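def test_consumer_client_get_access_token_reques():
    """Build the token-endpoint request for a stored authorization grant.

    A Consumer is seeded with an AuthorizationResponse and an
    AccessTokenResponse filed under the same state; the test then checks the
    URL, the url-encoded body and the headers that
    ``get_access_token_request`` produces for that state.
    """
    _session_db = {}
    cons = Consumer(_session_db, client_config=CLIENT_CONFIG,
                    server_info=SERVER_INFO, **CONSUMER_CONFIG)
    cons.client_secret = "secret0"
    _state = "state"
    cons.redirect_uris = ["https://www.example.com/oic/cb"]

    # Both responses carry the same state so the later lookup by _state
    # presumably finds the grant holding "auth_grant".
    resp1 = AuthorizationResponse(code="auth_grant", state=_state)
    cons.parse_response(AuthorizationResponse, resp1.to_urlencoded(),
                        "urlencoded")
    resp2 = AccessTokenResponse(access_token="token1",
                                token_type="Bearer", expires_in=0,
                                state=_state)
    cons.parse_response(AccessTokenResponse, resp2.to_urlencoded(),
                        "urlencoded")

    url, body, http_args = cons.get_access_token_request(_state)
    assert url == "http://localhost:8088/token"
    # The body contains client_secret; the former debug print of it is
    # dropped so the secret does not end up in captured test output.
    assert body == ("code=auth_grant&client_secret=secret0&"
                    "grant_type=authorization_code&client_id=number5&"
                    "redirect_uri=https%3A%2F%2Fwww.example.com%2Foic%2Fcb")
    assert http_args == {'headers': {
        'Content-type': 'application/x-www-form-urlencoded'}}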
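def test_consumer_client_get_access_token_reques():
    """Build the token-endpoint request using the consumer's current state.

    Unlike the variant that passes the state explicitly, this test sets
    ``cons.state`` and calls ``get_access_token_request`` without arguments,
    then checks the URL, the url-encoded body and the headers.
    """
    _session_db = {}
    cons = Consumer(_session_db,
                    client_config=CLIENT_CONFIG,
                    server_info=SERVER_INFO,
                    **CONSUMER_CONFIG)
    cons.client_secret = "secret0"
    cons.state = "state"
    cons.redirect_uris = ["https://www.example.com/oic/cb"]

    # Both responses use the same state value as cons.state so the grant
    # presumably resolves without an explicit argument below.
    resp1 = AuthorizationResponse(code="auth_grant", state="state")
    cons.parse_response(AuthorizationResponse, resp1.to_urlencoded(),
                        "urlencoded")
    resp2 = AccessTokenResponse(access_token="token1",
                                token_type="Bearer",
                                expires_in=0,
                                state="state")
    cons.parse_response(AccessTokenResponse, resp2.to_urlencoded(),
                        "urlencoded")

    url, body, http_args = cons.get_access_token_request()
    assert url == "http://localhost:8088/token"
    # The body contains client_secret; the former debug print of it is
    # dropped so the secret does not end up in captured test output.
    assert body == ("code=auth_grant&client_secret=secret0&"
                    "grant_type=authorization_code&client_id=number5&"
                    "redirect_uri=https%3A%2F%2Fwww.example.com%2Foic%2Fcb")
    assert http_args == {
        'headers': {
            'Content-type': 'application/x-www-form-urlencoded'
        }
    }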
def test_consumer_client_get_access_token_reques():
    """Build the token-endpoint request and compare it order-insensitively.

    The URL is compared as a URLObject and the body as a set of ``k=v``
    pairs, so the test does not depend on parameter ordering.
    """
    cons = Consumer({},
                    client_config=CLIENT_CONFIG,
                    server_info=SERVER_INFO,
                    **CONSUMER_CONFIG)
    cons.client_secret = "secret0"
    cons.redirect_uris = ["https://www.example.com/oic/cb"]
    state = "state"

    # Seed the consumer with a code response and a token response that
    # share the same state.
    seeded = (
        (AuthorizationResponse,
         AuthorizationResponse(code="auth_grant", state=state)),
        (AccessTokenResponse,
         AccessTokenResponse(access_token="token1",
                             token_type="Bearer",
                             expires_in=0,
                             state=state)),
    )
    for klass, message in seeded:
        cons.parse_response(klass, message.to_urlencoded(), "urlencoded")

    url, body, http_args = cons.get_access_token_request(state)
    assert URLObject.create(url) == URLObject.create(
        "http://localhost:8088/token")

    expected_body = ("code=auth_grant&client_secret=secret0&"
                     "grant_type=authorization_code&client_id=number5&"
                     "redirect_uri=https%3A%2F%2Fwww.example.com%2Foic%2Fcb")
    assert set(body.split('&')) == set(expected_body.split('&'))
    assert http_args == {
        'headers': {
            'Content-type': 'application/x-www-form-urlencoded'
        }
    }
class TestConsumer(object):
    """Exercise the OAuth 2.0 Consumer; every test gets a fresh instance."""

    #: Base URL of the client application handed to Consumer.begin.
    CLIENT_BASE = "http://localhost:8087"
    #: Authorization endpoint Consumer.begin redirects the user agent to.
    AUTHZ_ENDPOINT = "http://localhost:8088/authorization"

    @pytest.fixture(autouse=True)
    def create_consumer(self):
        """Build a Consumer backed by an empty session dict for each test."""
        self.consumer = Consumer({},
                                 client_config=CLIENT_CONFIG,
                                 server_info=SERVER_INFO,
                                 **CONSUMER_CONFIG)

    def _start_flow(self):
        """Start the authorization-code flow; return (session id, location)."""
        return self.consumer.begin(self.CLIENT_BASE, self.AUTHZ_ENDPOINT)

    def test_init(self):
        """_backup stores the session id; without server_info no endpoint is known."""
        configured = Consumer({},
                              client_config=CLIENT_CONFIG,
                              server_info=SERVER_INFO,
                              **CONSUMER_CONFIG)
        configured._backup("123456")
        assert "123456" in configured.sdb

        no_server = Consumer({}, client_config=CLIENT_CONFIG, **CONSUMER_CONFIG)
        assert no_server.authorization_endpoint is None

        no_client = Consumer({}, **CONSUMER_CONFIG)
        assert no_client.authorization_endpoint is None

    def test_begin(self):
        """The redirect carries scope, state (the sid), redirect_uri, response_type and client_id."""
        sid, loc = self._start_flow()

        # state is generated per call, so the expectation is built from sid
        query = urlencode({
            "scope": "openid",
            "state": sid,
            "redirect_uri": "http://localhost:8087/authz",
            "response_type": "code",
            "client_id": "number5",
        })
        assert url_compare(loc, "{}?{}".format(self.AUTHZ_ENDPOINT, query))

    def test_handle_authorization_response(self):
        """A code response for a known state is parsed and the code stored on the grant."""
        sid, _ = self._start_flow()
        callback = AuthorizationResponse(code="SplxlOBeZQQYbYS6WxSbIA",
                                         state=sid)

        res = self.consumer.handle_authorization_response(
            query=callback.to_urlencoded())

        assert isinstance(res, AuthorizationResponse)
        assert self.consumer.grant[sid].code == "SplxlOBeZQQYbYS6WxSbIA"

    def test_parse_authz_without_code(self):
        """A callback missing the mandatory code parameter is rejected."""
        sid, _ = self._start_flow()
        params = AuthorizationResponse(code="SplxlOBeZQQYbYS6WxSbIA",
                                       state=sid).to_dict()
        params.pop("code")

        with pytest.raises(MissingRequiredAttribute):
            self.consumer.handle_authorization_response(query=urlencode(params))

    def test_parse_authz_access_denied(self):
        """An error response from the AS surfaces as AuthzError."""
        sid, _ = self._start_flow()
        denied = AuthorizationErrorResponse(error="access_denied", state=sid)

        with pytest.raises(AuthzError):
            self.consumer.handle_authorization_response(
                query=denied.to_urlencoded())

    def test_parse_access_token(self):
        """Implicit flow: the token delivered in the callback is stored on the grant."""
        self.consumer.response_type = ["token"]
        sid, _ = self._start_flow()

        callback = AccessTokenResponse(access_token="2YotnFZFEjr1zCsicMWpAA",
                                       token_type="example",
                                       refresh_token="tGzv3JOkF0XG5Qx2TlKWIA",
                                       example_parameter="example_value",
                                       state=sid)

        res = self.consumer.handle_authorization_response(
            query=callback.to_urlencoded())

        assert isinstance(res, AccessTokenResponse)
        tokens = self.consumer.grant[sid].tokens
        assert len(tokens) == 1
        assert tokens[0].access_token == "2YotnFZFEjr1zCsicMWpAA"

    def test_parse_authz_invalid_client(self):
        """A token error response in the callback is reported as AuthzError."""
        self._start_flow()
        failure = TokenErrorResponse(error="invalid_client")

        with pytest.raises(AuthzError):
            self.consumer.handle_authorization_response(
                query=failure.to_urlencoded())

    def test_consumer_client_auth_info(self):
        """bearer_body auth puts client_id and client_secret in the request args, not headers."""
        self.consumer.client_secret = "secret0"
        request_args, http_args, extra = self.consumer.client_auth_info()
        assert request_args == {'client_secret': 'secret0', 'client_id': 'number5'}
        assert http_args == {}
        assert extra == {'auth_method': 'bearer_body'}

    def test_client_get_access_token_request(self):
        """The token request for a seeded grant has the expected URL, body and header."""
        state = "state"
        self.consumer.client_secret = "secret0"
        self.consumer.redirect_uris = ["https://www.example.com/oic/cb"]

        seeded = (
            (AuthorizationResponse,
             AuthorizationResponse(code="auth_grant", state=state)),
            (AccessTokenResponse,
             AccessTokenResponse(access_token="token1",
                                 token_type="Bearer", expires_in=0,
                                 state=state)),
        )
        for klass, message in seeded:
            self.consumer.parse_response(klass, message.to_urlencoded(),
                                         "urlencoded")

        url, body, http_args = self.consumer.get_access_token_request(state)
        assert url_compare(url, "http://localhost:8088/token")
        # Note the body carries client_secret (bearer_body auth method).
        expected_params = (
            'code=auth_grant&redirect_uri=https%3A%2F%2Fwww'
            '.example.com%2Foic%2Fcb&client_id=number5'
            '&client_secret=secret0&grant_type=authorization_code&state_hash=S6aXNcpTdl7WpwnttWxuoja3GTo7KaazkMNG8PQ0Dk4%3D'
        )

        assert query_string_compare(body, expected_params)
        assert http_args == {'headers': {
            'Content-Type': 'application/x-www-form-urlencoded'}}
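class TestConsumer(object):
    """Exercise the OAuth 2.0 Consumer; every test gets a fresh DictSessionBackend-backed instance."""

    #: Base URL of the client application handed to Consumer.begin.
    CLIENT_BASE = "http://localhost:8087"
    #: Authorization endpoint Consumer.begin redirects the user agent to.
    AUTHZ_ENDPOINT = "http://localhost:8088/authorization"

    @pytest.fixture(autouse=True)
    def create_consumer(self):
        """Build a fully configured Consumer for each test."""
        self.consumer = Consumer(
            DictSessionBackend(),
            client_config=CLIENT_CONFIG,
            server_info=SERVER_INFO,
            settings=CLIENT_SETTINGS,
            **CONSUMER_CONFIG,
        )

    def _start_flow(self):
        """Start the authorization-code flow; return (session id, location)."""
        return self.consumer.begin(self.CLIENT_BASE, self.AUTHZ_ENDPOINT)

    def test_init(self):
        """_backup stores the session id; without server_info no endpoint is known."""
        cons = Consumer(
            DictSessionBackend(),
            client_config=CLIENT_CONFIG,
            server_info=SERVER_INFO,
            settings=CLIENT_SETTINGS,
            **CONSUMER_CONFIG,
        )
        cons._backup("123456")
        assert "123456" in cons.sdb

        cons = Consumer(
            DictSessionBackend(),
            client_config=CLIENT_CONFIG,
            settings=CLIENT_SETTINGS,
            **CONSUMER_CONFIG,
        )
        assert cons.authorization_endpoint is None

        # Pass a backend instance, as every other construction in this class
        # does; previously the class object itself was handed over.
        cons = Consumer(DictSessionBackend(), **CONSUMER_CONFIG)
        assert cons.authorization_endpoint is None

    def test_begin(self):
        """The redirect carries scope, state (the sid), redirect_uri, response_type and client_id."""
        sid, loc = self._start_flow()

        # state is generated per call, so the expectation is built from sid
        query = urlencode({
            "scope": "openid",
            "state": sid,
            "redirect_uri": "http://localhost:8087/authz",
            "response_type": "code",
            "client_id": "number5",
        })
        assert url_compare(loc, "{}?{}".format(self.AUTHZ_ENDPOINT, query))

    def test_handle_authorization_response(self):
        """A code response for a known state is parsed and the code stored on the grant."""
        sid, _ = self._start_flow()
        callback = AuthorizationResponse(code="SplxlOBeZQQYbYS6WxSbIA", state=sid)

        res = self.consumer.handle_authorization_response(
            query=callback.to_urlencoded())

        assert isinstance(res, AuthorizationResponse)
        assert self.consumer.grant[sid].code == "SplxlOBeZQQYbYS6WxSbIA"

    def test_parse_authz_without_code(self):
        """A callback missing the mandatory code parameter is rejected."""
        sid, _ = self._start_flow()
        params = AuthorizationResponse(code="SplxlOBeZQQYbYS6WxSbIA",
                                       state=sid).to_dict()
        params.pop("code")

        with pytest.raises(MissingRequiredAttribute):
            self.consumer.handle_authorization_response(query=urlencode(params))

    def test_parse_authz_access_denied(self):
        """An error response from the AS surfaces as AuthzError."""
        sid, _ = self._start_flow()
        denied = AuthorizationErrorResponse(error="access_denied", state=sid)

        with pytest.raises(AuthzError):
            self.consumer.handle_authorization_response(
                query=denied.to_urlencoded())

    def test_parse_access_token(self):
        """Implicit flow: the token delivered in the callback is stored on the grant."""
        self.consumer.response_type = ["token"]
        sid, _ = self._start_flow()

        callback = AccessTokenResponse(
            access_token="2YotnFZFEjr1zCsicMWpAA",
            token_type="example",
            refresh_token="tGzv3JOkF0XG5Qx2TlKWIA",
            example_parameter="example_value",
            state=sid,
        )

        res = self.consumer.handle_authorization_response(
            query=callback.to_urlencoded())

        assert isinstance(res, AccessTokenResponse)
        tokens = self.consumer.grant[sid].tokens
        assert len(tokens) == 1
        assert tokens[0].access_token == "2YotnFZFEjr1zCsicMWpAA"

    def test_parse_authz_invalid_client(self):
        """A token error response in the callback is reported as AuthzError."""
        self._start_flow()
        failure = TokenErrorResponse(error="invalid_client")

        with pytest.raises(AuthzError):
            self.consumer.handle_authorization_response(
                query=failure.to_urlencoded())

    def test_consumer_client_auth_info(self):
        """bearer_body auth puts client_id and client_secret in the request args, not headers."""
        self.consumer.client_secret = "secret0"
        request_args, http_args, extra = self.consumer.client_auth_info()
        assert request_args == {"client_secret": "secret0", "client_id": "number5"}
        assert http_args == {}
        assert extra == {"auth_method": "bearer_body"}

    def test_provider_config(self):
        """provider_config fetches the discovery document and parses it."""
        c = Consumer(None, None)
        response = ASConfigurationResponse(
            **{
                "issuer": "https://example.com",
                "end_session_endpoint": "https://example.com/end_session",
            })
        # Intercept the discovery request so the test never touches the network.
        with responses.RequestsMock() as rsps:
            rsps.add(
                responses.GET,
                "https://example.com/.well-known/openid-configuration",
                json=response.to_dict(),
            )
            info = c.provider_config("https://example.com")
        assert isinstance(info, ASConfigurationResponse)
        # "version" is not in the mocked document; presumably a default of the
        # response class.
        assert _eq(info.keys(), ["issuer", "version", "end_session_endpoint"])
        assert info["end_session_endpoint"] == "https://example.com/end_session"

    def test_client_get_access_token_request(self):
        """The token request for a seeded grant has the expected URL, body and header."""
        state = "state"
        self.consumer.client_secret = "secret0"
        self.consumer.redirect_uris = ["https://www.example.com/oic/cb"]

        seeded = (
            (AuthorizationResponse,
             AuthorizationResponse(code="auth_grant", state=state)),
            (AccessTokenResponse,
             AccessTokenResponse(access_token="token1",
                                 token_type="Bearer",
                                 expires_in=0,
                                 state=state)),
        )
        for klass, message in seeded:
            self.consumer.parse_response(klass, message.to_urlencoded(),
                                         "urlencoded")

        url, body, http_args = self.consumer.get_access_token_request(state)
        assert url_compare(url, "http://localhost:8088/token")
        # Note the body carries client_secret (bearer_body auth method).
        expected_params = (
            "redirect_uri=https%3A%2F%2Fwww.example.com%2Foic%2Fcb&client_id=number5&state=state&"
            "code=auth_grant&grant_type=authorization_code&client_secret=secret0"
        )

        assert query_string_compare(body, expected_params)
        assert http_args == {
            "headers": {
                "Content-Type": "application/x-www-form-urlencoded"
            }
        }

    def test_access_token_storage_with_custom_response_class(self):
        """A subclassed AccessTokenResponse is stored with its extra attribute intact."""
        state = "state"

        class AccessTokenResponseWrapper(AccessTokenResponse):
            """Response wrapper to get "expires_in" in hours."""

            c_param = AccessTokenResponse.c_param.copy()
            c_param.update({"expires_in_hours": SINGLE_OPTIONAL_INT})

            def __init__(self, **kwargs):
                super().__init__(**kwargs)
                # Derived field; only set when expires_in is present and non-zero.
                if "expires_in" in self and self["expires_in"]:
                    self["expires_in_hours"] = self["expires_in"] // 3600

        resp = AccessTokenResponseWrapper(
            access_token="2YotnFZFEjr1zCsiAB",
            token_type="Bearer",
            expires_in=3600,
            state=state,
        )
        self.consumer.parse_response(AccessTokenResponseWrapper,
                                     resp.to_urlencoded(), "urlencoded")

        tokens = self.consumer.grant[state].tokens
        assert len(tokens) == 1
        assert tokens[0].access_token == "2YotnFZFEjr1zCsiAB"
        # expires_in=3600 must yield an expiration strictly in the future.
        assert tokens[0].token_expiration_time > time_util.time_sans_frac()
        assert tokens[0].expires_in_hours == 1  # type: ignore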
class _OAuthBackend(BackendModule):
    """
    Backend module for OAuth 2.0, should not be directly used.
    See satosa.backends.oauth.FacebookBackend.

    Owns the proxy side of the authorization-code flow: minting a per-request
    ``state`` and redirecting to the AS (start_auth), checking that ``state``
    on the way back (_verify_state), and exchanging the code for an access
    token before asking the subclass for the user's attributes
    (_authn_response). Subclasses implement auth_info and user_information.
    """
    def __init__(self, outgoing, internal_attributes, config, base_url, name,
                 external_type, user_id_attr):
        """
        :param outgoing: Callback should be called by the module after the authorization in the
        backend is done.
        :param internal_attributes: Mapping dictionary between SATOSA internal attribute names and
        the names returned by underlying IdP's/OP's as well as what attributes the calling SP's and
        RP's expects namevice.
        :param config: Configuration parameters for the module. Keys read here: base_url,
        authz_page, client_config, server_info, response_type, client_secret.
        :param base_url: base url of the service
        :param name: name of the plugin
        :param external_type: The name for this module in the internal attributes.
        :param user_id_attr: Key of the user-information dict whose value becomes the
        internal subject_id (see _authn_response).

        :type outgoing:
        (satosa.context.Context, satosa.internal.InternalData) -> satosa.response.Response
        :type internal_attributes: dict[string, dict[str, str | list[str]]]
        :type config: dict[str, dict[str, str] | list[str]]
        :type base_url: str
        :type name: str
        :type external_type: str
        :type user_id_attr: str
        """
        super().__init__(outgoing, internal_attributes, base_url, name)
        self.config = config
        # Callback the AS redirects to after authorization; the same value is
        # sent again as redirect_uri in the token request (_authn_response).
        self.redirect_url = "%s/%s" % (self.config["base_url"],
                                       self.config["authz_page"])
        self.external_type = external_type
        self.user_id_attr = user_id_attr
        # NOTE(review): session_db=None — the Consumer is given no session
        # store; the state round-trip is tracked in context.state instead
        # (see start_auth / _authn_response).
        self.consumer = Consumer(session_db=None,
                                 client_config=self.config["client_config"],
                                 server_info=self.config["server_info"],
                                 authz_page=self.config["authz_page"],
                                 response_type=self.config["response_type"])
        self.consumer.client_secret = self.config["client_secret"]

    def start_auth(self, context, internal_request, get_state=stateID):
        """
        See super class method satosa.backends.base#start_auth
        :param get_state: Generates a state to be used in the authentication call.

        :type get_state: Callable[[str, bytes], str]
        :type context: satosa.context.Context
        :type internal_request: satosa.internal.InternalData
        :rtype satosa.response.Redirect
        """
        request_args = self.get_request_args(get_state=get_state)
        # Remember the freshly minted state under this backend's name so that
        # _authn_response can match the callback against it.
        context.state[self.name] = {"state": request_args["state"]}
        cis = self.consumer.construct_AuthorizationRequest(
            request_args=request_args)
        return Redirect(cis.request(self.consumer.authorization_endpoint))

    def get_request_args(self, get_state=stateID):
        """
        Build the extra parameters for the authorization request.

        :param get_state: Generates the state value from the proxy base URL and
        fresh random bytes (rndstr()).
        :type get_state: Callable[[str, bytes], str]
        :rtype: dict[str, str]
        :return: redirect_uri and state for the authorization request.
        """
        oauth_state = get_state(self.config["base_url"], rndstr().encode())
        request_args = {
            "redirect_uri": self.redirect_url,
            "state": oauth_state,
        }
        return request_args

    def register_endpoints(self):
        """
        Creates a list of all the endpoints this backend module needs to listen to. In this case
        it's the authentication response from the underlying OP that is redirected from the OP to
        the proxy.
        :rtype: Sequence[(str, Callable[[satosa.context.Context], satosa.response.Response]]
        :return: A list that can be used to map the request to SATOSA to this endpoint.
        """
        # Anchored pattern: only the exact authz_page path is routed here.
        return [("^%s$" % self.config["authz_page"], self._authn_response)]

    def _verify_state(self, resp, state_data, state):
        """
        Will verify the state and throw and error if the state is invalid.
        :type resp: AuthorizationResponse
        :type state_data: dict[str, str]
        :type state: satosa.state.State

        :param resp: The authorization response from the AS, created by pyoidc.
        :param state_data: The state data for this backend.
        :param state: The current state for the proxy and this backend.
        Only used for raising errors.
        :raises SATOSAAuthenticationError: when either side lacks a state or
        the two values differ.
        """
        # Both sides must carry a state and the values must be equal: this ties
        # the callback to the authorization request this proxy issued (the
        # standard OAuth 2.0 CSRF binding). A missing state on either side is
        # treated the same as a mismatch.
        is_known_state = "state" in resp and "state" in state_data and resp[
            "state"] == state_data["state"]
        if not is_known_state:
            # The received value is echoed in both the debug log and the error.
            received_state = resp.get("state", "")
            msg = "Missing or invalid state [{}] in response!".format(
                received_state)
            logline = lu.LOG_FMT.format(id=lu.get_session_id(state),
                                        message=msg)
            logger.debug(logline)
            raise SATOSAAuthenticationError(
                state,
                "Missing or invalid state [%s] in response!" % received_state)

    def _authn_response(self, context):
        """
        Handles the authentication response from the AS.

        :type context: satosa.context.Context
        :rtype: satosa.response.Response
        :param context: The context in SATOSA
        :return: A SATOSA response. This method is only responsible to call the callback function
        which generates the Response object.
        """
        state_data = context.state[self.name]
        # The callback's request parameters are handed to pyoidc as JSON.
        # NOTE(review): assumes parse_response raises on an error response;
        # otherwise aresp["code"] below would KeyError — confirm.
        aresp = self.consumer.parse_response(AuthorizationResponse,
                                             info=json.dumps(context.request))
        # State is checked before the code is used for anything.
        self._verify_state(aresp, state_data, context.state)

        # redirect_uri is repeated in the token request, as it was present in
        # the authorization request.
        rargs = {
            "code": aresp["code"],
            "redirect_uri": self.redirect_url,
            "state": state_data["state"]
        }

        atresp = self.consumer.do_access_token_request(request_args=rargs,
                                                       state=aresp["state"])
        # Second state check, against the token response: on by default, only
        # skipped when the config explicitly sets verify_accesstoken_state
        # to a falsy value.
        if "verify_accesstoken_state" not in self.config or self.config[
                "verify_accesstoken_state"]:
            self._verify_state(atresp, state_data, context.state)

        user_info = self.user_information(atresp["access_token"])
        internal_response = InternalData(
            auth_info=self.auth_info(context.request))
        internal_response.attributes = self.converter.to_internal(
            self.external_type, user_info)
        # KeyError if the subclass's user_information lacks user_id_attr.
        internal_response.subject_id = user_info[self.user_id_attr]
        # The stored state is single-use and is dropped here; note this is
        # only reached on the success path.
        del context.state[self.name]
        return self.auth_callback_func(context, internal_response)

    def auth_info(self, request):
        """
        Creates the SATOSA authentication information object.
        :type request: dict[str, str]
        :rtype: AuthenticationInformation

        :param request: The request parameters in the authentication response sent by the AS.
        :return: How, who and when the autentication took place.
        :raises NotImplementedError: always; subclasses must override.
        """
        raise NotImplementedError(
            "Method 'auth_info' must be implemented in the subclass!")

    def user_information(self, access_token):
        """
        Will retrieve the user information data for the authenticated user.
        :type access_token: str
        :rtype: dict[str, str]

        :param access_token: The access token to be used to retrieve the data.
        :return: Dictionary with attribute name as key and attribute value as value.
        :raises NotImplementedError: always; subclasses must override.
        """
        raise NotImplementedError(
            "Method 'user_information' must be implemented in the subclass!")

    def get_metadata_desc(self):
        """
        See satosa.backends.oauth.get_metadata_desc
        :rtype: satosa.metadata_creation.description.MetadataDescription
        """
        return get_metadata_desc_for_oauth_backend(
            self.config["server_info"]["authorization_endpoint"], self.config)
class TestConsumer(object):
    """Exercise the OAuth 2.0 Consumer; every test gets a fresh instance."""

    #: Base URL of the client application handed to Consumer.begin.
    CLIENT_BASE = "http://localhost:8087"
    #: Authorization endpoint Consumer.begin redirects the user agent to.
    AUTHZ_ENDPOINT = "http://localhost:8088/authorization"

    @pytest.fixture(autouse=True)
    def create_consumer(self):
        """Build a Consumer backed by an empty session dict for each test."""
        self.consumer = Consumer({},
                                 client_config=CLIENT_CONFIG,
                                 server_info=SERVER_INFO,
                                 **CONSUMER_CONFIG)

    def _start_flow(self):
        """Start the authorization-code flow; return (session id, location)."""
        return self.consumer.begin(self.CLIENT_BASE, self.AUTHZ_ENDPOINT)

    def test_init(self):
        """_backup stores the session id; without server_info no endpoint is known."""
        configured = Consumer({},
                              client_config=CLIENT_CONFIG,
                              server_info=SERVER_INFO,
                              **CONSUMER_CONFIG)
        configured._backup("123456")
        assert "123456" in configured.sdb

        no_server = Consumer({}, client_config=CLIENT_CONFIG, **CONSUMER_CONFIG)
        assert no_server.authorization_endpoint is None

        no_client = Consumer({}, **CONSUMER_CONFIG)
        assert no_client.authorization_endpoint is None

    def test_begin(self):
        """The redirect carries scope, state (the sid), redirect_uri, response_type and client_id."""
        sid, loc = self._start_flow()

        # state is generated per call, so the expectation is built from sid
        query = urlencode({
            "scope": "openid",
            "state": sid,
            "redirect_uri": "http://localhost:8087/authz",
            "response_type": "code",
            "client_id": "number5",
        })
        assert url_compare(loc, "{}?{}".format(self.AUTHZ_ENDPOINT, query))

    def test_handle_authorization_response(self):
        """A code response for a known state is parsed and the code stored on the grant."""
        sid, _ = self._start_flow()
        callback = AuthorizationResponse(code="SplxlOBeZQQYbYS6WxSbIA", state=sid)

        res = self.consumer.handle_authorization_response(
            query=callback.to_urlencoded())

        assert isinstance(res, AuthorizationResponse)
        assert self.consumer.grant[sid].code == "SplxlOBeZQQYbYS6WxSbIA"

    def test_parse_authz_without_code(self):
        """A callback missing the mandatory code parameter is rejected."""
        sid, _ = self._start_flow()
        params = AuthorizationResponse(code="SplxlOBeZQQYbYS6WxSbIA",
                                       state=sid).to_dict()
        params.pop("code")

        with pytest.raises(MissingRequiredAttribute):
            self.consumer.handle_authorization_response(query=urlencode(params))

    def test_parse_authz_access_denied(self):
        """An error response from the AS surfaces as AuthzError."""
        sid, _ = self._start_flow()
        denied = AuthorizationErrorResponse(error="access_denied", state=sid)

        with pytest.raises(AuthzError):
            self.consumer.handle_authorization_response(
                query=denied.to_urlencoded())

    def test_parse_access_token(self):
        """Implicit flow: the token delivered in the callback is stored on the grant."""
        self.consumer.response_type = ["token"]
        sid, _ = self._start_flow()

        callback = AccessTokenResponse(access_token="2YotnFZFEjr1zCsicMWpAA",
                                       token_type="example",
                                       refresh_token="tGzv3JOkF0XG5Qx2TlKWIA",
                                       example_parameter="example_value",
                                       state=sid)

        res = self.consumer.handle_authorization_response(
            query=callback.to_urlencoded())

        assert isinstance(res, AccessTokenResponse)
        tokens = self.consumer.grant[sid].tokens
        assert len(tokens) == 1
        assert tokens[0].access_token == "2YotnFZFEjr1zCsicMWpAA"

    def test_parse_authz_invalid_client(self):
        """A token error response in the callback is reported as AuthzError."""
        self._start_flow()
        failure = TokenErrorResponse(error="invalid_client")

        with pytest.raises(AuthzError):
            self.consumer.handle_authorization_response(
                query=failure.to_urlencoded())

    def test_consumer_client_auth_info(self):
        """bearer_body auth puts client_id and client_secret in the request args, not headers."""
        self.consumer.client_secret = "secret0"
        request_args, http_args, extra = self.consumer.client_auth_info()
        assert request_args == {'client_secret': 'secret0', 'client_id': 'number5'}
        assert http_args == {}
        assert extra == {'auth_method': 'bearer_body'}

    def test_client_get_access_token_request(self):
        """The token request for a seeded grant has the expected URL, body and header."""
        state = "state"
        self.consumer.client_secret = "secret0"
        self.consumer.redirect_uris = ["https://www.example.com/oic/cb"]

        seeded = (
            (AuthorizationResponse,
             AuthorizationResponse(code="auth_grant", state=state)),
            (AccessTokenResponse,
             AccessTokenResponse(access_token="token1",
                                 token_type="Bearer",
                                 expires_in=0,
                                 state=state)),
        )
        for klass, message in seeded:
            self.consumer.parse_response(klass, message.to_urlencoded(),
                                         "urlencoded")

        url, body, http_args = self.consumer.get_access_token_request(state)
        assert url_compare(url, "http://localhost:8088/token")
        # Note the body carries client_secret (bearer_body auth method).
        expected_params = (
            'redirect_uri=https%3A%2F%2Fwww.example.com%2Foic%2Fcb&client_id=number5&state=state&'
            'code=auth_grant&grant_type=authorization_code&client_secret=secret0'
        )

        assert query_string_compare(body, expected_params)
        assert http_args == {
            'headers': {
                'Content-Type': 'application/x-www-form-urlencoded'
            }
        }
class _OAuthBackend(BackendModule):
    """
    Backend module for OAuth 2.0, should not be directly used.
    See satosa.backends.oauth.FacebookBackend.
    """

    def __init__(self, outgoing, internal_attributes, config, base_url, name, external_type, user_id_attr):
        """
        :param outgoing: Callback should be called by the module after the authorization in the
        backend is done.
        :param internal_attributes: Mapping dictionary between SATOSA internal attribute names and
        the names returned by underlying IdP's/OP's as well as what attributes the calling SP's and
        RP's expects namevice.
        :param config: Configuration parameters for the module.
        :param base_url: base url of the service
        :param name: name of the plugin
        :param external_type: The name for this module in the internal attributes.
        :param user_id_attr: Key of the user-info dictionary whose value becomes the internal
        user id (see _authn_response).

        :type outgoing:
        (satosa.context.Context, satosa.internal_data.InternalResponse) -> satosa.response.Response
        :type internal_attributes: dict[string, dict[str, str | list[str]]]
        :type config: dict[str, dict[str, str] | list[str]]
        :type base_url: str
        :type name: str
        :type external_type: str
        :type user_id_attr: str
        """
        super().__init__(outgoing, internal_attributes, base_url, name)
        self.config = config
        cfg = self.config
        # The redirect_uri is fixed from configuration, never taken from a request; the same
        # page is what register_endpoints() listens on.
        self.redirect_url = "{}/{}".format(cfg["base_url"], cfg["authz_page"])
        self.external_type = external_type
        self.user_id_attr = user_id_attr

        consumer = Consumer(
            session_db=None,
            client_config=cfg["client_config"],
            server_info=cfg["server_info"],
            authz_page=cfg["authz_page"],
            response_type=cfg["response_type"])
        consumer.client_secret = cfg["client_secret"]
        self.consumer = consumer

    def start_auth(self, context, internal_request, get_state=stateID):
        """
        See super class method satosa.backends.base#start_auth
        :param get_state: Generates a state to be used in the authentication call.

        :type get_state: Callable[[str, bytes], str]
        :type context: satosa.context.Context
        :type internal_request: satosa.internal_data.InternalRequest
        :rtype satosa.response.Redirect
        """
        # A fresh per-login state value: it is kept server-side under this backend's name and
        # compared in _verify_state when the AS redirects back, which ties the response to
        # the login that started here.
        oauth_state = get_state(self.config["base_url"], rndstr().encode())
        context.state[self.name] = {"state": oauth_state}

        authz_request = self.consumer.construct_AuthorizationRequest(
            request_args={"redirect_uri": self.redirect_url, "state": oauth_state})
        return Redirect(authz_request.request(self.consumer.authorization_endpoint))

    def register_endpoints(self):
        """
        Creates a list of all the endpoints this backend module needs to listen to. In this case
        it's the authentication response from the underlying OP that is redirected from the OP to
        the proxy.
        :rtype: Sequence[(str, Callable[[satosa.context.Context], satosa.response.Response]]
        :return: A list that can be used to map the request to SATOSA to this endpoint.
        """
        # NOTE(review): authz_page is interpolated into the pattern unescaped, so a configured
        # value containing regex metacharacters matches more than the literal path. Only an
        # operator controls this value, so it is a configuration footgun rather than an
        # exposure; re.escape() would pin it to the literal page.
        pattern = "^{}$".format(self.config["authz_page"])
        return [(pattern, self._authn_response)]

    def _verify_state(self, resp, state_data, state):
        """
        Will verify the state and throw and error if the state is invalid.
        :type resp: AuthorizationResponse
        :type state_data: dict[str, str]
        :type state: satosa.state.State

        :param resp: The authorization response from the AS, created by pyoidc.
        :param state_data: The state data for this backend.
        :param state: The current state for the proxy and this backend.
        Only used for raising errors.
        :raise SATOSAAuthenticationError: if ``resp`` carries no state, no state was stored
        for this login, or the two values differ.
        """
        # Both sides must be present and equal: a missing value on either side is treated the
        # same as a mismatch, so a response cannot pass by simply omitting the parameter.
        # NOTE(review): ``==`` is not a constant-time comparison; the state is a per-login
        # nonce rather than a long-lived secret, so this is likely acceptable, but
        # hmac.compare_digest would settle the question.
        if "state" in resp and "state" in state_data and resp["state"] == state_data["state"]:
            return

        received_state = resp.get("state", "")
        message = "Missing or invalid state [%s] in response!" % received_state
        satosa_logging(logger, logging.DEBUG, message, state)
        raise SATOSAAuthenticationError(state, message)

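    def _authn_response(self, context):
        """
        Handles the authentication response from the AS.

        :type context: satosa.context.Context
        :rtype: satosa.response.Response
        :param context: The context in SATOSA
        :return: A SATOSA response. This method is only responsible to call the callback function
        which generates the Response object.
        :raise SATOSAAuthenticationError: if the response carries a missing or unknown state
        (see _verify_state), or if it is an error response / has no authorization code.
        """
        state_data = context.state[self.name]
        # The request parameters are re-serialised so pyoidc parses them with its default format.
        aresp = self.consumer.parse_response(AuthorizationResponse, info=json.dumps(context.request))
        # Bind the response to the login started in start_auth before anything in it is used.
        self._verify_state(aresp, state_data, context.state)

        # An AS that denies the request answers with ``error`` instead of ``code``
        # (RFC 6749, section 4.1.2.1). Without this guard the ``aresp["code"]`` lookup below
        # fails with a bare KeyError instead of an authentication error SATOSA can report.
        if "code" not in aresp:
            reason = aresp.get("error", "missing authorization code")
            message = "Authorization response without code [%s]!" % reason
            satosa_logging(logger, logging.DEBUG, message, context.state)
            raise SATOSAAuthenticationError(context.state, message)

        rargs = {"code": aresp["code"], "redirect_uri": self.redirect_url,
                 "state": state_data["state"]}

        atresp = self.consumer.do_access_token_request(request_args=rargs, state=aresp["state"])
        # The token response is expected to echo the state unless the deployment opts out.
        if self.config.get("verify_accesstoken_state", True):
            self._verify_state(atresp, state_data, context.state)

        user_info = self.user_information(atresp["access_token"])
        # auth_info() and user_information() are supplied by the concrete backend;
        # converter and auth_callback_func come from the base class (not visible here).
        internal_response = InternalResponse(auth_info=self.auth_info(context.request))
        internal_response.attributes = self.converter.to_internal(self.external_type, user_info)
        internal_response.user_id = user_info[self.user_id_attr]
        # The per-login state is single-use; drop it once the response has been consumed.
        del context.state[self.name]
        return self.auth_callback_func(context, internal_response)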

    def auth_info(self, request):
        """
        Creates the SATOSA authentication information object.
        :type request: dict[str, str]
        :rtype: AuthenticationInformation

        :param request: The request parameters in the authentication response sent by the AS.
        :return: How, who and when the autentication took place.
        :raise NotImplementedError: always; concrete backends must override this.
        """
        message = "Method 'auth_info' must be implemented in the subclass!"
        raise NotImplementedError(message)

    def user_information(self, access_token):
        """
        Will retrieve the user information data for the authenticated user.
        :type access_token: str
        :rtype: dict[str, str]

        :param access_token: The access token to be used to retrieve the data.
        :return: Dictionary with attribute name as key and attribute value as value.
        :raise NotImplementedError: always; concrete backends must override this.
        """
        message = "Method 'user_information' must be implemented in the subclass!"
        raise NotImplementedError(message)

    def get_metadata_desc(self):
        """
        See satosa.backends.oauth.get_metadata_desc
        :rtype: satosa.metadata_creation.description.MetadataDescription
        """
        authorization_endpoint = self.config["server_info"]["authorization_endpoint"]
        return get_metadata_desc_for_oauth_backend(self.config, authorization_endpoint)