def create_authorization_url(self, **kwargs): # type: (Any) -> Tuple[str, str, str] """Create the authorization URL. Additionnal *kwargs* are passed to the underlying level. """ code_verifier = generate_token(48) code_challenge = create_s256_code_challenge(code_verifier) uri, state = self._request( self._client.create_authorization_url, self._authorization_endpoint, code_challenge=code_challenge, code_challenge_method="S256", **kwargs ) return uri, state, code_verifier
def code_verifier_and_challenge(code_challenge_method): from authlib.oauth2.rfc7636 import create_s256_code_challenge # type: ignore code_verifier = urlsafe_b64encode(os.urandom(33)).decode("utf-8") if code_challenge_method == "plain": return code_challenge_method, code_verifier, code_verifier elif code_challenge_method == "S256": return ( code_challenge_method, code_verifier, create_s256_code_challenge(code_verifier), ) else: raise AssertionError
def submitNewSession(self, pkce=True): """Submit new authorization session :param bool pkce: use PKCE :return: S_OK(str)/S_ERROR() """ session = {} params = dict(state=generate_token(10)) # Create PKCE verifier if pkce: session["code_verifier"] = generate_token(48) params["code_challenge_method"] = "S256" params["code_challenge"] = create_s256_code_challenge(session["code_verifier"]) url, state = self.create_authorization_url(self.get_metadata("authorization_endpoint"), **params) return url, state, session
def test_s256_code_challenge_success(self): self.prepare_data() code_challenge = create_s256_code_challenge('foo') url = self.authorize_url + '&code_challenge=' + code_challenge url += '&code_challenge_method=S256' rv = self.client.post(url, data={'user_id': '1'}) self.assertIn('code=', rv.location) params = dict(url_decode(urlparse.urlparse(rv.location).query)) code = params['code'] rv = self.client.post('/oauth/token', data={ 'grant_type': 'authorization_code', 'code': code, 'code_verifier': 'foo', 'client_id': 'code-client', }) resp = json.loads(rv.data) self.assertIn('access_token', resp)
def test_s256_code_challenge_success_client_secret_post(self, client, oauth): code_verifier = generate_token(48) code_challenge = create_s256_code_challenge(code_verifier) client.login() response = client.post(url_for( 'oauth.authorize', response_type='code', client_id=oauth.client_id, code_challenge=code_challenge, code_challenge_method='S256' ), { 'scope': 'default', 'accept': '', }) assert 'code=' in response.location params = dict(url_decode(urlparse.urlparse(response.location).query)) code = params['code'] response = client.post(url_for('oauth.token'), { 'grant_type': 'authorization_code', 'code': code, 'code_verifier': code_verifier, 'client_id': oauth.client_id, 'client_secret': oauth.secret }) assert200(response) assert response.content_type == 'application/json' assert 'access_token' in response.json token = response.json['access_token'] response = client.post(url_for('api.fake'), headers={ 'Authorization': ' '.join(['Bearer', token]) }) assert200(response) assert response.content_type == 'application/json' assert response.json == {'success': True}
from authlib.oauth2.rfc7636 import create_s256_code_challenge import uuid import datetime # get IdP OID configuration res = r.get('http://127.0.0.1:8000/.well-known/openid_configuration') res.status_code res.json() # this is stored in session memory random_secret = secrets.token_hex(10) # ascii encode, sha256 hash, b64 encode tmp secret code_challenge = create_s256_code_challenge(random_secret) #code_challenge = base64.b64encode(hashlib.sha256(random_secret.encode('ascii')).digest()) # request an authorisation code from IdP auth_endpoint = res.json()['authorization_endpoint'] token_endpoint = res.json()['token_endpoint'] auth_params = { 'response_type': 'code', 'redirect_uri': 'http://127.0.0.1:8001/callback', 'scope': 'open_id profile offline_access', 'client_id': 'http://127.0.0.1:8001/webid#this', 'code_challenge_method': 'S256', 'code_challenge': code_challenge }
def get_base_url(): url = "" if env == "development": url += "http://localhost:8000/" else: url += "https://online.ntnu.no/" if oauth_or_OIDC == "OIDC": url += "openid/" else: url += "sso/o/" return url oauth_access_token = None scope = "oidc read write" code_verifier = secrets.token_urlsafe() code_challenge = create_s256_code_challenge(code_verifier) authorize_url = f"{get_base_url()}authorize" session = OAuth2Session( client_id, scope=scope, redirect_uri="http://127.0.0.1:7777", response_type="code") def getAuthorizedUser(): global oauth_access_token thread = ServerThread() thread.daemon = True thread.start() uri, state = session.create_authorization_url( authorize_url,