def __init__(self, *pargs): super(IdpProvider, self).__init__('openidc', 'OpenID Connect', 'openidc', *pargs) self.mapping = InfoMapping() self.keyset = None self.admin = None self.page = None self.datastore = None self.server = None self.basepath = None self.extensions = LoadExtensions() self.description = """ Provides OpenID Connect authentication infrastructure. """ self.new_config( self.name, pconfig.String('database url', 'Database URL for OpenID Connect storage', 'openidc.sqlite'), pconfig.String( 'static database url', 'Database URL for OpenID Connect static client configuration', 'openidc.static.sqlite'), pconfig.Choice('enabled extensions', 'Choose the extensions to enable', self.extensions.available().keys()), pconfig.String('endpoint url', 'The Absolute URL of the OpenID Connect provider', 'http://localhost:8080/openidc/'), pconfig.String( 'documentation url', 'The Absolute URL of the OpenID Connect documentation', 'https://ipsilonproject.org/doc/openidc/'), pconfig.String('policy url', 'The Absolute URL of the OpenID Connect policy', 'http://www.example.com/'), pconfig.String( 'tos url', 'The Absolute URL of the OpenID Connect terms of service', 'http://www.example.com/'), pconfig.String('idp key file', 'The file where the OpenIDC keyset is stored.', 'openidc.key'), pconfig.String('idp sig key id', 'The key to use for signing.', ''), pconfig.String('idp subject salt', 'The salt used for pairwise subjects.', None), pconfig.Condition( 'allow dynamic client registration', 'Allow Dynamic Client registrations for Relying Parties', True), pconfig.MappingList('default attribute mapping', 'Defines how to map attributes', [['*', '*']]), pconfig.ComplexList( 'default allowed attributes', 'Defines a list of allowed attributes, applied after mapping', ['*']), )
def __init__(self, *pargs): super(IdpProvider, self).__init__("openidc", "openidc", *pargs) self.mapping = InfoMapping() self.keyset = None self.page = None self.datastore = None self.server = None self.basepath = None self.extensions = LoadExtensions() self.description = """ Provides OpenID Connect authentication infrastructure. """ self.new_config( self.name, pconfig.String("database url", "Database URL for OpenID Connect storage", "openidc.sqlite"), pconfig.Choice("enabled extensions", "Choose the extensions to enable", self.extensions.available().keys()), pconfig.String( "endpoint url", "The Absolute URL of the OpenID Connect provider", "http://localhost:8080/idp/openidc/" ), pconfig.String( "documentation url", "The Absolute URL of the OpenID Connect documentation", "https://ipsilonproject.org/doc/openidc/", ), pconfig.String("policy url", "The Absolute URL of the OpenID Connect policy", "http://www.example.com/"), pconfig.String( "tos url", "The Absolute URL of the OpenID Connect terms of service", "http://www.example.com/" ), pconfig.String("idp key file", "The file where the OpenIDC keyset is stored.", "openidc.key"), pconfig.String("idp sig key id", "The key to use for signing.", ""), pconfig.String("idp subject salt", "The salt used for pairwise subjects.", None), pconfig.MappingList("default attribute mapping", "Defines how to map attributes", [["*", "*"]]), pconfig.ComplexList( "default allowed attributes", "Defines a list of allowed attributes, applied after mapping", ["*"] ), )
class IdpProvider(ProviderBase): def __init__(self, *pargs): super(IdpProvider, self).__init__('openidc', 'OpenID Connect', 'openidc', *pargs) self.mapping = InfoMapping() self.keyset = None self.admin = None self.page = None self.datastore = None self.server = None self.basepath = None self.extensions = LoadExtensions() self.description = """ Provides OpenID Connect authentication infrastructure. """ self.new_config( self.name, pconfig.String('database url', 'Database URL for OpenID Connect storage', 'openidc.sqlite'), pconfig.String( 'static database url', 'Database URL for OpenID Connect static client configuration', 'openidc.static.sqlite'), pconfig.Choice('enabled extensions', 'Choose the extensions to enable', self.extensions.available().keys()), pconfig.String('endpoint url', 'The Absolute URL of the OpenID Connect provider', 'http://localhost:8080/openidc/'), pconfig.String( 'documentation url', 'The Absolute URL of the OpenID Connect documentation', 'https://ipsilonproject.org/doc/openidc/'), pconfig.String('policy url', 'The Absolute URL of the OpenID Connect policy', 'http://www.example.com/'), pconfig.String( 'tos url', 'The Absolute URL of the OpenID Connect terms of service', 'http://www.example.com/'), pconfig.String('idp key file', 'The file where the OpenIDC keyset is stored.', 'openidc.key'), pconfig.String('idp sig key id', 'The key to use for signing.', ''), pconfig.String('idp subject salt', 'The salt used for pairwise subjects.', None), pconfig.Condition( 'allow dynamic client registration', 'Allow Dynamic Client registrations for Relying Parties', True), pconfig.MappingList('default attribute mapping', 'Defines how to map attributes', [['*', '*']]), pconfig.ComplexList( 'default allowed attributes', 'Defines a list of allowed attributes, applied after mapping', ['*']), ) @property def endpoint_url(self): url = self.get_config_value('endpoint url') if url.endswith('/'): return url else: return url + '/' @property def documentation_url(self): url = self.get_config_value('documentation url') if url.endswith('/'): return url else: return url + '/' @property def policy_url(self): url = self.get_config_value('policy url') if url.endswith('/'): return url else: return url + '/' @property def tos_url(self): url = self.get_config_value('tos url') if url.endswith('/'): return url else: return url + '/' @property def enabled_extensions(self): return self.get_config_value('enabled extensions') @property def idp_key_file(self): return self.get_config_value('idp key file') @property def idp_sig_key_id(self): return self.get_config_value('idp sig key id') @property def idp_subject_salt(self): return self.get_config_value('idp subject salt') @property def allow_dynamic_client_registration(self): return self.get_config_value('allow dynamic client registration') @property def default_attribute_mapping(self): return self.get_config_value('default attribute mapping') @property def default_allowed_attributes(self): return self.get_config_value('default allowed attributes') @property def supported_scopes(self): supported = ['openid'] # Default scopes used in OpenID Connect claims supported.extend(['profile', 'email', 'address', 'phone']) for _, ext in self.extensions.available().items(): supported.extend(ext.get_scopes()) return supported def get_tree(self, site): self.page = OpenIDC(site, self) self.admin = OpenIDCAdminPage(site, self) return self.page def used_datastores(self): return [self.datastore, self.datastore.static_store] def init_idp(self): self.keyset = JWKSet() with open(self.idp_key_file, 'r') as keyfile: loaded_keys = json.loads(keyfile.read()) for key in loaded_keys['keys']: self.keyset.add(JWK(**key)) static_store = OpenIDCStaticStore( self.get_config_value('static database url')) self.datastore = OpenIDCStore(self.get_config_value('database url'), static_store) def openid_connect_issuer_wf_rel(self, resource): link = { 'rel': 'http://openid.net/specs/connect/1.0/issuer', 'href': self.endpoint_url } return {'links': [link]} def on_enable(self): super(IdpProvider, self).on_enable() self.init_idp() self.extensions.enable(self._config['enabled extensions'].get_value(), self) self._root.webfinger.register_rel( 'http://openid.net/specs/connect/1.0/issuer', self.openid_connect_issuer_wf_rel) def on_disable(self): super(IdpProvider, self).on_enable() self._root.webfinger.unregister_rel( 'http://openid.net/specs/connect/1.0/issuer') def get_client_display_name(self, clientid): return self.datastore.getClient(clientid)['client_name'] def consent_to_display(self, consentdata): d = [] if len(consentdata['scopes']) > 0: scopes = [] for dummy_n, e in self.extensions.available().items(): data = e.get_display_data(consentdata['scopes']) if len(data) > 0: scopes.append(e.get_display_name()) d.append('Scopes: %s' % ', '.join(sorted(scopes))) if len(consentdata['claims']) > 0: d.append('Claims: %s' % ', '.join( [self.mapping.display_name(x) for x in consentdata['claims']])) return d def revoke_consent(self, user, clientid): return self.datastore.revokeConsent(user, clientid) def on_reconfigure(self): super(IdpProvider, self).on_reconfigure() self.init_idp() self.extensions.enable(self._config['enabled extensions'].get_value(), self)
class IdpProvider(ProviderBase): def __init__(self, *pargs): super(IdpProvider, self).__init__("openidc", "openidc", *pargs) self.mapping = InfoMapping() self.keyset = None self.page = None self.datastore = None self.server = None self.basepath = None self.extensions = LoadExtensions() self.description = """ Provides OpenID Connect authentication infrastructure. """ self.new_config( self.name, pconfig.String("database url", "Database URL for OpenID Connect storage", "openidc.sqlite"), pconfig.Choice("enabled extensions", "Choose the extensions to enable", self.extensions.available().keys()), pconfig.String( "endpoint url", "The Absolute URL of the OpenID Connect provider", "http://localhost:8080/idp/openidc/" ), pconfig.String( "documentation url", "The Absolute URL of the OpenID Connect documentation", "https://ipsilonproject.org/doc/openidc/", ), pconfig.String("policy url", "The Absolute URL of the OpenID Connect policy", "http://www.example.com/"), pconfig.String( "tos url", "The Absolute URL of the OpenID Connect terms of service", "http://www.example.com/" ), pconfig.String("idp key file", "The file where the OpenIDC keyset is stored.", "openidc.key"), pconfig.String("idp sig key id", "The key to use for signing.", ""), pconfig.String("idp subject salt", "The salt used for pairwise subjects.", None), pconfig.MappingList("default attribute mapping", "Defines how to map attributes", [["*", "*"]]), pconfig.ComplexList( "default allowed attributes", "Defines a list of allowed attributes, applied after mapping", ["*"] ), ) @property def endpoint_url(self): url = self.get_config_value("endpoint url") if url.endswith("/"): return url else: return url + "/" @property def documentation_url(self): url = self.get_config_value("documentation url") if url.endswith("/"): return url else: return url + "/" @property def policy_url(self): url = self.get_config_value("policy url") if url.endswith("/"): return url else: return url + "/" @property def tos_url(self): url = self.get_config_value("tos url") if url.endswith("/"): return url else: return url + "/" @property def enabled_extensions(self): return self.get_config_value("enabled extensions") @property def idp_key_file(self): return self.get_config_value("idp key file") @property def idp_sig_key_id(self): return self.get_config_value("idp sig key id") @property def idp_subject_salt(self): return self.get_config_value("idp subject salt") @property def default_attribute_mapping(self): return self.get_config_value("default attribute mapping") @property def default_allowed_attributes(self): return self.get_config_value("default allowed attributes") @property def supported_scopes(self): supported = ["openid"] # Default scopes used in OpenID Connect claims supported.extend(["profile", "email", "address", "phone"]) for _, ext in self.extensions.available().items(): supported.extend(ext.get_scopes()) return supported def get_tree(self, site): self.page = OpenIDC(site, self) # self.admin = AdminPage(site, self) return self.page def used_datastores(self): return [self.datastore] def init_idp(self): self.keyset = JWKSet() with open(self.idp_key_file, "r") as keyfile: loaded_keys = json.loads(keyfile.read()) for key in loaded_keys["keys"]: self.keyset.add(JWK(**key)) self.datastore = OpenIDCStore(self.get_config_value("database url")) def openid_connect_issuer_wf_rel(self, resource): link = {"rel": "http://openid.net/specs/connect/1.0/issuer", "href": self.endpoint_url} return {"links": [link]} def on_enable(self): super(IdpProvider, self).on_enable() self.init_idp() self.extensions.enable(self._config["enabled extensions"].get_value(), self) self._root.webfinger.register_rel( "http://openid.net/specs/connect/1.0/issuer", self.openid_connect_issuer_wf_rel ) def on_disable(self): super(IdpProvider, self).on_enable() self._root.webfinger.unregister_rel("http://openid.net/specs/connect/1.0/issuer")