def _run(self): if self.skip: return self.conv.events.store( EV_REQUEST, "op_args: {}, req_args: {}".format(self.op_args, self.req_args), direction=OUTGOING) if 'authn_method' not in self.op_args: _ent = self.conv.entity try: #use the registered authn method self.op_args['authn_method'] = _ent.registration_response['token_endpoint_auth_method'] except KeyError: #use the first mutually supported authn method for am in _ent.client_authn_method.keys(): if am in _ent.provider_info['token_endpoint_auth_methods_supported']: self.op_args['authn_method'] = am break try: atr = self.catch_exception_and_error( self.conv.entity.do_access_token_request, request_args=self.req_args, **self.op_args) except HttpError: return None if atr is None or isinstance(atr, ErrorResponse): return atr try: msg = atr['id_token'] except KeyError: pass else: display_jwx_headers(msg, self.conv) try: _jws_alg = atr["id_token"].jws_header['alg'] except (KeyError, AttributeError): pass else: if _jws_alg == "none": pass elif "kid" not in atr[ "id_token"].jws_header and _jws_alg != "HS256": keys = self.conv.entity.keyjar.keys_by_alg_and_usage( self.conv.info["issuer"], _jws_alg, "ver") if len(keys) > 1: raise ParameterError("No 'kid' in id_token header!") if not same_issuer(self.conv.info["issuer"], atr["id_token"]["iss"]): raise IssuerMismatch(" {} != {}".format(self.conv.info["issuer"], atr["id_token"]["iss"])) # assert isinstance(atr, AccessTokenResponse) return atr
def handle_response(self, r, csi): data = self.conv.events.last_item(EV_REQUEST) state = data['state'] if 300 < r.status_code < 400: resp = self.conv.entity.parse_response(self.response, info=r.headers['location'], sformat="urlencoded", state=state) elif r.status_code == 200: if "response_mode" in csi and csi["response_mode"] == "form_post": resp = self.response() forms = BeautifulSoup(r.content).findAll('form') for inp in forms[0].find_all("input"): resp[inp.attrs["name"]] = inp.attrs["value"] else: resp = self.conv.entity.parse_response( self.response, info=r.headers['location'], sformat="urlencoded", state=state) resp.verify(keyjar=self.conv.entity.keyjar) else: resp = r if not isinstance(resp, Response): # Not a HTTP response try: try: _id_token = resp["id_token"] except KeyError: pass else: if "kid" not in _id_token.jws_header and not \ _id_token.jws_header["alg"] == "HS256": for key, value in \ self.conv.entity.keyjar.issuer_keys.items(): if not key == "" and (len(value) > 1 or len( list(value[0].keys())) > 1): raise PyoidcError( "No 'kid' in id_token header!") if self.req_args['nonce'] != _id_token['nonce']: raise PyoidcError("invalid nonce! {} != {}".format( self.req_args['nonce'], _id_token['nonce'])) if not same_issuer(self.conv.info["issuer"], _id_token["iss"]): raise IssuerMismatch(" {} != {}".format( self.conv.info["issuer"], _id_token["iss"])) self.conv.entity.id_token = _id_token except KeyError: pass return resp
def handle_response(self, r, csi): data = self.conv.events.last_item(EV_REQUEST) state = data['state'] if 300 < r.status_code < 400: resp = self.conv.entity.parse_response( self.response, info=r.headers['location'], sformat="urlencoded", state=state) elif r.status_code == 200: if "response_mode" in csi and csi["response_mode"] == "form_post": resp = self.response() forms = BeautifulSoup(r.content).findAll('form') for inp in forms[0].find_all("input"): resp[inp.attrs["name"]] = inp.attrs["value"] else: resp = self.conv.entity.parse_response( self.response, info=r.headers['location'], sformat="urlencoded", state=state) resp.verify(keyjar=self.conv.entity.keyjar) else: resp = r if not isinstance(resp, Response): # Not a HTTP response try: try: _id_token = resp["id_token"] except KeyError: pass else: if "kid" not in _id_token.jws_header and not \ _id_token.jws_header["alg"] == "HS256": for key, value in \ self.conv.entity.keyjar.issuer_keys.items(): if not key == "" and (len(value) > 1 or len( list(value[0].keys())) > 1): raise PyoidcError( "No 'kid' in id_token header!") if self.req_args['nonce'] != _id_token['nonce']: raise PyoidcError( "invalid nonce! {} != {}".format( self.req_args['nonce'], _id_token['nonce'])) if not same_issuer(self.conv.info["issuer"], _id_token["iss"]): raise IssuerMismatch( " {} != {}".format(self.conv.info["issuer"], _id_token["iss"])) self.conv.entity.id_token = _id_token except KeyError: pass return resp
def _run(self): if self.skip: return self.conv.events.store(EV_REQUEST, "op_args: {}, req_args: {}".format( self.op_args, self.req_args), direction=OUTGOING) atr = self.conv.entity.do_access_token_request( request_args=self.req_args, **self.op_args) if "error" in atr: self.conv.events.store(EV_PROTOCOL_RESPONSE, atr, direction=INCOMING) return False try: _jws_alg = atr["id_token"].jws_header["alg"] except (KeyError, AttributeError): pass else: if _jws_alg == "none": pass elif "kid" not in atr[ "id_token"].jws_header and not _jws_alg == "HS256": keys = self.conv.entity.keyjar.keys_by_alg_and_usage( self.conv.info["issuer"], _jws_alg, "ver") if len(keys) > 1: raise PyoidcError("No 'kid' in id_token header!") if not same_issuer(self.conv.info["issuer"], atr["id_token"]["iss"]): raise IssuerMismatch(" {} != {}".format(self.conv.info["issuer"], atr["id_token"]["iss"])) #assert isinstance(atr, AccessTokenResponse) return atr
def _run(self): if self.skip: return self.conv.events.store( EV_REQUEST, "op_args: {}, req_args: {}".format(self.op_args, self.req_args), direction=OUTGOING) atr = self.conv.entity.do_access_token_request( request_args=self.req_args, **self.op_args) if "error" in atr: self.conv.events.store(EV_PROTOCOL_RESPONSE, atr, direction=INCOMING) return False try: _jws_alg = atr["id_token"].jws_header["alg"] except (KeyError, AttributeError): pass else: if _jws_alg == "none": pass elif "kid" not in atr[ "id_token"].jws_header and not _jws_alg == "HS256": keys = self.conv.entity.keyjar.keys_by_alg_and_usage( self.conv.info["issuer"], _jws_alg, "ver") if len(keys) > 1: raise PyoidcError("No 'kid' in id_token header!") if not same_issuer(self.conv.info["issuer"], atr["id_token"]["iss"]): raise IssuerMismatch(" {} != {}".format(self.conv.info["issuer"], atr["id_token"]["iss"])) # assert isinstance(atr, AccessTokenResponse) return atr