
Commit ee87c96

committed
Fix bugs with refresh tokens
1 parent fca92e7 commit ee87c96

4 files changed

Lines changed: 12 additions & 9 deletions


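--- a/src/oidcop/oauth2/token.py
+++ b/src/oidcop/oauth2/token.py
@@ -253,7 +253,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
 _resp = {
 "access_token": access_token.value,
 "token_type": access_token.token_type,
-"scope": _grant.scope,
+"scope": scope,
 }
 
 if access_token.expires_at:
@@ -318,7 +318,7 @@ def post_parse_request(
 if "scope" in request:
 req_scopes = set(request["scope"])
 scopes = set(grant.find_scope(token.based_on))
-if scopes < req_scopes:
+if not req_scopes.issubset(scopes):
 return self.error_cls(
 error="invalid_request",
 error_description="Invalid refresh scopes",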
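Review bot: The rejection branch still answers `error="invalid_request"` when a refresh request asks for scope beyond the original grant, but RFC 6749 §5.2 defines `invalid_scope` for exactly that case ("exceeds the scope granted by the resource owner"), and a client can only tell a malformed request from an over-reach by that code. I would change the two lines to `error="invalid_scope",` and `error_description="Requested scope exceeds the scope of the original grant",`. Note also that an empty `scope` list passes the subset check trivially, and what `scope` then resolves to for the `_resp` dict is bound outside the hunk, so it is worth confirming it falls back to the grant's scope rather than issuing an access token with no scope. Both `process_request` and `post_parse_request` start and end outside the visible hunks.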

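--- a/src/oidcop/oidc/token.py
+++ b/src/oidcop/oidc/token.py
@@ -218,7 +218,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
 _resp = {
 "access_token": access_token.value,
 "token_type": token_type,
-"scope": _grant.scope,
+"scope": scope,
 }
 
 if access_token.expires_at:
@@ -307,7 +307,7 @@ def post_parse_request(
 if "scope" in request:
 req_scopes = set(request["scope"])
 scopes = set(grant.find_scope(token.based_on))
-if scopes < req_scopes:
+if not req_scopes.issubset(scopes):
 return self.error_cls(
 error="invalid_request",
 error_description="Invalid refresh scopes",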
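Review bot: The subset check in `post_parse_request` and the `"scope": scope` response line are byte-for-byte the same as in `src/oidcop/oauth2/token.py`, and this security-relevant comparison had to be fixed in both copies in the same commit; that duplication is the style point I would raise. Lifting the check into one shared helper, e.g. a module-level `_refresh_scope_allowed(grant, token, requested)` returning a bool, would keep the OIDC endpoint from drifting from the OAuth2 one again. As in the OAuth2 file, `error="invalid_scope",` is the RFC 6749 §5.2 code for scope that exceeds the original grant and would be more accurate than `invalid_request` here. Both enclosing methods continue outside the hunk, so the assignment of `scope` used in `_resp` is not visible here.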

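--- a/tests/test_24_oauth2_token_endpoint.py
+++ b/tests/test_24_oauth2_token_endpoint.py
@@ -458,7 +458,7 @@ def test_refresh_scopes(self):
 _session_info["session_id"], _resp["response_args"]["refresh_token"]
 )
 
-assert at.scope == rt.scope == _request["scope"]
+assert at.scope == rt.scope == _request["scope"] == _resp["response_args"]["scope"]
 
 def test_refresh_more_scopes(self):
 areq = AUTH_REQ.copy()
@@ -475,7 +475,7 @@ def test_refresh_more_scopes(self):
 
 _request = REFRESH_TOKEN_REQ.copy()
 _request["refresh_token"] = _resp["response_args"]["refresh_token"]
-_request["scope"] = ["email", "profile"]
+_request["scope"] = ["ema"]
 
 _req = self.token_endpoint.parse_request(_request.to_json())
 assert isinstance(_req, TokenErrorResponse)
@@ -534,7 +534,7 @@ def test_refresh_more_scopes_2(self):
 _session_info["session_id"], _resp["response_args"]["refresh_token"]
 )
 
-assert at.scope == rt.scope == _request["scope"]
+assert at.scope == rt.scope == _request["scope"] == _resp["response_args"]["scope"]
 
 def test_do_refresh_access_token_not_allowed(self):
 areq = AUTH_REQ.copy()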
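Review bot: Replacing `["email", "profile"]` with `["ema"]` in `test_refresh_more_scopes` drops the input that presumably was the strict-superset case the test's name describes, and keeps only the unknown-scope case that the old `scopes < req_scopes` comparison let through. The two inputs exercise different failure modes of the replaced comparison, so I would keep both, e.g. iterate over `[["email", "profile"], ["ema"]]` and assert an error response for each, or add a sibling test named for the unknown-scope case. The check also stops at `isinstance(_req, TokenErrorResponse)`; pinning the code with `assert _req["error"] == "invalid_request"` would catch a regression that rejects for the wrong reason. The test methods in these hunks begin and end outside the visible lines.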

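--- a/tests/test_35_oidc_token_endpoint.py
+++ b/tests/test_35_oidc_token_endpoint.py
@@ -485,7 +485,7 @@ def test_refresh_scopes(self):
 _session_info["session_id"], _resp["response_args"]["refresh_token"]
 )
 
-assert at.scope == rt.scope == _request["scope"]
+assert at.scope == rt.scope == _request["scope"] == _resp["response_args"]["scope"]
 
 def test_refresh_more_scopes(self):
 areq = AUTH_REQ.copy()
@@ -590,7 +590,7 @@ def test_refresh_more_scopes_2(self):
 _session_info["session_id"], _resp["response_args"]["refresh_token"]
 )
 
-assert at.scope == rt.scope == _request["scope"]
+assert at.scope == rt.scope == _request["scope"] == _resp["response_args"]["scope"]
 
 def test_refresh_less_scopes(self):
 areq = AUTH_REQ.copy()
@@ -635,6 +635,7 @@ def test_refresh_less_scopes(self):
 )
 
 assert "email" not in idtoken
+assert _resp["response_args"]["scope"] == ["openid", "offline_access"]
 
 def test_refresh_no_openid_scope(self):
 areq = AUTH_REQ.copy()
@@ -673,6 +674,7 @@ def test_refresh_no_openid_scope(self):
 "refresh_token",
 "scope",
 }
+assert _resp["response_args"]["scope"] == ["offline_access"]
 
 def test_refresh_no_offline_access_scope(self):
 areq = AUTH_REQ.copy()
@@ -716,6 +718,7 @@ def test_refresh_no_offline_access_scope(self):
 self.endpoint_context.keyjar,
 sender="",
 )
+assert _resp["response_args"]["scope"] == ["openid"]
 
 def test_new_refresh_token(self, conf):
 self.endpoint_context.cdb["client_1"] = {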
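Review bot: The added assertions compare `_resp["response_args"]["scope"]` against exact lists such as `["openid", "offline_access"]`, so they pin element order as well as content. If `scope` in the endpoint is ever derived from the `set` objects used by the subset check in `post_parse_request` (that assignment is outside the visible hunks), the order depends on per-process string hashing and these tests become intermittently red. Comparing with `assert set(_resp["response_args"]["scope"]) == {"openid", "offline_access"}`, or sorting both sides, states the intent without weakening the check. Each test method touched here begins outside the visible lines.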
