From c019a3062617bab2d5571808ac72f38b2129f620 Mon Sep 17 00:00:00 2001
From: Roland Hedberg
Date: Thu, 3 Feb 2022 09:04:44 +0100
Subject: [PATCH 1/5] Client_id value kept in service context. Only !

---
 src/oidcrp/entity.py | 4 -
 src/oidcrp/oauth2/__init__.py | 1 -
 tests/pub_client.jwks | 2 +-
 tests/test_20_rp_handler_oidc.py | 28 +-
 tests/test_40_rp_handler_persistent.py | 342 +------------------------
 5 files changed, 32 insertions(+), 345 deletions(-)

diff --git a/src/oidcrp/entity.py b/src/oidcrp/entity.py
index 4c7702a..c8b5dcc 100644
--- a/src/oidcrp/entity.py
+++ b/src/oidcrp/entity.py
@@ -42,10 +42,6 @@ def __init__(self,
 self._service_context = ServiceContext(keyjar=keyjar, config=config, jwks_uri=jwks_uri, httpc_params=self.httpc_params)
- _cid = self._service_context.get('client_id')
- if _cid:
- self.client_id = _cid
-
 _cam = client_authn_factory or factory
 _srvs = services or DEFAULT_SERVICES
diff --git a/src/oidcrp/oauth2/__init__.py b/src/oidcrp/oauth2/__init__.py
index 6b7612e..2ee8fa3 100755
--- a/src/oidcrp/oauth2/__init__.py
+++ b/src/oidcrp/oauth2/__init__.py
@@ -99,7 +99,6 @@ def do_request(self,
 state=_state, **_info)
 def set_client_id(self, client_id):
- self.client_id = client_id
 self._service_context.set('client_id', client_id)
 def get_response(self,
diff --git a/tests/pub_client.jwks b/tests/pub_client.jwks
index d16a636..a57e904 100644
--- a/tests/pub_client.jwks
+++ b/tests/pub_client.jwks
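Review bot: Removing the `self.client_id = _cid` assignment in `__init__` takes the public `client_id` attribute away from the entity without leaving a replacement in this commit, so any caller that still reads `client.client_id` will now raise AttributeError; the tests in this same patch had to be rewritten to reach into the service context for that reason. A read-only property that delegates keeps the old attribute working while still making the service context the single source of truth: `@property` / `def client_id(self):` / `return self._service_context.get('client_id')`. `__init__` continues outside the hunk.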
@@ -1 +1 @@ -{"keys": [{"kty": "RSA", "use": "sig", "kid": "SUswNi1MRFlDT0Y2YjU1Z1RfQlo2S3dEa3FTTkV3LThFcnhDTHF5elk2VQ", "e": "AQAB", "n": "0UkUx2ewKyc-XJ1o0ToyGjws_JybAMZj2oYjsPyyvQ_T5dhZ2VmRRRkhsaVJ2xE_GGc7mSG0IjmGFyXp5y0w4mJBcsAEE5-8eBTvQdYIryjW74r3jt6Fi4Hlm1yFMTie3apv8mw79BUj-jT0kh3_m-FiKKUvLsq45DcLtTJ4cx7Ize37dl1sFSpQcoYMk7eiUEM8fiNboiVwvBYNAWVMkUM-LnVUPm3UjvKp0LihYEkZFWOxmuQmj2x25SFUkjus38ERrRqJQBZduxdBHFrWtWg8yOA53BkMU0FFg_r0H3ctl-5GaKw-BWlogU4qXnsq85xy0EoenRk7FPV8g_ulJw"}, {"kty": "EC", "use": "sig", "kid": "NC1pdGRQN002bWM3bk1xX2R0SktscElqbFdtN29ITDV2WVd2b0hOYzREVQ", "crv": "P-256", "x": "kK7Qp1woSerI7rUOAwW_4sU6ZmwV3wwXKX3VU-v2fMI", "y": "iPWd_Pjq6EjxYy08KNFZ3PxhEwgWHgAQTTknlKMKJA0"}]} \ No newline at end of file +{"keys": [{"kty": "RSA", "use": "sig", "kid": "SUswNi1MRFlDT0Y2YjU1Z1RfQlo2S3dEa3FTTkV3LThFcnhDTHF5elk2VQ", "n": "0UkUx2ewKyc-XJ1o0ToyGjws_JybAMZj2oYjsPyyvQ_T5dhZ2VmRRRkhsaVJ2xE_GGc7mSG0IjmGFyXp5y0w4mJBcsAEE5-8eBTvQdYIryjW74r3jt6Fi4Hlm1yFMTie3apv8mw79BUj-jT0kh3_m-FiKKUvLsq45DcLtTJ4cx7Ize37dl1sFSpQcoYMk7eiUEM8fiNboiVwvBYNAWVMkUM-LnVUPm3UjvKp0LihYEkZFWOxmuQmj2x25SFUkjus38ERrRqJQBZduxdBHFrWtWg8yOA53BkMU0FFg_r0H3ctl-5GaKw-BWlogU4qXnsq85xy0EoenRk7FPV8g_ulJw", "e": "AQAB"}, {"kty": "EC", "use": "sig", "kid": "NC1pdGRQN002bWM3bk1xX2R0SktscElqbFdtN29ITDV2WVd2b0hOYzREVQ", "crv": "P-256", "x": "kK7Qp1woSerI7rUOAwW_4sU6ZmwV3wwXKX3VU-v2fMI", "y": "iPWd_Pjq6EjxYy08KNFZ3PxhEwgWHgAQTTknlKMKJA0"}]} \ No newline at end of file diff --git a/tests/test_20_rp_handler_oidc.py b/tests/test_20_rp_handler_oidc.py index 8c4dde1..05f7aa5 100644 --- a/tests/test_20_rp_handler_oidc.py +++ b/tests/test_20_rp_handler_oidc.py 
@@ -431,12 +431,13 @@ def test_get_tokens(self):
 client = self.rph.issuer2rp[_session['iss']]
 _github_id = iss_id('github')
- client.client_get("service_context").keyjar.import_jwks(
+ _context = client.client_get("service_context")
+ _context.keyjar.import_jwks(
 GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = client.client_id
+ _aud = _context.client_id
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud
@@ -479,16 +480,17 @@ def test_access_and_id_token(self):
 res = self.rph.begin(issuer_id='github')
 _session = self.rph.get_session_information(res['state'])
 client = self.rph.issuer2rp[_session['iss']]
+ _context = client.client_get("service_context")
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = client.client_id
+ _aud = _context.client_id
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud
 }
 _github_id = iss_id('github')
- client.client_get("service_context").keyjar.import_jwks(
+ _context.keyjar.import_jwks(
 GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)
 idts = IdToken(**idval)
@@ -520,16 +522,17 @@ def test_access_and_id_token_by_reference(self):
 res = self.rph.begin(issuer_id='github')
 _session = self.rph.get_session_information(res['state'])
 client = self.rph.issuer2rp[_session['iss']]
+ _context = client.client_get("service_context")
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = client.client_id
+ _aud = _context.client_id
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud
 }
 _github_id = iss_id('github')
- client.client_get("service_context").keyjar.import_jwks(
+ _context.keyjar.import_jwks(
 GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)
 idts = IdToken(**idval)
@@ -561,16 +564,17 @@ def test_get_user_info(self):
 res = self.rph.begin(issuer_id='github')
 _session = self.rph.get_session_information(res['state'])
 client = self.rph.issuer2rp[_session['iss']]
+ _context = client.client_get("service_context")
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = client.client_id
+ _aud = _context.client_id
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud
 }
 _github_id = iss_id('github')
- client.client_get("service_context").keyjar.import_jwks(
+ _context.keyjar.import_jwks(
 GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)
 idts = IdToken(**idval)
@@ -612,9 +616,10 @@ def test_userinfo_in_id_token(self):
 res = self.rph.begin(issuer_id='github')
 _session = self.rph.get_session_information(res['state'])
 client = self.rph.issuer2rp[_session['iss']]
+ _context = client.client_get("service_context")
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = client.client_id
+ _aud = _context.client_id
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud, 'given_name': 'Diana', 'family_name': 'Krall',
@@ -645,16 +650,17 @@ def rphandler_setup(self):
 res = self.rph.begin(issuer_id='github')
 _session = self.rph.get_session_information(res['state'])
 client = self.rph.issuer2rp[_session['iss']]
+ _context = client.client_get("service_context")
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = client.client_id
+ _aud = _context.client_id
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud
 }
 _github_id = iss_id('github')
- client.client_get("service_context").keyjar.import_jwks(
+ _context.keyjar.import_jwks(
 GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)
 idts = IdToken(**idval)
diff --git a/tests/test_40_rp_handler_persistent.py b/tests/test_40_rp_handler_persistent.py
index 737365b..5b70fbc 100644
--- a/tests/test_40_rp_handler_persistent.py
+++ b/tests/test_40_rp_handler_persistent.py
@@ -368,12 +368,13 @@ def test_get_tokens(self):
 client = rph_1.issuer2rp[_session['iss']]
 _github_id = iss_id('github')
- client.client_get("service_context").keyjar.import_jwks(
+ _context = client.client_get("service_context")
+ _context.keyjar.import_jwks(
 GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = client.client_id
+ _aud = _context.client_id
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud
@@ -419,16 +420,17 @@ def test_access_and_id_token(self):
 res = rph_1.begin(issuer_id='github')
 _session = rph_1.get_session_information(res['state'])
 client = rph_1.issuer2rp[_session['iss']]
+ _context = client.client_get("service_context")
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = client.client_id
+ _aud = _context.client_id
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud
 }
 _github_id = iss_id('github')
- client.client_get("service_context").keyjar.import_jwks(
+ _context.keyjar.import_jwks(
 GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)
 idts = IdToken(**idval)
@@ -463,16 +465,17 @@ def test_access_and_id_token_by_reference(self):
 res = rph_1.begin(issuer_id='github')
 _session = rph_1.get_session_information(res['state'])
 client = rph_1.issuer2rp[_session['iss']]
+ _context = client.client_get("service_context")
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = client.client_id
+ _aud = _context.client_id
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud
 }
 _github_id = iss_id('github')
- client.client_get("service_context").keyjar.import_jwks(
+ _context.keyjar.import_jwks(
 GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)
 idts = IdToken(**idval)
@@ -507,16 +510,17 @@ def test_get_user_info(self):
 res = rph_1.begin(issuer_id='github')
 _session = rph_1.get_session_information(res['state'])
 client = rph_1.issuer2rp[_session['iss']]
+ _context = client.client_get("service_context")
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = client.client_id
+ _aud = _context.client_id
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud
 }
 _github_id = iss_id('github')
- client.client_get("service_context").keyjar.import_jwks(
+ _context.keyjar.import_jwks(
 GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)
 idts = IdToken(**idval)
@@ -561,9 +565,10 @@ def test_userinfo_in_id_token(self):
 res = rph_1.begin(issuer_id='github')
 _session = rph_1.get_session_information(res['state'])
 client = rph_1.issuer2rp[_session['iss']]
+ _context = client.client_get("service_context")
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = client.client_id
+ _aud = _context.client_id
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud, 'given_name': 'Diana', 'family_name': 'Krall',
@@ -575,322 +580,3 @@ def test_userinfo_in_id_token(self): userinfo = rph_1.userinfo_in_id_token(idts) assert set(userinfo.keys()) == {'sub', 'family_name', 'given_name', 'occupation'} - -# def test_get_provider_specific_service(): -# service_context = ServiceContext() -# srv_desc = { -# 'access_token': { -# 'class': 'oidcrp.provider.github.AccessToken' -# } -# } -# _srv = init_services(srv_desc, service_context) -# assert _srv['accesstoken'].response_body_type == 'urlencoded' -# -# -# class TestRPHandlerTier2(object): -# @pytest.fixture(autouse=True) -# def rphandler_setup(self): -# rph_1 = RPHandler(BASE_URL, CLIENT_CONFIG, keyjar=CLI_KEY) -# res = rph_1.begin(issuer_id='github') -# _session = rph_1.get_session_information(res['state']) -# client = rph_1.issuer2rp[_session['iss']] -# _nonce = _session['auth_request']['nonce'] -# _iss = _session['iss'] -# _aud = client.client_id -# idval = { -# 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss, -# 'aud': _aud -# } -# -# _github_id = iss_id('github') -# client.client_get("service_context").keyjar.import_jwks( -# GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id) -# -# idts = IdToken(**idval) -# _signed_jwt = idts.to_jwt( -# key=GITHUB_KEY.get_signing_key('rsa', issuer_id=_github_id), -# algorithm="RS256", lifetime=300) -# -# _info = { -# "access_token": "accessTok", "id_token": _signed_jwt, -# "token_type": "Bearer", "expires_in": 3600, -# 'refresh_token': 'refreshing' -# } -# -# at = AccessTokenResponse(**_info) -# _url = "https://github.com/token" -# with responses.RequestsMock() as rsps: -# rsps.add("POST", _url, body=at.to_json(), -# adding_headers={"Content-Type": "application/json"}, status=200) -# -# client.service['accesstoken'].endpoint = _url -# -# _response = AuthorizationResponse(code='access_code', -# state=res['state']) -# auth_response = rph_1.finalize_auth(client, _session['iss'], -# _response.to_dict()) -# -# token_resp = rph_1.get_access_and_id_token(auth_response, -# client=client) -# 
-# _url = "https://github.com/token" -# with responses.RequestsMock() as rsps: -# rsps.add("GET", _url, body='{"sub":"EndUserSubject"}', -# adding_headers={"Content-Type": "application/json"}, status=200) -# -# client.service['userinfo'].endpoint = _url -# rph_1.get_user_info(res['state'], client, -# token_resp['access_token']) -# self.state = res['state'] -# -# def test_init_authorization(self): -# _session = rph_1.get_session_information(self.state) -# client = rph_1.issuer2rp[_session['iss']] -# res = rph_1.init_authorization( -# client, req_args={'scope': ['openid', 'email']}) -# part = urlsplit(res['url']) -# _qp = parse_qs(part.query) -# assert _qp['scope'] == ['openid email'] -# -# def test_refresh_access_token(self): -# _session = rph_1.get_session_information(self.state) -# client = rph_1.issuer2rp[_session['iss']] -# -# _info = { -# "access_token": "2nd_accessTok", -# "token_type": "Bearer", "expires_in": 3600 -# } -# at = AccessTokenResponse(**_info) -# _url = "https://github.com/token" -# with responses.RequestsMock() as rsps: -# rsps.add("POST", _url, body=at.to_json(), -# adding_headers={"Content-Type": "application/json"}, status=200) -# -# client.service['refresh_token'].endpoint = _url -# res = rph_1.refresh_access_token(self.state, client, 'openid email') -# assert res['access_token'] == '2nd_accessTok' -# -# def test_get_user_info(self): -# _session = rph_1.get_session_information(self.state) -# client = rph_1.issuer2rp[_session['iss']] -# -# _url = "https://github.com/userinfo" -# with responses.RequestsMock() as rsps: -# rsps.add("GET", _url, body='{"sub":"EndUserSubject", "mail":"foo@example.com"}', -# adding_headers={"Content-Type": "application/json"}, status=200) -# client.service['userinfo'].endpoint = _url -# -# resp = rph_1.get_user_info(self.state, client) -# assert set(resp.keys()) == {'sub', 'mail'} -# assert resp['mail'] == 'foo@example.com' -# -# def test_has_active_authentication(self): -# assert 
rph_1.has_active_authentication(self.state) -# -# def test_get_valid_access_token(self): -# (token, expires_at) = rph_1.get_valid_access_token(self.state) -# assert token == 'accessTok' -# assert expires_at > 0 -# -# -# class MockResponse(): -# def __init__(self, status_code, text, headers=None): -# self.status_code = status_code -# self.text = text -# self.headers = headers or {} -# -# -# class MockOP(object): -# def __init__(self, issuer, keyjar=None): -# self.keyjar = keyjar -# self.issuer = issuer -# self.state = '' -# self.nonce = '' -# self.get_response = {} -# self.register_get_response('default', 'OK', 200) -# self.post_response = {} -# self.register_post_response('default', 'OK', 200) -# -# def register_get_response(self, path, data, status_code=200, -# headers=None): -# _headers = headers or {} -# self.get_response[path] = MockResponse(status_code, data, _headers) -# -# def register_post_response(self, path, data, status_code=200, headers=None): -# _headers = headers or {} -# self.post_response[path] = MockResponse(status_code, data, _headers) -# -# def __call__(self, url, method="GET", data=None, headers=None, **kwargs): -# if method == 'GET': -# p = urlparse(url) -# try: -# _resp = self.get_response[p.path] -# except KeyError: -# _resp = self.get_response['default'] -# -# if callable(_resp.text): -# _data = _resp.text(data) -# _resp = MockResponse(_resp.status_code, _data, _resp.headers) -# -# return _resp -# elif method == 'POST': -# p = urlparse(url) -# try: -# _resp = self.post_response[p.path] -# except KeyError: -# _resp = self.post_response['default'] -# -# if callable(_resp.text): -# _data = _resp.text(data) -# _resp = MockResponse(_resp.status_code, _data, _resp.headers) -# -# return _resp -# -# -# def construct_access_token_response(nonce, issuer, client_id, key_jar): -# _aud = client_id -# -# idval = { -# 'nonce': nonce, 'sub': 'EndUserSubject', 'iss': issuer, -# 'aud': _aud -# } -# -# idts = IdToken(**idval) -# _signed_jwt = idts.to_jwt( -# 
key=key_jar.get_signing_key('rsa', issuer_id=issuer), -# algorithm="RS256", lifetime=300) -# -# _info = { -# "access_token": "accessTok", "id_token": _signed_jwt, -# "token_type": "Bearer", "expires_in": 3600 -# } -# -# return AccessTokenResponse(**_info) -# -# -# def registration_callback(data): -# _req = json.loads(data) -# # add client_id and client_secret -# _req['client_id'] = 'client1' -# _req['client_secret'] = "ClientSecretString" -# return json.dumps(_req) -# -# -# class TestRPHandlerWithMockOP(object): -# @pytest.fixture(autouse=True) -# def rphandler_setup(self): -# self.issuer = 'https://github.com/login/oauth/authorize' -# self.mock_op = MockOP(issuer=self.issuer) -# rph_1 = RPHandler(BASE_URL, client_configs=CLIENT_CONFIG, -# http_lib=self.mock_op, keyjar=KeyJar()) -# -# def test_finalize(self): -# auth_query = rph_1.begin(issuer_id='github') -# # The authorization query is sent and after successful authentication -# client = rph_1.get_client_from_session_key( -# state=auth_query['state']) -# # register a response -# p = urlparse( -# CLIENT_CONFIG['github']['provider_info']['authorization_endpoint']) -# self.mock_op.register_get_response(p.path, 'Redirect', 302) -# -# _ = client.http(auth_query['url']) -# -# # the user is redirected back to the RP with a positive response -# auth_response = AuthorizationResponse(code='access_code', -# state=auth_query['state']) -# -# # need session information and the client instance -# _session = rph_1.get_session_information(auth_response['state']) -# client = rph_1.get_client_from_session_key( -# state=auth_response['state']) -# -# # Faking -# resp = construct_access_token_response( -# _session['auth_request']['nonce'], issuer=self.issuer, -# client_id=CLIENT_CONFIG['github']['client_id'], -# key_jar=GITHUB_KEY) -# -# p = urlparse( -# CLIENT_CONFIG['github']['provider_info']['token_endpoint']) -# self.mock_op.register_post_response( -# p.path, resp.to_json(), 200, {'content-type': "application/json"} -# ) -# -# 
_info = OpenIDSchema(sub='EndUserSubject', -# given_name='Diana', -# family_name='Krall', -# occupation='Jazz pianist') -# p = urlparse( -# CLIENT_CONFIG['github']['provider_info']['userinfo_endpoint']) -# self.mock_op.register_get_response( -# p.path, _info.to_json(), 200, {'content-type': "application/json"}) -# -# _github_id = iss_id('github') -# client.client_get("service_context").keyjar.import_jwks(GITHUB_KEY.export_jwks( -# issuer_id=_github_id), _github_id) -# -# # do the rest (= get access token and user info) -# # assume code flow -# resp = rph_1.finalize(_session['iss'], auth_response.to_dict()) -# -# assert set(resp.keys()) == {'userinfo', 'state', 'token', 'id_token'} -# -# def test_dynamic_setup(self): -# user_id = 'acct:foobar@example.com' -# _link = Link(rel="http://openid.net/specs/connect/1.0/issuer", -# href="https://server.example.com") -# webfinger_response = JRD(subject=user_id, -# links=[_link]) -# self.mock_op.register_get_response( -# '/.well-known/webfinger', webfinger_response.to_json(), 200, -# {'content-type': "application/json"}) -# -# resp = { -# "authorization_endpoint": -# "https://server.example.com/connect/authorize", -# "issuer": "https://server.example.com", -# "subject_types_supported": ['public'], -# "token_endpoint": "https://server.example.com/connect/token", -# "token_endpoint_auth_methods_supported": ["client_secret_basic", -# "private_key_jwt"], -# "userinfo_endpoint": "https://server.example.com/connect/user", -# "check_id_endpoint": "https://server.example.com/connect/check_id", -# "refresh_session_endpoint": -# "https://server.example.com/connect/refresh_session", -# "end_session_endpoint": -# "https://server.example.com/connect/end_session", -# "jwks_uri": "https://server.example.com/jwk.json", -# "registration_endpoint": -# "https://server.example.com/connect/register", -# "scopes_supported": ["openid", "profile", "email", "address", -# "phone"], -# "response_types_supported": ["code", "code id_token", -# "token 
id_token"],
-# "acrs_supported": ["1", "2",
-# "http://id.incommon.org/assurance/bronze"],
-# "user_id_types_supported": ["public", "pairwise"],
-# "userinfo_algs_supported": ["HS256", "RS256", "A128CBC", "A128KW",
-# "RSA1_5"],
-# "id_token_signing_alg_values_supported": ["HS256", "RS256",
-# "A128CBC", "A128KW",
-# "RSA1_5"],
-# "request_object_algs_supported": ["HS256", "RS256", "A128CBC",
-# "A128KW",
-# "RSA1_5"]
-# }
-#
-# pcr = ProviderConfigurationResponse(**resp)
-# self.mock_op.register_get_response(
-# '/.well-known/openid-configuration', pcr.to_json(), 200,
-# {'content-type': "application/json"})
-#
-# self.mock_op.register_post_response(
-# '/connect/register', registration_callback, 200,
-# {'content-type': "application/json"})
-#
-# auth_query = rph_1.begin(user_id=user_id)
-# assert auth_query
-# client = rph_1.issuer2rp["https://server.example.com"]
-# assert len(client.client_get("service_context").keyjar.owners()) == 3
-# assert 'client1' in client.client_get("service_context").keyjar
From 9ad1f983e127156865991ca96df35863c87f43c4 Mon Sep 17 00:00:00 2001
From: Roland Hedberg
Date: Fri, 4 Feb 2022 08:57:35 +0100
Subject: [PATCH 2/5] Use the get_client_id method to get client_id.

---
 src/oidcrp/__init__.py | 2 +-
 src/oidcrp/client_auth.py | 4 ++--
 src/oidcrp/entity.py | 6 ++++++
 src/oidcrp/rp_handler.py | 6 +++---
 src/oidcrp/service.py | 5 ++---
 tests/test_40_rp_handler_persistent.py | 4 ++--
 6 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/src/oidcrp/__init__.py b/src/oidcrp/__init__.py
index 2df2491..9bee1c5 100644
--- a/src/oidcrp/__init__.py
+++ b/src/oidcrp/__init__.py
@@ -1,7 +1,7 @@
 import logging
 __author__ = 'Roland Hedberg'
-__version__ = '2.1.3'
+__version__ = '2.1.4'
 logger = logging.getLogger(__name__)
diff --git a/src/oidcrp/client_auth.py b/src/oidcrp/client_auth.py
index 571f428..2a480bb 100755
--- a/src/oidcrp/client_auth.py
+++ b/src/oidcrp/client_auth.py
@@ -482,7 +482,7 @@ def _get_audience_and_algorithm(self, context, **kwargs):
 def _construct_client_assertion(self, service, **kwargs):
 _context = service.client_get("service_context")
-
+ _entity = service.client_get("entity")
 audience, algorithm = self._get_audience_and_algorithm(_context, **kwargs)
 if 'kid' in kwargs:
@@ -500,7 +500,7 @@ def _construct_client_assertion(self, service, **kwargs):
 # construct the signed JWT with the assertions and add
 # it as value to the 'client_assertion' claim of the request
- return assertion_jwt(_context.client_id, signing_key, audience, algorithm, **_args)
+ return assertion_jwt(_entity.get_client_id(), signing_key, audience, algorithm, **_args)
 def modify_request(self, request, service, **kwargs):
 """
diff --git a/src/oidcrp/entity.py b/src/oidcrp/entity.py
index c8b5dcc..69dffd6 100644
--- a/src/oidcrp/entity.py
+++ b/src/oidcrp/entity.py
@@ -74,3 +74,9 @@ def get_service_by_endpoint_name(self, endpoint_name, *arg):
 return service
 return None
+
+ def get_entity(self):
+ return self
+
+ def get_client_id(self):
+ return self._service_context.client_id
diff --git a/src/oidcrp/rp_handler.py b/src/oidcrp/rp_handler.py
index 63356ae..6d42ced 100644
--- a/src/oidcrp/rp_handler.py
+++ b/src/oidcrp/rp_handler.py
@@ -277,7 +277,7 @@ def do_client_registration(self, client=None,
 # if _context.callback.get("post_logout_redirect_uri") is None:
 # _context.callback["post_logout_redirect_uri"] = [self.base_url]
- if not _context.client_id: # means I have to do dynamic client registration
+ if not client.get_client_id(): # means I have to do dynamic client registration
 if request_args is None:
 request_args = {}
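Review bot: On the `return assertion_jwt(_entity.get_client_id(), ...)` line the client assertion's issuer/subject is taken straight from the service context and nothing checks that it is set; `get_client_id` added in this same patch just returns `self._service_context.client_id`, and `do_client_registration` treats an empty value as "not yet registered". If an assertion is built before a client_id exists, a JWT with an empty or null `iss`/`sub` would be signed and sent, which is better rejected locally than diagnosed from an opaque `invalid_client` response. Bind and check the value first: `_client_id = _entity.get_client_id()` / `if not _client_id:` / `raise ValueError("client_id is required to build a client assertion")` (or the project's own error class, if one exists). `_construct_client_assertion` has lines between the two hunks that are not shown here.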
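Review bot: `get_client_id` and `get_entity` are new public methods with no docstring, and `get_client_id` reads `self._service_context.client_id` as an attribute while the patch-1 `set_client_id` in oauth2/__init__.py writes the value through `self._service_context.set('client_id', ...)` and `get_tokens` reads it with `_context.get('client_id')`. Unless ServiceContext guarantees the attribute exists even when nothing has set it (ServiceContext is not visible here), mirroring the setter is the safer spelling: `return self._service_context.get('client_id')`. A one-line docstring such as `"""Return the client_id held in the service context; may be empty until configured or dynamically registered."""` would also tell callers that the value can be unset.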
@@ -514,7 +514,7 @@ def get_tokens(self, state, client: Optional[Client] = None):
 'state': state,
 'redirect_uri': authorization_request['redirect_uri'],
 'grant_type': 'authorization_code',
- 'client_id': _context.get('client_id'),
+ 'client_id': client.get_client_id(),
 'client_secret': _context.get('client_secret')
 }
 logger.debug('request_args: {}'.format(req_args))
@@ -956,7 +956,7 @@ def backchannel_logout(client, request='', request_args=None):
 _context = client.client_get("service_context")
 kwargs = {
- 'aud': _context.get('client_id'),
+ 'aud': client.get_client_id(),
 'iss': _context.get('issuer'),
 'keyjar': _context.keyjar,
 'allowed_sign_alg': _context.get('registration_response').get(
diff --git a/src/oidcrp/service.py b/src/oidcrp/service.py
index 3eaa025..de65528 100644
--- a/src/oidcrp/service.py
+++ b/src/oidcrp/service.py
@@ -460,9 +460,8 @@ def gather_verify_arguments(self,
 'verify': True
 }
- _client_id = _context.client_id
- if _client_id:
- kwargs['client_id'] = _client_id
+ _entity = _context.client_get("entity")
+ kwargs['client_id'] = _entity.get_client_id()
 if self.service_name == "provider_info":
 if _context.issuer.startswith("http://"):
diff --git a/tests/test_40_rp_handler_persistent.py b/tests/test_40_rp_handler_persistent.py
index 5b70fbc..70bff79 100644
--- a/tests/test_40_rp_handler_persistent.py
+++ b/tests/test_40_rp_handler_persistent.py
@@ -565,10 +565,10 @@ def test_userinfo_in_id_token(self):
 res = rph_1.begin(issuer_id='github')
 _session = rph_1.get_session_information(res['state'])
 client = rph_1.issuer2rp[_session['iss']]
- _context = client.client_get("service_context")
+ #_context = client.client_get("service_context")
 _nonce = _session['auth_request']['nonce']
 _iss = _session['iss']
- _aud = _context.client_id
+ _aud = client.get_client_id()
 idval = {
 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
 'aud': _aud, 'given_name': 'Diana', 'family_name': 'Krall',
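Review bot: The context line `logger.debug('request_args: {}'.format(req_args))` directly after the rebuilt dict writes `client_secret` to the log in clear text at debug level, since the dict the hunk touches carries `'client_secret': _context.get('client_secret')`. This is pre-existing rather than introduced here, but the hunk re-touches exactly that dict, so it is the moment to redact: `logger.debug('request_args: %s', {k: ('***' if k == 'client_secret' else v) for k, v in req_args.items()})`. `get_tokens` continues outside the hunk.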
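Review bot: `'aud': client.get_client_id()` is the audience the back-channel logout token is verified against, and an unset client_id makes that value `None`; whether the verifier then fails loudly or quietly skips the audience check is not visible here, so it is worth failing closed before the `kwargs` literal is built: `_client_id = client.get_client_id()` / `if not _client_id:` / `raise ValueError("backchannel_logout requires a registered client_id")`. The `kwargs` literal and the rest of `backchannel_logout` continue outside the hunk.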
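Review bot: The rewrite drops the truthiness guard the removed lines had (`if _client_id:`), so `kwargs['client_id']` is now always set, possibly to None or an empty string, including for the `provider_info` service where no client_id can exist yet. The previous code left the key out in that case, and whether the downstream verify call treats `client_id=None` the same as an absent key cannot be confirmed from this hunk, so keeping the guard preserves the old semantics: `_client_id = _entity.get_client_id()` / `if _client_id:` / `kwargs['client_id'] = _client_id`. `gather_verify_arguments` continues outside the hunk.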
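Review bot: The added line `#_context = client.client_get("service_context")` leaves commented-out code in the test; `_context` is no longer referenced in this test after the `_aud = client.get_client_id()` change, so the line should be deleted rather than commented. `test_userinfo_in_id_token` continues outside the hunk.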
From fa124c573bae0ae2c1743052cf694b9d6cc2dae1 Mon Sep 17 00:00:00 2001
From: roland
Date: Fri, 4 Feb 2022 09:42:05 +0100
Subject: [PATCH 3/5] Use get_client_id.

---
 src/oidcrp/oidc/access_token.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/oidcrp/oidc/access_token.py b/src/oidcrp/oidc/access_token.py
index 7828b69..8a2b215 100644
--- a/src/oidcrp/oidc/access_token.py
+++ b/src/oidcrp/oidc/access_token.py
@@ -37,10 +37,10 @@ def gather_verify_arguments(self,
 :return: dictionary with arguments to the verify call
 """
 _context = self.client_get("service_context")
- # Default is RS256
+ _entity = self.client_get("entity")
 kwargs = {
- 'client_id': _context.client_id,
+ 'client_id': _entity.get_client_id(),
 'iss': _context.issuer,
 'keyjar': _context.keyjar,
 'verify': True,
From 9bd8ed36a0098ce6b259f6f72327846dfcb6d501 Mon Sep 17 00:00:00 2001
From: roland
Date: Fri, 4 Feb 2022 09:54:35 +0100
Subject: [PATCH 4/5] Spelling error ?

---
 src/oidcrp/service.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/oidcrp/service.py b/src/oidcrp/service.py
index de65528..c4726a5 100644
--- a/src/oidcrp/service.py
+++ b/src/oidcrp/service.py
@@ -460,7 +460,7 @@ def gather_verify_arguments(self,
 'verify': True
 }
- _entity = _context.client_get("entity")
+ _entity = self.client_get("entity")
 kwargs['client_id'] = _entity.get_client_id()
 if self.service_name == "provider_info":
From 463a734e268a553aba438c6863f71e7b1610d3e9 Mon Sep 17 00:00:00 2001
From: roland
Date: Tue, 22 Feb 2022 10:50:27 +0100
Subject: [PATCH 5/5] Remove support for Python 3.6

---
 .github/workflows/python-app.yml | 2 +-
 setup.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
index 8d9cdfa..3a43f69 100644
--- a/.github/workflows/python-app.yml
+++ b/.github/workflows/python-app.yml
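Review bot: `'client_id': _entity.get_client_id()` is the value the ID token's `aud` claim is checked against in the access-token response, and the hunk swaps in the new lookup without handling an unset client_id; an ID token should never be accepted without a known expected audience, so fail closed before building `kwargs`: `_client_id = _entity.get_client_id()` / `if not _client_id:` / `raise ValueError("cannot verify an ID token without a client_id")`. The removed `# Default is RS256` comment documented the signing-algorithm default; if that default is still applied further down the `kwargs` literal, keep the comment next to the line that applies it. The `kwargs` literal continues outside the hunk.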
@@ -18,10 +18,10 @@ jobs:
 fail-fast: false
 matrix:
 python-version:
- '3.6'
- '3.7'
- '3.8'
- '3.9'
+ - '3.10'
 steps:
 - uses: actions/checkout@v2
diff --git a/setup.py b/setup.py
index ba39a70..aefa6fc 100755
--- a/setup.py
+++ b/setup.py
@@ -68,13 +68,13 @@ def run_tests(self):
 classifiers=[
 "Development Status :: 5 - Production/Stable",
 "License :: OSI Approved :: Apache Software License",
- "Programming Language :: Python :: 3.6",
 "Programming Language :: Python :: 3.7",
 "Programming Language :: Python :: 3.8",
 "Programming Language :: Python :: 3.9",
+ "Programming Language :: Python :: 3.10",
 "Topic :: Software Development :: Libraries :: Python Modules"],
 install_requires=[
- 'oidcmsg==1.5.4',
+ 'oidcmsg==1.6.0',
 'pyyaml>=5.1.2',
 'responses'
 ],