IdentityPython · rohe · Feb 24, 2022 · Feb 19, 2022
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
-oidcmsg>=1.4.0
+oidcmsg>=1.6.0
 pyyaml
 jinja2>=2.11.3
 responses>=0.13.0
diff --git a/setup.py b/setup.py
@@ -72,7 +72,7 @@ def run_tests(self):
         "Programming Language :: Python :: 3.9",
         "Topic :: Software Development :: Libraries :: Python Modules"],
     install_requires=[
-        "oidcmsg==1.5.4",
+        "oidcmsg==1.6.0",
         "pyyaml",
         "jinja2>=2.11.3",
         "responses>=0.13.0"

diff --git a/src/oidcop/configure.py b/src/oidcop/configure.py
@@ -126,6 +126,8 @@ def __init__(
         conf = copy.deepcopy(conf)
         Base.__init__(self, conf, base_path, file_attributes, dir_attributes=dir_attributes)
 
+        self.key_conf = conf.get('key_conf')
+
         for key in self.parameter.keys():
             _val = conf.get(key)
             if not _val:
@@ -150,9 +152,10 @@ def __init__(
             if key == "template_dir":
                 _val = os.path.abspath(_val)
             if key == "keys":
-                key = "key_conf"
-
-            setattr(self, key, _val)
+                if not self.key_conf:
+                    setattr(self, "key_conf", _val)
+            else:
+                setattr(self, key, _val)
 
 
 class OPConfiguration(EntityConfiguration):

diff --git a/src/oidcop/endpoint_context.py b/src/oidcop/endpoint_context.py
@@ -162,6 +162,7 @@ def __init__(
         self.login_hint2acrs = None
         self.par_db = {}
         self.provider_info = {}
+        self.remove_token = None
         self.scope2claims = conf.get("scopes_to_claims", SCOPE2CLAIMS)
         self.session_manager = None
         self.sso_ttl = 14400  # 4h
@@ -338,3 +339,18 @@ def create_providerinfo(self, capabilities):
             )
 
         return _provider_info
+
+    def set_remember_token(self):
+        ses_par = self.conf.get("session_params") or {}
+
+        self.session_manager.remove_inactive_token = ses_par.get("remove_inactive_token", False)
+
+        _rm = ses_par.get("remember_token", {})
+        if "class" in _rm:
+            _kwargs = _rm.get("kwargs", {})
+            self.session_manager.remember_token = init_service(_rm["class"], **_kwargs)
+        elif "function" in _rm:
+            if isinstance(_rm["function"], str):
+                self.session_manager.remember_token = importer(_rm["function"])
+            else:
+                self.session_manager.remember_token = _rm["function"]
diff --git a/src/oidcop/oauth2/introspection.py b/src/oidcop/oauth2/introspection.py
@@ -31,6 +31,7 @@ def _introspect(self, token, client_id, grant):
             return None
 
         if not token.is_active():
+            #
             return None
 
         scope = token.scope

diff --git a/src/oidcop/server.py b/src/oidcop/server.py
@@ -93,6 +93,7 @@ def __init__(
         self.endpoint_context.do_userinfo()
         # Must be done after userinfo
         self.do_login_hint_lookup()
+        self.endpoint_context.set_remember_token()
 
         for endpoint_name, endpoint_conf in self.endpoint.items():
             _endpoint = self.endpoint[endpoint_name]

diff --git a/src/oidcop/session/grant.py b/src/oidcop/session/grant.py
@@ -1,4 +1,5 @@
 import logging
+from typing import Callable
 from typing import Dict
 from typing import List
 from typing import Optional
@@ -32,11 +33,11 @@ class GrantMessage(ImpExp):
     }
 
     def __init__(
-        self,
-        scope: Optional[str] = "",
-        authorization_details: Optional[dict] = None,
-        claims: Optional[list] = None,
-        resources: Optional[list] = None,
+            self,
+            scope: Optional[str] = "",
+            authorization_details: Optional[dict] = None,
+            claims: Optional[list] = None,
+            resources: Optional[list] = None,
     ):
         ImpExp.__init__(self)
         self.scope = scope
@@ -99,6 +100,10 @@ def token_map_load(items: dict, **kwargs):
     return {k: importer(v) for k, v in items.items()}
 
 
+def remember_token(token):
+    logger.info(str(token))
+
+
 class Grant(Item):
     parameter = Item.parameter.copy()
     parameter.update(
@@ -122,22 +127,24 @@ class Grant(Item):
     }
 
     def __init__(
-        self,
-        scope: Optional[list] = None,
-        claims: Optional[dict] = None,
-        resources: Optional[list] = None,
-        authorization_details: Optional[dict] = None,
-        authorization_request: Optional[Message] = None,
-        authentication_event: Optional[AuthnEvent] = None,
-        issued_token: Optional[list] = None,
-        usage_rules: Optional[dict] = None,
-        issued_at: int = 0,
-        expires_in: int = 0,
-        expires_at: int = 0,
-        revoked: bool = False,
-        token_map: Optional[dict] = None,
-        sub: Optional[str] = "",
-        extra: Optional[Dict[str, str]] = None,
+            self,
+            scope: Optional[list] = None,
+            claims: Optional[dict] = None,
+            resources: Optional[list] = None,
+            authorization_details: Optional[dict] = None,
+            authorization_request: Optional[Message] = None,
+            authentication_event: Optional[AuthnEvent] = None,
+            issued_token: Optional[list] = None,
+            usage_rules: Optional[dict] = None,
+            issued_at: int = 0,
+            expires_in: int = 0,
+            expires_at: int = 0,
+            revoked: bool = False,
+            token_map: Optional[dict] = None,
+            sub: Optional[str] = "",
+            extra: Optional[Dict[str, str]] = None,
+            remember_token: Optional[Callable] = None,
+            remove_inactive_token: Optional[bool] = False
     ):
         Item.__init__(
             self,
@@ -157,6 +164,8 @@ def __init__(
         self.id = uuid1().hex
         self.sub = sub
         self.extra = extra or {}
+        self.remember_token = remember_token
+        self.remove_inactive_token =  remove_inactive_token
 
         if token_map is None:
             self.token_map = TOKEN_MAP
@@ -193,13 +202,13 @@ def add_acr_value(self, claims_release_point):
         return False
 
     def payload_arguments(
-        self,
-        session_id: str,
-        endpoint_context,
-        claims_release_point: str,
-        scope: Optional[dict] = None,
-        extra_payload: Optional[dict] = None,
-        secondary_identifier: str = "",
+            self,
+            session_id: str,
+            endpoint_context,
+            claims_release_point: str,
+            scope: Optional[dict] = None,
+            extra_payload: Optional[dict] = None,
+            secondary_identifier: str = "",
     ) -> dict:
         """
 
@@ -248,16 +257,16 @@ def payload_arguments(
         return payload
 
     def mint_token(
-        self,
-        session_id: str,
-        endpoint_context: object,
-        token_class: str,
-        token_handler: TokenHandler = None,
-        based_on: Optional[SessionToken] = None,
-        usage_rules: Optional[dict] = None,
-        scope: Optional[list] = None,
-        token_type: Optional[str] = "",
-        **kwargs,
+            self,
+            session_id: str,
+            endpoint_context: object,
+            token_class: str,
+            token_handler: TokenHandler = None,
+            based_on: Optional[SessionToken] = None,
+            usage_rules: Optional[dict] = None,
+            scope: Optional[list] = None,
+            token_type: Optional[str] = "",
+            **kwargs,
     ) -> Optional[SessionToken]:
         """
 
@@ -359,8 +368,12 @@ def get_token(self, value: str) -> Optional[SessionToken]:
         return None
 
     def revoke_token(
-        self, value: Optional[str] = "", based_on: Optional[str] = "", recursive: bool = True
+            self,
+            value: Optional[str] = "",
+            based_on: Optional[str] = "",
+            recursive: bool = True
     ):
+        remain = []
         for t in self.issued_token:
             if not value and not based_on:
                 t.revoked = True
@@ -376,6 +389,17 @@ def revoke_token(
                 if recursive:
                     self.revoke_token(based_on=t.value)
 
+            if t.revoked:
+                if self.remove_inactive_token:
+                    if self.remember_token:
+                        self.remember_token(t)
+                else:
+                    remain.append(t)
+            else:
+                remain.append(t)
+
+        self.issued_token = remain
+
     def get_spec(self, token: SessionToken) -> Optional[dict]:
         if self.is_active() is False or token.is_active is False:
             return None
@@ -442,19 +466,19 @@ class ExchangeGrant(Grant):
     type = "exchange_grant"
 
     def __init__(
-        self,
-        scope: Optional[list] = None,
-        claims: Optional[dict] = None,
-        resources: Optional[list] = None,
-        authorization_details: Optional[dict] = None,
-        issued_token: Optional[list] = None,
-        usage_rules: Optional[dict] = None,
-        issued_at: int = 0,
-        expires_in: int = 0,
-        expires_at: int = 0,
-        revoked: bool = False,
-        token_map: Optional[dict] = None,
-        users: list = None,
+            self,
+            scope: Optional[list] = None,
+            claims: Optional[dict] = None,
+            resources: Optional[list] = None,
+            authorization_details: Optional[dict] = None,
+            issued_token: Optional[list] = None,
+            usage_rules: Optional[dict] = None,
+            issued_at: int = 0,
+            expires_in: int = 0,
+            expires_at: int = 0,
+            revoked: bool = False,
+            token_map: Optional[dict] = None,
+            users: list = None,
     ):
         Grant.__init__(
             self,