add client

id.saladeaula.digital/app/oauth2.py

@@ -1,11 +1,11 @@
-import re
-
-from authlib.oauth2 import OAuth2Request
+from authlib.common.urls import add_params_to_uri
+from authlib.oauth2 import OAuth2Request, rfc9207
 from authlib.oauth2.rfc6749 import ClientMixin, TokenMixin, grants
 from authlib.oauth2.rfc7636 import CodeChallenge
 from authlib.oidc.core import OpenIDCode as OpenIDCode_
 from authlib.oidc.core import UserInfo
 from aws_lambda_powertools import Logger
+from aws_lambda_powertools.event_handler.api_gateway import Response
 from aws_lambda_powertools.event_handler.exceptions import NotFoundError
 from layercake.dateutils import now, ttl
 from layercake.dynamodb import DynamoDBPersistenceLayer, KeyPair
@@ -186,6 +186,26 @@ class RefreshTokenGrant(grants.RefreshTokenGrant):
             )
 
 
+class IssuerParameter(rfc9207.IssuerParameter):
+    def add_issuer_parameter(
+        self,
+        authorization_server: AuthorizationServer,
+        response: Response,
+    ):
+        location = response.headers.get('Location')
+
+        if self.get_issuer() and location:
+            # RFC9207 §2
+            # In authorization responses to the client, including error responses,
+            # an authorization server supporting this specification MUST indicate
+            # its identity by including the iss parameter in the response.
+            new_location = add_params_to_uri(location, {'iss': self.get_issuer()})  # type: ignore
+            response.headers['Location'] = new_location
+
+    def get_issuer(self) -> str:
+        return ISSUER
+
+
 server = AuthorizationServer(persistence_layer=oauth2_layer)
 server.register_grant(
     AuthorizationCodeGrant,
@@ -195,3 +215,4 @@ server.register_grant(
     ],
 )
 server.register_grant(RefreshTokenGrant)
+server.register_extension(IssuerParameter())