def test_missing_token_endpoint():
conf = {
"issuer": "https://example.com/",
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"authorization": {
"path": "authorization",
"class": "oidcop.oauth2.authorization.Authorization",
"kwargs": {},
},
"introspection": {
"path": "introspection",
"class": "oidcop.oauth2.introspection.Introspection",
"kwargs": {},
},
},
}
configuration = OPConfiguration(conf,
base_path=BASEDIR,
domain="127.0.0.1",
port=443)
server = Server(configuration)
add_pkce_support(server.server_get("endpoints"))
assert "pkce" not in server.server_get("endpoint_context").args
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
"webfinger": {
"path": ".well-known/webfinger",
"class": Discovery,
"kwargs": {
"client_authn_method": None
},
}
},
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
self.endpoint = server.server_get("endpoint", "discovery")
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {}
},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
self.endpoint_context = server.endpoint_context
self.endpoint = server.server_get("endpoint", "provider_config")
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {"key_defs": KEYDEFS, "uri_path": "static/jwks.json"},
"cookie_handler": {
"class": CookieHandler,
"kwargs": {"keys": {"key_defs": COOKIE_KEY_DEFS}},
},
"endpoint": {
"registration": {
"path": "registration",
"class": Registration,
"kwargs": {"client_auth_method": None},
},
"registration_api": {
"path": "registration_api",
"class": RegistrationRead,
"kwargs": {"client_authn_method": ["bearer_header"]},
},
"authorization": {"path": "authorization", "class": Authorization, "kwargs": {},},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {"path": "userinfo", "class": UserInfo, "kwargs": {}},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
self.registration_endpoint = server.server_get("endpoint", "registration")
self.registration_api_endpoint = server.server_get("endpoint", "registration_read")
def create_endpoint(self):
try:
shutil.rmtree("db")
except FileNotFoundError:
pass
server1 = Server(OPConfiguration(conf=ENDPOINT_CONTEXT_CONFIG,
base_path=BASEDIR),
cwd=BASEDIR)
server2 = Server(OPConfiguration(conf=ENDPOINT_CONTEXT_CONFIG,
base_path=BASEDIR),
cwd=BASEDIR)
server1.endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
_store = server1.endpoint_context.dump()
server2.endpoint_context.load(
_store,
init_args={
"server_get": server2.server_get,
"handler":
server2.endpoint_context.session_manager.token_handler,
},
)
self.endpoint = {
1: server1.server_get("endpoint", "userinfo"),
2: server2.server_get("endpoint", "userinfo"),
}
self.session_manager = {
1: server1.endpoint_context.session_manager,
2: server2.endpoint_context.session_manager,
}
self.user_id = "diana"
def create_endpoint_context(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": ["query", "fragment", "form_post"],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
}
},
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
"authentication": {
"anon": {"acr": UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "******"},},
},
"cookie_handler": {
"class": "oidcop.cookie_handler.CookieHandler",
"kwargs": {
"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]
)
self.endpoint = server.server_get("endpoint", "authorization")
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
def create_endpoint(self, conf):
server = Server(ASConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
endpoint_context = server.endpoint_context
endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
endpoint_context.keyjar.import_jwks(CLIENT_KEYJAR.export_jwks(), "client_1")
self.session_manager = endpoint_context.session_manager
self.token_endpoint = server.server_get("endpoint", "token")
self.user_id = "diana"
self.endpoint_context = endpoint_context
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {
"key_defs": COOKIE_KEYDEFS
},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
"keys": {
"uri_path": "jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": Registration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_methods": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {
"path": "userinfo",
"class": userinfo.UserInfo,
"kwargs": {
"claim_types_supported": [
"normal",
"aggregated",
"distributed",
],
"client_authn_method": ["bearer_header"],
},
},
},
"userinfo": {
"class": user_info.UserInfo,
"kwargs": {
"db_file": full_path("users.json")
},
},
# "client_authn": verify_client,
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"add_on": {
"custom_scopes": {
"function":
"oidcop.oidc.add_on.custom_scopes.add_custom_scopes",
"kwargs": {
"research_and_scholarship": [
"name",
"given_name",
"family_name",
"email",
"email_verified",
"sub",
"eduperson_scoped_affiliation",
]
},
}
},
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
endpoint_context = server.endpoint_context
endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
self.endpoint = server.server_get("endpoint", "userinfo")
self.session_manager = endpoint_context.session_manager
self.user_id = "diana"
def create_endpoint(self):
conf = {
"issuer": ISSUER,
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"add_on": {
"dpop": {
"function": "oidcop.oauth2.add_on.dpop.add_support",
"kwargs": {
"dpop_signing_alg_values_supported": ["ES256"]
}
},
},
"keys": {"uri_path": "jwks.json", "key_defs": KEYDEFS},
"token_handler_args": {
"jwks_file": "private/token_jwks.json",
"code": {"lifetime": 600},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"base_claims": {"eduperson_scoped_affiliation": None},
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"], },
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {"essential": True},
"email_verified": {"essential": True},
}
},
},
},
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"token": {
"path": "{}/token",
"class": Token,
"kwargs": {}},
},
"client_authn": verify_client,
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {"user": "******"},
}
},
"template_dir": "template",
"userinfo": {
"class": user_info.UserInfo,
"kwargs": {"db_file": "users.json"},
},
}
server = Server(OPConfiguration(conf, base_path=BASEDIR), keyjar=KEYJAR)
self.endpoint_context = server.endpoint_context
self.endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
self.user_id = "diana"
self.token_endpoint = server.server_get("endpoint", "token")
self.session_manager = self.endpoint_context.session_manager
def create_setup(self):
# First the RP
entity = Entity(
config={
'behaviour': {
'federation_types_supported': ['automatic']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
service_context = entity.get_service_context()
self.rp_federation_entity = FederationEntity(
entity_id=RP_ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=RP_ENTITY_ID)
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 3 services
self.discovery_service = FedProviderInfoDiscovery(entity.client_get)
self.registration_service = RPRegistration(entity.client_get)
# self.authorization_service = FedAuthorization(entity.client_get)
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "code"
},
{
"type": "oct",
"bytes": 24,
"use": ["enc"],
"kid": "refresh"
},
],
},
"code": {
"lifetime": 600
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime":
3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope":
True,
"aud": ["https://example.org/appl"]
},
},
"refresh": {
"lifetime": 86400
},
},
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"id_token": {
"class": IDToken,
"kwargs": {
"default_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": OPRegistration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
},
},
"pushed_authorization": {
"path": "pushed_authorization",
"class": PushedAuthorization,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {
"key_defs": COOKIE_KEYDEFS
},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman"
}
},
},
'add_on': {
"automatic_registration": {
"function":
"fedservice.op.add_on.automatic_registration.add_support",
"kwargs": {
"new_id": False, # default False
"where": ["pushed_authorization"]
}
}
}
}
server = Server(conf)
endpoint_context = server.get_endpoint_context()
_clients = yaml.safe_load(io.StringIO(client_yaml))
# endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.pushed_authorization_endpoint = server.server_get(
"endpoint", "pushed_authorization")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.registration_endpoint = server.server_get("endpoint",
"registration")
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
# federation_entity.keyjar.import_jwks(
# read_info(os.path.join(ROOT_DIR, 'op.ntnu.no'),
# 'op.ntnu.no', 'jwks'),
# issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.authorization_endpoint.server_get(
"endpoint_context").federation_entity = federation_entity
class TestVerify2:
@pytest.fixture(autouse=True)
def create_method(self):
self.server = Server(conf=CONF, keyjar=KEYJAR)
self.server.endpoint_context.cdb[client_id] = {
"client_secret": client_secret
}
self.endpoint_context = self.server.server_get("endpoint_context")
def test_verify_client_jws_authn_method(self):
client_keyjar = KeyJar()
client_keyjar.import_jwks(KEYJAR.export_jwks(private=True),
CONF["issuer"])
# The only own key the client has a this point
client_keyjar.add_symmetric("", client_secret, ["sig"])
_jwt = JWT(client_keyjar, iss=client_id, sign_alg="HS256")
# Audience is OP issuer ID
aud = CONF["issuer"] + "token"
_assertion = _jwt.pack({"aud": [aud]})
request = {
"client_assertion": _assertion,
"client_assertion_type": JWT_BEARER
}
res = verify_client(
self.endpoint_context,
request,
endpoint=self.server.server_get("endpoint", "token"),
)
assert res["method"] == "client_secret_jwt"
assert res["client_id"] == "client_id"
def test_verify_client_bearer_body(self):
request = {"access_token": "1234567890", "client_id": client_id}
self.endpoint_context.registration_access_token[
"1234567890"] = client_id
res = verify_client(
self.endpoint_context,
request,
get_client_id_from_token=get_client_id_from_token,
endpoint=self.server.server_get("endpoint", "userinfo"),
)
assert set(res.keys()) == {"token", "method", "client_id"}
assert res["method"] == "bearer_body"
def test_verify_client_client_secret_post(self):
request = {"client_id": client_id, "client_secret": client_secret}
res = verify_client(
self.endpoint_context,
request,
endpoint=self.server.server_get("endpoint", "token"),
)
assert set(res.keys()) == {"method", "client_id"}
assert res["method"] == "client_secret_post"
def test_verify_client_client_secret_basic(self):
_token = "{}:{}".format(client_id, client_secret)
token = as_unicode(base64.b64encode(as_bytes(_token)))
authz_token = "Basic {}".format(token)
http_info = {"headers": {"authorization": authz_token}}
res = verify_client(
self.endpoint_context,
{},
http_info=http_info,
endpoint=self.server.server_get("endpoint", "token"),
)
assert set(res.keys()) == {"method", "client_id"}
assert res["method"] == "client_secret_basic"
def test_verify_client_bearer_header(self):
# A prerequisite for the get_client_id_from_token function
self.endpoint_context.registration_access_token[
"1234567890"] = client_id
token = "Bearer 1234567890"
http_info = {"headers": {"authorization": token}}
request = {"client_id": client_id}
res = verify_client(
self.endpoint_context,
request,
http_info=http_info,
get_client_id_from_token=get_client_id_from_token,
endpoint=self.server.server_get("endpoint", "authorization"),
)
assert set(res.keys()) == {"token", "method", "client_id"}
assert res["method"] == "bearer_header"
def test_verify_client_authorization_none(self):
# This is when it's explicitly said that no client auth method is allowed
request = {"client_id": client_id}
res = verify_client(
self.endpoint_context,
request,
endpoint=self.server.server_get("endpoint", "authorization"),
)
assert res["method"] == "none"
assert res["client_id"] == "client_id"
def test_verify_client_registration_none(self):
# This is when no special auth method is configured
request = {"redirect_uris": ["https://example.com/cb"]}
res = verify_client(
self.endpoint_context,
request,
endpoint=self.server.server_get("endpoint", "registration"),
)
assert res == {}
class TestGrant:
@pytest.fixture(autouse=True)
def create_session_manager(self):
self.server = Server(conf=conf)
self.endpoint_context = self.server.server_get("endpoint_context")
def _create_session(self, auth_req, sub_type="public", sector_identifier=""):
if sector_identifier:
authz_req = auth_req.copy()
authz_req["sector_identifier_uri"] = sector_identifier
else:
authz_req = auth_req
client_id = authz_req["client_id"]
ae = create_authn_event(USER_ID)
return self.server.endpoint_context.session_manager.create_session(
ae, authz_req, USER_ID, client_id=client_id, sub_type=sub_type
)
def test_mint_token(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
code = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=TOKEN_HANDLER["authorization_code"],
)
access_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=code,
scope=["openid", "foo", "bar"],
)
assert access_token.scope == ["openid", "foo", "bar"]
def test_grant(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
code = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=TOKEN_HANDLER["authorization_code"],
)
access_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=code,
)
refresh_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="refresh_token",
token_handler=TOKEN_HANDLER["refresh_token"],
based_on=code,
)
grant.revoke_token()
assert code.revoked is True
assert access_token.revoked is True
assert refresh_token.revoked is True
def test_get_token(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
code = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=TOKEN_HANDLER["authorization_code"],
)
access_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=code,
scope=["openid", "foo", "bar"],
)
_code = grant.get_token(code.value)
assert _code.id == code.id
_token = grant.get_token(access_token.value)
assert _token.id == access_token.id
assert set(_token.scope) == {"openid", "foo", "bar"}
def test_grant_revoked_based_on(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
code = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=TOKEN_HANDLER["authorization_code"],
)
access_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=code,
)
refresh_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="refresh_token",
token_handler=TOKEN_HANDLER["refresh_token"],
based_on=code,
)
code.register_usage()
if code.max_usage_reached():
grant.revoke_token(based_on=code.value)
assert code.is_active() is False
assert access_token.is_active() is False
assert refresh_token.is_active() is False
def test_revoke(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
code = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=TOKEN_HANDLER["authorization_code"],
)
access_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=code,
)
grant.revoke_token(based_on=code.value)
assert code.is_active() is True
assert access_token.is_active() is False
access_token_2 = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=code,
)
grant.revoke_token(value=code.value, recursive=True)
assert code.is_active() is False
assert access_token_2.is_active() is False
def test_json_conversion(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
code = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=TOKEN_HANDLER["authorization_code"],
)
grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=code,
)
_item = grant.dump()
_grant_copy = Grant().load(_item)
assert len(_grant_copy.issued_token) == 2
tt = {"code": 0, "access_token": 0}
for token in _grant_copy.issued_token:
if token.token_class == "authorization_code":
tt["code"] += 1
if token.token_class == "access_token":
tt["access_token"] += 1
assert tt == {"code": 1, "access_token": 1}
def test_json_no_token_map(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
grant.token_map = {}
with pytest.raises(ValueError):
grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=TOKEN_HANDLER["authorization_code"],
)
def test_json_custom_token_map(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
token_map = TOKEN_MAP.copy()
token_map["my_token"] = MyToken
grant.token_map = token_map
code = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=TOKEN_HANDLER["authorization_code"],
)
grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=code,
)
grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="my_token",
token_handler=DefaultToken("my_token", typ="M"),
)
_jstr = grant.dump()
_grant_copy = Grant(token_map=token_map).load(_jstr)
assert len(_grant_copy.issued_token) == 3
tt = {k: 0 for k, v in grant.token_map.items()}
for token in _grant_copy.issued_token:
for _type in tt.keys():
if token.token_class == _type:
tt[_type] += 1
assert tt == {
"access_token": 1,
"authorization_code": 1,
"my_token": 1,
"refresh_token": 0,
"id_token": 0,
}
def test_get_spec(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
grant.scope = ["openid", "email", "address"]
grant.claims = {"userinfo": {"given_name": None, "email": None}}
grant.resources = ["https://api.example.com"]
code = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=TOKEN_HANDLER["authorization_code"],
)
access_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=code,
scope=["openid", "email", "eduperson"],
claims={"userinfo": {"given_name": None, "eduperson_affiliation": None}},
)
spec = grant.get_spec(access_token)
assert set(spec.keys()) == {"scope", "claims", "resources"}
assert spec["scope"] == ["openid", "email", "eduperson"]
assert spec["claims"] == {"userinfo": {"given_name": None, "eduperson_affiliation": None}}
assert spec["resources"] == ["https://api.example.com"]
def test_get_usage_rules(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
grant.scope = ["openid", "email", "address"]
grant.claims = {"userinfo": {"given_name": None, "email": None}}
grant.resources = ["https://api.example.com"]
# Default usage rules
self.endpoint_context.cdb["client_id"] = {}
rules = get_usage_rules("access_token", self.endpoint_context, grant, "client_id")
assert rules == {"supports_minting": [], "expires_in": 3600}
# client specific usage rules
self.endpoint_context.cdb["client_id"] = {"access_token": {"expires_in": 600}}
def test_assigned_scope(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
code = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=TOKEN_HANDLER["authorization_code"],
)
code.scope = ["openid", "email"]
access_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=code,
)
assert access_token.scope == code.scope
def test_assigned_scope_2nd(self):
session_id = self._create_session(AREQ)
session_info = self.endpoint_context.session_manager.get_session_info(
session_id=session_id, grant=True
)
grant = session_info["grant"]
code = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="authorization_code",
token_handler=TOKEN_HANDLER["authorization_code"],
)
code.scope = ["openid", "email"]
refresh_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="refresh_token",
token_handler=TOKEN_HANDLER["refresh_token"],
based_on=code,
)
access_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=refresh_token,
)
assert access_token.scope == code.scope
refresh_token.scope = ["openid", "xyz"]
access_token = grant.mint_token(
session_id,
endpoint_context=self.endpoint_context,
token_class="access_token",
token_handler=TOKEN_HANDLER["access_token"],
based_on=refresh_token,
)
assert access_token.scope == refresh_token.scope
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
"token_handler_args": {
"jwks_file": "private/token_jwks.json",
"code": {"kwargs": {"lifetime": 600}},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {"essential": True},
"email_verified": {"essential": True},
"given_name": {"essential": True},
"nickname": None,
}
},
},
},
"endpoint": {
"provider_config": {
"path": "{}/.well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {"path": "{}/registration", "class": Registration, "kwargs": {},},
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": ["query", "fragment", "form_post"],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {
"path": "userinfo",
"class": userinfo.UserInfo,
"kwargs": {
"db_file": "users.json",
"claim_types_supported": ["normal", "aggregated", "distributed",],
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {"user": "******"},
}
},
"userinfo": {"class": UserInfo, "kwargs": {"db": USERINFO_db}},
"template_dir": "template",
"authz": {
"class": AuthzHandling,
"kwargs": {
"grant_config": {
"usage_rules": {
"authorization_code": {
"supports_minting": ["access_token", "refresh_token", "id_token",],
"max_usage": 1,
},
"access_token": {},
"refresh_token": {
"supports_minting": ["access_token", "refresh_token"],
},
},
"expires_in": 43200,
}
},
},
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
"login_hint2acrs": {
"class": LoginHint2Acrs,
"kwargs": {"scheme_map": {"email": [INTERNETPROTOCOLPASSWORD]}},
},
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]
)
self.endpoint = server.server_get("endpoint", "authorization")
self.session_manager = endpoint_context.session_manager
self.user_id = "diana"
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
def create_endpoint(self):
conf = {
"issuer": ISS,
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"provider_config": {
"path": "{}/.well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {
"client_authn_method": None
},
},
"registration": {
"path": "{}/registration",
"class": Registration,
"kwargs": {
"client_authn_method": None
},
},
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"client_authn_method": None
},
},
"token": {
"path": "{}/token",
"class": Token,
"kwargs": {}
},
"userinfo": {
"path": "{}/userinfo",
"class": userinfo.UserInfo,
"kwargs": {
"db_file": "users.json"
},
},
"session": {
"path": "{}/end_session",
"class": Session,
"kwargs": {
"post_logout_uri_path": "post_logout",
"signing_alg": "ES256",
"logout_verify_url": "{}/verify_logout".format(ISS),
"client_authn_method": None,
},
},
},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"userinfo": {
"class": UserInfo,
"kwargs": {
"db": USERINFO_db
}
},
"template_dir": "template",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [{
"type": "oct",
"bytes": "24",
"use": ["enc"],
"kid": "code"
}],
},
"code": {
"kwargs": {
"lifetime": 600
}
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
},
}
cookie_conf = {
"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
}
self.cd = CookieHandler(**cookie_conf)
server = Server(
OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR,
cookie_handler=self.cd,
keyjar=KEYJAR,
)
endpoint_context = server.endpoint_context
endpoint_context.cdb = {
"client_1": {
"client_secret": "hemligt",
"redirect_uris": [("{}cb".format(CLI1), None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types":
["code", "token", "code id_token", "id_token"],
"post_logout_redirect_uris":
[("{}logout_cb".format(CLI1), "")],
},
"client_2": {
"client_secret": "hemligare",
"redirect_uris": [("{}cb".format(CLI2), None)],
"client_salt": "saltare",
"token_endpoint_auth_method": "client_secret_post",
"response_types":
["code", "token", "code id_token", "id_token"],
"post_logout_redirect_uris":
[("{}logout_cb".format(CLI2), "")],
},
}
self.session_manager = endpoint_context.session_manager
self.authn_endpoint = server.server_get("endpoint", "authorization")
self.session_endpoint = server.server_get("endpoint", "session")
self.token_endpoint = server.server_get("endpoint", "token")
self.user_id = "diana"
def create_endpoint(self):
conf = {
"issuer": ISSUER,
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "jwks.json",
"key_defs": KEYDEFS
},
"token_handler_args": {
"jwks_file": "private/token_jwks.json",
"code": {
"lifetime": 600
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"base_claims": {
"eduperson_scoped_affiliation": None
},
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
},
"endpoint": {
"provider_config": {
"path": "{}/.well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "{}/registration",
"class": Registration,
"kwargs": {},
},
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"token": {
"path": "{}/token",
"class": Token,
"kwargs": {}
},
"session": {
"path": "{}/end_session",
"class": Session
},
"introspection": {
"path": "{}/introspection",
"class": Introspection
},
},
"client_authn": verify_client,
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"userinfo": {
"class": user_info.UserInfo,
"kwargs": {
"db_file": full_path("users.json")
},
},
"authz": {
"class": AuthzHandling,
"kwargs": {
"grant_config": {
"usage_rules": {
"authorization_code": {
"supports_minting": [
"access_token",
"refresh_token",
"id_token",
],
"max_usage":
1,
},
"access_token": {},
"refresh_token": {
"supports_minting":
["access_token", "refresh_token"],
},
},
"expires_in": 43200,
}
},
},
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
}
server = Server(conf, keyjar=KEYJAR)
self.endpoint_context = server.endpoint_context
self.endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
self.session_manager = self.endpoint_context.session_manager
self.user_id = "diana"
self.endpoint = server.server_get("endpoint", "session")
def create_endpoint(self):
# First the RP
entity = Entity(
config={
'behaviour': {
'federation_types_supported': ['explicit']
},
'issuer': "https://op.ntnu.no",
'keys': {
'key_defs': KEYSPEC
}
})
service_context = entity.client_get("service_context")
# the federation part of the RP
self.rp_federation_entity = FederationEntity(
entity_id=ENTITY_ID,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
opponent_entity_type='openid_provider')
self.rp_federation_entity.collector = DummyCollector(
trusted_roots=ANCHOR, root_dir=ROOT_DIR)
self.rp_federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'foodle.uninett.no'), 'foodle.uninett.no',
'jwks'),
issuer_id=ENTITY_ID)
# add the federation part to the service context
service_context.federation_entity = self.rp_federation_entity
# The RP has/supports 3 services
self.service = {
'discovery': FedProviderInfoDiscovery(entity.client_get),
'registration': Registration(entity.client_get),
'authorization': FedAuthorization(entity.client_get),
}
# and now for the OP
op_entity_id = "https://op.ntnu.no"
conf = {
"issuer": op_entity_id,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"httpc_param": {
'verify': False,
"timeout": 2
},
"claims_interface": {
"class": "oidcop.session.claims.ClaimsInterface",
"kwargs": {}
},
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {
"key_defs": COOKIE_KEYDEFS
},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman"
}
},
},
"endpoint": {
'provider_info': {
'path': '.well-known/openid-federation',
'class': provider_config.ProviderConfiguration,
'kwargs': {
'client_authn_method': None
}
},
'registration': {
'path': 'fed_registration',
'class': registration.Registration,
'kwargs': {
'client_authn_method': None
}
},
'authorization': {
'path': 'authorization',
'class': authorization.Authorization,
'kwargs': {
"response_modes_supported":
['query', 'fragment', 'form_post'],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"client_authn_method": ['request_param']
}
}
},
"keys": {
"private_path": "own/jwks.json",
"uri_path": "static/jwks.json",
"key_defs": KEYSPEC
},
"authentication": {
"anon": {
'acr': UNSPECIFIED,
"class": NoAuthn,
"kwargs": {
"user": "******"
}
}
},
'template_dir': 'template'
}
server = Server(conf)
self.registration_endpoint = server.server_get("endpoint",
"registration")
self.authorization_endpoint = server.server_get(
"endpoint", "authorization")
self.provider_endpoint = server.server_get("endpoint",
"provider_config")
# === Federation stuff =======
federation_entity = FederationEntity(
op_entity_id,
trusted_roots=ANCHOR,
authority_hints=['https://ntnu.no'],
entity_type='openid_relying_party',
httpd=Publisher(ROOT_DIR),
opponent_entity_type='openid_relying_party')
federation_entity.keyjar.import_jwks(read_info(
os.path.join(ROOT_DIR, 'op.ntnu.no'), 'op.ntnu.no', 'jwks'),
issuer_id=op_entity_id)
federation_entity.collector = DummyCollector(httpd=Publisher(ROOT_DIR),
trusted_roots=ANCHOR,
root_dir=ROOT_DIR)
self.registration_endpoint.server_get(
"endpoint_context").federation_entity = federation_entity
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_handler_args": {
"jwks_def": {
"private_path": "private/token_jwks.json",
"read_only": False,
"key_defs": [
{"type": "oct", "bytes": 24, "use": ["enc"], "kid": "code"},
{"type": "oct", "bytes": 24, "use": ["enc"], "kid": "refresh"},
],
},
"code": {"lifetime": 600},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {"lifetime": 86400},
},
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {"path": "registration", "class": Registration, "kwargs": {},},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": ["query", "fragment", "form_post"],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
},
"pushed_authorization": {
"path": "pushed_authorization",
"class": PushedAuthorization,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {"user": "******"},
}
},
"template_dir": "template",
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
}
server = Server(ASConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]
)
self.rp_keyjar = init_key_jar(key_defs=KEYDEFS, issuer_id="s6BhdRkqt3")
# Add RP's keys to the OP's keyjar
endpoint_context.keyjar.import_jwks(
self.rp_keyjar.export_jwks(issuer_id="s6BhdRkqt3"), "s6BhdRkqt3"
)
self.pushed_authorization_endpoint = server.server_get("endpoint", "pushed_authorization")
self.authorization_endpoint = server.server_get("endpoint", "authorization")
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"request_cls":
JWTSecuredAuthorizationRequest,
},
}
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"userinfo": {
"class": UserInfo,
"kwargs": {
"db": USERINFO_db
}
},
"template_dir": "template",
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"sign_key":
"ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
}
server = Server(ASConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.endpoint = server.server_get("endpoint", "authorization")
self.session_manager = endpoint_context.session_manager
self.user_id = "diana"
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
endpoint_context.keyjar.add_symmetric("client_1",
"hemligtkodord1234567890")
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": {
"subject_types_supported": ["public", "pairwise", "ephemeral"],
"grant_types_supported": [
"authorization_code",
"implicit",
"urn:ietf:params:oauth:grant-type:jwt-bearer",
"refresh_token",
],
},
"token_handler_args": {
"jwks_def": {
"private_path": "private/token_jwks.json",
"read_only": False,
"key_defs": [{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"}],
},
"code": {"kwargs": {"lifetime": 600}},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {"essential": True},
"email_verified": {"essential": True},
}
},
},
},
"cookie_handler": {
"class": CookieHandler,
"kwargs": {"keys": {"key_defs": COOKIE_KEYDEFS}},
},
"keys": {"key_defs": KEYDEFS, "uri_path": "static/jwks.json"},
"endpoint": {
"registration": {
"path": "registration",
"class": Registration,
"kwargs": {"client_auth_method": None},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": ["query", "fragment", "form_post"],
"claim_types_supported": ["normal", "aggregated", "distributed",],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {"path": "userinfo", "class": UserInfo, "kwargs": {}},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
self.endpoint = server.server_get("endpoint", "registration")
def create_endpoint(self, jwt_token):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "jwks.json",
"key_defs": KEYDEFS
},
"token_handler_args": {
"jwks_file": "private/token_jwks.json",
"code": {
"kwargs": {
"lifetime": 600
}
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
}
},
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"introspection": {
"path": "{}/intro",
"class": Introspection,
"kwargs": {
"client_authn_method": ["client_secret_post"],
"enable_claims_per_client": False,
},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_method": [
"client_secret_basic",
"client_secret_post",
"client_secret_jwt",
"private_key_jwt",
]
},
},
},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"userinfo": {
"path": "{}/userinfo",
"class": UserInfo,
"kwargs": {
"db_file": full_path("users.json")
},
},
"client_authn": verify_client,
"template_dir": "template",
"authz": {
"class": AuthzHandling,
"kwargs": {
"grant_config": {
"usage_rules": {
"authorization_code": {
"supports_minting": [
"access_token",
"refresh_token",
"id_token",
],
"max_usage":
1,
},
"access_token": {},
"refresh_token": {
"supports_minting":
["access_token", "refresh_token"],
},
},
"expires_in": 43200,
}
},
},
}
if jwt_token:
conf["token_handler_args"]["token"] = {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {},
}
server = Server(ASConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
endpoint_context = server.endpoint_context
endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
"introspection_claims": {
"nickname": None,
"eduperson_scoped_affiliation": None,
},
}
endpoint_context.keyjar.import_jwks_as_json(
endpoint_context.keyjar.export_jwks_as_json(private=True),
endpoint_context.issuer,
)
self.introspection_endpoint = server.server_get(
"endpoint", "introspection")
self.token_endpoint = server.server_get("endpoint", "token")
self.session_manager = endpoint_context.session_manager
self.user_id = "diana"
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
"token_handler_args": {
"jwks_def": {
"private_path": "private/token_jwks.json",
"read_only": False,
"key_defs": [{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"}],
},
"code": {"kwargs": {"lifetime": 600}},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {"essential": True},
"email_verified": {"essential": True},
}
},
},
},
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": ["query", "fragment", "form_post"],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
}
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {"user": "******"},
}
},
"userinfo": {"class": UserInfo, "kwargs": {"db": USERINFO_db}},
"template_dir": "template",
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {"key_defs": COOKIE_KEYDEFS},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
"authz": {
"class": AuthzHandling,
"kwargs": {
"grant_config": {
"usage_rules": {
"authorization_code": {
"supports_minting": ["access_token", "refresh_token", "id_token",],
"max_usage": 1,
},
"access_token": {},
"refresh_token": {
"supports_minting": ["access_token", "refresh_token", "id_token",],
},
},
"expires_in": 43200,
}
},
},
}
server = Server(ASConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]
)
self.endpoint = server.server_get("endpoint", "authorization")
self.session_manager = endpoint_context.session_manager
self.user_id = "diana"
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
self.endpoint.server_get("endpoint_context").keyjar.add_symmetric(
"client_1", "hemligtkodord1234567890"
)