def create_services(self): # RP client_config = { "base_url": "https://foodle.example.com", "issuer": SUNET_OP.iss, "client_id": "xxxxxxxxx", "client_secret": "2222222222", "redirect_uris": ["https://foodle.example.com/authz_cb/sunet_op"], "client_prefs": { "response_types": ["code"], "scope": ["openid", "profile", "email"], "token_endpoint_auth_method": "client_secret_basic" } } _context = ServiceContext(config=client_config) FOODLE.context = 'registration' FOODLE.federation = FEIDE.iss _context.federation_entity = FOODLE self.service = build_services( { 'FedProviderInfoDiscovery': {}, 'FedRegistrationRequest': {} }, factory, _context, DB())
def get_service(): service_context = ServiceContext(keyjar=None, config=CLIENT_CONF) service_context.client_secret = "white boarding pass" service = service_factory('AccessToken', ['oidc'], state_db=InMemoryStateDataBase(), service_context=service_context) return service
def create_services(self): # OP fed_ent = FOODLE fed_ent.fo_priority = [SWAMID.iss, FEIDE.iss] fed_ent.federation = '' fed_ent.provider_federations = None fed_ent.registration_federations = None fed_ent.jwks_bundle = fo_keybundle client_config = { 'client_id': 'client_id', 'client_secret': 'password', 'redirect_uris': ['https://example.com/cli/authz_cb'], 'client_preferences': { 'id_token_signed_response_alg': 'RS384', 'userinfo_signed_response_alg': 'RS384' } } _context = ServiceContext(config=client_config) _context.federation_entity = fed_ent _context.issuer = SUNET_OP.iss self.service = build_services( { 'FedProviderInfoDiscovery': {}, 'FedRegistrationRequest': {} }, factory, _context, DB()) _context.service = self.service
def create_request(self): self._iss = ISS client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'], 'issuer': self._iss, 'requests_dir': 'requests', 'base_url': 'https://example.com/cli/' } service_context = ServiceContext(config=client_config) service_context.keyjar = CLI_KEY service_context.behaviour = { 'userinfo_signed_response_alg': 'RS256', "userinfo_encrypted_response_alg": "RSA-OAEP", "userinfo_encrypted_response_enc": "A256GCM" } db = InMemoryStateDataBase() auth_response = AuthorizationResponse(code='access_code').to_json() idtval = { 'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'diana', 'iss': ISS, 'aud': 'client_id' } idt = create_jws(idtval) ver_idt = IdToken().from_jwt(idt, CLI_KEY) token_response = AccessTokenResponse( access_token='access_token', id_token=idt, __verified_id_token=ver_idt).to_json() db.set('abcde', State(token_response=token_response, auth_response=auth_response).to_json()) self.service = service_factory('UserInfo', ['oidc'], state_db=db, service_context=service_context)
def create_client(self): config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'], 'behaviour': { 'response_types': ['code'] }, 'add_ons': { "pkce": { "function": "oidcservice.oidc.add_on.pkce.add_pkce_support", "kwargs": { "code_challenge_length": 64, "code_challenge_method": "S256" } } } } _cam = ca_factory _srvs = DEFAULT_SERVICES service_context = ServiceContext(CLI_KEY, client_id='client_id', issuer='https://www.example.org/as', config=config) self.service = init_services(_srvs, service_context, _cam) if 'add_ons' in config: do_add_ons(config['add_ons'], self.service) service_context.service = self.service
def create_client_info_instance(self): config = { 'client_id': 'client_id', 'issuer': 'issuer', 'client_secret': 'longenoughsupersecret', 'base_url': 'https://example.com', 'requests_dir': 'requests' } self.service_context = ServiceContext(config=config)
def test_client_filename(): config = { 'client_id': 'client_id', 'issuer': 'issuer', 'client_secret': 'longenoughsupersecret', 'base_url': 'https://example.com', 'requests_dir': 'requests' } ci = ServiceContext(config=config) fname = ci.filename_from_webname('https://example.com/rq12345') assert fname == 'rq12345'
def create_request(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(CLI_KEY, config=client_config) service_context.issuer = 'https://example.com' self.service = service_factory('Authorization', ['oidc'], state_db=InMemoryStateDataBase(), service_context=service_context)
def build_service_context() -> object: _service_context = ServiceContext( config={ "issuer": 'https://op.example.com', "client_preferences": { "application_type": "web", "application_name": "rphandler", "contacts": ["*****@*****.**"], "response_types": ["code"], "scope": ["openid", "profile", "email", "address", "phone"], "token_endpoint_auth_method": "client_secret_basic", }, "redirect_uris": ["{}/authz_cb".format(RP_BASEURL)], "jwks_uri": "{}/static/jwks.json".format(RP_BASEURL), 'jwks': RP_JWKS, 'db_conf': { 'keyjar': { 'handler': 'oidcmsg.storage.abfile.LabeledAbstractFileSystem', 'fdir': 'db/{issuer}/keyjar', 'key_conv': 'oidcmsg.storage.converter.QPKey', 'value_conv': 'cryptojwt.serialize.item.KeyIssuer', 'label': 'keyjar' }, 'default': { 'handler': 'oidcmsg.storage.abfile.AbstractFileSystem', 'fdir': 'db/{issuer}', 'key_conv': 'oidcmsg.storage.converter.QPKey', 'value_conv': 'oidcmsg.storage.converter.JSON' }, 'state': { 'handler': 'oidcmsg.storage.abfile.AbstractFileSystem', 'fdir': 'db/{issuer}/state', 'key_conv': 'oidcmsg.storage.converter.QPKey', 'value_conv': 'oidcmsg.storage.converter.JSON' } } }) service_spec = DEFAULT_SERVICES.copy() service_spec['WebFinger'] = {'class': WebFinger} _service = init_services(service_spec, service_context=_service_context) assert set(_service.keys()) == { 'accesstoken', 'authorization', 'webfinger', 'registration', 'refresh_token', 'userinfo', 'provider_info' } _service_context.service = _service return _service_context
def test_client_info_init(): config = { 'client_id': 'client_id', 'issuer': 'issuer', 'client_secret': 'client_secret_wordplay', 'base_url': 'https://example.com', 'requests_dir': 'requests' } ci = ServiceContext(config=config) for attr in config.keys(): try: val = getattr(ci, attr) except AttributeError: val = ci.get(attr) assert val == config[attr]
def __init__(self, state_db, ca_certs=None, client_authn_factory=None, keyjar=None, verify_ssl=True, config=None, client_cert=None, httplib=None, services=None, service_factory=None, jwks_uri='', module_dirs=None): """ :param ca_certs: Certificates used to verify HTTPS certificates :param client_authn_factory: Factory that this client can use to initiate a client authentication class. :param keyjar: A py:class:`oidcmsg.key_jar.KeyJar` instance :param verify_ssl: Whether the SSL certificate should be verified. :param config: Configuration information passed on to the :py:class:`oidcservice.service_context.ServiceContext` initialization :param client_cert: Certificate used by the HTTP client :param httplib: A HTTP client to use :param services: A list of service definitions :param service_factory: A factory to use when building the :py:class:`oidcservice.service.Service` instances :param jwks_uri: A jwks_uri :return: Client instance """ self.session_interface = StateInterface(state_db) self.http = httplib or HTTPLib( ca_certs=ca_certs, verify_ssl=verify_ssl, client_cert=client_cert) if not keyjar: keyjar = KeyJar() keyjar.verify_ssl = verify_ssl self.events = None self.service_context = ServiceContext(keyjar, config=config, jwks_uri=jwks_uri) if self.service_context.client_id: self.client_id = self.service_context.client_id _cam = client_authn_factory or ca_factory self.service_factory = service_factory or default_service_factory _srvs = services or DEFAULT_SERVICES if not module_dirs: module_dirs = ['oauth2'] self.service = build_services(_srvs, self.service_factory, module_dirs, self.service_context, state_db, _cam) self.service_context.service = self.service self.verify_ssl = verify_ssl
def test_access_token_srv_conf(): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(config=client_config) db = InMemoryStateDataBase() auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') auth_response = AuthorizationResponse(code='access_code') _state = State(auth_request=auth_request.to_json(), auth_response=auth_response.to_json()) db.set('state', _state.to_json()) service = service_factory( 'AccessToken', ['oauth2'], state_db=db, service_context=service_context, conf={'default_authn_method': 'client_secret_post'}) req_args = { 'redirect_uri': 'https://example.com/cli/authz_cb', 'code': 'access_code' } service.endpoint = 'https://example.com/authorize' _info = service.get_request_parameters(request_args=req_args, state='state') assert _info msg = AccessTokenRequest().from_urlencoded( service.get_urlinfo(_info['body'])) assert 'client_secret' in msg
def test_access_token_srv_conf(): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(config=client_config) service = service_factory( 'AccessToken', ['oauth2'], service_context=service_context, conf={'default_authn_method': 'client_secret_post'}) auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') auth_response = AuthorizationResponse(code='access_code') service.store_item(auth_request, "auth_request", 'state') service.store_item(auth_response, "auth_response", 'state') req_args = { 'redirect_uri': 'https://example.com/cli/authz_cb', 'code': 'access_code' } service.endpoint = 'https://example.com/authorize' _info = service.get_request_parameters(request_args=req_args, state='state') assert _info msg = AccessTokenRequest().from_urlencoded( service.get_urlinfo(_info['body'])) assert 'client_secret' in msg
def test_get_provider_specific_service(): service_context = ServiceContext() _srv = get_provider_specific_service('github', 'AccessToken', service_context=service_context, state_db=DB()) assert _srv.response_body_type == 'urlencoded'
def create_service(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(config=client_config) service_context.set('redirect_uris', ['https://example.com/cli/authz_cb']) self.service = service_factory('AccessToken', ['oauth2'], service_context=service_context) auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') auth_response = AuthorizationResponse(code='access_code') self.service.store_item(auth_request, 'auth_request', 'state') self.service.store_item(auth_response, 'auth_response', 'state')
def test_authz_service_conf(): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'], 'behaviour': {'response_types': ['code']} } srv = service_factory( 'Authorization', ['oidc'], state_db=InMemoryStateDataBase(), service_context=ServiceContext(CLI_KEY, config=client_config), conf={ 'request_args': { 'claims': { "id_token": { "auth_time": {"essential": True}, "acr": {"values": ["urn:mace:incommon:iap:silver"]} } } } }) req = srv.construct() assert 'claims' in req assert set(req['claims'].keys()) == {'id_token'}
def test_get_provider_specific_service(): service_context = ServiceContext() srv_desc = { 'access_token': { 'class': 'oidcrp.provider.github.AccessToken' } } _srv = init_services(srv_desc, service_context) assert _srv['accesstoken'].response_body_type == 'urlencoded'
def create_request(self): self._iss = ISS client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'], 'issuer': self._iss, 'requests_dir': 'requests', 'base_url': 'https://example.com/cli/' } service_context = ServiceContext(config=client_config) self.service = service_factory('Registration', ['oidc'], state_db=None, service_context=service_context)
def create_service(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'], 'behaviour': { 'response_types': ['code'] } } service_context = ServiceContext(config=client_config) self.service = service_factory('Authorization', ['oauth2'], service_context=service_context)
def __init__(self, state_db, client_authn_factory=None, keyjar=None, verify_ssl=True, config=None, httplib=None, services=None, jwks_uri='', httpc_params=None): """ :param client_authn_factory: Factory that this client can use to initiate a client authentication class. :param keyjar: A py:class:`oidcmsg.key_jar.KeyJar` instance :param config: Configuration information passed on to the :py:class:`oidcservice.service_context.ServiceContext` initialization :param httplib: A HTTP client to use :param services: A list of service definitions :param jwks_uri: A jwks_uri :param httpc_params: HTTP request arguments :return: Client instance """ self.session_interface = StateInterface(state_db) self.http = httplib or HTTPLib(httpc_params) if not keyjar: keyjar = KeyJar() keyjar.verify_ssl = verify_ssl self.events = None self.service_context = ServiceContext(keyjar, config=config, jwks_uri=jwks_uri, httpc_params=httpc_params) if self.service_context.client_id: self.client_id = self.service_context.client_id _cam = client_authn_factory or ca_factory _srvs = services or DEFAULT_SERVICES self.service = init_services(_srvs, self.service_context, state_db, _cam) if 'add_ons' in config: do_add_ons(config['add_ons'], self.service) self.service_context.service = self.service self.verify_ssl = verify_ssl
def create_request(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'callback': { 'code': 'https://example.com/cli/authz_cb', 'implicit': 'https://example.com/cli/authz_im_cb', 'form_post': 'https://example.com/cli/authz_fp_cb' } } service_context = ServiceContext(CLI_KEY, config=client_config) self.service = service_factory('Authorization', ['oidc'], state_db=InMemoryStateDataBase(), service_context=service_context)
def rp_service_setup(self): entity_id = 'https://foodle.uninett.no' service_context = ServiceContext(config={ 'issuer': 'https://op.ntnu.no', 'keys': {'key_defs': KEY_DEFS} }) http_cli = Publisher(os.path.join(BASE_PATH, 'base_data')) self.federation_entity = FederationEntity( entity_id, trusted_roots=ANCHOR, authority_hints=['https://ntnu.no'], httpd=http_cli, entity_type='openid_relying_party', opponent_entity_type='openid_provider', config={'keys': {'key_defs': KEY_DEFS}} ) # The test data collector self.federation_entity.collector = DummyCollector( trusted_roots=ANCHOR, httpd=http_cli, root_dir=os.path.join(BASE_PATH, 'base_data')) service_context.federation_entity = self.federation_entity service_context.redirect_uris = ['https://foodle.uninett.no/cb'] # Note that the keys used for OIDC base protocol communication are separate from those used # in the federation context # service_context.keyjar = init_key_jar(key_defs=KEY_DEFS, issuer_id=entity_id) service_context.client_preferences = { "grant_types": ['authorization_code', 'implicit', 'refresh_token'], "id_token_signed_response_alg": "ES256", "token_endpoint_auth_method": "client_secret_basic", "federation_type": ['automatic'] } self.service = { 'discovery': FedProviderInfoDiscovery(service_context), 'registration': Registration(service_context) }
def create_request(self): self._iss = ISS client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'], 'issuer': self._iss, 'requests_dir': 'requests', 'base_url': 'https://example.com/cli/', 'post_logout_redirect_uris': ['https://example.com/post_logout'] } service_context = ServiceContext(config=client_config) self.service = service_factory('EndSession', ['oidc'], state_db=InMemoryStateDataBase(), service_context=service_context)
def create_client(self): config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'], 'behaviour': { 'response_types': ['code'] }, 'add_ons': { "pushed_authorization": { "function": "oidcservice.oidc.add_on.pushed_authorization" ".add_pushed_authorization_support", "kwargs": { "body_format": "jws", "signing_algorthm": "RS256", "http_client": None, "merge_rule": "lax" } } } } _cam = ca_factory _srvs = DEFAULT_SERVICES service_context = ServiceContext(CLI_KEY, client_id='client_id', issuer='https://www.example.org/as', config=config) self.service = init_services(_srvs, service_context, InMemoryStateDataBase(), _cam) if 'add_ons' in config: do_add_ons(config['add_ons'], self.service) service_context.service = self.service service_context.provider_info = { "pushed_authorization_request_endpoint": "https://as.example.com/push" }
def test_request_object_encryption(): msg = AuthorizationRequest(state='ABCDE', redirect_uri='https://example.com/cb', response_type='code') conf = { 'redirect_uris': ['https://example.com/cli/authz_cb'], 'client_id': 'client_1', 'client_secret': 'abcdefghijklmnop', } service_context = ServiceContext(keyjar=keyjar, config=conf) service_context.behaviour["request_object_encryption_alg"] = 'RSA1_5' service_context.behaviour[ "request_object_encryption_enc"] = "A128CBC-HS256" _jwe = request_object_encryption(msg.to_json(), service_context, target=RECEIVER) assert _jwe _decryptor = factory(_jwe) assert _decryptor.jwt.verify_headers(alg='RSA1_5', enc='A128CBC-HS256')
def create_request(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(CLI_KEY, config=client_config) _db = InMemoryStateDataBase() auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state', response_type='code').to_json() auth_response = AuthorizationResponse(code='access_code').to_json() _db.set('state', State(auth_response=auth_response, auth_request=auth_request).to_json()) self.service = service_factory('AccessToken', ['oidc'], state_db=_db, service_context=service_context)
def create_service(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(config=client_config) self.service = service_factory('RefreshAccessToken', ['oauth2'], service_context=service_context) auth_response = AuthorizationResponse(code='access_code') token_response = AccessTokenResponse(access_token='bearer_token', refresh_token='refresh') self.service.store_item(auth_response, 'auth_response', 'abcdef') self.service.store_item(token_response, 'token_response', 'abcdef') self.service.endpoint = 'https://example.com/token'
def test_add_jwks_uri_or_jwks_3(): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'], 'issuer': ISS, 'client_preferences': { 'id_token_signed_response_alg': 'RS384', 'userinfo_signed_response_alg': 'RS384' } } service_context = ServiceContext(config=client_config, jwks='{"keys":[]}') service = service_factory('Registration', ['oidc'], state_db=None, service_context=service_context) req_args, post_args = add_jwks_uri_or_jwks({}, service) assert req_args['jwks'] == '{"keys":[]}' assert set(req_args.keys()) == {'jwks'}
def test_add_jwks_uri_or_jwks_0(): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'], 'jwks_uri': 'https://example.com/jwks/jwks.json', 'issuer': ISS, 'client_preferences': { 'id_token_signed_response_alg': 'RS384', 'userinfo_signed_response_alg': 'RS384' } } service_context = ServiceContext(config=client_config) service = service_factory('Registration', ['oidc'], service_context=service_context) req_args, post_args = add_jwks_uri_or_jwks({}, service) assert req_args['jwks_uri'] == 'https://example.com/jwks/jwks.json'
def create_service(self): client_config = { 'client_id': 'client_id', 'client_secret': 'another password' } service_context = ServiceContext(config=client_config) self.service = { 'token': service_factory("CCAccessToken", ['oauth2/client_credentials', 'oauth2'], service_context=service_context), 'refresh_token': service_factory("CCRefreshAccessToken", ['oauth2/client_credentials', 'oauth2'], service_context=service_context) } self.service['token'].endpoint = 'https://example.com/token' self.service['refresh_token'].endpoint = 'https://example.com/token'