The stricter crypto alg control has some effects.

Author: rohe

chrp/config.py

@@ -17,7 +17,7 @@
 KEYDEFS = [
     {"type": "RSA", "key": '', "use": ["sig"]},
     {"type": "EC", "crv": "P-256", "use": ["sig"]}
-]
+    ]
 
 PRIVATE_JWKS_PATH = "jwks_dir/jwks.json"
 PUBLIC_JWKS_PATH = 'static/jwks.json'
@@ -35,7 +35,7 @@
     "scope": ["openid", "profile", "email", "address", "phone"],
     "token_endpoint_auth_method": ["client_secret_basic", 'client_secret_post'],
     'services': SERVICES
-}
+    }
 
 # The keys in this dictionary are the OPs short user friendly name
 # not the issuer (iss) name.
@@ -55,8 +55,8 @@
             'AccessToken': {},
             'RefreshAccessToken': {},
             'UserInfo': {}
-        }
-    },
+            }
+        },
     # Supports OP information lookup but not client registration
     "google": {
         "issuer": "https://accounts.google.com/",
@@ -68,19 +68,19 @@
             "scope": ["openid", "profile", "email"],
             "token_endpoint_auth_method": ["client_secret_basic",
                                            'client_secret_post']
-        },
+            },
         "allow": {
             "issuer_mismatch": True
-        },
+            },
         # "userinfo_request_method": "GET",
         "services": {
             'ProviderInfoDiscovery': {},
             'Authorization': {},
             'AccessToken': {},
             'RefreshAccessToken': {},
             'UserInfo': {}
-        }
-    },
+            }
+        },
     "linkedin": {
         "issuer": "https://www.linkedin.com/oauth/v2/",
         "client_id": "xxxxxxx",
@@ -90,27 +90,27 @@
             "response_types": ["code"],
             "scope": ["r_basicprofile", "r_emailaddress"],
             "token_endpoint_auth_method": ['client_secret_post']
-        },
+            },
         "provider_info": {
             "authorization_endpoint":
                 "https://www.linkedin.com/oauth/v2/authorization",
             "token_endpoint": "https://www.linkedin.com/oauth/v2/accessToken",
             "userinfo_endpoint":
                 "https://api.linkedin.com/v1/people/~?format=json"
-        },
+            },
         'services': {
             'Authorization': {},
             'linkedin.AccessToken': {},
             'linkedin.UserInfo': {}
-        }
-    },
+            }
+        },
     "facebook": {
         "issuer": "https://www.facebook.com/v2.11/dialog/oauth",
         "behaviour": {
             "response_types": ["code"],
             "scope": ["email", "public_profile"],
             "token_endpoint_auth_method": ['']
-        },
+            },
         "redirect_uris": ["{}/authz_cb/facebook".format(BASEURL)],
         "provider_info": {
             "authorization_endpoint":
@@ -119,13 +119,13 @@
                 "https://graph.facebook.com/v2.11/oauth/access_token",
             "userinfo_endpoint":
                 "https://graph.facebook.com/me"
-        },
+            },
         'services': {
             'Authorization': {},
             'AccessToken': {'default_authn_method': ''},
-            'UserInfo': {'default_authn_method':''}
-        }
-    },
+            'UserInfo': {'default_authn_method': ''}
+            }
+        },
     'github': {
         "issuer": "https://github.com/login/oauth/authorize",
         'client_id': 'eeeeeeeee',
@@ -135,21 +135,21 @@
             "response_types": ["code"],
             "scope": ["user", "public_repo"],
             "token_endpoint_auth_method": ['']
-        },
+            },
         "provider_info": {
             "authorization_endpoint":
                 "https://github.com/login/oauth/authorize",
             "token_endpoint":
                 "https://github.com/login/oauth/access_token",
             "userinfo_endpoint":
                 "https://api.github.com/user"
-        },
+            },
         'services': {
             'Authorization': {},
             'AccessToken': {},
             'UserInfo': {'default_authn_method': ''}
-        }
-    },
+            }
+        },
     "salesforce": {
         "issuer": "https://login.salesforce.com",
         "client_id": "xxxxxxxxx.yyy",
@@ -160,7 +160,7 @@
             "scope": ["openid", "profile", "email"],
             "token_endpoint_auth_method": ["client_secret_basic",
                                            'client_secret_post']
-        },
+            },
         # "allow": {
         #     "issuer_mismatch": True
         # },
@@ -171,9 +171,9 @@
             'AccessToken': {},
             'RefreshAccessToken': {},
             'UserInfo': {}
-        },
+            },
         "keys": {'file': {"https://login.salesforce.com": 'salesforce.jwks'}}
-    },
+        },
     "okta": {
         "issuer": "https://dev-968755.oktapreview.com/",
         "client_id": "123456789",
@@ -184,7 +184,7 @@
             "scope": ["openid", "profile", "email"],
             "token_endpoint_auth_method": ["client_secret_basic",
                                            'client_secret_post']
-        },
+            },
         "provider_info": {
             "authorization_endpoint":
                 "https://dev-968755.oktapreview.com/oauth2/default/v1"
@@ -193,15 +193,64 @@
                 "https://dev-968755.oktapreview.com/oauth2/default/v1/token",
             "userinfo_endpoint":
                 "https://dev-968755.oktapreview.com/oauth2/v1/userinfo"
-        },
+            },
         # "userinfo_request_method": "GET",
         "services": {
             'Authorization': {},
             'AccessToken': {},
             'UserInfo': {}
+            }
+        },
+    'microsoft': {
+        'issuer': 'https://login.microsoftonline.com/<UUID>>/v2.0',
+        'client_id': '1234567890',
+        'client_secret': 'abcdefghijklmnop',
+        "redirect_uris": ["{}/authz_cb/microsoft".format(BASEURL)],
+        "client_preferences": {
+            "response_types": ["id_token"],
+            "scope": ["openid"],
+            "token_endpoint_auth_method": ["private_key_jwt",
+                                           'client_secret_post'],
+            "response_mode": 'form_post'
+            },
+        "allow": {
+            "issuer_mismatch": True
+            },
+        "services": {
+            'ProviderInfoDiscovery',
+            'Authorization'
+            }
+        },
+    "aws": {
+        "issuer": "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1",
+        'client_id': '1234567890',
+        'client_secret': 'abcdefghijklmnop',
+        "redirect_uris": ["{}/authz_cb/aws".format(BASEURL)],
+        "behaviour": {
+            "response_types": ["code"],
+            "scope": ["email", "openid"],
+            "token_endpoint_auth_method": ['']
+            },
+        "provider_info": {
+            "authorization_endpoint":
+                "https://catalogix.auth.eu-central-1.amazoncognito.com/oauth2"
+                "/authorize",
+            "token_endpoint":
+                "https://catalogix.auth.eu-central-1.amazoncognito.com/oauth2"
+                "/token"
+            },
+        'services': {
+            'Authorization': {},
+            'AccessToken': {}
+            },
+        'keys': {
+            'url': {
+                'https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1':
+                    'https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1/.well-known/jwks.json'
+                }
+            }
         }
     }
-}
 
 # Whether an attempt to fetch the userinfo should be made
 USERINFO = True

chrp/utils.py

@@ -284,6 +284,10 @@ def do_client_registration(self, client=None, iss_id='', state=''):
             client.service_context.post_logout_redirect_uris
         except AttributeError:
             client.service_context.post_logout_redirect_uris = [self.base_url]
+        else:
+            if not client.service_context.post_logout_redirect_uris:
+                client.service_context.post_logout_redirect_uris = [
+                    self.base_url]
 
         if not client.service_context.client_id:
             load_registration_response(client)

src/oidcrp/__init__.py

@@ -75,6 +75,30 @@ def _cookies(self):
 
         return cookie_dict
 
+    def add_cookies(self, kwargs):
+        if self.cookiejar:
+            kwargs["cookies"] = self._cookies()
+            logger.debug("SENT {} COOKIES".format(len(kwargs["cookies"])))
+        return kwargs
+
+    def run_req_callback(self, url, method, kwargs):
+        if self.req_callback is not None:
+            kwargs = self.req_callback(method, url, **kwargs)
+        return kwargs
+
+    def set_cookie(self, response):
+        try:
+            _cookie = response.headers["set-cookie"]
+            logger.debug("RECEIVED COOKIE")
+            try:
+                # add received cookies to the cookie jar
+                set_cookie(self.cookiejar, SimpleCookie(_cookie))
+            except CookieError as err:
+                logger.error(err)
+                raise NonFatalException(response, "{}".format(err))
+        except (AttributeError, KeyError) as err:
+            pass
+
     def __call__(self, url, method="GET", **kwargs):
         """
         Send a HTTP request to a URL using a specified method
@@ -91,14 +115,11 @@ def __call__(self, url, method="GET", **kwargs):
             _kwargs.update(kwargs)
 
         # If I have cookies add them all to the request
-        if self.cookiejar:
-            _kwargs["cookies"] = self._cookies()
-            logger.debug("SENT {} COOKIES".format(len(_kwargs["cookies"])))
+        self.add_cookies(kwargs)
 
         # If I want to modify the request arguments based on URL, method
         # and current arguments I can use this call back function.
-        if self.req_callback is not None:
-            _kwargs = self.req_callback(method, url, **_kwargs)
+        self.run_req_callback(url, method, kwargs)
 
         try:
             # Do the request
@@ -112,17 +133,7 @@ def __call__(self, url, method="GET", **kwargs):
         if self.events is not None:
             self.events.store('HTTP response', r, ref=url)
 
-        try:
-            _cookie = r.headers["set-cookie"]
-            logger.debug("RECEIVED COOKIE")
-            try:
-                # add received cookies to the cookie jar
-                set_cookie(self.cookiejar, SimpleCookie(_cookie))
-            except CookieError as err:
-                logger.error(err)
-                raise NonFatalException(r, "{}".format(err))
-        except (AttributeError, KeyError) as err:
-            pass
+        self.set_cookie(r)
 
         # return the response
         return r

src/oidcrp/http.py

@@ -0,0 +1,71 @@
+import os
+from http.cookies import SimpleCookie
+
+import pytest
+
+from oidcrp.cookie import CookieDealer
+from oidcrp.http import HTTPLib
+from oidcrp.util import set_cookie
+
+_dirname = os.path.dirname(os.path.abspath(__file__))
+
+CLIENT_CERT = open(os.path.join(_dirname, "data", "keys",'cert.key')).read()
+CA_CERT = open(os.path.join(_dirname, "data", "keys",'cacert.pem')).read()
+
+
+@pytest.fixture
+def cookie_dealer():
+    class DummyServer():
+        def __init__(self):
+            self.symkey = b"0123456789012345"
+
+    return CookieDealer(DummyServer())
+
+
+def test_ca_cert():
+    with pytest.raises(ValueError):
+        HTTPLib(CA_CERT, False, CLIENT_CERT)
+
+    _h = HTTPLib(CA_CERT, True, CLIENT_CERT)
+    assert _h.request_args["verify"] == CA_CERT
+
+
+def test_cookie(cookie_dealer):
+    cookie_value = "Something to pass along"
+    cookie_typ = "sso"
+    cookie_name = "Foobar"
+
+    kaka = cookie_dealer.create_cookie(cookie_value, cookie_typ,
+                                       cookie_name)
+    _h = HTTPLib()
+    set_cookie(_h.cookiejar, SimpleCookie(kaka[1]))
+
+    res = _h._cookies()
+    assert set(res.keys()) == {'Foobar'}
+
+    kwargs = _h.add_cookies({})
+    assert 'cookies' in kwargs
+    assert set(kwargs['cookies'].keys()) == {'Foobar'}
+
+
+class DummyResponse(object):
+    def __init__(self, status_code, data, headers):
+        self.status_code = status_code
+        self.data = data
+        self.headers = headers
+
+
+def test_set_cookie(cookie_dealer):
+    cookie_value = "Something to pass along"
+    cookie_typ = "sso"
+    cookie_name = "Foobar"
+
+    kaka = cookie_dealer.create_cookie(cookie_value, cookie_typ,
+                                       cookie_name)
+
+    _h = HTTPLib()
+    response = DummyResponse(200, 'OK', {"set-cookie": kaka[1]})
+    _h.set_cookie(response)
+
+    res = _h._cookies()
+    assert set(res.keys()) == {'Foobar'}