def test_client_claims_scopes_and_request_claims_no_match(self):
session_id = self._create_session(AREQRC)
grant = self.session_manager[session_id]
self.session_manager.token_handler["id_token"].kwargs[
"add_claims_by_scope"] = True
_claims = self.endpoint_context.claims_interface.get_claims(
session_id=session_id,
scopes=AREQRC["scope"],
claims_release_point="id_token")
grant.claims = {"id_token": _claims}
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
# User information, from scopes -> claims
assert "address" in res
assert "email" in res
# User info, requested by claims parameter
assert "nickname" in res
def test_client_claims_scopes_and_request_claims_one_match(self):
_req = AREQS.copy()
_req["claims"] = {
"id_token": {
"email": {
"value": "*****@*****.**"
}
}
}
session_id = self._create_session(_req)
grant = self.session_manager[session_id]
self.session_manager.token_handler["id_token"].kwargs[
"add_claims_by_scope"] = True
_claims = self.endpoint_context.claims_interface.get_claims(
session_id=session_id,
scopes=_req["scope"],
claims_release_point="id_token")
grant.claims = {"id_token": _claims}
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
# Email didn't match
assert "email" not in res
# Scope -> claims
assert "address" in res
def test_eval_chains():
target = 'https://foodle.uninett.no'
collector = DummyCollector(trusted_roots=ANCHOR,
httpd=Publisher(
os.path.join(BASE_PATH, 'base_data')),
root_dir=os.path.join(BASE_PATH, 'base_data'))
entity_statement = collector.get_entity_statement(target,
issuer=target,
subject=target)
_config = verify_self_signed_signature(entity_statement)
assert _config
tree = collector.collect_superiors(_config['iss'], entity_statement)
_node = {target: (entity_statement, tree)}
chains = branch2lists(_node)
key_jar = KeyJar()
key_jar.import_jwks_as_json(jwks, 'https://feide.no')
statements = [
eval_chain(c, key_jar, 'openid_relying_party') for c in chains
]
assert len(statements) == 1
statement = statements[0]
assert statement.fo == "https://feide.no"
assert set(statement.metadata.keys()) == {
'response_types', 'claims', 'contacts', 'application_type',
'redirect_uris', 'id_token_signing_alg_values_supported', 'jwks_uri'
}
def test_client_claims(self):
session_id = self._create_session(AREQ)
grant = self.session_manager[session_id]
self.session_manager.token_handler["id_token"].kwargs[
"enable_claims_per_client"] = True
self.endpoint_context.cdb["client_1"]["id_token_claims"] = {
"address": None
}
_claims = self.endpoint_context.claims_interface.get_claims(
session_id=session_id,
scopes=AREQ["scope"],
claims_release_point="id_token")
grant.claims = {"id_token": _claims}
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
assert "address" in res
assert "nickname" not in res
class Challenger(object):
def __init__(self, kb: KeyBundle, issuer: str, lifetime: int) -> None:
self.logger = logging.getLogger(__name__).getChild(
self.__class__.__name__)
self.issuer = issuer
self.kj = KeyJar()
self.kj.add_kb(self.issuer, kb)
sign_alg = None
enc_alg = None
enc_enc = None
kid = None
for key in self.kj.get(key_use="enc", issuer_id=issuer):
kid = key.kid
if key.kty == "oct":
sign_alg = "HS256"
enc_alg = None
enc_enc = None
break
elif key.kty == "EC":
sign_alg = "ES256"
enc_alg = "ECDH-ES"
enc_enc = "A128GCM"
break
elif key.kty == "RSA":
sign_alg = "RS256"
enc_alg = "RSA1_5"
enc_enc = "A128GCM"
break
if kid is None:
raise Exception("No challenge key found")
sign = sign_alg is not None
encrypt = enc_alg is not None
self.logger.info("Using challenge key kid=%s sign=%s encrypt=%s", kid,
sign, encrypt)
self.jwt = JWT(
key_jar=self.kj,
iss=self.issuer,
lifetime=lifetime,
sign=sign,
sign_alg=sign_alg,
encrypt=encrypt,
enc_alg=enc_alg,
enc_enc=enc_enc,
)
def issue_bytes(self, payload: dict) -> bytes:
"""Issue token challenge"""
return str(self.jwt.pack(payload=payload, recv=self.issuer)).encode()
def verify_bytes(self, challenge: bytes) -> dict:
"""Verify challenge and return payload"""
token = challenge.decode()
payload = self.jwt.unpack(token)
now = time.time()
if "nbf" in payload and now < int(payload.get("nbf")):
raise BadSignature("Token not yet valid (t < nbf)")
if "exp" in payload and now >= int(payload.get("exp")):
raise BadSignature("Token expired (t >= exp)")
return dict(payload)
def fetch_entity(fetch_endpoint, iss, sub, iss_entity_statement):
_response = requests.request("GET", fetch_endpoint, verify=False,
params={'iss': iss, 'sub': sub})
_jws = factory(_response.text)
_key_jar = KeyJar()
_key_jar.import_jwks(iss_entity_statement['jwks'], iss)
_keys = _key_jar.get_jwt_verify_keys(_jws.jwt)
_res = _jws.verify_compact(keys=_keys)
return _res
def get_self_signed_entity_statement(entity_id):
_url = entity_id + "/.well-known/openid-federation"
_response = requests.request("GET", _url, verify=False)
_jws = factory(_response.text)
_payload = _jws.jwt.payload()
entity_statement = EntityStatement(**_payload)
_key_jar = KeyJar()
# verify entity_statement["iss"]
_key_jar.import_jwks(entity_statement['jwks'], entity_id)
_keys = _key_jar.get_jwt_verify_keys(_jws.jwt)
_res = _jws.verify_compact(keys=_keys)
return _res
def test_no_available_claims(self):
session_id = self._create_session(AREQ)
grant = self.session_manager[session_id]
grant.claims = {"id_token": {"foobar": None}}
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
assert "foobar" not in res
def test_lifetime_default(self):
session_id = self._create_session(AREQ)
grant = self.session_manager[session_id]
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
assert res["exp"] - res["iat"] == LIFETIME
def create_endpoint_context(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": ["query", "fragment", "form_post"],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
}
},
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
"authentication": {
"anon": {"acr": UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "******"},},
},
"cookie_handler": {
"class": "oidcop.cookie_handler.CookieHandler",
"kwargs": {
"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]
)
self.endpoint = server.server_get("endpoint", "authorization")
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
def _keyjar(self, keyjar=None, db_conf=None, conf=None, entity_id=''):
if keyjar is None:
_storage = None
if db_conf:
_cnf = get_storage_conf(db_conf, 'keyjar')
if _cnf:
_storage = storage_factory(_cnf)
if 'keys' in conf:
args = {k: v for k, v in conf["keys"].items() if k != "uri_path"}
args.update({'storage': _storage})
_keyjar = init_key_jar(**args)
else:
_keyjar = KeyJar(storage=_storage)
if 'jwks' in conf:
_keyjar.import_jwks(conf['jwks'], '')
if '' in _keyjar and entity_id:
# make sure I have the keys under my own name too (if I know it)
_keyjar.import_jwks_as_json(_keyjar.export_jwks_as_json(True, ''), entity_id)
_httpc_params = conf.get('httpc_params')
if _httpc_params:
_keyjar.httpc_params = _httpc_params
return _keyjar
else:
return keyjar
def _keyjar(self, keyjar=None, conf=None, entity_id=""):
if keyjar is None:
if "keys" in conf:
keys_args = {
k: v
for k, v in conf["keys"].items() if k != "uri_path"
}
_keyjar = init_key_jar(**keys_args)
elif "key_conf" in conf:
keys_args = {
k: v
for k, v in conf["key_conf"].items() if k != "uri_path"
}
_keyjar = init_key_jar(**keys_args)
else:
_keyjar = KeyJar()
if "jwks" in conf:
_keyjar.import_jwks(conf["jwks"], "")
if "" in _keyjar and entity_id:
# make sure I have the keys under my own name too (if I know it)
_keyjar.import_jwks_as_json(
_keyjar.export_jwks_as_json(True, ""), entity_id)
_httpc_params = conf.get("httpc_params")
if _httpc_params:
_keyjar.httpc_params = _httpc_params
return _keyjar
else:
return keyjar
def verify_self_signed_signature(config):
"""
Verify signature. Will raise exception if signature verification fails.
:param config: Signed JWT
:return: Payload of the signed JWT
"""
payload = unverified_entity_statement(config)
keyjar = KeyJar()
keyjar.import_jwks(payload['jwks'], payload['iss'])
_jwt = JWT(key_jar=keyjar)
_val = _jwt.unpack(config)
return _val
def test_sign_encrypt_id_token(self):
session_id = self._create_session(AREQ)
grant = self.session_manager[session_id]
id_token = self._mint_id_token(grant, session_id)
_jws = factory(id_token.value)
assert _jws.jwt.headers["alg"] == "RS256"
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
assert isinstance(res, dict)
assert res["aud"] == ["client_1"]
def key_setup():
# Copy dynamically created files to there places in the base_data information tree.
key_jar = KeyJar()
key_jar.import_jwks_from_file(os.path.join(dir_path, "flask_op/static/fed_keys.json"), "")
_jwks = key_jar.export_jwks_as_json(issuer="")
with open('base_data/umu.se/https%3A%2F%2F127.0.0.1%3A5000/jwks.json', "w") as fp:
fp.write(_jwks)
for _key_file, _port in [(os.path.join(dir_path, "flask_rp/static/fed_keys.json"), 4000),
(os.path.join(dir_path, "flask_rp/static/fed_keys_auto.json"), 4001)]:
if os.path.isfile(_key_file):
key_jar = KeyJar()
key_jar.import_jwks_from_file(_key_file, "")
_jwks = key_jar.export_jwks_as_json(issuer="")
_file = 'base_data/lu.se/https%3A%2F%2F127.0.0.1%3A{}/jwks.json'.format(_port)
with open(_file, "w") as fp:
fp.write(_jwks)
def init_oidc_rp_handler(app):
_rp_conf = app.config
if _rp_conf.get('rp_keys'):
_kj = init_key_jar(**_rp_conf['rp_keys'])
_path = _rp_conf['rp_keys']['public_path']
# removes ./ and / from the begin of the string
_path = re.sub('^(.)/', '', _path)
else:
_kj = KeyJar()
_path = ''
_kj.httpc_params = _rp_conf['httpc_params']
hash_seed = app.config.get('hash_seed', "BabyHoldOn")
rph = RPHandler(_rp_conf['base_url'], _rp_conf['clients'], services=_rp_conf['services'],
hash_seed=hash_seed, keyjar=_kj, jwks_path=_path,
httpc_params=_rp_conf['httpc_params']) #, verify_ssl=False)
return rph
def __init__(self, iss, entity_id_pattern):
self.iss = iss
self.keyjar = KeyJar()
self.entity_id_pattern = entity_id_pattern
self.url_prefix = ''
self.fe_base_path = ""
self.auth_base_path = ""
self.conf = None
self.federation_fetch_endpoint = ""
def init_oidc_rp_handler(app):
_rp_conf = app.rp_config
if _rp_conf.rp_keys:
_kj = init_key_jar(**_rp_conf.rp_keys)
_path = _rp_conf.rp_keys['public_path']
# removes ./ and / from the begin of the string
_path = re.sub('^(.)/', '', _path)
else:
_kj = KeyJar()
_path = ''
_kj.httpc_params = _rp_conf.httpc_params
rph = RPHandler(_rp_conf.base_url, _rp_conf.clients, services=_rp_conf.services,
hash_seed=_rp_conf.hash_seed, keyjar=_kj, jwks_path=_path,
httpc_params=_rp_conf.httpc_params)
return rph
def __init__(self, kb: KeyBundle, issuer: str, lifetime: int) -> None:
self.logger = logging.getLogger(__name__).getChild(
self.__class__.__name__)
self.issuer = issuer
self.kj = KeyJar()
self.kj.add_kb(self.issuer, kb)
sign_alg = None
enc_alg = None
enc_enc = None
kid = None
for key in self.kj.get(key_use="enc", issuer_id=issuer):
kid = key.kid
if key.kty == "oct":
sign_alg = "HS256"
enc_alg = None
enc_enc = None
break
elif key.kty == "EC":
sign_alg = "ES256"
enc_alg = "ECDH-ES"
enc_enc = "A128GCM"
break
elif key.kty == "RSA":
sign_alg = "RS256"
enc_alg = "RSA1_5"
enc_enc = "A128GCM"
break
if kid is None:
raise Exception("No challenge key found")
sign = sign_alg is not None
encrypt = enc_alg is not None
self.logger.info("Using challenge key kid=%s sign=%s encrypt=%s", kid,
sign, encrypt)
self.jwt = JWT(
key_jar=self.kj,
iss=self.issuer,
lifetime=lifetime,
sign=sign,
sign_alg=sign_alg,
encrypt=encrypt,
enc_alg=enc_alg,
enc_enc=enc_enc,
)
def test_client_claims_with_default(self):
session_id = self._create_session(AREQ)
grant = self.session_manager[session_id]
_claims = self.endpoint_context.claims_interface.get_claims(
session_id=session_id,
scopes=AREQ["scope"],
claims_release_point="id_token")
grant.claims = {"id_token": _claims}
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
# No user info claims should be there
assert "address" not in res
assert "nickname" not in res
def key_jar_from_config(config: dict) -> KeyJar:
"""Get key jar from dict by issuer"""
kj = KeyJar()
logger = logging.getLogger(__name__).getChild("key_jar_from_config")
for (issuer, v) in config.items():
if "jwks_url" in v:
url = v.get("jwks_url")
logger.info("Reading keys for issuer %s from %s", issuer, url)
kj.add_url(issuer, url)
elif "jwks_path" in v:
filename = v.get("jwks_path")
logger.info("Reading keys for issuer %s from %s", issuer, filename)
kj.import_jwks_from_file(filename, issuer)
else:
logger.warning("No keys defined for issuer %s", issuer)
return kj
def create(iss, sub, domain, root_dir):
kj = KeyJar()
iss_id = "https://{}".format(iss)
iss_jwks_file = os.path.join(root_dir, iss, "{}.jwks.json".format(iss))
kj.import_jwks_as_json(open(iss_jwks_file).read(), iss_id)
sub_id = "https://{}".format(sub)
sub_jwks_file = os.path.join(root_dir, iss, "{}.jwks.json".format(sub))
kj.import_jwks_as_json(open(sub_jwks_file).read(), sub_id)
metadata_file = os.path.join(root_dir, iss, "{}.metadata.json".format(sub))
if os.path.isfile(metadata_file):
metadata = json.loads(open(metadata_file).read())
else:
metadata = None
if metadata:
for typ, conf in metadata.items():
for key, val in conf.items():
if '<DOMAIN>' in val:
metadata[typ][key] = val.replace('<DOMAIN>', domain)
policy_file = os.path.join(root_dir, iss, "{}.policy.json".format(sub))
if os.path.isfile(policy_file):
policy = json.loads(open(policy_file).read())
else:
policy = None
authority_file = os.path.join(root_dir, iss, "{}.authority.json".format(sub))
if os.path.isfile(authority_file):
_auth = json.loads(open(authority_file).read())
for key, vals in _auth.items():
if '<DOMAIN>' in key:
_key = key.replace('<DOMAIN>', domain)
_vals = [v.replace('<DOMAIN>', domain) for v in vals]
del _auth[key]
_auth[_key] = _vals
_jwt = create_entity_statement(iss_id, sub_id, kj, metadata, policy, _auth)
else:
_jwt = create_entity_statement(iss_id, sub_id, kj, metadata, policy)
return _jwt
class TestEndpoint(object):
@pytest.fixture(autouse=True)
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"capabilities": CAPABILITIES,
"jwks": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"id_token": {
"class": IDToken,
"kwargs": {
"default_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"request_cls":
JWTSecuredAuthorizationRequest,
},
}
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcendpoint.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"userinfo": {
"class": UserInfo,
"kwargs": {
"db": USERINFO_db
}
},
"template_dir": "template",
"cookie_dealer": {
"class": CookieDealer,
"kwargs": {
"sign_key":
"ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"default_values": {
"name": "oidcop",
"domain": "127.0.0.1",
"path": "/",
"max_age": 3600,
},
},
},
}
endpoint_context = EndpointContext(conf)
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.endpoint = endpoint_context.endpoint["authorization"]
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
self.endpoint.endpoint_context.keyjar.add_symmetric(
"client_1", "hemligtkodord1234567890")
def test_parse_request_parameter(self):
_jwt = JWT(key_jar=self.rp_keyjar, iss="client_1", sign_alg="HS256")
_jws = _jwt.pack(
AUTH_REQ_DICT,
aud=self.endpoint.endpoint_context.provider_info["issuer"])
# -----------------
_req = self.endpoint.parse_request({
"request":
_jws,
"redirect_uri":
AUTH_REQ.get("redirect_uri"),
"response_type":
AUTH_REQ.get("response_type"),
"client_id":
AUTH_REQ.get("client_id"),
"scope":
AUTH_REQ.get("scope"),
})
assert "__verified_request" in _req
def test_parse_request_uri(self):
_jwt = JWT(key_jar=self.rp_keyjar, iss="client_1", sign_alg="HS256")
_jws = _jwt.pack(
AUTH_REQ_DICT,
aud=self.endpoint.endpoint_context.provider_info["issuer"])
request_uri = "https://client.example.com/req"
# -----------------
with responses.RequestsMock() as rsps:
rsps.add("GET", request_uri, body=_jws, status=200)
_req = self.endpoint.parse_request({
"request_uri":
request_uri,
"redirect_uri":
AUTH_REQ.get("redirect_uri"),
"response_type":
AUTH_REQ.get("response_type"),
"client_id":
AUTH_REQ.get("client_id"),
"scope":
AUTH_REQ.get("scope"),
})
assert "__verified_request" in _req
app.register_blueprint(sigserv_views)
# Initialize the oidc_provider after views to be able to set correct urls
app.signing_service = init_sign_service(app)
return app
if __name__ == "__main__":
domain = '127.0.0.1'
op_port = 5000
rp_spec = [("../flask_rp/static/fed_keys.json", 4000),
("../flask_rp/static/fed_keys_auto.json", 4001)]
# Copy dynamically created files to there places in the base_data information tree.
key_jar = KeyJar()
key_jar.import_jwks_from_file("../flask_op/static/fed_keys.json", "")
_jwks = key_jar.export_jwks_as_json(issuer_id="")
with open(
'base_data/umu.se/https%3A%2F%2F{}%3A{}/jwks.json'.format(
domain, op_port), "w") as fp:
fp.write(_jwks)
for _key_file, _port in rp_spec:
if os.path.isfile(_key_file):
key_jar = KeyJar()
key_jar.import_jwks_from_file(_key_file, "")
_jwks = key_jar.export_jwks_as_json(issuer_id="")
_file = 'base_data/lu.se/https%3A%2F%2F{}%3A{}%2Flocal/jwks.json'.format(
domain, _port)
with open(_file, "w") as fp:
def get_issuer_keyjar(jwks, issuer: str):
key_jar = KeyJar()
# "" means default, you can always point to a issuer identifier
key_jar.import_jwks(jwks, issuer_id=issuer)
return key_jar
def test_collect():
jwks = open(
os.path.join(BASE_PATH, 'base_data', 'feide.no', 'feide.no',
'jwks.json')).read()
ANCHOR = {'https://feide.no': json.loads(jwks)}
KEYJAR = KeyJar()
KEYJAR.import_jwks_as_json(jwks, 'https://feide.no')
chain = []
_collector = Collector(trust_anchors=ANCHOR)
subject = "foodle.uninett.no"
with responses.RequestsMock() as rsps:
_msg = open(
os.path.join(BASE_PATH, 'base_data', subject, subject,
'jws')).read()
rsps.add(rsps.GET,
"https://foodle.uninett.no/.well-known/openid-federation",
body=_msg)
# Get the self-signed entity statement from a leaf
_self_signed = _collector.get_configuration_information(
"https://foodle.uninett.no")
chain.append(_self_signed)
_statement = verify_self_signed_signature(_self_signed)
assert _statement
authority = ""
while authority not in _collector.trusted_anchors:
authority = _statement['authority_hints'][0]
netloc = authority[8:]
with responses.RequestsMock() as rsps:
_msg = open(
os.path.join(BASE_PATH, 'base_data', netloc, netloc,
"jws")).read()
_url = "https://{}/.well-known/openid-federation".format(netloc)
rsps.add(rsps.GET, _url, body=_msg)
# Get the self-signed entity statement from a leaf
_self_signed = _collector.get_configuration_information(authority)
_statement = verify_self_signed_signature(_self_signed)
assert _statement
_api_endpoint = _statement['metadata']['federation_entity'][
'federation_api_endpoint']
with responses.RequestsMock() as rsps:
_msg = open(
os.path.join(BASE_PATH, 'base_data', netloc, subject,
"jws")).read()
_url = construct_entity_statement_query(
_api_endpoint, authority, "https://{}".format(subject))
rsps.add(rsps.GET, _url, body=_msg)
# Get the self-signed entity statement from a leaf
_signed_statement = _collector.get_entity_statement(
_api_endpoint, authority, "https://{}".format(subject))
chain.append(_signed_statement)
_jwt = factory(_signed_statement)
_statement = _jwt.jwt.payload()
subject = _statement['iss'][8:]
# Now I have the chain should be 3 items in it
assert len(chain) == 3
# verify the trust chain
chain.reverse()
verified_chain = verify_trust_chain(chain, KEYJAR)
# The result is the verified statements
assert len(verified_chain) == 3
# Check that the constraints are met
assert meets_restrictions(verified_chain)
def __init__(self) -> None:
super().__init__()
self.trusted_keyjar: KeyJar = KeyJar()
self.trusted_algs: Set[str] = set(TRUSTED_ALGS)
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"capabilities": CAPABILITIES,
"jwks": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"id_token": {
"class": IDToken,
"kwargs": {
"default_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"request_cls":
JWTSecuredAuthorizationRequest,
},
}
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcendpoint.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"userinfo": {
"class": UserInfo,
"kwargs": {
"db": USERINFO_db
}
},
"template_dir": "template",
"cookie_dealer": {
"class": CookieDealer,
"kwargs": {
"sign_key":
"ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"default_values": {
"name": "oidcop",
"domain": "127.0.0.1",
"path": "/",
"max_age": 3600,
},
},
},
}
endpoint_context = EndpointContext(conf)
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.endpoint = endpoint_context.endpoint["authorization"]
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
self.endpoint.endpoint_context.keyjar.add_symmetric(
"client_1", "hemligtkodord1234567890")
def __init__(self, iss, entity_id_pattern):
self.iss = iss
self.keyjar = KeyJar()
self.entity_id_pattern = entity_id_pattern
self.url_prefix = ''
self.base_path = ""
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported":
["query", "fragment", "form_post"],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
"request_cls":
JWTSecuredAuthorizationRequest,
},
}
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"userinfo": {
"class": UserInfo,
"kwargs": {
"db": USERINFO_db
}
},
"template_dir": "template",
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"sign_key":
"ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
}
server = Server(ASConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"])
self.endpoint = server.server_get("endpoint", "authorization")
self.session_manager = endpoint_context.session_manager
self.user_id = "diana"
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
endpoint_context.keyjar.add_symmetric("client_1",
"hemligtkodord1234567890")