Fixed client id retrieval when aud is a list of str. (#210)

* Fixed client id retrievel when aud is a list of str. * Split tests.
2017-11-09 12:05:20 +01:00 · 2017-11-09 12:05:20 +01:00 · 65c6cc6fec
parent 6beb186540
commit 65c6cc6fec
2 changed files with 30 additions and 6 deletions
--- a/oidc_provider/lib/utils/token.py
+++ b/oidc_provider/lib/utils/token.py
@ -91,7 +91,12 @@ def client_id_from_id_token(id_token):
    Returns a string or None.
    """
    payload = JWT().unpack(id_token).payload()
-    return payload.get('aud', None)
+    aud = payload.get('aud', None)
+    if aud is None:
+        return None
+    if isinstance(aud, list):
+        return aud[0]
+    return aud


 def create_token(user, client, scope, id_token_dic=None):
--- a/oidc_provider/tests/test_end_session_endpoint.py
+++ b/oidc_provider/tests/test_end_session_endpoint.py
@ -30,21 +30,40 @@ class EndSessionTestCase(TestCase):

        self.url = reverse('oidc_provider:end-session')

-    def test_redirects(self):
+    def test_redirects_when_aud_is_str(self):
        query_params = {
            'post_logout_redirect_uri': self.LOGOUT_URL,
        }
        response = self.client.get(self.url, query_params)
-        # With no id_token the OP MUST NOT redirect to the requested redirect_uri.
-        self.assertRedirects(response, settings.get('OIDC_LOGIN_URL'), fetch_redirect_response=False)
+        # With no id_token the OP MUST NOT redirect to the requested
+        # redirect_uri.
+        self.assertRedirects(
+            response, settings.get('OIDC_LOGIN_URL'),
+            fetch_redirect_response=False)

-        id_token_dic = create_id_token(user=self.user, aud=self.oidc_client.client_id)
+        id_token_dic = create_id_token(
+            user=self.user, aud=self.oidc_client.client_id)
        id_token = encode_id_token(id_token_dic, self.oidc_client)

        query_params['id_token_hint'] = id_token

        response = self.client.get(self.url, query_params)
-        self.assertRedirects(response, self.LOGOUT_URL, fetch_redirect_response=False)
+        self.assertRedirects(
+            response, self.LOGOUT_URL, fetch_redirect_response=False)
+
+    def test_redirects_when_aud_is_list(self):
+        """Check with 'aud' containing a list of str."""
+        query_params = {
+            'post_logout_redirect_uri': self.LOGOUT_URL,
+        }
+        id_token_dic = create_id_token(
+            user=self.user, aud=self.oidc_client.client_id)
+        id_token_dic['aud'] = [id_token_dic['aud']]
+        id_token = encode_id_token(id_token_dic, self.oidc_client)
+        query_params['id_token_hint'] = id_token
+        response = self.client.get(self.url, query_params)
+        self.assertRedirects(
+            response, self.LOGOUT_URL, fetch_redirect_response=False)

    @mock.patch(settings.get('OIDC_AFTER_END_SESSION_HOOK'))
    def test_call_post_end_session_hook(self, hook_function):