def client_info_endpoint(self, method="GET", **kwargs):
"""
Operations on this endpoint are switched through the use of different
HTTP methods
:param method: HTTP method used for the request
:param kwargs: keyword arguments
:return: A Response instance
"""
_query = compact(parse_qs(kwargs['query']))
try:
_id = _query["client_id"]
except KeyError:
return BadRequest("Missing query component")
if _id not in self.cdb:
return Unauthorized()
# authenticated client
try:
self.verify_client(kwargs['environ'],
kwargs['request'],
"bearer_header",
client_id=_id)
except (AuthnFailure, UnknownAssertionType):
return Unauthorized()
if method == "GET":
return self.client_info(_id)
elif method == "PUT":
try:
_request = ClientUpdateRequest().from_json(kwargs['request'])
except ValueError as err:
return BadRequest(str(err))
try:
_request.verify()
except InvalidRedirectUri as err:
msg = ClientRegistrationError(error="invalid_redirect_uri",
error_description="%s" % err)
return BadRequest(msg.to_json(), content="application/json")
except (MissingPage, VerificationError) as err:
msg = ClientRegistrationError(error="invalid_client_metadata",
error_description="%s" % err)
return BadRequest(msg.to_json(), content="application/json")
try:
self.client_info_update(_id, _request)
return self.client_info(_id)
except ModificationForbidden:
return Forbidden()
elif method == "DELETE":
try:
del self.cdb[_id]
except KeyError:
return Unauthorized()
else:
return NoContent()
def exception_to_error_mesg(excep):
if isinstance(excep, PyoidcError):
if excep.content_type:
if isinstance(excep.args, tuple):
resp = BadRequest(excep.args[0], content=excep.content_type)
else:
resp = BadRequest(excep.args, content=excep.content_type)
else:
resp = BadRequest()
else:
err = ErrorResponse(error='service_error',
error_description='{}:{}'.format(
excep.__class__.__name__, excep.args))
resp = BadRequest(err.to_json(), content='application/json')
return resp
def registration_endpoint(self, **kwargs):
"""
:param request: The request
:param authn: Client authentication information
:param kwargs: extra keyword arguments
:return: A Response instance
"""
_request = RegistrationRequest().deserialize(kwargs['request'], "json")
try:
_request.verify(keyjar=self.keyjar)
except InvalidRedirectUri as err:
msg = ClientRegistrationError(error="invalid_redirect_uri",
error_description="%s" % err)
return BadRequest(msg.to_json(), content="application/json")
except (MissingPage, VerificationError) as err:
msg = ClientRegistrationError(error="invalid_client_metadata",
error_description="%s" % err)
return BadRequest(msg.to_json(), content="application/json")
# If authentication is necessary at registration
if self.authn_at_registration:
try:
self.verify_client(kwargs['environ'], _request,
self.authn_at_registration)
except (AuthnFailure, UnknownAssertionType):
return Unauthorized()
client_restrictions = {}
if 'parsed_software_statement' in _request:
for ss in _request['parsed_software_statement']:
client_restrictions.update(self.consume_software_statement(ss))
del _request['software_statement']
del _request['parsed_software_statement']
try:
client_id = self.create_new_client(_request, client_restrictions)
except CapabilitiesMisMatch as err:
msg = ClientRegistrationError(error="invalid_client_metadata",
error_description="%s" % err)
return BadRequest(msg.to_json(), content="application/json")
except RestrictionError as err:
msg = ClientRegistrationError(error="invalid_client_metadata",
error_description="%s" % err)
return BadRequest(msg.to_json(), content="application/json")
return self.client_info(client_id)
def revocation_endpoint(self, authn='', request=None, **kwargs):
"""
Implements RFC7009 allows a client to invalidate an access or refresh
token.
:param authn: Client Authentication information
:param request: The revocation request
:param kwargs:
:return:
"""
trr = TokenRevocationRequest().deserialize(request, "urlencoded")
resp = self.get_token_info(authn, trr, 'revocation_endpoint')
if isinstance(resp, Response):
return resp
else:
client_id, token_type, _info = resp
logger.info('{} token revocation: {}'.format(client_id, trr.to_dict()))
try:
self.sdb.token_factory[token_type].invalidate(trr['token'])
except KeyError:
return BadRequest()
else:
return Response('OK')
def verify_endpoint(self, request="", cookie=None, **kwargs):
_req = parse_qs(request)
try:
areq = parse_qs(_req["query"][0])
except KeyError:
return BadRequest('Could not verify endpoint')
authn, acr = self.pick_auth(areq=areq)
kwargs["cookie"] = cookie
return authn.verify(_req, **kwargs)
def client_info(self, client_id):
_cinfo = self.cdb[client_id].copy()
if not valid_client_info(_cinfo):
err = ErrorResponse(error="invalid_client",
error_description="Invalid client secret")
return BadRequest(err.to_json(), content="application/json")
try:
_cinfo["redirect_uris"] = self._tuples_to_uris(
_cinfo["redirect_uris"])
except KeyError:
pass
msg = ClientInfoResponse(**_cinfo)
return Response(msg.to_json(), content="application/json")
def get_token_info(self, authn, req, endpoint):
"""
:param authn:
:param req:
:return:
"""
try:
client_id = self.client_authn(self, req, authn)
except FailedAuthentication as err:
logger.error(err)
err = TokenErrorResponse(error="unauthorized_client",
error_description="%s" % err)
return Response(err.to_json(),
content="application/json",
status="401 Unauthorized")
logger.debug('{}: {} requesting {}'.format(endpoint, client_id,
req.to_dict()))
try:
token_type = req['token_type_hint']
except KeyError:
try:
_info = self.sdb.token_factory['access_token'].info(
req['token'])
except KeyError:
try:
_info = self.sdb.token_factory['refresh_token'].get_info(
req['token'])
except KeyError:
raise
else:
token_type = 'refresh_token'
else:
token_type = 'access_token'
else:
try:
_info = self.sdb.token_factory[token_type].get_info(
req['token'])
except KeyError:
raise
if not self.token_access(endpoint, client_id, _info):
return BadRequest()
return client_id, token_type, _info
def _complete_authz(self, user, areq, sid, **kwargs):
_log_debug = logger.debug
_log_debug("- in authenticated() -")
# Do the authorization
try:
permission = self.authz(user, client_id=areq['client_id'])
self.sdb.update(sid, "permission", permission)
except Exception:
raise
_log_debug("response type: %s" % areq["response_type"])
if self.sdb.is_revoked(sid):
return error_response("access_denied", descr="Token is revoked")
try:
info = self.create_authn_response(areq, sid)
except UnSupported as err:
return error_response(*err.args)
if isinstance(info, Response):
return info
else:
aresp, fragment_enc = info
try:
redirect_uri = self.get_redirect_uri(areq)
except (RedirectURIError, ParameterError) as err:
return BadRequest("%s" % err)
# Must not use HTTP unless implicit grant type and native application
info = self.aresp_check(aresp, areq)
if isinstance(info, Response):
return info
headers = []
try:
_kaka = kwargs["cookie"]
except KeyError:
pass
else:
if _kaka:
if isinstance(_kaka, dict):
for name, val in _kaka.items():
_c = SimpleCookie()
_c[name] = val
_x = _c.output()
if PY2:
_x = str(_x)
headers.append(tuple(_x.split(": ", 1)))
else:
_c = SimpleCookie()
_c.load(_kaka)
for x in _c.output().split('\r\n'):
if PY2:
x = str(x)
headers.append(tuple(x.split(": ", 1)))
if self.cookie_name not in _kaka: # Don't overwrite
header = self.cookie_func(user, typ="sso", ttl=self.sso_ttl)
if header:
headers.append(header)
else:
header = self.cookie_func(user, typ="sso", ttl=self.sso_ttl)
if header:
headers.append(header)
# Now about the response_mode. Should not be set if it's obvious
# from the response_type. Knows about 'query', 'fragment' and
# 'form_post'.
if "response_mode" in areq:
try:
resp = self.response_mode(areq, fragment_enc, aresp=aresp,
redirect_uri=redirect_uri,
headers=headers)
except InvalidRequest as err:
return error_response("invalid_request", str(err))
else:
if resp is not None:
return resp
return aresp, headers, redirect_uri, fragment_enc
def auth_init(self, request, request_class=AuthorizationRequest):
"""
:param request: The AuthorizationRequest
:return:
"""
logger.debug("Request: '%s'" % sanitize(request))
# Same serialization used for GET and POST
try:
areq = self.server.parse_authorization_request(
request=request_class, query=request)
except (MissingRequiredValue, MissingRequiredAttribute,
AuthzError) as err:
logger.debug("%s" % err)
areq = request_class()
areq.lax = True
if isinstance(request, dict):
areq.from_dict(request)
else:
areq.deserialize(request, "urlencoded")
try:
redirect_uri = self.get_redirect_uri(areq)
except (RedirectURIError, ParameterError, UnknownClient) as err:
return error_response("invalid_request", "%s" % err)
try:
_rtype = areq["response_type"]
except KeyError:
_rtype = ["code"]
try:
_state = areq["state"]
except KeyError:
_state = ''
return redirect_authz_error("invalid_request", redirect_uri,
"%s" % err, _state, _rtype)
except KeyError:
areq = request_class().deserialize(request, "urlencoded")
# verify the redirect_uri
try:
self.get_redirect_uri(areq)
except (RedirectURIError, ParameterError) as err:
return error_response("invalid_request", "%s" % err)
except Exception as err:
message = traceback.format_exception(*sys.exc_info())
logger.error(message)
logger.debug("Bad request: %s (%s)" % (err, err.__class__.__name__))
err = ErrorResponse(error='invalid_request',
error_description=str(err))
return BadRequest(err.to_json(), content='application/json')
if not areq:
logger.debug("No AuthzRequest")
return error_response("invalid_request", "Can not parse AuthzRequest")
areq = self.filter_request(areq)
if self.events:
self.events.store('Protocol request', areq)
try:
_cinfo = self.cdb[areq['client_id']]
except KeyError:
logger.error(
'Client ID ({}) not in client database'.format(
areq['client_id']))
return error_response('unauthorized_client', 'unknown client')
else:
try:
_registered = [set(rt.split(' ')) for rt in
_cinfo['response_types']]
except KeyError:
# If no response_type is registered by the client then we'll
# code which it the default according to the OIDC spec.
_registered = [{'code'}]
_wanted = set(areq["response_type"])
if _wanted not in _registered:
return error_response("invalid_request", "Trying to use unregistered response_typ")
logger.debug("AuthzRequest: %s" % (sanitize(areq.to_dict()),))
try:
redirect_uri = self.get_redirect_uri(areq)
except (RedirectURIError, ParameterError, UnknownClient) as err:
return error_response("invalid_request", "{}:{}".format(err.__class__.__name__, err))
try:
keyjar = self.keyjar
except AttributeError:
keyjar = ""
try:
# verify that the request message is correct
areq.verify(keyjar=keyjar, opponent_id=areq["client_id"])
except (MissingRequiredAttribute, ValueError,
MissingRequiredValue) as err:
return redirect_authz_error("invalid_request", redirect_uri,
"%s" % err)
return {"areq": areq, "redirect_uri": redirect_uri}