Properly handle id token introsprection

Author: nsklikas

src/oidcop/oauth2/introspection.py

@@ -6,6 +6,7 @@
 
 from oidcop.endpoint import Endpoint
 from oidcop.token.exception import UnknownToken
+from oidcop.token.exception import WrongTokenClass
 
 LOGGER = logging.getLogger(__name__)
 
@@ -94,7 +95,7 @@ def process_request(self, request=None, release: Optional[list] = None, **kwargs
             _session_info = _context.session_manager.get_session_info_by_token(
                 request_token, grant=True
             )
-        except UnknownToken:
+        except (UnknownToken, WrongTokenClass):
             return {"response_args": _resp}
 
         grant = _session_info["grant"]

src/oidcop/session/manager.py

@@ -18,6 +18,7 @@
 from .info import ClientSessionInfo
 from .info import UserSessionInfo
 from ..token import UnknownToken
+from ..token import WrongTokenClass
 from ..token.handler import TokenHandler
 
 logger = logging.getLogger(__name__)
@@ -457,16 +458,20 @@ def get_session_info_by_token(
         authorization_request: bool = False,
     ) -> dict:
         _token_info = self.token_handler.info(token_value)
-        sid = _token_info["sid"]
-        session_info = self.get_session_info(
+        sid = _token_info.get("sid")
+        # If the token is an ID Token then the sid will not be in the
+        # _token_info
+        if not sid:
+            raise WrongTokenClass
+
+        return self.get_session_info(
             sid,
             user_session_info=user_session_info,
             client_session_info=client_session_info,
             grant=grant,
             authentication_event=authentication_event,
             authorization_request=authorization_request,
         )
-        return session_info
 
     def get_session_id_by_token(self, token_value: str) -> str:
         _token_info = self.token_handler.info(token_value)

tests/test_31_oauth2_introspection.py

@@ -115,6 +115,9 @@ def create_endpoint(self, jwt_token):
                     "class": "oidcop.token.jwt_token.JWTToken",
                     "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],},
                 },
+                "id_token": {
+                    "class": "oidcop.token.id_token.IDToken",
+                }
             },
             "endpoint": {
                 "authorization": {
@@ -469,3 +472,22 @@ def test_revoked_access_token(self):
         )
         _resp = self.introspection_endpoint.process_request(_req)
         assert _resp["response_args"]["active"] is False
+
+    def test_introspect_id_token(self):
+        session_id = self._create_session(AUTH_REQ)
+        grant = self.token_endpoint.server_get("endpoint_context").authz(session_id, AUTH_REQ)
+        self.session_manager[session_id] = grant
+        code = self._mint_token("authorization_code", grant, session_id)
+        id_token = self._mint_token("id_token", grant, session_id, code)
+
+        _context = self.introspection_endpoint.server_get("endpoint_context")
+        _req = self.introspection_endpoint.parse_request(
+            {
+                "token": id_token.value,
+                "client_id": "client_1",
+                "client_secret": _context.cdb["client_1"]["client_secret"],
+            }
+        )
+        _resp = self.introspection_endpoint.process_request(_req)
+
+        assert _resp["response_args"]["active"] is False