Merge pull request #117 from nsklikas/feature-jwt-access-lifetime

peppelinux · web-flow · commit 7bbde28d860f · 2021-09-03T01:54:05.000+02:00
Fix JWT access token lifetime
diff --git a/src/oidcop/session/grant.py b/src/oidcop/session/grant.py
@@ -316,7 +316,9 @@ def mint_token(
                 scope=scope,
                 extra_payload=handler_args,
             )
-            item.value = token_handler(session_id=session_id, **token_payload)
+            item.value = token_handler(
+                session_id=session_id, usage_rules=usage_rules, **token_payload
+            )
 
         else:
             raise ValueError("Can not mint that kind of token")
diff --git a/src/oidcop/token/id_token.py b/src/oidcop/token/id_token.py
@@ -267,6 +267,7 @@ def __call__(
         encrypt=False,
         code=None,
         access_token=None,
+        usage_rules: Optional[dict] = None,
         **kwargs,
     ) -> str:
         _context = self.server_get("endpoint_context")
diff --git a/src/oidcop/token/jwt_token.py b/src/oidcop/token/jwt_token.py
@@ -48,8 +48,13 @@ def load_custom_claims(self, payload: dict = None):
         # inherit me and do your things here
         return payload
 
-    def __call__(self, session_id: Optional[str] = "", token_class: Optional[str] = "",
-                 **payload) -> str:
+    def __call__(
+        self,
+        session_id: Optional[str] = "",
+        token_class: Optional[str] = "",
+        usage_rules: Optional[dict] = None,
+        **payload
+    ) -> str:
 
         """
         Return a token.
@@ -70,8 +75,15 @@ def __call__(self, session_id: Optional[str] = "", token_class: Optional[str] =
 
         # payload.update(kwargs)
         _context = self.server_get("endpoint_context")
+        if usage_rules and "expires_in" in usage_rules:
+            lifetime = usage_rules.get("expires_in")
+        else:
+            lifetime = self.lifetime
         signer = JWT(
-            key_jar=_context.keyjar, iss=self.issuer, lifetime=self.lifetime, sign_alg=self.alg,
+            key_jar=_context.keyjar,
+            iss=self.issuer,
+            lifetime=lifetime,
+            sign_alg=self.alg,
         )
 
         return signer.pack(payload)
diff --git a/tests/test_35_oidc_token_endpoint.py b/tests/test_35_oidc_token_endpoint.py
@@ -816,6 +816,26 @@ def test_configure_grant_types(self):
         assert "access_token" in self.token_endpoint.helper
         assert "refresh_token" not in self.token_endpoint.helper
 
+    def test_access_token_lifetime(self):
+        lifetime = 100
+        session_id = self._create_session(AUTH_REQ)
+        grant = self.session_manager[session_id]
+        code = self._mint_code(grant, AUTH_REQ["client_id"])
+        grant.usage_rules["access_token"] = {"expires_in": lifetime}
+
+        _token_request = TOKEN_REQ_DICT.copy()
+        _token_request["code"] = code.value
+        _req = self.token_endpoint.parse_request(_token_request)
+        _resp = self.token_endpoint.process_request(request=_req)
+
+        access_token = AccessTokenRequest().from_jwt(
+            _resp["response_args"]["access_token"],
+            self.endpoint_context.keyjar,
+            sender="",
+        )
+
+        assert access_token["exp"] - access_token["iat"] == lifetime
+
 
 class TestOldTokens(object):
     @pytest.fixture(autouse=True)
