Fixed so that all examples have a start.sh script and all of them work.

This commit is contained in:
Roland Hedberg 2014-11-13 09:29:46 +01:00
parent 1306a7ecde
commit 806b600fc4
13 changed files with 48 additions and 223 deletions


@ -0,0 +1 @@
{"client_1":{"client_secret": "hemlig"}}
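Review bot: The new client database hard-codes a short dictionary-word client secret (`"hemlig"`) for `client_1` and commits it to the repository, so anything that reuses this file outside the demo inherits a credential that is both guessable and already public. Since strict JSON cannot carry a comment, the caveat has to live next to the file, e.g. a line in the example's README or start.sh: `# the client_secret in the client database is a demo value; generate a random one (os.urandom) before exposing this OP`. Whether the same secret is also hard-coded on the RP side is not visible in this commit.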


@ -4,12 +4,11 @@
baseurl = "https://localhost"
#baseurl = "https://lingon.ladok.umu.se"
issuer = "%s:%%d" % baseurl
keys = {
"RSA": {
"key": "cp_keys/key.pem",
"usage": ["enc", "sig"]
}
}
keys = [
{"type": "RSA", "key": "cp_keys/key.pem", "use": ["enc", "sig"]},
{"type": "EC", "crv": "P-256", "use": ["sig"]},
{"type": "EC", "crv": "P-256", "use": ["enc"]}
]
CAS_SERVER = "https://cas.umu.se"
SERVICE_URL = "%s/verify" % issuer
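Review bot: The RSA entry in the new `keys` list is configured with `"use": ["enc", "sig"]`, so the single key in `cp_keys/key.pem` is meant to serve both signing and decryption; that defeats key separation, and RFC 7517 defines a JWK's `use` as one string, so how `keyjar_init` renders a multi-use entry into `jwks.json` deserves a check (not visible here). The EC entries already keep `sig` and `enc` on separate keys; doing the same for RSA, `{"type": "RSA", "key": "cp_keys/sig_key.pem", "use": ["sig"]}` and `{"type": "RSA", "key": "cp_keys/enc_key.pem", "use": ["enc"]}`, keeps the example consistent. The commented-out `#baseurl = "https://lingon.ladok.umu.se"` line above is leftover and could go.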


@ -1,5 +1,6 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import sys
import os
import traceback
@ -14,7 +15,7 @@ from urlparse import parse_qs
from oic.utils.authn.client import verify_client
from oic.utils.authz import AuthzHandling
from oic.utils.keyio import KeyBundle, dump_jwks
from oic.utils.keyio import KeyBundle, dump_jwks, keyjar_init
from oic.utils.userinfo import UserInfo
from oic.utils.webfinger import WebFinger
from oic.utils.webfinger import OIC_ISSUER
@ -592,28 +593,19 @@ if __name__ == '__main__':
OAS.baseurl += "/"
try:
OAS.keyjar[""] = []
kbl = []
for typ, info in config.keys.items():
typ = typ.upper()
LOGGER.info("OC server key init: %s, %s" % (typ, info))
kb = KeyBundle(source="file://%s" % info["key"], fileformat="der",
keytype=typ)
OAS.keyjar.add_kb("", kb)
kbl.append(kb)
try:
new_name = "static/jwks.json"
dump_jwks(kbl, new_name)
OAS.jwks_uri.append("%s%s" % (OAS.baseurl, new_name))
except KeyError:
pass
for b in OAS.keyjar[""]:
LOGGER.info("OC3 server keys: %s" % b)
jwks = keyjar_init(OAS, config.keys)
except Exception, err:
LOGGER.error("Key setup failed: %s" % err)
OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"})
else:
new_name = "static/jwks.json"
f = open(new_name, "w")
f.write(json.dumps(jwks))
f.close()
OAS.jwks_uri.append("%s%s" % (OAS.baseurl, new_name))
for b in OAS.keyjar[""]:
LOGGER.info("OC3 server keys: %s" % b)
if config.USERINFO == "LDAP":
from oic.utils.userinfo.ldap_info import UserInfoLDAP
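Review bot: The JWKS returned by `keyjar_init` is written straight to `static/jwks.json` and advertised through `OAS.jwks_uri`, i.e. served to anyone, so before this lands it should be confirmed that the dict contains only public parameters and no private members (`d`, `p`, `q`, `dp`, `dq`, `qi`); that cannot be seen from this hunk. Independently, the `f = open(new_name, "w")` / `f.write(...)` / `f.close()` sequence leaks the handle if `json.dumps` or `write` raises; `with open(new_name, "w") as f: f.write(json.dumps(jwks))` closes it on every path. The `except Exception, err:` branch logs and continues on `OAS.key_setup("static", ...)` without appending a `jwks_uri`, so a misconfigured key file silently yields an OP whose discovery data lacks a `jwks_uri`. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.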


@ -1,3 +1,2 @@
#!/bin/sh
./claims_provider.py -p 8093 -d cp_config.json &
./oc_server.py -p 8092 -d oc_config &


@ -3,12 +3,11 @@
baseurl = "https://localhost"
issuer = "%s:%%d" % baseurl
keys = {
"RSA": {
"key": "cp_keys/key.pem",
"usage": ["enc", "sig"]
}
}
keys = [
{"type": "RSA", "key": "cp_keys/key.pem", "use": ["enc", "sig"]},
{"type": "EC", "crv": "P-256", "use": ["sig"]},
{"type": "EC", "crv": "P-256", "use": ["enc"]}
]
SERVICE_URL = "%s/verify" % issuer
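Review bot: The two EC entries carry no `key` path, so unlike the RSA key they are presumably generated afresh by `keyjar_init` on every start (not visible in this commit); if so, the key IDs published in `static/jwks.json` change on each restart and ID tokens signed with an EC key before a restart will fail verification at any RP that cached the previous JWKS. That may be acceptable for an example, but a comment on the entries would save the next reader from debugging it: `# EC keys have no "key" file: generated per start, so jwks.json changes on restart`. Persisting them like the RSA key (a `"key": "cp_keys/ec_key.pem"` path) would make the issuer's key set stable across restarts.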


@ -553,16 +553,17 @@ if __name__ == '__main__':
if not OAS.baseurl.endswith("/"):
OAS.baseurl += "/"
jwks = keyjar_init(OAS, config.keys)
try:
jwks = keyjar_init(OAS, config.keys)
except Exception, err:
LOGGER.error("Key setup failed: %s" % err)
OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"})
else:
new_name = "static/jwks.json"
f = open(new_name, "w")
f.write(json.dumps(jwks))
f.close()
OAS.jwks_uri.append("%s%s" % (OAS.baseurl, new_name))
except KeyError:
pass
for b in OAS.keyjar[""]:
LOGGER.info("OC3 server keys: %s" % b)
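Review bot: Wrapping `keyjar_init` in `except Exception, err:` and falling back to `OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"})` turns every key-setup failure — a missing key file, a typo in `config.keys`, or a plain bug — into a server that starts with different signing keys and no `jwks_uri` entry, with a single log line as the only trace. For a provider, failing to load its configured keys is arguably fatal; if the fallback is meant only for an absent key file, narrow it to `except (IOError, OSError) as err:` and let anything else propagate (or `sys.exit(1)` after logging). The success path also opens `static/jwks.json` without `with`, so the handle leaks when `json.dumps` raises. The surrounding `if __name__ == '__main__':` block extends beyond the hunk on both sides.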


@ -1,175 +0,0 @@
import os
from saml2 import saml
from saml2 import BINDING_HTTP_REDIRECT
from saml2 import BINDING_HTTP_POST
from saml2.extension.idpdisc import BINDING_DISCO
from saml2.saml import NAME_FORMAT_URI
from saml2.entity_category.edugain import COC
from saml2.entity_category.swamid import RESEARCH_AND_EDUCATION
from saml2.entity_category.swamid import HEI
from saml2.entity_category.swamid import SFS_1993_1153
from saml2.entity_category.swamid import NREN
from saml2.entity_category.swamid import EU
try:
from saml2.sigver import get_xmlsec_binary
except ImportError:
get_xmlsec_binary = None
if get_xmlsec_binary:
xmlsec_path = get_xmlsec_binary(["/opt/local/bin", "/usr/local/bin"])
else:
xmlsec_path = '/usr/local/bin/xmlsec1'
#Url to a discovery server for SAML. None implies not using one.
DISCOSRV = None
#DISCOSRV = "http://localhost/idp.ds"
#Url to a wayf for SAML. None implies not using one.
WAYF = None
#Full URL to the SP. You must have the same base as the OP.
BASE = "https://localhost:8092"#"%s"
#Discovery endpoint
DISCOENDPOINT = "saml_verify_disco"
#The BASE url where the Idp performs the redirect after a authn request from the SP.
#For the cookies to work do not use subfolders.
ASCREDIRECT = 'saml_verify_redirect'
#The BASE url where the Idp performs a post after a authn request from the SP.
#For the cookies to work do not use subfolders.
ASCPOST = 'saml_verify_post'
MULTI_AUTH_POST = "multi_saml_pass_verify"
MULTI_AUTH_DISCO_END_POINT = "multi_saml_pass_disco"
MULTI_ASC_REDIRECT = "multi_saml_pass_redirect"
#Must point to the complete path on disk to this file!
#Needed by the script create_metadata.sh and the SP to find all configurations.
#No need to change this!
FULL_PATH = os.path.dirname(os.path.abspath(__file__))
#This is the directory for the SP.
WORKING_DIR = FULL_PATH + "/"
#This is a map for Open Id connect to Saml2.
#The proxy will give the same response for OAuth2.
OPENID2SAMLMAP = {
"sub": "uid",
"name": "displayName",
"given_name": "givenname",
"family_name": "sn",
"middle_name": "",
"nickname": "eduPersonNickname",
"preferred_username": "uid",
"profile": "member",
#STUDENTNESS example for studentness
#"profile": "eduPersonScopedAffiliation",
"picture": "jpegPhoto",
"website": "labeledURI",
"email": "email",
#"email_verified": "Missing
"gender": "",
"birthdate": "norEduPersonNIN",
#zoneinfo timezone
"locale": "c",
"phone_number": "telephoneNumber",
#phone_number_verified
"address": "registeredAddress",
"updated_at": "" # When information was updated
}
#Traditional pysaml2 configuration for a SP. View more documentation for pysaml2.
CONFIG = {
"entityid": "%s/testpyoidcsp.xml" % BASE,
"description": "Test pyoidc SP",
"entity_category": [COC, RESEARCH_AND_EDUCATION, HEI, SFS_1993_1153, NREN, EU],
"service": {
"sp": {
"name": "Test pyoidc SP",
"authn_requests_signed": "true",
"want_response_signed": "true",
"endpoints": {
"assertion_consumer_service": [
(BASE + "/" + ASCREDIRECT, BINDING_HTTP_REDIRECT, 0),
(BASE + "/" + MULTI_ASC_REDIRECT, BINDING_HTTP_REDIRECT, 1),
(BASE + "/" + ASCPOST, BINDING_HTTP_POST, 0),
(BASE + "/" + MULTI_AUTH_POST, BINDING_HTTP_POST, 1),
],
"required_attributes": ["uid"],
"discovery_response": [
("%s/%s" % (BASE, DISCOENDPOINT), BINDING_DISCO),
("%s/%s" % (BASE, MULTI_AUTH_DISCO_END_POINT), BINDING_DISCO)
],
}
},
},
"key_file": WORKING_DIR+"sp_cert/localhost.key",
"cert_file": WORKING_DIR+"sp_cert/localhost.crt",
"xmlsec_binary": xmlsec_path,
"metadata": {
"local": ["[..]/pysaml2/example/idp2/idp.xml"],
#"remote": [{"url": "http://localhost/idp.xml", "cert": None}],
},
"name_form": NAME_FORMAT_URI,
"organization": {
"name": "Test pyoidc SP",
"display_name": [("Test pyoidc SP", "en")],
"url": BASE,
},
"contact_person": [
{
"contact_type": "technical",
"given_name": "Test",
"sur_name": "Testsson",
"email_address": "test.testsson@test.se"
},
],
"logger": {
"rotating": {
"filename": "sp.log",
"maxBytes": 100000,
"backupCount": 5,
},
"loglevel": "debug",
}
}
#Cache for transferring information between SAML authn and user info AA
SAML_CACHE = {}
# If AA_ATTRIBUTE_SAML_IDP is true the AA attributes and the IDP attributes will be concatenated. Else only the
# attributes listed in AA_ATTRIBUTE_SAML_IDP_WHITELIST will be returned. If AA_ATTRIBUTE_SAML_IDP_WHITELIST is None all
# attributes will be returned
AA_ATTRIBUTE_SAML_IDP = True
AA_ATTRIBUTE_SAML_IDP_WHITELIST = None
#STUDENTNESS example for studentness
#AA_ATTRIBUTE_SAML_IDP_WHITELIST = ["eduPersonScopedAffiliation"]
AA_REQUEST_ATTRIBUTES = None
#Contains all valid attributes and valid values for that attribute.
VALID_ATTRIBUTE_RESPONSE=None
#STUDENTNESS example configuration for studentness
#VALID_ATTRIBUTE_RESPONSE = {
# "eduPersonScopedAffiliation": ["student"]
#}
#Contains all attributes that will be returned.
#Only value that contains the values in the value list will be returned. If None will all values be returned.
ATTRIBUTE_WHITELIST=None
#STUDENTNESS example configuration for studentness
#ATTRIBUTE_WHITELIST = {
# "eduPersonScopedAffiliation": ["student"]
#}
#Attribute authority only used if USERINFO = "AA" in config.py
AA_ENTITY_ID = None
# If None name id is used otherwise the first value for the given attribute name in the SAML response will be used.
AA_NAMEID_ATTRIBUTE = None
#AA_NAMEID_ATTRIBUTE = "eduPersonTargetedID"
AA_NAMEID_FORMAT = saml.NAMEID_FORMAT_PERSISTENT

2
oidc_example/op2/start.sh Executable file

@ -0,0 +1,2 @@
#!/bin/sh
./server.py -p 8092 -d config &


@ -13,8 +13,6 @@ from oic.oic.message import AuthorizationRequest
from oic.oic.message import AccessTokenResponse
from oic.utils.webfinger import WebFinger
__author__ = 'rolandh'
logger = logging.getLogger(__name__)
@ -57,13 +55,13 @@ class OpenIDConnect(object):
self.authn_method = None
self.registration_info = registration_info
def dynamic(self, server_env, callback, logoutCallback, session, key):
def dynamic(self, server_env, callback, logout_callback, session, key):
try:
client = server_env["OIC_CLIENT"][key]
except KeyError:
client = self.client_cls(client_authn_method=CLIENT_AUTHN_METHOD)
client.redirect_uris = [callback]
client.post_logout_redirect_uris = [logoutCallback]
client.post_logout_redirect_uris = [logout_callback]
_me = self.registration_info.copy()
_me["redirect_uris"] = [callback]
@ -86,14 +84,14 @@ class OpenIDConnect(object):
server_env["OIC_CLIENT"] = {key: client}
return client
def static(self, server_env, callback, logoutCallback, key):
def static(self, server_env, callback, logout_callback, key):
try:
client = server_env["OIC_CLIENT"][key]
logger.debug("Static client: %s" % server_env["OIC_CLIENT"])
except KeyError:
client = self.client_cls(client_authn_method=CLIENT_AUTHN_METHOD)
client.redirect_uris = [callback]
client.post_logout_redirect_uris = [logoutCallback]
client.post_logout_redirect_uris = [logout_callback]
for typ in ["authorization", "token", "userinfo"]:
endpoint = "%s_endpoint" % typ
setattr(client, endpoint, self.extra[endpoint])
@ -130,13 +128,17 @@ class OpenIDConnect(object):
if not resp.ok and resp.status_code == 400:
client = None
server_env["OIC_CLIENT"].pop(key, None)
_state = ""
if client is None:
callback = server_env["base_url"] + key
logoutCallback = server_env["base_url"]
logout_callback = server_env["base_url"]
if self.srv_discovery_url:
client = self.dynamic(server_env, callback, logoutCallback, session, key)
client = self.dynamic(server_env, callback, logout_callback,
session, key)
else:
client = self.static(server_env, callback, logoutCallback, key)
client = self.static(server_env, callback, logout_callback,
key)
_state = session.getState()
session.setClient(client)
@ -144,10 +146,11 @@ class OpenIDConnect(object):
try:
acr_values = client.provider_info["acr_values_supported"]
session.set_acr_values(acr_values)
except:
except KeyError:
acr_values = None
if acr_value is None and acr_values is not None and len(acr_values) > 1:
if acr_value is None and acr_values is not None and \
len(acr_values) > 1:
resp_headers = [("Location", str("/rpAcr"))]
start_response("302 Found", resp_headers)
return []
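Review bot: Narrowing the bare `except:` to `except KeyError:` is the right direction, but `client.provider_info["acr_values_supported"]` now propagates anything that is not a `KeyError`; for a client built by `static()` earlier in this file, the visible hunk sets endpoint attributes from `self.extra` and nothing shown assigns `provider_info`, so if it can be `None` on that path the lookup raises `TypeError` and the request fails instead of falling back to `acr_values = None`. If that case is reachable, `except (KeyError, TypeError):` or a guard such as `if client.provider_info:` before the lookup keeps the old tolerance without swallowing unrelated errors. The enclosing method starts before this hunk and continues after it.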

2
oidc_example/rp2/start.sh Executable file

@ -0,0 +1,2 @@
#!/bin/bash
./rp2.py &

2
oidc_example/rp3/start.sh Executable file

@ -0,0 +1,2 @@
#!/bin/bash
./rp3.py conf &