Validity of authn event was a bit to low.

IdentityPython · Jul 10, 2020 · 5929fde · 5929fde
1 parent 28aeab8
commit 5929fde
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 24 deletions.
diff --git a/src/oidcendpoint/authn_event.py b/src/oidcendpoint/authn_event.py
@@ -3,6 +3,7 @@
 from oidcmsg.message import Message
 from oidcmsg.time_util import time_sans_frac
 
+DEFAULT_AUTHN_EXPIRES_IN = 3600
 
 class AuthnEvent(Message):
     c_param = {
@@ -46,9 +47,7 @@ def create_authn_event(uid, salt, authn_info=None, **kwargs):
     try:
         args["valid_until"] = kwargs["valid_until"]
     except KeyError:
-        try:
-            args["valid_until"] = args["authn_time"] + kwargs["expires_in"]
-        except KeyError:
-            args["valid_until"] = args["authn_time"] + 3600
+        _expires_in = kwargs.get("expires_in", DEFAULT_AUTHN_EXPIRES_IN)
+        args["valid_until"] = args["authn_time"] + _expires_in
 
     return AuthnEvent(**args)
diff --git a/src/oidcendpoint/oidc/authorization.py b/src/oidcendpoint/oidc/authorization.py
@@ -1,10 +1,10 @@
 import json
 import logging
-import time
 
 from cryptojwt import BadSyntax
 from cryptojwt.jwe.exception import JWEException
 from cryptojwt.jws.exception import NoSuitableSigningKeys
+from cryptojwt.jwt import utc_time_sans_frac
 from cryptojwt.utils import as_bytes
 from cryptojwt.utils import as_unicode
 from cryptojwt.utils import b64d
@@ -282,7 +282,7 @@ def _do_request_uri(self, request, client_id, endpoint_context, **kwargs):
                         "enc_enc",
                     )
                 # The protected info overwrites the non-protected
-                for k,v in _ver_request.items():
+                for k, v in _ver_request.items():
                     request[k] = v
 
                 request[verified_claim_name("request")] = _ver_request
@@ -435,11 +435,11 @@ def setup_auth(self, request, redirect_uri, cinfo, cookie, acr=None, **kwargs):
                 if "req_user" in kwargs:
                     sids = self.endpoint_context.sdb.get_sids_by_sub(kwargs["req_user"])
                     if (
-                        sids
-                        and user
-                        != self.endpoint_context.sdb.get_authentication_event(
-                            sids[-1]
-                        ).uid
+                            sids
+                            and user
+                            != self.endpoint_context.sdb.get_authentication_event(
+                        sids[-1]
+                    ).uid
                     ):
                         logger.debug("Wanted to be someone else!")
                         if "prompt" in request and "none" in request["prompt"]:
@@ -451,26 +451,21 @@ def setup_auth(self, request, redirect_uri, cinfo, cookie, acr=None, **kwargs):
                         else:
                             return {"function": authn, "args": authn_args}
 
+        authn_event = None
         if session:
             authn_event = session.get('authn_event')
-            if authn_event is None:
-                authn_event = create_authn_event(
-                    identity["uid"],
-                    identity.get("salt", ""),
-                    authn_info=authn_class_ref,
-                    time_stamp=_ts,
-                )
-        else:
+
+        if authn_event is None:
             authn_event = create_authn_event(
                 identity["uid"],
                 identity.get("salt", ""),
                 authn_info=authn_class_ref,
                 time_stamp=_ts,
             )
 
-        if "valid_until" in authn_event:
-            vu = time.time() + authn.kwargs.get("expires_in", 0.0)
-            authn_event["valid_until"] = vu
+        _exp_in = authn.kwargs.get("expires_in")
+        if _exp_in and "valid_until" in authn_event:
+            authn_event["valid_until"] = utc_time_sans_frac() + _exp_in
 
         return {"authn_event": authn_event, "identity": identity, "user": user}
 

diff --git a/src/oidcendpoint/oidc/userinfo.py b/src/oidcendpoint/oidc/userinfo.py
@@ -3,10 +3,10 @@
 
 from cryptojwt.exception import MissingValue
 from cryptojwt.jwt import JWT
+from cryptojwt.jwt import utc_time_sans_frac
 from oidcmsg import oidc
 from oidcmsg.message import Message
 from oidcmsg.oauth2 import ResponseMessage
-from oidcmsg.time_util import time_sans_frac
 
 from oidcendpoint.endpoint import Endpoint
 from oidcendpoint.userinfo import collect_user_info
@@ -107,9 +107,12 @@ def process_request(self, request=None, **kwargs):
 
         allowed = True
         # if the authenticate is still active or offline_access is granted.
-        if session["authn_event"]["valid_until"] > time_sans_frac():
+        if session["authn_event"]["valid_until"] > utc_time_sans_frac():
             pass
         else:
+            logger.debug("authentication not valid: {} > {}".format(
+                session["authn_event"]["valid_until"], utc_time_sans_frac()
+            ))
             allowed = False
 
             # This has to be made more fine grained.