More about sessions and back channel support.

rohe · rohe · commit 429d0c542244 · 2019-02-14T14:20:43.000+01:00
diff --git a/src/oidcmsg/oidc/__init__.py b/src/oidcmsg/oidc/__init__.py
@@ -349,7 +349,9 @@ class AuthorizationResponse(oauth2.AuthorizationResponse,
         # "nonce": SINGLE_OPTIONAL_STRING,
         "access_token": SINGLE_OPTIONAL_STRING,
         "token_type": SINGLE_OPTIONAL_STRING,
-        "id_token": SINGLE_OPTIONAL_IDTOKEN
+        "id_token": SINGLE_OPTIONAL_IDTOKEN,
+        # Below is REQUIRED if doing session management
+        "session_state": SINGLE_OPTIONAL_STRING
         })
 
     def verify(self, **kwargs):
@@ -607,7 +609,7 @@ class RegistrationRequest(Message):
         "post_logout_redirect_uris": OPTIONAL_LIST_OF_STRINGS,
         "frontchannel_logout_uri": SINGLE_OPTIONAL_STRING,
         "frontchannel_logout_session_required": SINGLE_OPTIONAL_BOOLEAN,
-        "backchannel_logout_supported": SINGLE_OPTIONAL_BOOLEAN,
+        "backchannel_logout_uri": SINGLE_OPTIONAL_STRING,
         "backchannel_logout_session_supported": SINGLE_OPTIONAL_BOOLEAN
         }
     c_default = {"application_type": "web", "response_types": ["code"]}
@@ -900,7 +902,9 @@ def verify(self, **kwargs):
                 check_char_set(scope, SCOPE_CHARSET)
 
         parts = urlparse(self["issuer"])
-        if parts.scheme != "https":
+        if 'allow_http' in kwargs:
+            pass
+        elif parts.scheme != "https":
             raise SchemeError("Not HTTPS")
 
         if not parts.query and not parts.fragment:
@@ -909,7 +913,7 @@ def verify(self, **kwargs):
             raise ValueError('Issuer ID invalid')
 
         if any("code" in rt for rt in self[
-            "response_types_supported"]) and "token_endpoint" not in self:
+                "response_types_supported"]) and "token_endpoint" not in self:
             raise MissingRequiredAttribute("token_endpoint")
 
         return True
diff --git a/src/oidcmsg/oidc/session.py b/src/oidcmsg/oidc/session.py
@@ -20,7 +20,6 @@
 logger = logging.getLogger(__name__)
 
 
-
 class RefreshSessionRequest(MessageWithIdToken):
     c_param = MessageWithIdToken.c_param.copy()
     c_param.update({
diff --git a/tests/test_7_session.py b/tests/test_7_session.py
@@ -96,6 +96,17 @@ def test_example(self):
                                     lifetime=300))
         keyjar = KeyJar()
         keyjar.add_kb('', KC_SYM_S)
+        with pytest.raises(ValueError):
+            assert csr.verify(keyjar=keyjar)
+
+
+    def test_example_1(self):
+        _symkey = KC_SYM_S.get(alg2keytype("HS256"))
+        csr = CheckSessionRequest(
+            id_token=IDTOKEN.to_jwt(key=_symkey, algorithm="HS256",
+                                    lifetime=300))
+        keyjar = KeyJar()
+        keyjar.add_kb(ISS, KC_SYM_S)
         assert csr.verify(keyjar=keyjar)
 
 
