Support OIDC client authorization_parameters #861

Author: m-mohr

openeo/rest/auth/oidc.py

@@ -256,6 +256,7 @@ def __init__(
         title: str = None,
         default_clients: Union[List[dict], None] = None,
         requests_session: Optional[requests.Session] = None,
+        authorization_parameters: Optional[dict] = None,
     ):
         # TODO: id and title are required in the openEO API spec.
         self.id = provider_id
@@ -280,6 +281,7 @@ def __init__(
         self._scopes = {"openid"}.union(scopes or []).intersection(self._supported_scopes)
         log.debug(f"Scopes: provider supported {self._supported_scopes} & backend desired {scopes} -> {self._scopes}")
         self.default_clients = default_clients
+        self.authorization_parameters = authorization_parameters or {}
 
     @classmethod
     def from_dict(cls, data: dict) -> OidcProviderInfo:
@@ -289,6 +291,7 @@ def from_dict(cls, data: dict) -> OidcProviderInfo:
             issuer=data["issuer"],
             scopes=data.get("scopes"),
             default_clients=data.get("default_clients"),
+            authorization_parameters=data.get("authorization_parameters"),
         )
 
     def get_scopes_string(self, request_refresh_token: bool = False) -> str:
@@ -563,6 +566,7 @@ def _get_auth_code(self, request_refresh_token: bool = False) -> AuthCodeResult:
                         "nonce": nonce,
                         "code_challenge": pkce.code_challenge,
                         "code_challenge_method": pkce.code_challenge_method,
+                        **self._client_info.provider.authorization_parameters,
                     }
                 ),
             )
@@ -855,6 +859,7 @@ def _get_verification_info(self, request_refresh_token: bool = False) -> Verific
         if self._pkce:
             post_data["code_challenge"] = self._pkce.code_challenge
             post_data["code_challenge_method"] = self._pkce.code_challenge_method
+        post_data.update(self._client_info.provider.authorization_parameters)
         resp = self._requests.post(url=self._device_code_url, data=post_data)
         if resp.status_code != 200:
             raise OidcException(

tests/rest/auth/test_oidc.py

@@ -1,6 +1,7 @@
 import logging
 import re
 import time
+import urllib.parse
 from io import BytesIO
 from queue import Queue
 
@@ -818,3 +819,29 @@ def post_token(request, context):
 
     assert tokens.access_token == "6cce5-t0k3n"
     assert len(adapter.request_history) == 2
+
+
+class TestOidcProviderInfoAuthorizationParameters:
+    """Tests for the authorization_parameters feature (openEO API 1.3.0, issue #534)"""
+
+    def test_from_dict_with_authorization_parameters(self, requests_mock):
+        requests_mock.get("https://authit.test/.well-known/openid-configuration", json={"scopes_supported": ["openid"]})
+        data = {
+            "id": "google",
+            "title": "Google",
+            "issuer": "https://authit.test",
+            "scopes": ["openid"],
+            "authorization_parameters": {"access_type": "offline", "prompt": "consent"},
+        }
+        info = OidcProviderInfo.from_dict(data)
+        assert info.authorization_parameters == {"access_type": "offline", "prompt": "consent"}
+
+    def test_from_dict_without_authorization_parameters(self, requests_mock):
+        requests_mock.get("https://authit.test/.well-known/openid-configuration", json={"scopes_supported": ["openid"]})
+        data = {
+            "id": "egi",
+            "title": "EGI",
+            "issuer": "https://authit.test",
+        }
+        info = OidcProviderInfo.from_dict(data)
+        assert info.authorization_parameters == {}