IdentityPython
diff --git a/‎src/oidcrp/oauth2/utils.py‎
Lines changed: 6 additions & 2 deletions b/‎src/oidcrp/oauth2/utils.py‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎src/oidcrp/oidc/registration.py‎
Lines changed: 141 additions & 16 deletions b/‎src/oidcrp/oidc/registration.py‎
Lines changed: 141 additions & 16 deletions
diff --git a/‎src/oidcrp/rp_handler.py‎
Lines changed: 50 additions & 67 deletions b/‎src/oidcrp/rp_handler.py‎
Lines changed: 50 additions & 67 deletions
@@ -3,6 +3,7 @@
 from typing import Union
 
 from oidcmsg.exception import MissingParameter
+from oidcmsg.exception import MissingRequiredAttribute
 from oidcmsg.message import Message
 
 from oidcrp.service import Service
@@ -32,7 +33,9 @@ def pick_redirect_uri(context,
     if 'redirect_uri' in request_args:
         return request_args["redirect_uri"]
 
-    if context.callback:
+    if context.redirect_uris:
+        redirect_uri = context.redirect_uris[0]
+    elif context.callback:
         if not response_type:
             _conf_resp_types = context.behaviour.get('response_types', [])
             response_type = request_args.get('response_type')
@@ -52,7 +55,8 @@ def pick_redirect_uri(context,
             f"pick_redirect_uris: response_type={response_type}, response_mode={_response_mode}, "
             f"redirect_uri={redirect_uri}")
     else:
-        redirect_uri = context.redirect_uris[0]
+        logger.error("No redirect_uri")
+        raise MissingRequiredAttribute('redirect_uri')
 
     return redirect_uri
 
 
@@ -1,5 +1,9 @@
+import hashlib
 import logging
+from typing import List
+from typing import Optional
 
+from cryptojwt.utils import as_bytes
 from oidcmsg import oidc
 from oidcmsg.oauth2 import ResponseMessage
 
@@ -37,19 +41,133 @@ def response_types_to_grant_types(response_types):
     return list(_res)
 
 
-def add_request_uri(request_args=None, service=None, **kwargs):
-    _context = service.client_get("service_context")
-    if _context.requests_dir:
-        _pi = _context.provider_info
-        if _pi:
-            _req = _pi.get('require_request_uri_registration', False)
-            if _req is True:
-                request_args['request_uris'] = _context.generate_request_uris(_context.requests_dir)
+def create_callbacks(issuer: str,
+                     hash_seed: str,
+                     base_url: str,
+                     code: Optional[bool] = False,
+                     implicit: Optional[bool] = False,
+                     form_post: Optional[bool] = False,
+                     request_uris: Optional[bool] = False,
+                     backchannel_logout_uri: Optional[bool] = False,
+                     frontchannel_logout_uri: Optional[bool] = False):
+    """
+    To mitigate some security issues the redirect_uris should be OP/AS
+    specific. This method creates a set of redirect_uris unique to the
+    OP/AS.
+
+    :param frontchannel_logout_uri: Whether a front-channel logout uri should be constructed
+    :param backchannel_logout_uri: Whether a back-channel logout uri should be constructed
+    :param request_uri: Whether a request_uri should be constructed
+    :param issuer: Issuer ID
+    :return: A set of redirect_uris
+    """
+    _hash = hashlib.sha256()
+    _hash.update(hash_seed)
+    _hash.update(as_bytes(issuer))
+    _hex = _hash.hexdigest()
+
+    res = {'__hex': _hex}
+
+    if code:
+        res['code'] = f"{base_url}/authz_cb/{_hex}"
+
+    if implicit:
+        res['implicit'] = f"{base_url}/authz_im_cb/{_hex}"
+
+    if form_post:
+        res['form_post'] = f"{base_url}/authz_fp_cb/{_hex}"
+
+    if request_uris:
+        res["request_uris"] = f"{base_url}/req_uri/{_hex}"
+
+    if backchannel_logout_uri or frontchannel_logout_uri:
+        res["post_logout_redirect_uris"] = f"{base_url}/session_logout/{_hex}"
+
+    if backchannel_logout_uri:
+        res["backchannel_logout_uri"] = f"{base_url}/bc_logout/{_hex}"
+
+    if frontchannel_logout_uri:
+        res["frontchannel_logout_uri"] = f"{base_url}/fc_logout/{_hex}"
+
+    logger.debug(f"Created callback URIs: {res}")
+    return res
+
+
+def _cmp(a, b):
+    if b is None:  # Don't care about the value as long as there is one
+        return True
+    elif isinstance(a, str) and a == b:
+        return True
+    elif isinstance(a, list) and b in a:
+        return True
+
+    return a == b
 
-    return request_args, {}
 
+def _in_config_or_client_preferences(config, attr, val):
+    _val = config.get("client_preferences", {}).get(attr)
+    if _cmp(_val, val):
+        return True
+    _val = config.get(attr)
+    return _cmp(_val, val)
 
-def add_post_logout_redirect_uris(request_args=None, service=None, **kwargs):
+
+def add_callbacks(context, ignore: Optional[List[str]] = None):
+    if ignore is None:
+        ignore = []
+    _iss = context.get('issuer')
+
+    _uris = {}
+
+    _pi = context.get('provider_info')
+    _cp = context.config.get("client_preferences")
+
+    if "redirect_uris" not in ignore:
+        # code and/or implicit
+        if _in_config_or_client_preferences(context.config, "response_types", "code"):
+            _uris['code'] = True
+        for rt in ["id_token", "id_token token", "code id_token token", "code idtoken",
+                   "code token"]:
+            if _in_config_or_client_preferences(context.config, "response_types", rt):
+                _uris["implicit"] = True
+                break
+
+    if "form_post" not in ignore:
+        if _in_config_or_client_preferences(context.config, "form_post_usable", True):
+            _uris["form_post"] = True
+
+    if "request_uris" not in ignore:
+        if 'require_request_uri_registration' in _pi and _in_config_or_client_preferences(
+                context.config, "request_uri_usable", True):
+            _uris['request_uris'] = True
+
+    if "frontchannel_logout_uri" not in ignore:
+        if 'frontchannel_logout_supported' in _pi and _in_config_or_client_preferences(
+                context.config, "frontchannel_logout_usable", True):
+            _uris["frontchannel_logout_uri"] = True
+
+    if "backchannel_logout_uri" not in ignore:
+        if 'backchannel_logout_supported' in _pi and _in_config_or_client_preferences(
+                context.config, "backchannel_logout_usable", True):
+            _uris["backchannel_logout_uri"] = True
+
+    callbacks = create_callbacks(_iss,
+                                 hash_seed=context.get('hash_seed'),
+                                 base_url=context.get("base_url"),
+                                 **_uris)
+    context.hash2issuer[callbacks['__hex']] = _iss
+
+    if "redirect_uris" not in ignore:
+        _redirect_uris = [v for k, v in callbacks.items() if k in ["code", "implicit", "form_post"]]
+        callbacks["redirect_uris"] = _redirect_uris
+    context.set('callback', callbacks)
+
+
+CALLBACK_URIS = ["post_logout_redirect_uris", "backchannel_logout_uri", "frontchannel_logout_uri",
+                 "request_uris", 'redirect_uris']
+
+
+def add_callback_uris(request_args=None, service=None, **kwargs):
     """
 
     :param request_args:
@@ -59,10 +177,17 @@ def add_post_logout_redirect_uris(request_args=None, service=None, **kwargs):
     :return:
     """
 
-    if "post_logout_redirect_uris" not in request_args:
-        _uris = service.client_get("service_context").register_args.get("post_logout_redirect_uris")
-        if _uris:
-            request_args["post_logout_redirect_uris"] = _uris
+    _context = service.client_get("service_context")
+    _ignore = [k for k in list(request_args.keys()) if k in CALLBACK_URIS]
+    add_callbacks(_context, ignore=_ignore)
+    for _key in CALLBACK_URIS:
+        _req_val = request_args.get(_key)
+        if not _req_val:
+            _uri = _context.register_args.get(_key)
+            if _uri is None:
+                _uri = _context.callback.get(_key)
+            if _uri:
+                request_args[_key] = _uri
 
     return request_args, {}
 
@@ -107,8 +232,8 @@ def __init__(self, client_get, client_authn_factory=None, conf=None):
                          client_authn_factory=client_authn_factory,
                          conf=conf)
         self.pre_construct = [self.add_client_behaviour_preference,
-                              add_redirect_uris, add_request_uri,
-                              add_post_logout_redirect_uris,
+                              #add_redirect_uris,
+                              add_callback_uris,
                               add_jwks_uri_or_jwks]
         self.post_construct = [self.oidc_post_construct]
 
 
@@ -1,4 +1,3 @@
-import hashlib
 import logging
 import sys
 import traceback
@@ -29,6 +28,8 @@
 from .exception import OidcServiceError
 from .oauth2 import Client
 from .oauth2.utils import pick_redirect_uri
+from .oidc.registration import CALLBACK_URIS
+from .oidc.registration import add_callbacks
 from .util import add_path
 from .util import dynamic_provider_info_discovery
 from .util import load_registration_response
@@ -237,33 +238,10 @@ def do_provider_info(self, client=None, state='', behaviour_args=None):
             except KeyError:
                 return _context.get('issuer')
 
-    def add_callbacks(self, context):
-        _iss = context.get('issuer')
-        # Create the necessary callback URLs
-        # as a side effect self.hash2issuer is set
-        _extra_uris = {
-            "request_uri": False,
-            "backchannel_logout_uri": False,
-            "frontchannel_logout_uri": False
-        }
-        _pi = context.get('provider_info')
-        _cp = context.config.get("client_preferences")
-        if 'require_request_uri_registration' in _pi and "request_uri_usable" in _cp:
-            _extra_uris['request_uri'] = True
-        if 'frontchannel_logout_supported' in _pi and "frontchannel_logout_usable" in _cp:
-            _extra_uris["frontchannel_logout_uri"] = True
-        if 'backchannel_logout_supported' in _pi and "backchannel_logout_usable" in _cp:
-            _extra_uris["backchannel_logout_uri"] = True
-
-        callbacks = self.create_callbacks(_iss, **_extra_uris)
-
-        context.set('redirect_uris', [
-            v for k, v in callbacks.items() if not k.startswith('__')])
-        context.set('callback', callbacks)
-
     def do_client_registration(self, client=None,
                                iss_id: Optional[str] = '',
                                state: Optional[str] = '',
+                               request_args: Optional[dict] = None,
                                behaviour_args: Optional[dict] = None):
         """
         Prepare for and do client registration if configured to do so
@@ -289,14 +267,19 @@ def do_client_registration(self, client=None,
             _context.post_logout_redirect_uris = [self.base_url]
 
         if not _context.client_id:  # means I have to do dynamic client registration
-            if not _context.get('redirect_uris'):
-                self.add_callbacks(_context)
+            if request_args is None:
+                request_args = {}
 
             if behaviour_args:
                 _params = RegistrationRequest().parameters()
-                request_args = {k: v for k, v in behaviour_args.items() if k in _params}
-            else:
-                request_args = {}
+                request_args.update({k: v for k, v in behaviour_args.items() if k in _params})
+
+            # _ignore = [k for k in list(request_args.keys()) if k in CALLBACK_URIS]
+            # if _context.get('redirect_uris'):
+            #     if 'redirect_uris' not in _ignore:
+            #         _ignore.append('redirect_uris')
+            #
+            # add_callbacks(_context, _ignore)
 
             load_registration_response(client, request_args=request_args)
 
@@ -358,43 +341,43 @@ def client_setup(self, iss_id='', user='', behaviour_args=None):
         self.issuer2rp[issuer] = client
         return client
 
-    def create_callbacks(self, issuer, request_uri=False, backchannel_logout_uri=False,
-                         frontchannel_logout_uri=False):
-        """
-        To mitigate some security issues the redirect_uris should be OP/AS
-        specific. This method creates a set of redirect_uris unique to the
-        OP/AS.
-
-        :param frontchannel_logout_uri: Whether a front-channel logout uri should be constructed
-        :param backchannel_logout_uri: Whether a back-channel logout uri should be constructed
-        :param request_uri: Whether a request_uri should be constructed
-        :param issuer: Issuer ID
-        :return: A set of redirect_uris
-        """
-        _hash = hashlib.sha256()
-        _hash.update(self.hash_seed)
-        _hash.update(as_bytes(issuer))
-        _hex = _hash.hexdigest()
-        self.hash2issuer[_hex] = issuer
-        res = {
-            'code': "{}/authz_cb/{}".format(self.base_url, _hex),
-            'implicit': "{}/authz_im_cb/{}".format(self.base_url, _hex),
-            'form_post': "{}/authz_fp_cb/{}".format(self.base_url, _hex),
-            '__hex': _hex
-        }
-        if request_uri:
-            res["request_uri"] = f"{self.base_url}/req_uri/{_hex}"
-
-        if backchannel_logout_uri or frontchannel_logout_uri:
-            res["post_logout_redirect_uris"] = f"{self.base_url}/session_logout/{_hex}"
-
-        if backchannel_logout_uri:
-            res["backchannel_logout_uri"] = f"{self.base_url}/bc_logout/{_hex}"
-        if frontchannel_logout_uri:
-            res["frontchannel_logout_uri"] = f"{self.base_url}/fc_logout/{_hex}"
-
-        logger.debug(f"Created callback URIs: {res}")
-        return res
+    # def create_callbacks(self, issuer, request_uri=False, backchannel_logout_uri=False,
+    #                      frontchannel_logout_uri=False):
+    #     """
+    #     To mitigate some security issues the redirect_uris should be OP/AS
+    #     specific. This method creates a set of redirect_uris unique to the
+    #     OP/AS.
+    #
+    #     :param frontchannel_logout_uri: Whether a front-channel logout uri should be constructed
+    #     :param backchannel_logout_uri: Whether a back-channel logout uri should be constructed
+    #     :param request_uri: Whether a request_uri should be constructed
+    #     :param issuer: Issuer ID
+    #     :return: A set of redirect_uris
+    #     """
+    #     _hash = hashlib.sha256()
+    #     _hash.update(self.hash_seed)
+    #     _hash.update(as_bytes(issuer))
+    #     _hex = _hash.hexdigest()
+    #     self.hash2issuer[_hex] = issuer
+    #     res = {
+    #         'code': "{}/authz_cb/{}".format(self.base_url, _hex),
+    #         'implicit': "{}/authz_im_cb/{}".format(self.base_url, _hex),
+    #         'form_post': "{}/authz_fp_cb/{}".format(self.base_url, _hex),
+    #         '__hex': _hex
+    #     }
+    #     if request_uri:
+    #         res["request_uri"] = f"{self.base_url}/req_uri/{_hex}"
+    #
+    #     if backchannel_logout_uri or frontchannel_logout_uri:
+    #         res["post_logout_redirect_uris"] = f"{self.base_url}/session_logout/{_hex}"
+    #
+    #     if backchannel_logout_uri:
+    #         res["backchannel_logout_uri"] = f"{self.base_url}/bc_logout/{_hex}"
+    #     if frontchannel_logout_uri:
+    #         res["frontchannel_logout_uri"] = f"{self.base_url}/fc_logout/{_hex}"
+    #
+    #     logger.debug(f"Created callback URIs: {res}")
+    #     return res
 
     def _get_response_type(self, context, req_args: Optional[dict] = None):
         if req_args: