def authn_verify(self, url_endpoint, **kwargs):
"""
Authentication verification
:param url_endpoint: Which endpoint to use
:param kwargs: response arguments
:return: HTTP redirect
"""
authn_method = self.endpoint_context.endpoint_to_authn_method[
url_endpoint]
username = authn_method.verify(**kwargs)
if not username:
raise cherrypy.HTTPError(403, message='Authentication failed')
auth_args = authn_method.unpack_token(kwargs['token'])
request = AuthorizationRequest().from_urlencoded(auth_args['query'])
authn_event = create_authn_event(
uid=username,
salt='salt',
authn_info=auth_args['authn_class_ref'],
authn_time=auth_args['iat'])
endpoint = self.endpoint_context.endpoint['authorization']
args = endpoint.authz_part2(user=username,
request=request,
authn_event=authn_event)
if isinstance(args, ResponseMessage):
raise cherrypy.HTTPError(400, message=args.to_json())
return do_response(endpoint, request, **args)
def test_client_info_add2(self):
user_info = UserSessionInfo(foo="bar")
self.db.set(["diana"], user_info)
client_info = ClientSessionInfo(sid="abcdef")
self.db.set(["diana", "client_1"], client_info)
# The reference is there but not the value
del self.db.db[self.db.session_key("diana", "client_1")]
authn_event = create_authn_event(uid="diana",
expires_in=10,
authn_info="authn_class_ref")
grant = Grant(authentication_event=authn_event,
authorization_request=AUTHZ_REQ)
access_code = SessionToken("access_code", value="1234567890")
grant.issued_token.append(access_code)
self.db.set(["diana", "client_1", "G1"], grant)
stored_client_info = self.db.get(["diana", "client_1"])
assert set(stored_client_info.keys()) == {
"subordinate",
"revoked",
"type",
"client_id",
"extra_args",
}
stored_grant_info = self.db.get(["diana", "client_1", "G1"])
assert stored_grant_info.issued_at
def verify_user(request):
"""csrf is not needed because it uses oidc token in the post
"""
_name = sys._getframe().f_code.co_name
debug_request(f'{_name}', request)
token = request.POST.get('token')
if not token: # pragma: no cover
return HttpResponse('Access forbidden: invalid token.', status=403)
ec = oidcop_app.endpoint_context
authn_method = ec.endpoint_context.authn_broker.get_method_by_id('user')
kwargs = dict([(k, v) for k, v in request.POST.items()])
user = authn_method.verify(**kwargs)
if not user:
return HttpResponse('Authentication failed', status=403)
auth_args = authn_method.unpack_token(kwargs['token'])
authz_request = AuthorizationRequest().from_urlencoded(auth_args['query'])
# salt size can be customized in settings.OIDC_OP_AUTHN_SALT_SIZE
salt_size = getattr(settings, 'OIDC_OP_AUTHN_SALT_SIZE', 4)
authn_event = create_authn_event(uid=user.username,
salt=base64.b64encode(
os.urandom(salt_size)).decode(),
authn_info=auth_args['authn_class_ref'],
authn_time=auth_args['iat'])
endpoint = oidcop_app.endpoint_context.endpoint['authorization']
client_id = authz_request["client_id"]
_token_usage_rules = endpoint.server_get(
"endpoint_context").authn_broker.get_method_by_id('user')
session_manager = ec.endpoint_context.session_manager
_session_id = session_manager.create_session(
authn_event=authn_event,
auth_req=authz_request,
user_id=user.username,
client_id=client_id,
token_usage_rules=_token_usage_rules)
try:
_args = endpoint.authz_part2(user=user.username,
session_id=_session_id,
request=authz_request,
authn_event=authn_event)
except ValueError as excp:
msg = 'Something went wrong with your Session ... {}'.format(excp)
return HttpResponse(msg, status=403)
if isinstance(_args, ResponseMessage) and 'error' in _args:
return HttpResponse(_args.to_json(), status=400)
elif isinstance(_args.get('response_args'), AuthorizationErrorResponse):
rargs = _args.get('response_args')
logger.error(rargs)
return HttpResponse(rargs.to_json(), status=400)
response = do_response(request, endpoint, authz_request, **_args)
return response
def auth(self):
# Start with an authentication request
# The client ID appears in the request
AUTH_REQ = AuthorizationRequest(
client_id="client_1",
redirect_uri="https://example.com/cb",
scope=["openid", "mail", "address", "offline_access"],
state="STATE",
response_type="code",
)
# The authentication returns a user ID
user_id = "diana"
# User info is stored in the Session DB
authn_event = create_authn_event(
user_id,
authn_info=INTERNETPROTOCOLPASSWORD,
authn_time=time_sans_frac(),
)
user_info = UserSessionInfo(user_id=user_id)
self.session_manager.set([user_id], user_info)
# Now for client session information
client_id = AUTH_REQ["client_id"]
client_info = ClientSessionInfo(client_id=client_id)
self.session_manager.set([user_id, client_id], client_info)
# The user consent module produces a Grant instance
grant = Grant(
scope=AUTH_REQ["scope"],
resources=[client_id],
authorization_request=AUTH_REQ,
authentication_event=authn_event,
)
# the grant is assigned to a session (user_id, client_id)
self.session_manager.set([user_id, client_id, grant.id], grant)
session_id = self.session_manager.encrypted_session_id(
user_id, client_id, grant.id)
# Constructing an authorization code is now done by
code = grant.mint_token(
session_id=session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=self.session_manager.
token_handler["authorization_code"],
expires_at=time_sans_frac() + 300, # 5 minutes from now
)
# get user info
user_info = self.session_manager.get_user_info(uid=user_id, )
return grant.id, code
def _create_session(self, auth_req, sub_type="public", sector_identifier=""):
if sector_identifier:
authz_req = auth_req.copy()
authz_req["sector_identifier_uri"] = sector_identifier
else:
authz_req = auth_req
client_id = authz_req["client_id"]
ae = create_authn_event(self.user_id)
return self.session_manager.create_session(
ae, authz_req, self.user_id, client_id=client_id, sub_type=sub_type
)
def create_session(self, request, user_id, acr, time_stamp, authn_method):
_context = self.server_get("endpoint_context")
_mngr = _context.session_manager
authn_event = create_authn_event(
user_id,
authn_info=acr,
time_stamp=time_stamp,
)
_exp_in = authn_method.kwargs.get("expires_in")
if _exp_in and "valid_until" in authn_event:
authn_event["valid_until"] = utc_time_sans_frac() + _exp_in
_token_usage_rules = _context.authz.usage_rules(request["client_id"])
return _mngr.create_session(
authn_event=authn_event,
auth_req=request,
user_id=user_id,
client_id=request["client_id"],
token_usage_rules=_token_usage_rules,
)