def web_flow(ctx):
client = Client(client_authn_method=CLIENT_AUTHN_METHOD)
issuer = f"{settings.AUTH_DEFAULT_HOST}/auth/realms/unikube"
client.provider_config(issuer)
state = rndstr()
nonce = rndstr()
# 1. run callback server
from unikube.authentication.web import run_callback_server
port = run_callback_server(state, nonce, client, ctx)
# 2. send to login with redirect url.
args = {
"client_id": "cli",
"response_type": ["token"],
"response_mode": "form_post",
"scope": ["openid"],
"nonce": nonce,
"state": state,
"redirect_uri": f"http://localhost:{port}",
}
auth_req = client.construct_AuthorizationRequest(request_args=args)
login_url = auth_req.request(client.authorization_endpoint)
console.info("If your Browser does not open automatically, go to the following URL and login:")
console.link(login_url)
click.launch(login_url)
return True
def get_proxy_token(refresh_token_data, *,
user_agent=constants.USER_AGENT,
scope=constants.FXA_PROXY_SCOPE,
resource=constants.DEFAULT_PROXY_URL,
ttl=constants.FXA_EXP_TOKEN_TIME,
timeout=10.):
client = Client(client_authn_method=None)
provider_info = client.provider_config(constants.FXA_PROVIDER_URL)
token_endpoint = client.token_endpoint
#return resp.to_dict()
http_req = urllib.request.Request(
token_endpoint,
data=json.dumps({
"client_id": constants.CLIENT_ID,
"grant_type": "refresh_token",
"refresh_token": refresh_token_data["refresh_token"],
"scope": scope,
"ttl": ttl,
"ppid_seed": random.randrange(1024),
"resource": resource,
}).encode('ascii'),
headers={
"User-Agent": user_agent,
"Content-Type": "application/json",
}
)
with urllib.request.urlopen(http_req, None, timeout) as resp:
coding = resp.headers.get_content_charset()
coding = coding if coding is not None else 'utf-8-sig'
decoder = codecs.getreader(coding)(resp)
res = json.load(decoder)
res["received_at"] = int(time.time())
return res
def test_sign_enc_request(self):
cli = Client()
cli.redirect_uris = ["http://www.example.org/authz"]
cli.client_id = "client_1"
for kb in self.server.keyjar.issuer_keys[""]:
_jwks = kb.jwks()
_keys = [k for k in json.loads(_jwks)["keys"]
if k["use"] in ["ver"]]
_kb = KeyBundle(_keys)
cli.keyjar.add_kb(self.server.name, _kb)
_kb = keybundle_from_local_file("%s/rsa.pub" % BASE_PATH, "RSA", ["enc"])
cli.keyjar.add_kb(self.server.name, _kb)
request_args = {"redirect_uri": cli.redirect_uris[0],
"client_id": cli.client_id,
"scope": "openid",
"response_type": "code"}
kwargs = {"request_object_signing_alg": "none",
"request_object_encryption_alg": "RSA1_5",
"request_object_encryption_enc": "A128CBC-HS256",
"request_method": "parameter",
"target": self.server.name}
areq = cli.construct_AuthorizationRequest(request_args=request_args,
**kwargs)
assert areq
assert areq["request"]
def access_token_request(request):
client = Client(client_id=CLIENT__OAUTH2KEY, client_authn_method={"client_secret_post": ClientSecretPost})
raw_response = json.dumps(dict(request.GET))
aresp = client.parse_response(AuthorizationResponse, info=raw_response) # , sformat="urlencoded")
arespdata_state = aresp["state"]
sessiondata_state = request.session["state"]
logger.debug(" auth (2) %s" % (arespdata_state))
if arespdata_state == sessiondata_state:
code = aresp["code"]
params = {
"token_endpoint": WSO2IS__TOKENENDPOINT,
"code": code,
"client_id": CLIENT__OAUTH2KEY,
"client_secret": CLIENT__OAUTH2SECRET,
"redirect_uri": CLIENT__REDIRECTURL,
}
result = client.do_access_token_request(
scope=["openid"], state=arespdata_state, request_args=params, authn_method="client_secret_post"
)
user_data = result["id_token"]["sub"]
document_id = user_data[: user_data.find("@")]
logger.debug(" auth (3) %s [doc=%s]" % (arespdata_state, document_id))
return HttpResponse("User authenticated {}".format(document_id))
else:
return HttpResponse("Error: invalid parameters sent to authorization endpoint.")
def test_construct_UserInfoRequest():
cli = Client()
cli.userinfo_endpoint = "https://example.org/oauth2/userinfo"
uir = cli.construct_UserInfoRequest(request_args={"access_token": "access_token"})
print uir
assert ("%s" % uir) == "access_token=access_token"
def pedir_token(request):
cliente = Client(
client_id=llave,
client_authn_method={"client_secret_post": ClientSecretPost}
)
respuesta_cruda = json.dumps(dict(request.GET))
respuesta = cliente.parse_response(AuthorizationResponse, info=respuesta_cruda)
estado_recibido = respuesta['state']
estado_almacenado = request.session['estado']
if estado_recibido == estado_almacenado:
codigo = respuesta['code']
parametros = {
"token_endpoint": endpoint_token,
"code": codigo,
"client_id": llave,
"client_secret": secreto,
"redirect_uri": callback
}
resultado = cliente.do_access_token_request(
scope = ["openid"],
state = estado_recibido,
request_args = parametros,
authn_method = "client_secret_post"
)
usuario = resultado['id_token']['sub']
cedula = usuario[:usuario.find('@')]
return HttpResponse("Bienvenido, usuario {}".format(cedula))
else:
return HttpResponse("Error: el estado enviado al endpoint de autorizacion no corresponde con el recibido.")
def test_construct_CheckSessionRequest():
cli = Client()
cli.check_session_endpoint = "https://example.org/oauth2/check_session"
csr = cli.construct_CheckSessionRequest(request_args={"id_token": "id_token"})
print csr
assert ("%s" % csr) == "id_token=id_token"
def _configure_client(self):
config_file_path = JwtAuthenticationMethod.openid_client_config_path()
if not os.path.exists(config_file_path):
logger.info(
'OpenID Connect configuration ({}) not found, JWT'
' authentication is disabled'.format(config_file_path)
)
return
with open(config_file_path) as fp:
config = json.loads(fp.read())
self._client = Client(
client_authn_method=CLIENT_AUTHN_METHOD,
verify_ssl='/etc/pki/tls/certs/ca-bundle.crt'
)
self._client.provider_config(config['issuer'])
client_registration = RegistrationResponse(
client_id=config['client_id'],
client_secret=config['client_secret']
)
self._client.store_registration_info(client_registration)
def __init__(self, provider_configuration, redirect_uri):
"""
Args:
provider_configuration (flask_pyoidc.provider_configuration.ProviderConfiguration)
"""
self._provider_configuration = provider_configuration
self._client = Client(client_authn_method=CLIENT_AUTHN_METHOD,
settings=provider_configuration.client_settings)
# Token Introspection is implemented under extension sub-package of
# the client in pyoidc.
self._client_extension = ClientExtension(
client_authn_method=CLIENT_AUTHN_METHOD,
settings=provider_configuration.client_settings)
# Client Credentials Flow is implemented under oauth2 sub-package of
# the client in pyoidc.
self._oauth2_client = Oauth2Client(
client_authn_method=CLIENT_AUTHN_METHOD,
message_factory=CCMessageFactory,
settings=self._provider_configuration.client_settings)
provider_metadata = provider_configuration.ensure_provider_metadata(
self._client)
self._client.handle_provider_config(
ProviderConfigurationResponse(**provider_metadata.to_dict()),
provider_metadata['issuer'])
if self._provider_configuration.registered_client_metadata:
client_metadata = self._provider_configuration.registered_client_metadata.to_dict(
)
client_metadata.update(redirect_uris=list(redirect_uri))
self._store_registration_info(client_metadata)
self._redirect_uri = redirect_uri
def init_app(self, app):
try:
self.client_id = app.config["NHS_OIDC_CLIENT_ID"]
self.authorization_callback_url = app.config[
"NHS_OIDC_LOGIN_CALLBACK_URL"]
self.registration_callback_url = app.config[
"NHS_OIDC_REGISTRATION_CALLBACK_URL"]
self.scopes = [
"openid", "profile", "email", "phone", "profile_extended"
]
self.vtr = '["P5.Cp.Cd", "P5.Cp.Ck", "P5.Cm"]'
self.authority_url = app.config["NHS_OIDC_AUTHORITY_URL"]
except ValueError as e:
raise ValueError(f"Missing NHS OIDC configuration: {e!r}")
self.client = Client(client_id=self.client_id,
client_authn_method=CLIENT_AUTHN_METHOD)
self.client.provider_config(self.authority_url)
self.private_key = app.config["NHS_OIDC_LOGIN_PRIVATE_KEY"]
if not self.private_key:
private_key_path = app.config["NHS_OIDC_LOGIN_PRIVATE_KEY_PATH"]
if not os.stat(private_key_path):
raise ValueError(
f"Missing private key file. Expected private key file at {self.private_key_path!r}"
)
with open(private_key_path) as key_file:
self.private_key = key_file.read()
def pedir_token(request):
cliente = Client(
client_id=llave,
client_authn_method={"client_secret_post": ClientSecretPost})
respuesta_cruda = json.dumps(dict(request.GET))
respuesta = cliente.parse_response(AuthorizationResponse,
info=respuesta_cruda)
estado_recibido = respuesta['state']
estado_almacenado = request.session['estado']
if estado_recibido == estado_almacenado:
codigo = respuesta['code']
parametros = {
"token_endpoint": endpoint_token,
"code": codigo,
"client_id": llave,
"client_secret": secreto,
"redirect_uri": callback
}
resultado = cliente.do_access_token_request(
scope=["openid"],
state=estado_recibido,
request_args=parametros,
authn_method="client_secret_post")
usuario = resultado['id_token']['sub']
cedula = usuario[:usuario.find('@')]
return HttpResponse("Bienvenido, usuario {}".format(cedula))
else:
return HttpResponse(
"Error: el estado enviado al endpoint de autorizacion no corresponde con el recibido."
)
def test_userinfo_request():
cli = Client()
cli.userinfo_endpoint = "http://example.com/userinfo"
info = ARESP.to_urlencoded()
cli.parse_response(AuthorizationResponse, info,
sformat="urlencoded", state="state0")
cli.parse_response(AccessTokenResponse, TRESP.to_json(), state="state0")
path, body, method, h_args = cli.user_info_request(state="state0")
assert path == "http://example.com/userinfo?access_token=access_token"
assert method == "GET"
assert body is None
assert h_args == {}
path, body, method, h_args = cli.user_info_request(method="POST",
state="state0")
assert path == "http://example.com/userinfo"
assert method == "POST"
assert body == "access_token=access_token"
assert h_args == {'headers': {
'Content-type': 'application/x-www-form-urlencoded'}}
path, body, method, h_args = cli.user_info_request(method="POST",
state="state0")
assert path == "http://example.com/userinfo"
assert method == "POST"
assert body == "access_token=access_token"
assert h_args == {'headers': {
'Content-type': 'application/x-www-form-urlencoded'}}
def make_authentication_request():
print ('create authentication request')
# consider storing a hash in state
# what to hash in state might include cookie data, time, salt, etc...
# force login in order to work around the Azure AD issue where a user may be logged in to the wrong domain.
# Set prompt=login in the implicit flow request to force a new login
state = rndstr()
nounce = rndstr()
request_args = {
"response_type": "id_token code",
"response_mode": "form_post",
"state": state,
"nonce": nounce,
"prompt": "login",
"redirect_uri": Settings.auth_redirect_url,
"scope":"openid profile"
}
print (Settings.auth_client_id)
client = Client(Settings.auth_client_id)
auth_req = client.construct_AuthorizationRequest(request_args = request_args)
provider_url = Settings.auth_provider_url
if Settings.auth_tenant is not None:
provider_url = provider_url.replace("{{tenant}}", Settings.auth_tenant)
login_url = auth_req.request(provider_url)
print(login_url)
return redirect(login_url)
def get_client():
"""Method that prepare the oidc client.
This method use lru_cache in order call the OIDC provider once
per thread
Today we only support OIDC providers (ISSUER) that expose a
/.well-known/openid-configuration route
At the moment to authenticate the RP to the OIDC provider we only
support through client_id/secret_ID/rp_callback attributes.
You must configure OIDC in AnyBlok configuration:
* **oidc-provider-issuer**: The OIDC Provider urls
(ie: https://gitlab.com)
* **oidc-relying-party-callback**: The Relaying Party callback, once
the user is authenticate against the OIDC provider he will be redirect
to that uri to the RP service (ie: http://localhost:8080/callback).
In general this value is also configured in your OIDC provider to
avoid redirection issues.
* **oidc-relying-party-client-id**: The client id provide by your OIDC
provider
* **oidc-relying-party-secret-id**: The secret id provide by your OIDC
provider
And optionally:
* **oidc-scope**: Specify what access privileges are being requested for
Access Tokens. `cf Requesting claims using scope values
<https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims`_.
a list of claims using coma separator. (default value: `openid,email`)
* **oidc-userinfo-field**: Specify which field to use from the response
of the OIDC provider `userinfo endpoint <https://openid.net/specs/
openid-connect-core-1_0.html#UserInfoResponse>`_. To make sure
it's a known user. (default value: `email`).
"""
client = Client(client_authn_method=CLIENT_AUTHN_METHOD)
for config in [
"oidc_provider_issuer",
"oidc_relying_party_client_id",
"oidc_relying_party_secret_id",
"oidc_relying_party_callback",
]:
if Configuration.get(config, None) is None:
raise ValueError("You must provide {} parameter".format(config))
provider_info = client.provider_config(
Configuration.get("oidc_provider_issuer"))
info = {
"client_id": Configuration.get("oidc_relying_party_client_id"),
"client_secret": Configuration.get("oidc_relying_party_secret_id"),
"redirect_uris": [Configuration.get("oidc_relying_party_callback")],
}
info.update(provider_info._dict)
client_reg = RegistrationResponse(**info)
client.store_registration_info(client_reg)
return client
def __init__(self, client_id=None, ca_certs=""):
Client.__init__(self, client_id, ca_certs)
self.request2endpoint = REQUEST2ENDPOINT.copy()
self.request2endpoint["UserClaimsRequest"] = "userclaims_endpoint"
self.response2error = RESPONSE2ERROR.copy()
self.response2error["UserClaimsResponse"] = ["ErrorResponse"]
def __init__(self, client_id=None, ca_certs=""):
Client.__init__(self, client_id, ca_certs)
self.request2endpoint = REQUEST2ENDPOINT.copy()
self.request2endpoint["UserClaimsRequest"] = "userclaims_endpoint"
self.response2error = RESPONSE2ERROR.copy()
self.response2error["UserClaimsResponse"] = ["ErrorResponse"]
def __init__(self, client_id=None, verify_ssl=True):
Client.__init__(self, client_id, verify_ssl=verify_ssl)
self.request2endpoint = REQUEST2ENDPOINT.copy()
self.request2endpoint["UserClaimsRequest"] = "userclaims_endpoint"
self.response2error = RESPONSE2ERROR.copy()
self.response2error["UserClaimsResponse"] = ["ErrorResponse"]
def test_construct_CheckSessionRequest():
cli = Client()
cli.check_session_endpoint = "https://example.org/oauth2/check_session"
csr = cli.construct_CheckSessionRequest(
request_args={"id_token": "id_token"})
print csr
assert ("%s" % csr) == 'id_token=id_token'
def test_construct_UserInfoRequest():
cli = Client()
cli.userinfo_endpoint = "https://example.org/oauth2/userinfo"
uir = cli.construct_UserInfoRequest(
request_args={"access_token": "access_token"})
print uir
assert ("%s" % uir) == "access_token=access_token"
def test_assertion_jwt():
cli = Client("Foo")
cli.client_secret = "secert"
at = oic.assertion_jwt(cli, {}, audience="audience", algorithm="none")
print at
header, claim, crypto, header_b64, claim_b64 = unpack(at)
jso = json.loads(claim)
assert _eq(jso.keys(), ["aud", "iss", "prn", "jti", "exp", "iat"])
def __init__(self, client_id=None, verify_ssl=True):
Client.__init__(self, client_id, verify_ssl=verify_ssl)
self.request2endpoint = REQUEST2ENDPOINT.copy()
self.request2endpoint["UserClaimsRequest"] = "userclaims_endpoint"
self.response2error = RESPONSE2ERROR.copy()
self.response2error["UserClaimsResponse"] = ["ErrorResponse"]
def prepare_client():
# http://pyoidc.readthedocs.io/en/latest/examples/rp.html
# Instantiate a client
client = Client(client_authn_method=CLIENT_AUTHN_METHOD)
# Register the OP
# endpoints are now loaded from a json file rather than defined here
# DEV endpoints
# issuer = "https://unity.eudat-aai.fz-juelich.de:443"
# authorization_endpoint = "https://unity.eudat-aai.fz-juelich.de:443/oauth2-as/oauth2-authz"
# token_endpoint = "https://unity.eudat-aai.fz-juelich.de:443/oauth2/token"
# userinfo_endpoint = "https://unity.eudat-aai.fz-juelich.de:443/oauth2/userinfo"
# PROD endpoints
# issuer = "https://b2access.eudat.eu:443"
# authorization_endpoint = "https://b2access.eudat.eu:443/oauth2-as/oauth2-authz"
# token_endpoint = "https://b2access.eudat.eu:443/oauth2/token"
# userinfo_endpoint = "https://b2access.eudat.eu:443/oauth2/userinfo"
try:
dir = os.path.dirname(__file__)
provider_endpoints = json.load(open(dir + '/provider_endpoints.json'))
issuer = provider_endpoints['issuer']
authorization_endpoint = provider_endpoints['authorization_endpoint']
token_endpoint = provider_endpoints['token_endpoint']
userinfo_endpoint = provider_endpoints['userinfo_endpoint']
except:
print "Error when reading provider_endpoints.json"
stdlogger.error("Error when reading provider_endpoints.json")
issuer = "error"
authorization_endpoint = "error"
token_endpoint = "error"
userinfo_endpoint = "error"
op_info = ProviderConfigurationResponse(issuer=issuer, authorization_endpoint=authorization_endpoint, token_endpoint=token_endpoint, userinfo_endpoint=userinfo_endpoint)
client.provider_info = op_info
# Set our credentials (that we got from manually registering to B2Access), as well as the redirect URI
try:
dir = os.path.dirname(__file__)
client_credentials = json.load(open(dir + '/client_credentials.json'))
id = client_credentials['client_id']
secret = client_credentials['client_secret']
uri = client_credentials['client_redirect_uri']
except:
print "Error when reading client_credential.json"
stdlogger.error("Error when reading client_credential.json")
id = "error"
secret = "error"
uri = "error"
# /!\ Added the redirect URI here, else it's not defined later (in args ={[...] client.registration_response["redirect_uris"][0])
uris = [uri]
info = {"client_id": id, "client_secret": secret, "redirect_uris": uris}
client_reg = RegistrationResponse(**info)
client.store_registration_info(client_reg)
return client
def test_get_access_token_request():
resp = AuthorizationResponse(code="code", state="state")
grant = Grant(1)
grant.add_code(resp)
client = Client()
client.grant["openid"] = grant
time.sleep(2)
raises(GrantExpired, 'client.construct_AccessTokenRequest(state="openid")')
def setup_class(self):
self.client = Client(CLIENT_ID,
client_authn_method=CLIENT_AUTHN_METHOD)
self.client.redirect_uris = ["http://example.com/redirect"]
self.client.client_secret = CLIENT_SECRET
self.client.keyjar[""] = KC_RSA
self.client.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
self._state = ""
def test_get_access_token_request():
resp = AuthorizationResponse(code="code", state="state")
grant = Grant(1)
grant.add_code(resp)
client = Client()
client.grant["openid"] = grant
time.sleep(2)
raises(GrantExpired, 'client.construct_AccessTokenRequest(state="openid")')
def test_userinfo_request():
cli = Client()
cli.userinfo_endpoint = "http://example.com/userinfo"
info = ARESP.to_urlencoded()
cli.parse_response(AuthorizationResponse, info,
sformat="urlencoded", state="state0")
cli.parse_response(AccessTokenResponse, TRESP.to_json(), state="state0")
path, body, method, h_args = cli.user_info_request(state="state0")
assert path == "http://example.com/userinfo?access_token=access_token"
assert method == "GET"
assert body is None
assert h_args == {}
path, body, method, h_args = cli.user_info_request(method="POST",
state="state0")
assert path == "http://example.com/userinfo"
assert method == "POST"
assert body == "access_token=access_token"
assert h_args == {'headers': {
'content-type': 'application/x-www-form-urlencoded'}}
path, body, method, h_args = cli.user_info_request(method="POST",
state="state0")
assert path == "http://example.com/userinfo"
assert method == "POST"
assert body == "access_token=access_token"
assert h_args == {'headers': {
'content-type': 'application/x-www-form-urlencoded'}}
def init_oidc_client(app):
oidc_client = Client(client_authn_method=CLIENT_AUTHN_METHOD)
oidc_client.store_registration_info(RegistrationRequest(**app.config['CLIENT_REGISTRATION_INFO']))
provider = app.config['PROVIDER_CONFIGURATION_INFO']['issuer']
try:
oidc_client.provider_config(provider)
except ConnectionError as e:
app.logger.critical('No connection to provider {!s}. Can not start without provider configuration.'.format(
provider))
raise e
return oidc_client
def test_client_get_grant():
cli = Client()
resp = AuthorizationResponse(code="code", state="state")
grant = Grant()
grant.add_code(resp)
cli.grant["state"] = grant
gr1 = cli.grant_from_state("state")
assert gr1.code == "code"
def test_client_get_grant():
cli = Client()
resp = AuthorizationResponse(code="code", state="state")
grant = Grant()
grant.add_code(resp)
cli.grant["state"] = grant
gr1 = cli.grant_from_state("state")
assert gr1.code == "code"
def _get_client(self):
client = Client(client_id=self.conf['client_id'],
client_authn_method=CLIENT_AUTHN_METHOD)
# Set client configurations based on issuer_url
if not OpenIDConnectAuthPlugin.provider_config:
OpenIDConnectAuthPlugin.provider_config = client.provider_config(
self.conf['issuer_url'])
else:
client.handle_provider_config(
OpenIDConnectAuthPlugin.provider_config,
self.conf['issuer_url'])
return client
def create_client(self):
self.redirect_uri = "https://example.com/redirect"
self.client = Client(CLIENT_ID, client_authn_method=CLIENT_AUTHN_METHOD)
self.client.redirect_uris = [self.redirect_uri]
self.client.authorization_endpoint = "https://example.com/authorization"
self.client.token_endpoint = "https://example.com/token"
self.client.userinfo_endpoint = "https://example.com/userinfo"
self.client.check_session_endpoint = "https://example.com/check_session"
self.client.client_secret = "abcdefghijklmnop"
self.client.keyjar[""] = KC_RSA
self.client.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
def test_authz_endpoint():
server = provider_init
cli = Client()
cli.redirect_uris = ["http://www.example.org/authz"]
cli.client_id = "client0"
cli.state = "_state_"
args = {"response_type": ["code", "token"], "scope": ["openid"]}
req = cli.construct_AuthorizationRequest(request_args=args)
resp = server.authorization_endpoint(request=req.to_urlencoded())
print resp.message
assert "token_type=Bearer" in resp.message
assert "code=" in resp.message
def test_construct_CheckSessionRequest_2():
cli = Client()
cli.userinfo_endpoint = "https://example.org/oauth2/userinfo"
cli.grant["foo"] = Grant()
cli.grant["foo"].grant_expiration_time = time.time() + 60
cli.grant["foo"].code = "access_code"
resp = AccessTokenResponse(id_token="id_id_id_id", access_token="access", scope=["openid"])
cli.grant["foo"].tokens.append(Token(resp))
uir = cli.construct_CheckSessionRequest(state="foo", scope=["openid"])
print uir
assert ("%s" % uir) == "id_token=id_id_id_id"
def test_private_key_jwt():
cli = Client("FOO")
cli.token_endpoint = "https://example.com/token"
cli.keyjar[""] = KC_RSA
cis = AccessTokenRequest()
at = oic.private_key_jwt(cli, cis, algorithm="RS256")
assert at == {}
cas = cis["client_assertion"]
header, claim, crypto, header_b64, claim_b64 = unpack(cas)
jso = json.loads(claim)
assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
print header
assert header == {'alg': 'RS256'}
def test_client_parse_args():
cli = Client()
args = {
"response_type": "",
"client_id": "client_id",
"redirect_uri": "http://example.com/authz",
"scope": "scope",
"state": "state",
}
ar_args = cli._parse_args(AuthorizationRequest, **args)
print ar_args.keys()
assert _eq(ar_args.keys(), ["scope", "state", "redirect_uri", "response_type", "client_id"])
def test_request_attr_mis_match():
redirect_uri = "http://example.com/redirect"
client = Client(CLIENT_ID, client_authn_method=CLIENT_AUTHN_METHOD)
client.redirect_uris = [redirect_uri]
client.authorization_endpoint = "http://example.com/authorization"
client.client_secret = "abcdefghijklmnop"
client.keyjar[""] = KC_RSA
client.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
srv = Server()
srv.keyjar = KEYJ
areq = client.construct_AuthorizationRequest(
request_args={
"scope": "openid",
"response_type": ["code"],
"max_age": 86400,
"state": "foobar",
},
request_param="request",
)
for attr in ["state", "max_age", "client_id"]:
del areq[attr]
areq.lax = True
req = srv.parse_authorization_request(query=areq.to_urlencoded())
assert req.verify()
def make_client(**kw_args):
_cli = Client(client_authn_method=CLIENT_AUTHN_METHOD,
keyjar=kw_args["keyjar"])
_cli.kid = kw_args["kidd"]
_cli.jwks_uri = kw_args["jwks_uri"]
try:
_cli_info = kw_args["conf"].INFO["client"]
except KeyError:
pass
else:
for arg, val in _cli_info.items():
setattr(_cli, arg, val)
return _cli
def test_construct_CheckSessionRequest_2():
cli = Client()
cli.userinfo_endpoint = "https://example.org/oauth2/userinfo"
cli.grant["foo"] = Grant()
cli.grant["foo"].grant_expiration_time = time.time() + 60
cli.grant["foo"].code = "access_code"
resp = AccessTokenResponse(id_token="id_id_id_id",
access_token="access", scope=["openid"])
cli.grant["foo"].tokens.append(Token(resp))
uir = cli.construct_CheckSessionRequest(state="foo", scope=["openid"])
print uir
assert ("%s" % uir) == "{'id_token': 'id_id_id_id'}"
def test_construct_EndSessionRequest():
cli = Client()
cli.redirect_uris = ["http://example.com/authz"]
cli.grant["foo"] = Grant()
cli.grant["foo"].grant_expiration_time = time.time() + 60
cli.grant["foo"].code = "access_code"
resp = AccessTokenResponse(id_token="id_id_id_id", access_token="access", scope=["openid"])
cli.grant["foo"].tokens.append(Token(resp))
args = {"redirect_url": "http://example.com/end"}
esr = cli.construct_EndSessionRequest(state="foo", request_args=args)
print esr.keys()
assert _eq(esr.keys(), ["id_token", "state", "redirect_url"])
def make_client(**kw_args):
_, _keyjar, _ = build_keyjar(kw_args["conf"].keys)
_cli = Client(client_authn_method=CLIENT_AUTHN_METHOD, keyjar=_keyjar)
_cli.kid = kw_args["kidd"]
_cli.jwks_uri = kw_args["jwks_uri"]
try:
_cli_info = kw_args["conf"].INFO["client"]
except KeyError:
pass
else:
for arg, val in _cli_info.items():
setattr(_cli, arg, val)
return _cli
def test_private_key_jwt():
cli = Client("FOO")
cli.token_endpoint = "https://example.com/token"
cli.keystore.set_sign_key(rsapub, "rsa")
cli.keystore.set_verify_key(rsapub, "rsa")
cis = AccessTokenRequest()
at = oic.private_key_jwt(cli, cis)
assert at == {}
cas = cis["client_assertion"]
header, claim, crypto, header_b64, claim_b64 = unpack(cas)
jso = json.loads(claim)
assert _eq(jso.keys(), ["aud", "iss", "prn", "jti", "exp", "iat"])
print header
assert header == {"alg": "RS256"}
def test_client_parse_args():
cli = Client()
args = {
"response_type": "",
"client_id": "client_id",
"redirect_uri": "http://example.com/authz",
"scope": "scope",
"state": "state",
}
ar_args = cli._parse_args(AuthorizationRequest, **args)
print ar_args.keys()
assert _eq(ar_args.keys(), ['scope', 'state', 'redirect_uri',
'response_type', 'client_id'])
def __init__(self, flask_app, client_registration_info=None, issuer=None,
provider_configuration_info=None, userinfo_endpoint_method='POST',
extra_request_args=None):
self.app = flask_app
self.userinfo_endpoint_method = userinfo_endpoint_method
self.extra_request_args = extra_request_args or {}
self.client = Client(client_authn_method=CLIENT_AUTHN_METHOD)
if not issuer and not provider_configuration_info:
raise ValueError(
'Either \'issuer\' (for dynamic discovery) or \'provider_configuration_info\' (for static configuration must be specified.')
if issuer and not provider_configuration_info:
self.client.provider_config(issuer)
else:
self.client.handle_provider_config(
ProviderConfigurationResponse(**provider_configuration_info),
provider_configuration_info['issuer'])
self.client_registration_info = client_registration_info or {}
# setup redirect_uri
self.app.add_url_rule('/redirect_uri', 'redirect_uri',
self._handle_authentication_response)
with self.app.app_context():
self.client_registration_info['redirect_uris'] = url_for('redirect_uri')
if client_registration_info and 'client_id' in client_registration_info:
# static client info provided
self.client.store_registration_info(RegistrationRequest(**client_registration_info))
self.logout_view = None
def test_construct_UserInfoRequest_2():
cli = Client()
cli.userinfo_endpoint = "https://example.org/oauth2/userinfo"
cli.grant["foo"] = Grant()
cli.grant["foo"].grant_expiration_time = time.time() + 60
cli.grant["foo"].code = "access_code"
resp = AccessTokenResponse(refresh_token="refresh_with_me",
access_token="access", id_token="IDTOKEN",
scope=["openid"])
cli.grant["foo"].tokens.append(Token(resp))
uir = cli.construct_UserInfoRequest(state="foo", scope=["openid"])
print uir
assert uir.keys() == ["access_token"]
def test_client_parse_extra_args():
cli = Client()
args = {
"response_type": "",
"client_id": "client_id",
"redirect_uri": "http://example.com/authz",
"scope": "scope",
"state": "state",
"extra_session": "home"
}
ar_args = cli._parse_args(AuthorizationRequest, **args)
print ar_args.keys()
assert _eq(ar_args.keys(), ['state', 'redirect_uri', 'response_type',
'client_id', 'scope', 'extra_session'])
def test_construct_UserInfoRequest_2():
cli = Client()
cli.userinfo_endpoint = "https://example.org/oauth2/userinfo"
cli.grant["foo"] = Grant()
cli.grant["foo"].grant_expiration_time = time.time() + 60
cli.grant["foo"].code = "access_code"
resp = AccessTokenResponse(refresh_token="refresh_with_me",
access_token="access", id_token="IDTOKEN",
scope=["openid"])
cli.grant["foo"].tokens.append(Token(resp))
uir = cli.construct_UserInfoRequest(state="foo", scope=["openid"])
print uir
assert uir.keys() == ["access_token"]
def __init__(self, client_id, secret, redirect_uri,
allow_empty_state=True, issuer=_issuer):
super(MiraclClient, self).__init__()
self.issuer = issuer
self.allow_empty_state = allow_empty_state
client = Client(client_authn_method=CLIENT_AUTHN_METHOD)
self.provider_info = client.provider_config(issuer=self.issuer)
_logger.info(MIRACL_LOG_RECEIVED_PROVIDER_INFO, self.provider_info)
self.info = {"client_id": client_id,
"client_secret": secret,
"redirect_uris": [redirect_uri]
}
def test_fetch_distributed_claims_with_no_callback():
client = Client(CLIENT_ID, client_authn_method=CLIENT_AUTHN_METHOD)
client.http_request = fake_request # type: ignore # FIXME: Replace with responses?
userinfo = {
"sub": "foobar",
"_claim_names": {"shoe_size": "src1"},
"_claim_sources": {
"src1": {"endpoint": "https://bank.example.com/claim_source"}
},
}
_ui = client.fetch_distributed_claims(userinfo, callback=None)
assert _ui["shoe_size"] == 10
assert _ui["sub"] == "foobar"
def test_client_secret_jwt():
cli = Client("Foo")
cli.token_endpoint = "https://example.com/token"
cli.client_secret = "foobar"
cis = AccessTokenRequest()
at = oic.client_secret_jwt(cli, cis)
assert at == {}
assert cis["client_assertion_type"] == JWT_BEARER
assert "client_assertion" in cis
cas = cis["client_assertion"]
header, claim, crypto, header_b64, claim_b64 = unpack(cas)
jso = json.loads(claim)
assert _eq(jso.keys(), ["aud", "iss", "prn", "jti", "exp", "iat"])
print header
assert header == {"alg": "HS256"}
def authorization_request(request):
client = Client()
hapax = rndstr()
state = rndstr()
params = {
"authorization_endpoint": WSO2IS__AUTHORIZATIONENDPOINT,
"client_id": CLIENT__OAUTH2KEY,
"response_type": "code",
"scope": ["openid"],
"nonce": hapax,
"redirect_uri": CLIENT__REDIRECTURL,
}
result = client.do_authorization_request(state=state, request_args=params)
logger.debug(" auth (1) %s" % (state))
request.session["state"] = state
return HttpResponseRedirect(result.headers["location"])
def test_should_register_dynamic_client_if_client_registration_info_is_given(
self):
registration_endpoint = self.PROVIDER_BASEURL + '/register'
redirect_uris = [
'https://client.example.com/redirect',
'https://client.example.com/redirect2'
]
post_logout_redirect_uris = ['https://client.example.com/logout']
responses.add(responses.POST,
registration_endpoint,
json={
'client_id': 'client1',
'client_secret': 'secret1',
'redirect_uris': redirect_uris,
'post_logout_redirect_uris':
post_logout_redirect_uris
})
provider_config = ProviderConfiguration(
provider_metadata=self.provider_metadata(
registration_endpoint=registration_endpoint),
client_registration_info=ClientRegistrationInfo(
redirect_uris=redirect_uris,
post_logout_redirect_uris=post_logout_redirect_uris))
provider_config.register_client(Client(CLIENT_AUTHN_METHOD))
assert provider_config._client_metadata['client_id'] == 'client1'
assert provider_config._client_metadata['client_secret'] == 'secret1'
assert provider_config._client_metadata[
'redirect_uris'] == redirect_uris
assert provider_config._client_metadata[
'post_logout_redirect_uris'] == post_logout_redirect_uris
def test_construct_EndSessionRequest():
cli = Client()
cli.redirect_uris = ["http://example.com/authz"]
cli.grant["foo"] = Grant()
cli.grant["foo"].grant_expiration_time = time.time() + 60
cli.grant["foo"].code = "access_code"
resp = AccessTokenResponse(id_token="id_id_id_id",
access_token="access", scope=["openid"])
cli.grant["foo"].tokens.append(Token(resp))
args = {"redirect_url": "http://example.com/end"}
esr = cli.construct_EndSessionRequest(state="foo", request_args=args)
print esr.keys()
assert _eq(esr.keys(), ['id_token', 'state', "redirect_url"])
def __init__(self, client_id=None, verify_ssl=None, settings=None):
self.settings = settings or OicClientSettings()
if verify_ssl is not None:
warnings.warn(
"`verify_ssl` is deprecated, please use `settings` instead if you need to set a non-default value.",
DeprecationWarning,
stacklevel=2,
)
self.settings.verify_ssl = verify_ssl
Client.__init__(self, client_id, settings=self.settings)
self.request2endpoint = REQUEST2ENDPOINT.copy()
self.request2endpoint["UserClaimsRequest"] = "userclaims_endpoint"
self.response2error = RESPONSE2ERROR.copy()
self.response2error["UserClaimsResponse"] = ["ErrorResponse"]
def __enter__(self):
self.patch_requests()
self.client = Client(client_authn_method=CLIENT_AUTHN_METHOD)
self.client.provider_config(self.https_issuer)
self.client.store_registration_info(
RegistrationRequest(
**{
'issuer': self.issuer,
'client_id': 'test-client',
'client_secret': 'test-secret',
'redirect_uris': 'http://example.com/oidc_callback'
}))
return self
def pedir_autorizacion(request):
cliente = Client()
hapax = rndstr()
estado = rndstr()
parametros = {
"authorization_endpoint": endpoint_autorizacion,
"client_id": llave,
"response_type": "code",
"scope": ["openid"],
"nonce": hapax,
"redirect_uri": callback
}
resultado = cliente.do_authorization_request(state=estado,
request_args=parametros)
request.session['estado'] = estado
return HttpResponseRedirect(resultado.headers['location'])
def setup_class(self):
self.client = Client(CLIENT_ID)
self.client.redirect_uris = ["http://example.com/redirect"]
self.client.client_secret = CLIENT_SECRET
self.client.keyjar[""] = KC_RSA
self.client.behaviour = {"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]}
self._state = ""
def test_construct_RegistrationRequest():
cli = Client()
cli.redirect_uris = ["http://example.com/authz"]
request_args = {
"type": "client_associate",
"client_id": CLIENT_ID,
"contacts": ["*****@*****.**"],
"application_type": "web",
"application_name": "EXAMPLE OIC service",
}
crr = cli.construct_RegistrationRequest(request_args=request_args)
print crr.keys()
assert _eq(crr.keys(), ["application_name", "application_type", "type", "client_id", "contacts", "redirect_uris"])
def __init__(
self,
session_db,
consumer_config,
client_config=None,
server_info=None,
debug=False,
client_prefs=None,
):
"""
Initialize a Consumer instance.
:param session_db: Where info are kept about sessions
:param config: Configuration of the consumer
:param client_config: Client configuration
:param server_info: Information about the server
:param client_prefs: Run time preferences, which are chosen depends
on what the server can do.
"""
if client_config is None:
client_config = {}
Client.__init__(self, **client_config)
self.consumer_config = consumer_config
if consumer_config:
try:
self.debug = consumer_config["debug"]
except KeyError:
self.debug = 0
if server_info:
for endpoint in ENDPOINTS:
try:
setattr(self, endpoint, server_info[endpoint])
except KeyError:
setattr(self, endpoint, "")
self.sdb = session_db
self.debug = debug
self.seed = ""
self.nonce = ""
self.request_filename = ""
self.request_uri = ""
self.user_info = None
self.registration_expires_at = 0
self.secret_type = "Bearer"
def test_fetch_distributed_claims_with_no_callback():
""" Mirrors the first lines in do_userinfo_request"""
client = Client(CLIENT_ID, client_authn_method=CLIENT_AUTHN_METHOD)
client.http_request = fake_request
userinfo = {
'sub': 'foobar',
'_claim_names': {'shoe_size': 'src1'},
'_claim_sources': {
"src1": {
"endpoint": "https://bank.example.com/claim_source"}}
}
_ui = client.fetch_distributed_claims(userinfo, callback=None)
assert _ui['shoe_size'] == 10
assert _ui['sub'] == 'foobar'
