IdentityPython
diff --git a/‎src/idpyoidc/configure.py‎
Lines changed: 38 additions & 41 deletions b/‎src/idpyoidc/configure.py‎
Lines changed: 38 additions & 41 deletions
diff --git a/‎src/idpyoidc/server/client_configure.py‎
Lines changed: 79 additions & 0 deletions b/‎src/idpyoidc/server/client_configure.py‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎src/idpyoidc/server/configure.py‎
Lines changed: 1 addition & 1 deletion b/‎src/idpyoidc/server/configure.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/idpyoidc/server/oauth2/token_helper.py‎
Lines changed: 29 additions & 29 deletions b/‎src/idpyoidc/server/oauth2/token_helper.py‎
Lines changed: 29 additions & 29 deletions
diff --git a/‎src/idpyoidc/server/oidc/token_helper.py‎
Lines changed: 2 additions & 2 deletions b/‎src/idpyoidc/server/oidc/token_helper.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/idpyoidc/server/session/grant.py‎
Lines changed: 1 addition & 12 deletions b/‎src/idpyoidc/server/session/grant.py‎
Lines changed: 1 addition & 12 deletions
@@ -5,10 +5,7 @@
 from typing import Optional
 from typing import Union
 
-from cryptojwt.key_jar import init_key_jar
-
 from idpyoidc.logging import configure_logging
-from idpyoidc.util import instantiate
 from idpyoidc.util import load_config_file
 
 DEFAULT_FILE_ATTRIBUTE_NAMES = [
@@ -97,13 +94,13 @@ class Base(dict):
     parameter = {}
 
     def __init__(
-        self,
-        conf: Dict,
-        base_path: str = "",
-        file_attributes: Optional[List[str]] = None,
-        dir_attributes: Optional[List[str]] = None,
-        domain: Optional[str] = "",
-        port: Optional[int] = 0,
+            self,
+            conf: Dict,
+            base_path: str = "",
+            file_attributes: Optional[List[str]] = None,
+            dir_attributes: Optional[List[str]] = None,
+            domain: Optional[str] = "",
+            port: Optional[int] = 0,
     ):
         dict.__init__(self)
         if file_attributes is None:
@@ -150,14 +147,14 @@ def items(self):
             yield key, getattr(self, key)
 
     def extend(
-        self,
-        conf: Dict,
-        base_path: str,
-        domain: str,
-        port: int,
-        entity_conf: Optional[List[dict]] = None,
-        file_attributes: Optional[List[str]] = None,
-        dir_attributes: Optional[List[str]] = None,
+            self,
+            conf: Dict,
+            base_path: str,
+            domain: str,
+            port: int,
+            entity_conf: Optional[List[dict]] = None,
+            file_attributes: Optional[List[str]] = None,
+            dir_attributes: Optional[List[str]] = None,
     ):
         for econf in entity_conf:
             _path = econf.get("path")
@@ -198,13 +195,13 @@ def complete_paths(self, conf: Dict, keys: List[str], default_config: Dict, base
             setattr(self, key, _val)
 
     def format(
-        self,
-        conf,
-        base_path: str,
-        domain: str,
-        port: int,
-        file_attributes: Optional[List[str]] = None,
-        dir_attributes: Optional[List[str]] = None,
+            self,
+            conf,
+            base_path: str,
+            domain: str,
+            port: int,
+            file_attributes: Optional[List[str]] = None,
+            dir_attributes: Optional[List[str]] = None,
     ) -> Union[Dict, str]:
         """
         Formats parts of the configuration. That includes replacing the strings {domain} and {port}
@@ -239,14 +236,14 @@ class Configuration(Base):
     uris = ["redirect_uris", "issuer", "base_url", "server_name"]
 
     def __init__(
-        self,
-        conf: Dict,
-        base_path: str = "",
-        entity_conf: Optional[List[dict]] = None,
-        file_attributes: Optional[List[str]] = None,
-        domain: Optional[str] = "",
-        port: Optional[int] = 0,
-        dir_attributes: Optional[List[str]] = None,
+            self,
+            conf: Dict,
+            base_path: str = "",
+            entity_conf: Optional[List[dict]] = None,
+            file_attributes: Optional[List[str]] = None,
+            domain: Optional[str] = "",
+            port: Optional[int] = 0,
+            dir_attributes: Optional[List[str]] = None,
     ):
         Base.__init__(
             self,
@@ -293,14 +290,14 @@ def __init__(
 
 
 def create_from_config_file(
-    cls,
-    filename: str,
-    base_path: Optional[str] = "",
-    entity_conf: Optional[List[dict]] = None,
-    file_attributes: Optional[List[str]] = None,
-    domain: Optional[str] = "",
-    port: Optional[int] = 0,
-    dir_attributes: Optional[List[str]] = None,
+        cls,
+        filename: str,
+        base_path: Optional[str] = "",
+        entity_conf: Optional[List[dict]] = None,
+        file_attributes: Optional[List[str]] = None,
+        domain: Optional[str] = "",
+        port: Optional[int] = 0,
+        dir_attributes: Optional[List[str]] = None,
 ):
     return cls(
         load_config_file(filename),
 
@@ -0,0 +1,79 @@
+import logging
+from typing import Callable
+from typing import Optional
+
+from idpyoidc.message import OPTIONAL_LIST_OF_STRINGS
+from idpyoidc.message.oidc import RegistrationResponse
+from idpyoidc.message.oidc import SINGLE_OPTIONAL_BOOLEAN
+from idpyoidc.message.oidc import SINGLE_OPTIONAL_DICT
+from idpyoidc.server.session.token import TOKEN_MAP
+
+logger = logging.getLogger(__name__)
+
+
+class ClientConfiguration(RegistrationResponse):
+    c_param = RegistrationResponse.c_param.copy()
+    c_param.update({
+        "token_usage_rules": SINGLE_OPTIONAL_DICT,
+        "token_exchange": SINGLE_OPTIONAL_DICT,
+        "add_claims": SINGLE_OPTIONAL_DICT,
+        "pkce_essential": SINGLE_OPTIONAL_BOOLEAN,
+        "revoke_refresh_on_issue": SINGLE_OPTIONAL_BOOLEAN,
+        "allowed_scopes": OPTIONAL_LIST_OF_STRINGS,
+        "scopes_to_claims": SINGLE_OPTIONAL_DICT,
+        #
+        # These may be added dynamically at run time
+        # "dpop_jkt": SINGLE_OPTIONAL_STRING,
+        # "si_redirects": OPTIONAL_LIST_OF_STRINGS,
+        # "sector_id": SINGLE_OPTIONAL_STRING,
+        # "client_secret_expires_at": SINGLE_OPTIONAL_INT,
+        # "registration_access_token": SINGLE_OPTIONAL_STRING
+        # "auth_method": SINGLE_OPTIONAL_DICT,
+    })
+
+    def verify(self, **kwargs):
+        RegistrationResponse.verify(self, **kwargs)
+        _server_get = kwargs.get("server_get")
+        if _server_get:
+            _endpoint_context = _server_get("endpoint_context")
+        else:
+            _endpoint_context = None
+
+        if "add_claims" in self:
+            if not set(self["add_claims"].keys()).issubset({"always", "by_scope"}):
+                _diff = set(self["add_claims"].keys()).difference({"always", "by_scope"})
+                logger.warning(f"Undefined add_claims parameter '{_diff}' used")
+
+        if "token_usage_rules" in self:
+            for _typ, _rule in self["token_usage_rules"].items():
+                # The allowed rules are: expires_in, supports_minting, max_usage
+                if _typ not in TOKEN_MAP.keys():
+                    logger.warning(f"Undefined token type '{_typ}' used")
+
+                if not set(_rule.keys()).issubset({'expires_in', 'supports_minting', 'max_usage'}):
+                    _diff = set(_rule.keys()).difference(
+                        {'expires_in', 'supports_minting', 'max_usage'})
+                    logger.warning(f"Undefined token_usage_rules parameter '{_diff}' used")
+
+                _supports = _rule.get("supports_minting")
+                if _supports:
+                    if not set(_supports).issubset(set(TOKEN_MAP.keys())):
+                        _diff = set(_supports).difference(set(TOKEN_MAP.keys()))
+                        logger.warning(f"Unknown supports_minting token '{_diff}' used")
+
+        if "token_exchange" in self:
+            pass
+
+
+def verify_oidc_client_information(conf: dict,
+                                   server_get: Optional[Callable] = None,
+                                   **kwargs) -> dict:
+    res = {}
+    for key, item in conf.items():
+        _rr = ClientConfiguration(**item)
+        _rr.verify(server_get=server_get, **kwargs)
+        if _rr.extra():
+            logger.info(f"Extras: {_rr.extra()}")
+        res[key] = _rr
+
+    return res
@@ -8,7 +8,7 @@
 
 from idpyoidc.configure import Base
 from idpyoidc.server.scopes import SCOPE2CLAIMS
-from idpyoidc.util import verify_oidc_client_information
+from idpyoidc.server.client_configure import verify_oidc_client_information
 
 logger = logging.getLogger(__name__)
 
 
@@ -16,9 +16,9 @@
 from idpyoidc.server.exception import ToOld
 from idpyoidc.server.exception import UnAuthorizedClientScope
 from idpyoidc.server.oauth2.authorization import check_unknown_scopes_policy
-from idpyoidc.server.session.grant import AuthorizationCode
 from idpyoidc.server.session.grant import Grant
-from idpyoidc.server.session.grant import RefreshToken
+from idpyoidc.server.session.token import AuthorizationCode
+from idpyoidc.server.session.token import RefreshToken
 from idpyoidc.server.session.token import MintingNotAllowed
 from idpyoidc.server.session.token import SessionToken
 from idpyoidc.server.token.exception import UnknownToken
@@ -36,7 +36,7 @@ def __init__(self, endpoint, config=None):
         self.error_cls = self.endpoint.error_cls
 
     def post_parse_request(
-        self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
+            self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
     ):
         """Context specific parsing of the request.
         This is done after general request parsing and before processing
@@ -49,15 +49,15 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         raise NotImplementedError
 
     def _mint_token(
-        self,
-        token_class: str,
-        grant: Grant,
-        session_id: str,
-        client_id: str,
-        based_on: Optional[SessionToken] = None,
-        scope: Optional[list] = None,
-        token_args: Optional[dict] = None,
-        token_type: Optional[str] = "",
+            self,
+            token_class: str,
+            grant: Grant,
+            session_id: str,
+            client_id: str,
+            based_on: Optional[SessionToken] = None,
+            scope: Optional[list] = None,
+            token_args: Optional[dict] = None,
+            token_type: Optional[str] = "",
     ) -> SessionToken:
         _context = self.endpoint.server_get("endpoint_context")
         _mngr = _context.session_manager
@@ -171,9 +171,9 @@ def process_request(self, req: Union[Message, dict], **kwargs):
                     _response["expires_in"] = token.expires_at - utc_time_sans_frac()
 
         if (
-            issue_refresh
-            and "refresh_token" in _supports_minting
-            and "refresh_token" in grant_types_supported
+                issue_refresh
+                and "refresh_token" in _supports_minting
+                and "refresh_token" in grant_types_supported
         ):
             try:
                 refresh_token = self._mint_token(
@@ -196,7 +196,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         return _response
 
     def post_parse_request(
-        self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
+            self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
     ):
         """
         This is where clients come to get their access tokens
@@ -300,9 +300,9 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         token.register_usage()
 
         if (
-            "client_id" in req
-            and req["client_id"] in _context.cdb
-            and "revoke_refresh_on_issue" in _context.cdb[req["client_id"]]
+                "client_id" in req
+                and req["client_id"] in _context.cdb
+                and "revoke_refresh_on_issue" in _context.cdb[req["client_id"]]
         ):
             revoke_refresh = _context.cdb[req["client_id"]].get("revoke_refresh_on_issue")
         else:
@@ -314,7 +314,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         return _resp
 
     def post_parse_request(
-        self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
+            self, request: Union[Message, dict], client_id: Optional[str] = "", **kwargs
     ):
         """
         This is where clients come to refresh their access tokens
@@ -405,10 +405,10 @@ def post_parse_request(self, request, client_id="", **kwargs):
         try:
             request.verify(keyjar=keyjar, opponent_id=client_id)
         except (
-            MissingRequiredAttribute,
-            ValueError,
-            MissingRequiredValue,
-            JWKESTException,
+                MissingRequiredAttribute,
+                ValueError,
+                MissingRequiredValue,
+                JWKESTException,
         ) as err:
             return self.endpoint.error_cls(error="invalid_request", error_description="%s" % err)
 
@@ -449,8 +449,8 @@ def _enforce_policy(self, request, token, config):
             )
 
         if (
-            "requested_token_type" in request
-            and request["requested_token_type"] not in config["requested_token_types_supported"]
+                "requested_token_type" in request
+                and request["requested_token_type"] not in config["requested_token_types_supported"]
         ):
             return TokenErrorResponse(
                 error="invalid_request",
@@ -605,14 +605,14 @@ def validate_token_exchange_policy(request, context, subject_token, **kwargs):
         )
 
     if (
-        "requested_token_type" in request
-        and request["requested_token_type"] == "urn:ietf:params:oauth:token-type:refresh_token"
+            "requested_token_type" in request
+            and request["requested_token_type"] == "urn:ietf:params:oauth:token-type:refresh_token"
     ):
         if "offline_access" not in subject_token.scope:
             return TokenErrorResponse(
                 error="invalid_request",
                 error_description=f"Exchange {request['subject_token_type']} to refresh token "
-                f"forbbiden",
+                                  f"forbbiden",
             )
 
     if "scope" in request:
 
@@ -10,8 +10,8 @@
 from idpyoidc.message.oidc import RefreshAccessTokenRequest
 from idpyoidc.server import oauth2
 from idpyoidc.server.oauth2.token_helper import TokenEndpointHelper
-from idpyoidc.server.session.grant import AuthorizationCode
-from idpyoidc.server.session.grant import RefreshToken
+from idpyoidc.server.session.token import AuthorizationCode
+from idpyoidc.server.session.token import RefreshToken
 from idpyoidc.server.session.token import MintingNotAllowed
 from idpyoidc.server.token.exception import UnknownToken
 from idpyoidc.util import sanitize
 
@@ -9,17 +9,14 @@
 from idpyoidc.message import Message
 from idpyoidc.message.oauth2 import AuthorizationRequest
 from idpyoidc.server.authn_event import AuthnEvent
+from idpyoidc.server.session.token import TOKEN_MAP
 from idpyoidc.server.token import Token as TokenHandler
 from idpyoidc.util import importer
 
 from ...message.oauth2 import TokenExchangeRequest
 from . import MintingNotAllowed
 from .claims import claims_match
-from .token import AccessToken
-from .token import AuthorizationCode
-from .token import IDToken
 from .token import Item
-from .token import RefreshToken
 from .token import SessionToken
 
 logger = logging.getLogger(__name__)
@@ -54,14 +51,6 @@ def find_token(issued, token_id):
     return None
 
 
-TOKEN_MAP = {
-    "authorization_code": AuthorizationCode,
-    "access_token": AccessToken,
-    "refresh_token": RefreshToken,
-    "id_token": IDToken,
-}
-
-
 def qualified_name(cls):
     """Does both classes and class instances