def __init__(self, *pargs):
super(IdpProvider, self).__init__('openidc', 'OpenID Connect',
'openidc', *pargs)
self.mapping = InfoMapping()
self.keyset = None
self.admin = None
self.page = None
self.datastore = None
self.server = None
self.basepath = None
self.extensions = LoadExtensions()
self.description = """
Provides OpenID Connect authentication infrastructure. """
self.new_config(
self.name,
pconfig.String('database url',
'Database URL for OpenID Connect storage',
'openidc.sqlite'),
pconfig.String(
'static database url',
'Database URL for OpenID Connect static client configuration',
'openidc.static.sqlite'),
pconfig.Choice('enabled extensions',
'Choose the extensions to enable',
self.extensions.available().keys()),
pconfig.String('endpoint url',
'The Absolute URL of the OpenID Connect provider',
'http://localhost:8080/openidc/'),
pconfig.String(
'documentation url',
'The Absolute URL of the OpenID Connect documentation',
'https://ipsilonproject.org/doc/openidc/'),
pconfig.String('policy url',
'The Absolute URL of the OpenID Connect policy',
'http://www.example.com/'),
pconfig.String(
'tos url',
'The Absolute URL of the OpenID Connect terms of service',
'http://www.example.com/'),
pconfig.String('idp key file',
'The file where the OpenIDC keyset is stored.',
'openidc.key'),
pconfig.String('idp sig key id', 'The key to use for signing.',
''),
pconfig.String('idp subject salt',
'The salt used for pairwise subjects.', None),
pconfig.Condition(
'allow dynamic client registration',
'Allow Dynamic Client registrations for Relying Parties',
True),
pconfig.MappingList('default attribute mapping',
'Defines how to map attributes', [['*', '*']]),
pconfig.ComplexList(
'default allowed attributes',
'Defines a list of allowed attributes, applied after mapping',
['*']),
)
def __init__(self, *pargs):
super(IdpProvider, self).__init__("openidc", "openidc", *pargs)
self.mapping = InfoMapping()
self.keyset = None
self.page = None
self.datastore = None
self.server = None
self.basepath = None
self.extensions = LoadExtensions()
self.description = """
Provides OpenID Connect authentication infrastructure. """
self.new_config(
self.name,
pconfig.String("database url", "Database URL for OpenID Connect storage", "openidc.sqlite"),
pconfig.Choice("enabled extensions", "Choose the extensions to enable", self.extensions.available().keys()),
pconfig.String(
"endpoint url", "The Absolute URL of the OpenID Connect provider", "http://localhost:8080/idp/openidc/"
),
pconfig.String(
"documentation url",
"The Absolute URL of the OpenID Connect documentation",
"https://ipsilonproject.org/doc/openidc/",
),
pconfig.String("policy url", "The Absolute URL of the OpenID Connect policy", "http://www.example.com/"),
pconfig.String(
"tos url", "The Absolute URL of the OpenID Connect terms of service", "http://www.example.com/"
),
pconfig.String("idp key file", "The file where the OpenIDC keyset is stored.", "openidc.key"),
pconfig.String("idp sig key id", "The key to use for signing.", ""),
pconfig.String("idp subject salt", "The salt used for pairwise subjects.", None),
pconfig.MappingList("default attribute mapping", "Defines how to map attributes", [["*", "*"]]),
pconfig.ComplexList(
"default allowed attributes", "Defines a list of allowed attributes, applied after mapping", ["*"]
),
)
class IdpProvider(ProviderBase):
def __init__(self, *pargs):
super(IdpProvider, self).__init__('openidc', 'OpenID Connect',
'openidc', *pargs)
self.mapping = InfoMapping()
self.keyset = None
self.admin = None
self.page = None
self.datastore = None
self.server = None
self.basepath = None
self.extensions = LoadExtensions()
self.description = """
Provides OpenID Connect authentication infrastructure. """
self.new_config(
self.name,
pconfig.String('database url',
'Database URL for OpenID Connect storage',
'openidc.sqlite'),
pconfig.String(
'static database url',
'Database URL for OpenID Connect static client configuration',
'openidc.static.sqlite'),
pconfig.Choice('enabled extensions',
'Choose the extensions to enable',
self.extensions.available().keys()),
pconfig.String('endpoint url',
'The Absolute URL of the OpenID Connect provider',
'http://localhost:8080/openidc/'),
pconfig.String(
'documentation url',
'The Absolute URL of the OpenID Connect documentation',
'https://ipsilonproject.org/doc/openidc/'),
pconfig.String('policy url',
'The Absolute URL of the OpenID Connect policy',
'http://www.example.com/'),
pconfig.String(
'tos url',
'The Absolute URL of the OpenID Connect terms of service',
'http://www.example.com/'),
pconfig.String('idp key file',
'The file where the OpenIDC keyset is stored.',
'openidc.key'),
pconfig.String('idp sig key id', 'The key to use for signing.',
''),
pconfig.String('idp subject salt',
'The salt used for pairwise subjects.', None),
pconfig.Condition(
'allow dynamic client registration',
'Allow Dynamic Client registrations for Relying Parties',
True),
pconfig.MappingList('default attribute mapping',
'Defines how to map attributes', [['*', '*']]),
pconfig.ComplexList(
'default allowed attributes',
'Defines a list of allowed attributes, applied after mapping',
['*']),
)
@property
def endpoint_url(self):
url = self.get_config_value('endpoint url')
if url.endswith('/'):
return url
else:
return url + '/'
@property
def documentation_url(self):
url = self.get_config_value('documentation url')
if url.endswith('/'):
return url
else:
return url + '/'
@property
def policy_url(self):
url = self.get_config_value('policy url')
if url.endswith('/'):
return url
else:
return url + '/'
@property
def tos_url(self):
url = self.get_config_value('tos url')
if url.endswith('/'):
return url
else:
return url + '/'
@property
def enabled_extensions(self):
return self.get_config_value('enabled extensions')
@property
def idp_key_file(self):
return self.get_config_value('idp key file')
@property
def idp_sig_key_id(self):
return self.get_config_value('idp sig key id')
@property
def idp_subject_salt(self):
return self.get_config_value('idp subject salt')
@property
def allow_dynamic_client_registration(self):
return self.get_config_value('allow dynamic client registration')
@property
def default_attribute_mapping(self):
return self.get_config_value('default attribute mapping')
@property
def default_allowed_attributes(self):
return self.get_config_value('default allowed attributes')
@property
def supported_scopes(self):
supported = ['openid']
# Default scopes used in OpenID Connect claims
supported.extend(['profile', 'email', 'address', 'phone'])
for _, ext in self.extensions.available().items():
supported.extend(ext.get_scopes())
return supported
def get_tree(self, site):
self.page = OpenIDC(site, self)
self.admin = OpenIDCAdminPage(site, self)
return self.page
def used_datastores(self):
return [self.datastore, self.datastore.static_store]
def init_idp(self):
self.keyset = JWKSet()
with open(self.idp_key_file, 'r') as keyfile:
loaded_keys = json.loads(keyfile.read())
for key in loaded_keys['keys']:
self.keyset.add(JWK(**key))
static_store = OpenIDCStaticStore(
self.get_config_value('static database url'))
self.datastore = OpenIDCStore(self.get_config_value('database url'),
static_store)
def openid_connect_issuer_wf_rel(self, resource):
link = {
'rel': 'http://openid.net/specs/connect/1.0/issuer',
'href': self.endpoint_url
}
return {'links': [link]}
def on_enable(self):
super(IdpProvider, self).on_enable()
self.init_idp()
self.extensions.enable(self._config['enabled extensions'].get_value(),
self)
self._root.webfinger.register_rel(
'http://openid.net/specs/connect/1.0/issuer',
self.openid_connect_issuer_wf_rel)
def on_disable(self):
super(IdpProvider, self).on_enable()
self._root.webfinger.unregister_rel(
'http://openid.net/specs/connect/1.0/issuer')
def get_client_display_name(self, clientid):
return self.datastore.getClient(clientid)['client_name']
def consent_to_display(self, consentdata):
d = []
if len(consentdata['scopes']) > 0:
scopes = []
for dummy_n, e in self.extensions.available().items():
data = e.get_display_data(consentdata['scopes'])
if len(data) > 0:
scopes.append(e.get_display_name())
d.append('Scopes: %s' % ', '.join(sorted(scopes)))
if len(consentdata['claims']) > 0:
d.append('Claims: %s' % ', '.join(
[self.mapping.display_name(x) for x in consentdata['claims']]))
return d
def revoke_consent(self, user, clientid):
return self.datastore.revokeConsent(user, clientid)
def on_reconfigure(self):
super(IdpProvider, self).on_reconfigure()
self.init_idp()
self.extensions.enable(self._config['enabled extensions'].get_value(),
self)
class IdpProvider(ProviderBase):
def __init__(self, *pargs):
super(IdpProvider, self).__init__("openidc", "openidc", *pargs)
self.mapping = InfoMapping()
self.keyset = None
self.page = None
self.datastore = None
self.server = None
self.basepath = None
self.extensions = LoadExtensions()
self.description = """
Provides OpenID Connect authentication infrastructure. """
self.new_config(
self.name,
pconfig.String("database url", "Database URL for OpenID Connect storage", "openidc.sqlite"),
pconfig.Choice("enabled extensions", "Choose the extensions to enable", self.extensions.available().keys()),
pconfig.String(
"endpoint url", "The Absolute URL of the OpenID Connect provider", "http://localhost:8080/idp/openidc/"
),
pconfig.String(
"documentation url",
"The Absolute URL of the OpenID Connect documentation",
"https://ipsilonproject.org/doc/openidc/",
),
pconfig.String("policy url", "The Absolute URL of the OpenID Connect policy", "http://www.example.com/"),
pconfig.String(
"tos url", "The Absolute URL of the OpenID Connect terms of service", "http://www.example.com/"
),
pconfig.String("idp key file", "The file where the OpenIDC keyset is stored.", "openidc.key"),
pconfig.String("idp sig key id", "The key to use for signing.", ""),
pconfig.String("idp subject salt", "The salt used for pairwise subjects.", None),
pconfig.MappingList("default attribute mapping", "Defines how to map attributes", [["*", "*"]]),
pconfig.ComplexList(
"default allowed attributes", "Defines a list of allowed attributes, applied after mapping", ["*"]
),
)
@property
def endpoint_url(self):
url = self.get_config_value("endpoint url")
if url.endswith("/"):
return url
else:
return url + "/"
@property
def documentation_url(self):
url = self.get_config_value("documentation url")
if url.endswith("/"):
return url
else:
return url + "/"
@property
def policy_url(self):
url = self.get_config_value("policy url")
if url.endswith("/"):
return url
else:
return url + "/"
@property
def tos_url(self):
url = self.get_config_value("tos url")
if url.endswith("/"):
return url
else:
return url + "/"
@property
def enabled_extensions(self):
return self.get_config_value("enabled extensions")
@property
def idp_key_file(self):
return self.get_config_value("idp key file")
@property
def idp_sig_key_id(self):
return self.get_config_value("idp sig key id")
@property
def idp_subject_salt(self):
return self.get_config_value("idp subject salt")
@property
def default_attribute_mapping(self):
return self.get_config_value("default attribute mapping")
@property
def default_allowed_attributes(self):
return self.get_config_value("default allowed attributes")
@property
def supported_scopes(self):
supported = ["openid"]
# Default scopes used in OpenID Connect claims
supported.extend(["profile", "email", "address", "phone"])
for _, ext in self.extensions.available().items():
supported.extend(ext.get_scopes())
return supported
def get_tree(self, site):
self.page = OpenIDC(site, self)
# self.admin = AdminPage(site, self)
return self.page
def used_datastores(self):
return [self.datastore]
def init_idp(self):
self.keyset = JWKSet()
with open(self.idp_key_file, "r") as keyfile:
loaded_keys = json.loads(keyfile.read())
for key in loaded_keys["keys"]:
self.keyset.add(JWK(**key))
self.datastore = OpenIDCStore(self.get_config_value("database url"))
def openid_connect_issuer_wf_rel(self, resource):
link = {"rel": "http://openid.net/specs/connect/1.0/issuer", "href": self.endpoint_url}
return {"links": [link]}
def on_enable(self):
super(IdpProvider, self).on_enable()
self.init_idp()
self.extensions.enable(self._config["enabled extensions"].get_value(), self)
self._root.webfinger.register_rel(
"http://openid.net/specs/connect/1.0/issuer", self.openid_connect_issuer_wf_rel
)
def on_disable(self):
super(IdpProvider, self).on_enable()
self._root.webfinger.unregister_rel("http://openid.net/specs/connect/1.0/issuer")
