✨(backend) introduce an authorization server client

In OAuth 2.0, the Authorization Server is equivalent to the OIDC provider.

The Authorization Server exposes endpoints for token introspection and JWKS.
I’ve created a client to easily interact with the Authorization Server,
while doing the token introspection in our resource server.

Token introspection will be explained in upcoming commits.

The current OIDC library used in the project doesn’t offer token introspection,
leading to redundancy in the code handling some OIDC/OAuth2 flows.

This overlap makes the code bulky. My goal is to quickly deliver a working
PoC for the resource server, with plans to refactor in the longer run.

Please feel free to provide feedback on the class design.

src/backend/core/resource_server/clients.py

@@ -0,0 +1,87 @@
+"""Resource Server Clients classes"""
+
+import requests
+from joserfc.jwk import KeySet
+
+
+class AuthorizationServerClient:
+    """Client for interacting with an OAuth 2.0 authorization server.
+
+    An authorization server issues access tokens to client applications after authenticating
+    and obtaining authorization from the resource owner. It also provides endpoints for token
+    introspection and JSON Web Key Sets (JWKS) to validate and decode tokens.
+
+    This client facilitates communication with the authorization server, including:
+    - Fetching token introspection responses.
+    - Fetching JSON Web Key Sets (JWKS) for token validation.
+    - Setting appropriate headers for secure communication as recommended by RFC drafts.
+    """
+
+    # ruff: noqa: PLR0913
+    # pylint: disable=too-many-arguments
+    def __init__(
+        self,
+        url,
+        url_jwks,
+        url_introspection,
+        verify_ssl,
+        timeout,
+        proxy,
+    ):
+        self.url = url
+        self._url_introspection = url_introspection
+        self._url_jwks = url_jwks
+        self._verify_ssl = verify_ssl
+        self._timeout = timeout
+        self._proxy = proxy
+
+    @property
+    def _introspection_headers(self):
+        """Get HTTP header for the introspection request.
+
+        Notify the authorization server that we expect a signed and encrypted response
+        by setting the appropriate 'Accept' header.
+
+        This follows the recommendation from the draft RFC:
+        https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-introspection-response-12.
+        """
+        return {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Accept": "application/token-introspection+jwt",
+        }
+
+    def get_introspection(self, client_id, client_secret, token):
+        """Retrieve introspection response about a token."""
+        response = requests.post(
+            self._url_introspection,
+            data={
+                "client_id": client_id,
+                "client_secret": client_secret,
+                "token": token,
+            },
+            headers=self._introspection_headers,
+            verify=self._verify_ssl,
+            timeout=self._timeout,
+            proxies=self._proxy,
+        )
+        response.raise_for_status()
+        return response.text
+
+    def get_jwks(self):
+        """Retrieve Authorization Server JWKS."""
+        response = requests.get(
+            self._url_jwks,
+            verify=self._verify_ssl,
+            timeout=self._timeout,
+            proxies=self._proxy,
+        )
+        response.raise_for_status()
+        return response.json()
+
+    def import_public_keys(self):
+        """Retrieve and import Authorization Server JWKS."""
+
+        jwks = self.get_jwks()
+        public_keys = KeySet.import_key_set(jwks)
+
+        return public_keys

src/backend/core/tests/resource_server/test_clients.py

@@ -0,0 +1,187 @@
+"""
+Test for the Resource Server (RS) clients classes.
+"""
+
+# pylint: disable=W0212
+
+from unittest.mock import MagicMock, patch
+
+import pytest
+from joserfc.jwk import KeySet, RSAKey
+from requests.exceptions import HTTPError
+
+from core.resource_server.clients import AuthorizationServerClient
+
+
+@pytest.fixture(name="client")
+def fixture_client():
+    """Generate an Authorization Server client."""
+    return AuthorizationServerClient(
+        url="https://auth.example.com/api/v2",
+        url_jwks="https://auth.example.com/api/v2/jwks",
+        url_introspection="https://auth.example.com/api/v2/introspect",
+        verify_ssl=True,
+        timeout=5,
+        proxy=None,
+    )
+
+
+def test_authorization_server_client_initialization():
+    """Test the AuthorizationServerClient initialization."""
+
+    new_client = AuthorizationServerClient(
+        url="https://auth.example.com/api/v2",
+        url_jwks="https://auth.example.com/api/v2/jwks",
+        url_introspection="https://auth.example.com/api/v2/checktoken/foo",
+        verify_ssl=True,
+        timeout=5,
+        proxy=None,
+    )
+
+    assert new_client.url == "https://auth.example.com/api/v2"
+    assert (
+        new_client._url_introspection
+        == "https://auth.example.com/api/v2/checktoken/foo"
+    )
+    assert new_client._url_jwks == "https://auth.example.com/api/v2/jwks"
+    assert new_client._verify_ssl is True
+    assert new_client._timeout == 5
+    assert new_client._proxy is None
+
+
+def test_introspection_headers(client):
+    """Test the introspection headers to ensure they match the expected values."""
+    assert client._introspection_headers == {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Accept": "application/token-introspection+jwt",
+    }
+
+
+@patch("requests.post")
+def test_get_introspection_success(mock_post, client):
+    """Test 'get_introspection' method with a successful response."""
+
+    mock_response = MagicMock()
+    mock_response.raise_for_status.return_value = None
+    mock_response.text = "introspection response"
+    mock_post.return_value = mock_response
+
+    result = client.get_introspection("client_id", "client_secret", "token")
+    assert result == "introspection response"
+
+    mock_post.assert_called_once_with(
+        "https://auth.example.com/api/v2/introspect",
+        data={
+            "client_id": "client_id",
+            "client_secret": "client_secret",
+            "token": "token",
+        },
+        headers={
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Accept": "application/token-introspection+jwt",
+        },
+        verify=True,
+        timeout=5,
+        proxies=None,
+    )
+
+
+@patch("requests.post", side_effect=HTTPError())
+# pylint: disable=(unused-argument
+def test_get_introspection_error(mock_post, client):
+    """Test 'get_introspection' method with an HTTPError."""
+    with pytest.raises(HTTPError):
+        client.get_introspection("client_id", "client_secret", "token")
+
+
+@patch("requests.get")
+def test_get_jwks_success(mock_get, client):
+    """Test 'get_jwks' method with a successful response."""
+
+    mock_response = MagicMock()
+    mock_response.raise_for_status.return_value = None
+    mock_response.json.return_value = {"jwks": "foo"}
+    mock_get.return_value = mock_response
+
+    result = client.get_jwks()
+    assert result == {"jwks": "foo"}
+
+    mock_get.assert_called_once_with(
+        "https://auth.example.com/api/v2/jwks",
+        verify=client._verify_ssl,
+        timeout=client._timeout,
+        proxies=client._proxy,
+    )
+
+
+@patch("requests.get")
+def test_get_jwks_error(mock_get, client):
+    """Test 'get_jwks' method with an HTTPError."""
+
+    mock_response = MagicMock()
+    mock_response.raise_for_status.side_effect = HTTPError(
+        response=MagicMock(status=500)
+    )
+    mock_get.return_value = mock_response
+
+    with pytest.raises(HTTPError):
+        client.get_jwks()
+
+
+@patch("requests.get")
+def test_import_public_keys_valid(mock_get, client):
+    """Test 'import_public_keys' method with a successful response."""
+
+    mocked_key = RSAKey.generate_key(2048)
+
+    mock_response = MagicMock()
+    mock_response.raise_for_status.return_value = None
+    mock_response.json.return_value = {"keys": [mocked_key.as_dict()]}
+    mock_get.return_value = mock_response
+
+    response = client.import_public_keys()
+
+    assert isinstance(response, KeySet)
+    assert response.as_dict() == KeySet([mocked_key]).as_dict()
+
+
+@patch("requests.get")
+def test_import_public_keys_http_error(mock_get, client):
+    """Test 'import_public_keys' method with an HTTPError."""
+
+    mock_response = MagicMock()
+    mock_response.raise_for_status.side_effect = HTTPError(
+        response=MagicMock(status=500)
+    )
+    mock_get.return_value = mock_response
+
+    with pytest.raises(HTTPError):
+        client.import_public_keys()
+
+
+@patch("requests.get")
+def test_import_public_keys_empty_jwks(mock_get, client):
+    """Test 'import_public_keys' method with empty keys response."""
+
+    mock_response = MagicMock()
+    mock_response.raise_for_status.return_value = None
+    mock_response.json.return_value = {"keys": []}
+    mock_get.return_value = mock_response
+
+    response = client.import_public_keys()
+
+    assert isinstance(response, KeySet)
+    assert response.as_dict() == {"keys": []}
+
+
+@patch("requests.get")
+def test_import_public_keys_invalid_jwks(mock_get, client):
+    """Test 'import_public_keys' method with invalid keys response."""
+
+    mock_response = MagicMock()
+    mock_response.raise_for_status.return_value = None
+    mock_response.json.return_value = {"keys": [{"foo": "foo"}]}
+    mock_get.return_value = mock_response
+
+    with pytest.raises(ValueError):
+        client.import_public_keys()

src/backend/people/settings.py

@@ -316,6 +316,9 @@ class Base(Configuration):
     OIDC_OP_JWKS_ENDPOINT = values.Value(
         environ_name="OIDC_OP_JWKS_ENDPOINT", environ_prefix=None
     )
+    OIDC_OP_INTROSPECTION_ENDPOINT = values.Value(
+        environ_name="OIDC_OP_INTROSPECTION_ENDPOINT", environ_prefix=None
+    )
     OIDC_OP_AUTHORIZATION_ENDPOINT = values.Value(
         environ_name="OIDC_OP_AUTHORIZATION_ENDPOINT", environ_prefix=None
     )