Adding default configurations. base_url is the only required argument to RPHandler.

The remaining arguments has reasonable defaults.
If you go with the defaults you get an RPHandler that can spawn RPs that does everything dynamically.

Author: rohe

chrp/rp.py

@@ -88,10 +88,9 @@
     else:
         _verify_ssl = True
 
-    rph = RPHandler(base_url=_base_url, hash_seed="BabyHoldOn", keyjar=_kj,
-                    jwks_path=config.PUBLIC_JWKS_PATH,
-                    client_configs=config.CLIENTS,
-                    services=config.SERVICES, verify_ssl=_verify_ssl)
+    rph = RPHandler(_base_url, config.CLIENTS, services=config.SERVICES,
+                    hash_seed="BabyHoldOn", keyjar=_kj, jwks_path=config.PUBLIC_JWKS_PATH,
+                    verify_ssl=_verify_ssl)
 
     cherrypy.tree.mount(cprp.Consumer(rph, 'html'), '/', provider_config)
 

flask_rp/application.py

@@ -24,10 +24,9 @@ def init_oidc_rp_handler(app):
         _path = ''
     _kj.httpc_params = _rp_conf.httpc_params
 
-    rph = RPHandler(base_url=_rp_conf.base_url,
+    rph = RPHandler(_rp_conf.base_url, _rp_conf.clients, services=_rp_conf.services,
                     hash_seed=_rp_conf.hash_seed, keyjar=_kj, jwks_path=_path,
-                    client_configs=_rp_conf.clients,
-                    services=_rp_conf.services, httpc_params=_rp_conf.httpc_params)
+                    httpc_params=_rp_conf.httpc_params)
 
     return rph
 

src/oidcrp/__init__.py

@@ -4,6 +4,7 @@
 import traceback
 
 from cryptojwt.key_bundle import keybundle_from_local_file
+from cryptojwt.key_jar import init_key_jar
 from cryptojwt.utils import as_bytes
 from cryptojwt.utils import as_unicode
 from oidcmsg.exception import MessageException
@@ -54,6 +55,53 @@ def token_secret_key(sid):
 SERVICE_NAME = "OIC"
 CLIENT_CONFIG = {}
 
+DEFAULT_SEVICES = {
+    'web_finger': {'class': 'oidcservice.oidc.webfinger.WebFinger'},
+    'discovery': {'class': 'oidcservice.oidc.provider_info_discovery.ProviderInfoDiscovery'},
+    'registration': {'class': 'oidcservice.oidc.registration.Registration'},
+    'authorization': {'class': 'oidcservice.oidc.authorization.Authorization'},
+    'access_token': {'class': 'oidcservice.oidc.access_token.AccessToken'},
+    'refresh_access_token': {'class': 'oidcservice.oidc.refresh_access_token.RefreshAccessToken'},
+    'userinfo': {'class': 'oidcservice.oidc.userinfo.UserInfo'}
+}
+
+DEFAULT_CLIENT_PREFS = {
+    'application_type': 'web',
+    'application_name': 'rphandler',
+    'response_types': ['code', 'id_token', 'id_token token', 'code id_token', 'code id_token token',
+                       'code token'],
+    'scope': ['openid'],
+    'token_endpoint_auth_method': 'client_secret_basic'
+}
+
+# Using PKCE is default
+DEFAULT_CLIENT_CONFIGS = {
+    "": {
+        "client_preferences": DEFAULT_CLIENT_PREFS,
+        "add_ons": {
+            "pkce": {
+                "function": "oidcservice.oidc.add_on.pkce.add_pkce_support",
+                "kwargs": {
+                    "code_challenge_length": 64,
+                    "code_challenge_method": "S256"
+                }
+            }
+        }
+    }
+}
+
+DEFAULT_KEY_DEFS = [
+    {"type": "RSA", "use": ["sig"]},
+    {"type": "EC", "crv": "P-256", "use": ["sig"]},
+]
+
+DEFAULT_RP_KEY_DEFS = {
+    'private_path': 'private/jwks.json',
+    'key_defs': DEFAULT_KEY_DEFS,
+    'public_path': 'static/jwks.json',
+    'read_only': False
+}
+
 
 def add_path(url, path):
     if url.endswith('/'):
@@ -113,14 +161,30 @@ def dynamic_provider_info_discovery(client):
 
 
 class RPHandler(object):
-    def __init__(self, base_url='', hash_seed="", keyjar=None, verify_ssl=True,
-                 services=None, client_configs=None, client_authn_factory=None,
+    def __init__(self, base_url, client_configs=None, services=None, keyjar=None,
+                 hash_seed="", verify_ssl=True, client_authn_factory=None,
                  client_cls=None, state_db=None, http_lib=None, httpc_params=None,
                  **kwargs):
 
         self.base_url = base_url
-        self.hash_seed = as_bytes(hash_seed)
-        self.keyjar = keyjar
+        if hash_seed:
+            self.hash_seed = as_bytes(hash_seed)
+        else:
+            self.hash_seed = as_bytes(rndstr(32))
+
+        _jwks_path = kwargs.get('jwks_path')
+        if keyjar is None:
+            self.keyjar = init_key_jar(**DEFAULT_RP_KEY_DEFS, owner='')
+            self.keyjar.import_jwks_as_json(self.keyjar.export_jwks_as_json(True, ''), base_url)
+            if _jwks_path is None:
+                _jwks_path = DEFAULT_RP_KEY_DEFS['public_path']
+        else:
+            self.keyjar = keyjar
+
+        try:
+            self.jwks_uri = add_path(base_url, _jwks_path)
+        except KeyError:
+            self.jwks_uri = ""
 
         if state_db:
             self.state_db = state_db
@@ -129,22 +193,26 @@ def __init__(self, base_url='', hash_seed="", keyjar=None, verify_ssl=True,
 
         self.session_interface = StateInterface(self.state_db)
 
-        try:
-            self.jwks_uri = add_path(base_url, kwargs['jwks_path'])
-        except KeyError:
-            self.jwks_uri = ""
-
         self.extra = kwargs
 
         self.client_cls = client_cls or oidc.RP
-        self.services = services
+        if services is None:
+            self.services = DEFAULT_SEVICES
+        else:
+            self.services = services
+
         self.client_authn_factory = client_authn_factory
-        self.client_configs = client_configs
+
+        if client_configs is None:
+            self.client_configs = DEFAULT_CLIENT_CONFIGS
+        else:
+            self.client_configs = client_configs
 
         # keep track on which RP instance that serves with OP
         self.issuer2rp = {}
         self.hash2issuer = {}
         self.httplib = http_lib
+
         if not httpc_params:
             self.httpc_params = {'verify': verify_ssl}
         else:
@@ -193,7 +261,12 @@ def init_client(self, issuer):
         :param issuer: An issuer ID
         :return: A Client instance
         """
-        _cnf = self.pick_config(issuer)
+        try:
+            _cnf = self.pick_config(issuer)
+        except KeyError:
+            _cnf = self.pick_config('')
+            _cnf['issuer'] = issuer
+
         try:
             _services = _cnf['services']
         except KeyError:
@@ -310,6 +383,13 @@ def do_client_registration(self, client=None, iss_id='', state=''):
         if not client.service_context.client_id:
             load_registration_response(client)
 
+    def add_callbacks(self, service_context):
+        _callbacks = self.create_callbacks(service_context.provider_info['issuer'])
+        service_context.redirect_uris = [
+            v for k, v in _callbacks.items() if not k.startswith('__')]
+        service_context.callbacks = _callbacks
+        return _callbacks
+
     def client_setup(self, iss_id='', user=''):
         """
         First if no issuer ID is given then the identifier for the user is
@@ -365,10 +445,7 @@ def client_setup(self, iss_id='', user=''):
                 _sc.client_id = client.client_id = add_path(_fe.entity_id, iss_id)
                 self.hash2issuer[iss_id] = issuer
             else:
-                _callbacks = self.create_callbacks(_sc.provider_info['issuer'])
-                _sc.redirect_uris = [
-                    v for k, v in _callbacks.items() if not k.startswith('__')]
-                _sc.callbacks = _callbacks
+                _callbacks = self.add_callbacks(_sc)
                 _sc.client_id = client.client_id = add_path(_fe.entity_id, _callbacks['__hex'])
         else:  # explicit
             logger.debug("Do client registration")

tests/test_20_rp_handler.py

@@ -202,7 +202,7 @@ def iss_id(iss):
 class TestRPHandler(object):
     @pytest.fixture(autouse=True)
     def rphandler_setup(self):
-        self.rph = RPHandler(base_url=BASE_URL, client_configs=CLIENT_CONFIG,
+        self.rph = RPHandler(BASE_URL, CLIENT_CONFIG,
                              keyjar=CLI_KEY, module_dirs=['oidc'])
 
     def test_pick_config(self):
@@ -303,25 +303,15 @@ def test_create_callbacks(self):
         cb = self.rph.create_callbacks('https://op.example.com/')
 
         assert set(cb.keys()) == {'code', 'implicit', 'form_post', '__hex'}
-        assert cb == {
-            'code': 'https://example.com/rp/authz_cb'
-                    '/7f729285244adafbf5412e06b097e0e1f92049bfc432fed0a13cbcb5661b137d',
-            'implicit':
-                'https://example.com/rp/authz_im_cb'
-                '/7f729285244adafbf5412e06b097e0e1f92049bfc432fed0a13cbcb5661b137d',
-            'form_post':
-                'https://example.com/rp/authz_fp_cb'
-                '/7f729285244adafbf5412e06b097e0e1f92049bfc432fed0a13cbcb5661b137d',
-            '__hex':
-                '7f729285244adafbf5412e06b097e0e1f92049bfc432fed0a13cbcb5661b137d'
-        }
+        _hash = cb['__hex']
+
+        assert cb['code'] == 'https://example.com/rp/authz_cb/{}'.format(_hash)
+        assert cb['implicit'] == 'https://example.com/rp/authz_im_cb/{}'.format(_hash)
+        assert cb['form_post'] == 'https://example.com/rp/authz_fp_cb/{}'.format(_hash)
 
-        assert list(self.rph.hash2issuer.keys()) == [
-            '7f729285244adafbf5412e06b097e0e1f92049bfc432fed0a13cbcb5661b137d']
+        assert list(self.rph.hash2issuer.keys()) == [_hash]
 
-        assert self.rph.hash2issuer[
-                   '7f729285244adafbf5412e06b097e0e1f92049bfc432fed0a13cbcb5661b137d'
-               ] == 'https://op.example.com/'
+        assert self.rph.hash2issuer[_hash] == 'https://op.example.com/'
 
     def test_begin(self):
         res = self.rph.begin(issuer_id='github')
@@ -615,8 +605,7 @@ def test_get_provider_specific_service():
 class TestRPHandlerTier2(object):
     @pytest.fixture(autouse=True)
     def rphandler_setup(self, httpserver):
-        self.rph = RPHandler(base_url=BASE_URL, client_configs=CLIENT_CONFIG,
-                             keyjar=CLI_KEY)
+        self.rph = RPHandler(BASE_URL, CLIENT_CONFIG, keyjar=CLI_KEY)
         res = self.rph.begin(issuer_id='github')
         _session = self.rph.get_session_information(res['state'])
         client = self.rph.issuer2rp[_session['iss']]
@@ -800,8 +789,7 @@ class TestRPHandlerWithMockOP(object):
     def rphandler_setup(self):
         self.issuer = 'https://github.com/login/oauth/authorize'
         self.mock_op = MockOP(issuer=self.issuer)
-        self.rph = RPHandler(
-            base_url=BASE_URL, client_configs=CLIENT_CONFIG,
+        self.rph = RPHandler(BASE_URL, CLIENT_CONFIG,
             http_lib=self.mock_op, keyjar=KeyJar())
 
     def test_finalize(self):