authorJustKiddingCode <JustKiddingCode@users.noreply.github.com>2019-11-28 20:32:16 +0100
committertpazderka <tomas.pazderka@oidf.org>2019-11-28 14:32:16 -0500
commit01b27c40e9e1f0951b43f2b19a9247bc7f16f26f (patch)
tree5ce7f5504bf823c242d0b30f2e2ac893c55a6085
parent290126f334bd9f4838c653e8cb0b8723a65f0e48 (diff)
Allow OpenID Client registration with JWT (#719)
* When registering an OpenID Client, registration tokens that are valid JWTs are now passed through to the OpenID Provider. Every other string is still base64 encoded.
-rw-r--r--CHANGELOG.md7
-rw-r--r--src/oic/oic/__init__.py13
-rw-r--r--tests/test_oic_consumer.py31
3 files changed, 47 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f774b2b5..d0c327a5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,11 @@ The format is based on the [KeepAChangeLog] project.
## Unreleased
+### Added
+- [#719] Add support for JWT registration tokens
+
+[#719]: https://github.com/OpenIDC/pyoidc/pull/719
+
## 1.1.2 [2019-11-23]
### Fixed
@@ -16,7 +21,7 @@ The format is based on the [KeepAChangeLog] project.
[#711]: https://github.com/OpenIDC/pyoidc/pull/711
[#712]: https://github.com/OpenIDC/pyoidc/pull/712
-[#712]: https://github.com/OpenIDC/pyoidc/pull/717
+[#717]: https://github.com/OpenIDC/pyoidc/pull/717
## 1.1.1 [2019-11-04]
diff --git a/src/oic/oic/__init__.py b/src/oic/oic/__init__.py
index 1c4ccf0e..906dce5b 100644
--- a/src/oic/oic/__init__.py
+++ b/src/oic/oic/__init__.py
@@ -15,9 +15,11 @@ from typing import cast # noqa - Used for MyPy
from urllib.parse import parse_qs
from urllib.parse import urlparse
+from jwkest import BadSyntax
from jwkest import as_bytes
from jwkest import jwe
from jwkest import jws
+from jwkest import jwt
from jwkest.jwe import JWE
from requests import ConnectionError
@@ -1346,9 +1348,14 @@ class Client(oauth2.Client):
headers = {"content-type": "application/json"}
if registration_token is not None:
- headers["Authorization"] = (
- "Bearer " + b64encode(registration_token.encode()).decode()
- )
+ try:
+ token = jwt.JWT()
+ token.unpack(registration_token)
+ except BadSyntax:
+ # no JWT
+ registration_token = b64encode(registration_token.encode()).decode()
+ finally:
+ headers["Authorization"] = "Bearer " + registration_token
rsp = self.http_request(url, "POST", data=req.to_json(), headers=headers)
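Review bot: `finally:` is the wrong construct for the new header assignment — it also runs when `unpack` raises anything other than `BadSyntax`, so on that path `headers["Authorization"]` is built from the raw, unencoded token and the exception then propagates out of the method with no base64 fallback, which contradicts the description's promise that every non-JWT string is still base64 encoded. Replacing `finally:` with the assignment placed after the `try`/`except` block (`headers["Authorization"] = "Bearer " + registration_token` at the indentation of `try`) gives identical behaviour on the two paths the tests cover and builds no header at all on the error path; whether `unpack` can raise other exception types on a malformed three-segment string is not visible in the hunk and is worth checking. As far as the hunk shows, `unpack` is used only to parse the token (no signature or claims check), so any three-segment string with a decodable header is forwarded verbatim and validation is left to the provider, which deserves a comment in place of `# no JWT` such as `# Parses as a JWT: pass it through untouched for the OP to validate; anything else is an opaque token and is base64-encoded as before`. The enclosing method starts and ends outside the hunk.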
diff --git a/tests/test_oic_consumer.py b/tests/test_oic_consumer.py
index a012ee5b..27e3fb2d 100644
--- a/tests/test_oic_consumer.py
+++ b/tests/test_oic_consumer.py
@@ -791,6 +791,37 @@ class TestOICConsumer:
header = rsps.calls[0].request.headers["Authorization"]
assert header == "Bearer aW5pdGlhbF9yZWdpc3RyYXRpb25fdG9rZW4="
+ def test_client_register_token_b64(self):
+ c = Consumer(None, None)
+
+ c.redirect_uris = ["https://example.com/authz"]
+
+ client_info = {
+ "client_id": "clientid",
+ "redirect_uris": ["https://example.com/authz"],
+ }
+ registration_token = (
+ "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6IC"
+ "JlYjc1N2M3Yy00MWRlLTRmZDYtOTkwNy1hNGFiMDY1ZjEzMmEifQ.eyJqdGkiOiI2ZWY0MDZi"
+ "MC02YzA3LTQ0NzctOWU1YS1hY2FiZjNiMWNiMjgiLCJleHAiOjAsIm5iZiI6MCwiaWF0Ijox"
+ "NTczNzMxNjg5LCJpc3MiOiJodHRwczovL29wZW5pZC1wcm92aWRlci5leGFtcGxlLmNvbS9h"
+ "dXRoL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOiJodHRwczovL29wZW5pZC1wcm92aWRlci5leGFt"
+ "cGxlLmNvbS9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJ0eXAiOiJJbml0aWFsQWNjZXNzVG9rZW4i"
+ "fQ.0XTlit_JcxPZeIy8A4BzrHn1NvegVP7ws8KI0ySFex8"
+ )
+ with responses.RequestsMock() as rsps:
+ rsps.add(
+ rsps.POST,
+ "https://provider.example.com/registration/",
+ json=client_info,
+ )
+ c.register(
+ "https://provider.example.com/registration/",
+ registration_token=registration_token,
+ )
+ header = rsps.calls[0].request.headers["Authorization"]
+ assert header == "Bearer " + registration_token
+
def _faulty_id_token(self):
idval = {
"nonce": "KUEYfRM2VzKDaaKD",