Merge pull request #23 from IdentityPython/token_exchange_client

Token exchange client

Author: rohe

pyproject.toml

@@ -7,7 +7,7 @@ build-backend = "setuptools.build_meta"
 
 [metadata]
 name = "idpyoidc"
-version = "1.1.1"
+version = "1.2.0"
 author = "Roland Hedberg"
 author_email = "roland@catalogix.se"
 description = "Everything OAuth2 and OIDC"

src/idpyoidc/__init__.py

@@ -1,5 +1,5 @@
 __author__ = "Roland Hedberg"
-__version__ = "1.1.1"
+__version__ = "1.2.0"
 
 import os
 from typing import Dict

src/idpyoidc/client/client_auth.py

@@ -302,11 +302,13 @@ def construct(self, request=None, service=None, http_args=None, **kwargs):
 
         if service.service_name == "refresh_token":
             _acc_token = find_token(request, "refresh_token", service, **kwargs)
+        elif service.service_name == "token_exchange":
+            _acc_token = find_token(request, "subject_token", service, **kwargs)
         else:
             _acc_token = find_token(request, "access_token", service, **kwargs)
 
         if not _acc_token:
-            raise KeyError("No access or refresh token available")
+            raise KeyError("No bearer token available")
 
         # The authorization value starts with 'Bearer' when bearer tokens
         # are used

src/idpyoidc/client/defaults.py

@@ -18,7 +18,7 @@
 }
 
 DEFAULT_OAUTH2_SERVICES = {
-    "discovery": {"class": "idpyoidc.client.oauth2.provider_info_discovery.ProviderInfoDiscovery"},
+    "discovery": {"class": "idpyoidc.client.oauth2.server_metadata.ServerMetadata"},
     "authorization": {"class": "idpyoidc.client.oauth2.authorization.Authorization"},
     "access_token": {"class": "idpyoidc.client.oauth2.access_token.AccessToken"},
     "refresh_access_token": {

src/idpyoidc/client/oauth2/provider_info_discovery.py renamed to src/idpyoidc/client/oauth2/server_metadata.py

@@ -12,14 +12,14 @@
 LOGGER = logging.getLogger(__name__)
 
 
-class ProviderInfoDiscovery(Service):
-    """The service that talks to the OAuth2 provider info discovery endpoint."""
+class ServerMetadata(Service):
+    """The service that talks to the OAuth2 server metadata endpoint."""
 
     msg_type = oauth2.Message
     response_cls = oauth2.ASConfigurationResponse
     error_msg = ResponseMessage
     synchronous = True
-    service_name = "provider_info"
+    service_name = "server_metadata"
     http_method = "GET"
 
     metadata_attributes = {}

src/idpyoidc/client/oauth2/token_exchange.py

@@ -0,0 +1,74 @@
+"""Implements the service that can exchange one token for another."""
+import logging
+
+from idpyoidc.client.oauth2.utils import get_state_parameter
+from idpyoidc.client.service import Service
+from idpyoidc.exception import MissingParameter
+from idpyoidc.exception import MissingRequiredAttribute
+from idpyoidc.message import oauth2
+from idpyoidc.message.oauth2 import ResponseMessage
+from idpyoidc.time_util import time_sans_frac
+
+LOGGER = logging.getLogger(__name__)
+
+
+class TokenExchange(Service):
+    """The token exchange service."""
+
+    msg_type = oauth2.TokenExchangeRequest
+    response_cls = oauth2.TokenExchangeResponse
+    error_msg = ResponseMessage
+    endpoint_name = "token_endpoint"
+    synchronous = True
+    service_name = "token_exchange"
+    default_authn_method = "client_secret_basic"
+    http_method = "POST"
+    request_body_type = "urlencoded"
+    response_body_type = "json"
+
+
+    def __init__(self, client_get, conf=None):
+        Service.__init__(self, client_get, conf=conf)
+        self.pre_construct.append(self.oauth_pre_construct)
+
+    def update_service_context(self, resp, key="", **kwargs):
+        if "expires_in" in resp:
+            resp["__expires_at"] = time_sans_frac() + int(resp["expires_in"])
+        self.client_get("service_context").state.store_item(resp, "token_response", key)
+
+    def oauth_pre_construct(self, request_args=None, post_args=None, **kwargs):
+        """
+
+        :param request_args: Initial set of request arguments
+        :param kwargs: Extra keyword arguments
+        :return: Request arguments
+        """
+        if request_args is None:
+            request_args = {}
+
+        if 'subject_token' not in request_args:
+            try:
+                _key = get_state_parameter(request_args, kwargs)
+            except MissingParameter:
+                raise MissingRequiredAttribute("subject_token")
+
+            parameters = {'access_token', 'scope'}
+
+            _state = self.client_get("service_context").state
+
+            _args = _state.extend_request_args(
+                {}, oauth2.AuthorizationResponse, "auth_response", _key, parameters
+            )
+            _args = _state.extend_request_args(
+                _args, oauth2.AccessTokenResponse, "token_response", _key, parameters
+            )
+            _args = _state.extend_request_args(
+                _args, oauth2.AccessTokenResponse, "refresh_token_response", _key, parameters
+            )
+
+            request_args["subject_token"] = _args["access_token"]
+            request_args["subject_token_type"] = 'urn:ietf:params:oauth:token-type:access_token'
+            if 'scope' not in request_args and "scope" in _args:
+                request_args["scope"] = _args["scope"]
+
+        return request_args, post_args

src/idpyoidc/client/oidc/provider_info_discovery.py

@@ -1,7 +1,7 @@
 import logging
 
 from idpyoidc.client.exception import ConfigurationError
-from idpyoidc.client.oauth2 import provider_info_discovery
+from idpyoidc.client.oauth2 import server_metadata
 from idpyoidc.message import oidc
 from idpyoidc.message.oauth2 import ResponseMessage
 
@@ -61,14 +61,16 @@ def add_redirect_uris(request_args, service=None, **kwargs):
     return request_args, {}
 
 
-class ProviderInfoDiscovery(provider_info_discovery.ProviderInfoDiscovery):
+class ProviderInfoDiscovery(server_metadata.ServerMetadata):
     msg_type = oidc.Message
     response_cls = oidc.ProviderConfigurationResponse
     error_msg = ResponseMessage
+    service_name = "provider_info"
+
     metadata_attributes = {}
 
     def __init__(self, client_get, conf=None):
-        provider_info_discovery.ProviderInfoDiscovery.__init__(self, client_get, conf=conf)
+        server_metadata.ServerMetadata.__init__(self, client_get, conf=conf)
 
     def update_service_context(self, resp, **kwargs):
         _context = self.client_get("service_context")

src/idpyoidc/client/service.py

@@ -16,14 +16,13 @@
 from idpyoidc.message.oauth2 import ResponseMessage
 from idpyoidc.message.oauth2 import is_error_message
 from idpyoidc.util import importer
-
-from ..constant import JOSE_ENCODED
-from ..constant import JSON_ENCODED
-from ..constant import URL_ENCODED
 from .configure import Configuration
 from .exception import ResponseError
 from .util import get_http_body
 from .util import get_http_url
+from ..constant import JOSE_ENCODED
+from ..constant import JSON_ENCODED
+from ..constant import URL_ENCODED
 
 __author__ = "Roland Hedberg"
 
@@ -452,6 +451,7 @@ def get_request_parameters(
                 content_type = JSON_ENCODED
 
             _info["body"] = get_http_body(request, content_type)
+
             _headers.update({"Content-Type": content_type})
 
         if _headers:
@@ -655,7 +655,7 @@ def construct_uris(self, base_url, hex):
                 uri = self.usage_to_uri_map.get(usage)
                 if uri and uri not in self.metadata:
                     self.metadata[uri] = self.get_uri(base_url, self.callback_path[uri],
-                                                               hex)
+                                                      hex)
 
     def get_metadata(self, attribute, default=None):
         try:

src/idpyoidc/server/oauth2/server_metadata.py

@@ -0,0 +1,37 @@
+import logging
+
+from idpyoidc.message import oauth2
+
+from idpyoidc.message import oidc
+from idpyoidc.server.endpoint import Endpoint
+
+logger = logging.getLogger(__name__)
+
+
+class ServerMetadata(Endpoint):
+    request_cls = oauth2.Message
+    response_cls = oauth2.ASConfigurationResponse
+    request_format = ""
+    response_format = "json"
+    name = "server_metadata"
+
+    def __init__(self, server_get, **kwargs):
+        Endpoint.__init__(self, server_get=server_get, **kwargs)
+        self.pre_construct.append(self.add_endpoints)
+
+    def add_endpoints(self, request, client_id, endpoint_context, **kwargs):
+        for endpoint in [
+            "authorization_endpoint",
+            "registration_endpoint",
+            "token_endpoint",
+            "userinfo_endpoint",
+            "end_session_endpoint",
+        ]:
+            endp_instance = self.server_get("endpoint", endpoint)
+            if endp_instance:
+                request[endpoint] = endp_instance.endpoint_path
+
+        return request
+
+    def process_request(self, request=None, **kwargs):
+        return {"response_args": self.server_get("endpoint_context").provider_info}

src/idpyoidc/server/oauth2/token.py

@@ -13,6 +13,7 @@
 from idpyoidc.server.exception import ProcessError
 from idpyoidc.server.oauth2.token_helper import AccessTokenHelper
 from idpyoidc.server.oauth2.token_helper import RefreshTokenHelper
+from idpyoidc.server.session import MintingNotAllowed
 from idpyoidc.server.session.token import TOKEN_TYPES_MAPPING
 from idpyoidc.util import importer
 
@@ -121,6 +122,8 @@ def process_request(self, request: Optional[Union[Message, dict]] = None, **kwar
                 )
         except JWEException as err:
             return self.error_cls(error="invalid_request", error_description="%s" % err)
+        except MintingNotAllowed as err:
+            return self.error_cls(error="invalid_request", error_description="%s" % err)
 
         if isinstance(response_args, ResponseMessage):
             return response_args