def create_services(self):
# RP
client_config = {
"base_url": "https://foodle.example.com",
"issuer": SUNET_OP.iss,
"client_id": "xxxxxxxxx",
"client_secret": "2222222222",
"redirect_uris": ["https://foodle.example.com/authz_cb/sunet_op"],
"client_prefs": {
"response_types": ["code"],
"scope": ["openid", "profile", "email"],
"token_endpoint_auth_method": "client_secret_basic"
}
}
_context = ServiceContext(config=client_config)
FOODLE.context = 'registration'
FOODLE.federation = FEIDE.iss
_context.federation_entity = FOODLE
self.service = build_services(
{
'FedProviderInfoDiscovery': {},
'FedRegistrationRequest': {}
}, factory, _context, DB())
def get_service():
service_context = ServiceContext(keyjar=None, config=CLIENT_CONF)
service_context.client_secret = "white boarding pass"
service = service_factory('AccessToken', ['oidc'],
state_db=InMemoryStateDataBase(),
service_context=service_context)
return service
def create_services(self):
# OP
fed_ent = FOODLE
fed_ent.fo_priority = [SWAMID.iss, FEIDE.iss]
fed_ent.federation = ''
fed_ent.provider_federations = None
fed_ent.registration_federations = None
fed_ent.jwks_bundle = fo_keybundle
client_config = {
'client_id': 'client_id',
'client_secret': 'password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'client_preferences': {
'id_token_signed_response_alg': 'RS384',
'userinfo_signed_response_alg': 'RS384'
}
}
_context = ServiceContext(config=client_config)
_context.federation_entity = fed_ent
_context.issuer = SUNET_OP.iss
self.service = build_services(
{
'FedProviderInfoDiscovery': {},
'FedRegistrationRequest': {}
}, factory, _context, DB())
_context.service = self.service
def create_request(self):
self._iss = ISS
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'issuer': self._iss, 'requests_dir': 'requests',
'base_url': 'https://example.com/cli/'
}
service_context = ServiceContext(config=client_config)
service_context.keyjar = CLI_KEY
service_context.behaviour = {
'userinfo_signed_response_alg': 'RS256',
"userinfo_encrypted_response_alg": "RSA-OAEP",
"userinfo_encrypted_response_enc": "A256GCM"
}
db = InMemoryStateDataBase()
auth_response = AuthorizationResponse(code='access_code').to_json()
idtval = {
'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'diana',
'iss': ISS, 'aud': 'client_id'
}
idt = create_jws(idtval)
ver_idt = IdToken().from_jwt(idt, CLI_KEY)
token_response = AccessTokenResponse(
access_token='access_token', id_token=idt,
__verified_id_token=ver_idt).to_json()
db.set('abcde', State(token_response=token_response,
auth_response=auth_response).to_json())
self.service = service_factory('UserInfo', ['oidc'], state_db=db,
service_context=service_context)
def create_client(self):
config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {
'response_types': ['code']
},
'add_ons': {
"pkce": {
"function":
"oidcservice.oidc.add_on.pkce.add_pkce_support",
"kwargs": {
"code_challenge_length": 64,
"code_challenge_method": "S256"
}
}
}
}
_cam = ca_factory
_srvs = DEFAULT_SERVICES
service_context = ServiceContext(CLI_KEY,
client_id='client_id',
issuer='https://www.example.org/as',
config=config)
self.service = init_services(_srvs, service_context, _cam)
if 'add_ons' in config:
do_add_ons(config['add_ons'], self.service)
service_context.service = self.service
def create_client_info_instance(self):
config = {
'client_id': 'client_id', 'issuer': 'issuer',
'client_secret': 'longenoughsupersecret',
'base_url': 'https://example.com',
'requests_dir': 'requests'
}
self.service_context = ServiceContext(config=config)
def test_client_filename():
config = {
'client_id': 'client_id', 'issuer': 'issuer',
'client_secret': 'longenoughsupersecret', 'base_url': 'https://example.com',
'requests_dir': 'requests'
}
ci = ServiceContext(config=config)
fname = ci.filename_from_webname('https://example.com/rq12345')
assert fname == 'rq12345'
def create_request(self):
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(CLI_KEY, config=client_config)
service_context.issuer = 'https://example.com'
self.service = service_factory('Authorization', ['oidc'],
state_db=InMemoryStateDataBase(),
service_context=service_context)
def build_service_context() -> object:
_service_context = ServiceContext(
config={
"issuer": 'https://op.example.com',
"client_preferences": {
"application_type": "web",
"application_name": "rphandler",
"contacts": ["*****@*****.**"],
"response_types": ["code"],
"scope": ["openid", "profile", "email", "address", "phone"],
"token_endpoint_auth_method": "client_secret_basic",
},
"redirect_uris": ["{}/authz_cb".format(RP_BASEURL)],
"jwks_uri": "{}/static/jwks.json".format(RP_BASEURL),
'jwks': RP_JWKS,
'db_conf': {
'keyjar': {
'handler':
'oidcmsg.storage.abfile.LabeledAbstractFileSystem',
'fdir': 'db/{issuer}/keyjar',
'key_conv': 'oidcmsg.storage.converter.QPKey',
'value_conv': 'cryptojwt.serialize.item.KeyIssuer',
'label': 'keyjar'
},
'default': {
'handler': 'oidcmsg.storage.abfile.AbstractFileSystem',
'fdir': 'db/{issuer}',
'key_conv': 'oidcmsg.storage.converter.QPKey',
'value_conv': 'oidcmsg.storage.converter.JSON'
},
'state': {
'handler': 'oidcmsg.storage.abfile.AbstractFileSystem',
'fdir': 'db/{issuer}/state',
'key_conv': 'oidcmsg.storage.converter.QPKey',
'value_conv': 'oidcmsg.storage.converter.JSON'
}
}
})
service_spec = DEFAULT_SERVICES.copy()
service_spec['WebFinger'] = {'class': WebFinger}
_service = init_services(service_spec, service_context=_service_context)
assert set(_service.keys()) == {
'accesstoken', 'authorization', 'webfinger', 'registration',
'refresh_token', 'userinfo', 'provider_info'
}
_service_context.service = _service
return _service_context
def test_client_info_init():
config = {
'client_id': 'client_id', 'issuer': 'issuer',
'client_secret': 'client_secret_wordplay',
'base_url': 'https://example.com',
'requests_dir': 'requests'
}
ci = ServiceContext(config=config)
for attr in config.keys():
try:
val = getattr(ci, attr)
except AttributeError:
val = ci.get(attr)
assert val == config[attr]
def __init__(self,
state_db,
ca_certs=None,
client_authn_factory=None,
keyjar=None,
verify_ssl=True,
config=None,
client_cert=None,
httplib=None,
services=None,
service_factory=None,
jwks_uri='',
module_dirs=None):
"""
:param ca_certs: Certificates used to verify HTTPS certificates
:param client_authn_factory: Factory that this client can use to
initiate a client authentication class.
:param keyjar: A py:class:`oidcmsg.key_jar.KeyJar` instance
:param verify_ssl: Whether the SSL certificate should be verified.
:param config: Configuration information passed on to the
:py:class:`oidcservice.service_context.ServiceContext`
initialization
:param client_cert: Certificate used by the HTTP client
:param httplib: A HTTP client to use
:param services: A list of service definitions
:param service_factory: A factory to use when building the
:py:class:`oidcservice.service.Service` instances
:param jwks_uri: A jwks_uri
:return: Client instance
"""
self.session_interface = StateInterface(state_db)
self.http = httplib or HTTPLib(
ca_certs=ca_certs, verify_ssl=verify_ssl, client_cert=client_cert)
if not keyjar:
keyjar = KeyJar()
keyjar.verify_ssl = verify_ssl
self.events = None
self.service_context = ServiceContext(keyjar,
config=config,
jwks_uri=jwks_uri)
if self.service_context.client_id:
self.client_id = self.service_context.client_id
_cam = client_authn_factory or ca_factory
self.service_factory = service_factory or default_service_factory
_srvs = services or DEFAULT_SERVICES
if not module_dirs:
module_dirs = ['oauth2']
self.service = build_services(_srvs, self.service_factory, module_dirs,
self.service_context, state_db, _cam)
self.service_context.service = self.service
self.verify_ssl = verify_ssl
def test_access_token_srv_conf():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
db = InMemoryStateDataBase()
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
_state = State(auth_request=auth_request.to_json(),
auth_response=auth_response.to_json())
db.set('state', _state.to_json())
service = service_factory(
'AccessToken', ['oauth2'],
state_db=db,
service_context=service_context,
conf={'default_authn_method': 'client_secret_post'})
req_args = {
'redirect_uri': 'https://example.com/cli/authz_cb',
'code': 'access_code'
}
service.endpoint = 'https://example.com/authorize'
_info = service.get_request_parameters(request_args=req_args,
state='state')
assert _info
msg = AccessTokenRequest().from_urlencoded(
service.get_urlinfo(_info['body']))
assert 'client_secret' in msg
def test_access_token_srv_conf():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
service = service_factory(
'AccessToken', ['oauth2'],
service_context=service_context,
conf={'default_authn_method': 'client_secret_post'})
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
service.store_item(auth_request, "auth_request", 'state')
service.store_item(auth_response, "auth_response", 'state')
req_args = {
'redirect_uri': 'https://example.com/cli/authz_cb',
'code': 'access_code'
}
service.endpoint = 'https://example.com/authorize'
_info = service.get_request_parameters(request_args=req_args,
state='state')
assert _info
msg = AccessTokenRequest().from_urlencoded(
service.get_urlinfo(_info['body']))
assert 'client_secret' in msg
def test_get_provider_specific_service():
service_context = ServiceContext()
_srv = get_provider_specific_service('github',
'AccessToken',
service_context=service_context,
state_db=DB())
assert _srv.response_body_type == 'urlencoded'
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
service_context.set('redirect_uris',
['https://example.com/cli/authz_cb'])
self.service = service_factory('AccessToken', ['oauth2'],
service_context=service_context)
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
self.service.store_item(auth_request, 'auth_request', 'state')
self.service.store_item(auth_response, 'auth_response', 'state')
def test_authz_service_conf():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {'response_types': ['code']}
}
srv = service_factory(
'Authorization', ['oidc'], state_db=InMemoryStateDataBase(),
service_context=ServiceContext(CLI_KEY, config=client_config),
conf={
'request_args': {
'claims': {
"id_token":
{
"auth_time": {"essential": True},
"acr": {"values": ["urn:mace:incommon:iap:silver"]}
}
}
}
})
req = srv.construct()
assert 'claims' in req
assert set(req['claims'].keys()) == {'id_token'}
def test_get_provider_specific_service():
service_context = ServiceContext()
srv_desc = {
'access_token': {
'class': 'oidcrp.provider.github.AccessToken'
}
}
_srv = init_services(srv_desc, service_context)
assert _srv['accesstoken'].response_body_type == 'urlencoded'
def create_request(self):
self._iss = ISS
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'issuer': self._iss, 'requests_dir': 'requests',
'base_url': 'https://example.com/cli/'
}
service_context = ServiceContext(config=client_config)
self.service = service_factory('Registration', ['oidc'], state_db=None,
service_context=service_context)
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {
'response_types': ['code']
}
}
service_context = ServiceContext(config=client_config)
self.service = service_factory('Authorization', ['oauth2'],
service_context=service_context)
def __init__(self,
state_db,
client_authn_factory=None,
keyjar=None,
verify_ssl=True,
config=None,
httplib=None,
services=None,
jwks_uri='',
httpc_params=None):
"""
:param client_authn_factory: Factory that this client can use to
initiate a client authentication class.
:param keyjar: A py:class:`oidcmsg.key_jar.KeyJar` instance
:param config: Configuration information passed on to the
:py:class:`oidcservice.service_context.ServiceContext`
initialization
:param httplib: A HTTP client to use
:param services: A list of service definitions
:param jwks_uri: A jwks_uri
:param httpc_params: HTTP request arguments
:return: Client instance
"""
self.session_interface = StateInterface(state_db)
self.http = httplib or HTTPLib(httpc_params)
if not keyjar:
keyjar = KeyJar()
keyjar.verify_ssl = verify_ssl
self.events = None
self.service_context = ServiceContext(keyjar,
config=config,
jwks_uri=jwks_uri,
httpc_params=httpc_params)
if self.service_context.client_id:
self.client_id = self.service_context.client_id
_cam = client_authn_factory or ca_factory
_srvs = services or DEFAULT_SERVICES
self.service = init_services(_srvs, self.service_context, state_db,
_cam)
if 'add_ons' in config:
do_add_ons(config['add_ons'], self.service)
self.service_context.service = self.service
self.verify_ssl = verify_ssl
def create_request(self):
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'callback': {
'code': 'https://example.com/cli/authz_cb',
'implicit': 'https://example.com/cli/authz_im_cb',
'form_post': 'https://example.com/cli/authz_fp_cb'
}
}
service_context = ServiceContext(CLI_KEY, config=client_config)
self.service = service_factory('Authorization', ['oidc'],
state_db=InMemoryStateDataBase(),
service_context=service_context)
def rp_service_setup(self):
entity_id = 'https://foodle.uninett.no'
service_context = ServiceContext(config={
'issuer': 'https://op.ntnu.no',
'keys': {'key_defs': KEY_DEFS}
})
http_cli = Publisher(os.path.join(BASE_PATH, 'base_data'))
self.federation_entity = FederationEntity(
entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
httpd=http_cli,
entity_type='openid_relying_party',
opponent_entity_type='openid_provider',
config={'keys': {'key_defs': KEY_DEFS}}
)
# The test data collector
self.federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, httpd=http_cli, root_dir=os.path.join(BASE_PATH, 'base_data'))
service_context.federation_entity = self.federation_entity
service_context.redirect_uris = ['https://foodle.uninett.no/cb']
# Note that the keys used for OIDC base protocol communication are separate from those used
# in the federation context
# service_context.keyjar = init_key_jar(key_defs=KEY_DEFS, issuer_id=entity_id)
service_context.client_preferences = {
"grant_types": ['authorization_code', 'implicit', 'refresh_token'],
"id_token_signed_response_alg": "ES256",
"token_endpoint_auth_method": "client_secret_basic",
"federation_type": ['automatic']
}
self.service = {
'discovery': FedProviderInfoDiscovery(service_context),
'registration': Registration(service_context)
}
def create_request(self):
self._iss = ISS
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'issuer': self._iss, 'requests_dir': 'requests',
'base_url': 'https://example.com/cli/',
'post_logout_redirect_uris': ['https://example.com/post_logout']
}
service_context = ServiceContext(config=client_config)
self.service = service_factory('EndSession', ['oidc'],
state_db=InMemoryStateDataBase(),
service_context=service_context)
def create_client(self):
config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {
'response_types': ['code']
},
'add_ons': {
"pushed_authorization": {
"function": "oidcservice.oidc.add_on.pushed_authorization"
".add_pushed_authorization_support",
"kwargs": {
"body_format": "jws",
"signing_algorthm": "RS256",
"http_client": None,
"merge_rule": "lax"
}
}
}
}
_cam = ca_factory
_srvs = DEFAULT_SERVICES
service_context = ServiceContext(CLI_KEY,
client_id='client_id',
issuer='https://www.example.org/as',
config=config)
self.service = init_services(_srvs, service_context,
InMemoryStateDataBase(), _cam)
if 'add_ons' in config:
do_add_ons(config['add_ons'], self.service)
service_context.service = self.service
service_context.provider_info = {
"pushed_authorization_request_endpoint":
"https://as.example.com/push"
}
def test_request_object_encryption():
msg = AuthorizationRequest(state='ABCDE',
redirect_uri='https://example.com/cb',
response_type='code')
conf = {
'redirect_uris': ['https://example.com/cli/authz_cb'],
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
}
service_context = ServiceContext(keyjar=keyjar, config=conf)
service_context.behaviour["request_object_encryption_alg"] = 'RSA1_5'
service_context.behaviour[
"request_object_encryption_enc"] = "A128CBC-HS256"
_jwe = request_object_encryption(msg.to_json(),
service_context,
target=RECEIVER)
assert _jwe
_decryptor = factory(_jwe)
assert _decryptor.jwt.verify_headers(alg='RSA1_5', enc='A128CBC-HS256')
def create_request(self):
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(CLI_KEY, config=client_config)
_db = InMemoryStateDataBase()
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb',
state='state', response_type='code').to_json()
auth_response = AuthorizationResponse(code='access_code').to_json()
_db.set('state', State(auth_response=auth_response,
auth_request=auth_request).to_json())
self.service = service_factory('AccessToken', ['oidc'], state_db=_db,
service_context=service_context)
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
self.service = service_factory('RefreshAccessToken', ['oauth2'],
service_context=service_context)
auth_response = AuthorizationResponse(code='access_code')
token_response = AccessTokenResponse(access_token='bearer_token',
refresh_token='refresh')
self.service.store_item(auth_response, 'auth_response', 'abcdef')
self.service.store_item(token_response, 'token_response', 'abcdef')
self.service.endpoint = 'https://example.com/token'
def test_add_jwks_uri_or_jwks_3():
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'issuer': ISS,
'client_preferences': {
'id_token_signed_response_alg': 'RS384',
'userinfo_signed_response_alg': 'RS384'
}
}
service_context = ServiceContext(config=client_config, jwks='{"keys":[]}')
service = service_factory('Registration', ['oidc'], state_db=None,
service_context=service_context)
req_args, post_args = add_jwks_uri_or_jwks({}, service)
assert req_args['jwks'] == '{"keys":[]}'
assert set(req_args.keys()) == {'jwks'}
def test_add_jwks_uri_or_jwks_0():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'jwks_uri': 'https://example.com/jwks/jwks.json',
'issuer': ISS,
'client_preferences': {
'id_token_signed_response_alg': 'RS384',
'userinfo_signed_response_alg': 'RS384'
}
}
service_context = ServiceContext(config=client_config)
service = service_factory('Registration', ['oidc'],
service_context=service_context)
req_args, post_args = add_jwks_uri_or_jwks({}, service)
assert req_args['jwks_uri'] == 'https://example.com/jwks/jwks.json'
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'another password'
}
service_context = ServiceContext(config=client_config)
self.service = {
'token': service_factory("CCAccessToken",
['oauth2/client_credentials', 'oauth2'],
service_context=service_context),
'refresh_token': service_factory("CCRefreshAccessToken",
['oauth2/client_credentials',
'oauth2'],
service_context=service_context)
}
self.service['token'].endpoint = 'https://example.com/token'
self.service['refresh_token'].endpoint = 'https://example.com/token'
