def __init__(
self,
conf: Dict,
entity_conf: Optional[List[dict]] = None,
base_path: Optional[str] = '',
domain: Optional[str] = "",
port: Optional[int] = 0,
file_attributes: Optional[List[str]] = None,
dir_attributes: Optional[List[str]] = None,
):
file_attributes = file_attributes or DEFAULT_FED_FILE_ATTRIBUTE_NAMES
dir_attributes = dir_attributes or DEFAULT_DIR_ATTRIBUTE_NAMES
OPConfiguration.__init__(self,
conf,
base_path=base_path,
file_attributes=file_attributes,
domain=domain,
port=port,
dir_attributes=dir_attributes)
self.federation = FedEntityConfiguration(
conf["federation"],
base_path=base_path,
domain=domain,
port=port,
file_attributes=self._file_attributes,
dir_attributes=self._dir_attributes)
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {}
},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
self.endpoint_context = server.endpoint_context
self.endpoint = server.server_get("endpoint", "provider_config")
def test_missing_token_endpoint():
conf = {
"issuer": "https://example.com/",
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"authorization": {
"path": "authorization",
"class": "oidcop.oauth2.authorization.Authorization",
"kwargs": {},
},
"introspection": {
"path": "introspection",
"class": "oidcop.oauth2.introspection.Introspection",
"kwargs": {},
},
},
}
configuration = OPConfiguration(conf,
base_path=BASEDIR,
domain="127.0.0.1",
port=443)
server = Server(configuration)
add_pkce_support(server.server_get("endpoints"))
assert "pkce" not in server.server_get("endpoint_context").args
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
"webfinger": {
"path": ".well-known/webfinger",
"class": Discovery,
"kwargs": {
"client_authn_method": None
},
}
},
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
self.endpoint = server.server_get("endpoint", "discovery")
def oidcop_application(conf=None):
conf = conf or settings.OIDCOP_CONFIG
domain = getattr(settings, 'DOMAIN', None)
port = getattr(settings, 'PORT', None)
config = OPConfiguration(conf=conf['op']['server_info'],
domain=domain,
port=port)
app = oidc_provider_init_app(config)
os.environ['OIDCOP_CONFIG'] = json.dumps(conf)
return app
def test_server_login_hint_lookup():
_str = open(full_path("op_config.json")).read()
_conf = json.loads(_str)
configuration = OPConfiguration(conf=_conf,
base_path=BASEDIR,
domain="127.0.0.1",
port=443)
server = Server(configuration)
assert server.endpoint_context.login_hint_lookup(
"tel:0907865000") == "diana"
def create_endpoint(self):
try:
shutil.rmtree("db")
except FileNotFoundError:
pass
server1 = Server(OPConfiguration(conf=ENDPOINT_CONTEXT_CONFIG,
base_path=BASEDIR),
cwd=BASEDIR)
server2 = Server(OPConfiguration(conf=ENDPOINT_CONTEXT_CONFIG,
base_path=BASEDIR),
cwd=BASEDIR)
server1.endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
_store = server1.endpoint_context.dump()
server2.endpoint_context.load(
_store,
init_args={
"server_get": server2.server_get,
"handler":
server2.endpoint_context.session_manager.token_handler,
},
)
self.endpoint = {
1: server1.server_get("endpoint", "userinfo"),
2: server2.server_get("endpoint", "userinfo"),
}
self.session_manager = {
1: server1.endpoint_context.session_manager,
2: server2.endpoint_context.session_manager,
}
self.user_id = "diana"
def setup_token_handler(self):
password = "******"
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"keys": {
"key_defs": KEYDEFS,
"uri_path": "static/jwks.json"
},
"jwks_uri": "https://example.com/jwks.json",
"token_handler_args": {
"code": {
"kwargs": {
"lifetime": 600,
"password": password
}
},
"token": {
"kwargs": {
"lifetime": 900,
"password": password
}
},
"refresh": {
"kwargs": {
"lifetime": 86400,
"password": password
}
},
},
"endpoint": {
"authorization_endpoint": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"token_endpoint": {
"path": "{}/token",
"class": Token,
"kwargs": {}
},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
self.endpoint_context = server.endpoint_context
self.session_manager = self.endpoint_context.session_manager
def create_endpoint_context(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": ["query", "fragment", "form_post"],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
}
},
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
"authentication": {
"anon": {"acr": UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "******"},},
},
"cookie_handler": {
"class": "oidcop.cookie_handler.CookieHandler",
"kwargs": {
"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]
)
self.endpoint = server.server_get("endpoint", "authorization")
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
def test_op_configure_default():
_str = open(full_path("op_config.json")).read()
_conf = json.loads(_str)
configuration = OPConfiguration(conf=_conf,
base_path=BASEDIR,
domain="127.0.0.1",
port=443)
assert configuration
assert "add_on" in configuration
authz = configuration["authz"]
assert set(authz.keys()) == {"kwargs", "class"}
id_token_conf = configuration.get("id_token", {})
assert set(id_token_conf.keys()) == {"kwargs", "class"}
assert id_token_conf["kwargs"] == {
"base_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
}
def test_capabilities_default():
_str = open(full_path("op_config.json")).read()
_conf = json.loads(_str)
configuration = OPConfiguration(conf=_conf, base_path=BASEDIR, domain="127.0.0.1", port=443)
server = Server(configuration)
assert set(server.endpoint_context.provider_info["response_types_supported"]) == {
"code",
"token",
"id_token",
"code token",
"code id_token",
"id_token token",
"code id_token token",
}
assert server.endpoint_context.provider_info["request_uri_parameter_supported"] is True
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {"key_defs": KEYDEFS, "uri_path": "static/jwks.json"},
"cookie_handler": {
"class": CookieHandler,
"kwargs": {"keys": {"key_defs": COOKIE_KEY_DEFS}},
},
"endpoint": {
"registration": {
"path": "registration",
"class": Registration,
"kwargs": {"client_auth_method": None},
},
"registration_api": {
"path": "registration_api",
"class": RegistrationRead,
"kwargs": {"client_authn_method": ["bearer_header"]},
},
"authorization": {"path": "authorization", "class": Authorization, "kwargs": {},},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {"path": "userinfo", "class": UserInfo, "kwargs": {}},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
self.registration_endpoint = server.server_get("endpoint", "registration")
self.registration_api_endpoint = server.server_get("endpoint", "registration_read")
def create_endpoint(self, conf):
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
endpoint_context = server.endpoint_context
endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
endpoint_context.keyjar.import_jwks(CLIENT_KEYJAR.export_jwks(),
"client_1")
self.session_manager = endpoint_context.session_manager
self.token_endpoint = server.server_get("endpoint", "token")
self.user_id = "diana"
self.endpoint_context = endpoint_context
def create_endpoint_context(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
}
},
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
"authentication": {
"user": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": UserPassJinja2,
"verify_endpoint": "verify/user",
"kwargs": {
"template": "user_pass.jinja2",
"sym_key": "24AA/LR6HighEnergy",
"db": {
"class": JSONDictDB,
"kwargs": {"filename": full_path("passwd.json")},
},
"page_header": "Testing log in",
"submit_btn": "Get me in!",
"user_label": "Nickname",
"passwd_label": "Secret sauce",
},
},
"anon": {"acr": UNSPECIFIED, "class": NoAuthn, "kwargs": {"user": "******"},},
},
"cookie_handler": {
"class": "oidcop.cookie_handler.CookieHandler",
"kwargs": {"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch"},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
self.endpoint_context = server.endpoint_context
def test_op_configure():
_str = open(full_path("op_config.json")).read()
_conf = json.loads(_str)
configuration = OPConfiguration(conf=_conf,
base_path=BASEDIR,
domain="127.0.0.1",
port=443)
assert configuration
assert "add_on" in configuration
authz_conf = configuration["authz"]
assert set(authz_conf.keys()) == {"kwargs", "class"}
id_token_conf = configuration.get("id_token")
assert set(id_token_conf.keys()) == {"kwargs", "class"}
with pytest.raises(KeyError):
_ = configuration["foobar"]
assert configuration.get("foobar", {}) == {}
userinfo_conf = configuration.get("userinfo")
assert userinfo_conf["kwargs"]["db_file"].startswith(BASEDIR)
args = dict(configuration.items())
assert "add_on" in args
def create_endpoint(self):
conf = {
"issuer": ISS,
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"provider_config": {
"path": "{}/.well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {
"client_authn_method": None
},
},
"registration": {
"path": "{}/registration",
"class": Registration,
"kwargs": {
"client_authn_method": None
},
},
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"client_authn_method": None
},
},
"token": {
"path": "{}/token",
"class": Token,
"kwargs": {}
},
"userinfo": {
"path": "{}/userinfo",
"class": userinfo.UserInfo,
"kwargs": {
"db_file": "users.json"
},
},
"session": {
"path": "{}/end_session",
"class": Session,
"kwargs": {
"post_logout_uri_path": "post_logout",
"signing_alg": "ES256",
"logout_verify_url": "{}/verify_logout".format(ISS),
"client_authn_method": None,
},
},
},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"userinfo": {
"class": UserInfo,
"kwargs": {
"db": USERINFO_db
}
},
"template_dir": "template",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [{
"type": "oct",
"bytes": "24",
"use": ["enc"],
"kid": "code"
}],
},
"code": {
"kwargs": {
"lifetime": 600
}
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
},
}
cookie_conf = {
"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
}
self.cd = CookieHandler(**cookie_conf)
server = Server(
OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR,
cookie_handler=self.cd,
keyjar=KEYJAR,
)
endpoint_context = server.endpoint_context
endpoint_context.cdb = {
"client_1": {
"client_secret": "hemligt",
"redirect_uris": [("{}cb".format(CLI1), None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types":
["code", "token", "code id_token", "id_token"],
"post_logout_redirect_uris":
[("{}logout_cb".format(CLI1), "")],
},
"client_2": {
"client_secret": "hemligare",
"redirect_uris": [("{}cb".format(CLI2), None)],
"client_salt": "saltare",
"token_endpoint_auth_method": "client_secret_post",
"response_types":
["code", "token", "code id_token", "id_token"],
"post_logout_redirect_uris":
[("{}logout_cb".format(CLI2), "")],
},
}
self.session_manager = endpoint_context.session_manager
self.authn_endpoint = server.server_get("endpoint", "authorization")
self.session_endpoint = server.server_get("endpoint", "session")
self.token_endpoint = server.server_get("endpoint", "token")
self.user_id = "diana"
def setup_session_manager(self):
conf = {
"issuer": ISSUER,
"password": "******",
"token_expires_in": 600,
"grant_expires_in": 300,
"refresh_token_expires_in": 86400,
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {
"uri_path": "jwks.json",
"key_defs": KEYDEFS
},
"token_handler_args": {
"jwks_file": "private/token_jwks.json",
"code": {
"lifetime": 600
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime":
3600,
"add_claims": [
"email",
"email_verified",
"phone_number",
"phone_number_verified",
],
"add_claim_by_scope":
True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {},
},
"endpoint": {
"provider_config": {
"path": "{}/.well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "{}/registration",
"class": Registration,
"kwargs": {},
},
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"token": {
"path": "{}/token",
"class": Token,
"kwargs": {}
},
"session": {
"path": "{}/end_session",
"class": Session
},
},
"client_authn": verify_client,
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"userinfo": {
"class": user_info.UserInfo,
"kwargs": {
"db_file": full_path("users.json")
},
},
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
keyjar=KEYJAR,
cwd=BASEDIR)
self.endpoint_context = server.endpoint_context
self.session_manager = self.endpoint_context.session_manager
def create_endpoint_context(self):
conf = {
"userinfo": {
"class": UserInfo,
"kwargs": {
"db": USERINFO_DB
}
},
"password": "******",
"issuer": "https://example.com/op",
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [{
"type": "oct",
"bytes": "24",
"use": ["enc"],
"kid": "code"
}],
},
"code": {
"kwargs": {
"lifetime": 600
}
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": None,
"email_verified": None,
},
"enable_claims_per_client": True,
},
},
},
"endpoint": {
"provider_config": {
"path": "{}/.well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "{}/registration",
"class": Registration,
"kwargs": {},
},
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported":
[" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": [
"query",
"fragment",
"form_post",
],
"claims_parameter_supported":
True,
"request_parameter_supported":
True,
"request_uri_parameter_supported":
True,
},
},
"userinfo": {
"path": "userinfo",
"class": userinfo.UserInfo,
"kwargs": {
"claim_types_supported": [
"normal",
"aggregated",
"distributed",
],
"client_authn_method": ["bearer_header"],
"base_claims": {
"eduperson_scoped_affiliation": None,
"email": None,
},
"add_claims_by_scope":
True,
"enable_claims_per_client":
True,
},
},
},
"keys": {
"public_path": "jwks.json",
"key_defs": KEYDEFS,
"uri_path": "static/jwks.json",
},
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
self.endpoint_context = server.endpoint_context
# Just has to be there
self.endpoint_context.cdb["client1"] = {}
self.session_manager = self.endpoint_context.session_manager
self.claims_interface = ClaimsInterface(server.server_get)
self.user_id = "diana"
self.server = server
def test_token_handler_from_config():
conf = {
"issuer": "https://example.com/op",
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"endpoint": {
"path": "endpoint",
"class": Endpoint,
"kwargs": {}
},
},
"token_handler_args": {
"jwks_def": {
"private_path":
"private/token_jwks.json",
"read_only":
False,
"key_defs": [{
"type": "oct",
"bytes": "24",
"use": ["enc"],
"kid": "code"
}],
},
"code": {
"kwargs": {
"lifetime": 600
}
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
},
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
token_handler = server.endpoint_context.session_manager.token_handler
assert token_handler
assert len(token_handler.handler) == 4
assert set(token_handler.handler.keys()) == {
"authorization_code",
"access_token",
"refresh_token",
"id_token",
}
assert isinstance(token_handler.handler["authorization_code"],
DefaultToken)
assert isinstance(token_handler.handler["access_token"], JWTToken)
assert isinstance(token_handler.handler["refresh_token"], JWTToken)
assert isinstance(token_handler.handler["id_token"], IDToken)
assert token_handler.handler["authorization_code"].lifetime == 600
assert token_handler.handler["access_token"].alg == "ES256"
assert token_handler.handler["access_token"].kwargs == {
"add_claims_by_scope": True
}
assert token_handler.handler["access_token"].lifetime == 3600
assert token_handler.handler["access_token"].def_aud == [
"https://example.org/appl"
]
assert token_handler.handler["refresh_token"].alg == "ES256"
assert token_handler.handler["refresh_token"].kwargs == {}
assert token_handler.handler["refresh_token"].lifetime == 3600
assert token_handler.handler["refresh_token"].def_aud == [
"https://example.org/appl"
]
assert token_handler.handler["id_token"].lifetime == 300
assert "base_claims" in token_handler.handler["id_token"].kwargs
def test_file(jwks):
conf = {
"issuer": "https://example.com/op",
"keys": {
"uri_path": "static/jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"endpoint": {
"path": "endpoint",
"class": Endpoint,
"kwargs": {}
},
},
"token_handler_args": {
"code": {
"kwargs": {
"lifetime": 600
}
},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"aud": ["https://example.org/appl"],
},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {
"essential": True
},
"email_verified": {
"essential": True
},
}
},
},
},
}
for arg in ["jwks_file", "jwks_def"]:
try:
del conf["token_handler_args"][arg]
except KeyError:
pass
for _file in [
"private/token_jwks_1.json",
"private/token_jwks_2.json",
"private/token_jwks.json",
]:
if os.path.exists(full_path(_file)):
os.unlink(full_path(_file))
if jwks:
conf["token_handler_args"].update(jwks)
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
token_handler = server.endpoint_context.session_manager.token_handler
assert token_handler
if "jwks_file" in conf["token_handler_args"]:
assert os.path.exists(full_path("private/token_jwks_1.json"))
elif "jwks_def" in conf["token_handler_args"]:
assert os.path.exists(full_path("private/token_jwks_2.json"))
else:
assert os.path.exists(full_path("private/token_jwks.json"))
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"keys": {
"key_defs": COOKIE_KEYDEFS
},
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
"keys": {
"uri_path": "jwks.json",
"key_defs": KEYDEFS
},
"endpoint": {
"provider_config": {
"path": ".well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {
"path": "registration",
"class": Registration,
"kwargs": {},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_methods": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {
"path": "userinfo",
"class": userinfo.UserInfo,
"kwargs": {
"claim_types_supported": [
"normal",
"aggregated",
"distributed",
],
"client_authn_method": ["bearer_header"],
},
},
},
"userinfo": {
"class": user_info.UserInfo,
"kwargs": {
"db_file": full_path("users.json")
},
},
# "client_authn": verify_client,
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {
"user": "******"
},
}
},
"template_dir": "template",
"add_on": {
"custom_scopes": {
"function":
"oidcop.oidc.add_on.custom_scopes.add_custom_scopes",
"kwargs": {
"research_and_scholarship": [
"name",
"given_name",
"family_name",
"email",
"email_verified",
"sub",
"eduperson_scoped_affiliation",
]
},
}
},
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR),
cwd=BASEDIR)
endpoint_context = server.endpoint_context
endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
self.endpoint = server.server_get("endpoint", "userinfo")
self.session_manager = endpoint_context.session_manager
self.user_id = "diana"
def create_endpoint(self):
conf = {
"issuer": ISSUER,
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"add_on": {
"dpop": {
"function": "oidcop.oauth2.add_on.dpop.add_support",
"kwargs": {
"dpop_signing_alg_values_supported": ["ES256"]
}
},
},
"keys": {"uri_path": "jwks.json", "key_defs": KEYDEFS},
"token_handler_args": {
"jwks_file": "private/token_jwks.json",
"code": {"lifetime": 600},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"base_claims": {"eduperson_scoped_affiliation": None},
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"], },
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {"essential": True},
"email_verified": {"essential": True},
}
},
},
},
"endpoint": {
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {},
},
"token": {
"path": "{}/token",
"class": Token,
"kwargs": {}},
},
"client_authn": verify_client,
"authentication": {
"anon": {
"acr": INTERNETPROTOCOLPASSWORD,
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {"user": "******"},
}
},
"template_dir": "template",
"userinfo": {
"class": user_info.UserInfo,
"kwargs": {"db_file": "users.json"},
},
}
server = Server(OPConfiguration(conf, base_path=BASEDIR), keyjar=KEYJAR)
self.endpoint_context = server.endpoint_context
self.endpoint_context.cdb["client_1"] = {
"client_secret": "hemligt",
"redirect_uris": [("https://example.com/cb", None)],
"client_salt": "salted",
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token", "code id_token", "id_token"],
}
self.user_id = "diana"
self.token_endpoint = server.server_get("endpoint", "token")
self.session_manager = self.endpoint_context.session_manager
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
"keys": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
"token_handler_args": {
"jwks_file": "private/token_jwks.json",
"code": {"kwargs": {"lifetime": 600}},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {"essential": True},
"email_verified": {"essential": True},
"given_name": {"essential": True},
"nickname": None,
}
},
},
},
"endpoint": {
"provider_config": {
"path": "{}/.well-known/openid-configuration",
"class": ProviderConfiguration,
"kwargs": {},
},
"registration": {"path": "{}/registration", "class": Registration, "kwargs": {},},
"authorization": {
"path": "{}/authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": ["query", "fragment", "form_post"],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {
"path": "userinfo",
"class": userinfo.UserInfo,
"kwargs": {
"db_file": "users.json",
"claim_types_supported": ["normal", "aggregated", "distributed",],
},
},
},
"authentication": {
"anon": {
"acr": "http://www.swamid.se/policy/assurance/al1",
"class": "oidcop.user_authn.user.NoAuthn",
"kwargs": {"user": "******"},
}
},
"userinfo": {"class": UserInfo, "kwargs": {"db": USERINFO_db}},
"template_dir": "template",
"authz": {
"class": AuthzHandling,
"kwargs": {
"grant_config": {
"usage_rules": {
"authorization_code": {
"supports_minting": ["access_token", "refresh_token", "id_token",],
"max_usage": 1,
},
"access_token": {},
"refresh_token": {
"supports_minting": ["access_token", "refresh_token"],
},
},
"expires_in": 43200,
}
},
},
"cookie_handler": {
"class": CookieHandler,
"kwargs": {
"sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
"name": {
"session": "oidc_op",
"register": "oidc_op_reg",
"session_management": "oidc_op_sman",
},
},
},
"login_hint2acrs": {
"class": LoginHint2Acrs,
"kwargs": {"scheme_map": {"email": [INTERNETPROTOCOLPASSWORD]}},
},
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
endpoint_context = server.endpoint_context
_clients = yaml.safe_load(io.StringIO(client_yaml))
endpoint_context.cdb = _clients["oidc_clients"]
endpoint_context.keyjar.import_jwks(
endpoint_context.keyjar.export_jwks(True, ""), conf["issuer"]
)
self.endpoint = server.server_get("endpoint", "authorization")
self.session_manager = endpoint_context.session_manager
self.user_id = "diana"
self.rp_keyjar = KeyJar()
self.rp_keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
endpoint_context.keyjar.add_symmetric("client_1", "hemligtkodord1234567890")
def create_endpoint(self):
conf = {
"issuer": "https://example.com/",
"password": "******",
"verify_ssl": False,
"capabilities": {
"subject_types_supported": ["public", "pairwise", "ephemeral"],
"grant_types_supported": [
"authorization_code",
"implicit",
"urn:ietf:params:oauth:grant-type:jwt-bearer",
"refresh_token",
],
},
"token_handler_args": {
"jwks_def": {
"private_path": "private/token_jwks.json",
"read_only": False,
"key_defs": [{"type": "oct", "bytes": "24", "use": ["enc"], "kid": "code"}],
},
"code": {"kwargs": {"lifetime": 600}},
"token": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {
"lifetime": 3600,
"add_claims_by_scope": True,
"aud": ["https://example.org/appl"],
},
},
"refresh": {
"class": "oidcop.token.jwt_token.JWTToken",
"kwargs": {"lifetime": 3600, "aud": ["https://example.org/appl"],},
},
"id_token": {
"class": "oidcop.token.id_token.IDToken",
"kwargs": {
"base_claims": {
"email": {"essential": True},
"email_verified": {"essential": True},
}
},
},
},
"cookie_handler": {
"class": CookieHandler,
"kwargs": {"keys": {"key_defs": COOKIE_KEYDEFS}},
},
"keys": {"key_defs": KEYDEFS, "uri_path": "static/jwks.json"},
"endpoint": {
"registration": {
"path": "registration",
"class": Registration,
"kwargs": {"client_auth_method": None},
},
"authorization": {
"path": "authorization",
"class": Authorization,
"kwargs": {
"response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
"response_modes_supported": ["query", "fragment", "form_post"],
"claim_types_supported": ["normal", "aggregated", "distributed",],
"claims_parameter_supported": True,
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
},
},
"token": {
"path": "token",
"class": Token,
"kwargs": {
"client_authn_method": [
"client_secret_post",
"client_secret_basic",
"client_secret_jwt",
"private_key_jwt",
]
},
},
"userinfo": {"path": "userinfo", "class": UserInfo, "kwargs": {}},
},
"template_dir": "template",
}
server = Server(OPConfiguration(conf=conf, base_path=BASEDIR), cwd=BASEDIR)
self.endpoint = server.server_get("endpoint", "registration")