zw-M_ay2MgGSy5CEj55dDSvcUyxStUObxGpPWnEvybO1vnE7iJEWGNe0L5uPe5nLidOiR-JwjxSWEx1xZYtIjxaf2Ulu-qu4hwgwBUQdx4bNZyBfljKj55skWuHqPMG3xMjnedQC6Ms5bR3rIkbBpvmgI3kJK-4CZikM6ruyLo94-Lk19aYQw", "e": "AQAB"}]}

tests/private/token_jwks.json

@@ -1 +1 @@
-eyJhbGciOiJSUzI1NiIsImtpZCI6IlNIRXlZV2N3TlZrMExUZFJPVFp6WjJGVVduZElWWGRhY2sweFdVTTVTRXB3Y1MwM2RWVXhXVTR6UlEifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic3RhdGUiOiAic3RhdGUiLCAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vZXhhbXBsZS5jb20vY2xpL2F1dGh6X2NiIiwgInNjb3BlIjogIm9wZW5pZCIsICJub25jZSI6ICI1ams1WkdMLTE3NXpHT0FPQW5yTlZra2paZXltS0JwOVFoek81QV90eDQwIiwgImNsaWVudF9pZCI6ICJjbGllbnRfaWQiLCAiaXNzIjogImNsaWVudF9pZCIsICJpYXQiOiAxNjg3MTgwNzk0LCAiYXVkIjogWyJodHRwczovL2V4YW1wbGUuY29tIl19.HUbiyiC0pypd8hamG9JJ-xQaJ7FEAVjDoy4jH00hJ5FtLqm87PAKIvD5aptYv8VzdpA5X8hCDUW4g0noNBbEsmvXeJpoXHSeVz_A4Ue8Ziz7z6dnrYf7BNFt3NyTibKVlkcWNGPBhEjyw0k4r6O86lQ2mSQjINJuqpR7VeEQyK7CBhDl5bicPctB4yGm4VksvC39695hhyGtUrUyrGW539g54VkG-x0kKv2HMc_ZGsnsEgFrT0fHKWuc1hPRkGi2XuSyhhD20zhnZhMGyTovwoZxmbx2seiIinjd0_wZVMZS277yUvMQTCvjOHJyu80XLLZqI71GguonCWdxIIrblQ
+eyJhbGciOiJSUzI1NiIsImtpZCI6IlNIRXlZV2N3TlZrMExUZFJPVFp6WjJGVVduZElWWGRhY2sweFdVTTVTRXB3Y1MwM2RWVXhXVTR6UlEifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic3RhdGUiOiAic3RhdGUiLCAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vZXhhbXBsZS5jb20vY2xpL2F1dGh6X2NiIiwgInNjb3BlIjogIm9wZW5pZCIsICJub25jZSI6ICJpcno4SG5ELXFsOVhNYVJYUll1S3BpcEpHM2hiRWZ5akxBYXQwMjNLZEdvIiwgImNsaWVudF9pZCI6ICJjbGllbnRfaWQiLCAiaXNzIjogImNsaWVudF9pZCIsICJpYXQiOiAxNzEwODM2MDQwLCAiYXVkIjogWyJodHRwczovL2V4YW1wbGUuY29tIl19.EDvgPn7QJFm6O4d9QFU9gVZEmAREDIfl1RTiMtec7_ZJ4vGag3dxCyXgz15GbDrQgo6mqCydCe-Mal_4HBlRwMctqhy9NMIGM5PxIKzrqMjsk88jxAoz-WWw3I-pKrJUS4m23mEgLZkGQpB1N3YgO_RhG-7vGCkiJd_8VuomRMd2dX5_Jax3j12T7vhM_TUI9S6XJ5zsLn2ZOPQVXfoprr7HHY6UJjJ65Fp_hoGA3gmfJiHwbxYss8D2X1BNoLmEMze_e6cS-DGe648t2U47E77BvHdzsKi791Y1L3eizkm364gJ371KWbi3avvbSkTi4hEd3OikkyeMQZk6vDiJww

tests/pub_client.jwks

@@ -252,3 +252,141 @@ def test_registration_response(self):
 
         # Not what I asked for but something I can handle
         assert to_use["subject_type"] == "pairwise"
+
+    def test_registration_response_consistence(self):
+        client_conf = {
+            "application_type": "web",
+            "base_url": "https://client.example.org/",
+            "redirect_uris": [
+                "https://client.example.org/callback",
+                "https://client.example.org/callback2",
+            ],
+            "client_name": "My Example",
+            "client_id": "client_id",
+            "keys": {"key_defs": KEYSPEC, "read_only": True},
+            "client_secret": "a longesh password",
+            "logo_uri": "https://client.example.org/logo.png",
+            "contacts": ["ve7jtb@example.org", "mary@example.org"],
+        }
+
+        self.claims.load_conf(client_conf, self.supported)
+
+        self.claims.prefer = supported_to_preferred(
+            supported=self.supported,
+            preference=self.claims.prefer,
+            base_url="https://example.com",
+        )
+        to_use_1 = preferred_to_registered(
+            prefers=self.claims.prefer,
+            supported=self.supported,
+        )
+
+        OP_BASEURL = "https://example.com"
+        provider_info_response = {
+            "version": "3.0",
+            "token_endpoint_auth_methods_supported": [
+                "client_secret_post",
+                "client_secret_basic",
+                "client_secret_jwt",
+                "private_key_jwt",
+            ],
+            "issuer": OP_BASEURL,
+            "jwks_uri": f"{OP_BASEURL}/static/jwks_tE2iLbOAqXhe8bqh.json",
+            "authorization_endpoint": f"{OP_BASEURL}/authorization",
+            "token_endpoint": f"{OP_BASEURL}/token",
+            "userinfo_endpoint": f"{OP_BASEURL}/userinfo",
+            "registration_endpoint": f"{OP_BASEURL}/registration",
+            "end_session_endpoint": f"{OP_BASEURL}/end_session",
+            # below are a set which the RP has default values but the OP overwrites
+            "scopes_supported": ["openid", "fee", "faa", "foo", "fum"],
+            "response_types_supported": ["code", "id_token", "code id_token"],
+            "response_modes_supported": ["query", "form_post", "new_fangled"],
+            # this does not have a default value
+            "acr_values_supported": ["mfa"],
+        }
+
+        pref = self.claims.prefer = supported_to_preferred(
+            supported=self.supported,
+            preference=self.claims.prefer,
+            base_url="https://example.com",
+            info=provider_info_response,
+        )
+
+        registration_request = create_registration_request(self.claims.prefer, self.supported)
+
+        assert set(registration_request.keys()) == {
+            "application_type",
+            "client_name",
+            "contacts",
+            "default_max_age",
+            "id_token_signed_response_alg",
+            "jwks",
+            "logo_uri",
+            "redirect_uris",
+            "request_object_signing_alg",
+            "response_modes",  # non-standard
+            "response_types",
+            "subject_type",
+            "token_endpoint_auth_method",
+            "token_endpoint_auth_signing_alg",
+            "userinfo_signed_response_alg",
+        }
+
+        assert registration_request["subject_type"] == "public"
+
+        registration_response = {
+            "application_type": "web",
+            "redirect_uris": [
+                "https://client.example.org/callback",
+                "https://client.example.org/callback2",
+            ],
+            "client_name": "My Example",
+            "logo_uri": "https://client.example.org/logo.png",
+            "subject_type": "pairwise",
+            "sector_identifier_uri": "https://other.example.net/file_of_redirect_uris.json",
+            "token_endpoint_auth_method": "client_secret_basic",
+            "jwks_uri": "https://client.example.org/my_public_keys.jwks",
+            "userinfo_encrypted_response_alg": "RSA1_5",
+            "userinfo_encrypted_response_enc": "A128CBC-HS256",
+            "contacts": ["ve7jtb@example.org", "mary@example.org"],
+            "request_uris": [
+                "https://client.example.org/rf.txt#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA"
+            ],
+        }
+
+        to_use_2 = preferred_to_registered(
+            prefers=self.claims.prefer,
+            supported=self.supported,
+            registration_response=registration_response,
+        )
+
+        assert set(to_use_2.keys()) == {
+            "application_type",
+            "client_id",
+            "client_name",
+            "client_secret",
+            "contacts",
+            "default_max_age",
+            "encrypt_request_object_supported",
+            "encrypt_userinfo_supported",
+            "id_token_signed_response_alg",
+            "jwks",
+            "jwks_uri",
+            "logo_uri",
+            "redirect_uris",
+            "request_object_signing_alg",
+            "request_uris",
+            "response_modes",
+            "response_types",
+            "scope",
+            "sector_identifier_uri",
+            "subject_type",
+            "token_endpoint_auth_method",
+            "token_endpoint_auth_signing_alg",
+            "userinfo_encrypted_response_alg",
+            "userinfo_encrypted_response_enc",
+            "userinfo_signed_response_alg",
+        }
+
+        # Not what I asked for but something I can handle
+        assert to_use_2["subject_type"] == "pairwise"

tests/request123456.jwt

@@ -1,13 +1,13 @@
 import os
 
-import pytest
-import responses
 from cryptojwt.exception import UnsupportedAlgorithm
 from cryptojwt.jws import jws
 from cryptojwt.jws.utils import left_hash
 from cryptojwt.jwt import JWT
 from cryptojwt.key_jar import build_keyjar
 from cryptojwt.key_jar import init_key_jar
+import pytest
+import responses
 
 from idpyoidc.client.defaults import DEFAULT_OIDC_SERVICES
 from idpyoidc.client.entity import Entity
@@ -725,7 +725,7 @@ def test_post_parse(self):
             "end_session_endpoint": "{}/end_session".format(OP_BASEURL),
         }
         _context = self.service.upstream_get("context")
-        assert _context.claims.use == {}
+        # assert _context.claims.use == {}
         resp = self.service.post_parse_response(provider_info_response)
 
         iss_jwks = ISS_KEY.export_jwks_as_json(issuer_id=ISS)
@@ -788,7 +788,31 @@ def test_post_parse_2(self):
             "end_session_endpoint": "{}/end_session".format(OP_BASEURL),
         }
         _context = self.service.upstream_get("context")
-        assert _context.claims.use == {}
+        assert set(_context.claims.use.keys()) == {
+            'application_type',
+            'backchannel_logout_session_required',
+            'backchannel_logout_uri',
+            'callback_uris',
+            'client_id',
+            'client_secret',
+            'contacts',
+            'default_max_age',
+            'encrypt_id_token_supported',
+            'encrypt_request_object_supported',
+            'encrypt_userinfo_supported',
+            'grant_types',
+            'id_token_signed_response_alg',
+            'jwks',
+            'post_logout_redirect_uris',
+            'redirect_uris',
+            'request_object_signing_alg',
+            'response_modes',
+            'response_types',
+            'scope',
+            'subject_type',
+            'token_endpoint_auth_method',
+            'token_endpoint_auth_signing_alg',
+            'userinfo_signed_response_alg'}
         resp = self.service.post_parse_response(provider_info_response)
 
         iss_jwks = ISS_KEY.export_jwks_as_json(issuer_id=ISS)

tests/test_09_work_condition.py

@@ -121,6 +121,7 @@ def test_construct_refresh_token_request(self):
             "client_secret": "abcdefghijklmnop",
             "grant_type": "refresh_token",
             "refresh_token": "refresh_with_me",
+            'scope': 'openid'
         }
 
     def test_do_userinfo_request_init(self):

tests/test_client_21_oidc_service.py

@@ -4,16 +4,16 @@
 from urllib.parse import urlparse
 from urllib.parse import urlsplit
 
+from cryptojwt.key_jar import init_key_jar
 import pytest
 import responses
-from cryptojwt.key_jar import init_key_jar
 
 from idpyoidc.client.entity import Entity
 from idpyoidc.client.rp_handler import RPHandler
-from idpyoidc.message.oidc import JRD
 from idpyoidc.message.oidc import AccessTokenResponse
 from idpyoidc.message.oidc import AuthorizationResponse
 from idpyoidc.message.oidc import IdToken
+from idpyoidc.message.oidc import JRD
 from idpyoidc.message.oidc import Link
 from idpyoidc.message.oidc import OpenIDSchema
 from idpyoidc.message.oidc import ProviderConfigurationResponse
@@ -260,14 +260,21 @@ def test_init_client(self):
         }
 
         _pref = [k for k, v in _context.prefers().items() if v]
-        assert set(_pref) == {
-            "client_id",
-            "client_secret",
-            "redirect_uris",
-            "response_types_supported",
-            "callback_uris",
-            "scopes_supported",
-        }
+        assert set(_pref) == {'application_type',
+                              'callback_uris',
+                              'client_id',
+                              'client_secret',
+                              'default_max_age',
+                              'grant_types_supported',
+                              'id_token_signing_alg_values_supported',
+                              'redirect_uris',
+                              'request_object_signing_alg_values_supported',
+                              'response_modes_supported',
+                              'response_types_supported',
+                              'scopes_supported',
+                              'subject_types_supported',
+                              'token_endpoint_auth_signing_alg_values_supported',
+                              'userinfo_signing_alg_values_supported'}
 
         _github_id = iss_id("github")
         _keyjar = _context.upstream_get("attribute", "keyjar")
@@ -304,8 +311,9 @@ def test_do_client_registration(self):
 
         assert self.rph.hash2issuer["github"] == issuer
         assert (
-            client.get_context().get_preference("callback_uris").get("post_logout_redirect_uris")
-            is None
+                client.get_context().get_preference("callback_uris").get(
+                    "post_logout_redirect_uris")
+                is None
         )
 
     def test_do_client_setup(self):