def create_services(self):
# OP
fed_ent = FOODLE
fed_ent.fo_priority = [SWAMID.iss, FEIDE.iss]
fed_ent.federation = ''
fed_ent.provider_federations = None
fed_ent.registration_federations = None
fed_ent.jwks_bundle = fo_keybundle
client_config = {
'client_id': 'client_id',
'client_secret': 'password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'client_preferences': {
'id_token_signed_response_alg': 'RS384',
'userinfo_signed_response_alg': 'RS384'
}
}
_context = ServiceContext(config=client_config)
_context.federation_entity = fed_ent
_context.issuer = SUNET_OP.iss
self.service = build_services(
{
'FedProviderInfoDiscovery': {},
'FedRegistrationRequest': {}
}, factory, _context, DB())
_context.service = self.service
def create_services(self):
# RP
client_config = {
"base_url": "https://foodle.example.com",
"issuer": SUNET_OP.iss,
"client_id": "xxxxxxxxx",
"client_secret": "2222222222",
"redirect_uris": ["https://foodle.example.com/authz_cb/sunet_op"],
"client_prefs": {
"response_types": ["code"],
"scope": ["openid", "profile", "email"],
"token_endpoint_auth_method": "client_secret_basic"
}
}
_context = ServiceContext(config=client_config)
FOODLE.context = 'registration'
FOODLE.federation = FEIDE.iss
_context.federation_entity = FOODLE
self.service = build_services(
{
'FedProviderInfoDiscovery': {},
'FedRegistrationRequest': {}
}, factory, _context, DB())
def rp_service_setup(self):
entity_id = 'https://foodle.uninett.no'
service_context = ServiceContext(config={
'issuer': 'https://op.ntnu.no',
'keys': {'key_defs': KEY_DEFS}
})
http_cli = Publisher(os.path.join(BASE_PATH, 'base_data'))
self.federation_entity = FederationEntity(
entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
httpd=http_cli,
entity_type='openid_relying_party',
opponent_entity_type='openid_provider',
config={'keys': {'key_defs': KEY_DEFS}}
)
# The test data collector
self.federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, httpd=http_cli, root_dir=os.path.join(BASE_PATH, 'base_data'))
service_context.federation_entity = self.federation_entity
service_context.redirect_uris = ['https://foodle.uninett.no/cb']
# Note that the keys used for OIDC base protocol communication are separate from those used
# in the federation context
# service_context.keyjar = init_key_jar(key_defs=KEY_DEFS, issuer_id=entity_id)
service_context.client_preferences = {
"grant_types": ['authorization_code', 'implicit', 'refresh_token'],
"id_token_signed_response_alg": "ES256",
"token_endpoint_auth_method": "client_secret_basic",
"federation_type": ['automatic']
}
self.service = {
'discovery': FedProviderInfoDiscovery(service_context),
'registration': Registration(service_context)
}
def create_endpoint(self):
# First the RP
service_context = ServiceContext(
config={
'behaviour': {
'federation_types_supported': ['explicit']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
# the federation part of the RP
self.rp_federation_entity = FederationEntity(
entity_id=ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=ENTITY_ID)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 3 services
self.service = {
'discovery': FedProviderInfoDiscovery(service_context),
'registration': Registration(service_context),
'authorization': FedAuthorization(service_context),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
'provider_info': {
'path': '.well-known/openid-federation',
'class': provider_config.ProviderConfiguration,
'kwargs': {
'client_authn_method': None
}
},
'registration': {
'path': 'fed_registration',
'class': registration.Registration,
'kwargs': {
'client_authn_method': None
}
},
'authorization': {
'path': 'authorization',
'class': authorization.Authorization,
'kwargs': {
"response_modes_supported":
['query', 'fragment', 'form_post'],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"client_authn_method": ['request_param']
}
}
},
"keys": {
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template'
}
endpoint_context = EndpointContext(conf)
self.registration_endpoint = endpoint_context.endpoint["registration"]
self.authorization_endpoint = endpoint_context.endpoint[
"authorization"]
self.provider_endpoint = endpoint_context.endpoint["provider_config"]
# === Federation stuff =======
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.registration_endpoint.endpoint_context.federation_entity = federation_entity
def create_setup(self):
# First the RP
service_context = ServiceContext(
config={
'behaviour': {
'federation_types_supported': ['automatic']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
self.rp_federation_entity = FederationEntity(
entity_id=RP_ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=RP_ENTITY_ID)
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 2 services
self.service = {
'discovery': FedProviderInfoDiscovery(service_context),
'registration': RPRegistration(service_context),
'authorization': FedAuthorization(service_context),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "code"
},
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "refresh"
},
],
},
"code": {
"lifetime": 600
},
"token": {
"class": "oidcendpoint.jwt_token.JWTToken",
"kwargs": {
"lifetime":
3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope":
True,
"aud": ["https://example.org/appl"]
},
},
"refresh": {
"lifetime": 86400
},
},
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"id_token": {
"class": IDToken,
"kwargs": {
"default_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": OPRegistration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
},
},
"pushed_authorization": {
"path": "pushed_authorization",
"class": PushedAuthorization,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcendpoint.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"cookie_dealer": {
"class": CookieDealer,
"kwargs": {
"sign_key":
"ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"default_values": {
"name": "oidcop",
"domain": "127.0.0.1",
"path": "/",
"max_age": 3600,
},
},
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
"where": ["pushed_authorization"]
}
}
}
}
endpoint_context = EndpointContext(conf)
_clients = yaml.safe_load(io.StringIO(client_yaml))
# endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.pushed_authorization_endpoint = endpoint_context.endpoint[
"pushed_authorization"]
self.authorization_endpoint = endpoint_context.endpoint[
"authorization"]
self.registration_endpoint = endpoint_context.endpoint["registration"]
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.authorization_endpoint.endpoint_context.federation_entity = federation_entity
