Fixed PKCE support.

rohe · rohe · commit e3509b5777a3 · 2020-01-08T20:14:46.000+01:00
diff --git a/src/oidcservice/oidc/add_on/__init__.py b/src/oidcservice/oidc/add_on/__init__.py
@@ -0,0 +1,7 @@
+from oidcservice.util import importer
+
+
+def do_add_ons(add_ons, services):
+    for key, spec in add_ons.items():
+        _func = importer(spec['function'])
+        _func(services, **spec['kwargs'])
diff --git a/src/oidcservice/oidc/add_on/pkce.py b/src/oidcservice/oidc/add_on/pkce.py
@@ -1,3 +1,5 @@
+import logging
+
 from cryptojwt.utils import b64e
 from oidcmsg.message import Message
 
@@ -6,6 +8,8 @@
 from oidcservice.exception import Unsupported
 from oidcservice.oauth2.utils import get_state_parameter
 
+logger = logging.getLogger(__name__)
+
 
 def add_code_challenge(request_args, service, **kwargs):
     """
@@ -18,8 +22,10 @@ def add_code_challenge(request_args, service, **kwargs):
     :param kwargs: Extra set of keyword arguments
     :return: Updated set of request arguments
     """
+    _kwargs = service.service_context.add_on["pkce"]
+
     try:
-        cv_len = service.service_context.config['code_challenge']['length']
+        cv_len = _kwargs['code_challenge_length']
     except KeyError:
         cv_len = 64  # Use default
 
@@ -28,7 +34,7 @@ def add_code_challenge(request_args, service, **kwargs):
     _cv = code_verifier.encode()
 
     try:
-        _method = service.service_context.config['code_challenge']['method']
+        _method = _kwargs['code_challenge_method']
     except KeyError:
         _method = 'S256'
 
@@ -46,8 +52,11 @@ def add_code_challenge(request_args, service, **kwargs):
     _item = Message(code_verifier=code_verifier, code_challenge_method=_method)
     service.store_item(_item, 'pkce', request_args['state'])
 
-    request_args.update({"code_challenge": code_challenge,
-                         "code_challenge_method": _method})
+    request_args.update(
+        {
+            "code_challenge": code_challenge,
+            "code_challenge_method": _method
+        })
     return request_args, {}
 
 
@@ -73,20 +82,25 @@ def put_state_in_post_args(request_args, **kwargs):
 
 def add_pkce_support(service, code_challenge_length, code_challenge_method):
     """
+    PKCE support can only be considered if this client can access authorization and
+    access token services.
 
     :param service: Dictionary of services
     :param code_challenge_length:
     :param code_challenge_method:
     :return:
     """
-    authn_service = service["authorization"]
-    authn_service.service_context.args['pkce'] = {
-        "code_challenge_length": code_challenge_length,
-        "code_challenge_method": code_challenge_method
-    }
-
-    authn_service.pre_construct.append(add_code_challenge)
-
-    token_service = service['accesstoken']
-    token_service.pre_construct.append(put_state_in_post_args)
-    token_service.post_construct.append(add_code_verifier)
+    if "authorization" in service and "accesstoken" in service:
+        _service = service["authorization"]
+        _service.service_context.add_on['pkce'] = {
+            "code_challenge_length": code_challenge_length,
+            "code_challenge_method": code_challenge_method
+        }
+
+        _service.pre_construct.append(add_code_challenge)
+
+        token_service = service['accesstoken']
+        token_service.pre_construct.append(put_state_in_post_args)
+        token_service.post_construct.append(add_code_verifier)
+    else:
+        logger.warning("PKCE support could NOT be added")
diff --git a/src/oidcservice/oidc/utils.py b/src/oidcservice/oidc/utils.py
@@ -67,11 +67,11 @@ def construct_request_uri(local_dir, base_path, **kwargs):
     """
     Constructs a special redirect_uri to be used when communicating with
     one OP. Each OP should get their own redirect_uris.
-    
+
     :param local_dir: Local directory in which to place the file
     :param base_path: Base URL to start with
-    :param kwargs: 
-    :return: 2-tuple with (filename, url) 
+    :param kwargs:
+    :return: 2-tuple with (filename, url)
     """
     _filedir = local_dir
     if not os.path.isdir(_filedir):
diff --git a/src/oidcservice/service.py b/src/oidcservice/service.py
@@ -228,7 +228,7 @@ def construct_request(self, request_args=None, **kwargs):
         The request information is gathered and the where and how of sending the
         request is decided.
 
-        :param request_args: Initial request arguments
+        :param request_args: Initial request arguments as a dictionary
         :param kwargs: Extra keyword arguments
         :return: A dictionary with the keys 'url' and possibly 'body', 'kwargs',
             'request' and 'ht_args'.
diff --git a/src/oidcservice/service_context.py b/src/oidcservice/service_context.py
@@ -87,6 +87,7 @@ def __init__(self, keyjar=None, config=None, **kwargs):
         self.redirect_uris = []
         self.callback = None
         self.args = {}
+        self.add_on = {}
 
         try:
             self.clock_skew = config['clock_skew']
diff --git a/tests/test_14_pkce.py b/tests/test_14_pkce.py
