Check for RS256 in id_token_signing_alg_values_supported.

rohe · rohe · commit 88479a042220 · 2020-02-25T11:27:23.000+01:00
According to standard MUST always be present.

Allow for default not always be set.
diff --git a/src/oidcmsg/message.py b/src/oidcmsg/message.py
@@ -35,8 +35,11 @@ class Message(MutableMapping):
     c_default = {}
     c_allowed_values = {}
 
-    def __init__(self, **kwargs):
-        self._dict = self.c_default.copy()
+    def __init__(self, set_defaults=True, **kwargs):
+        if set_defaults:
+            self._dict = self.c_default.copy()
+        else:
+            self._dict = {}
         self.lax = False
         self.jwt = None
         self.jws_header = None
@@ -73,7 +76,7 @@ def set_defaults(self):
         Based on specification set a parameters value to the default value.
         """
         for key, val in self.c_default.items():
-            self._dict[key] = val
+            self._dict.setdefault(key, val)
 
     def to_urlencoded(self, lev=0):
         """
diff --git a/src/oidcmsg/oidc/__init__.py b/src/oidcmsg/oidc/__init__.py
@@ -915,6 +915,9 @@ def verify(self, **kwargs):
         elif parts.scheme != "https":
             raise SchemeError("Not HTTPS")
 
+        if "RS256" not in self["id_token_signing_alg_values_supported"]:
+            raise ValueError('RS256 missing from id_token_signing_alg_values_supported')
+
         if not parts.query and not parts.fragment:
             pass
         else:
diff --git a/tests/test_05_oauth2.py b/tests/test_05_oauth2.py
@@ -490,7 +490,6 @@ def test_init(self):
 class TestCCAccessTokenRequest(object):
     def test_init(self):
         cc = CCAccessTokenRequest(scope="/foo")
-
         assert cc["grant_type"] == "client_credentials"
         assert cc["scope"] == ["/foo"]
 
@@ -499,7 +498,6 @@ class TestRefreshAccessTokenRequest(object):
     def test_init(self):
         ratr = RefreshAccessTokenRequest(refresh_token="ababababab",
                                          client_id="Client_id")
-
         assert ratr["grant_type"] == "refresh_token"
         assert ratr["refresh_token"] == "ababababab"
         assert ratr["client_id"] == "Client_id"
diff --git a/tests/test_06_oidc.py b/tests/test_06_oidc.py
@@ -536,7 +536,6 @@ def test_deserialize(self):
 
         reg = RegistrationRequest().deserialize(json.dumps(msg), "json")
         assert reg.verify()
-
         assert _eq(list(msg.keys()) + ['response_types'], reg.keys())
 
     def test_registration_request(self):
@@ -582,7 +581,6 @@ def test_deser(self):
                                   application_type="web",
                                   redirect_uris=[
                                       "https://example.com/authz_cb"])
-
         ser_req = req.serialize('urlencoded')
         deser_req = registration_request_deser(ser_req)
         assert set(deser_req.keys()) == {'operation', 'default_max_age',
