def left_hash(msg, func="HS256"):
""" 128 bits == 16 bytes """
if func == 'HS256':
return as_unicode(b64e(sha256_digest(msg)[:16]))
elif func == 'HS384':
return as_unicode(b64e(sha384_digest(msg)[:24]))
elif func == 'HS512':
return as_unicode(b64e(sha512_digest(msg)[:32]))
def verify_self_signed_jwks(sjwt):
"""
Verify the signature of a signed JWT containing a JWKS.
The JWT is signed by one of the keys in the JWKS.
In the JWT the JWKS is stored using this format ::
'jwks': {
'keys': [ ]
}
:param sjwt: Signed Jason Web Token
:return: Dictionary containing 'jwks' (the JWKS) and 'iss' (the issuer of
the JWT)
"""
_jws = factory(sjwt)
_json = _jws.jwt.part[1]
_body = json.loads(as_unicode(_json))
iss = _body['iss']
_jwks = _body['jwks']
_kj = jwks_to_keyjar(_jwks, iss)
try:
_kid = _jws.jwt.headers['kid']
except KeyError:
_keys = _kj.get_signing_key(owner=iss)
else:
_keys = _kj.get_signing_key(owner=iss, kid=_kid)
_ver = _jws.verify_compact(sjwt, _keys)
return {'jwks': _ver['jwks'], 'iss': iss}
def thumbprint(self, hash_function, members=None):
"""
Create a thumbprint of the key following the outline in
https://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-01
:param hash_function: A hash function to use for hashing the
information
:param members: Which attributes of the Key instance that should
be included when computing the hash value.
:return: A base64 encode hash over a set of Key attributes
"""
if members is None:
members = self.required
members.sort()
ser = self.serialize()
_se = []
for elem in members:
try:
_val = ser[elem]
except KeyError: # should never happen with the required set
pass
else:
if isinstance(_val, bytes):
_val = as_unicode(_val)
_se.append('"{}":{}'.format(elem, json.dumps(_val)))
_json = '{{{}}}'.format(','.join(_se))
return b64e(DIGEST_HASH[hash_function](_json))
def post_parse_request(request, client_id, endpoint_context, **kwargs):
"""
Expect http_info attribute in kwargs. http_info should be a dictionary
containing HTTP information.
:param request:
:param client_id:
:param endpoint_context:
:param kwargs:
:return:
"""
_http_info = kwargs.get("http_info")
if not _http_info:
return request
_dpop = DPoPProof().verify_header(_http_info["headers"]["dpop"])
# The signature of the JWS is verified, now for checking the
# content
if _dpop["htu"] != _http_info["url"]:
raise ValueError("htu in DPoP does not match the HTTP URI")
if _dpop["htm"] != _http_info["method"]:
raise ValueError("htm in DPoP does not match the HTTP method")
if not _dpop.key:
_dpop.key = key_from_jwk_dict(_dpop["jwk"])
# Need something I can add as a reference when minting tokens
request["dpop_jkt"] = as_unicode(_dpop.key.thumbprint("SHA-256"))
return request
def encryption_key(self, alg, **kwargs):
"""
Return an encryption key as per
http://openid.net/specs/openid-connect-core-1_0.html#Encryption
:param alg: encryption algorithm
:param kwargs:
:return: encryption key as byte string
"""
if not self.key:
self.deserialize()
tsize = ALG2KEYLEN[alg]
# _keylen = len(self.key)
if tsize <= 32:
# SHA256
_enc_key = sha256_digest(self.key)[:tsize]
elif tsize <= 48:
# SHA384
_enc_key = sha384_digest(self.key)[:tsize]
elif tsize <= 64:
# SHA512
_enc_key = sha512_digest(self.key)[:tsize]
else:
raise JWKException("No support for symmetric keys > 512 bits")
logger.debug('Symmetric encryption key: {}'.format(
as_unicode(b64e(_enc_key))))
return _enc_key
def get_sub(token):
_jwt = factory(token)
if _jwt:
return json.loads(as_unicode(_jwt.jwt.part[1]))['sub']
else:
return ''
def get_jwt_keys(jwt, keys, use):
try:
if use == 'sig':
_key_type = jws.alg2keytype(jwt.headers['alg'])
else:
_key_type = jwe.alg2keytype(jwt.headers['alg'])
except KeyError:
_key_type = ''
try:
_kid = jwt.headers['kid']
except KeyError:
_kid = '' # Unknown
# pick issuer keys
if use == 'sig':
payload = json.loads(as_unicode(jwt.part[1]))
try:
_keys = keys[payload['iss']]
except KeyError: # No issuer, not kosher
raise MissingValue('iss')
if not _kid:
try:
_kid = payload['kid']
except KeyError:
_kid = '' # Unknown
else:
_keys = keys
return pick_key(_keys, use, key_type=_key_type, kid=_kid)
def dump_attr(self,
cls,
item,
exclude_attributes: Optional[List[str]] = None) -> dict:
if cls in [None, 0, "", [], {}, bool, b'']:
if cls == b'':
val = as_unicode(item)
else:
val = item
elif cls == "DICT_TYPE":
if isinstance(item, dict):
val = item
else:
if isinstance(item,
DictType): # item should be a class instance
val = {
"DICT_TYPE": {
"class": fully_qualified_name(item),
"kwargs": item.kwargs
}
}
else:
raise ValueError("Expected a DictType class")
elif isinstance(item, Message):
val = {qualified_name(item.__class__): item.to_dict()}
elif cls == object:
val = qualified_name(item)
elif isinstance(cls, list):
val = [self.dump_attr(cls[0], v, exclude_attributes) for v in item]
else:
val = item.dump(exclude_attributes=exclude_attributes)
return val
def test_client_secret_basic():
_token = '{}:{}'.format(client_id, client_secret)
token = as_unicode(base64.b64encode(as_bytes(_token)))
authz_token = 'Basic {}'.format(token)
authn_info = ClientSecretBasic(endpoint_context).verify({}, authz_token)
assert authn_info['client_id'] == client_id
def val_hash(self, alg):
halg = "HS%s" % alg[-3:]
for attr, hash_attr in self.hashable.items():
try:
self[hash_attr] = left_hash(as_unicode(self[attr]), halg)
except KeyError:
pass
else:
del self[attr]
def test_parse_with_wrong_client_authn(self):
_context = self.introspection_endpoint.endpoint_context
_token = self._create_at("diana")
_basic_token = "{}:{}".format(
"client_1", _context.cdb["client_1"]["client_secret"])
_basic_token = as_unicode(base64.b64encode(as_bytes(_basic_token)))
_basic_authz = "Basic {}".format(_basic_token)
with pytest.raises(UnAuthorizedClient):
self.introspection_endpoint.parse_request({"token": _token},
_basic_authz)
def test_parse_with_wrong_client_authn(self):
_context = self.introspection_endpoint.endpoint_context
_ = setup_session(_context, AUTH_REQ, uid="diana")
_token = self._create_jwt("diana")
_basic_token = "{}:{}".format(
"client_1", _context.cdb["client_1"]["client_secret"])
_basic_token = as_unicode(base64.b64encode(as_bytes(_basic_token)))
_basic_authz = "Basic {}".format(_basic_token)
with pytest.raises(WrongAuthnMethod):
self.introspection_endpoint.parse_request({"token": _token},
_basic_authz)
def parse_cookie(name, seed, kaka, enc_key=None):
"""Parses and verifies a cookie value
Parses a cookie created by `make_cookie` and verifies
it has not been tampered with.
You need to provide the same `seed` and `enc_key`
used when creating the cookie, otherwise the verification
fails. See `make_cookie` for details about the verification.
:param seed: A seed key used for the HMAC signature
:type seed: bytes
:param kaka: The cookie
:param enc_key: The encryption key used.
:type enc_key: bytes or None
:raises InvalidCookieSign: When verification fails.
:return: A tuple consisting of (payload, timestamp) or None if parsing fails
"""
if not kaka:
return None
seed = as_unicode(seed)
parts = cookie_parts(name, kaka)
if parts is None:
return None
elif len(parts) == 3:
# verify the cookie signature
cleartext, timestamp, sig = parts
if not verify_cookie_signature(sig, seed, cleartext, timestamp):
raise InvalidCookieSign()
return cleartext, timestamp
elif len(parts) == 4:
# encrypted and signed
timestamp = parts[0]
iv = base64.b64decode(parts[1])
ciphertext = base64.b64decode(parts[2])
tag = base64.b64decode(parts[3])
ct = ciphertext + tag
# Make sure the key is 32-Bytes long
key = _make_hashed_key((enc_key, seed))
aesgcm = AESGCM(key)
# timestamp does not need to be encrypted, just MAC'ed,
# so we add it to 'Associated Data' only.
aad = timestamp.encode('utf-8')
try:
cleartext = aesgcm.decrypt(iv, ct, aad)
except JWEException:
raise InvalidCookieSign()
return cleartext.decode('utf-8'), timestamp
return None
def verify_cookie_signature(sig, key, *parts):
"""Constant time verifier for signatures
:param sig: The signature hexdigest to check
:type sig: str
:param key: The HMAC key to use.
:type key: bytes
:param parts: List of parts to include in the MAC
:type parts: list of bytes or strings
:raises: `InvalidCookieSign` when the signature is wrong
"""
return safe_str_cmp(as_unicode(sig), cookie_signature(key, *parts))
def test_encryption_key():
sk = SYMKey(key='df34db91c16613deba460752522d28f6ebc8a73d0d9185836270c26b')
_enc = sk.encryption_key(alg='A128KW')
_v = as_unicode(b64e(_enc))
assert _v == 'xCo9VhtommCTGMWi-RyWBw'
sk = SYMKey(key='df34db91c16613deba460752522d28f6ebc8a73d0d9185836270c26b')
_enc = sk.encryption_key(alg='A192KW')
_v = as_unicode(b64e(_enc))
assert _v == 'xCo9VhtommCTGMWi-RyWB14GQqHAGC86'
sk = SYMKey(key='df34db91c16613deba460752522d28f6ebc8a73d0d9185836270c26b')
_enc = sk.encryption_key(alg='A256KW')
_v = as_unicode(b64e(_enc))
assert _v == 'xCo9VhtommCTGMWi-RyWB14GQqHAGC86vweU_Pi62X8'
ek = sha256_digest(
'YzE0MjgzNmRlODI5Yzg2MGYyZTRjNGE0NTZlMzBkZDRiNzJkNDA5MzUzNjM0ODkzM2E2MDk3ZWY'
)[:16]
assert as_unicode(b64e(ek)) == 'yf_UUkAFZ8Pn_prxPPgu9w'
sk = SYMKey(
key=
'YzE0MjgzNmRlODI5Yzg2MGYyZTRjNGE0NTZlMzBkZDRiNzJkNDA5MzUzNjM0ODkzM2E2MDk3ZWY'
)
_enc = sk.encryption_key(alg='A128KW')
_v = as_unicode(b64e(_enc))
assert _v == as_unicode(b64e(ek))
def __init__(self,
kty="",
alg="",
use="",
kid="",
key=None,
x5c=None,
x5t="",
x5u="",
**kwargs):
self.key = key
self.extra_args = kwargs
# want kty, alg, use and kid to be strings
if isinstance(kty, str):
self.kty = kty
else:
self.kty = as_unicode(kty)
if isinstance(alg, str):
self.alg = alg
else:
self.alg = as_unicode(alg)
if isinstance(use, str):
self.use = use
else:
self.use = as_unicode(use)
if isinstance(kid, str):
self.kid = kid
else:
self.kid = as_unicode(kid)
self.x5c = x5c or []
self.x5t = x5t
self.x5u = x5u
self.inactive_since = 0
def test_pack_metadata_statement_other_alg():
_keyjar = build_keyjar(KEYDEFS)[1]
op = Operator(keyjar=_keyjar, iss='https://example.com/')
req = MetadataStatement(issuer='https://example.org/op')
sms = op.pack_metadata_statement(req, alg='ES256')
assert sms # Should be a signed JWT
_jwt = factory(sms)
_body = json.loads(as_unicode(_jwt.jwt.part[1]))
assert _body['iss'] == 'https://example.com/'
# verify signature
_kj = public_keys_keyjar(_keyjar, '', None, op.iss)
r = _jwt.verify_compact(sms, _kj.get_signing_key(owner=op.iss))
assert r
def cookie_parts(name, kaka):
"""
Give me the parts of the cookie payload
:param name: A name of a cookie object
:param kaka: The cookie
:return: A list of parts or None if there is no cookie object with the
given name
"""
cookie_obj = SimpleCookie(as_unicode(kaka))
morsel = cookie_obj.get(name)
if morsel:
return morsel.value.split("|")
else:
return None
def test_parse_with_wrong_client_authn(self):
access_token = self._get_access_token(AUTH_REQ)
_basic_token = "{}:{}".format(
"client_1",
self.introspection_endpoint.server_get(
"endpoint_context").cdb["client_1"]["client_secret"],
)
_basic_token = as_unicode(base64.b64encode(as_bytes(_basic_token)))
_basic_authz = "Basic {}".format(_basic_token)
http_info = {"headers": {"authorization": _basic_authz}}
with pytest.raises(UnAuthorizedClient):
self.introspection_endpoint.parse_request(
{"token": access_token.value}, http_info=http_info)
def backchannel_logout(client, request='', request_args=None):
"""
:param request: URL encoded logout request
:return:
"""
if request:
req = BackChannelLogoutRequest().from_urlencoded(as_unicode(request))
elif request_args:
req = BackChannelLogoutRequest(**request_args)
else:
raise MissingRequiredAttribute('logout_token')
_context = client.client_get("service_context")
kwargs = {
'aud':
client.get_client_id(),
'iss':
_context.get('issuer'),
'keyjar':
_context.keyjar,
'allowed_sign_alg':
_context.get('registration_response').get(
"id_token_signed_response_alg", "RS256")
}
logger.debug(f"(backchannel_logout) Verifying request using: {kwargs}")
try:
req.verify(**kwargs)
except (MessageException, ValueError, NotForMe) as err:
raise MessageException('Bogus logout request: {}'.format(err))
else:
logger.debug("Request verified OK")
# Find the subject through 'sid' or 'sub'
sub = req[verified_claim_name('logout_token')].get('sub')
sid = None
if not sub:
sid = req[verified_claim_name('logout_token')].get('sid')
if not sub and not sid:
raise MessageException('Neither "sid" nor "sub"')
elif sub:
_state = _context.state.get_state_by_sub(sub)
elif sid:
_state = _context.state.get_state_by_sid(sid)
return _state
def parse_response(self, response):
if 200 <= response.status_code < 300:
_jw = factory(response.text)
# First Just checking the issuer ID *not* verifying the Signature
body = json.loads(as_unicode(_jw.jwt.part[1]))
assert body['iss'] == self.iss
# Now verifying the signature
try:
_jw.verify_compact(response.text,
self.keyjar.get_verify_key(owner=self.iss))
except AssertionError:
raise JWSException('JWS signature verification error')
location = response.headers['Location']
return {'sms': response.text, 'loc': location}
else:
raise SigningServiceError("{}: {}".format(response.status_code,
response.text))
def check_session_iframe():
if request.method == 'GET':
req_args = request.args.to_dict()
else:
if request.data:
req_args = json.loads(as_unicode(request.data))
else:
req_args = dict([(k, v) for k, v in request.form.items()])
if req_args:
# will contain client_id and origin
if req_args['origin'] != current_app.endpoint_context.issuer:
return 'error'
if req_args['client_id'] != current_app.endpoint_context.cdb:
return 'error'
return 'OK'
current_app.srv_config.logger.debug(
'check_session_iframe: {}'.format(req_args))
doc = open('templates/check_session_iframe.html').read()
return doc
def test_pack_metadata_statement():
jb = FSJWKSBundle('', None, 'fo_jwks',
key_conv={'to': quote_plus, 'from': unquote_plus})
_keyjar = build_keyjar(KEYDEFS)[1]
self_signer = InternalSigningService('https://example.com/op',
keyjar=_keyjar)
op = Operator(self_signer=self_signer, jwks_bundle=jb,
iss='https://example.com/op')
req = MetadataStatement(issuer='https://example.org/op')
sms = op.pack_metadata_statement(req)
assert sms # Should be a signed JWT
_jwt = factory(sms)
assert _jwt
assert _jwt.jwt.headers['alg'] == 'RS256'
_body = json.loads(as_unicode(_jwt.jwt.part[1]))
assert _body['iss'] == op.iss
assert _body['issuer'] == 'https://example.org/op'
# verify signature
_kj = public_keys_keyjar(_keyjar, '', None, op.iss)
r = _jwt.verify_compact(sms, _kj.get_signing_key(owner=op.iss))
assert r
def verify_request_signed_by_signing_keys(smsreq):
"""
Verify that a JWT is signed with a key that is inside the JWT.
:param smsreq: Signed Metadata Statement signing request
:return: Dictionary containing 'ms' (the signed request) and 'iss' (the
issuer of the JWT).
"""
_jws = factory(smsreq)
_json = _jws.jwt.part[1]
_body = json.loads(as_unicode(_json))
iss = _body['iss']
_jwks = _body['signing_keys']
_kj = jwks_to_keyjar(_jwks, iss)
try:
_kid = _jws.jwt.headers['kid']
except KeyError:
_keys = _kj.get_signing_key(owner=iss)
else:
_keys = _kj.get_signing_key(owner=iss, kid=_kid)
_ver = _jws.verify_compact(smsreq, _keys)
# remove the JWT specific claims
for k in JsonWebToken.c_param.keys():
try:
del _ver[k]
except KeyError:
pass
try:
del _ver['kid']
except KeyError:
pass
return {'ms': MetadataStatement(**_ver), 'iss': iss}
def process_request(self, request=None, cookie=None, **kwargs):
"""
Perform user logout
:param request:
:param cookie:
:param kwargs:
:return:
"""
_cntx = self.endpoint_context
_sdb = _cntx.sdb
if "post_logout_redirect_uri" in request:
if "id_token_hint" not in request:
raise InvalidRequest(
"If post_logout_redirect_uri then id_token_hint is a MUST")
_cookie_name = self.endpoint_context.cookie_name["session"]
try:
part = self.endpoint_context.cookie_dealer.get_cookie_value(
cookie, cookie_name=_cookie_name)
except IndexError:
raise InvalidRequest("Cookie error")
except KeyError:
part = None
if part:
# value is a base64 encoded JSON document
_cookie_info = json.loads(as_unicode(b64d(as_bytes(part[0]))))
logger.debug("Cookie info: {}".format(_cookie_info))
_sid = _cookie_info["sid"]
else:
logger.debug("No relevant cookie")
_sid = ""
_cookie_info = {}
if "id_token_hint" in request:
logger.debug("ID token hint: {}".format(
request[verified_claim_name("id_token_hint")]))
auds = request[verified_claim_name("id_token_hint")]["aud"]
_ith_sid = ""
_sids = _sdb.sso_db.get_sids_by_sub(
request[verified_claim_name("id_token_hint")]["sub"])
if _sids is None:
raise ValueError("Unknown subject identifier")
for _isid in _sids:
if _sdb[_isid]["authn_req"]["client_id"] in auds:
_ith_sid = _isid
break
if not _ith_sid:
raise ValueError("Unknown subject")
if _sid:
if _ith_sid != _sid: # someone's messing with me
raise ValueError("Wrong ID Token hint")
else:
_sid = _ith_sid
else:
auds = []
try:
session = _sdb[_sid]
except KeyError:
raise ValueError("Can't find any corresponding session")
client_id = session["authn_req"]["client_id"]
# Does this match what's in the cookie ?
if _cookie_info:
if client_id != _cookie_info["client_id"]:
logger.warning(
"Client ID in authz request and in cookie does not match")
raise ValueError("Wrong Client")
if auds:
if client_id not in auds:
raise ValueError("Incorrect ID Token hint")
_cinfo = _cntx.cdb[client_id]
# verify that the post_logout_redirect_uri if present are among the ones
# registered
try:
_uri = request["post_logout_redirect_uri"]
except KeyError:
if _cntx.issuer.endswith("/"):
_uri = "{}{}".format(_cntx.issuer,
self.kwargs["post_logout_uri_path"])
else:
_uri = "{}/{}".format(_cntx.issuer,
self.kwargs["post_logout_uri_path"])
plur = False
else:
plur = True
verify_uri(_cntx,
request,
"post_logout_redirect_uri",
client_id=client_id)
payload = {
"sid": _sid,
"client_id": client_id,
"user": session["authn_event"]["uid"],
}
# redirect user to OP logout verification page
if plur and "state" in request:
_uri = "{}?{}".format(_uri, urlencode({"state": request["state"]}))
payload["state"] = request["state"]
payload["redirect_uri"] = _uri
logger.debug("JWS payload: {}".format(payload))
# From me to me
_jws = JWT(
_cntx.keyjar,
iss=_cntx.issuer,
lifetime=86400,
sign_alg=self.kwargs["signing_alg"],
)
sjwt = _jws.pack(payload=payload, recv=_cntx.issuer)
location = "{}?{}".format(self.kwargs["logout_verify_url"],
urlencode({"sjwt": sjwt}))
return {"redirect_location": location}
def ec_construct_public(num):
ecpn = ec.EllipticCurvePublicNumbers(num['x'], num['y'],
NIST2SEC[as_unicode(num['crv'])]())
return ecpn.public_key(default_backend())
def ec_construct_private(num):
pub_ecpn = ec.EllipticCurvePublicNumbers(
num['x'], num['y'], NIST2SEC[as_unicode(num['crv'])]())
priv_ecpn = ec.EllipticCurvePrivateNumbers(num['d'], pub_ecpn)
return priv_ecpn.private_key(default_backend())
def setup_auth(
self,
request: Optional[Union[Message, dict]],
redirect_uri: str,
cinfo: dict,
cookie: List[dict] = None,
acr: str = None,
**kwargs,
):
"""
:param request: The authorization/authentication request
:param redirect_uri:
:param cinfo: client info
:param cookie: List of cookies
:param acr: Default ACR, if nothing else is specified
:param kwargs:
:return:
"""
res = self.pick_authn_method(request, redirect_uri, acr, **kwargs)
authn = res["method"]
authn_class_ref = res["acr"]
client_id = request.get("client_id")
_context = self.server_get("endpoint_context")
try:
_auth_info = kwargs.get("authn", "")
if "upm_answer" in request and request["upm_answer"] == "true":
_max_age = 0
else:
_max_age = max_age(request)
identity, _ts = authn.authenticated_as(client_id,
cookie,
authorization=_auth_info,
max_age=_max_age)
except (NoSuchAuthentication, TamperAllert):
identity = None
_ts = 0
except ToOld:
logger.info("Too old authentication")
identity = None
_ts = 0
except UnknownToken:
logger.info("Unknown Token")
identity = None
_ts = 0
else:
if identity:
try: # If identity['uid'] is in fact a base64 encoded JSON string
_id = b64d(as_bytes(identity["uid"]))
except BadSyntax:
pass
else:
identity = json.loads(as_unicode(_id))
try:
_csi = _context.session_manager[identity.get("sid")]
except Revoked:
identity = None
else:
if _csi.is_active() is False:
identity = None
authn_args = authn_args_gather(request, authn_class_ref, cinfo,
**kwargs)
_mngr = _context.session_manager
_session_id = ""
# To authenticate or Not
if not identity: # No!
logger.info("No active authentication")
logger.debug("Known clients: {}".format(list(_context.cdb.keys())))
if "prompt" in request and "none" in request["prompt"]:
# Need to authenticate but not allowed
return {
"error": "login_required",
"return_uri": redirect_uri,
"return_type": request["response_type"],
}
else:
return {"function": authn, "args": authn_args}
else:
logger.info("Active authentication")
if re_authenticate(request, authn):
# demand re-authentication
return {"function": authn, "args": authn_args}
else:
# I got back a dictionary
user = identity["uid"]
if "req_user" in kwargs:
if user != kwargs["req_user"]:
logger.debug("Wanted to be someone else!")
if "prompt" in request and "none" in request["prompt"]:
# Need to authenticate but not allowed
return {
"error": "login_required",
"return_uri": redirect_uri,
}
else:
return {"function": authn, "args": authn_args}
if "sid" in identity:
_session_id = identity["sid"]
# make sure the client is the same
_uid, _cid, _gid = _mngr.decrypt_session_id(_session_id)
if request["client_id"] != _cid:
return {"function": authn, "args": authn_args}
grant = _mngr[_session_id]
if grant.is_active() is False:
return {"function": authn, "args": authn_args}
elif request != grant.authorization_request:
authn_event = _mngr.get_authentication_event(
session_id=_session_id)
if authn_event.is_valid(
) is False: # if not valid, do new login
return {"function": authn, "args": authn_args}
# create new grant
_session_id = _mngr.create_grant(
authn_event=authn_event,
auth_req=request,
user_id=user,
client_id=request["client_id"],
)
if _session_id:
authn_event = _mngr.get_authentication_event(
session_id=_session_id)
if authn_event.is_valid() is False: # if not valid, do new login
return {"function": authn, "args": authn_args}
else:
_session_id = self.create_session(request, identity["uid"],
authn_class_ref, _ts, authn)
return {"session_id": _session_id, "identity": identity, "user": user}
def authz_part2(self, request, session_id, **kwargs):
"""
After the authentication this is where you should end up
:param request: The Authorization Request
:param session_id: Session identifier
:param kwargs: possible other parameters
:return: A redirect to the redirect_uri of the client
"""
try:
resp_info = self.post_authentication(request, session_id, **kwargs)
except Exception as err:
return self.error_response({}, "server_error", err)
_context = self.server_get("endpoint_context")
if "check_session_iframe" in _context.provider_info:
salt = rndstr()
try:
authn_event = _context.session_manager.get_authentication_event(
session_id)
except KeyError:
return self.error_response({}, "server_error",
"No such session")
else:
if authn_event.is_valid() is False:
return self.error_response({}, "server_error",
"Authentication has timed out")
_state = b64e(
as_bytes(json.dumps({"authn_time":
authn_event["authn_time"]})))
_session_cookie_content = _context.new_cookie(
name=_context.cookie_handler.name["session_management"],
state=as_unicode(_state),
)
opbs_value = _session_cookie_content["value"]
logger.debug(
"compute_session_state: client_id=%s, origin=%s, opbs=%s, salt=%s",
request["client_id"],
resp_info["return_uri"],
opbs_value,
salt,
)
_session_state = compute_session_state(opbs_value, salt,
request["client_id"],
resp_info["return_uri"])
if _session_cookie_content:
if "cookie" in resp_info:
resp_info["cookie"].append(_session_cookie_content)
else:
resp_info["cookie"] = [_session_cookie_content]
resp_info["response_args"]["session_state"] = _session_state
# Mix-Up mitigation
resp_info["response_args"]["iss"] = _context.issuer
resp_info["response_args"]["client_id"] = request["client_id"]
return resp_info
def get_payload(self, self_signed_statement):
_jws = as_unicode(self_signed_statement)
_jwt = factory(_jws)
return _jwt.jwt.payload()
