def create_request(self):
self._iss = ISS
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'issuer': self._iss, 'requests_dir': 'requests',
'base_url': 'https://example.com/cli/'
}
service_context = ServiceContext(config=client_config)
service_context.keyjar = CLI_KEY
service_context.behaviour = {
'userinfo_signed_response_alg': 'RS256',
"userinfo_encrypted_response_alg": "RSA-OAEP",
"userinfo_encrypted_response_enc": "A256GCM"
}
db = InMemoryStateDataBase()
auth_response = AuthorizationResponse(code='access_code').to_json()
idtval = {
'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'diana',
'iss': ISS, 'aud': 'client_id'
}
idt = create_jws(idtval)
ver_idt = IdToken().from_jwt(idt, CLI_KEY)
token_response = AccessTokenResponse(
access_token='access_token', id_token=idt,
__verified_id_token=ver_idt).to_json()
db.set('abcde', State(token_response=token_response,
auth_response=auth_response).to_json())
self.service = service_factory('UserInfo', ['oidc'], state_db=db,
service_context=service_context)
def test_access_token_srv_conf():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
db = InMemoryStateDataBase()
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
_state = State(auth_request=auth_request.to_json(),
auth_response=auth_response.to_json())
db.set('state', _state.to_json())
service = service_factory(
'AccessToken', ['oauth2'],
state_db=db,
service_context=service_context,
conf={'default_authn_method': 'client_secret_post'})
req_args = {
'redirect_uri': 'https://example.com/cli/authz_cb',
'code': 'access_code'
}
service.endpoint = 'https://example.com/authorize'
_info = service.get_request_parameters(request_args=req_args,
state='state')
assert _info
msg = AccessTokenRequest().from_urlencoded(
service.get_urlinfo(_info['body']))
assert 'client_secret' in msg
def services():
db = InMemoryStateDataBase()
auth_request = AuthorizationRequest(redirect_uri="http://example.com",
state='ABCDE').to_json()
auth_response = AuthorizationResponse(access_token="token",
state='ABCDE').to_json()
db.set(
'ABCDE',
State(iss='Issuer',
auth_request=auth_request,
auth_response=auth_response).to_json())
return init_services(DEFAULT_SERVICES, get_service_context(), db)
def create_request(self):
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(CLI_KEY, config=client_config)
_db = InMemoryStateDataBase()
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb',
state='state', response_type='code').to_json()
auth_response = AuthorizationResponse(code='access_code').to_json()
_db.set('state', State(auth_response=auth_response,
auth_request=auth_request).to_json())
self.service = service_factory('AccessToken', ['oidc'], state_db=_db,
service_context=service_context)
def __init__(self, base_url='', hash_seed="", keyjar=None, verify_ssl=True,
services=None, service_factory=None, client_configs=None,
client_authn_factory=None, client_cls=None,
state_db=None, http_lib=None, module_dirs=None, **kwargs):
self.base_url = base_url
self.hash_seed = as_bytes(hash_seed)
self.verify_ssl = verify_ssl
self.keyjar = keyjar
if state_db:
self.state_db = state_db
else:
self.state_db = InMemoryStateDataBase()
self.session_interface = StateInterface(self.state_db)
try:
self.jwks_uri = add_path(base_url, kwargs['jwks_path'])
except KeyError:
pass
self.extra = kwargs
self.client_cls = client_cls or oidc.RP
self.services = services
self.service_factory = service_factory or factory
self.client_authn_factory = client_authn_factory
self.client_configs = client_configs
self.module_dirs = module_dirs or ['oidc', 'oauth2']
# keep track on which RP instance that serves with OP
self.issuer2rp = {}
self.hash2issuer = {}
self.httplib = http_lib
def test_authz_service_conf():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {'response_types': ['code']}
}
srv = service_factory(
'Authorization', ['oidc'], state_db=InMemoryStateDataBase(),
service_context=ServiceContext(CLI_KEY, config=client_config),
conf={
'request_args': {
'claims': {
"id_token":
{
"auth_time": {"essential": True},
"acr": {"values": ["urn:mace:incommon:iap:silver"]}
}
}
}
})
req = srv.construct()
assert 'claims' in req
assert set(req['claims'].keys()) == {'id_token'}
def create_client(self):
config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {'response_types': ['code']},
'add_ons': {
"pkce": {
"function": "oidcservice.oidc.add_on.pkce.add_pkce_support",
"kwargs": {
"code_challenge_length": 64,
"code_challenge_method": "S256"
}
}
}
}
_cam = ca_factory
_srvs = DEFAULT_SERVICES
service_context = ServiceContext(CLI_KEY, client_id='client_id',
issuer='https://www.example.org/as',
config=config)
self.service = init_services(_srvs, service_context, InMemoryStateDataBase(), _cam)
if 'add_ons' in config:
do_add_ons(config['add_ons'], self.service)
service_context.service = self.service
def get_service():
service_context = ServiceContext(keyjar=None, config=CLIENT_CONF)
service_context.client_secret = "white boarding pass"
service = service_factory('AccessToken', ['oidc'],
state_db=InMemoryStateDataBase(),
service_context=service_context)
return service
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
db = InMemoryStateDataBase()
auth_response = AuthorizationResponse(code='access_code')
token_response = AccessTokenResponse(access_token='bearer_token',
refresh_token='refresh')
_state = State(auth_response=auth_response.to_json(),
token_response=token_response.to_json())
db.set('abcdef', _state.to_json())
self.service = service_factory('RefreshAccessToken', ['oauth2'],
state_db=db,
service_context=service_context)
self.service.endpoint = 'https://example.com/token'
def create_request(self):
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(CLI_KEY, config=client_config)
service_context.issuer = 'https://example.com'
self.service = service_factory('Authorization', ['oidc'],
state_db=InMemoryStateDataBase(),
service_context=service_context)
def create_request(self):
self._iss = ISS
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'issuer': self._iss, 'requests_dir': 'requests',
'base_url': 'https://example.com/cli/'
}
service_context = ServiceContext(config=client_config)
self.service = service_factory('CheckID', ['oidc'],
state_db=InMemoryStateDataBase(),
service_context=service_context)
def create_request(self):
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'callback': {
'code': 'https://example.com/cli/authz_cb',
'implicit': 'https://example.com/cli/authz_im_cb',
'form_post': 'https://example.com/cli/authz_fp_cb'
}
}
service_context = ServiceContext(CLI_KEY, config=client_config)
self.service = service_factory('Authorization', ['oidc'],
state_db=InMemoryStateDataBase(),
service_context=service_context)
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {
'response_types': ['code']
}
}
service_context = ServiceContext(config=client_config)
self.service = service_factory('Authorization', ['oauth2'],
state_db=InMemoryStateDataBase(),
service_context=service_context)
def __init__(self,
base_url='',
hash_seed="",
keyjar=None,
verify_ssl=True,
services=None,
client_configs=None,
client_authn_factory=None,
client_cls=None,
state_db=None,
http_lib=None,
httpc_params=None,
**kwargs):
self.base_url = base_url
self.hash_seed = as_bytes(hash_seed)
self.keyjar = keyjar
if state_db:
self.state_db = state_db
else:
self.state_db = InMemoryStateDataBase()
self.session_interface = StateInterface(self.state_db)
try:
self.jwks_uri = add_path(base_url, kwargs['jwks_path'])
except KeyError:
self.jwks_uri = ""
self.extra = kwargs
self.client_cls = client_cls or oidc.RP
self.services = services
self.client_authn_factory = client_authn_factory
self.client_configs = client_configs
# keep track on which RP instance that serves with OP
self.issuer2rp = {}
self.hash2issuer = {}
self.httplib = http_lib
if not httpc_params:
self.httpc_params = {'verify': verify_ssl}
else:
self.httpc_params = httpc_params
if not getattr(self.keyjar, 'httpc_params', None):
self.keyjar.httpc_params = self.httpc_params
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'another password'
}
service_context = ServiceContext(config=client_config)
db = InMemoryStateDataBase()
self.service = {
'token':
service_factory("CCAccessToken",
['oauth2/client_credentials', 'oauth2'],
state_db=db,
service_context=service_context),
'refresh_token':
service_factory("CCRefreshAccessToken",
['oauth2/client_credentials', 'oauth2'],
state_db=db,
service_context=service_context)
}
self.service['token'].endpoint = 'https://example.com/token'
self.service['refresh_token'].endpoint = 'https://example.com/token'
def create_client(self):
config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {
'response_types': ['code']
},
'add_ons': {
"pushed_authorization": {
"function": "oidcservice.oidc.add_on.pushed_authorization"
".add_pushed_authorization_support",
"kwargs": {
"body_format": "jws",
"signing_algorthm": "RS256",
"http_client": None,
"merge_rule": "lax"
}
}
}
}
_cam = ca_factory
_srvs = DEFAULT_SERVICES
service_context = ServiceContext(CLI_KEY,
client_id='client_id',
issuer='https://www.example.org/as',
config=config)
self.service = init_services(_srvs, service_context,
InMemoryStateDataBase(), _cam)
if 'add_ons' in config:
do_add_ons(config['add_ons'], self.service)
service_context.service = self.service
service_context.provider_info = {
"pushed_authorization_request_endpoint":
"https://as.example.com/push"
}
def create_service(self):
self._iss = 'https://example.com/as'
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
"client_preferences": {
"application_type": "web",
"application_name": "rphandler",
"contacts": ["*****@*****.**"],
"response_types": ["code"],
"scope": ["openid", "profile", "email", "address", "phone"],
"token_endpoint_auth_method": "client_secret_basic",
},
'redirect_uris': ['https://example.com/cli/authz_cb'],
'issuer': self._iss
}
service_context = ServiceContext(config=client_config)
self.service = service_factory('ProviderInfoDiscovery', ['oauth2'],
state_db=InMemoryStateDataBase(),
service_context=service_context)
self.service.endpoint = '{}/.well-known/openid-configuration'.format(
self._iss)
def service_factory(req_name, module_dirs, **kwargs):
pwd = dirname(__file__)
if pwd not in sys.path:
sys.path.insert(0, pwd)
for dir in module_dirs:
for x in glob(join(pwd, dir, '*.py')):
_mod = basename(x)[:-3]
if not _mod.startswith('__'):
if '/' in dir:
dir = dir.replace('/', '.')
_dir_mod = '{}.{}'.format(dir, basename(x)[:-3])
if _dir_mod not in sys.modules:
__import__(_dir_mod, globals(), locals())
for name, obj in inspect.getmembers(sys.modules[_dir_mod]):
if inspect.isclass(obj) and issubclass(obj, Service):
try:
if obj.__name__ == req_name:
return obj(**kwargs)
except AttributeError:
pass
if __name__ == "__main__":
from oidcservice.state_interface import InMemoryStateDataBase
srv = service_factory('AccessToken', ['oidc'], state_db=InMemoryStateDataBase(),
service_context=None)
print(srv.service_name)
"web",
"application_name":
"rphandler",
"contacts": ["*****@*****.**"],
"response_types": ["code"],
"scope": ["openid", "profile", "email", "address", "phone"],
"token_endpoint_auth_method":
["client_secret_basic", 'client_secret_post'],
},
"redirect_uris": ["{}/authz_cb".format(RP_BASEURL)],
"jwks_uri": "{}/static/jwks.json".format(RP_BASEURL)
})
service = build_services(service_spec,
factory,
state_db=InMemoryStateDataBase(),
service_context=service_context)
service_context.service = service
# ======================== WebFinger ========================
info = service['webfinger'].get_request_parameters(
resource='*****@*****.**')
print(info)
webfinger_response = json.dumps({
"subject":
"acct:[email protected]",
"links": [{
def test_conversation():
service_context = ServiceContext(
RP_KEYJAR, {
"client_preferences": {
"application_type": "web",
"application_name": "rphandler",
"contacts": ["*****@*****.**"],
"response_types": ["code"],
"scope": ["openid", "profile", "email", "address", "phone"],
"token_endpoint_auth_method": "client_secret_basic",
},
"redirect_uris": ["{}/authz_cb".format(RP_BASEURL)],
"jwks_uri": "{}/static/jwks.json".format(RP_BASEURL)
})
service_spec = DEFAULT_SERVICES.copy()
service_spec['WebFinger'] = {'class': WebFinger}
service = init_services(service_spec,
state_db=InMemoryStateDataBase(),
service_context=service_context)
assert set(service.keys()) == {
'accesstoken', 'authorization', 'webfinger', 'registration',
'refresh_token', 'userinfo', 'provider_info'
}
service_context.service = service
# ======================== WebFinger ========================
info = service['webfinger'].get_request_parameters(
request_args={'resource': '*****@*****.**'})
assert info[
'url'] == 'https://example.org/.well-known/webfinger?rel=http' \
'%3A%2F' \
'%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer' \
'&resource' \
'=acct%3Afoobar%40example.org'
webfinger_response = json.dumps({
"subject":
"acct:[email protected]",
"links": [{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://example.org/op"
}],
"expires":
"2018-02-04T11:08:41Z"
})
response = service['webfinger'].parse_response(webfinger_response)
assert isinstance(response, JRD)
assert set(response.keys()) == {'subject', 'links', 'expires'}
assert response['links'] == [
Link(rel='http://openid.net/specs/connect/1.0/issuer',
href='https://example.org/op')
]
service['webfinger'].update_service_context(resp=response)
assert service_context.issuer == OP_BASEURL
# =================== Provider info discovery ====================
info = service['provider_info'].get_request_parameters()
assert info[
'url'] == 'https://example.org/op/.well-known/openid' \
'-configuration'
provider_info_response = json.dumps({
"version":
"3.0",
"token_endpoint_auth_methods_supported": [
"client_secret_post", "client_secret_basic", "client_secret_jwt",
"private_key_jwt"
],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"require_request_uri_registration":
True,
"grant_types_supported": [
"authorization_code", "implicit",
"urn:ietf:params:oauth:grant-type:jwt-bearer", "refresh_token"
],
"response_types_supported": [
"code", "id_token", "id_token token", "code id_token",
"code token", "code id_token token"
],
"response_modes_supported": ["query", "fragment", "form_post"],
"subject_types_supported": ["public", "pairwise"],
"claim_types_supported": ["normal", "aggregated", "distributed"],
"claims_supported": [
"birthdate", "address", "nickname", "picture", "website", "email",
"gender", "sub", "phone_number_verified", "given_name", "profile",
"phone_number", "updated_at", "middle_name", "name", "locale",
"email_verified", "preferred_username", "zoneinfo", "family_name"
],
"scopes_supported": [
"openid", "profile", "email", "address", "phone", "offline_access",
"openid"
],
"userinfo_signing_alg_values_supported": [
"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256",
"HS384", "HS512", "PS256", "PS384", "PS512", "none"
],
"id_token_signing_alg_values_supported": [
"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256",
"HS384", "HS512", "PS256", "PS384", "PS512", "none"
],
"request_object_signing_alg_values_supported": [
"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256",
"HS384", "HS512", "PS256", "PS384", "PS512", "none"
],
"token_endpoint_auth_signing_alg_values_supported": [
"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256",
"HS384", "HS512", "PS256", "PS384", "PS512"
],
"userinfo_encryption_alg_values_supported": [
"RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW",
"ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"
],
"id_token_encryption_alg_values_supported": [
"RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW",
"ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"
],
"request_object_encryption_alg_values_supported": [
"RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW",
"ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"
],
"userinfo_encryption_enc_values_supported": [
"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM",
"A192GCM", "A256GCM"
],
"id_token_encryption_enc_values_supported": [
"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM",
"A192GCM", "A256GCM"
],
"request_object_encryption_enc_values_supported": [
"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM",
"A192GCM", "A256GCM"
],
"acr_values_supported": ["PASSWORD"],
"issuer":
OP_BASEURL,
"jwks_uri":
"{}/static/jwks_tE2iLbOAqXhe8bqh.json".format(OP_BASEURL),
"authorization_endpoint":
"{}/authorization".format(OP_BASEURL),
"token_endpoint":
"{}/token".format(OP_BASEURL),
"userinfo_endpoint":
"{}/userinfo".format(OP_BASEURL),
"registration_endpoint":
"{}/registration".format(OP_BASEURL),
"end_session_endpoint":
"{}/end_session".format(OP_BASEURL)
})
resp = service['provider_info'].parse_response(provider_info_response)
assert isinstance(resp, ProviderConfigurationResponse)
service['provider_info'].update_service_context(resp)
assert service_context.provider_info['issuer'] == OP_BASEURL
assert service_context.provider_info[
'authorization_endpoint'] == \
'https://example.org/op/authorization'
assert service_context.provider_info[
'registration_endpoint'] == 'https://example.org/op/registration'
# =================== Client registration ====================
info = service['registration'].get_request_parameters()
assert info['url'] == 'https://example.org/op/registration'
_body = json.loads(info['body'])
assert _body == {
"application_type": "web",
"response_types": ["code"],
"contacts": ["*****@*****.**"],
"jwks_uri": "https://example.com/rp/static/jwks.json",
"redirect_uris": ["{}/authz_cb".format(RP_BASEURL)],
'token_endpoint_auth_method': 'client_secret_basic',
"grant_types": ["authorization_code"]
}
assert info['headers'] == {'Content-Type': 'application/json'}
now = int(time.time())
op_client_registration_response = json.dumps({
"client_id":
"zls2qhN1jO6A",
"client_secret":
"c8434f28cf9375d9a7",
"registration_access_token":
"NdGrGR7LCuzNtixvBFnDphGXv7wRcONn",
"registration_client_uri":
"{}/registration?client_id=zls2qhN1jO6A".format(RP_BASEURL),
"client_secret_expires_at":
now + 3600,
"client_id_issued_at":
now,
"application_type":
"web",
"response_types": ["code"],
"contacts": ["*****@*****.**"],
"redirect_uris": ["{}/authz_cb".format(RP_BASEURL)],
"token_endpoint_auth_method":
"client_secret_basic",
"grant_types": ["authorization_code"]
})
response = service['registration'].parse_response(
op_client_registration_response)
service['registration'].update_service_context(response)
assert service_context.client_id == 'zls2qhN1jO6A'
assert service_context.client_secret == 'c8434f28cf9375d9a7'
assert isinstance(service_context.registration_response,
RegistrationResponse)
assert set(service_context.registration_response.keys()) == {
'client_secret_expires_at', 'contacts', 'client_id',
'token_endpoint_auth_method', 'redirect_uris', 'response_types',
'client_id_issued_at', 'client_secret', 'application_type',
'registration_client_uri', 'registration_access_token', 'grant_types'
}
# =================== Authorization ====================
STATE = 'Oh3w3gKlvoM2ehFqlxI3HIK5'
NONCE = 'UvudLKz287YByZdsY3AJoPAlEXQkJ0dK'
info = service['authorization'].get_request_parameters(request_args={
'state': STATE,
'nonce': NONCE
})
p = urlparse(info['url'])
_query = parse_qs(p.query)
assert set(_query.keys()) == {
'state', 'nonce', 'response_type', 'scope', 'client_id', 'redirect_uri'
}
assert _query['scope'] == ['openid']
assert _query['nonce'] == [NONCE]
assert _query['state'] == [STATE]
op_authz_resp = {
'state': STATE,
'scope': 'openid',
'code': 'Z0FBQUFBQmFkdFFjUVpFWE81SHU5N1N4N01',
'iss': OP_BASEURL,
'client_id': 'zls2qhN1jO6A'
}
_authz_rep = AuthorizationResponse(**op_authz_resp)
_resp = service['authorization'].parse_response(_authz_rep.to_urlencoded())
service['authorization'].update_service_context(_resp, key=STATE)
_item = service['authorization'].get_item(AuthorizationResponse,
'auth_response', STATE)
assert _item['code'] == 'Z0FBQUFBQmFkdFFjUVpFWE81SHU5N1N4N01'
# =================== Access token ====================
request_args = {
'state': STATE,
'redirect_uri': service_context.redirect_uris[0]
}
info = service['accesstoken'].get_request_parameters(
request_args=request_args)
assert info['url'] == 'https://example.org/op/token'
_qp = parse_qs(info['body'])
assert _qp == {
'grant_type': ['authorization_code'],
'redirect_uri': ['https://example.com/rp/authz_cb'],
'client_id': ['zls2qhN1jO6A'],
'state': ['Oh3w3gKlvoM2ehFqlxI3HIK5'],
'code': ['Z0FBQUFBQmFkdFFjUVpFWE81SHU5N1N4N01']
}
assert info['headers'] == {
'Authorization': 'Basic '
'emxzMnFoTjFqTzZBOmM4NDM0ZjI4Y2Y5Mzc1ZDlhNw==',
'Content-Type': 'application/x-www-form-urlencoded'
}
# create the IdToken
_jwt = JWT(OP_KEYJAR,
OP_BASEURL,
lifetime=3600,
sign=True,
sign_alg='RS256')
payload = {
'sub': '1b2fc9341a16ae4e30082965d537',
'acr': 'PASSWORD',
'auth_time': 1517736988,
'nonce': NONCE
}
_jws = _jwt.pack(payload=payload, recv='zls2qhN1jO6A')
_resp = {
"state": "Oh3w3gKlvoM2ehFqlxI3HIK5",
"scope": "openid",
"access_token": "Z0FBQUFBQmFkdFF",
"token_type": "Bearer",
'expires_in': 600,
"id_token": _jws
}
service_context.issuer = OP_BASEURL
_resp = service['accesstoken'].parse_response(json.dumps(_resp),
state=STATE)
assert isinstance(_resp, AccessTokenResponse)
assert set(_resp['__verified_id_token'].keys()) == {
'iss', 'nonce', 'acr', 'auth_time', 'aud', 'iat', 'exp', 'sub'
}
service['accesstoken'].update_service_context(_resp, key=STATE)
_item = service['authorization'].get_item(AccessTokenResponse,
'token_response', STATE)
assert set(_item.keys()) == {
'state', 'scope', 'access_token', 'token_type', 'id_token',
'__verified_id_token', 'expires_in', '__expires_at'
}
assert _item['token_type'] == 'Bearer'
assert _item['access_token'] == 'Z0FBQUFBQmFkdFF'
# =================== User info ====================
info = service['userinfo'].get_request_parameters(state=STATE)
assert info['url'] == 'https://example.org/op/userinfo'
assert info['headers'] == {'Authorization': 'Bearer Z0FBQUFBQmFkdFF'}
op_resp = {"sub": "1b2fc9341a16ae4e30082965d537"}
_resp = service['userinfo'].parse_response(json.dumps(op_resp),
state=STATE)
service['userinfo'].update_service_context(_resp, key=STATE)
assert isinstance(_resp, OpenIDSchema)
assert _resp.to_dict() == {'sub': '1b2fc9341a16ae4e30082965d537'}
_item = service['authorization'].get_item(OpenIDSchema, 'user_info', STATE)
assert _item.to_dict() == {'sub': '1b2fc9341a16ae4e30082965d537'}
def test_service():
req = Service(state_db=InMemoryStateDataBase(),
service_context=ServiceContext(None),
client_authn_method=None)
assert isinstance(req, Service)
def create_service(self):
service_context = ServiceContext(None)
self.service = Service(service_context,
state_db=InMemoryStateDataBase(),
client_authn_method=None)
def create_service(self):
service_context = ServiceContext(client_id='client_id',
issuer='https://www.example.org/as')
db = InMemoryStateDataBase()
db.set('state', State(iss='Issuer').to_json())
self.service = DummyService(service_context, state_db=db)
def __init__(self,
base_url,
client_configs=None,
services=None,
keyjar=None,
hash_seed="",
verify_ssl=True,
client_authn_factory=None,
client_cls=None,
state_db=None,
http_lib=None,
httpc_params=None,
**kwargs):
self.base_url = base_url
if hash_seed:
self.hash_seed = as_bytes(hash_seed)
else:
self.hash_seed = as_bytes(rndstr(32))
_jwks_path = kwargs.get('jwks_path')
if keyjar is None:
self.keyjar = init_key_jar(**DEFAULT_RP_KEY_DEFS, issuer_id='')
self.keyjar.import_jwks_as_json(
self.keyjar.export_jwks_as_json(True, ''), base_url)
if _jwks_path is None:
_jwks_path = DEFAULT_RP_KEY_DEFS['public_path']
else:
self.keyjar = keyjar
if _jwks_path:
self.jwks_uri = add_path(base_url, _jwks_path)
else:
self.jwks_uri = ""
if len(self.keyjar):
self.jwks = self.keyjar.export_jwks()
else:
self.jwks = {}
if state_db:
self.state_db = state_db
else:
self.state_db = InMemoryStateDataBase()
# self.session_interface = StateInterface(self.state_db)
self.extra = kwargs
self.client_cls = client_cls or oidc.RP
if services is None:
self.services = DEFAULT_SEVICES
else:
self.services = services
self.client_authn_factory = client_authn_factory
if client_configs is None:
self.client_configs = DEFAULT_CLIENT_CONFIGS
else:
self.client_configs = client_configs
# keep track on which RP instance that serves with OP
self.issuer2rp = {}
self.hash2issuer = {}
self.httplib = http_lib
if not httpc_params:
self.httpc_params = {'verify': verify_ssl}
else:
self.httpc_params = httpc_params
if not self.keyjar.httpc_params:
self.keyjar.httpc_params = self.httpc_params
