Only one OP per Client instance.
This commit is contained in:
parent
7e095f658b
commit
a40240a7f5
|
@ -102,16 +102,15 @@ necessary information::
|
||||||
>> provider_info["authorization_endpoint"]
|
>> provider_info["authorization_endpoint"]
|
||||||
'https://example.com/op/authz_endp'
|
'https://example.com/op/authz_endp'
|
||||||
|
|
||||||
The provider info is also automatically stored in the client instance.
|
The provider info is also automatically stored in the client instance.::
|
||||||
Since a RP can potentially talk to more than one OP during it's life time
|
|
||||||
the provider information is store using the issuer name as the key::
|
|
||||||
|
|
||||||
>> client.provider_info.keys()
|
>> client.provider_info["scopes_supported"]
|
||||||
['https://example.com/op']
|
|
||||||
>> client.provider_info["https://example.com/op"]["scopes_supported"]
|
|
||||||
['openid', 'profile', 'email']
|
['openid', 'profile', 'email']
|
||||||
|
|
||||||
|
|
||||||
|
For the simple Client it is expected it will only talk to one OP during its
|
||||||
|
lifetime.
|
||||||
|
|
||||||
Now, you know all about the OP. The next step would be to register the
|
Now, you know all about the OP. The next step would be to register the
|
||||||
client with the OP.
|
client with the OP.
|
||||||
|
|
||||||
|
@ -309,8 +308,8 @@ If it's an AccessTokenResponse the information in the response will be stored
|
||||||
in the client instance with *state* as the key for future use.
|
in the client instance with *state* as the key for future use.
|
||||||
One if the items in the response will be the ID Token which contains information
|
One if the items in the response will be the ID Token which contains information
|
||||||
about the authentication.
|
about the authentication.
|
||||||
One parameter (or claim as its also called) is the nonce you provider with
|
One parameter (or claim as its also called) is the nonce you provide with
|
||||||
the authroization request.
|
the authorization request.
|
||||||
|
|
||||||
And then the final request, the user info request::
|
And then the final request, the user info request::
|
||||||
|
|
||||||
|
|
|
@ -757,7 +757,8 @@ class Client(oauth2.Client):
|
||||||
except KeyError:
|
except KeyError:
|
||||||
args = {}
|
args = {}
|
||||||
|
|
||||||
owner = self.endpoint2issuer(path, "userinfo_endpoint")
|
#owner = self.endpoint2issuer(path, "userinfo_endpoint")
|
||||||
|
owner = self.provider_info["issuer"]
|
||||||
keys = self.keyjar.get_signing_key(_kty, owner, **args)
|
keys = self.keyjar.get_signing_key(_kty, owner, **args)
|
||||||
|
|
||||||
return _schema().from_jwt(resp.text, keys)
|
return _schema().from_jwt(resp.text, keys)
|
||||||
|
@ -1123,34 +1124,6 @@ class Client(oauth2.Client):
|
||||||
#subject, host = self.normalization(principal)
|
#subject, host = self.normalization(principal)
|
||||||
return self.wf.discovery_query(principal)
|
return self.wf.discovery_query(principal)
|
||||||
|
|
||||||
def endpoint2issuer(self, url, endpoint=""):
|
|
||||||
"""
|
|
||||||
Given that I know which endpoint it's about and which URL was used
|
|
||||||
which issuer was it.
|
|
||||||
|
|
||||||
:param str endpoint: Which endpoint
|
|
||||||
:param str url: The endpoint url
|
|
||||||
:return: Issuer identifier if one matched otherwise ""
|
|
||||||
"""
|
|
||||||
|
|
||||||
if endpoint:
|
|
||||||
for issuer, pi in self.provider_info.items():
|
|
||||||
try:
|
|
||||||
if pi[endpoint] == url:
|
|
||||||
return issuer
|
|
||||||
except KeyError:
|
|
||||||
pass
|
|
||||||
else:
|
|
||||||
for issuer, pi in self.provider_info.items():
|
|
||||||
for endpoint in ENDPOINTS:
|
|
||||||
try:
|
|
||||||
if pi[endpoint] == url:
|
|
||||||
return issuer
|
|
||||||
except KeyError:
|
|
||||||
pass
|
|
||||||
|
|
||||||
return ""
|
|
||||||
|
|
||||||
|
|
||||||
# noinspection PyMethodOverriding
|
# noinspection PyMethodOverriding
|
||||||
class Server(oauth2.Server):
|
class Server(oauth2.Server):
|
||||||
|
@ -1375,6 +1348,10 @@ class Server(oauth2.Server):
|
||||||
if access_token:
|
if access_token:
|
||||||
_args["at_hash"] = jws.left_hash(access_token, halg)
|
_args["at_hash"] = jws.left_hash(access_token, halg)
|
||||||
|
|
||||||
|
# Should better be done elsewhere
|
||||||
|
if not issuer.endswith("/"):
|
||||||
|
issuer += "/"
|
||||||
|
|
||||||
idt = IdToken(iss=issuer, sub=session["sub"],
|
idt = IdToken(iss=issuer, sub=session["sub"],
|
||||||
aud=session["client_id"],
|
aud=session["client_id"],
|
||||||
exp=time_util.epoch_in_a_while(**inawhile), acr=loa,
|
exp=time_util.epoch_in_a_while(**inawhile), acr=loa,
|
||||||
|
|
|
@ -4,6 +4,7 @@ import traceback
|
||||||
import urllib
|
import urllib
|
||||||
import sys
|
import sys
|
||||||
from jwkest.jwe import JWE
|
from jwkest.jwe import JWE
|
||||||
|
from jwkest.jwk import SYMKey
|
||||||
from oic.utils.authn.user import NoSuchAuthentication
|
from oic.utils.authn.user import NoSuchAuthentication
|
||||||
from oic.utils.authn.user import ToOld
|
from oic.utils.authn.user import ToOld
|
||||||
from oic.utils.authn.user import TamperAllert
|
from oic.utils.authn.user import TamperAllert
|
||||||
|
@ -35,7 +36,7 @@ from oic.oic.message import ProviderConfigurationResponse
|
||||||
from oic.oic.message import DiscoveryResponse
|
from oic.oic.message import DiscoveryResponse
|
||||||
|
|
||||||
from jwkest import jws, jwe
|
from jwkest import jws, jwe
|
||||||
from jwkest.jws import alg2keytype
|
from jwkest.jws import alg2keytype, left_hash
|
||||||
from jwkest.jws import NoSuitableSigningKeys
|
from jwkest.jws import NoSuitableSigningKeys
|
||||||
|
|
||||||
__author__ = 'rohe0002'
|
__author__ = 'rohe0002'
|
||||||
|
@ -283,6 +284,9 @@ class Provider(AProvider):
|
||||||
logger.debug("client_id: %s" % session["client_id"])
|
logger.debug("client_id: %s" % session["client_id"])
|
||||||
ckey = self.keyjar.get_signing_key(alg2keytype(alg),
|
ckey = self.keyjar.get_signing_key(alg2keytype(alg),
|
||||||
session["client_id"])
|
session["client_id"])
|
||||||
|
if not ckey: # create a new key
|
||||||
|
_secret = self.cdb[session["client_id"]]["client_secret"]
|
||||||
|
ckey = [SYMKey(key=_secret)]
|
||||||
else:
|
else:
|
||||||
if "" in self.keyjar:
|
if "" in self.keyjar:
|
||||||
for b in self.keyjar[""]:
|
for b in self.keyjar[""]:
|
||||||
|
@ -1510,9 +1514,9 @@ class Provider(AProvider):
|
||||||
"urn:ietf:params:oauth:grant-type:jwt-bearer"],
|
"urn:ietf:params:oauth:grant-type:jwt-bearer"],
|
||||||
claim_types_supported=["normal", "aggregated", "distributed"],
|
claim_types_supported=["normal", "aggregated", "distributed"],
|
||||||
claims_supported=_claims,
|
claims_supported=_claims,
|
||||||
claims_parameter_supported="true",
|
claims_parameter_supported=True,
|
||||||
request_parameter_supported="true",
|
request_parameter_supported=True,
|
||||||
request_uri_parameter_supported="true",
|
request_uri_parameter_supported=True,
|
||||||
)
|
)
|
||||||
|
|
||||||
sign_algs = jws.SIGNER_ALGS.keys()
|
sign_algs = jws.SIGNER_ALGS.keys()
|
||||||
|
|
Reference in New Issue