diff --git a/src/idpyoidc/server/oidc/userinfo.py b/src/idpyoidc/server/oidc/userinfo.py index 5bf3aca..1a9c325 100755 --- a/src/idpyoidc/server/oidc/userinfo.py +++ b/src/idpyoidc/server/oidc/userinfo.py @@ -125,18 +125,27 @@ def process_request(self, request=None, **kwargs): return self.error_cls(error="invalid_token", error_description="Invalid Token") _grant = _session_info["grant"] - token = _grant.get_token(request["access_token"]) - # should be an access token - if token and token.token_class != "access_token": + access_token = _grant.get_token(request["access_token"]) + + # there must be a token + if not access_token: + return self.error_cls(error="invalid_token", error_description="Invalid Token") + + # the token must be an access_token + if access_token.token_class != "access_token": return self.error_cls(error="invalid_token", error_description="Wrong type of token") - # And it should be valid - if token.is_active() is False: + # the access_token must be valid + if access_token.is_active() is False: + return self.error_cls(error="invalid_token", error_description="Invalid Token") + + # the access_token must contain the openid scope + if "openid" not in access_token.scope: return self.error_cls(error="invalid_token", error_description="Invalid Token") _cntxt = self.upstream_get("context") _claims_restriction = _cntxt.claims_interface.get_claims( - _session_info["branch_id"], scopes=token.scope, claims_release_point="userinfo" + _session_info["branch_id"], scopes=access_token.scope, claims_release_point="userinfo" ) info = _cntxt.claims_interface.get_user_claims( _session_info["user_id"], claims_restriction=_claims_restriction @@ -153,7 +162,7 @@ def process_request(self, request=None, **kwargs): self.config["policy"] = _cntxt.cdb[request["client_id"]]["userinfo"]["policy"] if "policy" in self.config: - info = self._enforce_policy(request, info, token, self.config) + info = self._enforce_policy(request, info, access_token, self.config) return {"response_args": info, "client_id": _session_info["client_id"]}