For debugging purpose nice to know what was put in the ID Token and also what was in a received ID Token.

Author: rohe

example/flask_op/views.py

@@ -32,6 +32,7 @@ def _add_cookie(resp, cookie_spec):
               for k,v in cookie_spec.items()
               if k not in ('name',)}
     kwargs["path"] = "/"
+    kwargs["samesite"] = "Lax"
     resp.set_cookie(cookie_spec["name"], **kwargs)
 
 

requirements.txt

@@ -1,4 +1,4 @@
-oidcmsg>=1.3.0
+oidcmsg>=1.4.0
 pyyaml
 jinja2>=2.11.3
 responses>=0.13.0

src/oidcop/token/id_token.py

@@ -134,6 +134,7 @@ def payload(
             self, session_id, alg="RS256", code=None, access_token=None, extra_claims=None,
     ):
         """
+        Collect payload for the ID Token.
 
         :param session_id: Session identifier
         :param alg: Which signing algorithm to use for the IdToken
@@ -197,6 +198,8 @@ def payload(
             except KeyError:
                 pass
 
+        logger.debug(f"Constructed ID Token payload: {_args}")
+
         return _args
 
     def sign_encrypt(
@@ -297,6 +300,8 @@ def info(self, token):
         except JWSException:
             raise UnknownToken()
 
+        logger.debug(f"Received ID Token payload: {_payload}")
+
         if is_expired(_payload["exp"]):
             raise ToOld("Token has expired")
         # All the token metadata

tests/test_05_id_token.py

@@ -609,3 +609,20 @@ def test_id_token_acr_claim(self):
         _jwt = factory(id_token.value)
         _id_token_content = _jwt.jwt.payload()
         assert _id_token_content["acr"] == "https://refeds.org/profile/mfa"
+
+    def test_id_token_acr_none(self):
+        _req = AREQS.copy()
+        _req["claims"] = {"id_token": {"acr": None}}
+
+        session_id = self._create_session(_req,authn_info="https://refeds.org/profile/mfa")
+        grant = self.session_manager[session_id]
+        code = self._mint_code(grant, session_id)
+        access_token = self._mint_access_token(grant, session_id, code)
+
+        id_token = self._mint_id_token(
+            grant, session_id, token_ref=code, access_token=access_token.value
+        )
+
+        _jwt = factory(id_token.value)
+        _id_token_content = _jwt.jwt.payload()
+        assert _id_token_content["acr"] == "https://refeds.org/profile/mfa"