
Commit b88dff6

authored
Merge pull request #76 from IdentityPython/find_scope
Find scope
2 parents 2f1b388 + 184fad7 commit b88dff6

4 files changed

Lines changed: 102 additions & 6 deletions


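--- a/src/oidcop/oauth2/introspection.py
+++ b/src/oidcop/oauth2/introspection.py
@@ -34,7 +34,10 @@ def _introspect(self, token, client_id, grant):
 
 scope = token.scope
 if not scope:
-scope = grant.scope
+if token.based_on:
+scope = grant.find_scope(token.based_on)
+else:
+scope = grant.scope
 aud = token.resources
 if not aud:
 aud = grant.resources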
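Review bot: The `if not scope:` guard above the new branch still treats an explicitly empty scope as "unset" and widens it to the parent token's or the grant's scope, which is inconsistent with this same commit changing `payload_arguments` from `if not scope:` to `if scope is None:`; a token minted with `scope=[]` appears to be introspected as carrying the full ancestor scope. If the token classes default `scope` to `None` rather than `[]` (not visible here), `if scope is None:` on this line would make introspection report exactly what was minted and fail closed. Separately, `grant.find_scope` returns `grant.scope` when `token.based_on` is a reference it cannot resolve, so a dangling reference is reported with the widest scope; at minimum a comment such as `# NOTE: find_scope falls back to the grant's full scope if the based_on chain cannot be resolved` should make that visible. `_introspect` starts before this hunk.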

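--- a/src/oidcop/session/grant.py
+++ b/src/oidcop/session/grant.py
@@ -175,6 +175,19 @@ def get(self) -> object:
 resources=self.resources,
 )
 
+def find_scope(self, based_on):
+if isinstance(based_on, str):
+based_on = self.get_token(based_on)
+
+if based_on:
+if based_on.scope:
+return based_on.scope
+
+if based_on.based_on:
+return self.find_scope(based_on.based_on)
+
+return self.scope
+
 def payload_arguments(
 self,
 session_id: str,
@@ -187,7 +200,7 @@ def payload_arguments(
 
 :return: dictionary containing information to place in a token value
 """
-if not scope:
+if scope is None:
 scope = self.scope
 
 payload = {"scope": scope, "aud": self.resources, "jti": uuid1().hex}
@@ -260,6 +273,12 @@ def mint_token(
 handler_args = {}
 
 if token_class:
+if scope is None:
+if based_on:
+scope = self.find_scope(based_on)
+else:
+scope = self.scope
+
 item = token_class(
 type=token_type,
 based_on=_base_on_ref,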
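Review bot: `find_scope` fails open: when the string reference passed as `based_on` is not found by `self.get_token`, the `if based_on:` test is skipped and the method silently returns `self.scope`, the grant's full scope, so a dangling or cross-grant reference yields the widest possible scope for both `mint_token` and introspection instead of an error. It also recurses through `based_on.based_on` with no cycle guard, so a corrupted or looping token chain would surface as a `RecursionError` from inside `mint_token`. I would resolve each reference first, distinguish "not found" from "no parent", and walk the chain iteratively with a visited set, as sketched below (raising the project's own error type if one exists; the fallback to `self.scope` is kept only for a chain that genuinely ends). The method also lacks a docstring stating the precedence (nearest ancestor that carries a scope, then the grant). `payload_arguments` and `mint_token` extend outside their hunks.
```python
    def find_scope(self, based_on):
        """Return the scope that applies to a token minted from *based_on*.

        Precedence: the nearest token in the based_on chain that carries a
        scope, otherwise the grant's own scope. A reference that cannot be
        resolved, or a chain that loops, raises instead of widening.
        """
        seen = set()
        token = based_on
        while token:
            if isinstance(token, str):
                if token in seen:
                    raise ValueError("loop in token based_on chain")
                seen.add(token)
                token = self.get_token(token)
                if not token:
                    raise KeyError("unresolvable token reference in based_on chain")
                continue
            if token.scope:
                return token.scope
            token = token.based_on
        return self.scope
```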

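--- a/tests/test_01_grant.py
+++ b/tests/test_01_grant.py
@@ -438,3 +438,73 @@ def test_get_usage_rules(self):
 
 # client specific usage rules
 self.endpoint_context.cdb["client_id"] = {"access_token": {"expires_in": 600}}
+
+def test_assigned_scope(self):
+session_id = self._create_session(AREQ)
+session_info = self.endpoint_context.session_manager.get_session_info(
+session_id=session_id, grant=True
+)
+grant = session_info["grant"]
+code = grant.mint_token(
+session_id,
+endpoint_context=self.endpoint_context,
+token_type="authorization_code",
+token_handler=TOKEN_HANDLER["authorization_code"],
+)
+
+code.scope = ["openid", "email"]
+
+access_token = grant.mint_token(
+session_id,
+endpoint_context=self.endpoint_context,
+token_type="access_token",
+token_handler=TOKEN_HANDLER["access_token"],
+based_on=code,
+)
+
+assert access_token.scope == code.scope
+
+def test_assigned_scope_2nd(self):
+session_id = self._create_session(AREQ)
+session_info = self.endpoint_context.session_manager.get_session_info(
+session_id=session_id, grant=True
+)
+grant = session_info["grant"]
+code = grant.mint_token(
+session_id,
+endpoint_context=self.endpoint_context,
+token_type="authorization_code",
+token_handler=TOKEN_HANDLER["authorization_code"],
+)
+
+code.scope = ["openid", "email"]
+
+refresh_token = grant.mint_token(
+session_id,
+endpoint_context=self.endpoint_context,
+token_type="refresh_token",
+token_handler=TOKEN_HANDLER["refresh_token"],
+based_on=code,
+)
+
+access_token = grant.mint_token(
+session_id,
+endpoint_context=self.endpoint_context,
+token_type="access_token",
+token_handler=TOKEN_HANDLER["access_token"],
+based_on=refresh_token,
+)
+
+assert access_token.scope == code.scope
+
+refresh_token.scope = ["openid", "xyz"]
+
+access_token = grant.mint_token(
+session_id,
+endpoint_context=self.endpoint_context,
+token_type="access_token",
+token_handler=TOKEN_HANDLER["access_token"],
+based_on=refresh_token,
+)
+
+assert access_token.scope == refresh_token.scope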
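Review bot: Both new tests only cover inheritance when no `scope` is passed to `mint_token`; nothing exercises the other half of this commit, the `if not scope:` → `if scope is None:` change in `payload_arguments`, nor the rule visible in `mint_token` that an explicit `scope=` argument takes precedence over `based_on`. I would add a case that mints with `based_on=code, scope=[]` and asserts `access_token.scope == []`, and one with `scope=["openid"]` asserting the explicit value is kept, so a regression back to truthiness (which silently widens an empty scope to the grant's) is caught. The tests also set `code.scope` and `refresh_token.scope` by mutation after minting rather than via `scope=`; a comment such as `# assign the parent's scope after minting so only based_on inheritance is under test` would record that this is deliberate.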

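--- a/tests/test_36_oauth2_token_exchange.py
+++ b/tests/test_36_oauth2_token_exchange.py
@@ -197,14 +197,15 @@ def _mint_code(self, grant, session_id):
 token_handler=self.session_manager.token_handler["code"],
 )
 
-def _mint_access_token(self, grant, session_id, token_ref=None, resources=None):
+def _mint_access_token(self, grant, session_id, token_ref=None, resources=None, scope=None):
 return grant.mint_token(
 session_id=session_id,
 endpoint_context=self.endpoint.server_get("endpoint_context"),
 token_type="access_token",
 token_handler=self.session_manager.token_handler["access_token"],
 based_on=token_ref,
 resources=resources,
+scope=scope
 )
 
 def exchange_grant(self, session_id, users, targets, scope):
@@ -257,15 +258,19 @@ def test_do_response(self):
 assert exch_grants
 exch_grant = exch_grants[0]
 
-session_info = self.session_manager.get_session_info_by_token(ter["subject_token"])
+session_info = self.session_manager.get_session_info_by_token(ter["subject_token"],
+grant=True)
 _token = self.session_manager.find_token(session_info["session_id"], ter["subject_token"])
 
 session_id = self.session_manager.encrypted_session_id(
 session_info["user_id"], session_info["client_id"], exch_grant.id
 )
 
+_scope = session_info["grant"].find_scope(ter["subject_token"])
+
 _token = self._mint_access_token(
 exch_grant, session_id, token_ref=_token, resources=["https://backend.example.com"],
+scope=_scope
 )
 
 print(_token.value)
@@ -274,8 +279,7 @@ def test_do_response(self):
 "token": _token.value,
 "client_id": "client_1",
 "client_secret": self.introspection_endpoint.server_get("endpoint_context").cdb[
-"client_1"
-]["client_secret"],
+"client_1"]["client_secret"],
 }
 )
 _resp = self.introspection_endpoint.process_request(_req)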
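Review bot: The new `_scope` is computed on `session_info["grant"]`, the subject token's grant, and passed explicitly because `Grant.find_scope` resolves string `based_on` references with `self.get_token`, i.e. against the grant it is called on; if the subject token itself carried no scope, letting `exch_grant.mint_token` derive it would follow the chain into the wrong grant and fall back to `exch_grant.scope`. That reasoning belongs in a comment above the `_scope = ...` line, e.g. `# resolve the scope in the subject token's own grant; exch_grant cannot follow based_on across grants`. The visible part of the test only prints the minted token and introspects it; I would add `assert _token.scope == _scope` right after `_mint_access_token` returns so the exchanged token is shown to carry exactly the subject token's scope. `test_do_response` continues outside this hunk.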
