Ensure the access_token contains the openid scope

c00kiemon5ter · lionick · commit cc1d61ff4542 · 2024-11-07T08:29:59.000Z
Signed-off-by: Ivan Kanakarakis &lt;ivan.kanak@gmail.com&gt;
diff --git a/src/idpyoidc/server/oidc/userinfo.py b/src/idpyoidc/server/oidc/userinfo.py
@@ -125,18 +125,27 @@ def process_request(self, request=None, **kwargs):
             return self.error_cls(error="invalid_token", error_description="Invalid Token")
 
         _grant = _session_info["grant"]
-        token = _grant.get_token(request["access_token"])
-        # should be an access token
-        if token and token.token_class != "access_token":
+        access_token = _grant.get_token(request["access_token"])
+
+        # there must be a token
+        if not access_token:
+            return self.error_cls(error="invalid_token", error_description="Invalid Token")
+
+        # the token must be an access_token
+        if access_token.token_class != "access_token":
             return self.error_cls(error="invalid_token", error_description="Wrong type of token")
 
-        # And it should be valid
-        if token.is_active() is False:
+        # the access_token must be valid
+        if access_token.is_active() is False:
+            return self.error_cls(error="invalid_token", error_description="Invalid Token")
+
+        # the access_token must contain the openid scope
+        if "openid" not in access_token.scope:
             return self.error_cls(error="invalid_token", error_description="Invalid Token")
 
         _cntxt = self.upstream_get("context")
         _claims_restriction = _cntxt.claims_interface.get_claims(
-            _session_info["branch_id"], scopes=token.scope, claims_release_point="userinfo"
+            _session_info["branch_id"], scopes=access_token.scope, claims_release_point="userinfo"
         )
         info = _cntxt.claims_interface.get_user_claims(
             _session_info["user_id"], claims_restriction=_claims_restriction
@@ -153,7 +162,7 @@ def process_request(self, request=None, **kwargs):
             self.config["policy"] = _cntxt.cdb[request["client_id"]]["userinfo"]["policy"]
 
         if "policy" in self.config:
-            info = self._enforce_policy(request, info, token, self.config)
+            info = self._enforce_policy(request, info, access_token, self.config)
 
         return {"response_args": info, "client_id": _session_info["client_id"]}
 
