def create_endpoint(self):
# First the RP
_config = copy.deepcopy(RP_CONFIG)
_config['behaviour'] = {'federation_types_supported': ['explicit']}
entity = FederationRP(config=_config)
self.rp_federation_entity = entity.client_get(
"service_context").federation_entity
# The test data collector
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR,
httpd=HTTPC,
root_dir=os.path.join(BASE_PATH, 'base_data'))
# The RP has/supports 3 services
self.service = {
'discovery':
FedProviderInfoDiscovery(entity.client_get),
'registration':
Registration(entity.client_get),
'authorization':
FedAuthorization(entity.client_get,
conf={"request_object_expires_in": 300}),
}
# and now for the OP
_config = copy.copy(OP_CONF)
_config['add_on'] = {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
'client_registration_authn_methods_supported': {
"ar": ['request_object']
},
'where': ['authorization']
}
}
}
server = FederationServer(_config)
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.provider_endpoint = server.server_get("endpoint",
"provider_config")
federation_entity = server.server_get(
"endpoint_context").federation_entity
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
def rp_service_setup(self):
entity_id = 'https://foodle.uninett.no'
entity = Entity(config={
'issuer': 'https://op.ntnu.no',
'keys': {
'key_defs': KEY_DEFS
}
})
service_context = entity.get_service_context()
http_cli = Publisher(os.path.join(BASE_PATH, 'base_data'))
self.federation_entity = FederationEntity(
entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
httpd=http_cli,
entity_type='openid_relying_party',
opponent_entity_type='openid_provider',
config={'keys': {
'key_defs': KEY_DEFS
}})
# The test data collector
self.federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR,
httpd=http_cli,
root_dir=os.path.join(BASE_PATH, 'base_data'))
service_context.federation_entity = self.federation_entity
service_context.redirect_uris = ['https://foodle.uninett.no/cb']
# Note that the keys used for OIDC base protocol communication are separate from those used
# in the federation context
# service_context.keyjar = init_key_jar(key_defs=KEY_DEFS, issuer_id=entity_id)
service_context.client_preferences = {
"grant_types": ['authorization_code', 'implicit', 'refresh_token'],
"id_token_signed_response_alg": "ES256",
"token_endpoint_auth_method": "client_secret_basic",
"federation_type": ['automatic']
}
self.service = {
'discovery':
FedProviderInfoDiscovery(client_get=entity.client_get),
'registration': Registration(client_get=entity.client_get)
}
def create_endpoint(self):
# First the RP
_config = copy.deepcopy(RP_CONFIG)
_config['behaviour'] = {'federation_types_supported': ['explicit']}
entity = FederationRP(config=_config)
self.rp_federation_entity = entity.client_get(
"service_context").federation_entity
# The test data collector
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR,
httpd=HTTPC,
root_dir=os.path.join(BASE_PATH, 'base_data'))
entity._service = {
'discovery':
FedProviderInfoDiscovery(entity.client_get),
'registration':
Registration(entity.client_get),
'authorization':
FedAuthorization(entity.client_get,
conf={"request_object_expires_in": 300}),
}
self.rp = entity
# and now for the OP
_config = copy.copy(OP_CONF)
server = FederationServer(_config)
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.provider_endpoint = server.server_get("endpoint",
"provider_config")
federation_entity = server.server_get(
"endpoint_context").federation_entity
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
def create_endpoint(self):
# First the RP
entity = FederationRP(config=RP_CONFIG)
_fe = entity.client_get("service_context").federation_entity
# The test data collector
_fe.collector = DummyCollector(trusted_roots=ANCHOR,
httpd=HTTPC,
root_dir=os.path.join(
BASE_PATH, 'base_data'))
# The RP has/supports 3 services
self.service = {
'discovery': FedProviderInfoDiscovery(entity.client_get),
'registration': Registration(entity.client_get),
'authorization': FedAuthorization(entity.client_get),
}
# and now for the OP
server = FederationServer(OP_CONF, httpc=HTTPC)
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.provider_endpoint = server.server_get("endpoint",
"provider_config")
# === Federation stuff =======
federation_entity = server.server_get(
"endpoint_context").federation_entity
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
def create_endpoint(self):
# First the RP
service_context = ServiceContext(
config={
'behaviour': {
'federation_types_supported': ['explicit']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
# the federation part of the RP
self.rp_federation_entity = FederationEntity(
entity_id=ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=ENTITY_ID)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 3 services
self.service = {
'discovery': FedProviderInfoDiscovery(service_context),
'registration': Registration(service_context),
'authorization': FedAuthorization(service_context),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
'provider_info': {
'path': '.well-known/openid-federation',
'class': provider_config.ProviderConfiguration,
'kwargs': {
'client_authn_method': None
}
},
'registration': {
'path': 'fed_registration',
'class': registration.Registration,
'kwargs': {
'client_authn_method': None
}
},
'authorization': {
'path': 'authorization',
'class': authorization.Authorization,
'kwargs': {
"response_modes_supported":
['query', 'fragment', 'form_post'],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"client_authn_method": ['request_param']
}
}
},
"keys": {
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template'
}
endpoint_context = EndpointContext(conf)
self.registration_endpoint = endpoint_context.endpoint["registration"]
self.authorization_endpoint = endpoint_context.endpoint[
"authorization"]
self.provider_endpoint = endpoint_context.endpoint["provider_config"]
# === Federation stuff =======
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.registration_endpoint.endpoint_context.federation_entity = federation_entity
def create_setup(self):
# First the RP
service_context = ServiceContext(
config={
'behaviour': {
'federation_types_supported': ['automatic']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
self.rp_federation_entity = FederationEntity(
entity_id=RP_ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=RP_ENTITY_ID)
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 2 services
self.service = {
'discovery': FedProviderInfoDiscovery(service_context),
'registration': RPRegistration(service_context),
'authorization': FedAuthorization(service_context),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "code"
},
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "refresh"
},
],
},
"code": {
"lifetime": 600
},
"token": {
"class": "oidcendpoint.jwt_token.JWTToken",
"kwargs": {
"lifetime":
3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope":
True,
"aud": ["https://example.org/appl"]
},
},
"refresh": {
"lifetime": 86400
},
},
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"id_token": {
"class": IDToken,
"kwargs": {
"default_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": OPRegistration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
},
},
"pushed_authorization": {
"path": "pushed_authorization",
"class": PushedAuthorization,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcendpoint.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"cookie_dealer": {
"class": CookieDealer,
"kwargs": {
"sign_key":
"ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"default_values": {
"name": "oidcop",
"domain": "127.0.0.1",
"path": "/",
"max_age": 3600,
},
},
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
"where": ["pushed_authorization"]
}
}
}
}
endpoint_context = EndpointContext(conf)
_clients = yaml.safe_load(io.StringIO(client_yaml))
# endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.pushed_authorization_endpoint = endpoint_context.endpoint[
"pushed_authorization"]
self.authorization_endpoint = endpoint_context.endpoint[
"authorization"]
self.registration_endpoint = endpoint_context.endpoint["registration"]
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.authorization_endpoint.endpoint_context.federation_entity = federation_entity
class TestEndpoint(object):
@pytest.fixture(autouse=True)
def create_setup(self):
# First the RP
entity = Entity(
config={
'behaviour': {
'federation_types_supported': ['automatic']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
service_context = entity.get_service_context()
self.rp_federation_entity = FederationEntity(
entity_id=RP_ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=RP_ENTITY_ID)
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 3 services
self.discovery_service = FedProviderInfoDiscovery(entity.client_get)
self.registration_service = RPRegistration(entity.client_get)
# self.authorization_service = FedAuthorization(entity.client_get)
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "code"
},
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "refresh"
},
],
},
"code": {
"lifetime": 600
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime":
3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope":
True,
"aud": ["https://example.org/appl"]
},
},
"refresh": {
"lifetime": 86400
},
},
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"id_token": {
"class": IDToken,
"kwargs": {
"default_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": OPRegistration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
},
},
"pushed_authorization": {
"path": "pushed_authorization",
"class": PushedAuthorization,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {
"key_defs": COOKIE_KEYDEFS
},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman"
}
},
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
"where": ["pushed_authorization"]
}
}
}
}
server = Server(conf)
endpoint_context = server.get_endpoint_context()
_clients = yaml.safe_load(io.StringIO(client_yaml))
# endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.pushed_authorization_endpoint = server.server_get(
"endpoint", "pushed_authorization")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.registration_endpoint = server.server_get("endpoint",
"registration")
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
# federation_entity.keyjar.import_jwks(
# read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'),
# 'op.ntnu.no', 'jwks'),
# issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.authorization_endpoint.server_get(
"endpoint_context").federation_entity = federation_entity
def test_pushed_auth_urlencoded(self):
# since all endpoint used the same endpoint_context I can grab anyone
_context = self.registration_endpoint.server_get("endpoint_context")
# This is cheating. Getting the OP's provider info
_fe = self.registration_service.client_get(
"service_context").federation_entity
trust_chain = TrustChain()
trust_chain.metadata = _context.provider_info
trust_chain.anchor = "https://feide.no"
trust_chain.verified_chain = [{'iss': "https://ntnu.no"}]
self.discovery_service.update_service_context([trust_chain])
# and the OP's federation keys
self.rp_federation_entity.keyjar.import_jwks(
read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no',
'jwks'),
issuer_id=_context.provider_info['issuer'])
# Add RP's keys to the OP's keyjar.
_context.keyjar.import_jwks(
self.discovery_service.client_get(
"service_context").keyjar.export_jwks(issuer_id=""),
RP_ENTITY_ID)
authn_request = AuthorizationRequest(
response_type="code",
state="af0ifjsldkj",
client_id=RP_ENTITY_ID,
redirect_uri="{}/callback".format(RP_ENTITY_ID),
code_challenge="K2-ltc83acc4h0c9w6ESC_rEMTJ3bww-uCHaoeK1t8U",
code_challenge_method="S256",
scope=["ais", "openid"])
# Create the private_key_jwt assertion
_jwt = JWT(
self.registration_service.client_get("service_context").keyjar,
iss=RP_ENTITY_ID,
sign_alg="RS256")
_jwt.with_jti = True
_assertion = _jwt.pack({
"aud":
[_context.provider_info["pushed_authorization_request_endpoint"]]
})
authn_request.update({
"client_assertion": _assertion,
"client_assertion_type": JWT_BEARER
})
_req = self.pushed_authorization_endpoint.parse_request(authn_request)
assert isinstance(_req, AuthorizationRequest)
assert set(_req.keys()) == {
"state", "redirect_uri", "response_type", "scope",
"code_challenge_method", "client_id", "code_challenge",
"client_assertion", "client_assertion_type",
'__verified_client_assertion'
}
# Should have a registered client now
assert set(_context.cdb.keys()) == {RP_ENTITY_ID}
def test_pushed_auth_urlencoded_process(self):
# since all endpoint used the same endpoint_context I can grab anyone
_context = self.registration_endpoint.server_get("endpoint_context")
# This is cheating. Getting the OP's provider info
_fe = self.registration_service.client_get(
"service_context").federation_entity
trust_chain = TrustChain()
trust_chain.metadata = _context.provider_info
trust_chain.anchor = "https://feide.no"
trust_chain.verified_chain = [{'iss': "https://ntnu.no"}]
self.discovery_service.update_service_context([trust_chain])
# and the OP's federation keys
self.rp_federation_entity.keyjar.import_jwks(
read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no',
'jwks'),
issuer_id=_context.provider_info['issuer'])
# Add RP's keys to the OP's keyjar.
_context.keyjar.import_jwks(
self.discovery_service.client_get(
"service_context").keyjar.export_jwks(issuer_id=""),
RP_ENTITY_ID)
authn_request = AuthorizationRequest(
response_type="code",
state="af0ifjsldkj",
client_id=RP_ENTITY_ID,
redirect_uri="{}/callback".format(RP_ENTITY_ID),
code_challenge="K2-ltc83acc4h0c9w6ESC_rEMTJ3bww-uCHaoeK1t8U",
code_challenge_method="S256",
scope=["ais", "openid"])
# Create the private_key_jwt assertion
_jwt = JWT(
self.registration_service.client_get("service_context").keyjar,
iss=RP_ENTITY_ID,
sign_alg="RS256")
_jwt.with_jti = True
_assertion = _jwt.pack({
"aud":
[_context.provider_info["pushed_authorization_request_endpoint"]]
})
authn_request.update({
"client_assertion": _assertion,
"client_assertion_type": JWT_BEARER
})
_req = self.pushed_authorization_endpoint.parse_request(authn_request)
assert isinstance(_req, AuthorizationRequest)
assert set(_req.keys()) == {
"state", "redirect_uri", "response_type", "scope",
"code_challenge_method", "client_id", "code_challenge",
"client_assertion", "client_assertion_type",
"__verified_client_assertion"
}
_resp = self.pushed_authorization_endpoint.process_request(_req)
assert _resp["return_uri"] == authn_request["redirect_uri"]
# And now for the authorization request with the OP provided request_uri
authn_request["request_uri"] = _resp["http_response"]["request_uri"]
for parameter in [
"code_challenge", "code_challenge_method", "client_assertion",
"client_assertion_type"
]:
del authn_request[parameter]
_req = self.authorization_endpoint.parse_request(authn_request)
assert "code_challenge" in _req
def create_endpoint(self):
# First the RP
entity = Entity(
config={
'behaviour': {
'federation_types_supported': ['explicit']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
},
"httpc_param": {
'verify': False,
"timeout": 2
},
})
# the federation part of the RP
self.rp_federation_entity = FederationEntity(
entity_id=ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=ENTITY_ID)
# add the federation part to the service context
entity.client_get(
"service_context").federation_entity = self.rp_federation_entity
# The RP has/supports 3 services
self.service = {
'discovery':
FedProviderInfoDiscovery(entity.client_get),
'registration':
Registration(entity.client_get),
'authorization':
FedAuthorization(entity.client_get,
conf={"request_object_expires_in": 300}),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"httpc_param": {
'verify': False,
"timeout": 2
},
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {
"key_defs": COOKIE_KEYDEFS
},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman"
}
},
},
"endpoint": {
'provider_info': {
'path': '.well-known/openid-federation',
'class': provider_config.ProviderConfiguration,
'kwargs': {
'client_authn_method': None
}
},
'registration': {
'path': 'fed_registration',
'class': registration.Registration,
'kwargs': {
'client_authn_method': None
}
},
'authorization': {
'path': 'authorization',
'class': authorization.Authorization,
'kwargs': {
"response_modes_supported":
['query', 'fragment', 'form_post'],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"client_authn_method": ['request_param']
}
}
},
"keys": {
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template',
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
'client_registration_authn_methods_supported': {
"ar": ['request_object']
},
'where': ['authorization']
}
}
}
}
server = Server(conf)
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.provider_endpoint = server.server_get("endpoint",
"provider_config")
# === Federation stuff =======
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.registration_endpoint.server_get(
"endpoint_context").federation_entity = federation_entity
def create_setup(self):
# First the RP
config = {
'behaviour': {
'federation_types_supported': ['automatic']
},
'issuer': "https://op.ntnu.no",
'keys': {'key_defs': KEYSPEC},
"federation": {
"endpoint": {
"fetch": {
"path": "fetch",
"class": Fetch,
"kwargs": {"client_authn_method": None},
}
},
'entity_id': RP_ENTITY_ID,
"trusted_roots": ANCHOR,
"authority_hints": ['https://ntnu.no'],
"entity_type": 'openid_relying_party',
"opponent_entity_type": 'openid_provider'
}
}
self.entity = FederationRP(config=config)
service_context = self.entity.get_service_context()
service_context.federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
# The RP has/supports 2 services
self.discovery_service = FedProviderInfoDiscovery(self.entity.client_get)
self.registration_service = RPRegistration(self.entity.client_get)
# self.authorization_service = FedAuthorization(entity.client_get)
# and now for the OP
op_entity_id = "https://op.ntnu.no"
op_conf = {
"issuer": op_entity_id,
"password": "******",
"token_handler_args": {
"jwks_def": {
"private_path": "private/token_jwks.json",
"read_only": False,
"key_defs": [
{"type": "oct", "bytes": 24, "use": ["enc"], "kid": "code"},
{"type": "oct", "bytes": 24, "use": ["enc"], "kid": "refresh"},
],
},
"code": {"lifetime": 600},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope": True,
"aud": ["https://example.org/appl"]
},
},
"refresh": {"lifetime": 86400},
},
"claims_interface": {"class": "oidcop.session.claims.ClaimsInterface", "kwargs": {}},
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYSPEC},
"id_token": {
"class": IDToken,
"kwargs": {
"default_claims": {
"email": {"essential": True},
"email_verified": {"essential": True},
}
},
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": OPRegistration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [
" ".join(x) for x in RESPONSE_TYPES_SUPPORTED
],
"response_modes_supported": ["query", "fragment", "form_post"],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
},
"pushed_authorization": {
"path": "pushed_authorization",
"class": PushedAuthorization,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {"user": "******"},
}
},
"template_dir": "template",
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {"key_defs": COOKIE_KEYDEFS},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman"
}
},
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
"where": ["pushed_authorization"]
}
}
},
"federation": {
"endpoint": {
"fetch": {
"path": "fetch",
"class": Fetch,
"kwargs": {"client_authn_method": None},
}
},
"entity_id": op_entity_id,
"trusted_roots": ANCHOR,
"authority_hints": ['https://ntnu.no'],
"entity_type": 'openid_relying_party',
"opponent_entity_type": 'openid_relying_party'
}
}
server = FederationServer(conf=op_conf)
endpoint_context = server.get_endpoint_context()
# _clients = yaml.safe_load(io.StringIO(client_yaml))
# endpoint_context.cdb = _clients["oidc_clients"]
# store keys under my own ID
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), op_conf["issuer"]
)
self.pushed_authorization_endpoint = server.server_get("endpoint", "pushed_authorization")
self.authorization_endpoint = server.server_get("endpoint", "authorization")
self.registration_endpoint = server.server_get("endpoint", "registration")
endpoint_context.federation_entity.collector = DummyCollector(
httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)