def test_automatic_registration_new_client_id(self):
_registration_service = self.service['registration']
# This is cheating. Getting the OP's provider info
_fe = _registration_service.service_context.federation_entity
statement = Statement()
statement.metadata = self.registration_endpoint.endpoint_context.provider_info
statement.fo = "https://feide.no"
statement.verified_chain = [{'iss': "https://ntnu.no"}]
self.service['discovery'].update_service_context([statement])
# and the OP's federation keys
self.rp_federation_entity.keyjar.import_jwks(
read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no',
'jwks'),
issuer_id=self.registration_endpoint.endpoint_context.
provider_info['issuer'])
_context = self.service['authorization'].service_context
_context.set('issuer', 'https://op.ntnu.no')
_context.set('redirect_uris', ['https://foodle.uninett.no/callback'])
_context.set('entity_id', self.rp_federation_entity.entity_id)
_context.set('client_id', self.rp_federation_entity.entity_id)
_context.set('behaviour', {'response_types': ['code']})
_context.set(
'provider_info',
self.authorization_endpoint.endpoint_context.provider_info)
# The client not registered and the OP not supporting automatic client registration
with pytest.raises(OtherError):
self.service['authorization'].construct()
def test_automatic_registration_keep_client_id(self):
# This is cheating. Getting the OP provider info
_registration_service = self.service['registration']
_fe = _registration_service.service_context.federation_entity
statement = Statement()
statement.metadata = self.registration_endpoint.endpoint_context.provider_info
statement.fo = "https://feide.no"
statement.verified_chain = [{'iss': "https://ntnu.no"}]
self.service['discovery'].update_service_context([statement])
# and the OP's federation keys
self.rp_federation_entity.keyjar.import_jwks(
read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no',
'jwks'),
issuer_id=self.registration_endpoint.endpoint_context.
provider_info['issuer'])
service_context = self.service['authorization'].service_context
service_context.set('issuer', 'https://op.ntnu.no')
service_context.set('redirect_uris',
['https://foodle.uninett.no/callback'])
service_context.set('entity_id', self.rp_federation_entity.entity_id)
service_context.set('client_id', self.rp_federation_entity.entity_id)
service_context.set('behaviour', {'response_types': ['code']})
service_context.set(
'provider_info',
self.authorization_endpoint.endpoint_context.provider_info)
authn_request = self.service['authorization'].construct()
# Have to provide the OP with clients keys
self.authorization_endpoint.endpoint_context.keyjar.import_jwks(
_registration_service.service_context.keyjar.export_jwks(),
ENTITY_ID)
# get rid of the earlier client registrations
for k in self.authorization_endpoint.endpoint_context.cdb.keys():
del self.authorization_endpoint.endpoint_context.cdb[k]
# Have to provide the OP with clients keys
self.authorization_endpoint.endpoint_context.keyjar.import_jwks(
_registration_service.service_context.keyjar.export_jwks(),
ENTITY_ID)
# set new_id to False
self.authorization_endpoint.automatic_registration_endpoint.kwargs[
"new_id"] = False
# THe OP handles the authorization request
req = self.authorization_endpoint.parse_request(
authn_request.to_dict())
assert "response_type" in req
# reg_resp = self.registration_endpoint.do_response(**res)
# assert set(reg_resp.keys()) == {'response', 'http_headers', 'cookie'}
client_ids = list(
self.authorization_endpoint.endpoint_context.cdb.keys())
assert len(client_ids) == 1
assert client_ids[0] == ENTITY_ID
def test_explicit_registration(self):
_registration_service = self.service['registration']
# Using the RP's federation entity instance
_fe = _registration_service.client_get(
"service_context").federation_entity
_endpoint_context = self.registration_endpoint.server_get(
"endpoint_context")
# This is cheating. Getting the OP provider info
trust_chain = TrustChain()
trust_chain.metadata = _endpoint_context.provider_info
trust_chain.anchor = "https://feide.no"
trust_chain.verified_chain = [{'iss': "https://ntnu.no"}]
self.service['discovery'].update_service_context([trust_chain])
# add the OP's federation keys
self.rp_federation_entity.keyjar.import_jwks(
read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no',
'jwks'),
issuer_id=_endpoint_context.provider_info['issuer'])
# construct the client registration request
req_args = {
'entity_id': self.rp_federation_entity.entity_id,
'redirect_uris': ['https://foodle.uninett.no/cb']
}
self.rp_federation_entity.proposed_authority_hints = [
'https://ntnu.no'
]
jws = _registration_service.construct(request_args=req_args)
assert jws
# THe OP handles the registration request
res = self.registration_endpoint.process_request(jws)
assert res
reg_resp = self.registration_endpoint.do_response(**res)
assert set(reg_resp.keys()) == {'response', 'http_headers', 'cookie'}
# The RP parses the OP's response
args = _registration_service.parse_response(reg_resp['response'],
request=jws)
assert set(args.keys()) == {
'entity_id', 'client_id', 'contacts', 'application_type',
'redirect_uris', 'response_types', 'client_id_issued_at',
'client_secret', 'grant_types', 'client_secret_expires_at'
}
def test_automatic_registration_new_client_id(self):
_registration_service = self.service['registration']
self.authorization_endpoint.endpoint_context.provider_info[
'client_registration_authn_methods_supported'] = {
"ar": ['request_object']
}
# This is cheating. Getting the OP's provider info
_fe = _registration_service.service_context.federation_entity
statement = Statement()
statement.metadata = self.registration_endpoint.endpoint_context.provider_info
statement.fo = "https://feide.no"
statement.verified_chain = [{'iss': "https://ntnu.no"}]
self.service['discovery'].update_service_context([statement])
# and the OP's federation keys
self.rp_federation_entity.keyjar.import_jwks(
read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no',
'jwks'),
issuer_id=self.registration_endpoint.endpoint_context.
provider_info['issuer'])
_context = self.service['authorization'].service_context
_context.set('issuer', 'https://op.ntnu.no')
_context.set('redirect_uris', ['https://foodle.uninett.no/callback'])
_context.set('entity_id', self.rp_federation_entity.entity_id)
_context.set('client_id', self.rp_federation_entity.entity_id)
_context.set('behaviour', {'response_types': ['code']})
_context.set(
'provider_info',
self.authorization_endpoint.endpoint_context.provider_info)
authn_request = self.service['authorization'].construct()
# Have to provide the OP with clients keys
self.authorization_endpoint.endpoint_context.keyjar.import_jwks(
_registration_service.service_context.keyjar.export_jwks(),
ENTITY_ID)
# The OP handles the authorization request
req = self.authorization_endpoint.parse_request(
authn_request.to_dict())
assert "response_type" in req
client_ids = list(
self.authorization_endpoint.endpoint_context.cdb.keys())
assert len(client_ids) == 2
assert ENTITY_ID in client_ids
def create_endpoint(self):
# First the RP
service_context = ServiceContext(
config={
'behaviour': {
'federation_types_supported': ['explicit']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
# the federation part of the RP
self.rp_federation_entity = FederationEntity(
entity_id=ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=ENTITY_ID)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 3 services
self.service = {
'discovery': FedProviderInfoDiscovery(service_context),
'registration': Registration(service_context),
'authorization': FedAuthorization(service_context),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
'provider_info': {
'path': '.well-known/openid-federation',
'class': provider_config.ProviderConfiguration,
'kwargs': {
'client_authn_method': None
}
},
'registration': {
'path': 'fed_registration',
'class': registration.Registration,
'kwargs': {
'client_authn_method': None
}
},
'authorization': {
'path': 'authorization',
'class': authorization.Authorization,
'kwargs': {
"response_modes_supported":
['query', 'fragment', 'form_post'],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"client_authn_method": ['request_param']
}
}
},
"keys": {
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template'
}
endpoint_context = EndpointContext(conf)
self.registration_endpoint = endpoint_context.endpoint["registration"]
self.authorization_endpoint = endpoint_context.endpoint[
"authorization"]
self.provider_endpoint = endpoint_context.endpoint["provider_config"]
# === Federation stuff =======
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.registration_endpoint.endpoint_context.federation_entity = federation_entity
{
"type": "RSA",
"use": ["sig"]
},
{
"type": "EC",
"crv": "P-256",
"use": ["sig"]
},
]
ENTITY_ID = 'https://foodle.uninett.no'
ANCHOR = {
'https://feide.no':
read_info(os.path.join(ROOT_DIR, 'feide.no'), "feide.no", "jwks")
}
class TestExplicit(object):
@pytest.fixture(autouse=True)
def create_endpoint(self):
# First the RP
service_context = ServiceContext(
config={
'behaviour': {
'federation_types_supported': ['explicit']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
def create_setup(self):
# First the RP
service_context = ServiceContext(
config={
'behaviour': {
'federation_types_supported': ['automatic']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
self.rp_federation_entity = FederationEntity(
entity_id=RP_ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=RP_ENTITY_ID)
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 2 services
self.service = {
'discovery': FedProviderInfoDiscovery(service_context),
'registration': RPRegistration(service_context),
'authorization': FedAuthorization(service_context),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "code"
},
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "refresh"
},
],
},
"code": {
"lifetime": 600
},
"token": {
"class": "oidcendpoint.jwt_token.JWTToken",
"kwargs": {
"lifetime":
3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope":
True,
"aud": ["https://example.org/appl"]
},
},
"refresh": {
"lifetime": 86400
},
},
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"id_token": {
"class": IDToken,
"kwargs": {
"default_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": OPRegistration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
},
},
"pushed_authorization": {
"path": "pushed_authorization",
"class": PushedAuthorization,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcendpoint.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"cookie_dealer": {
"class": CookieDealer,
"kwargs": {
"sign_key":
"ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"default_values": {
"name": "oidcop",
"domain": "127.0.0.1",
"path": "/",
"max_age": 3600,
},
},
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
"where": ["pushed_authorization"]
}
}
}
}
endpoint_context = EndpointContext(conf)
_clients = yaml.safe_load(io.StringIO(client_yaml))
# endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.pushed_authorization_endpoint = endpoint_context.endpoint[
"pushed_authorization"]
self.authorization_endpoint = endpoint_context.endpoint[
"authorization"]
self.registration_endpoint = endpoint_context.endpoint["registration"]
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.authorization_endpoint.endpoint_context.federation_entity = federation_entity
def test_pushed_auth_urlencoded_process(self):
# This is cheating. Getting the OP's provider info
_fe = self.service['registration'].service_context.federation_entity
statement = Statement()
statement.metadata = self.registration_endpoint.endpoint_context.provider_info
statement.fo = "https://feide.no"
statement.verified_chain = [{'iss': "https://ntnu.no"}]
self.service['discovery'].update_service_context([statement])
# and the OP's federation keys
self.rp_federation_entity.keyjar.import_jwks(
read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no',
'jwks'),
issuer_id=self.registration_endpoint.endpoint_context.
provider_info['issuer'])
# Add RP's keys to the OP's keyjar.
self.registration_endpoint.endpoint_context.keyjar.import_jwks(
self.service["discovery"].service_context.keyjar.export_jwks(
issuer_id=""), RP_ENTITY_ID)
authn_request = AuthorizationRequest(
response_type="code",
state="af0ifjsldkj",
client_id=RP_ENTITY_ID,
redirect_uri="{}/callback".format(RP_ENTITY_ID),
code_challenge="K2-ltc83acc4h0c9w6ESC_rEMTJ3bww-uCHaoeK1t8U",
code_challenge_method="S256",
scope=["ais", "openid"])
# Create the private_key_jwt assertion
_jwt = JWT(self.service['registration'].service_context.keyjar,
iss=RP_ENTITY_ID,
sign_alg="RS256")
_jwt.with_jti = True
_assertion = _jwt.pack({
"aud": [
self.pushed_authorization_endpoint.endpoint_context.
provider_info["pushed_authorization_request_endpoint"]
]
})
authn_request.update({
"client_assertion": _assertion,
"client_assertion_type": JWT_BEARER
})
_req = self.pushed_authorization_endpoint.parse_request(authn_request)
assert isinstance(_req, AuthorizationRequest)
assert set(_req.keys()) == {
"state", "redirect_uri", "response_type", "scope",
"code_challenge_method", "client_id", "code_challenge",
"client_assertion", "client_assertion_type",
"__verified_client_assertion"
}
_resp = self.pushed_authorization_endpoint.process_request(_req)
assert _resp["return_uri"] == authn_request["redirect_uri"]
# And now for the authorization request with the OP provided request_uri
authn_request["request_uri"] = _resp["http_response"]["request_uri"]
for parameter in [
"code_challenge", "code_challenge_method", "client_assertion",
"client_assertion_type"
]:
del authn_request[parameter]
_req = self.authorization_endpoint.parse_request(authn_request)
assert "code_challenge" in _req
def test_pushed_auth_urlencoded(self):
# since all endpoint used the same endpoint_context I can grab anyone
_context = self.registration_endpoint.server_get("endpoint_context")
# This is cheating. Getting the OP's provider info
_fe = self.registration_service.client_get(
"service_context").federation_entity
trust_chain = TrustChain()
trust_chain.metadata = _context.provider_info
trust_chain.anchor = "https://feide.no"
trust_chain.verified_chain = [{'iss': "https://ntnu.no"}]
self.discovery_service.update_service_context([trust_chain])
# and the OP's federation keys
self.rp_federation_entity.keyjar.import_jwks(
read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no',
'jwks'),
issuer_id=_context.provider_info['issuer'])
# Add RP's keys to the OP's keyjar.
_context.keyjar.import_jwks(
self.discovery_service.client_get(
"service_context").keyjar.export_jwks(issuer_id=""),
RP_ENTITY_ID)
authn_request = AuthorizationRequest(
response_type="code",
state="af0ifjsldkj",
client_id=RP_ENTITY_ID,
redirect_uri="{}/callback".format(RP_ENTITY_ID),
code_challenge="K2-ltc83acc4h0c9w6ESC_rEMTJ3bww-uCHaoeK1t8U",
code_challenge_method="S256",
scope=["ais", "openid"])
# Create the private_key_jwt assertion
_jwt = JWT(
self.registration_service.client_get("service_context").keyjar,
iss=RP_ENTITY_ID,
sign_alg="RS256")
_jwt.with_jti = True
_assertion = _jwt.pack({
"aud":
[_context.provider_info["pushed_authorization_request_endpoint"]]
})
authn_request.update({
"client_assertion": _assertion,
"client_assertion_type": JWT_BEARER
})
_req = self.pushed_authorization_endpoint.parse_request(authn_request)
assert isinstance(_req, AuthorizationRequest)
assert set(_req.keys()) == {
"state", "redirect_uri", "response_type", "scope",
"code_challenge_method", "client_id", "code_challenge",
"client_assertion", "client_assertion_type",
'__verified_client_assertion'
}
# Should have a registered client now
assert set(_context.cdb.keys()) == {RP_ENTITY_ID}
def test_automatic_registration_new_client_id(self):
_registration_service = self.service['registration']
self.authorization_endpoint.server_get(
"endpoint_context"
).provider_info['client_registration_authn_methods_supported'] = {
"ar": ['request_object']
}
self.authorization_endpoint.automatic_registration_endpoint.kwargs[
'new_id'] = True
# This is cheating. Getting the OP's provider info
_fe = _registration_service.client_get(
"service_context").federation_entity
statement = TrustChain()
statement.metadata = self.registration_endpoint.server_get(
"endpoint_context").provider_info
statement.anchor = "https://feide.no"
statement.verified_chain = [{'iss': "https://ntnu.no"}]
with responses.RequestsMock() as rsps:
_jwks = self.authorization_endpoint.server_get(
"endpoint_context").keyjar.export_jwks()
rsps.add("GET",
'https://op.ntnu.no/static/jwks.json',
body=_jwks,
adding_headers={"Content-Type": "application/json"},
status=200)
self.service['discovery'].update_service_context([statement])
# and the OP's federation keys
self.rp_federation_entity.keyjar.import_jwks(
read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no',
'jwks'),
issuer_id=self.registration_endpoint.server_get(
"endpoint_context").provider_info['issuer'])
_context = self.service['authorization'].client_get("service_context")
_context.issuer = 'https://op.ntnu.no'
_context.redirect_uris = ['https://foodle.uninett.no/callback']
_context.entity_id = self.rp_federation_entity.entity_id
_context.client_id = self.rp_federation_entity.entity_id
_context.behaviour = {'response_types': ['code']}
_context.provider_info = self.authorization_endpoint.server_get(
"endpoint_context").provider_info
authn_request = self.service['authorization'].construct()
# Have to provide the OP with clients keys
self.authorization_endpoint.server_get(
"endpoint_context").keyjar.import_jwks(
_registration_service.client_get(
"service_context").keyjar.export_jwks(), ENTITY_ID)
# The OP handles the authorization request
req = self.authorization_endpoint.parse_request(
authn_request.to_dict())
assert "response_type" in req
client_ids = list(
self.authorization_endpoint.server_get(
"endpoint_context").cdb.keys())
assert len(client_ids) == 2 # dynamic and entity_id
assert ENTITY_ID in client_ids
def create_endpoint(self):
# First the RP
entity = Entity(
config={
'behaviour': {
'federation_types_supported': ['explicit']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
},
"httpc_param": {
'verify': False,
"timeout": 2
},
})
# the federation part of the RP
self.rp_federation_entity = FederationEntity(
entity_id=ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=ENTITY_ID)
# add the federation part to the service context
entity.client_get(
"service_context").federation_entity = self.rp_federation_entity
# The RP has/supports 3 services
self.service = {
'discovery':
FedProviderInfoDiscovery(entity.client_get),
'registration':
Registration(entity.client_get),
'authorization':
FedAuthorization(entity.client_get,
conf={"request_object_expires_in": 300}),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"httpc_param": {
'verify': False,
"timeout": 2
},
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {
"key_defs": COOKIE_KEYDEFS
},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman"
}
},
},
"endpoint": {
'provider_info': {
'path': '.well-known/openid-federation',
'class': provider_config.ProviderConfiguration,
'kwargs': {
'client_authn_method': None
}
},
'registration': {
'path': 'fed_registration',
'class': registration.Registration,
'kwargs': {
'client_authn_method': None
}
},
'authorization': {
'path': 'authorization',
'class': authorization.Authorization,
'kwargs': {
"response_modes_supported":
['query', 'fragment', 'form_post'],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"client_authn_method": ['request_param']
}
}
},
"keys": {
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template',
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
'client_registration_authn_methods_supported': {
"ar": ['request_object']
},
'where': ['authorization']
}
}
}
}
server = Server(conf)
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.provider_endpoint = server.server_get("endpoint",
"provider_config")
# === Federation stuff =======
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.registration_endpoint.server_get(
"endpoint_context").federation_entity = federation_entity
from fedservice.op.provider_config import ProviderConfiguration
from tests.utils import DummyCollector
from tests.utils import Publisher
BASE_PATH = os.path.abspath(os.path.dirname(__file__))
ROOT_DIR = os.path.join(BASE_PATH, 'base_data')
KEYSPEC = [
{"type": "RSA", "use": ["sig"]},
{"type": "EC", "crv": "P-256", "use": ["sig"]},
]
ENTITY_ID = 'https://op.ntnu.no'
ANCHOR = {'https://feide.no': read_info(os.path.join(ROOT_DIR, 'feide.no'), "feide.no", "jwks")}
class TestEndpoint(object):
@pytest.fixture(autouse=True)
def create_endpoint(self):
conf = {
"issuer": ENTITY_ID,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"claims_interface": {"class": "oidcop.session.claims.ClaimsInterface", "kwargs": {}},
'keys': {
'key_defs': KEYSPEC,
