Check if nonce values are the same.

Deal with missing attribute.

Author: rohe

src/oidcrp/oidc/authorization.py

@@ -1,5 +1,6 @@
 import logging
 
+from oidcmsg import oauth2
 from oidcmsg import oidc
 from oidcmsg.oidc import make_openid_request
 from oidcmsg.oidc import verified_claim_name
@@ -47,18 +48,20 @@ def set_state(self, request_args, **kwargs):
 
     def update_service_context(self, resp, key='', **kwargs):
         _context = self.client_get("service_context")
-        try:
-            _idt = resp[verified_claim_name('id_token')]
-        except KeyError:
-            pass
-        else:
+
+        _idt = resp.get(verified_claim_name('id_token'))
+        if _idt:
             # If there is a verified ID Token then we have to do nonce
             # verification
-            try:
-                if _context.state.get_state_by_nonce(_idt['nonce']) != key:
-                    raise ParameterError('Someone has messed with "nonce"')
-            except KeyError:
-                raise ValueError('Missing nonce value')
+            item = _context.state.get_item(oauth2.AuthorizationRequest, 'auth_request', key)
+            if item['nonce'] != _idt['nonce']:
+                raise ValueError('Invalid nonce')
+
+            # try:
+            #     if _context.state.get_state_by_nonce(_idt['nonce']) != key:
+            #         raise ParameterError('Someone has messed with "nonce"')
+            # except KeyError:
+            #     raise ValueError('Invalid nonce')
 
             _context.state.store_sub2state(_idt['sub'], key)
 
@@ -229,6 +232,33 @@ def oidc_post_construct(self, req, **kwargs):
 
         return req
 
+    # def post_parse_response(self, response, **kwargs):
+    #     """
+    #     Add scope claim to response, from the request, if not present in the
+    #     response
+    #
+    #     :param response: The response
+    #     :param kwargs: Extra Keyword arguments
+    #     :return: A possibly augmented response
+    #     """
+    #
+    #     authorization.Authorization.parse_response(self, response, **kwargs)
+    #
+    #     if "id_token" not in response:
+    #         try:
+    #             _key = kwargs['state']
+    #         except KeyError:
+    #             pass
+    #         else:
+    #             if _key:
+    #                 item = self.client_get("service_context").state.get_item(oauth2.AuthorizationRequest,
+    #                                                                  'auth_request', _key)
+    #                 try:
+    #                     response["scope"] = item["scope"]
+    #                 except KeyError:
+    #                     pass
+    #     return response
+
     def gather_verify_arguments(self):
         """
         Need to add some information before running verify()
@@ -242,6 +272,10 @@ def gather_verify_arguments(self):
             'skew': _context.clock_skew
         }
 
+        _nonce = _context.state.get_item(oauth2.AuthorizationRequest, 'auth_request', 'nonce')
+        if _nonce:
+            kwargs["nonce"] = _nonce
+
         _client_id = _context.client_id
         if _client_id:
             kwargs['client_id'] = _client_id

src/oidcrp/rp_handler.py

@@ -9,6 +9,7 @@
 from cryptojwt.utils import as_bytes
 from oidcmsg import verified_claim_name
 from oidcmsg.exception import MessageException
+from oidcmsg.exception import MissingRequiredAttribute
 from oidcmsg.exception import NotForMe
 from oidcmsg.oauth2 import ResponseMessage
 from oidcmsg.oauth2 import is_error_message
@@ -628,16 +629,14 @@ def finalize_auth(self, client, issuer: str, response: dict,
 
         _srv = client.get_service('authorization')
         try:
-            authorization_response = _srv.parse_response(response,
-                                                         sformat='dict')
+            authorization_response = _srv.parse_response(response, sformat='dict')
         except Exception as err:
             logger.error('Parsing authorization_response: {}'.format(err))
             message = traceback.format_exception(*sys.exc_info())
             logger.error(message)
             raise
         else:
-            logger.debug(
-                'Authz response: {}'.format(authorization_response.to_dict()))
+            logger.debug('Authz response: {}'.format(authorization_response.to_dict()))
 
         if is_error_message(authorization_response):
             return authorization_response
@@ -947,8 +946,10 @@ def backchannel_logout(client, request='', request_args=None):
     """
     if request:
         req = BackChannelLogoutRequest().from_urlencoded(as_unicode(request))
+    elif request_args:
+        req = BackChannelLogoutRequest(**request_args)
     else:
-        req = BackChannelLogoutRequest()
+        raise MissingRequiredAttribute('logout_token')
 
     _context = client.client_get("service_context")
     kwargs = {
@@ -959,10 +960,13 @@ def backchannel_logout(client, request='', request_args=None):
             "id_token_signed_response_alg", "RS256")
     }
 
+    logger.debug(f"(backchannel_logout) Verifying request using: {kwargs}")
     try:
         req.verify(**kwargs)
     except (MessageException, ValueError, NotForMe) as err:
         raise MessageException('Bogus logout request: {}'.format(err))
+    else:
+        logger.debug("Request verified OK")
 
     # Find the subject through 'sid' or 'sub'
     sub = req[verified_claim_name('logout_token')].get('sub')