def _parse_openid_request(self, request, redirect_uri, jwt_key):
try:
return OpenIDRequest().from_jwt(request, jwt_key)
except Exception, err:
logger.error("Faulty request: %s" % request)
logger.error("Verfied with JWT_keys: %s" % jwt_key)
logger.error("Exception: %s" % (err.__class__.__name__,))
openid_req = OpenIDRequest().from_jwt(request, jwt_key,
verify=False)
logger.error("Request: %s" % openid_req.to_dict())
return self._redirect_authz_error("invalid_openid_request_object",
redirect_uri)
def _collect_user_info(self, session, userinfo_claims=None):
"""
Collect information about a user.
This can happen in two cases, either when constructing an IdToken or
when returning user info through the UserInfo endpoint
:param session: Session information
:param userinfo_claims: user info claims
:return: User info
"""
if userinfo_claims is None:
uic = {}
for scope in session["scope"]:
try:
claims = dict([(name, None) for name in
SCOPE2CLAIMS[scope]])
uic.update(claims)
except KeyError:
pass
if "oidreq" in session:
oidreq = OpenIDRequest().deserialize(session["oidreq"], "json")
logger.debug("OIDREQ: %s" % oidreq.to_dict())
try:
_claims = oidreq["claims"]["userinfo"]
except KeyError:
pass
else:
for key, val in uic.items():
if key not in _claims:
_claims[key] = val
uic = _claims
if uic:
userinfo_claims = Claims(**uic)
else:
userinfo_claims = None
elif uic:
userinfo_claims = Claims(**uic)
else:
userinfo_claims = None
logger.debug("userinfo_claim: %s" % userinfo_claims.to_dict())
logger.debug("Session info: %s" % session)
info = self.userinfo(session["local_sub"], userinfo_claims)
info["sub"] = session["sub"]
logger.debug("user_info_response: %s" % (info,))
return info
def update_claims(session, where, about, old_claims=None):
"""
:param session:
:param where: Which request
:param about: userinfo or id_token
:param old_claims:
:return: claims or None
"""
if old_claims is None:
old_claims = {}
req = None
if where == "oidreq":
try:
req = OpenIDRequest().deserialize(session[where], "json")
except KeyError:
pass
else: # where == "authzreq"
try:
req = AuthorizationRequest().deserialize(session[where], "json")
except KeyError:
pass
if req:
logger.debug("%s: %s" % (where, req.to_dict()))
try:
_claims = req["claims"][about]
if _claims:
# update with old claims, do not overwrite
for key, val in old_claims.items():
if key not in _claims:
_claims[key] = val
return _claims
except KeyError:
pass
return old_claims
def end_session_endpoint(self, request="", cookie=None, **kwargs):
areq = None
redirect_uri = None
try:
areq = urlparse.parse_qs(request)
redirect_uri = self.verify_post_logout_redirect_uri(areq, cookie)
authn = self.pick_auth(areq)
identity = authn.authenticated_as(cookie)
if "uid" not in identity:
return self._error_response("Not allowed!")
except:
return self._error_response("Not allowed!")
verify = self.sdb.getVerifyLogout(identity["uid"])
if (verify is None or "key" not in areq or verify != areq["key"][0]) and \
(self.template_lookup is not None and self.verify_login_template is not None):
if cookie:
headers = [cookie]
else:
headers = []
mte = self.template_lookup.get_template(self.verify_login_template)
self.sdb.setVerifyLogout(identity["uid"])
if redirect_uri is not None:
redirect = redirect_uri
else:
redirect = "/"
try:
tmp_id_token_hint = areq["id_token_hint"][0]
except:
tmp_id_token_hint = ""
argv = {
"id_token_hint": tmp_id_token_hint,
"post_logout_redirect_uri": areq["post_logout_redirect_uri"][0],
"key": self.sdb.getVerifyLogout(identity["uid"]),
"redirect": redirect,
"action": "/"+EndSessionEndpoint("").etype
}
#resp.message = mte.render(**argv)
return Response(mte.render(**argv), headers=[])
id_token = None
try:
id_token = self.sdb.getToken_id(identity["uid"])
except:
pass
if id_token is not None and "id_token_hint" in areq:
try:
id_token_hint = OpenIDRequest().from_jwt(areq["id_token_hint"][0], keyjar=self.keyjar, verify=True)
id_token = OpenIDRequest().from_jwt(id_token, keyjar=self.keyjar, verify=True)
id_token_hint_dict = id_token_hint.to_dict()
id_token_dict = id_token.to_dict()
for key in id_token_dict:
if key in id_token_hint_dict:
if id_token_dict[key] != id_token_hint_dict[key]:
return self._error_response("Not allowed!")
else:
return self._error_response("Not allowed!")
for key in id_token_hint_dict:
if key in id_token_dict:
if id_token_dict[key] != id_token_hint_dict[key]:
return self._error_response("Not allowed!")
else:
return self._error_response("Not allowed!")
except:
self._error_response("Not allowed!")
elif id_token is not None:
self._error_response("Not allowed!")
try:
self.sdb.revoke_uid(identity["uid"])
except:
pass
#If cleanup cannot be performed we will still invalidate the cookie.
if redirect_uri is not None:
return Redirect(str(redirect_uri), headers=[authn.delete_cookie()])
return Response("", headers=[authn.delete_cookie()])
