Merge pull request #430 from rohe/audience

Audience is endpoint dependent.
CZ-NIC · Oct 6, 2017 · 516bf6b · 516bf6b
2 parents bb8e71a + 612ed45
commit 516bf6b
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,9 +8,11 @@ The format is based on the [KeepAChangeLog] project.
 ## 0.13.0 [Unreleased]
 
 ### Fixed
+- [#430] Audience of a client assertion is endpoint dependent.
 - [#427] Made matching for response_types order independent for authorization requests
 - [#399] Matching response_types for authz requests is too strict
 
+[#430]: https://github.com/OpenIDC/pyoidc/pull/430
 [#427]: https://github.com/OpenIDC/pyoidc/pull/427
 [#399]: https://github.com/OpenIDC/pyoidc/issues/399
 

diff --git a/src/oic/utils/authn/client.py b/src/oic/utils/authn/client.py
@@ -45,6 +45,7 @@ def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
     at = AuthnToken(iss=cli.client_id, sub=cli.client_id,
                     aud=audience, jti=rndstr(32),
                     exp=_now + lifetime, iat=_now)
+    logger.debug('AuthnToken: {}'.format(at.to_dict()))
     return at.to_jwt(key=keys, algorithm=algorithm)
 
 
@@ -310,14 +311,16 @@ def construct(self, cis, request_args=None, http_args=None, **kwargs):
         # audience is the OP endpoint
         # audience = self.cli._endpoint(REQUEST2ENDPOINT[cis.type()])
         # OR OP identifier
-        audience = self.cli.provider_info['issuer']
         algorithm = None
         if kwargs['authn_endpoint'] in ['token', 'refresh']:
             try:
                 algorithm = self.cli.registration_info[
                     'token_endpoint_auth_signing_alg']
             except (KeyError, AttributeError):
                 pass
+            audience = self.cli.provider_info['token_endpoint']
+        else:
+            audience = self.cli.provider_info['issuer']
 
         if not algorithm:
             algorithm = self.choose_algorithm(**kwargs)

diff --git a/tests/test_client.py b/tests/test_client.py
@@ -188,7 +188,8 @@ def test_construct(self, client):
                             {"key": _key, "kty": "RSA", "use": "sig"}])
         client.keyjar[""] = kc_rsa
         client.token_endpoint = "https://example.com/token"
-        client.provider_info = {'issuer': 'https://example.com/'}
+        client.provider_info = {'issuer': 'https://example.com/',
+                                'token_endpoint': "https://example.com/token"}
         cis = AccessTokenRequest()
         pkj = PrivateKeyJWT(client)
         http_args = pkj.construct(cis, algorithm="RS256",
@@ -199,12 +200,14 @@ def test_construct(self, client):
         jso = _jwt.payload()
         assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
         assert _jwt.headers == {'alg': 'RS256'}
+        assert jso['aud'] == [client.provider_info['token_endpoint']]
 
 
-class TestClientSecretJWT(object):
+class TestClientSecretJWT_TE(object):
     def test_client_secret_jwt(self, client):
         client.token_endpoint = "https://example.com/token"
-        client.provider_info = {'issuer': 'https://example.com/'}
+        client.provider_info = {'issuer': 'https://example.com/',
+                                'token_endpoint': "https://example.com/token"}
 
         csj = ClientSecretJWT(client)
         cis = AccessTokenRequest()
@@ -224,6 +227,34 @@ def test_client_secret_jwt(self, client):
             cas, [SYMKey(k=b64e(as_bytes(client.client_secret)))])
 
         assert _eq(info.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
+        assert info['aud'] == [client.provider_info['token_endpoint']]
+
+
+class TestClientSecretJWT_UI(object):
+    def test_client_secret_jwt(self, client):
+        client.token_endpoint = "https://example.com/token"
+        client.provider_info = {'issuer': 'https://example.com/',
+                                'token_endpoint': "https://example.com/token"}
+
+        csj = ClientSecretJWT(client)
+        cis = AccessTokenRequest()
+
+        csj.construct(cis, algorithm="HS256",
+                      authn_endpoint='userinfo')
+        assert cis["client_assertion_type"] == JWT_BEARER
+        assert "client_assertion" in cis
+        cas = cis["client_assertion"]
+        _jwt = JWT().unpack(cas)
+        jso = _jwt.payload()
+        assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
+        assert _jwt.headers == {'alg': 'HS256'}
+
+        _rj = JWS()
+        info = _rj.verify_compact(
+            cas, [SYMKey(k=b64e(as_bytes(client.client_secret)))])
+
+        assert _eq(info.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
+        assert info['aud'] == [client.provider_info['issuer']]
 
 
 class TestValidClientInfo(object):