Fix a couple of spelling errors in text.
Allow for 'none' algorithm for signing IDToken.
This commit is contained in:
parent
7bf839168b
commit
ad5eb40dc6
14
README.rst
14
README.rst
|
@ -1,14 +1,6 @@
|
||||||
A complete OpenID Connect implementation
|
A complete OpenID Connect implementation
|
||||||
========================================
|
========================================
|
||||||
|
|
||||||
This will eventually be a complete implementation of OpenID Connect.
|
This a fairly complete implementation of OpenID Connect as
|
||||||
And as a side effect a fairly complete implementation of OAuth2.0 .
|
specified in http://openid.net/specs/openid-connect-core-1_0.html.
|
||||||
|
And as a side effect a complete implementation of OAuth2.0 too.
|
||||||
But while the standards are in the flux they are, the best I can do is
|
|
||||||
to track them as close as possible.
|
|
||||||
|
|
||||||
Expect a certain time-laps between changes of the documents and the
|
|
||||||
corresponding change of the code. I will strive to keep the time lap as
|
|
||||||
short as possible.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -133,7 +133,7 @@ if __name__ == "__main__":
|
||||||
parser.add_argument('-d', dest='delete', action='store_true',
|
parser.add_argument('-d', dest='delete', action='store_true',
|
||||||
help="delete the entity with the given client_id")
|
help="delete the entity with the given client_id")
|
||||||
parser.add_argument('-c', dest='create', action='store_true',
|
parser.add_argument('-c', dest='create', action='store_true',
|
||||||
help=("create a new client, returns the stored" ""
|
help=("create a new client, returns the stored "
|
||||||
"information"))
|
"information"))
|
||||||
parser.add_argument('-s', dest='show', action='store_true',
|
parser.add_argument('-s', dest='show', action='store_true',
|
||||||
help=("show information connected to a specific"
|
help=("show information connected to a specific"
|
||||||
|
|
|
@ -611,7 +611,7 @@ class IdToken(OpenIDSchema):
|
||||||
assert self["azr"] in self["aud"]
|
assert self["azr"] in self["aud"]
|
||||||
except AssertionError:
|
except AssertionError:
|
||||||
raise VerificationError(
|
raise VerificationError(
|
||||||
"Missmatch between azr and aud claims", self)
|
"Mismatch between azr and aud claims", self)
|
||||||
|
|
||||||
if "azr" in self:
|
if "azr" in self:
|
||||||
if "client_id" in kwargs:
|
if "client_id" in kwargs:
|
||||||
|
|
|
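Review bot: The azr/aud check on the new side still relies on `assert self["azr"] in self["aud"]` wrapped in `try`/`except AssertionError`, so under `python -O` the assert is compiled out and the `VerificationError` raised on the following lines can never fire; the audience check should be an explicit condition: `if self["azr"] not in self["aud"]:` followed by `raise VerificationError("Mismatch between azr and aud claims", self)`. The commit only corrects the spelling of the message. The enclosing method starts and ends outside the hunk.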
@ -267,7 +267,11 @@ class Provider(AProvider):
|
||||||
if alg == "":
|
if alg == "":
|
||||||
alg = self.jwx_def["sign_alg"]["id_token"]
|
alg = self.jwx_def["sign_alg"]["id_token"]
|
||||||
|
|
||||||
logger.debug("Signing alg: %s [%s]" % (alg, alg2keytype(alg)))
|
if alg:
|
||||||
|
logger.debug("Signing alg: %s [%s]" % (alg, alg2keytype(alg)))
|
||||||
|
else:
|
||||||
|
alg = "none"
|
||||||
|
|
||||||
_idt = self.server.make_id_token(session, loa, self.baseurl, alg, code,
|
_idt = self.server.make_id_token(session, loa, self.baseurl, alg, code,
|
||||||
access_token, user_info, auth_time)
|
access_token, user_info, auth_time)
|
||||||
|
|
||||||
|
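Review bot: The new `else: alg = "none"` branch turns an empty or None `jwx_def["sign_alg"]["id_token"]` setting into an unsigned ID token without any log line, and the `except KeyError: alg = "none"` fallback in the next Provider hunk (`@ -754,7 +758,10`) does the same for a missing key. A missing or empty signing configuration is a deployment error and should fail loudly (raise, or at least `logger.warning("No id_token signing alg configured, issuing unsigned token")`) rather than silently downgrade; "none" is appropriate only when the client explicitly registered `id_token_signed_response_alg` as "none", which the second hunk already reads first. Also `if alg == ""` does not cover `alg is None`; `if not alg:` would. The enclosing method starts and ends outside the hunk.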
@ -754,7 +758,10 @@ class Provider(AProvider):
|
||||||
try:
|
try:
|
||||||
alg = client_info["id_token_signed_response_alg"]
|
alg = client_info["id_token_signed_response_alg"]
|
||||||
except KeyError:
|
except KeyError:
|
||||||
alg = self.jwx_def["sign_alg"]["id_token"]
|
try:
|
||||||
|
alg = self.jwx_def["sign_alg"]["id_token"]
|
||||||
|
except KeyError:
|
||||||
|
alg = "none"
|
||||||
|
|
||||||
id_token = self.id_token_as_signed_jwt(sinfo, alg=alg,
|
id_token = self.id_token_as_signed_jwt(sinfo, alg=alg,
|
||||||
code=code,
|
code=code,
|
||||||
|
@ -1123,12 +1130,18 @@ class Provider(AProvider):
|
||||||
|
|
||||||
if "redirect_uris" in request:
|
if "redirect_uris" in request:
|
||||||
ruri = []
|
ruri = []
|
||||||
client_type = request["application_type"]
|
try:
|
||||||
|
client_type = request["application_type"]
|
||||||
|
except KeyError: # default
|
||||||
|
client_type = "web"
|
||||||
|
|
||||||
if client_type == "web":
|
if client_type == "web":
|
||||||
if request["response_types"] == ["code"]:
|
try:
|
||||||
must_https = False
|
if request["response_types"] == ["code"]:
|
||||||
else: # one has to be implicit or hybrid
|
must_https = False
|
||||||
|
else: # one has to be implicit or hybrid
|
||||||
|
must_https = True
|
||||||
|
except KeyError:
|
||||||
must_https = True
|
must_https = True
|
||||||
else:
|
else:
|
||||||
must_https = False
|
must_https = False
|
||||||
|
|
|
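Review bot: The new `except KeyError: must_https = True` branch treats a web client that omits `response_types` as implicit/hybrid, whereas the registration spec's default for an omitted `response_types` is `["code"]`, which the branch just above maps to `must_https = False`. If the stricter choice is intentional it deserves a comment, e.g. `except KeyError:  # response_types omitted: require https (stricter than the spec default of ["code"])`; otherwise the handler should assign `must_https = False`. The enclosing method starts and ends outside the hunk.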
@ -94,7 +94,18 @@ class UserAuthnMethod(CookieDealer):
|
||||||
|
|
||||||
return {"uid": uid}
|
return {"uid": uid}
|
||||||
|
|
||||||
def generate_return_url(self, return_to, uid):
|
def generate_return_url(self, return_to, uid, path=""):
|
||||||
|
"""
|
||||||
|
:param return_to: If it starts with '/' it's an absolute path otherwise
|
||||||
|
a relative path.
|
||||||
|
:param uid:
|
||||||
|
:param path: The verify path
|
||||||
|
"""
|
||||||
|
if not return_to.startswith("/"):
|
||||||
|
p = path.split("/")
|
||||||
|
p[-1] = return_to
|
||||||
|
return_to = "/".join(p)
|
||||||
|
|
||||||
return create_return_url(return_to, uid, **{self.query_param: "true"})
|
return create_return_url(return_to, uid, **{self.query_param: "true"})
|
||||||
|
|
||||||
def verify(self, **kwargs):
|
def verify(self, **kwargs):
|
||||||
|
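Review bot: The new docstring of `generate_return_url` leaves `:param uid:` empty and does not say what the relative-path branch does: `return_to` replaces the last segment of `path` (`p[-1] = return_to`), so with the default `path=""` a relative `return_to` is returned unchanged. Suggest `:param uid: user identifier passed through to create_return_url` and `:param path: the verify path; a relative return_to replaces its last path segment`. `return_to` is used as given, with no check that the resulting target stays on this host, so callers that pass request-derived values need to validate them first (pre-existing, not introduced by this commit). The whole of `generate_return_url` is inside the hunk.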
@ -289,7 +300,8 @@ class UsernamePasswordMako(UserAuthnMethod):
|
||||||
try:
|
try:
|
||||||
return_to = self.generate_return_url(kwargs["return_to"], _qp)
|
return_to = self.generate_return_url(kwargs["return_to"], _qp)
|
||||||
except KeyError:
|
except KeyError:
|
||||||
return_to = self.generate_return_url(self.return_to, _qp)
|
return_to = self.generate_return_url(self.return_to, _qp,
|
||||||
|
kwargs["path"])
|
||||||
return Redirect(return_to, headers=[cookie]), True
|
return Redirect(return_to, headers=[cookie]), True
|
||||||
|
|
||||||
def done(self, areq):
|
def done(self, areq):
|
||||||
|
|
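Review bot: `kwargs["path"]` on the new side is evaluated inside the `except KeyError:` handler, so a caller that supplies neither `return_to` nor `path` makes the handler itself raise `KeyError('path')` (chained to the first KeyError) instead of falling back to `self.return_to` as the except intends. Use the default the callee already declares: `return_to = self.generate_return_url(self.return_to, _qp, kwargs.get("path", ""))`. The enclosing method starts outside the hunk.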