Fixed refactoring of the construction of request object.

rohe · rohe · commit 671698bd81ab · 2024-08-25T15:58:38.000+02:00
diff --git a/src/idpyoidc/client/oauth2/add_on/jar.py b/src/idpyoidc/client/oauth2/add_on/jar.py
@@ -1,13 +1,9 @@
 import logging
 from typing import Optional
 
-from idpyoidc import claims
 from idpyoidc import metadata
-from idpyoidc.client.oidc.utils import construct_request_uri
-from idpyoidc.client.oidc.utils import request_object_encryption
 from idpyoidc.client.request_object import construct_request_parameter
-from idpyoidc.message.oidc import make_openid_request
-from idpyoidc.time_util import utc_time_sans_frac
+from idpyoidc.client.request_object import construct_request_uri
 
 logger = logging.getLogger(__name__)
 
@@ -36,7 +32,6 @@ def store_request_on_file(service, req, **kwargs):
     return _webname
 
 
-
 def jar_post_construct(request_args, service, **kwargs):
     """
     Modify the request arguments.
@@ -89,14 +84,14 @@ def jar_post_construct(request_args, service, **kwargs):
 
 
 def add_support(
-    service,
-    request_type: Optional[str] = "request_parameter",
-    request_dir: Optional[str] = "",
-    request_object_signing_alg: Optional[str] = "RS256",
-    expires_in: Optional[int] = DEFAULT_EXPIRES_IN,
-    with_jti: Optional[bool] = False,
-    request_object_encryption_alg: Optional[str] = "",
-    request_object_encryption_enc: Optional[str] = "",
+        service,
+        request_type: Optional[str] = "request_parameter",
+        request_dir: Optional[str] = "",
+        request_object_signing_alg: Optional[str] = "RS256",
+        expires_in: Optional[int] = DEFAULT_EXPIRES_IN,
+        with_jti: Optional[bool] = False,
+        request_object_encryption_alg: Optional[str] = "",
+        request_object_encryption_enc: Optional[str] = "",
 ):
     """
     JAR support can only be considered if this client can access an authorization service.
diff --git a/src/idpyoidc/client/oidc/authorization.py b/src/idpyoidc/client/oidc/authorization.py
@@ -7,8 +7,8 @@
 from idpyoidc.client.oauth2 import authorization
 from idpyoidc.client.oauth2.utils import pre_construct_pick_redirect_uri
 from idpyoidc.client.oidc import IDT2REG
-from idpyoidc.client.oidc.utils import construct_request_uri
 from idpyoidc.client.request_object import construct_request_parameter
+from idpyoidc.client.request_object import construct_request_uri
 from idpyoidc.client.service_context import ServiceContext
 from idpyoidc.client.util import implicit_response_types
 from idpyoidc.exception import MissingRequiredAttribute
diff --git a/src/idpyoidc/client/oidc/utils.py b/src/idpyoidc/client/oidc/utils.py
@@ -1,85 +0,0 @@
-import os
-
-from cryptojwt.jwe.jwe import JWE
-from cryptojwt.jwe.utils import alg2keytype
-
-from idpyoidc.exception import MissingRequiredAttribute
-from idpyoidc.util import rndstr
-
-
-def request_object_encryption(msg, service_context, keyjar, **kwargs):
-    """
-    Created an encrypted JSON Web token with *msg* as body.
-
-    :param msg: The mesaqg
-    :param service_context:
-    :param kwargs:
-    :return:
-    """
-    try:
-        encalg = kwargs["request_object_encryption_alg"]
-    except KeyError:
-        try:
-            encalg = service_context.get_usage("request_object_encryption_alg")
-        except KeyError:
-            return msg
-
-    if not encalg:
-        return msg
-
-    try:
-        encenc = kwargs["request_object_encryption_enc"]
-    except KeyError:
-        try:
-            encenc = service_context.get_usage("request_object_encryption_enc")
-        except KeyError:
-            raise MissingRequiredAttribute("No request_object_encryption_enc specified")
-
-    if not encenc:
-        raise MissingRequiredAttribute("No request_object_encryption_enc specified")
-
-    _jwe = JWE(msg, alg=encalg, enc=encenc)
-    _kty = alg2keytype(encalg)
-
-    try:
-        _kid = kwargs["enc_kid"]
-    except KeyError:
-        _kid = ""
-
-    _target = kwargs.get("target", kwargs.get("recv", None))
-    if _target is None:
-        raise MissingRequiredAttribute("No target specified")
-
-    if _kid:
-        _keys = keyjar.get_encrypt_key(_kty, issuer_id=_target, kid=_kid)
-        _jwe["kid"] = _kid
-    else:
-        _keys = keyjar.get_encrypt_key(_kty, issuer_id=_target)
-
-    return _jwe.encrypt(_keys)
-
-
-def construct_request_uri(local_dir, base_path, **kwargs):
-    """
-    Constructs a special redirect_uri to be used when communicating with
-    one OP. Each OP should get their own redirect_uris.
-
-    :param local_dir: Local directory in which to place the file
-    :param base_path: Base URL to start with
-    :param kwargs:
-    :return: 2-tuple with (filename, url)
-    """
-    _filedir = local_dir
-    if not os.path.isdir(_filedir):
-        os.makedirs(_filedir)
-    _webpath = base_path
-    _name = rndstr(10) + ".jwt"
-    filename = os.path.join(_filedir, _name)
-    while os.path.exists(filename):
-        _name = rndstr(10)
-        filename = os.path.join(_filedir, _name)
-    if _webpath.endswith("/"):
-        _webname = f"{_webpath}{_name}"
-    else:
-        _webname = f"{_webpath}/{_name}"
-    return filename, _webname
diff --git a/src/idpyoidc/client/request_object.py b/src/idpyoidc/client/request_object.py
@@ -15,7 +15,7 @@ def request_object_encryption(msg, service_context, keyjar, **kwargs):
     """
     Created an encrypted JSON Web token with *msg* as body.
 
-    :param msg: The mesaqg
+    :param msg: The message
     :param service_context:
     :param kwargs:
     :return:
@@ -124,7 +124,10 @@ def construct_request_parameter(service, req, audience=None, **kwargs):
     if _issuer is None:
         kwargs["issuer"] = _context.get_client_id()
 
-    if kwargs.get("recv") is None:
+    # The receiver
+    if audience:
+        kwargs["recv"] = audience
+    elif kwargs.get("recv") is None:
         try:
             kwargs["recv"] = _context.provider_info["issuer"]
         except KeyError:
@@ -140,10 +143,12 @@ def construct_request_parameter(service, req, audience=None, **kwargs):
 
     kwargs["with_jti"] = kwargs.get("with_jti",True)
 
-    # _enc_enc = _jar_conf.get("request_object_encryption_enc", "")
-    # if _enc_enc:
-    #     kwargs["request_object_encryption_enc"] = _enc_enc
-    #     kwargs["request_object_encryption_alg"] = _jar_conf.get("request_object_encryption_alg")
+    _enc_enc = kwargs.get("request_object_encryption_enc", "")
+    if not _enc_enc:
+        _enc_enc = _context.get_usage("request_object_encryption_enc")
+        if _enc_enc:
+            kwargs["request_object_encryption_enc"] = _enc_enc
+            kwargs["request_object_encryption_alg"] = _context.get_usage("request_object_encryption_alg")
 
     # Filter out only the arguments I want
     _mor_args = {
@@ -159,9 +164,6 @@ def construct_request_parameter(service, req, audience=None, **kwargs):
         if k in kwargs
     }
 
-    if audience:
-        _mor_args["aud"] = audience
-
     _req_jwt = make_openid_request(req, **_mor_args)
 
     if "target" not in kwargs:
diff --git a/src/idpyoidc/message/oidc/__init__.py b/src/idpyoidc/message/oidc/__init__.py
@@ -1182,7 +1182,7 @@ def make_openid_request(
     :param request_object_signing_alg: Which signing algorithm to use
     :param recv: The intended receiver of the request
     :param with_jti: Whether a JTI should be included in the JWT.
-    :param lifetime: How long the JWT is expect to be live.
+    :param lifetime: How long the JWT is expected to be alive.
     :return: JWT encoded OpenID request
     """
 
diff --git a/tests/private/token_jwks.json b/tests/private/token_jwks.json
@@ -1 +1 @@
-{"keys": [{"kty": "oct", "use": "enc", "kid": "code", "k": "vSHDkLBHhDStkR0NWu8519rmV5zmnm5_"}, {"kty": "oct", "use": "enc", "kid": "refresh", "k": "etMvKWMjiDg3OSf1P_eXtue8iDOxUGqp"}]}
+{"keys": [{"kty": "oct", "use": "enc", "kid": "code", "k": "vSHDkLBHhDStkR0NWu8519rmV5zmnm5_"}, {"kty": "oct", "use": "enc", "kid": "refresh", "k": "iIetL7Smy3aIAy38ENGPqMaufuxvV0GI"}]}
diff --git a/tests/pub_client.jwks b/tests/pub_client.jwks
@@ -1 +1 @@
-{"keys": [{"kty": "EC", "use": "sig", "kid": "azZQQ2FEQjh3QnVZWVdrbHJkMEZSaWR6aVJ0LTBjeUFfeWRlbTRrRFZ5VQ", "crv": "P-256", "x": "2ADe18caWWGp6hpRbfa9HqQHDFNpid9xUmR56Wzm_wc", "y": "HnD_8QBanz4Y-UF8mKQFZXfqkGkXUSm34mLsdDKtSyk"}, {"kty": "RSA", "use": "sig", "kid": "SHEyYWcwNVk0LTdROTZzZ2FUWndIVXdack0xWUM5SEpwcS03dVUxWU4zRQ", "n": "rRz52ddyP9Y2ezSlRsnkt-sjXfV_Ii7vOFX-cStLE3IUlVeSJGEe_kAASLr2r3BE2unjntaxj67NP8D95h_rzG1SpCklTEn-aTe3FOwNyTzUH_oiDVeRoEcf04Y43ciRGYRB5PhI6ii-2lYuig6hyUr776Qxiu6-0zw-M_ay2MgGSy5CEj55dDSvcUyxStUObxGpPWnEvybO1vnE7iJEWGNe0L5uPe5nLidOiR-JwjxSWEx1xZYtIjxaf2Ulu-qu4hwgwBUQdx4bNZyBfljKj55skWuHqPMG3xMjnedQC6Ms5bR3rIkbBpvmgI3kJK-4CZikM6ruyLo94-Lk19aYQw", "e": "AQAB"}]}
+{"keys": [{"kty": "EC", "use": "sig", "kid": "azZQQ2FEQjh3QnVZWVdrbHJkMEZSaWR6aVJ0LTBjeUFfeWRlbTRrRFZ5VQ", "crv": "P-256", "x": "2ADe18caWWGp6hpRbfa9HqQHDFNpid9xUmR56Wzm_wc", "y": "HnD_8QBanz4Y-UF8mKQFZXfqkGkXUSm34mLsdDKtSyk"}, {"kty": "RSA", "use": "sig", "kid": "SHEyYWcwNVk0LTdROTZzZ2FUWndIVXdack0xWUM5SEpwcS03dVUxWU4zRQ", "e": "AQAB", "n": "rRz52ddyP9Y2ezSlRsnkt-sjXfV_Ii7vOFX-cStLE3IUlVeSJGEe_kAASLr2r3BE2unjntaxj67NP8D95h_rzG1SpCklTEn-aTe3FOwNyTzUH_oiDVeRoEcf04Y43ciRGYRB5PhI6ii-2lYuig6hyUr776Qxiu6-0zw-M_ay2MgGSy5CEj55dDSvcUyxStUObxGpPWnEvybO1vnE7iJEWGNe0L5uPe5nLidOiR-JwjxSWEx1xZYtIjxaf2Ulu-qu4hwgwBUQdx4bNZyBfljKj55skWuHqPMG3xMjnedQC6Ms5bR3rIkbBpvmgI3kJK-4CZikM6ruyLo94-Lk19aYQw"}]}
diff --git a/tests/pub_iss.jwks b/tests/pub_iss.jwks
@@ -1 +1 @@
-{"keys": [{"kty": "EC", "use": "sig", "kid": "SmdKMlVGcG1zMnprdDdXZGpGWEczdHhlZVpGbkx1THpPdUY4d0w4bnZkSQ", "crv": "P-256", "x": "tRHJYm0fsOi0icpGEb33qiDVgt68ltMoYSWdLGhDGz4", "y": "fRpX0i6p5Jigf5I0qwW34PyStosMShwWAWS8x_w5o7E"}, {"kty": "RSA", "use": "sig", "kid": "R0FsaFdqREFaUFp1c0MwbUpsbHVSZ200blBJZWJVMTUtNGsyVlBmdHk5UQ", "n": "2ilgsKVqF92KfhwmosSVeZOaDgb3RF1mbg-pqkmLO6YpOO06LF4V4angF-GhP-ysAm2E75aSIU4tnHVThFlcxTgKFqjYKJQXyVzTVK2r-L2IbvFPaDtvoU6WteybpMlIUVk2po3cFDGObCWYKCm7CUOLlwH0uOpui66P9VSCqdKVKbJRAQBvTSbP10KWPxulfqjWGJtHO5fY7-JVWwOBkG-eHSJIT_uaoPjyvKCZjknq04bLUV9qP78KRQpRyYijBN60w2v8F79baN9CN10TIEjjWKGz0uX0M_YYQzTUoSY5l5ka9RkL3wT4o2iQ1t5nHphX6aA-gqwgCQmi-nvjaw", "e": "AQAB"}]}
+{"keys": [{"kty": "EC", "use": "sig", "kid": "SmdKMlVGcG1zMnprdDdXZGpGWEczdHhlZVpGbkx1THpPdUY4d0w4bnZkSQ", "crv": "P-256", "x": "tRHJYm0fsOi0icpGEb33qiDVgt68ltMoYSWdLGhDGz4", "y": "fRpX0i6p5Jigf5I0qwW34PyStosMShwWAWS8x_w5o7E"}, {"kty": "RSA", "use": "sig", "kid": "R0FsaFdqREFaUFp1c0MwbUpsbHVSZ200blBJZWJVMTUtNGsyVlBmdHk5UQ", "e": "AQAB", "n": "2ilgsKVqF92KfhwmosSVeZOaDgb3RF1mbg-pqkmLO6YpOO06LF4V4angF-GhP-ysAm2E75aSIU4tnHVThFlcxTgKFqjYKJQXyVzTVK2r-L2IbvFPaDtvoU6WteybpMlIUVk2po3cFDGObCWYKCm7CUOLlwH0uOpui66P9VSCqdKVKbJRAQBvTSbP10KWPxulfqjWGJtHO5fY7-JVWwOBkG-eHSJIT_uaoPjyvKCZjknq04bLUV9qP78KRQpRyYijBN60w2v8F79baN9CN10TIEjjWKGz0uX0M_YYQzTUoSY5l5ka9RkL3wT4o2iQ1t5nHphX6aA-gqwgCQmi-nvjaw"}]}
diff --git a/tests/test_client_21_oidc_service.py b/tests/test_client_21_oidc_service.py
@@ -213,6 +213,8 @@ def test_request_init_request_method(self):
             "iss",
             "aud",
             "iat",
+            "jti",
+            "exp"
         }
 
     def test_request_param(self):
diff --git a/tests/test_client_24_oic_utils.py b/tests/test_client_24_oic_utils.py
@@ -1,8 +1,8 @@
 from cryptojwt.jwe.jwe import factory
 from cryptojwt.key_jar import build_keyjar
 
-from idpyoidc.client.oidc.utils import construct_request_uri
-from idpyoidc.client.oidc.utils import request_object_encryption
+from idpyoidc.client.request_object import construct_request_uri
+from idpyoidc.client.request_object import request_object_encryption
 from idpyoidc.client.service_context import ServiceContext
 from idpyoidc.message.oidc import AuthorizationRequest
 

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"keys": [{"kty": "oct", "use": "enc", "kid": "code", "k": "vSHDkLBHhDStkR0NWu8519rmV5zmnm5_"}, {"kty": "oct", "use": "enc", "kid": "refresh", "k": "etMvKWMjiDg3OSf1P_eXtue8iDOxUGqp"}]}`
	`1`	`+{"keys": [{"kty": "oct", "use": "enc", "kid": "code", "k": "vSHDkLBHhDStkR0NWu8519rmV5zmnm5_"}, {"kty": "oct", "use": "enc", "kid": "refresh", "k": "iIetL7Smy3aIAy38ENGPqMaufuxvV0GI"}]}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		-{"keys": [{"kty": "EC", "use": "sig", "kid": "azZQQ2FEQjh3QnVZWVdrbHJkMEZSaWR6aVJ0LTBjeUFfeWRlbTRrRFZ5VQ", "crv": "P-256", "x": "2ADe18caWWGp6hpRbfa9HqQHDFNpid9xUmR56Wzm_wc", "y": "HnD_8QBanz4Y-UF8mKQFZXfqkGkXUSm34mLsdDKtSyk"}, {"kty": "RSA", "use": "sig", "kid": "SHEyYWcwNVk0LTdROTZzZ2FUWndIVXdack0xWUM5SEpwcS03dVUxWU4zRQ", "n": "rRz52ddyP9Y2ezSlRsnkt-sjXfV_Ii7vOFX-cStLE3IUlVeSJGEe_kAASLr2r3BE2unjntaxj67NP8D95h_rzG1SpCklTEn-aTe3FOwNyTzUH_oiDVeRoEcf04Y43ciRGYRB5PhI6ii-2lYuig6hyUr776Qxiu6-0zw-M_ay2MgGSy5CEj55dDSvcUyxStUObxGpPWnEvybO1vnE7iJEWGNe0L5uPe5nLidOiR-JwjxSWEx1xZYtIjxaf2Ulu-qu4hwgwBUQdx4bNZyBfljKj55skWuHqPMG3xMjnedQC6Ms5bR3rIkbBpvmgI3kJK-4CZikM6ruyLo94-Lk19aYQw", "e": "AQAB"}]}
	`1`	+{"keys": [{"kty": "EC", "use": "sig", "kid": "azZQQ2FEQjh3QnVZWVdrbHJkMEZSaWR6aVJ0LTBjeUFfeWRlbTRrRFZ5VQ", "crv": "P-256", "x": "2ADe18caWWGp6hpRbfa9HqQHDFNpid9xUmR56Wzm_wc", "y": "HnD_8QBanz4Y-UF8mKQFZXfqkGkXUSm34mLsdDKtSyk"}, {"kty": "RSA", "use": "sig", "kid": "SHEyYWcwNVk0LTdROTZzZ2FUWndIVXdack0xWUM5SEpwcS03dVUxWU4zRQ", "e": "AQAB", "n": "rRz52ddyP9Y2ezSlRsnkt-sjXfV_Ii7vOFX-cStLE3IUlVeSJGEe_kAASLr2r3BE2unjntaxj67NP8D95h_rzG1SpCklTEn-aTe3FOwNyTzUH_oiDVeRoEcf04Y43ciRGYRB5PhI6ii-2lYuig6hyUr776Qxiu6-0zw-M_ay2MgGSy5CEj55dDSvcUyxStUObxGpPWnEvybO1vnE7iJEWGNe0L5uPe5nLidOiR-JwjxSWEx1xZYtIjxaf2Ulu-qu4hwgwBUQdx4bNZyBfljKj55skWuHqPMG3xMjnedQC6Ms5bR3rIkbBpvmgI3kJK-4CZikM6ruyLo94-Lk19aYQw"}]}
Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,8 @@ def test_request_init_request_method(self):`
`213`	`213`	`"iss",`
`214`	`214`	`"aud",`
`215`	`215`	`"iat",`
	`216`	`+ "jti",`
	`217`	`+ "exp"`
`216`	`218`	`}`
`217`	`219`
`218`	`220`	`def test_request_param(self):`