IdentityPython / idpy-oidc

Implementation of everything OIDC and OAuth2
Apache License 2.0

Handle missing token exchange requested_token_type parameter #18

Closed ctriant closed 2 years ago

ctriant commented 2 years ago

According to OAuth 2.0 Token Exchange the requested_token_type of a Token Exchange request is optional. In the case where this parameter is missing from the request, a KeyError is raised.

To solve this issue, this MR introduces a mandatory configuration parameter default_requested_token_type for the TokenExchangeHelper configuration.

ctriant commented 2 years ago

Should we enforce that default_requested_token_type is a permitted token type according to requested_token_types_supported, or should we push the responsibility to the user? @rohe

rohe commented 2 years ago

Pushing responsibility to the user is almost never a good thing.
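
The fallback and the configuration check discussed in this thread, as an added example that is not code from the PR or from idpy-oidc: a missing `requested_token_type` resolves to the configured default, and a default outside `requested_token_types_supported` is rejected when the configuration is loaded. `TokenTypeResolver`, `ConfigError` and `TokenTypeError` are hypothetical names; only the two configuration keys come from the thread.

```python
# Added illustration; TokenTypeResolver and both exception classes are hypothetical.
ACCESS = "urn:ietf:params:oauth:token-type:access_token"    # RFC 8693 token type URIs
REFRESH = "urn:ietf:params:oauth:token-type:refresh_token"
SAML2 = "urn:ietf:params:oauth:token-type:saml2"


class ConfigError(ValueError):
    """Inconsistent helper configuration, raised at start-up."""


class TokenTypeError(ValueError):
    """Unsupported requested_token_type; the caller turns this into an error response."""


class TokenTypeResolver:
    def __init__(self, config):
        supported = config.get("requested_token_types_supported") or []
        if not supported:
            raise ConfigError("requested_token_types_supported is empty")
        if "default_requested_token_type" not in config:
            raise ConfigError("default_requested_token_type is mandatory")
        default = config["default_requested_token_type"]
        # Checked here so a bad default fails deployment, not a later request.
        if default not in supported:
            raise ConfigError(f"default {default!r} is not a supported token type")
        self.supported = frozenset(supported)
        self.default = default

    def resolve(self, request):
        # .get() avoids the KeyError that request["requested_token_type"] raises
        # when the optional parameter is absent.
        requested = request.get("requested_token_type")
        if requested is None:
            return self.default
        if requested not in self.supported:
            raise TokenTypeError(f"unsupported requested_token_type {requested!r}")
        return requested


# Constructed sample configuration and requests.
CONFIG = {
    "requested_token_types_supported": [ACCESS, REFRESH],
    "default_requested_token_type": ACCESS,
}
GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
WITHOUT_TYPE = {"grant_type": GRANT, "subject_token": "constructed-token",
                "subject_token_type": ACCESS}
WITH_TYPE = dict(WITHOUT_TYPE, requested_token_type=REFRESH)
```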