Fix userinfo with missing authn_event in session (CZ-NIC#532)

claweyenuk · May 2, 2018 · 6498f22 · 6498f22
1 parent ef6d5f2
commit 6498f22
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,7 +14,8 @@ The format is based on the [KeepAChangeLog] project.
 - [#481] Loading AuthnEvent from session
 - [#492] Do not verify JWT signature on distributed claims
 - [#526] Cleaned up extra claims from UserInfo with distributed claims
-- [#528]: Fix faulty redirect_uri with query
+- [#528] Fix faulty redirect_uri with query
+- [#532] Fix userinfo endpoint without auhtn_event in session
 
 ### Removed
 - [#494] Methods and functions deprecated in previous releases have been removed
@@ -38,6 +39,7 @@ The format is based on the [KeepAChangeLog] project.
 [#432]: https://github.com/OpenIDC/pyoidc/issues/432
 [#526]: https://github.com/OpenIDC/pyoidc/issues/526
 [#528]: https://github.com/OpenIDC/pyoidc/issues/528
+[#532]: https://github.com/OpenIDC/pyoidc/pull/532
 
 ## 0.13.1 [2018-04-06]
 

diff --git a/src/oic/oic/provider.py b/src/oic/oic/provider.py
@@ -1083,9 +1083,8 @@ def _collect_user_info(self, session, userinfo_claims=None):
 
         logger.debug("Session info: %s" % sanitize(session))
 
-        authn_event = AuthnEvent.from_json(session.get("authn_event"))
-        if authn_event:
-            uid = authn_event.uid
+        if "authn_event" in session:
+            uid = AuthnEvent.from_json(session["authn_event"]).uid
         else:
             uid = session['uid']
 

diff --git a/tests/test_oic_provider.py b/tests/test_oic_provider.py
@@ -865,6 +865,35 @@ def test_userinfo_endpoint_malformed(self):
             'error_description': 'Token is malformed',
             'error': 'invalid_request'}
 
+    def test_userinfo_endpoint_mising_authn(self):
+        authreq = AuthorizationRequest(state="state",
+                                       redirect_uri="http://example.com/authz",
+                                       client_id=CLIENT_ID,
+                                       response_type="code",
+                                       scope=["openid", 'offline_access'],
+                                       prompt='consent')
+        _sdb = self.provider.sdb
+        sid = _sdb.access_token.key(user="sub", areq=authreq)
+        access_grant = _sdb.access_token(sid=sid)
+        # authn_event is missing - this can happen for offline requests
+        _sdb[sid] = {
+            "sub": "my_sub",
+            "oauth_state": "authz",
+            "uid": "user",
+            "authzreq": authreq.to_json(),
+            "client_id": CLIENT_ID,
+            "code": access_grant,
+            "code_used": False,
+            "scope": ["openid", 'offline_access'],
+            "redirect_uri": "http://example.com/authz",
+        }
+
+        uir = UserInfoRequest(access_token=access_grant, schema="openid")
+
+        resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded())
+        ident = OpenIDSchema().deserialize(resp.message, "json")
+        assert _eq(ident.keys(), ['sub'])
+
     def test_check_session_endpoint(self):
         session = {"sub": "UserID", "client_id": "number5"}
         idtoken = self.provider.id_token_as_signed_jwt(session)