Merge pull request #254 from q3aiml/fix-token-introspection-response

Fix token introspection "aud" and "client_id" response

oidc_provider/lib/endpoints/introspection.py

@@ -18,6 +18,7 @@ class TokenIntrospectionEndpoint(object):
     def __init__(self, request):
         self.request = request
         self.params = {}
+        self.token = None
         self.id_token = None
         self.client = None
         self._extract_params()
@@ -37,19 +38,19 @@ class TokenIntrospectionEndpoint(object):
             logger.debug('[Introspection] No token provided')
             raise TokenIntrospectionError()
         try:
-            token = Token.objects.get(access_token=self.params['token'])
+            self.token = Token.objects.get(access_token=self.params['token'])
         except Token.DoesNotExist:
             logger.debug('[Introspection] Token does not exist: %s', self.params['token'])
             raise TokenIntrospectionError()
-        if token.has_expired():
+        if self.token.has_expired():
             logger.debug('[Introspection] Token is not valid: %s', self.params['token'])
             raise TokenIntrospectionError()
-        if not token.id_token:
+        if not self.token.id_token:
             logger.debug('[Introspection] Token not an authentication token: %s',
                          self.params['token'])
             raise TokenIntrospectionError()
 
-        self.id_token = token.id_token
+        self.id_token = self.token.id_token
         audience = self.id_token.get('aud')
         if not audience:
             logger.debug('[Introspection] No audience found for token: %s', self.params['token'])
@@ -74,10 +75,9 @@ class TokenIntrospectionEndpoint(object):
             raise TokenIntrospectionError()
 
     def create_response_dic(self):
-        response_dic = dict((k, self.id_token[k]) for k in ('sub', 'exp', 'iat', 'iss'))
+        response_dic = dict((k, self.id_token[k]) for k in ('aud', 'sub', 'exp', 'iat', 'iss'))
         response_dic['active'] = True
-        response_dic['client_id'] = self.id_token.get('aud')
-        response_dic['aud'] = self.client.client_id
+        response_dic['client_id'] = self.token.client.client_id
 
         response_dic = run_processing_hook(response_dic,
                                            'OIDC_INTROSPECTION_PROCESSING_HOOK',

oidc_provider/tests/cases/test_introspection_endpoint.py

@@ -30,16 +30,17 @@ class IntrospectionTestCase(TestCase):
         call_command('creatersakey')
         self.factory = RequestFactory()
         self.user = create_fake_user()
+        self.aud = 'testaudience'
         self.client = create_fake_client(response_type='id_token token')
         self.resource = create_fake_client(response_type='id_token token')
-        self.resource.scope = ['token_introspection', self.client.client_id]
+        self.resource.scope = ['token_introspection', self.aud]
         self.resource.save()
         self.token = create_fake_token(self.user, self.client.scope, self.client)
         self.token.access_token = str(random.randint(1, 999999)).zfill(6)
         self.now = time.time()
         with patch('oidc_provider.lib.utils.token.time.time') as time_func:
             time_func.return_value = self.now
-            self.token.id_token = create_id_token(self.token, self.user, self.client.client_id)
+            self.token.id_token = create_id_token(self.token, self.user, self.aud)
         self.token.save()
 
     def _assert_inactive(self, response):
@@ -50,7 +51,7 @@ class IntrospectionTestCase(TestCase):
         self.assertEqual(response.status_code, 200)
         expected_content = {
             'active': True,
-            'aud': self.resource.client_id,
+            'aud': self.aud,
             'client_id': self.client.client_id,
             'sub': str(self.user.pk),
             'iat': int(self.now),