Merge pull request #13 from IdentityPython/develop

Verifying client configuration

Author: rohe

doc/move.rst

@@ -0,0 +1,113 @@
+.. _move:
+
+********************************************************
+How to move from oidcmsg,oidcrp and oidc-op to idpy-oidc
+********************************************************
+
+Since you are here the chance that you are using OidcRP and/or oidc-op is very
+high. Hopefully you are happy with what the packages has provided you with
+so far. But somehow you have now learned that idpy-oidc is where the
+action will be in the future so you want to know what it takes to move
+from OidcRP and/or oidc-op to idpy-oidc.
+
+idpy-oidc is collecting the three original packages into one:
+
+* OidcMsg -> idpy-oidc/message
+* OidcRP -> idpy-oidc/client
+* oidc-op -> idpy-oidc/server
+
+Some of the functionality that was in OidcMsg because it was needed by
+both OidcRP and oidc-op is now placed at the root of idpy-oidc.
+We will do them one by one
+
+OidcRP
+------
+
+If you have kept yourself to always using the high level api moving
+
+You probably can get away only doing what I descibe below.
+These are the steps I had to take to get the example/flask_rp RP working.
+
+1) Created a file, named script_py.sed with this content::
+
+    s/from oidcop.server import Server/from idpyoidc.server import Server/g
+    s/oidcop/idpyoidc.server/g
+    s/oidcrp/idpyoidc.client/g
+    s/oidcmsg/idpyoidc.message/g
+    s/idpyoidc.message.configure/idpyoidc.configure/g
+    s/idpyoidc.message.client/idpyoidc.client/g
+    s/idpyoidc.message.ssl_context/idpyoidc.ssl_context/g
+    s/from idpyoidc.client.util import create_context/from idpyoidc.ssl_context import create_context/g
+
+2) Create another file, named script_json.sed with this content::
+
+    s/oidcop/idpyoidc.server/g
+    s/oidcrp/idpyoidc.client/g
+    s/oidcmsg/idpyoidc.message/g
+
+3) Ran the commands::
+
+    find . -name "*.py" -exec sed -i '' -f script_py.sed {} \;
+    find . -name "*.json" -exec sed -i '' -f script_json.sed {} \;
+
+And I was able to successfully launch the RP.
+This worked for me, it might be enough for you too. If not you can probably
+figure out what needs changing. If you do I'd appreciate letting me know
+so I can add those steps to this document.
+
+oidc-op
+-------
+
+Getting oidc-op/example/flask_op running was a bit trickier but not a lot.
+
+Started of with creating the sed script files:
+
+1) Created a file, named script_py.sed with this content::
+
+    s/from oidcop.server import Server/from idpyoidc.server import Server/g
+    s/oidcop/idpyoidc.server/g
+    s/oidcrp/idpyoidc.client/g
+    s/oidcmsg/idpyoidc.message/g
+    s/idpyoidc.message.configure/idpyoidc.configure/g
+    s/idpyoidc.message.client/idpyoidc.client/g
+    s/idpyoidc.message.ssl_context/idpyoidc.ssl_context/g
+    s/from idpyoidc.server.utils import create_context/from idpyoidc.ssl_context import create_context/g
+
+2) Create another file, named script_json.sed with this content::
+
+    s/oidcop/idpyoidc.server/g
+    s/oidcrp/idpyoidc.client/g
+    s/oidcmsg/idpyoidc.message/g
+
+3) Ran the commands::
+
+    find . -name "*.py" -exec sed -i '' -f script_py.sed {} \;
+    find . -name "*.json" -exec sed -i '' -f script_json.sed {} \;
+
+Now, I had to edit 2 files.
+
+views.py
+++++++++
+
+Removed the single line (22)::
+
+    from oidcop.exception import TokenAuthenticationError
+
+and the lines (233-238::
+
+         except TokenAuthenticationError as err:
+             _log.error(err)
+             return make_response(json.dumps({
+                 'error': 'invalid_token',
+                 'error_description': str(err)
+             }), 401)
+
+
+config.json
++++++++++++
+
+Removed the line (312) ::
+
+    "jwks_file": "private/token_jwks.json",
+
+And that was it.

example/flask_op/views.py

@@ -221,6 +221,7 @@ def service_endpoint(endpoint):
         # name is not unique
         "cookie": [{"name": k, "value": v} for k, v in request.cookies.items()]
     }
+    _log.info(f"http_info: {http_info}")
 
     if request.method == 'GET':
         try:

pyproject.toml

@@ -7,7 +7,7 @@ build-backend = "setuptools.build_meta"
 
 [metadata]
 name = "idpyoidc"
-version = "1.0.7"
+version = "1.0.9"
 author = "Roland Hedberg"
 author_email = "roland@catalogix.se"
 description = "Everything OAuth2 and OIDC"

src/idpyoidc/__init__.py

@@ -1,5 +1,5 @@
 __author__ = "Roland Hedberg"
-__version__ = "1.0.7"
+__version__ = "1.0.9"
 
 import os
 from typing import Dict

src/idpyoidc/client/oidc/registration.py

@@ -171,7 +171,7 @@ def add_callbacks(context, ignore: Optional[List[str]] = None):
 
 
 CALLBACK_URIS = [
-    "post_logout_redirect_uris",
+    "post_logout_redirect_uri",
     "backchannel_logout_uri",
     "frontchannel_logout_uri",
     "request_uris",

src/idpyoidc/client/service_context.py

@@ -93,7 +93,7 @@ class ServiceContext(OidcContext):
             "httpc_params": None,
             "issuer": None,
             "kid": None,
-            "post_logout_redirect_uris": None,
+            "post_logout_redirect_uri": None,
             "provider_info": None,
             "redirect_uris": None,
             "requests_dir": None,
@@ -128,7 +128,7 @@ def __init__(self, base_url="", keyjar=None, config=None, state=None, **kwargs):
         self.client_secret_expires_at = 0
         self.behaviour = {}
         self.provider_info = {}
-        self.post_logout_redirect_uris = []
+        self.post_logout_redirect_uri = ""
         self.redirect_uris = []
         self.register_args = {}
         self.registration_response = {}

src/idpyoidc/configure.py

@@ -5,10 +5,7 @@
 from typing import Optional
 from typing import Union
 
-from cryptojwt.key_jar import init_key_jar
-
 from idpyoidc.logging import configure_logging
-from idpyoidc.util import instantiate
 from idpyoidc.util import load_config_file
 
 DEFAULT_FILE_ATTRIBUTE_NAMES = [

src/idpyoidc/message/oidc/backchannel_authentication.py

@@ -35,6 +35,7 @@ class AuthenticationRequest(Message):
     }
 
     def verify(self, **kwargs):
+        super(AuthenticationRequest, self).verify(**kwargs)
         if "request" in self:
             _vc_name = verified_claim_name("request")
             if _vc_name in self:
@@ -102,16 +103,16 @@ class AuthenticationRequestJWT(Message):
     }
 
     def verify(self, **kwargs):
-        def verify(self, **kwargs):
-            _iss = kwargs.get("issuer")
-            if _iss:
-                if _iss not in self["aud"]:
-                    raise ParameterError("Not among audience")
-
-            _client_id = kwargs.get("client_id")
-            if _client_id:
-                if _client_id != self["iss"]:
-                    raise ParameterError("Issuer mismatch")
+        Message.verify(self, **kwargs)
+        _iss = kwargs.get("issuer")
+        if _iss:
+            if _iss not in self["aud"]:
+                raise ParameterError("Not among audience")
+
+        _client_id = kwargs.get("client_id")
+        if _client_id:
+            if _client_id != self["iss"]:
+                raise ParameterError("Issuer mismatch")
 
 
 class AuthenticationResponse(ResponseMessage):

src/idpyoidc/server/__init__.py

@@ -1,11 +1,13 @@
 # Server specific defaults and a basic Server class
+import logging
 from typing import Any
 from typing import Optional
 from typing import Union
 
 from cryptojwt import KeyJar
 
 from idpyoidc.impexp import ImpExp
+from idpyoidc.message.oidc import RegistrationRequest
 from idpyoidc.server import authz
 from idpyoidc.server.client_authn import client_auth_setup
 from idpyoidc.server.configure import ASConfiguration
@@ -20,6 +22,8 @@
 from idpyoidc.server.util import allow_refresh_token
 from idpyoidc.server.util import build_endpoints
 
+logger = logging.getLogger(__name__)
+
 
 def do_endpoints(conf, server_get):
     _endpoints = conf.get("endpoint")

src/idpyoidc/server/client_configure.py

@@ -0,0 +1,82 @@
+import logging
+from typing import Callable
+from typing import Optional
+
+from idpyoidc.message import OPTIONAL_LIST_OF_STRINGS
+from idpyoidc.message.oidc import SINGLE_OPTIONAL_BOOLEAN
+from idpyoidc.message.oidc import SINGLE_OPTIONAL_DICT
+from idpyoidc.message.oidc import RegistrationResponse
+from idpyoidc.server.session.token import TOKEN_MAP
+
+logger = logging.getLogger(__name__)
+
+
+class ClientConfiguration(RegistrationResponse):
+    c_param = RegistrationResponse.c_param.copy()
+    c_param.update(
+        {
+            "token_usage_rules": SINGLE_OPTIONAL_DICT,
+            "token_exchange": SINGLE_OPTIONAL_DICT,
+            "add_claims": SINGLE_OPTIONAL_DICT,
+            "pkce_essential": SINGLE_OPTIONAL_BOOLEAN,
+            "revoke_refresh_on_issue": SINGLE_OPTIONAL_BOOLEAN,
+            "allowed_scopes": OPTIONAL_LIST_OF_STRINGS,
+            "scopes_to_claims": SINGLE_OPTIONAL_DICT,
+            #
+            # These may be added dynamically at run time
+            # "dpop_jkt": SINGLE_OPTIONAL_STRING,
+            # "si_redirects": OPTIONAL_LIST_OF_STRINGS,
+            # "sector_id": SINGLE_OPTIONAL_STRING,
+            # "client_secret_expires_at": SINGLE_OPTIONAL_INT,
+            # "registration_access_token": SINGLE_OPTIONAL_STRING
+            # "auth_method": SINGLE_OPTIONAL_DICT,
+        }
+    )
+
+    def verify(self, **kwargs):
+        RegistrationResponse.verify(self, **kwargs)
+        _server_get = kwargs.get("server_get")
+        if _server_get:
+            _endpoint_context = _server_get("endpoint_context")
+        else:
+            _endpoint_context = None
+
+        if "add_claims" in self:
+            if not set(self["add_claims"].keys()).issubset({"always", "by_scope"}):
+                _diff = set(self["add_claims"].keys()).difference({"always", "by_scope"})
+                logger.warning(f"Undefined add_claims parameter '{_diff}' used")
+
+        if "token_usage_rules" in self:
+            for _typ, _rule in self["token_usage_rules"].items():
+                # The allowed rules are: expires_in, supports_minting, max_usage
+                if _typ not in TOKEN_MAP.keys():
+                    logger.warning(f"Undefined token type '{_typ}' used")
+
+                if not set(_rule.keys()).issubset({"expires_in", "supports_minting", "max_usage"}):
+                    _diff = set(_rule.keys()).difference(
+                        {"expires_in", "supports_minting", "max_usage"}
+                    )
+                    logger.warning(f"Undefined token_usage_rules parameter '{_diff}' used")
+
+                _supports = _rule.get("supports_minting")
+                if _supports:
+                    if not set(_supports).issubset(set(TOKEN_MAP.keys())):
+                        _diff = set(_supports).difference(set(TOKEN_MAP.keys()))
+                        logger.warning(f"Unknown supports_minting token '{_diff}' used")
+
+        if "token_exchange" in self:
+            pass
+
+
+def verify_oidc_client_information(
+    conf: dict, server_get: Optional[Callable] = None, **kwargs
+) -> dict:
+    res = {}
+    for key, item in conf.items():
+        _rr = ClientConfiguration(**item)
+        _rr.verify(server_get=server_get, **kwargs)
+        if _rr.extra():
+            logger.info(f"Extras: {_rr.extra()}")
+        res[key] = _rr
+
+    return res