Make usage of upstream_get more consistent.

Author: rohe

src/idpyoidc/client/client_auth.py

@@ -520,9 +520,7 @@ def _get_audience_and_algorithm(self, context, keyjar, **kwargs):
 
     def _construct_client_assertion(self, service, **kwargs):
         _context = service.upstream_get("context")
-        _entity = service.upstream_get("entity")
-        if _entity is None:
-            _entity = service.upstream_get("unit")
+        _entity = service.upstream_get("unit")
 
         _keyjar = service.upstream_get("attribute", "keyjar")
         audience, algorithm = self._get_audience_and_algorithm(_context, _keyjar, **kwargs)

src/idpyoidc/client/entity.py

@@ -145,7 +145,6 @@ def __init__(
             )
 
         self.setup_client_authn_methods(config)
-
         self.upstream_get = upstream_get
 
     def get_services(self, *arg):
@@ -170,8 +169,8 @@ def get_service_by_endpoint_name(self, endpoint_name, *arg):
 
         return None
 
-    def get_entity(self):
-        return self
+    # def get_entity(self):
+    #     return self
 
     def get_client_id(self):
         _val = self.context.claims.get_usage("client_id")

src/idpyoidc/client/oauth2/add_on/dpop.py

@@ -4,16 +4,18 @@
 from typing import Optional
 
 from cryptojwt.jwk.jwk import key_from_jwk_dict
-from cryptojwt.jws.jws import JWS
 from cryptojwt.jws.jws import factory
+from cryptojwt.jws.jws import JWS
 from cryptojwt.key_bundle import key_by_alg
 
+from idpyoidc.client.client_auth import BearerHeader
+from idpyoidc.client.client_auth import find_token_info
 from idpyoidc.client.service_context import ServiceContext
+from idpyoidc.message import Message
 from idpyoidc.message import SINGLE_OPTIONAL_STRING
 from idpyoidc.message import SINGLE_REQUIRED_INT
 from idpyoidc.message import SINGLE_REQUIRED_JSON
 from idpyoidc.message import SINGLE_REQUIRED_STRING
-from idpyoidc.message import Message
 from idpyoidc.metadata import get_signing_algs
 from idpyoidc.time_util import utc_time_sans_frac
 
@@ -91,13 +93,13 @@ def verify_header(self, dpop_header) -> Optional["DPoPProof"]:
 
 
 def dpop_header(
-    service_context: ServiceContext,
-    service_endpoint: str,
-    http_method: str,
-    headers: Optional[dict] = None,
-    token: Optional[str] = "",
-    nonce: Optional[str] = "",
-    **kwargs
+        service_context: ServiceContext,
+        service_endpoint: str,
+        http_method: str,
+        headers: Optional[dict] = None,
+        token: Optional[str] = "",
+        nonce: Optional[str] = "",
+        **kwargs
 ) -> dict:
     """
 
@@ -159,7 +161,7 @@ def dpop_header(
     return headers
 
 
-def add_support(services, dpop_signing_alg_values_supported):
+def add_support(services, dpop_signing_alg_values_supported, with_dpop_header=None):
     """
     Add the necessary pieces to make pushed authorization happen.
 
@@ -185,3 +187,53 @@ def add_support(services, dpop_signing_alg_values_supported):
     _userinfo_service = services.get("userinfo")
     if _userinfo_service:
         _userinfo_service.construct_extra_headers.append(dpop_header)
+    # To be backward compatible
+    if with_dpop_header is None:
+        with_dpop_header = ["userinfo"]
+
+    # Add dpop HTTP header to these
+    for _srv in with_dpop_header:
+        if _srv == "accesstoken":
+            continue
+        _service = services.get(_srv)
+        if _service:
+            _service.construct_extra_headers.append(dpop_header)
+
+
+class DPoPClientAuth(BearerHeader):
+    tag = "dpop_client_auth"
+
+    def construct(self, request=None, service=None, http_args=None, **kwargs):
+        """
+        Constructing the Authorization header. The value of
+        the Authorization header is "Bearer <access_token>".
+
+        :param request: Request class instance
+        :param service: The service this authentication method applies to.
+        :param http_args: HTTP header arguments
+        :param kwargs: extra keyword arguments
+        :return:
+        """
+
+        _token_type = "access_token"
+
+        _token_info = find_token_info(request, _token_type, service, **kwargs)
+
+        if not _token_info:
+            raise KeyError("No bearer token available")
+
+        # The authorization value starts with the token_type
+        # if _token_info["token_type"].to_lower() != "bearer":
+        _bearer = f"DPoP {_token_info[_token_type]}"
+
+        # Add 'Authorization' to the headers
+        if http_args is None:
+            http_args = {"headers": {}}
+            http_args["headers"]["Authorization"] = _bearer
+        else:
+            try:
+                http_args["headers"]["Authorization"] = _bearer
+            except KeyError:
+                http_args["headers"] = {"Authorization": _bearer}
+
+        return http_args

src/idpyoidc/client/oauth2/server_metadata.py

@@ -38,7 +38,7 @@ def get_endpoint(self):
         :return: Service endpoint
         """
         try:
-            _iss = self.upstream_get("context").issuer
+            _iss = self.upstream_get("attribute","issuer")
         except AttributeError:
             _iss = self.endpoint
 
@@ -72,13 +72,16 @@ def _verify_issuer(self, resp, issuer):
 
         # In some cases we can live with the two URLs not being
         # the same. But this is an excepted that has to be explicit
-        try:
-            self.upstream_get("context").allow["issuer_mismatch"]
-        except KeyError:
-            if _issuer != _pcr_issuer:
-                raise OidcServiceError(
-                    "provider info issuer mismatch '%s' != '%s'" % (_issuer, _pcr_issuer)
-                )
+        _allow = self.upstream_get("attribute", "allow")
+        if _allow:
+            _allowed = _allow.get("issuer_mismatch", None)
+            if _allowed:
+                return _issuer
+
+        if _issuer != _pcr_issuer:
+            raise OidcServiceError(
+                "provider info issuer mismatch '%s' != '%s'" % (_issuer, _pcr_issuer)
+            )
         return _issuer
 
     def _set_endpoints(self, resp):
@@ -131,9 +134,10 @@ def _update_service_context(self, resp):
         # is loaded not necessarily that any keys are fetched.
         if "jwks_uri" in resp:
             LOGGER.debug(f"'jwks_uri' in provider info: {resp['jwks_uri']}")
-            _hp = self.upstream_get('entity').httpc_params
-            if "verify" in _hp and "verify" not in _keyjar.httpc_params:
-                _keyjar.httpc_params["verify"] = _hp["verify"]
+            _hp = self.upstream_get("attribute","httpc_params")
+            if _hp:
+                if "verify" in _hp and "verify" not in _keyjar.httpc_params:
+                    _keyjar.httpc_params["verify"] = _hp["verify"]
             _keyjar.load_keys(_pcr_issuer, jwks_uri=resp["jwks_uri"])
             _loaded = True
         elif "jwks" in resp:

src/idpyoidc/client/oidc/__init__.py

@@ -94,7 +94,6 @@ def __init__(
         jwks_uri: Optional[str] = "",
         **kwargs
     ):
-        self.upstream_get = upstream_get
         if services:
             _srvs = services
         else:

src/idpyoidc/client/oidc/access_token.py

@@ -42,7 +42,7 @@ def gather_verify_arguments(
         :return: dictionary with arguments to the verify call
         """
         _context = self.upstream_get("context")
-        _entity = self.upstream_get("entity")
+        _entity = self.upstream_get("unit")
 
         kwargs = {
             "client_id": _entity.get_client_id(),

src/idpyoidc/client/oidc/authorization.py

@@ -90,7 +90,7 @@ def update_service_context(self, resp, key="", **kwargs):
         _context.cstate.update(key, resp)
 
     def get_request_from_response(self, response):
-        _context = self.upstream_get("service_context")
+        _context = self.upstream_get("context")
         return _context.cstate.get_set(response["state"], message=oauth2.AuthorizationRequest)
 
     def post_parse_response(self, response, **kwargs):

src/idpyoidc/client/oidc/provider_info_discovery.py

@@ -25,7 +25,7 @@ def add_redirect_uris(request_args, service=None, **kwargs):
     :param kwargs: Possible extra keyword arguments
     :return: A possibly augmented set of request arguments.
     """
-    _work_environment = service.upstream_get("context").claims
+    _work_environment = service.upstream_get("attribute", "claims")
     if "redirect_uris" not in request_args:
         # Callbacks is a dictionary with callback type 'code', 'implicit',
         # 'form_post' as keys.

src/idpyoidc/node.py

@@ -181,9 +181,9 @@ def get_unit(self, *args):
 def topmost_unit(unit):
     if hasattr(unit, "upstream_get"):
         if unit.upstream_get:
-            next_unit = unit.upstream_get("unit")
-            if next_unit:
-                unit = topmost_unit(next_unit)
+            superior = unit.upstream_get("unit")
+            if superior:
+                unit = topmost_unit(superior)
 
     return unit
 

src/idpyoidc/server/__init__.py

@@ -67,7 +67,6 @@ def __init__(
             issuer_id=self.issuer,
         )
 
-        self.upstream_get = upstream_get
         if isinstance(conf, OPConfiguration) or isinstance(conf, ASConfiguration):
             self.conf = conf
         else: