From 97f49ae8b6bee13d84c4d9b15e765dbea204f33e Mon Sep 17 00:00:00 2001
From: Kostis Triantafyllakis
Date: Wed, 4 Oct 2023 16:55:11 +0300
Subject: [PATCH] Fix per-client configuration of deny_unknown_scopes
Signed-off-by: Kostis Triantafyllakis
---
 src/idpyoidc/server/oauth2/authorization.py | 4 ++-
 ...server_24_oauth2_authorization_endpoint.py | 32 +++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/src/idpyoidc/server/oauth2/authorization.py b/src/idpyoidc/server/oauth2/authorization.py
index 46b12699..9468d426 100755
--- a/src/idpyoidc/server/oauth2/authorization.py
+++ b/src/idpyoidc/server/oauth2/authorization.py
@@ -268,7 +268,9 @@ def authn_args_gather(
 def check_unknown_scopes_policy(request_info, client_id, context):
- if not context.get_preference("deny_unknown_scopes"):
+ cinfo = context.cdb.get(client_id, {})
+ deny_unknown_scopes = cinfo.get("deny_unknown_scopes", context.get_preference("deny_unknown_scopes"))
+ if not deny_unknown_scopes:
 return
 scope = request_info["scope"]
diff --git a/tests/test_server_24_oauth2_authorization_endpoint.py b/tests/test_server_24_oauth2_authorization_endpoint.py
index efbf6942..4d97d188 100755
--- a/tests/test_server_24_oauth2_authorization_endpoint.py
+++ b/tests/test_server_24_oauth2_authorization_endpoint.py
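Review bot: The new lookup in `check_unknown_scopes_policy` lets the client record relax the policy as well as tighten it: with the server preference set to True, a `cdb` entry carrying `"deny_unknown_scopes": False` (or an explicit `None`) makes the function return before any scope is checked. Whether client records can be populated from registration input is not visible in this hunk, but if they can, the server-wide setting should probably act as a floor, e.g. `deny_unknown_scopes = context.get_preference("deny_unknown_scopes") or cinfo.get("deny_unknown_scopes", False)`. If two-way override is intended, a short comment above the lookup such as `# per-client value, when present, takes precedence over the server preference` would make that explicit. The rest of the function body lies outside the hunk.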
@@ -588,6 +588,38 @@ def test_setup_auth_invalid_scope(self):
 assert excp
 assert isinstance(excp, UnAuthorizedClientScope)
+ def test_setup_auth_invalid_scope_2(self):
+ request = AuthorizationRequest(
+ client_id="client_id",
+ redirect_uri="https://rp.example.com/cb",
+ response_type=["id_token"],
+ state="state",
+ nonce="nonce",
+ scope="openid THAT-BLOODY_SCOPE",
+ )
+ cinfo = {
+ "client_id": "client_id",
+ "redirect_uris": [("https://rp.example.com/cb", {})],
+ "id_token_signed_response_alg": "RS256",
+ "allowed_scopes": ["openid", "profile", "email", "address", "phone", "offline_access"],
+ "deny_unknown_scopes": True
+ }
+
+ _context = self.endpoint.upstream_get("context")
+ _context.cdb["client_id"] = cinfo
+
+ kaka = _context.cookie_handler.make_cookie_content("value", "sso")
+
+ # force to 400 Http Error message if the release scope policy is heavy!
+ _context.set_preference("deny_unknown_scopes", False)
+ excp = None
+ try:
+ res = self.endpoint.process_request(request, http_info={"headers": {"cookie": [kaka]}})
+ except UnAuthorizedClientScope as e:
+ excp = e
+ assert excp
+ assert isinstance(excp, UnAuthorizedClientScope)
+
 def test_setup_auth_user(self):
 request = AuthorizationRequest(
 client_id="client_id",
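Review bot: `test_setup_auth_invalid_scope_2` pins only one direction of the new precedence (client True, server False); the opposite case and the fallback when the client record has no `deny_unknown_scopes` key are left untested. A companion test with `"deny_unknown_scopes": False` in `cinfo` and `_context.set_preference("deny_unknown_scopes", True)` would record whether a client entry is meant to be able to switch a server-wide deny off. The comment `# force to 400 Http Error message if the release scope policy is heavy!` sits directly above a line that turns the server preference off, so it should say instead that the client setting alone is expected to trigger the rejection. A name like `test_setup_auth_invalid_scope_per_client` would describe the case better than the `_2` suffix, and `res` is assigned but never used.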