# In-Memory non-persistent SessionDB issuing DefaultTokens sessionDB = create_session_db(config.ISSUER, secret=rndstr(32), password=rndstr(32)) provider = Provider( name=config.ISSUER, # name sdb=sessionDB, # session database. cdb=clientDB, # client database authn_broker=authnBroker, # authn broker userinfo=None, # user information authz=authz, # authz client_authn=verify_client, # client authentication symkey=config.SYM_KEY, # Used for Symmetric key authentication # urlmap = None, # ? # keyjar = None, # ? # hostname = "", # ? template_renderer=mako_renderer, # Rendering custom templates # verify_ssl = True, # Enable SSL certs # capabilities = None, # ? # schema = OpenIDSchema, # ? # jwks_uri = '', # ? # jwks_name = '', # ? baseurl=config.ISSUER, # client_cert = None # ? ) # SessionDB: # This is database where the provider keeps information about # the authenticated/authorised users. It includes information # such as "what has been asked for (claims, scopes, and etc. )"
# In-Memory SessionDB issuing DefaultTokens sdb = create_session_db(config.baseurl, secret=rndstr(32), password=rndstr(32)) if args.test: URLS.append((r'tracelog', trace_log)) OAS = TestProvider(config.issuer, sdb, cdb, ac, None, authz, config.SYM_KEY) elif args.XpressConnect: from XpressConnect import XpressConnectProvider OAS = XpressConnectProvider(config.issuer, sdb, cdb, ac, None, authz, verify_client, config.SYM_KEY) else: OAS = Provider(config.issuer, sdb, cdb, ac, None, authz, verify_client, config.SYM_KEY, **kwargs) try: OAS.cookie_ttl = config.COOKIETTL except AttributeError: pass try: OAS.cookie_name = config.COOKIENAME except AttributeError: pass #print URLS if args.debug: OAS.debug = True if args.test:
sessionDB = create_session_db(config.ISSUER, secret=rndstr(32), password=rndstr(32)) provider = Provider( name=config.ISSUER, # name sdb=sessionDB, # session database. cdb=clientDB, # client database authn_broker=authnBroker, # authn broker userinfo=None, # user information authz=authz, # authz client_authn=verify_client, # client authentication symkey=config.SYM_KEY, # Used for Symmetric key authentication # urlmap = None, # ? # ca_certs = "", # ? # keyjar = None, # ? # hostname = "", # ? template_lookup=lookup, # ? template={"form_post": "form_response.mako"}, # ? # verify_ssl = True, # ? # capabilities = None, # ? # schema = OpenIDSchema, # ? # jwks_uri = '', # ? # jwks_name = '', # ? baseurl=config.ISSUER, # client_cert = None # ? ) # SessionDB: # This is database where the provider keeps information about # the authenticated/authorised users. It includes information
URLMAP = {CLIENT_ID: ["https://example.com/authz"]} PASSWD = {"user": "******"} ROOT = '../oc3/' tl = TemplateLookup(directories=[ROOT + 'templates', ROOT + 'htdocs'], module_directory=ROOT + 'modules', input_encoding='utf-8', output_encoding='utf-8') AUTHN_BROKER = AuthnBroker() AUTHN_BROKER.add( "1", UsernamePasswordMako(None, "login.mako", tl, PASSWD, "authenticated")) # dealing with authorization AUTHZ = AuthzHandling() SYMKEY = "symmetric key used to encrypt cookie info" USERINFO = UserInfo(USERDB) provider_init = Provider("pyoicserv", SessionDB(), CDB, AUTHN_BROKER, USERINFO, AUTHZ, verify_client, SYMKEY, urlmap=URLMAP, keyjar=KEYJAR)
def main(): parser = argparse.ArgumentParser(description='Example OIDC Provider.') parser.add_argument("-p", "--port", default=80, type=int) parser.add_argument("-b", "--base", default="https://localhost", type=str) parser.add_argument("-d", "--debug", action="store_true") parser.add_argument("settings") args = parser.parse_args() # Load configuration with open(args.settings, "r") as f: settings = yaml.safe_load(f) issuer = args.base.rstrip("/") template_dirs = settings["server"].get("template_dirs", "templates") jinja_env = Environment(loader=FileSystemLoader(template_dirs), autoescape=select_autoescape(['html'])) authn_broker, auth_routing = setup_authentication_methods( settings["authn"], jinja_env) # Setup userinfo userinfo_conf = settings["userinfo"] cls = make_cls_from_name(userinfo_conf["class"]) i = cls(**userinfo_conf["kwargs"]) userinfo = UserInfo(i) client_db = {} session_db = create_session_db(issuer, secret=rndstr(32), password=rndstr(32)) provider = Provider(issuer, session_db, client_db, authn_broker, userinfo, AuthzHandling(), verify_client, None) provider.baseurl = issuer provider.symkey = rndstr(16) # Setup keys path = os.path.join(os.path.dirname(__file__), "static") try: os.makedirs(path) except OSError as e: if e.errno != errno.EEXIST: raise e pass jwks = keyjar_init(provider, settings["provider"]["keys"]) name = "jwks.json" with open(os.path.join(path, name), "w") as f: f.write(json.dumps(jwks)) #TODO: I take this out and it still works, what was this for? #provider.jwks_uri.append( # "{}/static/{}".format(provider.baseurl, name)) # Mount the WSGI callable object (app) on the root directory app_routing = setup_endpoints(provider) app_routing["/.well-known/openid-configuration"] = pyoidcMiddleware( provider.providerinfo_endpoint) app_routing["/.well-known/webfinger"] = pyoidcMiddleware( partial(_webfinger, provider)) routing = dict(list(auth_routing.items()) + list(app_routing.items())) routing["/static"] = make_static_handler(path) dispatcher = WSGIPathInfoDispatcher(routing) server = wsgiserver.CherryPyWSGIServer(('0.0.0.0', args.port), dispatcher) # nosec # Setup SSL if provider.baseurl.startswith("https://"): server.ssl_adapter = BuiltinSSLAdapter( settings["server"]["cert"], settings["server"]["key"], settings["server"]["cert_chain"]) # Start the CherryPy WSGI web server try: print("Server started: {}".format(issuer)) server.start() except KeyboardInterrupt: server.stop()
}, # "template_args": {"form_post": {"action": "form_post"}} } # Should I care about verifying the certificates used by other entities if args.insecure: kwargs["verify_ssl"] = False else: kwargs["verify_ssl"] = True if args.capabilities: kwargs["capabilities"] = json.loads(open(args.capabilities).read()) else: pass OAS = Provider(_issuer, SessionDB(_issuer), cdb, ac, None, authz, verify_client, config.SYM_KEY, **kwargs) OAS.baseurl = _issuer for authn in ac: authn.srv = OAS if config.USERINFO == "SIMPLE": # User info is a simple dictionary in this case statically defined in # the configuration file OAS.userinfo = UserInfo(config.USERDB) elif config.USERINFO == "SAML": OAS.userinfo = UserInfo(config.SAML) elif config.USERINFO == "AA": OAS.userinfo = AaUserInfo(config.SP_CONFIG, config.issuer, config.SAML) else: raise Exception("Unsupported userinfo source")