From 6eb997a2e7f0093a38de30f8b2f45f529faf11e9 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Dec 28 2016 21:51:17 +0000
Subject: Fix requesting unsigned responses
Ticket: #241
Signed-off-by: Patrick Uiterwijk
---
diff --git a/ipsilon/providers/openidc/api.py b/ipsilon/providers/openidc/api.py
index 3f0b279..66c5802 100644
--- a/ipsilon/providers/openidc/api.py
+++ b/ipsilon/providers/openidc/api.py
@@ -319,14 +319,19 @@ class UserInfo(APIRequest):
 return self._respond_error('invalid_request', 'No userinfo for token')
- if 'userinfo_signed_response_alg' in self.api_client:
+ if self.api_client.get('userinfo_signed_response_alg'):
 cherrypy.response.headers.update({ 'Content-Type': 'application/jwt' })
- sig = JWT(header={'alg': 'RS256',
- 'kid': self.cfg.idp_sig_key_id},
- claims=info)
+ if self.api_client.get('userinfo_signed_response_alg') == 'RS256':
+ sig = JWT(header={'alg': 'RS256',
+ 'kid': self.cfg.idp_sig_key_id},
+ claims=info)
+ else:
+ return self._respond_error(
+ 'unsupported_response_type',
+ 'Requested signing mech not supported')
 # FIXME: Maybe add other algorithms in the future
 sig.make_signed_token(self.cfg.keyset.get_key( self.cfg.idp_sig_key_id))
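Review bot: The `Content-Type: application/jwt` header is set on `cherrypy.response` before the algorithm is checked, so the new `else` branch returns its error with that header already applied unless `_respond_error` (not visible here) resets it. Read the setting once, `alg = self.api_client.get('userinfo_signed_response_alg')`, reject `alg != 'RS256'` first, and only then call `cherrypy.response.headers.update(...)`; that also removes the duplicate lookup. The exact-match allow-list is worth keeping as written, since any other registered value (for example `none`) is refused instead of being signed as RS256 or returned unsigned. `unsupported_response_type` is an authorization-endpoint error code, and because the value comes from client registration rather than from this request, validating it at registration time would surface the problem earlier. The enclosing method starts and ends outside the hunk.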