def test_client_claims(self): session_id = self._create_session(AREQ) grant = self.session_manager[session_id] self.session_manager.token_handler["id_token"].kwargs[ "enable_claims_per_client"] = True self.endpoint_context.cdb["client_1"]["id_token_claims"] = { "address": None } _claims = self.endpoint_context.claims_interface.get_claims( session_id=session_id, scopes=AREQ["scope"], claims_release_point="id_token") grant.claims = {"id_token": _claims} id_token = self._mint_id_token(grant, session_id) client_keyjar = KeyJar() _jwks = self.endpoint_context.keyjar.export_jwks() client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer) _jwt = JWT(key_jar=client_keyjar, iss="client_1") res = _jwt.unpack(id_token.value) assert "address" in res assert "nickname" not in res
def test_client_claims_scopes_and_request_claims_no_match(self): session_id = self._create_session(AREQRC) grant = self.session_manager[session_id] self.session_manager.token_handler["id_token"].kwargs[ "add_claims_by_scope"] = True _claims = self.endpoint_context.claims_interface.get_claims( session_id=session_id, scopes=AREQRC["scope"], claims_release_point="id_token") grant.claims = {"id_token": _claims} id_token = self._mint_id_token(grant, session_id) client_keyjar = KeyJar() _jwks = self.endpoint_context.keyjar.export_jwks() client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer) _jwt = JWT(key_jar=client_keyjar, iss="client_1") res = _jwt.unpack(id_token.value) # User information, from scopes -> claims assert "address" in res assert "email" in res # User info, requested by claims parameter assert "nickname" in res
def test_eval_chains(): target = 'https://foodle.uninett.no' collector = DummyCollector(trusted_roots=ANCHOR, httpd=Publisher( os.path.join(BASE_PATH, 'base_data')), root_dir=os.path.join(BASE_PATH, 'base_data')) entity_statement = collector.get_entity_statement(target, issuer=target, subject=target) _config = verify_self_signed_signature(entity_statement) assert _config tree = collector.collect_superiors(_config['iss'], entity_statement) _node = {target: (entity_statement, tree)} chains = branch2lists(_node) key_jar = KeyJar() key_jar.import_jwks_as_json(jwks, 'https://feide.no') statements = [ eval_chain(c, key_jar, 'openid_relying_party') for c in chains ] assert len(statements) == 1 statement = statements[0] assert statement.fo == "https://feide.no" assert set(statement.metadata.keys()) == { 'response_types', 'claims', 'contacts', 'application_type', 'redirect_uris', 'id_token_signing_alg_values_supported', 'jwks_uri' }
def test_client_claims_scopes_and_request_claims_one_match(self): _req = AREQS.copy() _req["claims"] = { "id_token": { "email": { "value": "*****@*****.**" } } } session_id = self._create_session(_req) grant = self.session_manager[session_id] self.session_manager.token_handler["id_token"].kwargs[ "add_claims_by_scope"] = True _claims = self.endpoint_context.claims_interface.get_claims( session_id=session_id, scopes=_req["scope"], claims_release_point="id_token") grant.claims = {"id_token": _claims} id_token = self._mint_id_token(grant, session_id) client_keyjar = KeyJar() _jwks = self.endpoint_context.keyjar.export_jwks() client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer) _jwt = JWT(key_jar=client_keyjar, iss="client_1") res = _jwt.unpack(id_token.value) # Email didn't match assert "email" not in res # Scope -> claims assert "address" in res
def _keyjar(self, keyjar=None, conf=None, entity_id=""): if keyjar is None: if "keys" in conf: keys_args = { k: v for k, v in conf["keys"].items() if k != "uri_path" } _keyjar = init_key_jar(**keys_args) elif "key_conf" in conf: keys_args = { k: v for k, v in conf["key_conf"].items() if k != "uri_path" } _keyjar = init_key_jar(**keys_args) else: _keyjar = KeyJar() if "jwks" in conf: _keyjar.import_jwks(conf["jwks"], "") if "" in _keyjar and entity_id: # make sure I have the keys under my own name too (if I know it) _keyjar.import_jwks_as_json( _keyjar.export_jwks_as_json(True, ""), entity_id) _httpc_params = conf.get("httpc_params") if _httpc_params: _keyjar.httpc_params = _httpc_params return _keyjar else: return keyjar
def _keyjar(self, keyjar=None, db_conf=None, conf=None, entity_id=''): if keyjar is None: _storage = None if db_conf: _cnf = get_storage_conf(db_conf, 'keyjar') if _cnf: _storage = storage_factory(_cnf) if 'keys' in conf: args = {k: v for k, v in conf["keys"].items() if k != "uri_path"} args.update({'storage': _storage}) _keyjar = init_key_jar(**args) else: _keyjar = KeyJar(storage=_storage) if 'jwks' in conf: _keyjar.import_jwks(conf['jwks'], '') if '' in _keyjar and entity_id: # make sure I have the keys under my own name too (if I know it) _keyjar.import_jwks_as_json(_keyjar.export_jwks_as_json(True, ''), entity_id) _httpc_params = conf.get('httpc_params') if _httpc_params: _keyjar.httpc_params = _httpc_params return _keyjar else: return keyjar
def key_setup(): # Copy dynamically created files to there places in the base_data information tree. key_jar = KeyJar() key_jar.import_jwks_from_file(os.path.join(dir_path, "flask_op/static/fed_keys.json"), "") _jwks = key_jar.export_jwks_as_json(issuer="") with open('base_data/umu.se/https%3A%2F%2F127.0.0.1%3A5000/jwks.json', "w") as fp: fp.write(_jwks) for _key_file, _port in [(os.path.join(dir_path, "flask_rp/static/fed_keys.json"), 4000), (os.path.join(dir_path, "flask_rp/static/fed_keys_auto.json"), 4001)]: if os.path.isfile(_key_file): key_jar = KeyJar() key_jar.import_jwks_from_file(_key_file, "") _jwks = key_jar.export_jwks_as_json(issuer="") _file = 'base_data/lu.se/https%3A%2F%2F127.0.0.1%3A{}/jwks.json'.format(_port) with open(_file, "w") as fp: fp.write(_jwks)
def fetch_entity(fetch_endpoint, iss, sub, iss_entity_statement): _response = requests.request("GET", fetch_endpoint, verify=False, params={'iss': iss, 'sub': sub}) _jws = factory(_response.text) _key_jar = KeyJar() _key_jar.import_jwks(iss_entity_statement['jwks'], iss) _keys = _key_jar.get_jwt_verify_keys(_jws.jwt) _res = _jws.verify_compact(keys=_keys) return _res
def __init__(self, iss, entity_id_pattern): self.iss = iss self.keyjar = KeyJar() self.entity_id_pattern = entity_id_pattern self.url_prefix = '' self.fe_base_path = "" self.auth_base_path = "" self.conf = None self.federation_fetch_endpoint = ""
def get_self_signed_entity_statement(entity_id): _url = entity_id + "/.well-known/openid-federation" _response = requests.request("GET", _url, verify=False) _jws = factory(_response.text) _payload = _jws.jwt.payload() entity_statement = EntityStatement(**_payload) _key_jar = KeyJar() # verify entity_statement["iss"] _key_jar.import_jwks(entity_statement['jwks'], entity_id) _keys = _key_jar.get_jwt_verify_keys(_jws.jwt) _res = _jws.verify_compact(keys=_keys) return _res
def test_no_available_claims(self): session_id = self._create_session(AREQ) grant = self.session_manager[session_id] grant.claims = {"id_token": {"foobar": None}} id_token = self._mint_id_token(grant, session_id) client_keyjar = KeyJar() _jwks = self.endpoint_context.keyjar.export_jwks() client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer) _jwt = JWT(key_jar=client_keyjar, iss="client_1") res = _jwt.unpack(id_token.value) assert "foobar" not in res
def test_lifetime_default(self): session_id = self._create_session(AREQ) grant = self.session_manager[session_id] id_token = self._mint_id_token(grant, session_id) client_keyjar = KeyJar() _jwks = self.endpoint_context.keyjar.export_jwks() client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer) _jwt = JWT(key_jar=client_keyjar, iss="client_1") res = _jwt.unpack(id_token.value) assert res["exp"] - res["iat"] == LIFETIME
def create_endpoint_context(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "endpoint": { "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": { "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED], "response_modes_supported": ["query", "fragment", "form_post"], "claims_parameter_supported": True, "request_parameter_supported": True, "request_uri_parameter_supported": True, }, } }, "keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS}, "authentication": { "anon": {"acr": UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "******"},}, }, "cookie_handler": { "class": "oidcop.cookie_handler.CookieHandler", "kwargs": { "sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch", "name": { "session": "oidc_op", "register": "oidc_op_reg", "session_management": "oidc_op_sman", }, }, }, "template_dir": "template", } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) endpoint_context = server.endpoint_context _clients = yaml.safe_load(io.StringIO(client_yaml)) endpoint_context.cdb = _clients["oidc_clients"] endpoint_context.keyjar.import_jwks( endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"] ) self.endpoint = server.server_get("endpoint", "authorization") self.rp_keyjar = KeyJar() self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890") endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
def verify_self_signed_signature(config): """ Verify signature. Will raise exception if signature verification fails. :param config: Signed JWT :return: Payload of the signed JWT """ payload = unverified_entity_statement(config) keyjar = KeyJar() keyjar.import_jwks(payload['jwks'], payload['iss']) _jwt = JWT(key_jar=keyjar) _val = _jwt.unpack(config) return _val
def key_jar_from_config(config: dict) -> KeyJar: """Get key jar from dict by issuer""" kj = KeyJar() logger = logging.getLogger(__name__).getChild("key_jar_from_config") for (issuer, v) in config.items(): if "jwks_url" in v: url = v.get("jwks_url") logger.info("Reading keys for issuer %s from %s", issuer, url) kj.add_url(issuer, url) elif "jwks_path" in v: filename = v.get("jwks_path") logger.info("Reading keys for issuer %s from %s", issuer, filename) kj.import_jwks_from_file(filename, issuer) else: logger.warning("No keys defined for issuer %s", issuer) return kj
def test_sign_encrypt_id_token(self): session_id = self._create_session(AREQ) grant = self.session_manager[session_id] id_token = self._mint_id_token(grant, session_id) _jws = factory(id_token.value) assert _jws.jwt.headers["alg"] == "RS256" client_keyjar = KeyJar() _jwks = self.endpoint_context.keyjar.export_jwks() client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer) _jwt = JWT(key_jar=client_keyjar, iss="client_1") res = _jwt.unpack(id_token.value) assert isinstance(res, dict) assert res["aud"] == ["client_1"]
def init_oidc_rp_handler(app): _rp_conf = app.config if _rp_conf.get('rp_keys'): _kj = init_key_jar(**_rp_conf['rp_keys']) _path = _rp_conf['rp_keys']['public_path'] # removes ./ and / from the begin of the string _path = re.sub('^(.)/', '', _path) else: _kj = KeyJar() _path = '' _kj.httpc_params = _rp_conf['httpc_params'] hash_seed = app.config.get('hash_seed', "BabyHoldOn") rph = RPHandler(_rp_conf['base_url'], _rp_conf['clients'], services=_rp_conf['services'], hash_seed=hash_seed, keyjar=_kj, jwks_path=_path, httpc_params=_rp_conf['httpc_params']) #, verify_ssl=False) return rph
def init_oidc_rp_handler(app): _rp_conf = app.rp_config if _rp_conf.rp_keys: _kj = init_key_jar(**_rp_conf.rp_keys) _path = _rp_conf.rp_keys['public_path'] # removes ./ and / from the begin of the string _path = re.sub('^(.)/', '', _path) else: _kj = KeyJar() _path = '' _kj.httpc_params = _rp_conf.httpc_params rph = RPHandler(_rp_conf.base_url, _rp_conf.clients, services=_rp_conf.services, hash_seed=_rp_conf.hash_seed, keyjar=_kj, jwks_path=_path, httpc_params=_rp_conf.httpc_params) return rph
def create(iss, sub, domain, root_dir): kj = KeyJar() iss_id = "https://{}".format(iss) iss_jwks_file = os.path.join(root_dir, iss, "{}.jwks.json".format(iss)) kj.import_jwks_as_json(open(iss_jwks_file).read(), iss_id) sub_id = "https://{}".format(sub) sub_jwks_file = os.path.join(root_dir, iss, "{}.jwks.json".format(sub)) kj.import_jwks_as_json(open(sub_jwks_file).read(), sub_id) metadata_file = os.path.join(root_dir, iss, "{}.metadata.json".format(sub)) if os.path.isfile(metadata_file): metadata = json.loads(open(metadata_file).read()) else: metadata = None if metadata: for typ, conf in metadata.items(): for key, val in conf.items(): if '<DOMAIN>' in val: metadata[typ][key] = val.replace('<DOMAIN>', domain) policy_file = os.path.join(root_dir, iss, "{}.policy.json".format(sub)) if os.path.isfile(policy_file): policy = json.loads(open(policy_file).read()) else: policy = None authority_file = os.path.join(root_dir, iss, "{}.authority.json".format(sub)) if os.path.isfile(authority_file): _auth = json.loads(open(authority_file).read()) for key, vals in _auth.items(): if '<DOMAIN>' in key: _key = key.replace('<DOMAIN>', domain) _vals = [v.replace('<DOMAIN>', domain) for v in vals] del _auth[key] _auth[_key] = _vals _jwt = create_entity_statement(iss_id, sub_id, kj, metadata, policy, _auth) else: _jwt = create_entity_statement(iss_id, sub_id, kj, metadata, policy) return _jwt
def __init__(self, kb: KeyBundle, issuer: str, lifetime: int) -> None: self.logger = logging.getLogger(__name__).getChild( self.__class__.__name__) self.issuer = issuer self.kj = KeyJar() self.kj.add_kb(self.issuer, kb) sign_alg = None enc_alg = None enc_enc = None kid = None for key in self.kj.get(key_use="enc", issuer_id=issuer): kid = key.kid if key.kty == "oct": sign_alg = "HS256" enc_alg = None enc_enc = None break elif key.kty == "EC": sign_alg = "ES256" enc_alg = "ECDH-ES" enc_enc = "A128GCM" break elif key.kty == "RSA": sign_alg = "RS256" enc_alg = "RSA1_5" enc_enc = "A128GCM" break if kid is None: raise Exception("No challenge key found") sign = sign_alg is not None encrypt = enc_alg is not None self.logger.info("Using challenge key kid=%s sign=%s encrypt=%s", kid, sign, encrypt) self.jwt = JWT( key_jar=self.kj, iss=self.issuer, lifetime=lifetime, sign=sign, sign_alg=sign_alg, encrypt=encrypt, enc_alg=enc_alg, enc_enc=enc_enc, )
def test_client_claims_with_default(self): session_id = self._create_session(AREQ) grant = self.session_manager[session_id] _claims = self.endpoint_context.claims_interface.get_claims( session_id=session_id, scopes=AREQ["scope"], claims_release_point="id_token") grant.claims = {"id_token": _claims} id_token = self._mint_id_token(grant, session_id) client_keyjar = KeyJar() _jwks = self.endpoint_context.keyjar.export_jwks() client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer) _jwt = JWT(key_jar=client_keyjar, iss="client_1") res = _jwt.unpack(id_token.value) # No user info claims should be there assert "address" not in res assert "nickname" not in res
def get_issuer_keyjar(jwks, issuer: str): key_jar = KeyJar() # "" means default, you can always point to a issuer identifier key_jar.import_jwks(jwks, issuer_id=issuer) return key_jar
def test_collect(): jwks = open( os.path.join(BASE_PATH, 'base_data', 'feide.no', 'feide.no', 'jwks.json')).read() ANCHOR = {'https://feide.no': json.loads(jwks)} KEYJAR = KeyJar() KEYJAR.import_jwks_as_json(jwks, 'https://feide.no') chain = [] _collector = Collector(trust_anchors=ANCHOR) subject = "foodle.uninett.no" with responses.RequestsMock() as rsps: _msg = open( os.path.join(BASE_PATH, 'base_data', subject, subject, 'jws')).read() rsps.add(rsps.GET, "https://foodle.uninett.no/.well-known/openid-federation", body=_msg) # Get the self-signed entity statement from a leaf _self_signed = _collector.get_configuration_information( "https://foodle.uninett.no") chain.append(_self_signed) _statement = verify_self_signed_signature(_self_signed) assert _statement authority = "" while authority not in _collector.trusted_anchors: authority = _statement['authority_hints'][0] netloc = authority[8:] with responses.RequestsMock() as rsps: _msg = open( os.path.join(BASE_PATH, 'base_data', netloc, netloc, "jws")).read() _url = "https://{}/.well-known/openid-federation".format(netloc) rsps.add(rsps.GET, _url, body=_msg) # Get the self-signed entity statement from a leaf _self_signed = _collector.get_configuration_information(authority) _statement = verify_self_signed_signature(_self_signed) assert _statement _api_endpoint = _statement['metadata']['federation_entity'][ 'federation_api_endpoint'] with responses.RequestsMock() as rsps: _msg = open( os.path.join(BASE_PATH, 'base_data', netloc, subject, "jws")).read() _url = construct_entity_statement_query( _api_endpoint, authority, "https://{}".format(subject)) rsps.add(rsps.GET, _url, body=_msg) # Get the self-signed entity statement from a leaf _signed_statement = _collector.get_entity_statement( _api_endpoint, authority, "https://{}".format(subject)) chain.append(_signed_statement) _jwt = factory(_signed_statement) _statement = _jwt.jwt.payload() subject = _statement['iss'][8:] # Now I have the chain should be 3 items in it assert len(chain) == 3 # verify the trust chain chain.reverse() verified_chain = verify_trust_chain(chain, KEYJAR) # The result is the verified statements assert len(verified_chain) == 3 # Check that the constraints are met assert meets_restrictions(verified_chain)
def __init__(self) -> None: super().__init__() self.trusted_keyjar: KeyJar = KeyJar() self.trusted_algs: Set[str] = set(TRUSTED_ALGS)
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "capabilities": CAPABILITIES, "jwks": { "uri_path": "static/jwks.json", "key_defs": KEYDEFS }, "id_token": { "class": IDToken, "kwargs": { "default_claims": { "email": { "essential": True }, "email_verified": { "essential": True }, } }, }, "endpoint": { "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": { "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED], "response_modes_supported": ["query", "fragment", "form_post"], "claims_parameter_supported": True, "request_parameter_supported": True, "request_uri_parameter_supported": True, "request_cls": JWTSecuredAuthorizationRequest, }, } }, "authentication": { "anon": { "acr": "http://www.swamid.se/policy/assurance/al1", "class": "oidcendpoint.user_authn.user.NoAuthn", "kwargs": { "user": "******" }, } }, "userinfo": { "class": UserInfo, "kwargs": { "db": USERINFO_db } }, "template_dir": "template", "cookie_dealer": { "class": CookieDealer, "kwargs": { "sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch", "default_values": { "name": "oidcop", "domain": "127.0.0.1", "path": "/", "max_age": 3600, }, }, }, } endpoint_context = EndpointContext(conf) _clients = yaml.safe_load(io.StringIO(client_yaml)) endpoint_context.cdb = _clients["clients"] endpoint_context.keyjar.import_jwks( endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]) self.endpoint = endpoint_context.endpoint["authorization"] self.rp_keyjar = KeyJar() self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890") self.endpoint.endpoint_context.keyjar.add_symmetric( "client_1", "hemligtkodord1234567890")
app.register_blueprint(sigserv_views) # Initialize the oidc_provider after views to be able to set correct urls app.signing_service = init_sign_service(app) return app if __name__ == "__main__": domain = '127.0.0.1' op_port = 5000 rp_spec = [("../flask_rp/static/fed_keys.json", 4000), ("../flask_rp/static/fed_keys_auto.json", 4001)] # Copy dynamically created files to there places in the base_data information tree. key_jar = KeyJar() key_jar.import_jwks_from_file("../flask_op/static/fed_keys.json", "") _jwks = key_jar.export_jwks_as_json(issuer_id="") with open( 'base_data/umu.se/https%3A%2F%2F{}%3A{}/jwks.json'.format( domain, op_port), "w") as fp: fp.write(_jwks) for _key_file, _port in rp_spec: if os.path.isfile(_key_file): key_jar = KeyJar() key_jar.import_jwks_from_file(_key_file, "") _jwks = key_jar.export_jwks_as_json(issuer_id="") _file = 'base_data/lu.se/https%3A%2F%2F{}%3A{}%2Flocal/jwks.json'.format( domain, _port) with open(_file, "w") as fp:
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "verify_ssl": False, "capabilities": CAPABILITIES, "keys": { "uri_path": "static/jwks.json", "key_defs": KEYDEFS }, "endpoint": { "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": { "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED], "response_modes_supported": ["query", "fragment", "form_post"], "claims_parameter_supported": True, "request_parameter_supported": True, "request_uri_parameter_supported": True, "request_cls": JWTSecuredAuthorizationRequest, }, } }, "authentication": { "anon": { "acr": "http://www.swamid.se/policy/assurance/al1", "class": "oidcop.user_authn.user.NoAuthn", "kwargs": { "user": "******" }, } }, "userinfo": { "class": UserInfo, "kwargs": { "db": USERINFO_db } }, "template_dir": "template", "cookie_handler": { "class": CookieHandler, "kwargs": { "sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch", "name": { "session": "oidc_op", "register": "oidc_op_reg", "session_management": "oidc_op_sman", }, }, }, } server = Server(ASConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) endpoint_context = server.endpoint_context _clients = yaml.safe_load(io.StringIO(client_yaml)) endpoint_context.cdb = _clients["clients"] endpoint_context.keyjar.import_jwks( endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]) self.endpoint = server.server_get("endpoint", "authorization") self.session_manager = endpoint_context.session_manager self.user_id = "diana" self.rp_keyjar = KeyJar() self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890") endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "verify_ssl": False, "capabilities": CAPABILITIES, "keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS}, "token_handler_args": { "jwks_file": "private/token_jwks.json", "code": {"kwargs": {"lifetime": 600}}, "token": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "add_claims_by_scope": True, "aud": ["https://example.org/appl"], }, }, "refresh": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],}, }, "id_token": { "class": "oidcop.token.id_token.IDToken", "kwargs": { "base_claims": { "email": {"essential": True}, "email_verified": {"essential": True}, "given_name": {"essential": True}, "nickname": None, } }, }, }, "endpoint": { "provider_config": { "path": "{}/.well-known/openid-configuration", "class": ProviderConfiguration, "kwargs": {}, }, "registration": {"path": "{}/registration", "class": Registration, "kwargs": {},}, "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": { "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED], "response_modes_supported": ["query", "fragment", "form_post"], "claims_parameter_supported": True, "request_parameter_supported": True, "request_uri_parameter_supported": True, }, }, "token": { "path": "token", "class": Token, "kwargs": { "client_authn_method": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt", ] }, }, "userinfo": { "path": "userinfo", "class": userinfo.UserInfo, "kwargs": { "db_file": "users.json", "claim_types_supported": ["normal", "aggregated", "distributed",], }, }, }, "authentication": { "anon": { "acr": "http://www.swamid.se/policy/assurance/al1", "class": "oidcop.user_authn.user.NoAuthn", "kwargs": {"user": "******"}, } }, "userinfo": {"class": UserInfo, "kwargs": {"db": USERINFO_db}}, "template_dir": "template", "authz": { "class": AuthzHandling, "kwargs": { "grant_config": { "usage_rules": { "authorization_code": { "supports_minting": ["access_token", "refresh_token", "id_token",], "max_usage": 1, }, "access_token": {}, "refresh_token": { "supports_minting": ["access_token", "refresh_token"], }, }, "expires_in": 43200, } }, }, "cookie_handler": { "class": CookieHandler, "kwargs": { "sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch", "name": { "session": "oidc_op", "register": "oidc_op_reg", "session_management": "oidc_op_sman", }, }, }, "login_hint2acrs": { "class": LoginHint2Acrs, "kwargs": {"scheme_map": {"email": [INTERNETPROTOCOLPASSWORD]}}, }, } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) endpoint_context = server.endpoint_context _clients = yaml.safe_load(io.StringIO(client_yaml)) endpoint_context.cdb = _clients["oidc_clients"] endpoint_context.keyjar.import_jwks( endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"] ) self.endpoint = server.server_get("endpoint", "authorization") self.session_manager = endpoint_context.session_manager self.user_id = "diana" self.rp_keyjar = KeyJar() self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890") endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
def __init__(self, iss, entity_id_pattern): self.iss = iss self.keyjar = KeyJar() self.entity_id_pattern = entity_id_pattern self.url_prefix = '' self.base_path = ""
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "verify_ssl": False, "capabilities": CAPABILITIES, "keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS}, "token_handler_args": { "jwks_def": { "private_path": "private/token_jwks.json", "read_only": False, "key_defs": [{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"}], }, "code": {"kwargs": {"lifetime": 600}}, "token": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "add_claims_by_scope": True, "aud": ["https://example.org/appl"], }, }, "refresh": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],}, }, "id_token": { "class": "oidcop.token.id_token.IDToken", "kwargs": { "base_claims": { "email": {"essential": True}, "email_verified": {"essential": True}, } }, }, }, "endpoint": { "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": { "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED], "response_modes_supported": ["query", "fragment", "form_post"], "claims_parameter_supported": True, "request_parameter_supported": True, "request_uri_parameter_supported": True, }, } }, "authentication": { "anon": { "acr": "http://www.swamid.se/policy/assurance/al1", "class": "oidcop.user_authn.user.NoAuthn", "kwargs": {"user": "******"}, } }, "userinfo": {"class": UserInfo, "kwargs": {"db": USERINFO_db}}, "template_dir": "template", "cookie_handler": { "class": CookieHandler, "kwargs": { "keys": {"key_defs": COOKIE_KEYDEFS}, "name": { "session": "oidc_op", "register": "oidc_op_reg", "session_management": "oidc_op_sman", }, }, }, "authz": { "class": AuthzHandling, "kwargs": { "grant_config": { "usage_rules": { "authorization_code": { "supports_minting": ["access_token", "refresh_token", "id_token",], "max_usage": 1, }, "access_token": {}, "refresh_token": { "supports_minting": ["access_token", "refresh_token", "id_token",], }, }, "expires_in": 43200, } }, }, } server = Server(ASConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) endpoint_context = server.endpoint_context _clients = yaml.safe_load(io.StringIO(client_yaml)) endpoint_context.cdb = _clients["clients"] endpoint_context.keyjar.import_jwks( endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"] ) self.endpoint = server.server_get("endpoint", "authorization") self.session_manager = endpoint_context.session_manager self.user_id = "diana" self.rp_keyjar = KeyJar() self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890") self.endpoint.server_get("endpoint_context").keyjar.add_symmetric( "client_1", "hemligtkodord1234567890" )