Merge pull request #19 from ctriant/token-exchange-fixes

Token exchange related fixes

Author: rohe

doc/server/contents/conf.rst

@@ -721,7 +721,7 @@ There are two possible ways to configure Token Exchange in OIDC-OP, globally and
 For the first case the configuration is passed in the Token Exchange handler throught the
 `urn:ietf:params:oauth:grant-type:token-exchange` dictionary in token's `grant_types_supported`.
 
-If present, the token exchange configuration may contain a `policy` dictionary
+If present, the token exchange configuration should contain a `policy` dictionary
 that defines the behaviour for each subject token type. Each subject token type
 is mapped to a dictionary with the keys `callable` (mandatory), which must be a
 python callable or a string that represents the path to a python callable, and
@@ -730,7 +730,14 @@ passed to the callable.
 
 The key `""` represents a fallback policy that will be used if the subject token
 type can't be found. If a subject token type is defined in the `policy` but is
-not in the `subject_token_types_supported` list then it is ignored::
+not in the `subject_token_types_supported` list then it is ignored.
+
+The token exchange configuration should also contain a `requested_token_types_supported`
+list that defines the supported token types that can be requested through the
+`requested_token_type` parameter of a Token Exchange request. In addition, a
+default token type that will be returned in the absence of the `requested_token_type`
+in the Token Exchange request should be defined through the `default_requested_token_type`
+configuration parameter::
 
     "grant_types_supported":{
       "urn:ietf:params:oauth:grant-type:token-exchange": {

src/idpyoidc/server/oauth2/token.py

@@ -129,12 +129,15 @@ def process_request(self, request: Optional[Union[Message, dict]] = None, **kwar
         _context = self.server_get("endpoint_context")
 
         if isinstance(request, TokenExchangeRequest):
-            requested_token_type = request.get(
-                "requested_token_type",
-                self.helper["urn:ietf:params:oauth:grant-type:token-exchange"].config[
+            if "token_exchange" in _context.cdb[request["client_id"]]:
+                default_requested_token_type = _context.cdb[request["client_id"]]["token_exchange"][
                     "default_requested_token_type"
-                ],
-            )
+                ]
+            else:
+                default_requested_token_type = self.helper[
+                    "urn:ietf:params:oauth:grant-type:token-exchange"
+                ].config["default_requested_token_type"]
+            requested_token_type = request.get("requested_token_type", default_requested_token_type)
             _handler_key = TOKEN_TYPES_MAPPING[requested_token_type]
         else:
             _handler_key = "access_token"

src/idpyoidc/server/oauth2/token_helper.py

@@ -384,10 +384,6 @@ def __init__(self, endpoint, config=None):
         TokenEndpointHelper.__init__(self, endpoint=endpoint, config=config)
         if config is None:
             self.config = {
-                "subject_token_types_supported": [
-                    "urn:ietf:params:oauth:token-type:access_token",
-                    "urn:ietf:params:oauth:token-type:refresh_token",
-                ],
                 "requested_token_types_supported": [
                     "urn:ietf:params:oauth:token-type:access_token",
                     "urn:ietf:params:oauth:token-type:refresh_token",
@@ -422,6 +418,8 @@ def post_parse_request(self, request, client_id="", **kwargs):
         ) as err:
             return self.endpoint.error_cls(error="invalid_request", error_description="%s" % err)
 
+        self._validate_configuration(config)
+
         _mngr = _context.session_manager
         try:
             # token exchange is about minting one token based on another
@@ -482,11 +480,6 @@ def _enforce_policy(self, request, token, config):
             )
 
         if subject_token_type not in config["policy"]:
-            if "" not in config["policy"]:
-                raise ImproperlyConfigured(
-                    "subject_token_type {subject_token_type} missing from "
-                    "policy and no default is defined"
-                )
             subject_token_type = ""
 
         policy = config["policy"][subject_token_type]
@@ -601,6 +594,30 @@ def process_request(self, request, **kwargs):
 
         return self.token_exchange_response(token=new_token)
 
+    def _validate_configuration(self, config):
+        if "requested_token_types_supported" not in config:
+            raise ImproperlyConfigured(
+                f"Missing 'requested_token_types_supported'" "from Token Exchange configuration"
+            )
+        if "default_requested_token_type" not in config:
+            raise ImproperlyConfigured(
+                f"Missing 'default_requested_token_type'" "from Token Exchange configuration"
+            )
+        if "policy" not in config:
+            raise ImproperlyConfigured(f"Missing 'policy' from Token Exchange configuration")
+        if "" not in config["policy"]:
+            raise ImproperlyConfigured(
+                f"Default Token Exchange policy configuration is not defined"
+            )
+        if "callable" not in config["policy"][""]:
+            raise ImproperlyConfigured(
+                f"Missing 'callable' from default Token Exchange policy configuration"
+            )
+        if config["default_requested_token_type"] not in config["requested_token_types_supported"]:
+            raise ImproperlyConfigured(
+                f"Unsupported default requested_token_type {config['default_requested_token_type']}"
+            )
+        
 
 def validate_token_exchange_policy(request, context, subject_token, **kwargs):
     if "resource" in request:

tests/test_server_36_oauth2_token_exchange.py

@@ -244,9 +244,9 @@ def test_token_exchange1(self, token):
         Test that token exchange requests work correctly with only the required parameters
         present
         """
-        if list(token.keys())[0] == "refresh_token":
-            AUTH_REQ["scope"] = ["openid", "offline_access"]
         areq = AUTH_REQ.copy()
+        if list(token.keys())[0] == "refresh_token":
+            areq["scope"] = ["openid", "offline_access"]
 
         session_id = self._create_session(areq)
         grant = self.endpoint_context.authz(session_id, areq)
@@ -288,9 +288,9 @@ def test_token_exchange2(self, token):
         """
         Test that token exchange requests work correctly
         """
-        if list(token.keys())[0] == "refresh_token":
-            AUTH_REQ["scope"] = ["openid", "offline_access"]
         areq = AUTH_REQ.copy()
+        if list(token.keys())[0] == "refresh_token":
+            areq["scope"] = ["openid", "offline_access"]
 
         session_id = self._create_session(areq)
         grant = self.endpoint_context.authz(session_id, areq)
@@ -342,6 +342,7 @@ def test_token_exchange_per_client(self, token):
                 "urn:ietf:params:oauth:token-type:access_token",
                 "urn:ietf:params:oauth:token-type:refresh_token",
             ],
+            "default_requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
             "policy": {
                 "": {
                     "callable": "idpyoidc.server.oauth2.token_helper.validate_token_exchange_policy",
@@ -350,9 +351,10 @@ def test_token_exchange_per_client(self, token):
             },
         }
 
-        if list(token.keys())[0] == "refresh_token":
-            AUTH_REQ["scope"] = ["openid", "offline_access"]
         areq = AUTH_REQ.copy()
+        if list(token.keys())[0] == "refresh_token":
+            areq["scope"] = ["openid", "offline_access"]
+        
 
         session_id = self._create_session(areq)
         grant = self.endpoint_context.authz(session_id, areq)
@@ -509,8 +511,8 @@ def test_refresh_token_audience(self):
         """
         Test that requesting a refresh token with audience fails.
         """
-        AUTH_REQ["scope"] = ["openid", "offline_access"]
         areq = AUTH_REQ.copy()
+        areq["scope"] = ["openid", "offline_access"]
 
         session_id = self._create_session(areq)
         grant = self.endpoint_context.authz(session_id, areq)
@@ -579,8 +581,8 @@ def test_exchange_refresh_token_to_refresh_token(self):
         """
         Test whether exchanging a refresh token to another refresh token works.
         """
-        AUTH_REQ["scope"] = ["openid", "offline_access"]
         areq = AUTH_REQ.copy()
+        areq["scope"] = ["openid", "offline_access"]
 
         session_id = self._create_session(areq)
         grant = self.endpoint_context.authz(session_id, areq)
@@ -615,8 +617,8 @@ def test_exchange_refresh_token_to_refresh_token(self):
         ],
     )
     def test_exchange_access_token_to_refresh_token(self, scopes):
-        AUTH_REQ["scope"] = scopes
         areq = AUTH_REQ.copy()
+        areq["scope"] = scopes
 
         session_id = self._create_session(areq)
         grant = self.endpoint_context.authz(session_id, areq)