def test_missing_token_endpoint(): conf = { "issuer": "https://example.com/", "capabilities": CAPABILITIES, "keys": { "uri_path": "static/jwks.json", "key_defs": KEYDEFS }, "endpoint": { "authorization": { "path": "authorization", "class": "oidcop.oauth2.authorization.Authorization", "kwargs": {}, }, "introspection": { "path": "introspection", "class": "oidcop.oauth2.introspection.Introspection", "kwargs": {}, }, }, } configuration = OPConfiguration(conf, base_path=BASEDIR, domain="127.0.0.1", port=443) server = Server(configuration) add_pkce_support(server.server_get("endpoints")) assert "pkce" not in server.server_get("endpoint_context").args
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "endpoint": { "webfinger": { "path": ".well-known/webfinger", "class": Discovery, "kwargs": { "client_authn_method": None }, } }, "keys": { "uri_path": "static/jwks.json", "key_defs": KEYDEFS }, "authentication": { "anon": { "acr": INTERNETPROTOCOLPASSWORD, "class": "oidcop.user_authn.user.NoAuthn", "kwargs": { "user": "******" }, } }, "template_dir": "template", } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) self.endpoint = server.server_get("endpoint", "discovery")
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "verify_ssl": False, "capabilities": CAPABILITIES, "keys": { "uri_path": "static/jwks.json", "key_defs": KEYDEFS }, "endpoint": { "provider_config": { "path": ".well-known/openid-configuration", "class": ProviderConfiguration, "kwargs": {}, }, "token": { "path": "token", "class": Token, "kwargs": {} }, }, "template_dir": "template", } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) self.endpoint_context = server.endpoint_context self.endpoint = server.server_get("endpoint", "provider_config")
def create_endpoint_context(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "endpoint": { "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": { "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED], "response_modes_supported": ["query", "fragment", "form_post"], "claims_parameter_supported": True, "request_parameter_supported": True, "request_uri_parameter_supported": True, }, } }, "keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS}, "authentication": { "anon": {"acr": UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "******"},}, }, "cookie_handler": { "class": "oidcop.cookie_handler.CookieHandler", "kwargs": { "sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch", "name": { "session": "oidc_op", "register": "oidc_op_reg", "session_management": "oidc_op_sman", }, }, }, "template_dir": "template", } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) endpoint_context = server.endpoint_context _clients = yaml.safe_load(io.StringIO(client_yaml)) endpoint_context.cdb = _clients["oidc_clients"] endpoint_context.keyjar.import_jwks( endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"] ) self.endpoint = server.server_get("endpoint", "authorization") self.rp_keyjar = KeyJar() self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890") endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
def create_endpoint(self, conf): server = Server(ASConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) endpoint_context = server.endpoint_context endpoint_context.cdb["client_1"] = { "client_secret": "hemligt", "redirect_uris": [("https://example.com/cb", None)], "client_salt": "salted", "endpoint_auth_method": "client_secret_post", "response_types": ["code", "token", "code id_token", "id_token"], } endpoint_context.keyjar.import_jwks(CLIENT_KEYJAR.export_jwks(), "client_1") self.session_manager = endpoint_context.session_manager self.token_endpoint = server.server_get("endpoint", "token") self.user_id = "diana" self.endpoint_context = endpoint_context
def __init__(self, conf: Union[dict, OPConfiguration, ASConfiguration], keyjar: Optional[KeyJar] = None, cwd: Optional[str] = "", cookie_handler: Optional[Any] = None, httpc: Optional[Any] = None): Server.__init__(self, conf=conf, keyjar=keyjar, cwd=cwd, cookie_handler=cookie_handler, httpc=httpc) fed_conf = conf.get("federation") if fed_conf: self.endpoint_context.federation_entity = FederationEntity( config=fed_conf, httpc=httpc, cwd=cwd)
def test_capabilities_subset2(): _cnf = copy(conf) _cnf["capabilities"] = {"response_types_supported": ["code", "id_token"]} server = Server(_cnf) assert set(server.endpoint_context.provider_info["response_types_supported"]) == { "code", "id_token", }
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "capabilities": CAPABILITIES, "keys": {"key_defs": KEYDEFS, "uri_path": "static/jwks.json"}, "cookie_handler": { "class": CookieHandler, "kwargs": {"keys": {"key_defs": COOKIE_KEY_DEFS}}, }, "endpoint": { "registration": { "path": "registration", "class": Registration, "kwargs": {"client_auth_method": None}, }, "registration_api": { "path": "registration_api", "class": RegistrationRead, "kwargs": {"client_authn_method": ["bearer_header"]}, }, "authorization": {"path": "authorization", "class": Authorization, "kwargs": {},}, "token": { "path": "token", "class": Token, "kwargs": { "client_authn_method": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt", ] }, }, "userinfo": {"path": "userinfo", "class": UserInfo, "kwargs": {}}, }, "template_dir": "template", } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) self.registration_endpoint = server.server_get("endpoint", "registration") self.registration_api_endpoint = server.server_get("endpoint", "registration_read")
def create_server(config): server = Server(ASConfiguration(conf=config, base_path=BASEDIR), cwd=BASEDIR) endpoint_context = server.endpoint_context _clients = yaml.safe_load(io.StringIO(client_yaml)) endpoint_context.cdb = _clients["oidc_clients"] endpoint_context.keyjar.import_jwks( endpoint_context.keyjar.export_jwks(True, ""), config["issuer"]) return server
def test_server_login_hint_lookup(): _str = open(full_path("op_config.json")).read() _conf = json.loads(_str) configuration = OPConfiguration(conf=_conf, base_path=BASEDIR, domain="127.0.0.1", port=443) server = Server(configuration) assert server.endpoint_context.login_hint_lookup( "tel:0907865000") == "diana"
def setup_token_handler(self): password = "******" conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "keys": { "key_defs": KEYDEFS, "uri_path": "static/jwks.json" }, "jwks_uri": "https://example.com/jwks.json", "token_handler_args": { "code": { "kwargs": { "lifetime": 600, "password": password } }, "token": { "kwargs": { "lifetime": 900, "password": password } }, "refresh": { "kwargs": { "lifetime": 86400, "password": password } }, }, "endpoint": { "authorization_endpoint": { "path": "{}/authorization", "class": Authorization, "kwargs": {}, }, "token_endpoint": { "path": "{}/token", "class": Token, "kwargs": {} }, }, "template_dir": "template", } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) self.endpoint_context = server.endpoint_context self.session_manager = self.endpoint_context.session_manager
def init_oidc_op_endpoints(app): op_config = app.srv_config op_config['issuer'] server = Server(op_config, cwd=folder) for endp in server.endpoint.values(): p = urlparse(endp.endpoint_path) _vpath = p.path.split('/') endp.vpath = _vpath return server
def init_oidc_op(app): _op_config = app.srv_config server = Server(_op_config, cwd=folder) for endp in server.endpoint.values(): p = urlparse(endp.endpoint_path) _vpath = p.path.split('/') if _vpath[0] == '': endp.vpath = _vpath[1:] else: endp.vpath = _vpath return server
def create_session_manager(self): server = Server(conf) self.endpoint_context = server.endpoint_context self.endpoint_context.cdb["client_1"] = { "client_secret": "hemligtochintekort", "redirect_uris": [("https://example.com/cb", None)], "client_salt": "salted", "token_endpoint_auth_method": "client_secret_post", "response_types": ["code", "token", "code id_token", "id_token"], } self.endpoint_context.keyjar.add_symmetric("client_1", "hemligtochintekort", ["sig", "enc"]) self.session_manager = self.endpoint_context.session_manager self.user_id = USER_ID
def test_capabilities_default(): _str = open(full_path("op_config.json")).read() _conf = json.loads(_str) configuration = OPConfiguration(conf=_conf, base_path=BASEDIR, domain="127.0.0.1", port=443) server = Server(configuration) assert set(server.endpoint_context.provider_info["response_types_supported"]) == { "code", "token", "id_token", "code token", "code id_token", "id_token token", "code id_token token", } assert server.endpoint_context.provider_info["request_uri_parameter_supported"] is True
def create_endpoint(self): conf = { "issuer": ENTITY_ID, "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "claims_interface": {"class": "oidcop.session.claims.ClaimsInterface", "kwargs": {}}, 'keys': { 'key_defs': KEYSPEC, "private_path": "own/jwks.json", "uri_path": "static/jwks.json" }, "endpoint": {}, "authentication": { "anon": { 'acr': UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "******"} } }, 'template_dir': 'template' } server = Server(conf) endpoint_context = server.endpoint_context self.endpoint = ProviderConfiguration(server.server_get) # === Federation stuff ======= fe_conf = { 'keys': {'key_defs': KEYSPEC} } federation_entity = FederationEntity( ENTITY_ID, trusted_roots=ANCHOR, authority_hints={'https://ntnu.no': ['https://feide.no']}, httpd=Publisher(ROOT_DIR), config=fe_conf, entity_type='openid_relying_party', opponent_entity_type='openid_provider') federation_entity.collector = DummyCollector( httpd=Publisher(os.path.join(BASE_PATH, 'data')), trusted_roots=ANCHOR, root_dir=ROOT_DIR) self.fedent = federation_entity self.endpoint.server_get("endpoint_context").federation_entity = federation_entity
def create_endpoint_context(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "endpoint": { "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": {}, } }, "keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS}, "authentication": { "user": { "acr": INTERNETPROTOCOLPASSWORD, "class": UserPassJinja2, "verify_endpoint": "verify/user", "kwargs": { "template": "user_pass.jinja2", "sym_key": "24AA/LR6HighEnergy", "db": { "class": JSONDictDB, "kwargs": {"filename": full_path("passwd.json")}, }, "page_header": "Testing log in", "submit_btn": "Get me in!", "user_label": "Nickname", "passwd_label": "Secret sauce", }, }, "anon": {"acr": UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "******"},}, }, "cookie_handler": { "class": "oidcop.cookie_handler.CookieHandler", "kwargs": {"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"}, }, "template_dir": "template", } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) self.endpoint_context = server.endpoint_context
def create_endpoint(self): try: shutil.rmtree("db") except FileNotFoundError: pass server1 = Server(OPConfiguration(conf=ENDPOINT_CONTEXT_CONFIG, base_path=BASEDIR), cwd=BASEDIR) server2 = Server(OPConfiguration(conf=ENDPOINT_CONTEXT_CONFIG, base_path=BASEDIR), cwd=BASEDIR) server1.endpoint_context.cdb["client_1"] = { "client_secret": "hemligt", "redirect_uris": [("https://example.com/cb", None)], "client_salt": "salted", "token_endpoint_auth_method": "client_secret_post", "response_types": ["code", "token", "code id_token", "id_token"], } _store = server1.endpoint_context.dump() server2.endpoint_context.load( _store, init_args={ "server_get": server2.server_get, "handler": server2.endpoint_context.session_manager.token_handler, }, ) self.endpoint = { 1: server1.server_get("endpoint", "userinfo"), 2: server2.server_get("endpoint", "userinfo"), } self.session_manager = { 1: server1.endpoint_context.session_manager, 2: server2.endpoint_context.session_manager, } self.user_id = "diana"
def create_endpoint(self, jwt_token): conf = { "issuer": "https://example.com/", "password": "******", "verify_ssl": False, "capabilities": CAPABILITIES, "keys": { "uri_path": "jwks.json", "key_defs": KEYDEFS }, "token_handler_args": { "jwks_file": "private/token_jwks.json", "code": { "kwargs": { "lifetime": 600 } }, "token": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "add_claims_by_scope": True, "aud": ["https://example.org/appl"], }, }, "refresh": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "aud": ["https://example.org/appl"], }, }, "id_token": { "class": "oidcop.token.id_token.IDToken", } }, "endpoint": { "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": {}, }, "introspection": { "path": "{}/intro", "class": Introspection, "kwargs": { "client_authn_method": ["client_secret_post"], "enable_claims_per_client": False, }, }, "token": { "path": "token", "class": Token, "kwargs": { "client_authn_method": [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", ] }, }, }, "authentication": { "anon": { "acr": INTERNETPROTOCOLPASSWORD, "class": "oidcop.user_authn.user.NoAuthn", "kwargs": { "user": "******" }, } }, "userinfo": { "path": "{}/userinfo", "class": UserInfo, "kwargs": { "db_file": full_path("users.json") }, }, "client_authn": verify_client, "template_dir": "template", "authz": { "class": AuthzHandling, "kwargs": { "grant_config": { "usage_rules": { "authorization_code": { "supports_minting": [ "access_token", "refresh_token", "id_token", ], "max_usage": 1, }, "access_token": {}, "refresh_token": { "supports_minting": ["access_token", "refresh_token"], }, }, "expires_in": 43200, } }, }, } if jwt_token: conf["token_handler_args"]["token"] = { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": {}, } server = Server(ASConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) endpoint_context = server.endpoint_context endpoint_context.cdb["client_1"] = { "client_secret": "hemligt", "redirect_uris": [("https://example.com/cb", None)], "client_salt": "salted", "token_endpoint_auth_method": "client_secret_post", "response_types": ["code", "token", "code id_token", "id_token"], "introspection_claims": { "nickname": None, "eduperson_scoped_affiliation": None, }, } endpoint_context.keyjar.import_jwks_as_json( endpoint_context.keyjar.export_jwks_as_json(private=True), endpoint_context.issuer, ) self.introspection_endpoint = server.server_get( "endpoint", "introspection") self.token_endpoint = server.server_get("endpoint", "token") self.session_manager = endpoint_context.session_manager self.user_id = "diana"
def create_endpoint(self): conf = { "issuer": ISS, "password": "******", "verify_ssl": False, "capabilities": CAPABILITIES, "keys": { "uri_path": "jwks.json", "key_defs": KEYDEFS }, "endpoint": { "provider_config": { "path": "{}/.well-known/openid-configuration", "class": ProviderConfiguration, "kwargs": { "client_authn_method": None }, }, "registration": { "path": "{}/registration", "class": Registration, "kwargs": { "client_authn_method": None }, }, "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": { "client_authn_method": None }, }, "token": { "path": "{}/token", "class": Token, "kwargs": {} }, "userinfo": { "path": "{}/userinfo", "class": userinfo.UserInfo, "kwargs": { "db_file": "users.json" }, }, "session": { "path": "{}/end_session", "class": Session, "kwargs": { "post_logout_uri_path": "post_logout", "signing_alg": "ES256", "logout_verify_url": "{}/verify_logout".format(ISS), "client_authn_method": None, }, }, }, "authentication": { "anon": { "acr": INTERNETPROTOCOLPASSWORD, "class": "oidcop.user_authn.user.NoAuthn", "kwargs": { "user": "******" }, } }, "userinfo": { "class": UserInfo, "kwargs": { "db": USERINFO_db } }, "template_dir": "template", "token_handler_args": { "jwks_def": { "private_path": "private/token_jwks.json", "read_only": False, "key_defs": [{ "type": "oct", "bytes": "24", "use": ["enc"], "kid": "code" }], }, "code": { "kwargs": { "lifetime": 600 } }, "token": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "add_claims_by_scope": True, "aud": ["https://example.org/appl"], }, }, "refresh": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "aud": ["https://example.org/appl"], }, }, "id_token": { "class": "oidcop.token.id_token.IDToken", "kwargs": { "base_claims": { "email": { "essential": True }, "email_verified": { "essential": True }, } }, }, }, } cookie_conf = { "sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch", "name": { "session": "oidc_op", "register": "oidc_op_reg", "session_management": "oidc_op_sman", }, } self.cd = CookieHandler(**cookie_conf) server = Server( OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR, cookie_handler=self.cd, keyjar=KEYJAR, ) endpoint_context = server.endpoint_context endpoint_context.cdb = { "client_1": { "client_secret": "hemligt", "redirect_uris": [("{}cb".format(CLI1), None)], "client_salt": "salted", "token_endpoint_auth_method": "client_secret_post", "response_types": ["code", "token", "code id_token", "id_token"], "post_logout_redirect_uris": [("{}logout_cb".format(CLI1), "")], }, "client_2": { "client_secret": "hemligare", "redirect_uris": [("{}cb".format(CLI2), None)], "client_salt": "saltare", "token_endpoint_auth_method": "client_secret_post", "response_types": ["code", "token", "code id_token", "id_token"], "post_logout_redirect_uris": [("{}logout_cb".format(CLI2), "")], }, } self.session_manager = endpoint_context.session_manager self.authn_endpoint = server.server_get("endpoint", "authorization") self.session_endpoint = server.server_get("endpoint", "session") self.token_endpoint = server.server_get("endpoint", "token") self.user_id = "diana"
def create_authn_broker(self): conf = { "issuer": "https://example.com/", "password": "******", "verify_ssl": False, "capabilities": CAPABILITIES, "keys": { "uri_path": "static/jwks.json", "key_defs": KEYDEFS }, "endpoint": { "provider_config": { "path": "{}/.well-known/openid-configuration", "class": ProviderConfiguration, "kwargs": {}, }, "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": {}, }, "token": { "path": "{}/token", "class": Token, "kwargs": {} }, }, "authentication": METHOD, "userinfo": { "class": UserInfo, "kwargs": { "db": USERINFO_db } }, "template_dir": "template", "claims_interface": { "class": "oidcop.session.claims.ClaimsInterface", "kwargs": {} }, } cookie_conf = { "sign_key": SYMKey(k="ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"), "name": { "session": "oidc_op", "register": "oidc_op_reg", "session_management": "oidc_op_sman", }, } cookie_handler = CookieHandler(**cookie_conf) server = Server(conf, cookie_handler=cookie_handler) endpoint_context = server.endpoint_context endpoint_context.cdb["client_1"] = { "client_secret": "hemligt", "redirect_uris": [("https://example.com/cb", None)], "client_salt": "salted", "token_endpoint_auth_method": "client_secret_post", "response_types": [ "code", "token", "code id_token", "id_token", "code id_token token", ], } endpoint_context.keyjar.import_jwks( endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]) self.server = server
def test_token_handler_from_config(): conf = { "issuer": "https://example.com/op", "keys": { "uri_path": "static/jwks.json", "key_defs": KEYDEFS }, "endpoint": { "endpoint": { "path": "endpoint", "class": Endpoint, "kwargs": {} }, }, "token_handler_args": { "jwks_def": { "private_path": "private/token_jwks.json", "read_only": False, "key_defs": [{ "type": "oct", "bytes": "24", "use": ["enc"], "kid": "code" }], }, "code": { "kwargs": { "lifetime": 600 } }, "token": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "add_claims_by_scope": True, "aud": ["https://example.org/appl"], }, }, "refresh": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "aud": ["https://example.org/appl"], }, }, "id_token": { "class": "oidcop.token.id_token.IDToken", "kwargs": { "base_claims": { "email": { "essential": True }, "email_verified": { "essential": True }, } }, }, }, } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) token_handler = server.endpoint_context.session_manager.token_handler assert token_handler assert len(token_handler.handler) == 4 assert set(token_handler.handler.keys()) == { "authorization_code", "access_token", "refresh_token", "id_token", } assert isinstance(token_handler.handler["authorization_code"], DefaultToken) assert isinstance(token_handler.handler["access_token"], JWTToken) assert isinstance(token_handler.handler["refresh_token"], JWTToken) assert isinstance(token_handler.handler["id_token"], IDToken) assert token_handler.handler["authorization_code"].lifetime == 600 assert token_handler.handler["access_token"].alg == "ES256" assert token_handler.handler["access_token"].kwargs == { "add_claims_by_scope": True } assert token_handler.handler["access_token"].lifetime == 3600 assert token_handler.handler["access_token"].def_aud == [ "https://example.org/appl" ] assert token_handler.handler["refresh_token"].alg == "ES256" assert token_handler.handler["refresh_token"].kwargs == {} assert token_handler.handler["refresh_token"].lifetime == 3600 assert token_handler.handler["refresh_token"].def_aud == [ "https://example.org/appl" ] assert token_handler.handler["id_token"].lifetime == 300 assert "base_claims" in token_handler.handler["id_token"].kwargs
def setup_session_manager(self): conf = { "issuer": ISSUER, "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "capabilities": CAPABILITIES, "keys": { "uri_path": "jwks.json", "key_defs": KEYDEFS }, "token_handler_args": { "jwks_file": "private/token_jwks.json", "code": { "lifetime": 600 }, "token": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "add_claims": [ "email", "email_verified", "phone_number", "phone_number_verified", ], "add_claim_by_scope": True, "aud": ["https://example.org/appl"], }, }, "refresh": {}, }, "endpoint": { "provider_config": { "path": "{}/.well-known/openid-configuration", "class": ProviderConfiguration, "kwargs": {}, }, "registration": { "path": "{}/registration", "class": Registration, "kwargs": {}, }, "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": {}, }, "token": { "path": "{}/token", "class": Token, "kwargs": {} }, "session": { "path": "{}/end_session", "class": Session }, }, "client_authn": verify_client, "authentication": { "anon": { "acr": INTERNETPROTOCOLPASSWORD, "class": "oidcop.user_authn.user.NoAuthn", "kwargs": { "user": "******" }, } }, "template_dir": "template", "userinfo": { "class": user_info.UserInfo, "kwargs": { "db_file": full_path("users.json") }, }, } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), keyjar=KEYJAR, cwd=BASEDIR) self.endpoint_context = server.endpoint_context self.session_manager = self.endpoint_context.session_manager
def test_file(jwks): conf = { "issuer": "https://example.com/op", "keys": { "uri_path": "static/jwks.json", "key_defs": KEYDEFS }, "endpoint": { "endpoint": { "path": "endpoint", "class": Endpoint, "kwargs": {} }, }, "token_handler_args": { "code": { "kwargs": { "lifetime": 600 } }, "token": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "add_claims_by_scope": True, "aud": ["https://example.org/appl"], }, }, "refresh": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "aud": ["https://example.org/appl"], }, }, "id_token": { "class": "oidcop.token.id_token.IDToken", "kwargs": { "base_claims": { "email": { "essential": True }, "email_verified": { "essential": True }, } }, }, }, } for arg in ["jwks_file", "jwks_def"]: try: del conf["token_handler_args"][arg] except KeyError: pass for _file in [ "private/token_jwks_1.json", "private/token_jwks_2.json", "private/token_jwks.json", ]: if os.path.exists(full_path(_file)): os.unlink(full_path(_file)) if jwks: conf["token_handler_args"].update(jwks) server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) token_handler = server.endpoint_context.session_manager.token_handler assert token_handler if "jwks_file" in conf["token_handler_args"]: assert os.path.exists(full_path("private/token_jwks_1.json")) elif "jwks_def" in conf["token_handler_args"]: assert os.path.exists(full_path("private/token_jwks_2.json")) else: assert os.path.exists(full_path("private/token_jwks.json"))
def create_session_manager(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "keys": { "key_defs": KEYDEFS, "uri_path": "static/jwks.json" }, "jwks_uri": "https://example.com/jwks.json", "token_handler_args": { "jwks_def": { "private_path": "private/token_jwks.json", "read_only": False, "key_defs": [{ "type": "oct", "bytes": "24", "use": ["enc"], "kid": "code" }], }, "code": { "lifetime": 600 }, "token": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "add_claims": True, "add_claim_by_scope": True, "aud": ["https://example.org/appl"], }, }, "refresh": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "aud": ["https://example.org/appl"], }, }, }, "endpoint": { "authorization_endpoint": { "path": "{}/authorization", "class": Authorization, "kwargs": {}, }, "token_endpoint": { "path": "{}/token", "class": Token, "kwargs": {} }, }, "template_dir": "template", "claims_interface": { "class": "oidcop.session.claims.ClaimsInterface", "kwargs": {} }, } server = Server(conf) self.server = server self.endpoint_context = server.endpoint_context self.session_manager = server.endpoint_context.session_manager self.authn_event = AuthnEvent(uid="uid", valid_until=time_sans_frac() + 1, authn_info="authn_class_ref") self.dummy_session_id = self.session_manager.encrypted_session_id( "user_id", "client_id", "grant.id")
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "verify_ssl": False, "capabilities": CAPABILITIES, "keys": { "uri_path": "static/jwks.json", "key_defs": KEYDEFS }, "endpoint": { "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": { "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED], "response_modes_supported": ["query", "fragment", "form_post"], "claims_parameter_supported": True, "request_parameter_supported": True, "request_uri_parameter_supported": True, "request_cls": JWTSecuredAuthorizationRequest, }, } }, "authentication": { "anon": { "acr": "http://www.swamid.se/policy/assurance/al1", "class": "oidcop.user_authn.user.NoAuthn", "kwargs": { "user": "******" }, } }, "userinfo": { "class": UserInfo, "kwargs": { "db": USERINFO_db } }, "template_dir": "template", "cookie_handler": { "class": CookieHandler, "kwargs": { "sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch", "name": { "session": "oidc_op", "register": "oidc_op_reg", "session_management": "oidc_op_sman", }, }, }, } server = Server(ASConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) endpoint_context = server.endpoint_context _clients = yaml.safe_load(io.StringIO(client_yaml)) endpoint_context.cdb = _clients["clients"] endpoint_context.keyjar.import_jwks( endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]) self.endpoint = server.server_get("endpoint", "authorization") self.session_manager = endpoint_context.session_manager self.user_id = "diana" self.rp_keyjar = KeyJar() self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890") endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "verify_ssl": False, "capabilities": CAPABILITIES, "cookie_handler": { "class": CookieHandler, "kwargs": { "keys": { "key_defs": COOKIE_KEYDEFS }, "name": { "session": "oidc_op", "register": "oidc_op_reg", "session_management": "oidc_op_sman", }, }, }, "keys": { "uri_path": "jwks.json", "key_defs": KEYDEFS }, "endpoint": { "provider_config": { "path": ".well-known/openid-configuration", "class": ProviderConfiguration, "kwargs": {}, }, "registration": { "path": "registration", "class": Registration, "kwargs": {}, }, "authorization": { "path": "authorization", "class": Authorization, "kwargs": {}, }, "token": { "path": "token", "class": Token, "kwargs": { "client_authn_methods": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt", ] }, }, "userinfo": { "path": "userinfo", "class": userinfo.UserInfo, "kwargs": { "claim_types_supported": [ "normal", "aggregated", "distributed", ], "client_authn_method": ["bearer_header"], }, }, }, "userinfo": { "class": user_info.UserInfo, "kwargs": { "db_file": full_path("users.json") }, }, # "client_authn": verify_client, "authentication": { "anon": { "acr": INTERNETPROTOCOLPASSWORD, "class": "oidcop.user_authn.user.NoAuthn", "kwargs": { "user": "******" }, } }, "template_dir": "template", "add_on": { "custom_scopes": { "function": "oidcop.oidc.add_on.custom_scopes.add_custom_scopes", "kwargs": { "research_and_scholarship": [ "name", "given_name", "family_name", "email", "email_verified", "sub", "eduperson_scoped_affiliation", ] }, } }, } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) endpoint_context = server.endpoint_context endpoint_context.cdb["client_1"] = { "client_secret": "hemligt", "redirect_uris": [("https://example.com/cb", None)], "client_salt": "salted", "token_endpoint_auth_method": "client_secret_post", "response_types": ["code", "token", "code id_token", "id_token"], } self.endpoint = server.server_get("endpoint", "userinfo") self.session_manager = endpoint_context.session_manager self.user_id = "diana"
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "verify_ssl": False, "capabilities": { "subject_types_supported": ["public", "pairwise", "ephemeral"], "grant_types_supported": [ "authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token", ], }, "token_handler_args": { "jwks_def": { "private_path": "private/token_jwks.json", "read_only": False, "key_defs": [{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"}], }, "code": {"kwargs": {"lifetime": 600}}, "token": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "add_claims_by_scope": True, "aud": ["https://example.org/appl"], }, }, "refresh": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],}, }, "id_token": { "class": "oidcop.token.id_token.IDToken", "kwargs": { "base_claims": { "email": {"essential": True}, "email_verified": {"essential": True}, } }, }, }, "cookie_handler": { "class": CookieHandler, "kwargs": {"keys": {"key_defs": COOKIE_KEYDEFS}}, }, "keys": {"key_defs": KEYDEFS, "uri_path": "static/jwks.json"}, "endpoint": { "registration": { "path": "registration", "class": Registration, "kwargs": {"client_auth_method": None}, }, "authorization": { "path": "authorization", "class": Authorization, "kwargs": { "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED], "response_modes_supported": ["query", "fragment", "form_post"], "claim_types_supported": ["normal", "aggregated", "distributed",], "claims_parameter_supported": True, "request_parameter_supported": True, "request_uri_parameter_supported": True, }, }, "token": { "path": "token", "class": Token, "kwargs": { "client_authn_method": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt", ] }, }, "userinfo": {"path": "userinfo", "class": UserInfo, "kwargs": {}}, }, "template_dir": "template", } server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR) self.endpoint = server.server_get("endpoint", "registration")
def create_endpoint(self): conf = { "issuer": ISSUER, "password": "******", "verify_ssl": False, "capabilities": CAPABILITIES, "add_on": { "dpop": { "function": "oidcop.oauth2.add_on.dpop.add_support", "kwargs": { "dpop_signing_alg_values_supported": ["ES256"] } }, }, "keys": {"uri_path": "jwks.json", "key_defs": KEYDEFS}, "token_handler_args": { "jwks_file": "private/token_jwks.json", "code": {"lifetime": 600}, "token": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "base_claims": {"eduperson_scoped_affiliation": None}, "add_claims_by_scope": True, "aud": ["https://example.org/appl"], }, }, "refresh": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"], }, }, "id_token": { "class": "oidcop.token.id_token.IDToken", "kwargs": { "base_claims": { "email": {"essential": True}, "email_verified": {"essential": True}, } }, }, }, "endpoint": { "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": {}, }, "token": { "path": "{}/token", "class": Token, "kwargs": {}}, }, "client_authn": verify_client, "authentication": { "anon": { "acr": INTERNETPROTOCOLPASSWORD, "class": "oidcop.user_authn.user.NoAuthn", "kwargs": {"user": "******"}, } }, "template_dir": "template", "userinfo": { "class": user_info.UserInfo, "kwargs": {"db_file": "users.json"}, }, } server = Server(OPConfiguration(conf, base_path=BASEDIR), keyjar=KEYJAR) self.endpoint_context = server.endpoint_context self.endpoint_context.cdb["client_1"] = { "client_secret": "hemligt", "redirect_uris": [("https://example.com/cb", None)], "client_salt": "salted", "token_endpoint_auth_method": "client_secret_post", "response_types": ["code", "token", "code id_token", "id_token"], } self.user_id = "diana" self.token_endpoint = server.server_get("endpoint", "token") self.session_manager = self.endpoint_context.session_manager
def create_setup(self): # First the RP entity = Entity( config={ 'behaviour': { 'federation_types_supported': ['automatic'] }, 'issuer': "https://op.ntnu.no", 'keys': { 'key_defs': KEYSPEC } }) service_context = entity.get_service_context() self.rp_federation_entity = FederationEntity( entity_id=RP_ENTITY_ID, trusted_roots=ANCHOR, authority_hints=['https://ntnu.no'], entity_type='openid_relying_party', opponent_entity_type='openid_provider') self.rp_federation_entity.keyjar.import_jwks(read_info( os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no', 'jwks'), issuer_id=RP_ENTITY_ID) self.rp_federation_entity.collector = DummyCollector( trusted_roots=ANCHOR, root_dir=ROOT_DIR) # add the federation part to the service context service_context.federation_entity = self.rp_federation_entity # The RP has/supports 3 services self.discovery_service = FedProviderInfoDiscovery(entity.client_get) self.registration_service = RPRegistration(entity.client_get) # self.authorization_service = FedAuthorization(entity.client_get) # and now for the OP op_entity_id = "https://op.ntnu.no" conf = { "issuer": op_entity_id, "password": "******", "token_handler_args": { "jwks_def": { "private_path": "private/token_jwks.json", "read_only": False, "key_defs": [ { "type": "oct", "bytes": 24, "use": ["enc"], "kid": "code" }, { "type": "oct", "bytes": 24, "use": ["enc"], "kid": "refresh" }, ], }, "code": { "lifetime": 600 }, "token": { "class": "oidcop.token.jwt_token.JWTToken", "kwargs": { "lifetime": 3600, "add_claims": [ "email", "email_verified", "phone_number", "phone_number_verified", ], "add_claim_by_scope": True, "aud": ["https://example.org/appl"] }, }, "refresh": { "lifetime": 86400 }, }, "claims_interface": { "class": "oidcop.session.claims.ClaimsInterface", "kwargs": {} }, "verify_ssl": False, "capabilities": CAPABILITIES, "keys": { "uri_path": "static/jwks.json", "key_defs": KEYSPEC }, "id_token": { "class": IDToken, "kwargs": { "default_claims": { "email": { "essential": True }, "email_verified": { "essential": True }, } }, }, "endpoint": { "provider_config": { "path": ".well-known/openid-configuration", "class": ProviderConfiguration, "kwargs": {}, }, "registration": { "path": "registration", "class": OPRegistration, "kwargs": {}, }, "authorization": { "path": "authorization", "class": Authorization, "kwargs": { "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED], "response_modes_supported": ["query", "fragment", "form_post"], "claims_parameter_supported": True, "request_parameter_supported": True, "request_uri_parameter_supported": True, }, }, "pushed_authorization": { "path": "pushed_authorization", "class": PushedAuthorization, "kwargs": { "client_authn_method": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt", ] }, }, }, "authentication": { "anon": { "acr": "http://www.swamid.se/policy/assurance/al1", "class": "oidcop.user_authn.user.NoAuthn", "kwargs": { "user": "******" }, } }, "template_dir": "template", "cookie_handler": { "class": CookieHandler, "kwargs": { "keys": { "key_defs": COOKIE_KEYDEFS }, "name": { "session": "oidc_op", "register": "oidc_op_reg", "session_management": "oidc_op_sman" } }, }, 'add_on': { "automatic_registration": { "function": "fedservice.op.add_on.automatic_registration.add_support", "kwargs": { "new_id": False, # default False "where": ["pushed_authorization"] } } } } server = Server(conf) endpoint_context = server.get_endpoint_context() _clients = yaml.safe_load(io.StringIO(client_yaml)) # endpoint_context.cdb = _clients["oidc_clients"] endpoint_context.keyjar.import_jwks( endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]) self.pushed_authorization_endpoint = server.server_get( "endpoint", "pushed_authorization") self.authorization_endpoint = server.server_get( "endpoint", "authorization") self.registration_endpoint = server.server_get("endpoint", "registration") federation_entity = FederationEntity( op_entity_id, trusted_roots=ANCHOR, authority_hints=['https://ntnu.no'], entity_type='openid_relying_party', httpd=Publisher(ROOT_DIR), opponent_entity_type='openid_relying_party') # federation_entity.keyjar.import_jwks( # read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'), # 'op.ntnu.no', 'jwks'), # issuer_id=op_entity_id) federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR), trusted_roots=ANCHOR, root_dir=ROOT_DIR) self.authorization_endpoint.server_get( "endpoint_context").federation_entity = federation_entity