def test_client_claims_scopes_and_request_claims_no_match(self):
session_id = self._create_session(AREQRC)
grant = self.session_manager[session_id]
self.session_manager.token_handler["id_token"].kwargs[
"add_claims_by_scope"] = True
_claims = self.endpoint_context.claims_interface.get_claims(
session_id=session_id,
scopes=AREQRC["scope"],
claims_release_point="id_token")
grant.claims = {"id_token": _claims}
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
# User information, from scopes -> claims
assert "address" in res
assert "email" in res
# User info, requested by claims parameter
assert "nickname" in res
def test_client_claims_scopes_and_request_claims_one_match(self):
_req = AREQS.copy()
_req["claims"] = {
"id_token": {
"email": {
"value": "*****@*****.**"
}
}
}
session_id = self._create_session(_req)
grant = self.session_manager[session_id]
self.session_manager.token_handler["id_token"].kwargs[
"add_claims_by_scope"] = True
_claims = self.endpoint_context.claims_interface.get_claims(
session_id=session_id,
scopes=_req["scope"],
claims_release_point="id_token")
grant.claims = {"id_token": _claims}
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
# Email didn't match
assert "email" not in res
# Scope -> claims
assert "address" in res
def test_client_claims(self):
session_id = self._create_session(AREQ)
grant = self.session_manager[session_id]
self.session_manager.token_handler["id_token"].kwargs[
"enable_claims_per_client"] = True
self.endpoint_context.cdb["client_1"]["id_token_claims"] = {
"address": None
}
_claims = self.endpoint_context.claims_interface.get_claims(
session_id=session_id,
scopes=AREQ["scope"],
claims_release_point="id_token")
grant.claims = {"id_token": _claims}
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
assert "address" in res
assert "nickname" not in res
def _keyjar(self, keyjar=None, db_conf=None, conf=None, entity_id=''):
if keyjar is None:
_storage = None
if db_conf:
_cnf = get_storage_conf(db_conf, 'keyjar')
if _cnf:
_storage = storage_factory(_cnf)
if 'keys' in conf:
args = {k: v for k, v in conf["keys"].items() if k != "uri_path"}
args.update({'storage': _storage})
_keyjar = init_key_jar(**args)
else:
_keyjar = KeyJar(storage=_storage)
if 'jwks' in conf:
_keyjar.import_jwks(conf['jwks'], '')
if '' in _keyjar and entity_id:
# make sure I have the keys under my own name too (if I know it)
_keyjar.import_jwks_as_json(_keyjar.export_jwks_as_json(True, ''), entity_id)
_httpc_params = conf.get('httpc_params')
if _httpc_params:
_keyjar.httpc_params = _httpc_params
return _keyjar
else:
return keyjar
def _keyjar(self, keyjar=None, conf=None, entity_id=""):
if keyjar is None:
if "keys" in conf:
keys_args = {
k: v
for k, v in conf["keys"].items() if k != "uri_path"
}
_keyjar = init_key_jar(**keys_args)
elif "key_conf" in conf:
keys_args = {
k: v
for k, v in conf["key_conf"].items() if k != "uri_path"
}
_keyjar = init_key_jar(**keys_args)
else:
_keyjar = KeyJar()
if "jwks" in conf:
_keyjar.import_jwks(conf["jwks"], "")
if "" in _keyjar and entity_id:
# make sure I have the keys under my own name too (if I know it)
_keyjar.import_jwks_as_json(
_keyjar.export_jwks_as_json(True, ""), entity_id)
_httpc_params = conf.get("httpc_params")
if _httpc_params:
_keyjar.httpc_params = _httpc_params
return _keyjar
else:
return keyjar
def fetch_entity(fetch_endpoint, iss, sub, iss_entity_statement):
_response = requests.request("GET", fetch_endpoint, verify=False,
params={'iss': iss, 'sub': sub})
_jws = factory(_response.text)
_key_jar = KeyJar()
_key_jar.import_jwks(iss_entity_statement['jwks'], iss)
_keys = _key_jar.get_jwt_verify_keys(_jws.jwt)
_res = _jws.verify_compact(keys=_keys)
return _res
def get_self_signed_entity_statement(entity_id):
_url = entity_id + "/.well-known/openid-federation"
_response = requests.request("GET", _url, verify=False)
_jws = factory(_response.text)
_payload = _jws.jwt.payload()
entity_statement = EntityStatement(**_payload)
_key_jar = KeyJar()
# verify entity_statement["iss"]
_key_jar.import_jwks(entity_statement['jwks'], entity_id)
_keys = _key_jar.get_jwt_verify_keys(_jws.jwt)
_res = _jws.verify_compact(keys=_keys)
return _res
def test_no_available_claims(self):
session_id = self._create_session(AREQ)
grant = self.session_manager[session_id]
grant.claims = {"id_token": {"foobar": None}}
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
assert "foobar" not in res
def test_lifetime_default(self):
session_id = self._create_session(AREQ)
grant = self.session_manager[session_id]
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
assert res["exp"] - res["iat"] == LIFETIME
def verify_self_signed_signature(config):
"""
Verify signature. Will raise exception if signature verification fails.
:param config: Signed JWT
:return: Payload of the signed JWT
"""
payload = unverified_entity_statement(config)
keyjar = KeyJar()
keyjar.import_jwks(payload['jwks'], payload['iss'])
_jwt = JWT(key_jar=keyjar)
_val = _jwt.unpack(config)
return _val
def test_sign_encrypt_id_token(self):
session_id = self._create_session(AREQ)
grant = self.session_manager[session_id]
id_token = self._mint_id_token(grant, session_id)
_jws = factory(id_token.value)
assert _jws.jwt.headers["alg"] == "RS256"
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
assert isinstance(res, dict)
assert res["aud"] == ["client_1"]
def test_client_claims_with_default(self):
session_id = self._create_session(AREQ)
grant = self.session_manager[session_id]
_claims = self.endpoint_context.claims_interface.get_claims(
session_id=session_id,
scopes=AREQ["scope"],
claims_release_point="id_token")
grant.claims = {"id_token": _claims}
id_token = self._mint_id_token(grant, session_id)
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(id_token.value)
# No user info claims should be there
assert "address" not in res
assert "nickname" not in res
def get_issuer_keyjar(jwks, issuer: str):
key_jar = KeyJar()
# "" means default, you can always point to a issuer identifier
key_jar.import_jwks(jwks, issuer_id=issuer)
return key_jar