Adjustments.

Author: rohe

flask_op/application.py

@@ -18,15 +18,18 @@ def init_oidc_op_endpoints(app):
                          port=app.srv_config.port)
         _server_info_config['issuer'] = iss
 
-    _kj_args = {k:v for k,v in _server_info_config['jwks'].items() if k != 'uri_path'}
-    _kj = init_key_jar(**_kj_args)
-    # make sure I have a set of keys under my 'real' name
-    _kj.import_jwks_as_json(_kj.export_jwks_as_json(True, ''), iss)
-
-    endpoint_context = EndpointContext(_server_info_config, keyjar=_kj, cwd=folder)
-
-    # sort of backward but work so...
-    _kj.httpc_params = endpoint_context.httpc_params
+    # _kj_args = {k:v for k,v in _server_info_config['jwks'].items() if k != 'uri_path'}
+    #
+    # db_conf = _server_info_config.get('db_conf')
+    # if db_conf:
+    #     key_jar_conf = db_conf.get('keyjar')
+    #     _kj = init_key_jar(storage_conf=key_jar_conf, **_kj_args)
+    # else:
+    #     _kj = init_key_jar(**_kj_args)
+    # # make sure I have a set of keys under my 'real' name
+    # _kj.import_jwks_as_json(_kj.export_jwks_as_json(True, ''), iss)
+
+    endpoint_context = EndpointContext(_server_info_config, cwd=folder)
 
     for endp in endpoint_context.endpoint.values():
         p = urlparse(endp.endpoint_path)

flask_op/config.yaml

@@ -112,7 +112,7 @@ op:
         path: '.well-known/webfinger'
         class: oidcendpoint.oidc.discovery.Discovery
         kwargs:
-          client_authn_method: []
+          client_authn_method: null
       provider_info:
         path: ".well-known/openid-configuration"
         class: oidcendpoint.oidc.provider_config.ProviderConfiguration

flask_op/config_persistent.yaml

@@ -0,0 +1,294 @@
+logging:
+  version: 1
+  root:
+    handlers:
+      - default
+      - console
+    level: DEBUG
+  loggers:
+    bobcat_idp:
+      level: DEBUG
+  handlers:
+    default:
+      class: logging.FileHandler
+      filename: 'debug.log'
+      formatter: default
+    console:
+      class: logging.StreamHandler
+      stream: 'ext://sys.stdout'
+      formatter: default
+  formatters:
+    default:
+      format: '%(asctime)s %(name)s %(levelname)s %(message)s'
+
+port: &port 5000
+domain: &domain 127.0.0.1
+server_name: '{domain}:{port}'
+base_url: &base_url 'https://{domain}:{port}'
+
+key_def: &key_def
+  -
+    type: RSA
+    use:
+      - sig
+  -
+    type: EC
+    crv: "P-256"
+    use:
+      - sig
+
+OIDC_KEYS: &oidc_keys
+  'private_path': "private/jwks.json"
+  'key_defs': *key_def
+  'public_path': 'static/jwks.json'
+  'read_only': False
+  # otherwise OP metadata will have jwks_uri: https://127.0.0.1:5000/None!
+  'uri_path': 'static/jwks.json'
+
+
+op:
+  server_info:
+    issuer: *base_url
+    http_params:
+      verify_ssl: False
+    session_key:
+      filename: private/session_jwk.json
+      type: OCT
+      use: sig
+    capabilities:
+      subject_types_supported:
+        - public
+        - pairwise
+      grant_types_supported:
+        - authorization_code
+        - implicit
+        - urn:ietf:params:oauth:grant-type:jwt-bearer
+        - refresh_token
+    template_dir: templates
+    id_token:
+      class: oidcendpoint.id_token.IDToken
+      kwargs:
+        default_claims:
+          email:
+            essential: True
+          email_verified:
+            essential: True
+    token_handler_args:
+      jwks_def:
+        private_path: 'private/token_jwks.json'
+        read_only: False
+        key_defs:
+          -
+            type: oct
+            bytes: 24
+            use:
+              - enc
+            kid: code
+          -
+            type: oct
+            bytes: 24
+            use:
+              - enc
+            kid: refresh
+      code:
+        lifetime: 600
+      token:
+        class: oidcendpoint.jwt_token.JWTToken
+        lifetime: 3600
+        add_claims:
+          - email
+          - email_verified
+          - phone_number
+          - phone_number_verified
+        add_claim_by_scope: True
+        aud:
+          - https://example.org/appl
+      refresh:
+        lifetime: 86400
+    keys:
+      *oidc_keys
+    endpoint:
+      webfinger:
+        path: '.well-known/webfinger'
+        class: oidcendpoint.oidc.discovery.Discovery
+        kwargs:
+          client_authn_method: null
+      provider_info:
+        path: ".well-known/openid-configuration"
+        class: oidcendpoint.oidc.provider_config.ProviderConfiguration
+        kwargs:
+          client_authn_method: null
+      registration:
+          path: registration
+          class: oidcendpoint.oidc.registration.Registration
+          kwargs:
+            client_authn_method: null
+            client_secret_expiration_time: 432000
+      registration_api:
+          path: registration_api
+          class: oidcendpoint.oidc.read_registration.RegistrationRead
+          kwargs:
+            client_authn_method:
+              - bearer_header
+      introspection:
+          path: introspection
+          class: oidcendpoint.oauth2.introspection.Introspection
+          kwargs:
+            client_authn_method:
+              - client_secret_post
+            release:
+            - username
+      authorization:
+          path: authorization
+          class: oidcendpoint.oidc.authorization.Authorization
+          kwargs:
+            client_authn_method: null
+            claims_parameter_supported: True
+            request_parameter_supported: True
+            request_uri_parameter_supported: True
+            response_types_supported:
+              - code
+              - token
+              - id_token
+              - "code token"
+              - "code id_token"
+              - "id_token token"
+              - "code id_token token"
+              - none
+            response_modes_supported:
+              - query
+              - fragment
+              - form_post
+      token:
+          path: token
+          class: oidcendpoint.oidc.token.AccessToken
+          kwargs:
+            client_authn_method:
+              - client_secret_post
+              - client_secret_basic
+              - client_secret_jwt
+              - private_key_jwt
+      userinfo:
+          path: userinfo
+          class: oidcendpoint.oidc.userinfo.UserInfo
+          kwargs:
+            claim_types_supported:
+              - normal
+              - aggregated
+              - distributed
+      end_session:
+          path: session
+          class: oidcendpoint.oidc.session.Session
+          kwargs:
+              logout_verify_url: verify_logout
+              post_logout_uri_path: post_logout
+              signing_alg: "ES256"
+              frontchannel_logout_supported: True
+              frontchannel_logout_session_supported: True
+              backchannel_logout_supported: True
+              backchannel_logout_session_supported: True
+              check_session_iframe: 'check_session_iframe'
+    userinfo:
+      class: oidcendpoint.user_info.UserInfo
+      kwargs:
+        db_file: users.json
+    authentication:
+      user:
+        acr: oidcendpoint.user_authn.authn_context.INTERNETPROTOCOLPASSWORD
+        class: oidcendpoint.user_authn.user.UserPassJinja2
+        kwargs:
+          verify_endpoint: 'verify/user'
+          template: user_pass.jinja2
+          db:
+            class: oidcendpoint.util.JSONDictDB
+            kwargs:
+              json_path: passwd.json
+          page_header: "Testing log in"
+          submit_btn: "Get me in!"
+          user_label: "Nickname"
+          passwd_label: "Secret sauce"
+      #anon:
+        #acr: oidcendpoint.user_authn.authn_context.UNSPECIFIED
+        #class: oidcendpoint.user_authn.user.NoAuthn
+        #kwargs:
+          #user: diana
+    cookie_dealer:
+      class: oidcendpoint.cookie.CookieDealer
+      kwargs:
+        sign_jwk:
+          filename: 'private/cookie_sign_jwk.json'
+          type: OCT
+          kid: cookie_sign_key_id
+        enc_jwk:
+          filename: 'private/cookie_enc_jwk.json'
+          type: OCT
+          kid: cookie_enc_key_id
+        # enc_jwk: 'private/cookie_enc_jwk.json'
+        default_values:
+            name: oidc_op
+            domain: *domain
+            path: /
+            max_age: 3600
+    login_hint2acrs:
+      class: oidcendpoint.login_hint.LoginHint2Acrs
+      kwargs:
+        scheme_map:
+          email:
+            - oidcendpoint.user_authn.authn_context.INTERNETPROTOCOLPASSWORD
+
+    # this adds PKCE support as mandatory - disable it if needed (essential: False)
+    add_on:
+      pkce:
+        function: oidcendpoint.oidc.add_on.pkce.add_pkce_support
+        kwargs:
+          essential: false
+          code_challenge_method:
+            #plain
+            S256
+            S384
+            S512
+
+      claims:
+        function: oidcendpoint.oidc.add_on.custom_scopes.add_custom_scopes
+        kwargs:
+          research_and_scholarship:
+            - name
+            - given_name
+            - family_name
+            - email
+            - email_verified
+            - sub
+            - iss
+            - eduperson_scoped_affiliation
+    db_conf:
+      abstract_storage_cls: abstorage.base.LabeledAbstractStorage
+      keyjar:
+        handler: abstorage.storages.abfile.AbstractFileSystem
+        fdir: storage/keyjar
+        key_conv: abstorage.converter.QPKey
+        value_conv: cryptojwt.serialize.item.KeyIssuer
+        label: 'x'
+      default:
+        handler: abstorage.storages.abfile.AbstractFileSystem
+        fdir: storage
+        key_conv: abstorage.converter.QPKey
+        value_conv: abstorage.converter.JSON
+      session:
+        handler: abstorage.storages.abfile.AbstractFileSystem
+        fdir: storage/session
+        key_conv: abstorage.converter.QPKey
+        value_conv: abstorage.converter.JSON
+      sso:
+        handler: abstorage.storages.abfile.AbstractFileSystem
+        fdir: storage/sso
+        key_conv: abstorage.converter.QPKey
+        value_conv: abstorage.converter.JSON
+
+webserver:
+  server_cert: 'certs/89296913_127.0.0.1.cert'
+  server_key: 'certs/89296913_127.0.0.1.key'
+  ca_bundle: null
+  verify_user: false
+  port: *port
+  domain: *domain
+  debug: true

flask_op/server.py

@@ -20,35 +20,35 @@
 logger = logging.getLogger(__name__)
 
 
-class PeerCertWSGIRequestHandler(werkzeug.serving.WSGIRequestHandler):
-    """
-    We subclass this class so that we can gain access to the connection
-    property. self.connection is the underlying client socket. When a TLS
-    connection is established, the underlying socket is an instance of
-    SSLSocket, which in turn exposes the getpeercert() method.
-
-    The output from that method is what we want to make available elsewhere
-    in the application.
-    """
-
-    def make_environ(self):
-        """
-        The superclass method develops the environ hash that eventually
-        forms part of the Flask request object.
-
-        We allow the superclass method to run first, then we insert the
-        peer certificate into the hash. That exposes it to us later in
-        the request variable that Flask provides
-        """
-        environ = super(PeerCertWSGIRequestHandler, self).make_environ()
-        x509_binary = self.connection.getpeercert(True)
-        if x509_binary:
-            x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, x509_binary)
-            environ['peercert'] = x509
-        else:
-            logger.warning('No peer certificate')
-            environ['peercert'] = ''
-        return environ
+# class PeerCertWSGIRequestHandler(werkzeug.serving.WSGIRequestHandler):
+#     """
+#     We subclass this class so that we can gain access to the connection
+#     property. self.connection is the underlying client socket. When a TLS
+#     connection is established, the underlying socket is an instance of
+#     SSLSocket, which in turn exposes the getpeercert() method.
+#
+#     The output from that method is what we want to make available elsewhere
+#     in the application.
+#     """
+#
+#     def make_environ(self):
+#         """
+#         The superclass method develops the environ hash that eventually
+#         forms part of the Flask request object.
+#
+#         We allow the superclass method to run first, then we insert the
+#         peer certificate into the hash. That exposes it to us later in
+#         the request variable that Flask provides
+#         """
+#         environ = super(PeerCertWSGIRequestHandler, self).make_environ()
+#         x509_binary = self.connection.getpeercert(True)
+#         if x509_binary:
+#             x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, x509_binary)
+#             environ['peercert'] = x509
+#         else:
+#             logger.warning('No peer certificate')
+#             environ['peercert'] = ''
+#         return environ
 
 
 def main(config_file, args):