Merge pull request #844 from azmeuk/806-get-jwt-config-client

lepture · web-flow · commit 0a423d4638be · 2025-12-12T16:51:56.000+09:00
`get_jwt_config` takes a `client` parameter.
diff --git a/authlib/oidc/core/grants/code.py b/authlib/oidc/core/grants/code.py
@@ -8,6 +8,7 @@
 """
 
 import logging
+import warnings
 
 from authlib.oauth2.rfc6749 import OAuth2Request
 
@@ -20,7 +21,7 @@
 
 
 class OpenIDToken:
-    def get_jwt_config(self, grant):  # pragma: no cover
+    def get_jwt_config(self, grant, client):  # pragma: no cover
         """Get the JWT configuration for OpenIDCode extension. The JWT
         configuration will be used to generate ``id_token``.
         If ``alg`` is undefined, the ``id_token_signed_response_alg`` client
@@ -29,15 +30,16 @@ def get_jwt_config(self, grant):  # pragma: no cover
         will be used.
         Developers MUST implement this method in subclass, e.g.::
 
-            def get_jwt_config(self, grant):
+            def get_jwt_config(self, grant, client):
                 return {
                     "key": read_private_key_file(key_path),
-                    "alg": "RS256",
+                    "alg": client.id_token_signed_response_alg or "RS256",
                     "iss": "issuer-identity",
                     "exp": 3600,
                 }
 
         :param grant: AuthorizationCodeGrant instance
+        :param client: OAuth2 client instance
         :return: dict
         """
         raise NotImplementedError()
@@ -78,7 +80,17 @@ def process_token(self, grant, response):
         request: OAuth2Request = grant.request
         authorization_code = request.authorization_code
 
-        config = self.get_jwt_config(grant)
+        try:
+            config = self.get_jwt_config(grant, request.client)
+        except TypeError:
+            warnings.warn(
+                "get_jwt_config(self, grant) is deprecated and will be removed in version 1.8. "
+                "Use get_jwt_config(self, grant, client) instead.",
+                DeprecationWarning,
+                stacklevel=2,
+            )
+            config = self.get_jwt_config(grant)
+
         config["aud"] = self.get_audiences(request)
 
         # Per OpenID Connect Registration 1.0 Section 2:
diff --git a/authlib/oidc/core/grants/implicit.py b/authlib/oidc/core/grants/implicit.py
@@ -1,4 +1,5 @@
 import logging
+import warnings
 
 from authlib.oauth2.rfc6749 import AccessDeniedError
 from authlib.oauth2.rfc6749 import ImplicitGrant
@@ -36,19 +37,20 @@ def exists_nonce(self, nonce, request):
         """
         raise NotImplementedError()
 
-    def get_jwt_config(self):
+    def get_jwt_config(self, client):
         """Get the JWT configuration for OpenIDImplicitGrant. The JWT
         configuration will be used to generate ``id_token``. Developers
         MUST implement this method in subclass, e.g.::
 
-            def get_jwt_config(self):
+            def get_jwt_config(self, client):
                 return {
                     "key": read_private_key_file(key_path),
-                    "alg": "RS256",
+                    "alg": client.id_token_signed_response_alg or "RS256",
                     "iss": "issuer-identity",
                     "exp": 3600,
                 }
 
+        :param client: OAuth2 client instance
         :return: dict
         """
         raise NotImplementedError()
@@ -143,7 +145,17 @@ def create_granted_params(self, grant_user):
         return params
 
     def process_implicit_token(self, token, code=None):
-        config = self.get_jwt_config()
+        try:
+            config = self.get_jwt_config(self.request.client)
+        except TypeError:
+            warnings.warn(
+                "get_jwt_config(self) is deprecated and will be removed in version 1.8. "
+                "Use get_jwt_config(self, client) instead.",
+                DeprecationWarning,
+                stacklevel=2,
+            )
+            config = self.get_jwt_config()
+
         config["aud"] = self.get_audiences(self.request)
         config["nonce"] = self.request.payload.data.get("nonce")
         if code is not None:
diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -6,6 +6,13 @@ Changelog
 
 Here you can see the full list of changes between each Authlib release.
 
+Version 1.6.6
+-------------
+
+**Released on Dec 11, 2025**
+
+- ``get_jwt_config`` takes a ``client`` parameter.
+
 Version 1.6.5
 -------------
 
diff --git a/tests/clients/test_requests/test_oauth2_session.py b/tests/clients/test_requests/test_oauth2_session.py
@@ -324,16 +324,16 @@ def test_token_status3():
 
 
 def test_expires_in_used_when_expires_at_unparseable():
-    """Test that expires_in is used as fallback when expires_at is unparseable."""
+    """Test that expires_in is used as fallback when expires_at is unparsable."""
     token = dict(
         access_token="a",
         token_type="bearer",
         expires_in=3600,  # 1 hour from now
-        expires_at="2024-01-01T00:00:00Z",  # Unparseable - should fall back to expires_in
+        expires_at="2024-01-01T00:00:00Z",  # Unparsable - should fall back to expires_in
     )
     sess = OAuth2Session("foo", token=token)
 
-    # The token should use expires_in since expires_at is unparseable
+    # The token should use expires_in since expires_at is unparsable
     # So it should be considered expired with leeway > 3600
     assert sess.token.is_expired(leeway=3700) is True
     # And not expired with leeway < 3600
diff --git a/tests/flask/test_oauth2/test_openid_code_grant.py b/tests/flask/test_oauth2/test_openid_code_grant.py
@@ -15,6 +15,7 @@
 from authlib.oidc.core.grants import OpenIDCode as _OpenIDCode
 from tests.util import read_file_path
 
+from .models import Client
 from .models import CodeGrantMixin
 from .models import exists_nonce
 from .models import save_authorization_code
@@ -54,7 +55,7 @@ def save_authorization_code(self, code, request):
             return save_authorization_code(code, request)
 
     class OpenIDCode(_OpenIDCode):
-        def get_jwt_config(self, grant):
+        def get_jwt_config(self, grant, client):
             key = current_app.config.get("OAUTH2_JWT_KEY")
             alg = current_app.config.get("OAUTH2_JWT_ALG")
             iss = current_app.config.get("OAUTH2_JWT_ISS")
@@ -419,3 +420,64 @@ def test_authorize_token_algs(test_client, server, app, alg, private_key, public
         claims_options={"iss": {"value": "Authlib"}},
     )
     claims.validate()
+
+
+def test_deprecated_get_jwt_config_signature(test_client, server, db, user):
+    """Using the old get_jwt_config(self, grant) signature should emit a DeprecationWarning."""
+
+    class DeprecatedOpenIDCode(_OpenIDCode):
+        def get_jwt_config(self, grant):
+            return {"key": "secret", "alg": "HS256", "iss": "Authlib", "exp": 3600}
+
+        def exists_nonce(self, nonce, request):
+            return exists_nonce(nonce, request)
+
+        def generate_user_info(self, user, scopes):
+            return user.generate_user_info(scopes)
+
+    class AuthorizationCodeGrant(CodeGrantMixin, _AuthorizationCodeGrant):
+        def save_authorization_code(self, code, request):
+            return save_authorization_code(code, request)
+
+    server.register_grant(AuthorizationCodeGrant, [DeprecatedOpenIDCode()])
+
+    client = Client(
+        user_id=user.id,
+        client_id="deprecated-client",
+        client_secret="secret",
+    )
+    client.set_client_metadata(
+        {
+            "redirect_uris": ["https://client.test"],
+            "scope": "openid profile",
+            "response_types": ["code"],
+            "grant_types": ["authorization_code"],
+        }
+    )
+    db.session.add(client)
+    db.session.commit()
+
+    rv = test_client.post(
+        "/oauth/authorize",
+        data={
+            "response_type": "code",
+            "client_id": "deprecated-client",
+            "state": "bar",
+            "scope": "openid profile",
+            "redirect_uri": "https://client.test",
+            "user_id": "1",
+        },
+    )
+    params = dict(url_decode(urlparse.urlparse(rv.location).query))
+    code = params["code"]
+
+    with pytest.warns(DeprecationWarning, match="get_jwt_config.*version 1.8"):
+        test_client.post(
+            "/oauth/token",
+            data={
+                "grant_type": "authorization_code",
+                "redirect_uri": "https://client.test",
+                "code": code,
+            },
+            headers=create_basic_header("deprecated-client", "secret"),
+        )
diff --git a/tests/flask/test_oauth2/test_openid_hybrid_grant.py b/tests/flask/test_oauth2/test_openid_hybrid_grant.py
@@ -26,7 +26,7 @@ def save_authorization_code(self, code, request):
             return save_authorization_code(code, request)
 
     class OpenIDCode(_OpenIDCode):
-        def get_jwt_config(self, grant):
+        def get_jwt_config(self, grant, client):
             return dict(JWT_CONFIG)
 
         def exists_nonce(self, nonce, request):
@@ -39,7 +39,7 @@ class OpenIDHybridGrant(_OpenIDHybridGrant):
         def save_authorization_code(self, code, request):
             return save_authorization_code(code, request)
 
-        def get_jwt_config(self):
+        def get_jwt_config(self, client):
             return dict(JWT_CONFIG)
 
         def exists_nonce(self, nonce, request):
diff --git a/tests/flask/test_oauth2/test_openid_implict_grant.py b/tests/flask/test_oauth2/test_openid_implict_grant.py
@@ -5,9 +5,12 @@
 from authlib.common.urls import url_decode
 from authlib.common.urls import urlparse
 from authlib.jose import JsonWebToken
+from authlib.oauth2.rfc6749.requests import BasicOAuth2Payload
+from authlib.oauth2.rfc6749.requests import OAuth2Request
 from authlib.oidc.core import ImplicitIDToken
 from authlib.oidc.core.grants import OpenIDImplicitGrant as _OpenIDImplicitGrant
 
+from .models import Client
 from .models import exists_nonce
 
 authorize_url = "/oauth/authorize?response_type=token&client_id=client-id"
@@ -16,7 +19,7 @@
 @pytest.fixture(autouse=True)
 def server(server):
     class OpenIDImplicitGrant(_OpenIDImplicitGrant):
-        def get_jwt_config(self):
+        def get_jwt_config(self, client):
             alg = current_app.config.get("OAUTH2_JWT_ALG", "HS256")
             return dict(key="secret", alg=alg, iss="Authlib", exp=3600)
 
@@ -259,3 +262,42 @@ def test_client_metadata_alg_none(test_client, app, db, client):
     )
     params = dict(url_decode(urlparse.urlparse(rv.location).fragment))
     assert params["error"] == "invalid_request"
+
+
+def test_deprecated_get_jwt_config_signature(user):
+    """Using the old get_jwt_config(self) signature should emit a DeprecationWarning."""
+
+    class DeprecatedImplicitGrant(_OpenIDImplicitGrant):
+        def get_jwt_config(self):
+            return {"key": "secret", "alg": "HS256", "iss": "Authlib", "exp": 3600}
+
+        def generate_user_info(self, user, scopes):
+            return user.generate_user_info(scopes)
+
+        def exists_nonce(self, nonce, request):
+            return exists_nonce(nonce, request)
+
+    client = Client(
+        user_id=user.id,
+        client_id="deprecated-client",
+        client_secret="secret",
+    )
+    client.set_client_metadata(
+        {
+            "redirect_uris": ["https://client.test/callback"],
+            "scope": "openid profile",
+            "token_endpoint_auth_method": "none",
+            "response_types": ["id_token"],
+        }
+    )
+
+    request = OAuth2Request("POST", "https://server.test/authorize")
+    request.payload = BasicOAuth2Payload({"nonce": "test-nonce"})
+    request.client = client
+    request.user = user
+
+    grant = DeprecatedImplicitGrant(request, client)
+    token = {"scope": "openid", "expires_in": 3600}
+
+    with pytest.warns(DeprecationWarning, match="get_jwt_config.*version 1.8"):
+        grant.process_implicit_token(token)
diff --git a/tests/flask/test_oauth2/test_password_grant.py b/tests/flask/test_oauth2/test_password_grant.py
@@ -26,7 +26,7 @@ def client(client, db):
 
 
 class IDToken(OpenIDToken):
-    def get_jwt_config(self, grant):
+    def get_jwt_config(self, grant, client):
         return {
             "iss": "Authlib",
             "key": "secret",
