Request parameter + max_age parameter

docs/sections/changelog.rst

@@ -8,6 +8,8 @@ All notable changes to this project will be documented in this file.
 Unreleased
 ==========
 
+* Added: support of max_age parameter on authorization request.
+* Added: Passing Request Parameters as JWTs now returning request_not_supported error.
 * Changed: Django 5 added to test matrix.
 * Changed: ID Token JSON encoder improved using DjangoJSONEncoder.
 * Changed: Use unittest.mock in tests. Remove mock library.

oidc_provider/lib/endpoints/authorize.py

@@ -3,6 +3,8 @@
 from hashlib import md5
 from hashlib import sha256
 
+from oidc_provider.compat import get_attr_or_callable
+
 try:
     from urllib import urlencode
 
@@ -16,6 +18,7 @@
     from urllib.parse import urlunsplit
 from uuid import uuid4
 
+from django.utils import dateformat
 from django.utils import timezone
 
 from oidc_provider import settings
@@ -74,11 +77,12 @@ def _extract_params(self):
         self.params["scope"] = query_dict.get("scope", "").split()
         self.params["state"] = query_dict.get("state", "")
         self.params["nonce"] = query_dict.get("nonce", "")
-
+        # https://openid.net/specs/openid-connect-core-1_0.html#RequestObject
+        self.params["request"] = query_dict.get("request", "")
         self.params["prompt"] = self._allowed_prompt_params.intersection(
             set(query_dict.get("prompt", "").split())
         )
-
+        self.params["max_age"] = query_dict.get("max_age", "")
         self.params["code_challenge"] = query_dict.get("code_challenge", "")
         self.params["code_challenge_method"] = query_dict.get("code_challenge_method", "")
 
@@ -105,6 +109,12 @@ def validate_params(self):
                 self.params["redirect_uri"], "unsupported_response_type", self.grant_type
             )
 
+        # Passing Request Parameters as JWT not supported.
+        if self.params["request"]:
+            raise AuthorizeError(
+                self.params["redirect_uri"], "request_not_supported", self.grant_type
+            )
+
         if not self.is_authentication and (
             self.grant_type == "hybrid"
             or self.params["response_type"] in ["id_token", "id_token token"]
@@ -302,6 +312,25 @@ def is_client_allowed_to_skip_consent(self):
             or self.params["response_type"] in implicit_flow_resp_types
         )
 
+    def is_authentication_age_is_greater_than_max_age(self):
+        """
+        If the End-User authentication age is greater than the max_age value present in the
+        Authorization request, the OP MUST attempt to actively re-authenticate the End-User.
+        """
+        if not get_attr_or_callable(self.request.user, "is_authenticated"):
+            return False
+        try:
+            max_age = int(self.params["max_age"])
+        except ValueError:
+            return False
+
+        auth_time = int(
+            dateformat.format(self.request.user.last_login or self.request.user.date_joined, "U")
+        )
+        max_allowed_time = int(dateformat.format(timezone.now(), "U")) - max_age
+
+        return auth_time < max_allowed_time
+
     def get_scopes_information(self):
         """
         Return a list with the description of all the scopes requested.

oidc_provider/tests/app/utils.py

@@ -26,6 +26,7 @@
 )
 FAKE_CODE_CHALLENGE = "YlYXEqXuRm-Xgi2BOUiK50JW1KsGTX6F1TDnZSC8VTg"
 FAKE_CODE_VERIFIER = "SmxGa0XueyNh5bDgTcSrqzAh2_FmXEqU8kDT6CuXicw"
+FAKE_USER_PASSWORD = "1234"
 
 
 def create_fake_user():
@@ -39,7 +40,7 @@ def create_fake_user():
     user.email = "[email protected]"
     user.first_name = "John"
     user.last_name = "Doe"
-    user.set_password("1234")
+    user.set_password(FAKE_USER_PASSWORD)
 
     user.save()