def test_missing_token_endpoint():
conf = {
"issuer": "https://example.com/",
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"authorization": {
"path": "authorization",
"class": "oidcop.oauth2.authorization.Authorization",
"kwargs": {},
},
"introspection": {
"path": "introspection",
"class": "oidcop.oauth2.introspection.Introspection",
"kwargs": {},
},
},
}
configuration = OPConfiguration(conf,
base_path=BASEDIR,
domain="127.0.0.1",
port=443)
server = Server(configuration)
add_pkce_support(server.server_get("endpoints"))
assert "pkce" not in server.server_get("endpoint_context").args
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
"webfinger": {
"path": ".well-known/webfinger",
"class": Discovery,
"kwargs": {
"client_authn_method": None
},
}
},
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
self.endpoint = server.server_get("endpoint", "discovery")
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {}
},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
self.endpoint_context = server.endpoint_context
self.endpoint = server.server_get("endpoint", "provider_config")
def create_endpoint_context(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": ["query", "fragment", "form_post"],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
}
},
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
"authentication": {
"anon": {"acr": UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "******"},},
},
"cookie_handler": {
"class": "oidcop.cookie_handler.CookieHandler",
"kwargs": {
"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]
)
self.endpoint = server.server_get("endpoint", "authorization")
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
def create_endpoint(self, conf):
server = Server(ASConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
endpoint_context = server.endpoint_context
endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
endpoint_context.keyjar.import_jwks(CLIENT_KEYJAR.export_jwks(), "client_1")
self.session_manager = endpoint_context.session_manager
self.token_endpoint = server.server_get("endpoint", "token")
self.user_id = "diana"
self.endpoint_context = endpoint_context
def __init__(self,
conf: Union[dict, OPConfiguration, ASConfiguration],
keyjar: Optional[KeyJar] = None,
cwd: Optional[str] = "",
cookie_handler: Optional[Any] = None,
httpc: Optional[Any] = None):
Server.__init__(self,
conf=conf,
keyjar=keyjar,
cwd=cwd,
cookie_handler=cookie_handler,
httpc=httpc)
fed_conf = conf.get("federation")
if fed_conf:
self.endpoint_context.federation_entity = FederationEntity(
config=fed_conf, httpc=httpc, cwd=cwd)
def test_capabilities_subset2():
_cnf = copy(conf)
_cnf["capabilities"] = {"response_types_supported": ["code", "id_token"]}
server = Server(_cnf)
assert set(server.endpoint_context.provider_info["response_types_supported"]) == {
"code",
"id_token",
}
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {"key_defs": KEYDEFS, "uri_path": "static/jwks.json"},
"cookie_handler": {
"class": CookieHandler,
"kwargs": {"keys": {"key_defs": COOKIE_KEY_DEFS}},
},
"endpoint": {
"registration": {
"path": "registration",
"class": Registration,
"kwargs": {"client_auth_method": None},
},
"registration_api": {
"path": "registration_api",
"class": RegistrationRead,
"kwargs": {"client_authn_method": ["bearer_header"]},
},
"authorization": {"path": "authorization", "class": Authorization, "kwargs": {},},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {"path": "userinfo", "class": UserInfo, "kwargs": {}},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
self.registration_endpoint = server.server_get("endpoint", "registration")
self.registration_api_endpoint = server.server_get("endpoint", "registration_read")
def create_server(config):
server = Server(ASConfiguration(conf=config, base_path=BASEDIR),
cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), config["issuer"])
return server
def test_server_login_hint_lookup():
_str = open(full_path("op_config.json")).read()
_conf = json.loads(_str)
configuration = OPConfiguration(conf=_conf,
base_path=BASEDIR,
domain="127.0.0.1",
port=443)
server = Server(configuration)
assert server.endpoint_context.login_hint_lookup(
"tel:0907865000") == "diana"
def setup_token_handler(self):
password = "******"
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"keys": {
"key_defs": KEYDEFS,
"uri_path": "static/jwks.json"
},
"jwks_uri": "https://example.com/jwks.json",
"token_handler_args": {
"code": {
"kwargs": {
"lifetime": 600,
"password": password
}
},
"token": {
"kwargs": {
"lifetime": 900,
"password": password
}
},
"refresh": {
"kwargs": {
"lifetime": 86400,
"password": password
}
},
},
"endpoint": {
"authorization_endpoint": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"token_endpoint": {
"path": "{}/token",
"class": Token,
"kwargs": {}
},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
self.endpoint_context = server.endpoint_context
self.session_manager = self.endpoint_context.session_manager
def init_oidc_op_endpoints(app):
op_config = app.srv_config
op_config['issuer']
server = Server(op_config, cwd=folder)
for endp in server.endpoint.values():
p = urlparse(endp.endpoint_path)
_vpath = p.path.split('/')
endp.vpath = _vpath
return server
def init_oidc_op(app):
_op_config = app.srv_config
server = Server(_op_config, cwd=folder)
for endp in server.endpoint.values():
p = urlparse(endp.endpoint_path)
_vpath = p.path.split('/')
if _vpath[0] == '':
endp.vpath = _vpath[1:]
else:
endp.vpath = _vpath
return server
def create_session_manager(self):
server = Server(conf)
self.endpoint_context = server.endpoint_context
self.endpoint_context.cdb["client_1"] = {
"client_secret": "hemligtochintekort",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
self.endpoint_context.keyjar.add_symmetric("client_1",
"hemligtochintekort",
["sig", "enc"])
self.session_manager = self.endpoint_context.session_manager
self.user_id = USER_ID
def test_capabilities_default():
_str = open(full_path("op_config.json")).read()
_conf = json.loads(_str)
configuration = OPConfiguration(conf=_conf, base_path=BASEDIR, domain="127.0.0.1", port=443)
server = Server(configuration)
assert set(server.endpoint_context.provider_info["response_types_supported"]) == {
"code",
"token",
"id_token",
"code token",
"code id_token",
"id_token token",
"code id_token token",
}
assert server.endpoint_context.provider_info["request_uri_parameter_supported"] is True
def create_endpoint(self):
conf = {
"issuer": ENTITY_ID,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"claims_interface": {"class": "oidcop.session.claims.ClaimsInterface", "kwargs": {}},
'keys': {
'key_defs': KEYSPEC,
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json"
},
"endpoint": {},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {"user": "******"}
}
},
'template_dir': 'template'
}
server = Server(conf)
endpoint_context = server.endpoint_context
self.endpoint = ProviderConfiguration(server.server_get)
# === Federation stuff =======
fe_conf = {
'keys': {'key_defs': KEYSPEC}
}
federation_entity = FederationEntity(
ENTITY_ID, trusted_roots=ANCHOR,
authority_hints={'https://ntnu.no': ['https://feide.no']},
httpd=Publisher(ROOT_DIR), config=fe_conf,
entity_type='openid_relying_party', opponent_entity_type='openid_provider')
federation_entity.collector = DummyCollector(
httpd=Publisher(os.path.join(BASE_PATH, 'data')),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.fedent = federation_entity
self.endpoint.server_get("endpoint_context").federation_entity = federation_entity
def create_endpoint_context(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
}
},
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
"authentication": {
"user": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": UserPassJinja2,
"verify_endpoint": "verify/user",
"kwargs": {
"template": "user_pass.jinja2",
"sym_key": "24AA/LR6HighEnergy",
"db": {
"class": JSONDictDB,
"kwargs": {"filename": full_path("passwd.json")},
},
"page_header": "Testing log in",
"submit_btn": "Get me in!",
"user_label": "Nickname",
"passwd_label": "Secret sauce",
},
},
"anon": {"acr": UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "******"},},
},
"cookie_handler": {
"class": "oidcop.cookie_handler.CookieHandler",
"kwargs": {"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
self.endpoint_context = server.endpoint_context
def create_endpoint(self):
try:
shutil.rmtree("db")
except FileNotFoundError:
pass
server1 = Server(OPConfiguration(conf=ENDPOINT_CONTEXT_CONFIG,
base_path=BASEDIR),
cwd=BASEDIR)
server2 = Server(OPConfiguration(conf=ENDPOINT_CONTEXT_CONFIG,
base_path=BASEDIR),
cwd=BASEDIR)
server1.endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
_store = server1.endpoint_context.dump()
server2.endpoint_context.load(
_store,
init_args={
"server_get": server2.server_get,
"handler":
server2.endpoint_context.session_manager.token_handler,
},
)
self.endpoint = {
1: server1.server_get("endpoint", "userinfo"),
2: server2.server_get("endpoint", "userinfo"),
}
self.session_manager = {
1: server1.endpoint_context.session_manager,
2: server2.endpoint_context.session_manager,
}
self.user_id = "diana"
def create_endpoint(self, jwt_token):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "jwks.json",
"key_defs": KEYDEFS
},
"token_handler_args": {
"jwks_file": "private/token_jwks.json",
"code": {
"kwargs": {
"lifetime": 600
}
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
}
},
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"introspection": {
"path": "{}/intro",
"class": Introspection,
"kwargs": {
"client_authn_method": ["client_secret_post"],
"enable_claims_per_client": False,
},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_method": [
"client_secret_basic",
"client_secret_post",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"userinfo": {
"path": "{}/userinfo",
"class": UserInfo,
"kwargs": {
"db_file": full_path("users.json")
},
},
"client_authn": verify_client,
"template_dir": "template",
"authz": {
"class": AuthzHandling,
"kwargs": {
"grant_config": {
"usage_rules": {
"authorization_code": {
"supports_minting": [
"access_token",
"refresh_token",
"id_token",
],
"max_usage":
1,
},
"access_token": {},
"refresh_token": {
"supports_minting":
["access_token", "refresh_token"],
},
},
"expires_in": 43200,
}
},
},
}
if jwt_token:
conf["token_handler_args"]["token"] = {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {},
}
server = Server(ASConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
endpoint_context = server.endpoint_context
endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
"introspection_claims": {
"nickname": None,
"eduperson_scoped_affiliation": None,
},
}
endpoint_context.keyjar.import_jwks_as_json(
endpoint_context.keyjar.export_jwks_as_json(private=True),
endpoint_context.issuer,
)
self.introspection_endpoint = server.server_get(
"endpoint", "introspection")
self.token_endpoint = server.server_get("endpoint", "token")
self.session_manager = endpoint_context.session_manager
self.user_id = "diana"
def create_endpoint(self):
conf = {
"issuer": ISS,
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"provider_config": {
"path": "{}/.well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {
"client_authn_method": None
},
},
"registration": {
"path": "{}/registration",
"class": Registration,
"kwargs": {
"client_authn_method": None
},
},
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"client_authn_method": None
},
},
"token": {
"path": "{}/token",
"class": Token,
"kwargs": {}
},
"userinfo": {
"path": "{}/userinfo",
"class": userinfo.UserInfo,
"kwargs": {
"db_file": "users.json"
},
},
"session": {
"path": "{}/end_session",
"class": Session,
"kwargs": {
"post_logout_uri_path": "post_logout",
"signing_alg": "ES256",
"logout_verify_url": "{}/verify_logout".format(ISS),
"client_authn_method": None,
},
},
},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"userinfo": {
"class": UserInfo,
"kwargs": {
"db": USERINFO_db
}
},
"template_dir": "template",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [{
"type": "oct",
"bytes": "24",
"use": ["enc"],
"kid": "code"
}],
},
"code": {
"kwargs": {
"lifetime": 600
}
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
},
}
cookie_conf = {
"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
}
self.cd = CookieHandler(**cookie_conf)
server = Server(
OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR,
cookie_handler=self.cd,
keyjar=KEYJAR,
)
endpoint_context = server.endpoint_context
endpoint_context.cdb = {
"client_1": {
"client_secret": "hemligt",
"redirect_uris": [("{}cb".format(CLI1), None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types":
["code", "token", "code id_token", "id_token"],
"post_logout_redirect_uris":
[("{}logout_cb".format(CLI1), "")],
},
"client_2": {
"client_secret": "hemligare",
"redirect_uris": [("{}cb".format(CLI2), None)],
"client_salt": "saltare",
"token_endpoint_auth_method": "client_secret_post",
"response_types":
["code", "token", "code id_token", "id_token"],
"post_logout_redirect_uris":
[("{}logout_cb".format(CLI2), "")],
},
}
self.session_manager = endpoint_context.session_manager
self.authn_endpoint = server.server_get("endpoint", "authorization")
self.session_endpoint = server.server_get("endpoint", "session")
self.token_endpoint = server.server_get("endpoint", "token")
self.user_id = "diana"
def create_authn_broker(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"provider_config": {
"path": "{}/.well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"token": {
"path": "{}/token",
"class": Token,
"kwargs": {}
},
},
"authentication": METHOD,
"userinfo": {
"class": UserInfo,
"kwargs": {
"db": USERINFO_db
}
},
"template_dir": "template",
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
}
cookie_conf = {
"sign_key":
SYMKey(k="ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"),
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
}
cookie_handler = CookieHandler(**cookie_conf)
server = Server(conf, cookie_handler=cookie_handler)
endpoint_context = server.endpoint_context
endpoint_context.cdb["client_1"] = {
"client_secret":
"hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt":
"salted",
"token_endpoint_auth_method":
"client_secret_post",
"response_types": [
"code",
"token",
"code id_token",
"id_token",
"code id_token token",
],
}
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.server = server
def test_token_handler_from_config():
conf = {
"issuer": "https://example.com/op",
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"endpoint": {
"path": "endpoint",
"class": Endpoint,
"kwargs": {}
},
},
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [{
"type": "oct",
"bytes": "24",
"use": ["enc"],
"kid": "code"
}],
},
"code": {
"kwargs": {
"lifetime": 600
}
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
},
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
token_handler = server.endpoint_context.session_manager.token_handler
assert token_handler
assert len(token_handler.handler) == 4
assert set(token_handler.handler.keys()) == {
"authorization_code",
"access_token",
"refresh_token",
"id_token",
}
assert isinstance(token_handler.handler["authorization_code"],
DefaultToken)
assert isinstance(token_handler.handler["access_token"], JWTToken)
assert isinstance(token_handler.handler["refresh_token"], JWTToken)
assert isinstance(token_handler.handler["id_token"], IDToken)
assert token_handler.handler["authorization_code"].lifetime == 600
assert token_handler.handler["access_token"].alg == "ES256"
assert token_handler.handler["access_token"].kwargs == {
"add_claims_by_scope": True
}
assert token_handler.handler["access_token"].lifetime == 3600
assert token_handler.handler["access_token"].def_aud == [
"https://example.org/appl"
]
assert token_handler.handler["refresh_token"].alg == "ES256"
assert token_handler.handler["refresh_token"].kwargs == {}
assert token_handler.handler["refresh_token"].lifetime == 3600
assert token_handler.handler["refresh_token"].def_aud == [
"https://example.org/appl"
]
assert token_handler.handler["id_token"].lifetime == 300
assert "base_claims" in token_handler.handler["id_token"].kwargs
def setup_session_manager(self):
conf = {
"issuer": ISSUER,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "jwks.json",
"key_defs": KEYDEFS
},
"token_handler_args": {
"jwks_file": "private/token_jwks.json",
"code": {
"lifetime": 600
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime":
3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope":
True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {},
},
"endpoint": {
"provider_config": {
"path": "{}/.well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "{}/registration",
"class": Registration,
"kwargs": {},
},
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"token": {
"path": "{}/token",
"class": Token,
"kwargs": {}
},
"session": {
"path": "{}/end_session",
"class": Session
},
},
"client_authn": verify_client,
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"userinfo": {
"class": user_info.UserInfo,
"kwargs": {
"db_file": full_path("users.json")
},
},
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
keyjar=KEYJAR,
cwd=BASEDIR)
self.endpoint_context = server.endpoint_context
self.session_manager = self.endpoint_context.session_manager
def test_file(jwks):
conf = {
"issuer": "https://example.com/op",
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"endpoint": {
"path": "endpoint",
"class": Endpoint,
"kwargs": {}
},
},
"token_handler_args": {
"code": {
"kwargs": {
"lifetime": 600
}
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
},
}
for arg in ["jwks_file", "jwks_def"]:
try:
del conf["token_handler_args"][arg]
except KeyError:
pass
for _file in [
"private/token_jwks_1.json",
"private/token_jwks_2.json",
"private/token_jwks.json",
]:
if os.path.exists(full_path(_file)):
os.unlink(full_path(_file))
if jwks:
conf["token_handler_args"].update(jwks)
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
token_handler = server.endpoint_context.session_manager.token_handler
assert token_handler
if "jwks_file" in conf["token_handler_args"]:
assert os.path.exists(full_path("private/token_jwks_1.json"))
elif "jwks_def" in conf["token_handler_args"]:
assert os.path.exists(full_path("private/token_jwks_2.json"))
else:
assert os.path.exists(full_path("private/token_jwks.json"))
def create_session_manager(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"keys": {
"key_defs": KEYDEFS,
"uri_path": "static/jwks.json"
},
"jwks_uri": "https://example.com/jwks.json",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [{
"type": "oct",
"bytes": "24",
"use": ["enc"],
"kid": "code"
}],
},
"code": {
"lifetime": 600
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims": True,
"add_claim_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
},
"endpoint": {
"authorization_endpoint": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"token_endpoint": {
"path": "{}/token",
"class": Token,
"kwargs": {}
},
},
"template_dir": "template",
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
}
server = Server(conf)
self.server = server
self.endpoint_context = server.endpoint_context
self.session_manager = server.endpoint_context.session_manager
self.authn_event = AuthnEvent(uid="uid",
valid_until=time_sans_frac() + 1,
authn_info="authn_class_ref")
self.dummy_session_id = self.session_manager.encrypted_session_id(
"user_id", "client_id", "grant.id")
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"request_cls":
JWTSecuredAuthorizationRequest,
},
}
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"userinfo": {
"class": UserInfo,
"kwargs": {
"db": USERINFO_db
}
},
"template_dir": "template",
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"sign_key":
"ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
}
server = Server(ASConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.endpoint = server.server_get("endpoint", "authorization")
self.session_manager = endpoint_context.session_manager
self.user_id = "diana"
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
endpoint_context.keyjar.add_symmetric("client_1",
"hemligtkodord1234567890")
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {
"key_defs": COOKIE_KEYDEFS
},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
"keys": {
"uri_path": "jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": Registration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_methods": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {
"path": "userinfo",
"class": userinfo.UserInfo,
"kwargs": {
"claim_types_supported": [
"normal",
"aggregated",
"distributed",
],
"client_authn_method": ["bearer_header"],
},
},
},
"userinfo": {
"class": user_info.UserInfo,
"kwargs": {
"db_file": full_path("users.json")
},
},
# "client_authn": verify_client,
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"add_on": {
"custom_scopes": {
"function":
"oidcop.oidc.add_on.custom_scopes.add_custom_scopes",
"kwargs": {
"research_and_scholarship": [
"name",
"given_name",
"family_name",
"email",
"email_verified",
"sub",
"eduperson_scoped_affiliation",
]
},
}
},
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
endpoint_context = server.endpoint_context
endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
self.endpoint = server.server_get("endpoint", "userinfo")
self.session_manager = endpoint_context.session_manager
self.user_id = "diana"
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": {
"subject_types_supported": ["public", "pairwise", "ephemeral"],
"grant_types_supported": [
"authorization_code",
"implicit",
"urn:ietf:params:oauth:grant-type:jwt-bearer",
"refresh_token",
],
},
"token_handler_args": {
"jwks_def": {
"private_path": "private/token_jwks.json",
"read_only": False,
"key_defs": [{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"}],
},
"code": {"kwargs": {"lifetime": 600}},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {"essential": True},
"email_verified": {"essential": True},
}
},
},
},
"cookie_handler": {
"class": CookieHandler,
"kwargs": {"keys": {"key_defs": COOKIE_KEYDEFS}},
},
"keys": {"key_defs": KEYDEFS, "uri_path": "static/jwks.json"},
"endpoint": {
"registration": {
"path": "registration",
"class": Registration,
"kwargs": {"client_auth_method": None},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": ["query", "fragment", "form_post"],
"claim_types_supported": ["normal", "aggregated", "distributed",],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {"path": "userinfo", "class": UserInfo, "kwargs": {}},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
self.endpoint = server.server_get("endpoint", "registration")
def create_endpoint(self):
conf = {
"issuer": ISSUER,
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"add_on": {
"dpop": {
"function": "oidcop.oauth2.add_on.dpop.add_support",
"kwargs": {
"dpop_signing_alg_values_supported": ["ES256"]
}
},
},
"keys": {"uri_path": "jwks.json", "key_defs": KEYDEFS},
"token_handler_args": {
"jwks_file": "private/token_jwks.json",
"code": {"lifetime": 600},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"base_claims": {"eduperson_scoped_affiliation": None},
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"], },
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {"essential": True},
"email_verified": {"essential": True},
}
},
},
},
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"token": {
"path": "{}/token",
"class": Token,
"kwargs": {}},
},
"client_authn": verify_client,
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {"user": "******"},
}
},
"template_dir": "template",
"userinfo": {
"class": user_info.UserInfo,
"kwargs": {"db_file": "users.json"},
},
}
server = Server(OPConfiguration(conf, base_path=BASEDIR), keyjar=KEYJAR)
self.endpoint_context = server.endpoint_context
self.endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
self.user_id = "diana"
self.token_endpoint = server.server_get("endpoint", "token")
self.session_manager = self.endpoint_context.session_manager
def create_setup(self):
# First the RP
entity = Entity(
config={
'behaviour': {
'federation_types_supported': ['automatic']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
service_context = entity.get_service_context()
self.rp_federation_entity = FederationEntity(
entity_id=RP_ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=RP_ENTITY_ID)
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 3 services
self.discovery_service = FedProviderInfoDiscovery(entity.client_get)
self.registration_service = RPRegistration(entity.client_get)
# self.authorization_service = FedAuthorization(entity.client_get)
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "code"
},
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "refresh"
},
],
},
"code": {
"lifetime": 600
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime":
3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope":
True,
"aud": ["https://example.org/appl"]
},
},
"refresh": {
"lifetime": 86400
},
},
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"id_token": {
"class": IDToken,
"kwargs": {
"default_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": OPRegistration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
},
},
"pushed_authorization": {
"path": "pushed_authorization",
"class": PushedAuthorization,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {
"key_defs": COOKIE_KEYDEFS
},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman"
}
},
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
"where": ["pushed_authorization"]
}
}
}
}
server = Server(conf)
endpoint_context = server.get_endpoint_context()
_clients = yaml.safe_load(io.StringIO(client_yaml))
# endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.pushed_authorization_endpoint = server.server_get(
"endpoint", "pushed_authorization")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.registration_endpoint = server.server_get("endpoint",
"registration")
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
# federation_entity.keyjar.import_jwks(
# read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'),
# 'op.ntnu.no', 'jwks'),
# issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.authorization_endpoint.server_get(
"endpoint_context").federation_entity = federation_entity
