Only one OP per Client instance.
This commit is contained in:
parent
7e095f658b
commit
a40240a7f5
|
@ -102,16 +102,15 @@ necessary information::
|
|||
>> provider_info["authorization_endpoint"]
|
||||
'https://example.com/op/authz_endp'
|
||||
|
||||
The provider info is also automatically stored in the client instance.
|
||||
Since a RP can potentially talk to more than one OP during it's life time
|
||||
the provider information is store using the issuer name as the key::
|
||||
The provider info is also automatically stored in the client instance.::
|
||||
|
||||
>> client.provider_info.keys()
|
||||
['https://example.com/op']
|
||||
>> client.provider_info["https://example.com/op"]["scopes_supported"]
|
||||
>> client.provider_info["scopes_supported"]
|
||||
['openid', 'profile', 'email']
|
||||
|
||||
|
||||
For the simple Client it is expected it will only talk to one OP during its
|
||||
lifetime.
|
||||
|
||||
Now, you know all about the OP. The next step would be to register the
|
||||
client with the OP.
|
||||
|
||||
|
@ -309,8 +308,8 @@ If it's an AccessTokenResponse the information in the response will be stored
|
|||
in the client instance with *state* as the key for future use.
|
||||
One if the items in the response will be the ID Token which contains information
|
||||
about the authentication.
|
||||
One parameter (or claim as its also called) is the nonce you provider with
|
||||
the authroization request.
|
||||
One parameter (or claim as its also called) is the nonce you provide with
|
||||
the authorization request.
|
||||
|
||||
And then the final request, the user info request::
|
||||
|
||||
|
|
|
@ -757,7 +757,8 @@ class Client(oauth2.Client):
|
|||
except KeyError:
|
||||
args = {}
|
||||
|
||||
owner = self.endpoint2issuer(path, "userinfo_endpoint")
|
||||
#owner = self.endpoint2issuer(path, "userinfo_endpoint")
|
||||
owner = self.provider_info["issuer"]
|
||||
keys = self.keyjar.get_signing_key(_kty, owner, **args)
|
||||
|
||||
return _schema().from_jwt(resp.text, keys)
|
||||
|
@ -1123,34 +1124,6 @@ class Client(oauth2.Client):
|
|||
#subject, host = self.normalization(principal)
|
||||
return self.wf.discovery_query(principal)
|
||||
|
||||
def endpoint2issuer(self, url, endpoint=""):
|
||||
"""
|
||||
Given that I know which endpoint it's about and which URL was used
|
||||
which issuer was it.
|
||||
|
||||
:param str endpoint: Which endpoint
|
||||
:param str url: The endpoint url
|
||||
:return: Issuer identifier if one matched otherwise ""
|
||||
"""
|
||||
|
||||
if endpoint:
|
||||
for issuer, pi in self.provider_info.items():
|
||||
try:
|
||||
if pi[endpoint] == url:
|
||||
return issuer
|
||||
except KeyError:
|
||||
pass
|
||||
else:
|
||||
for issuer, pi in self.provider_info.items():
|
||||
for endpoint in ENDPOINTS:
|
||||
try:
|
||||
if pi[endpoint] == url:
|
||||
return issuer
|
||||
except KeyError:
|
||||
pass
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
# noinspection PyMethodOverriding
|
||||
class Server(oauth2.Server):
|
||||
|
@ -1375,6 +1348,10 @@ class Server(oauth2.Server):
|
|||
if access_token:
|
||||
_args["at_hash"] = jws.left_hash(access_token, halg)
|
||||
|
||||
# Should better be done elsewhere
|
||||
if not issuer.endswith("/"):
|
||||
issuer += "/"
|
||||
|
||||
idt = IdToken(iss=issuer, sub=session["sub"],
|
||||
aud=session["client_id"],
|
||||
exp=time_util.epoch_in_a_while(**inawhile), acr=loa,
|
||||
|
|
|
@ -4,6 +4,7 @@ import traceback
|
|||
import urllib
|
||||
import sys
|
||||
from jwkest.jwe import JWE
|
||||
from jwkest.jwk import SYMKey
|
||||
from oic.utils.authn.user import NoSuchAuthentication
|
||||
from oic.utils.authn.user import ToOld
|
||||
from oic.utils.authn.user import TamperAllert
|
||||
|
@ -35,7 +36,7 @@ from oic.oic.message import ProviderConfigurationResponse
|
|||
from oic.oic.message import DiscoveryResponse
|
||||
|
||||
from jwkest import jws, jwe
|
||||
from jwkest.jws import alg2keytype
|
||||
from jwkest.jws import alg2keytype, left_hash
|
||||
from jwkest.jws import NoSuitableSigningKeys
|
||||
|
||||
__author__ = 'rohe0002'
|
||||
|
@ -283,6 +284,9 @@ class Provider(AProvider):
|
|||
logger.debug("client_id: %s" % session["client_id"])
|
||||
ckey = self.keyjar.get_signing_key(alg2keytype(alg),
|
||||
session["client_id"])
|
||||
if not ckey: # create a new key
|
||||
_secret = self.cdb[session["client_id"]]["client_secret"]
|
||||
ckey = [SYMKey(key=_secret)]
|
||||
else:
|
||||
if "" in self.keyjar:
|
||||
for b in self.keyjar[""]:
|
||||
|
@ -1510,9 +1514,9 @@ class Provider(AProvider):
|
|||
"urn:ietf:params:oauth:grant-type:jwt-bearer"],
|
||||
claim_types_supported=["normal", "aggregated", "distributed"],
|
||||
claims_supported=_claims,
|
||||
claims_parameter_supported="true",
|
||||
request_parameter_supported="true",
|
||||
request_uri_parameter_supported="true",
|
||||
claims_parameter_supported=True,
|
||||
request_parameter_supported=True,
|
||||
request_uri_parameter_supported=True,
|
||||
)
|
||||
|
||||
sign_algs = jws.SIGNER_ALGS.keys()
|
||||
|
|
Reference in New Issue