#170 Fix requesting unsigned responses
Merged 4 years ago by puiterwijk. Opened 4 years ago by puiterwijk.
puiterwijk/ipsilon ticket-241  into  master

@@ -319,14 +319,19 @@ 

              return self._respond_error('invalid_request',

                                         'No userinfo for token')

  

-         if 'userinfo_signed_response_alg' in self.api_client:

+         if self.api_client.get('userinfo_signed_response_alg'):

              cherrypy.response.headers.update({

                  'Content-Type': 'application/jwt'

              })

  

-             sig = JWT(header={'alg': 'RS256',

-                               'kid': self.cfg.idp_sig_key_id},

-                       claims=info)

+             if self.api_client.get('userinfo_signed_response_alg') == 'RS256':

+                 sig = JWT(header={'alg': 'RS256',

+                                   'kid': self.cfg.idp_sig_key_id},

+                           claims=info)

+             else:

+                 return self._respond_error(

+                     'unsupported_response_type',

+                     'Requested signing mech not supported')

              # FIXME: Maybe add other algorithms in the future

              sig.make_signed_token(self.cfg.keyset.get_key(

                  self.cfg.idp_sig_key_id))
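Review bot: The `Content-Type: application/jwt` header is installed by the `cherrypy.response.headers.update(...)` call before the new `== 'RS256'` check decides whether the algorithm is supported, so the new `_respond_error('unsupported_response_type', ...)` path runs with that header already set; unless `_respond_error` overwrites Content-Type (it is not visible in this hunk), the JSON error body would be served as `application/jwt`. Checking the algorithm first and setting the header only on the signed path avoids that, and binding the value once, `alg = self.api_client.get('userinfo_signed_response_alg')`, removes the repeated lookup. Separately, `unsupported_response_type` is an authorization-endpoint error code; the surrounding userinfo code uses `invalid_request` (e.g. for 'No userinfo for token'), which may be the more consistent choice here. The enclosing method starts and ends outside the hunk.
```python
        alg = self.api_client.get('userinfo_signed_response_alg')
        if alg:
            # Reject unsupported algorithms before committing to a JWT response.
            if alg != 'RS256':
                return self._respond_error(
                    'unsupported_response_type',
                    'Requested signing mech not supported')
            cherrypy.response.headers.update({
                'Content-Type': 'application/jwt'
            })
            sig = JWT(header={'alg': 'RS256',
                              'kid': self.cfg.idp_sig_key_id},
                      claims=info)
            # … unchanged: FIXME comment and make_signed_token call …
```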

Ticket: #241
Signed-off-by: Patrick Uiterwijk puiterwijk@redhat.com

Commit cbcadfd fixes this pull-request

Pull-Request has been merged by puiterwijk@redhat.com
