summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoland Hedberg <roland.hedberg@adm.umu.se>2014-12-17 09:24:26 (GMT)
committerRoland Hedberg <roland.hedberg@adm.umu.se>2014-12-17 09:24:26 (GMT)
commita40240a7f505b28a3d989c09fe7988977b483b99 (patch)
tree881eb26b3b598e1557af722a5ff212bd079ab1aa
parent7e095f658b7a6bd97f1b99f38918f3b34e783f8c (diff)
downloadpyoidc-ozwillo-a40240a7f505b28a3d989c09fe7988977b483b99.zip
pyoidc-ozwillo-a40240a7f505b28a3d989c09fe7988977b483b99.tar.gz
pyoidc-ozwillo-a40240a7f505b28a3d989c09fe7988977b483b99.tar.bz2
Only one OP per Client instance.
-rw-r--r--doc/howto/rp.rst15
-rw-r--r--src/oic/oic/__init__.py35
-rw-r--r--src/oic/oic/provider.py12
3 files changed, 21 insertions, 41 deletions
diff --git a/doc/howto/rp.rst b/doc/howto/rp.rst
index 27dbfe8..397c486 100644
--- a/doc/howto/rp.rst
+++ b/doc/howto/rp.rst
@@ -102,16 +102,15 @@ necessary information::
>> provider_info["authorization_endpoint"]
'https://example.com/op/authz_endp'
-The provider info is also automatically stored in the client instance.
-Since a RP can potentially talk to more than one OP during it's life time
-the provider information is store using the issuer name as the key::
+The provider info is also automatically stored in the client instance.::
- >> client.provider_info.keys()
- ['https://example.com/op']
- >> client.provider_info["https://example.com/op"]["scopes_supported"]
+ >> client.provider_info["scopes_supported"]
['openid', 'profile', 'email']
+For the simple Client it is expected it will only talk to one OP during its
+lifetime.
+
Now, you know all about the OP. The next step would be to register the
client with the OP.
@@ -309,8 +308,8 @@ If it's an AccessTokenResponse the information in the response will be stored
in the client instance with *state* as the key for future use.
One if the items in the response will be the ID Token which contains information
about the authentication.
-One parameter (or claim as its also called) is the nonce you provider with
-the authroization request.
+One parameter (or claim as its also called) is the nonce you provide with
+the authorization request.
And then the final request, the user info request::
diff --git a/src/oic/oic/__init__.py b/src/oic/oic/__init__.py
index c24c2d9..ac97186 100644
--- a/src/oic/oic/__init__.py
+++ b/src/oic/oic/__init__.py
@@ -757,7 +757,8 @@ class Client(oauth2.Client):
except KeyError:
args = {}
- owner = self.endpoint2issuer(path, "userinfo_endpoint")
+ #owner = self.endpoint2issuer(path, "userinfo_endpoint")
+ owner = self.provider_info["issuer"]
keys = self.keyjar.get_signing_key(_kty, owner, **args)
return _schema().from_jwt(resp.text, keys)
@@ -1123,34 +1124,6 @@ class Client(oauth2.Client):
#subject, host = self.normalization(principal)
return self.wf.discovery_query(principal)
- def endpoint2issuer(self, url, endpoint=""):
- """
- Given that I know which endpoint it's about and which URL was used
- which issuer was it.
-
- :param str endpoint: Which endpoint
- :param str url: The endpoint url
- :return: Issuer identifier if one matched otherwise ""
- """
-
- if endpoint:
- for issuer, pi in self.provider_info.items():
- try:
- if pi[endpoint] == url:
- return issuer
- except KeyError:
- pass
- else:
- for issuer, pi in self.provider_info.items():
- for endpoint in ENDPOINTS:
- try:
- if pi[endpoint] == url:
- return issuer
- except KeyError:
- pass
-
- return ""
-
# noinspection PyMethodOverriding
class Server(oauth2.Server):
@@ -1375,6 +1348,10 @@ class Server(oauth2.Server):
if access_token:
_args["at_hash"] = jws.left_hash(access_token, halg)
+ # Should better be done elsewhere
+ if not issuer.endswith("/"):
+ issuer += "/"
+
idt = IdToken(iss=issuer, sub=session["sub"],
aud=session["client_id"],
exp=time_util.epoch_in_a_while(**inawhile), acr=loa,
diff --git a/src/oic/oic/provider.py b/src/oic/oic/provider.py
index f47e24a..87be3ce 100644
--- a/src/oic/oic/provider.py
+++ b/src/oic/oic/provider.py
@@ -4,6 +4,7 @@ import traceback
import urllib
import sys
from jwkest.jwe import JWE
+from jwkest.jwk import SYMKey
from oic.utils.authn.user import NoSuchAuthentication
from oic.utils.authn.user import ToOld
from oic.utils.authn.user import TamperAllert
@@ -35,7 +36,7 @@ from oic.oic.message import ProviderConfigurationResponse
from oic.oic.message import DiscoveryResponse
from jwkest import jws, jwe
-from jwkest.jws import alg2keytype
+from jwkest.jws import alg2keytype, left_hash
from jwkest.jws import NoSuitableSigningKeys
__author__ = 'rohe0002'
@@ -283,6 +284,9 @@ class Provider(AProvider):
logger.debug("client_id: %s" % session["client_id"])
ckey = self.keyjar.get_signing_key(alg2keytype(alg),
session["client_id"])
+ if not ckey: # create a new key
+ _secret = self.cdb[session["client_id"]]["client_secret"]
+ ckey = [SYMKey(key=_secret)]
else:
if "" in self.keyjar:
for b in self.keyjar[""]:
@@ -1510,9 +1514,9 @@ class Provider(AProvider):
"urn:ietf:params:oauth:grant-type:jwt-bearer"],
claim_types_supported=["normal", "aggregated", "distributed"],
claims_supported=_claims,
- claims_parameter_supported="true",
- request_parameter_supported="true",
- request_uri_parameter_supported="true",
+ claims_parameter_supported=True,
+ request_parameter_supported=True,
+ request_uri_parameter_supported=True,
)
sign_algs = jws.SIGNER_ALGS.keys()