def init_oidc_op(app: Flask):
_op_config = app.srv_config.op
_fed_conf = _op_config.federation
if 'httpc_params' not in _fed_conf:
_fed_conf.httpc_params = get_http_params(_op_config.httpc_params)
op = FederationServer(_op_config, cwd=dir_path)
for endp in op.endpoint.values():
p = urlparse(endp.endpoint_path)
_vpath = p.path.split('/')
if _vpath[0] == '':
endp.vpath = _vpath[1:]
else:
endp.vpath = _vpath
return op
def create_endpoint(self):
# First the RP
_config = copy.deepcopy(RP_CONFIG)
_config['behaviour'] = {'federation_types_supported': ['explicit']}
entity = FederationRP(config=_config)
self.rp_federation_entity = entity.client_get(
"service_context").federation_entity
# The test data collector
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR,
httpd=HTTPC,
root_dir=os.path.join(BASE_PATH, 'base_data'))
# The RP has/supports 3 services
self.service = {
'discovery':
FedProviderInfoDiscovery(entity.client_get),
'registration':
Registration(entity.client_get),
'authorization':
FedAuthorization(entity.client_get,
conf={"request_object_expires_in": 300}),
}
# and now for the OP
_config = copy.copy(OP_CONF)
_config['add_on'] = {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
'client_registration_authn_methods_supported': {
"ar": ['request_object']
},
'where': ['authorization']
}
}
}
server = FederationServer(_config)
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.provider_endpoint = server.server_get("endpoint",
"provider_config")
federation_entity = server.server_get(
"endpoint_context").federation_entity
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
def create_endpoint(self):
# First the RP
_config = copy.deepcopy(RP_CONFIG)
_config['behaviour'] = {'federation_types_supported': ['explicit']}
entity = FederationRP(config=_config)
self.rp_federation_entity = entity.client_get(
"service_context").federation_entity
# The test data collector
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR,
httpd=HTTPC,
root_dir=os.path.join(BASE_PATH, 'base_data'))
entity._service = {
'discovery':
FedProviderInfoDiscovery(entity.client_get),
'registration':
Registration(entity.client_get),
'authorization':
FedAuthorization(entity.client_get,
conf={"request_object_expires_in": 300}),
}
self.rp = entity
# and now for the OP
_config = copy.copy(OP_CONF)
server = FederationServer(_config)
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.provider_endpoint = server.server_get("endpoint",
"provider_config")
federation_entity = server.server_get(
"endpoint_context").federation_entity
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
def create_endpoint(self):
# First the RP
entity = FederationRP(config=RP_CONFIG)
_fe = entity.client_get("service_context").federation_entity
# The test data collector
_fe.collector = DummyCollector(trusted_roots=ANCHOR,
httpd=HTTPC,
root_dir=os.path.join(
BASE_PATH, 'base_data'))
# The RP has/supports 3 services
self.service = {
'discovery': FedProviderInfoDiscovery(entity.client_get),
'registration': Registration(entity.client_get),
'authorization': FedAuthorization(entity.client_get),
}
# and now for the OP
server = FederationServer(OP_CONF, httpc=HTTPC)
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.provider_endpoint = server.server_get("endpoint",
"provider_config")
# === Federation stuff =======
federation_entity = server.server_get(
"endpoint_context").federation_entity
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
def create_endpoint(self):
conf = {
"issuer": ENTITY_ID,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
'keys': {
'key_defs': KEYSPEC,
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json"
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
}
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template',
"federation": {
"entity_id": ENTITY_ID,
'keys': {
'key_defs': KEYSPEC
},
"endpoint": {
"fetch": {
"path": "fetch",
"class": Fetch,
"kwargs": {
"client_authn_method": None
},
}
},
"trusted_roots": ANCHOR,
"authority_hints": ['https://feide.no'],
"entity_type": 'openid_relying_party',
"opponent_entity_type": 'openid_provider'
}
}
server = FederationServer(conf)
self.endpoint = server.server_get('endpoint', 'provider_config')
server.endpoint_context.federation_entity.collector = DummyCollector(
httpd=Publisher(os.path.join(BASE_PATH, 'data')),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
def create_endpoint(self):
try:
shutil.rmtree('storage')
except FileNotFoundError:
pass
conf = {
"issuer": ENTITY_ID,
"password": "******",
"claims_interface": {"class": "oidcop.session.claims.ClaimsInterface", "kwargs": {}},
"verify_ssl": False,
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {"client_authn_method": None},
},
},
"token_handler_args": {
"jwks_def": {
"private_path": "private/token_jwks.json",
"read_only": False,
"key_defs": [
{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"},
{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "token"},
{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "refresh"}
],
},
"code": {"kwargs": {"lifetime": 600}},
"token": {"kwargs": {"lifetime": 3600}},
"refresh": {"kwargs": {"lifetime": 3600}},
},
"keys": {
'key_defs': KEYSPEC,
"private_path": full_path("own/jwks.json"),
"uri_path": full_path("static/jwks.json")
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {"user": "******"}
}
},
'template_dir': 'template',
'federation': {
'entity_id': ENTITY_ID,
'signing_keys': {
'private_path': full_path('private/fed_keys.json'),
'key_defs': KEYSPEC,
'public_path': full_path('static/fed_keys.json'),
'read_only': False
},
"endpoint": {
"fetch": {
"path": "fetch",
"class": Fetch,
"kwargs": {"client_authn_method": None},
}
},
'priority': [],
'entity_type': 'openid_provider',
'opponent_entity_type': 'openid_relying_party',
'registration_type': 'explicit'
}
}
conf['federation']['trusted_roots'] = full_path('trusted_roots.json')
conf['federation']['authority_hints'] = full_path('authority_hints.json')
server = FederationServer(conf)
self.endpoint = server.server_get("endpoint", "provider_config")
def create_setup(self):
# First the RP
config = {
'behaviour': {
'federation_types_supported': ['automatic']
},
'issuer': "https://op.ntnu.no",
'keys': {'key_defs': KEYSPEC},
"federation": {
"endpoint": {
"fetch": {
"path": "fetch",
"class": Fetch,
"kwargs": {"client_authn_method": None},
}
},
'entity_id': RP_ENTITY_ID,
"trusted_roots": ANCHOR,
"authority_hints": ['https://ntnu.no'],
"entity_type": 'openid_relying_party',
"opponent_entity_type": 'openid_provider'
}
}
self.entity = FederationRP(config=config)
service_context = self.entity.get_service_context()
service_context.federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
# The RP has/supports 2 services
self.discovery_service = FedProviderInfoDiscovery(self.entity.client_get)
self.registration_service = RPRegistration(self.entity.client_get)
# self.authorization_service = FedAuthorization(entity.client_get)
# and now for the OP
op_entity_id = "https://op.ntnu.no"
op_conf = {
"issuer": op_entity_id,
"password": "******",
"token_handler_args": {
"jwks_def": {
"private_path": "private/token_jwks.json",
"read_only": False,
"key_defs": [
{"type": "oct", "bytes": 24, "use": ["enc"], "kid": "code"},
{"type": "oct", "bytes": 24, "use": ["enc"], "kid": "refresh"},
],
},
"code": {"lifetime": 600},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope": True,
"aud": ["https://example.org/appl"]
},
},
"refresh": {"lifetime": 86400},
},
"claims_interface": {"class": "oidcop.session.claims.ClaimsInterface", "kwargs": {}},
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYSPEC},
"id_token": {
"class": IDToken,
"kwargs": {
"default_claims": {
"email": {"essential": True},
"email_verified": {"essential": True},
}
},
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": OPRegistration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [
" ".join(x) for x in RESPONSE_TYPES_SUPPORTED
],
"response_modes_supported": ["query", "fragment", "form_post"],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
},
"pushed_authorization": {
"path": "pushed_authorization",
"class": PushedAuthorization,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {"user": "******"},
}
},
"template_dir": "template",
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {"key_defs": COOKIE_KEYDEFS},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman"
}
},
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
"where": ["pushed_authorization"]
}
}
},
"federation": {
"endpoint": {
"fetch": {
"path": "fetch",
"class": Fetch,
"kwargs": {"client_authn_method": None},
}
},
"entity_id": op_entity_id,
"trusted_roots": ANCHOR,
"authority_hints": ['https://ntnu.no'],
"entity_type": 'openid_relying_party',
"opponent_entity_type": 'openid_relying_party'
}
}
server = FederationServer(conf=op_conf)
endpoint_context = server.get_endpoint_context()
# _clients = yaml.safe_load(io.StringIO(client_yaml))
# endpoint_context.cdb = _clients["oidc_clients"]
# store keys under my own ID
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), op_conf["issuer"]
)
self.pushed_authorization_endpoint = server.server_get("endpoint", "pushed_authorization")
self.authorization_endpoint = server.server_get("endpoint", "authorization")
self.registration_endpoint = server.server_get("endpoint", "registration")
endpoint_context.federation_entity.collector = DummyCollector(
httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)