def create_authorization_url(self, **kwargs):
# type: (Any) -> Tuple[str, str, str]
"""Create the authorization URL.
Additionnal *kwargs* are passed to the underlying level.
"""
code_verifier = generate_token(48)
code_challenge = create_s256_code_challenge(code_verifier)
uri, state = self._request(
self._client.create_authorization_url,
self._authorization_endpoint,
code_challenge=code_challenge,
code_challenge_method="S256",
**kwargs
)
return uri, state, code_verifier
def code_verifier_and_challenge(code_challenge_method):
from authlib.oauth2.rfc7636 import create_s256_code_challenge # type: ignore
code_verifier = urlsafe_b64encode(os.urandom(33)).decode("utf-8")
if code_challenge_method == "plain":
return code_challenge_method, code_verifier, code_verifier
elif code_challenge_method == "S256":
return (
code_challenge_method,
code_verifier,
create_s256_code_challenge(code_verifier),
)
else:
raise AssertionError
def submitNewSession(self, pkce=True):
"""Submit new authorization session
:param bool pkce: use PKCE
:return: S_OK(str)/S_ERROR()
"""
session = {}
params = dict(state=generate_token(10))
# Create PKCE verifier
if pkce:
session["code_verifier"] = generate_token(48)
params["code_challenge_method"] = "S256"
params["code_challenge"] = create_s256_code_challenge(session["code_verifier"])
url, state = self.create_authorization_url(self.get_metadata("authorization_endpoint"), **params)
return url, state, session
def test_s256_code_challenge_success(self):
self.prepare_data()
code_challenge = create_s256_code_challenge('foo')
url = self.authorize_url + '&code_challenge=' + code_challenge
url += '&code_challenge_method=S256'
rv = self.client.post(url, data={'user_id': '1'})
self.assertIn('code=', rv.location)
params = dict(url_decode(urlparse.urlparse(rv.location).query))
code = params['code']
rv = self.client.post('/oauth/token', data={
'grant_type': 'authorization_code',
'code': code,
'code_verifier': 'foo',
'client_id': 'code-client',
})
resp = json.loads(rv.data)
self.assertIn('access_token', resp)
def test_s256_code_challenge_success_client_secret_post(self, client, oauth):
code_verifier = generate_token(48)
code_challenge = create_s256_code_challenge(code_verifier)
client.login()
response = client.post(url_for(
'oauth.authorize',
response_type='code',
client_id=oauth.client_id,
code_challenge=code_challenge,
code_challenge_method='S256'
), {
'scope': 'default',
'accept': '',
})
assert 'code=' in response.location
params = dict(url_decode(urlparse.urlparse(response.location).query))
code = params['code']
response = client.post(url_for('oauth.token'), {
'grant_type': 'authorization_code',
'code': code,
'code_verifier': code_verifier,
'client_id': oauth.client_id,
'client_secret': oauth.secret
})
assert200(response)
assert response.content_type == 'application/json'
assert 'access_token' in response.json
token = response.json['access_token']
response = client.post(url_for('api.fake'), headers={
'Authorization': ' '.join(['Bearer', token])
})
assert200(response)
assert response.content_type == 'application/json'
assert response.json == {'success': True}
from authlib.oauth2.rfc7636 import create_s256_code_challenge
import uuid
import datetime
# get IdP OID configuration
res = r.get('http://127.0.0.1:8000/.well-known/openid_configuration')
res.status_code
res.json()
# this is stored in session memory
random_secret = secrets.token_hex(10)
# ascii encode, sha256 hash, b64 encode tmp secret
code_challenge = create_s256_code_challenge(random_secret)
#code_challenge = base64.b64encode(hashlib.sha256(random_secret.encode('ascii')).digest())
# request an authorisation code from IdP
auth_endpoint = res.json()['authorization_endpoint']
token_endpoint = res.json()['token_endpoint']
auth_params = {
'response_type': 'code',
'redirect_uri': 'http://127.0.0.1:8001/callback',
'scope': 'open_id profile offline_access',
'client_id': 'http://127.0.0.1:8001/webid#this',
'code_challenge_method': 'S256',
'code_challenge': code_challenge
}
def get_base_url():
url = ""
if env == "development":
url += "http://localhost:8000/"
else:
url += "https://online.ntnu.no/"
if oauth_or_OIDC == "OIDC":
url += "openid/"
else:
url += "sso/o/"
return url
oauth_access_token = None
scope = "oidc read write"
code_verifier = secrets.token_urlsafe()
code_challenge = create_s256_code_challenge(code_verifier)
authorize_url = f"{get_base_url()}authorize"
session = OAuth2Session(
client_id,
scope=scope,
redirect_uri="http://127.0.0.1:7777",
response_type="code")
def getAuthorizedUser():
global oauth_access_token
thread = ServerThread()
thread.daemon = True
thread.start()
uri, state = session.create_authorization_url(
authorize_url,
