Only one OP per Client instance.

This commit is contained in:
Roland Hedberg 2014-12-17 10:24:26 +01:00
parent 7e095f658b
commit a40240a7f5
3 changed files with 21 additions and 41 deletions


@ -102,16 +102,15 @@ necessary information::
>> provider_info["authorization_endpoint"]
'https://example.com/op/authz_endp'
The provider info is also automatically stored in the client instance.
Since a RP can potentially talk to more than one OP during it's life time
the provider information is store using the issuer name as the key::
The provider info is also automatically stored in the client instance.::
>> client.provider_info.keys()
['https://example.com/op']
>> client.provider_info["https://example.com/op"]["scopes_supported"]
>> client.provider_info["scopes_supported"]
['openid', 'profile', 'email']
For the simple Client it is expected it will only talk to one OP during its
lifetime.
Now, you know all about the OP. The next step would be to register the
client with the OP.
@ -309,8 +308,8 @@ If it's an AccessTokenResponse the information in the response will be stored
in the client instance with *state* as the key for future use.
One if the items in the response will be the ID Token which contains information
about the authentication.
One parameter (or claim as its also called) is the nonce you provider with
the authroization request.
One parameter (or claim as its also called) is the nonce you provide with
the authorization request.
And then the final request, the user info request::


@ -757,7 +757,8 @@ class Client(oauth2.Client):
except KeyError:
args = {}
owner = self.endpoint2issuer(path, "userinfo_endpoint")
#owner = self.endpoint2issuer(path, "userinfo_endpoint")
owner = self.provider_info["issuer"]
keys = self.keyjar.get_signing_key(_kty, owner, **args)
return _schema().from_jwt(resp.text, keys)
@ -1123,34 +1124,6 @@ class Client(oauth2.Client):
#subject, host = self.normalization(principal)
return self.wf.discovery_query(principal)
def endpoint2issuer(self, url, endpoint=""):
"""
Given that I know which endpoint it's about and which URL was used
which issuer was it.
:param str endpoint: Which endpoint
:param str url: The endpoint url
:return: Issuer identifier if one matched otherwise ""
"""
if endpoint:
for issuer, pi in self.provider_info.items():
try:
if pi[endpoint] == url:
return issuer
except KeyError:
pass
else:
for issuer, pi in self.provider_info.items():
for endpoint in ENDPOINTS:
try:
if pi[endpoint] == url:
return issuer
except KeyError:
pass
return ""
# noinspection PyMethodOverriding
class Server(oauth2.Server):
@ -1375,6 +1348,10 @@ class Server(oauth2.Server):
if access_token:
_args["at_hash"] = jws.left_hash(access_token, halg)
# Should better be done elsewhere
if not issuer.endswith("/"):
issuer += "/"
idt = IdToken(iss=issuer, sub=session["sub"],
aud=session["client_id"],
exp=time_util.epoch_in_a_while(**inawhile), acr=loa,
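Review bot: Rewriting `issuer` with a trailing "/" immediately before it is placed in the `iss` claim (the two lines added after the `at_hash` computation) can make the ID Token's issuer differ byte-for-byte from the issuer identifier this provider advertises in its discovery document, and an RP that applies the exact-match rule for `iss` will then reject every token it issues. Issuer identifiers are opaque strings, so whether they carry a trailing slash has to be decided once where the provider is configured and then used consistently for both the published configuration and the token, which the existing `# Should better be done elsewhere` comment already concedes. I would drop `if not issuer.endswith("/"): issuer += "/"` from this spot and normalize the configured issuer in one place at construction time, or, if the slash really is required here, add a comment such as `# iss must match the issuer published in provider configuration byte-for-byte` and make sure the published value goes through the same normalization. The enclosing method starts and ends outside this hunk, so where `issuer` originates is not visible here.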


@ -4,6 +4,7 @@ import traceback
import urllib
import sys
from jwkest.jwe import JWE
from jwkest.jwk import SYMKey
from oic.utils.authn.user import NoSuchAuthentication
from oic.utils.authn.user import ToOld
from oic.utils.authn.user import TamperAllert
@ -35,7 +36,7 @@ from oic.oic.message import ProviderConfigurationResponse
from oic.oic.message import DiscoveryResponse
from jwkest import jws, jwe
from jwkest.jws import alg2keytype
from jwkest.jws import alg2keytype, left_hash
from jwkest.jws import NoSuitableSigningKeys
__author__ = 'rohe0002'
@ -283,6 +284,9 @@ class Provider(AProvider):
logger.debug("client_id: %s" % session["client_id"])
ckey = self.keyjar.get_signing_key(alg2keytype(alg),
session["client_id"])
if not ckey: # create a new key
_secret = self.cdb[session["client_id"]]["client_secret"]
ckey = [SYMKey(key=_secret)]
else:
if "" in self.keyjar:
for b in self.keyjar[""]:
@ -1510,9 +1514,9 @@ class Provider(AProvider):
"urn:ietf:params:oauth:grant-type:jwt-bearer"],
claim_types_supported=["normal", "aggregated", "distributed"],
claims_supported=_claims,
claims_parameter_supported="true",
request_parameter_supported="true",
request_uri_parameter_supported="true",
claims_parameter_supported=True,
request_parameter_supported=True,
request_uri_parameter_supported=True,
)
sign_algs = jws.SIGNER_ALGS.keys()