Handle scopes inside policy callable

Author: ctriant

src/oidcop/oidc/token.py

@@ -424,15 +424,15 @@ def post_parse_request(self, request, client_id="", **kwargs):
 
         token = _mngr.find_token(_session_info["session_id"], request["subject_token"])
 
-        error = self.enforce_policy(request, token)
-        if error is not None:
-            return error
+        resp = self.enforce_policy(request, token)
+        if isinstance(resp, TokenErrorResponse):
+            return resp
 
         if token.is_active() is False:
             return self.error_cls(
                 error="invalid_request", error_description="Subject token inactive"
             )
-        return request
+        return resp
 
     def enforce_policy(self, request, token):
         _context = self.endpoint.server_get("endpoint_context")
@@ -599,21 +599,14 @@ def default_token_exchange_policy(request, context, kwargs):
                 error="invalid_target", error_description="Unknown audience"
             )
 
-    # TODO: if requested type is jwt make sure our tokens are jwt
-    # if (
-    #     "requested_token_type" in request
-    #     and request["requested_token_type"] not in kwargs["token_types_allowed"]
-    # ):
-    #     return TokenErrorResponse(
-    #         error="invalid_target",
-    #         error_description="Unsupported requested token type"
-    #     )
-
     if "actor_token" in request or "actor_token_type" in request:
         return TokenErrorResponse(
             error="invalid_request", error_description="Actor token not supported"
         )
 
+    request["scope"] = kwargs.get("scope", ["openid"])
+    return request
+
 class Token(oauth2.token.Token):
     request_cls = Message
     response_cls = oidc.AccessTokenResponse

tests/test_36_oauth2_token_exchange.py

@@ -130,23 +130,23 @@ def create_endpoint(self):
                                     "kwargs": {
                                         "audience": ["https://example.com"],
                                         "resource": [],
-                                        "scopes": ["abc", "def"]
+                                        "scope": ["openid"]
                                     }
                                 },
                                 "urn:ietf:params:oauth:token-type:refresh_token": {
                                     "callable": "oidcop.oidc.token.default_token_exchange_policy",
                                     "kwargs": {
                                         "audience": ["https://example.com"],
                                         "resource": [],
-                                        "scopes": ["abc", "def"]
+                                        "scope": ["openid"]
                                     }
                                 },
                                 "": {
                                     "callable": "oidcop.oidc.token.default_token_exchange_policy",
                                     "kwargs": {
                                         "audience": ["https://example.com"],
                                         "resource": [],
-                                        "scopes": ["abc", "def"]
+                                        "scope": ["openid"]
                                     }
                                 },
                             },