Merge branch 'develop' into pkce-per-client

Author: peppelinux

docs/source/contents/conf.rst

@@ -643,3 +643,72 @@ the following::
             }
         }
     }
+
+
+=======
+Clients
+=======
+
+In this section there are some client configuration examples.
+
+A common configuration::
+
+    endpoint_context.cdb['jbxedfmfyc'] = {
+        client_id: 'jbxedfmfyc',
+        client_salt: '6flfsj0Z',
+        registration_access_token: 'z3PCMmC1HZ1QmXeXGOQMJpWQNQynM4xY',
+        registration_client_uri: 'https://127.0.0.1:8000/registration_api?client_id=jbxedfmfyc',
+        client_id_issued_at: 1630256902,
+        client_secret: '19cc69b70d0108f630e52f72f7a3bd37ba4e11678ad1a7434e9818e1',
+        client_secret_expires_at: 1929727754,
+        application_type: 'web',
+        contacts: [
+            'rp@example.com'
+        ],
+        token_endpoint_auth_method: 'client_secret_basic',
+        redirect_uris: [
+            [
+                'https://127.0.0.1:8090/authz_cb/satosa',
+                {}
+            ]
+        ],
+        post_logout_redirect_uris: [
+            [
+                'https://127.0.0.1:8090/session_logout/satosa',
+                null
+            ]
+        ],
+        response_types: [
+            'code'
+        ],
+        grant_types: [
+            'authorization_code'
+        ],
+        allowed_scopes: [
+            'openid',
+            'profile',
+            'email',
+            'offline_access'
+        ]
+    }
+
+
+How to configure the release of the user claims per clients::
+
+    endpoint_context.cdb["client_1"] = {
+        "client_secret": "hemligt",
+        "redirect_uris": [("https://example.com/cb", None)],
+        "client_salt": "salted",
+        "token_endpoint_auth_method": "client_secret_post",
+        "response_types": ["code", "token", "code id_token", "id_token"],
+        "add_claims": {
+            "always": {
+                "introspection": ["nickname", "eduperson_scoped_affiliation"],
+                "userinfo": ["picture", "phone_number"],
+            },
+            # this overload the general endpoint configuration for this client
+            # self.server.server_get("endpoint", "id_token").kwargs = {"add_claims_by_scope": True}
+            "by_scope": {
+                "id_token": False,
+            },
+        },

docs/source/contents/usage.md

@@ -1,7 +1,7 @@
 Usage
 -----
 
-Some examples, how to run flask_op and django_op, but also some typical configuration in relation to common use cases.
+Some examples, how to run [flask_op](https://github.com/IdentityPython/oidc-op/tree/master/example/flask_op) and [django_op](https://github.com/peppelinux/django-oidc-op) but also some typical configuration in relation to common use cases.
 
 
 
@@ -34,7 +34,7 @@ Get to the RP landing page to choose your authentication endpoint. The first opt
 
 ![OP Auth](../_images/2.png)
 
-AS/OP accepted our authentication request and prompt to us the login form. Read passwd.json file to get credentials.
+The AS/OP supports dynamic client registration, it accepts the authentication request and prompt to us the login form. Read [passwd.json](https://github.com/IdentityPython/oidc-op/blob/master/example/flask_op/passwd.json) file to get credentials.
 
 ----------------------------------
 
@@ -75,12 +75,12 @@ It is important to consider that only scope=offline_access will get a usable ref
 
 oidc-op will return a json response like this::
 
-{
- 'access_token': 'eyJhbGc ... CIOH_09tT_YVa_gyTqg',
- 'token_type': 'Bearer',
- 'scope': 'openid profile email address phone offline_access',
- 'refresh_token': 'Z0FBQ ... 1TE16cm1Tdg=='
-}
+    {
+     'access_token': 'eyJhbGc ... CIOH_09tT_YVa_gyTqg',
+     'token_type': 'Bearer',
+     'scope': 'openid profile email address phone offline_access',
+     'refresh_token': 'Z0FBQ ... 1TE16cm1Tdg=='
+    }
 
 
 

src/oidcop/client_authn.py

@@ -22,6 +22,7 @@
 from oidcop.exception import InvalidClient
 from oidcop.exception import MultipleUsage
 from oidcop.exception import NotForMe
+from oidcop.exception import ToOld
 from oidcop.exception import UnknownClient
 from oidcop.util import importer
 
@@ -409,6 +410,8 @@ def verify_client(
         try:
             # get_client_id_from_token is a callback... Do not abuse for code readability.
             auth_info["client_id"] = get_client_id_from_token(endpoint_context, _token, request)
+        except ToOld:
+            raise ValueError("Expired token")
         except KeyError:
             raise ValueError("Unknown token")
 

src/oidcop/oauth2/token.py

@@ -253,7 +253,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         _resp = {
             "access_token": access_token.value,
             "token_type": access_token.token_type,
-            "scope": _grant.scope,
+            "scope": scope,
         }
 
         if access_token.expires_at:
@@ -318,7 +318,7 @@ def post_parse_request(
         if "scope" in request:
             req_scopes = set(request["scope"])
             scopes = set(grant.find_scope(token.based_on))
-            if scopes < req_scopes:
+            if not req_scopes.issubset(scopes):
                 return self.error_cls(
                     error="invalid_request",
                     error_description="Invalid refresh scopes",

src/oidcop/oidc/token.py

@@ -218,7 +218,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         _resp = {
             "access_token": access_token.value,
             "token_type": token_type,
-            "scope": _grant.scope,
+            "scope": scope,
         }
 
         if access_token.expires_at:
@@ -246,7 +246,7 @@ def process_request(self, req: Union[Message, dict], **kwargs):
         if "id_token" in _mints and "openid" in scope:
             try:
                 _idtoken = self._mint_token(
-                    token_class="refresh_token",
+                    token_class="id_token",
                     grant=_grant,
                     session_id=_session_info["session_id"],
                     client_id=_session_info["client_id"],
@@ -307,7 +307,7 @@ def post_parse_request(
         if "scope" in request:
             req_scopes = set(request["scope"])
             scopes = set(grant.find_scope(token.based_on))
-            if scopes < req_scopes:
+            if not req_scopes.issubset(scopes):
                 return self.error_cls(
                     error="invalid_request",
                     error_description="Invalid refresh scopes",

src/oidcop/session/claims.py

@@ -5,6 +5,7 @@
 from oidcmsg.oidc import OpenIDSchema
 
 from oidcop.exception import ServiceError
+from oidcop.exception import ImproperlyConfigured
 from oidcop.scopes import convert_scopes2claims
 
 logger = logging.getLogger(__name__)
@@ -41,7 +42,11 @@ def authorization_request_claims(self,
 
     def _get_client_claims(self, client_id, usage):
         client_info = self.server_get("endpoint_context").cdb.get(client_id, {})
-        client_claims = client_info.get("{}_claims".format(usage), {})
+        client_claims = (
+            client_info.get("add_claims", {})
+            .get("always", {})
+            .get(usage, {})
+        )
         if isinstance(client_claims, list):
             client_claims = {k: None for k in client_claims}
         return client_claims
@@ -94,8 +99,19 @@ def get_claims(self, session_id: str, scopes: str, claims_release_point: str) ->
 
         claims.update(base_claims)
 
-        # Scopes can in some cases equate to set of claims, is that used here ?
-        if module.kwargs.get("add_claims_by_scope"):
+        # If specific client configuration exists overwrite add_claims_by_scope
+        if client_id in _context.cdb:
+            add_claims_by_scope = (
+                _context.cdb[client_id].get("add_claims", {})
+                .get("by_scope", {})
+                .get(claims_release_point, {})
+            )
+            if isinstance(add_claims_by_scope, dict) and not add_claims_by_scope:
+                add_claims_by_scope = module.kwargs.get("add_claims_by_scope")
+        else:
+            add_claims_by_scope = module.kwargs.get("add_claims_by_scope")
+
+        if add_claims_by_scope:
             if scopes:
                 _scopes = _context.scopes_handler.filter_scopes(client_id, _context, scopes)
 
@@ -127,9 +143,14 @@ def get_user_claims(self, user_id: str, claims_restriction: dict) -> dict:
         :param claims_restriction: Specifies the upper limit of which claims can be returned
         :return:
         """
+        meth = self.server_get("endpoint_context").userinfo
+        if not meth:
+            raise ImproperlyConfigured(
+                "userinfo MUST be defined in the configuration"
+            )
         if claims_restriction:
             # Get all possible claims
-            user_info = self.server_get("endpoint_context").userinfo(user_id, client_id=None)
+            user_info = meth(user_id, client_id=None)
             # Filter out the claims that can be returned
             return {
                 k: user_info.get(k)

src/oidcop/token/id_token.py

@@ -12,9 +12,10 @@
 from oidcop.session.claims import claims_match
 from oidcop.token import is_expired
 from oidcop.token.exception import InvalidToken
+
+from ..util import get_logout_id
 from . import Token
 from . import UnknownToken
-from ..util import get_logout_id
 
 logger = logging.getLogger(__name__)
 
@@ -131,7 +132,13 @@ def __init__(
         self.provider_info = construct_endpoint_info(self.default_capabilities, **kwargs)
 
     def payload(
-            self, session_id, alg="RS256", code=None, access_token=None, extra_claims=None,
+        self,
+        session_id,
+        alg="RS256",
+        code=None,
+        access_token=None,
+        extra_claims=None,
+        user_info=None,
     ):
         """
         Collect payload for the ID Token.
@@ -155,16 +162,18 @@ def payload(
                 if _val:
                     _args[attr] = _val
 
-        _claims_restriction = grant.claims.get("id_token")
-        if _claims_restriction == {}:
-            user_info = None
-        else:
-            user_info = _context.claims_interface.get_user_claims(
-                user_id=session_information["user_id"], claims_restriction=_claims_restriction,
-            )
-            if _claims_restriction and "acr" in _claims_restriction and "acr" in _args:
-                if claims_match(_args["acr"], _claims_restriction["acr"]) is False:
-                    raise ValueError("Could not match expected 'acr'")
+        if not user_info:
+            _claims_restriction = grant.claims.get("id_token")
+            if _claims_restriction == {}:
+                user_info = None
+            else:
+                user_info = _context.claims_interface.get_user_claims(
+                    user_id=session_information["user_id"],
+                    claims_restriction=_claims_restriction,
+                )
+                if _claims_restriction and "acr" in _claims_restriction and "acr" in _args:
+                    if claims_match(_args["acr"], _claims_restriction["acr"]) is False:
+                        raise ValueError("Could not match expected 'acr'")
 
         if user_info:
             try:
@@ -203,15 +212,16 @@ def payload(
         return _args
 
     def sign_encrypt(
-            self,
-            session_id,
-            client_id,
-            code=None,
-            access_token=None,
-            sign=True,
-            encrypt=False,
-            lifetime=None,
-            extra_claims=None,
+        self,
+        session_id,
+        client_id,
+        code=None,
+        access_token=None,
+        sign=True,
+        encrypt=False,
+        lifetime=None,
+        extra_claims=None,
+        user_info=None,
     ) -> str:
         """
         Signed and or encrypt a IDToken
@@ -240,6 +250,7 @@ def sign_encrypt(
             code=code,
             access_token=access_token,
             extra_claims=extra_claims,
+            user_info=user_info,
         )
 
         if lifetime is None:
@@ -249,7 +260,15 @@ def sign_encrypt(
 
         return _jwt.pack(_payload, recv=client_id)
 
-    def __call__(self, session_id: Optional[str] = "", ttype: Optional[str] = "", **kwargs) -> str:
+    def __call__(
+        self,
+        session_id: Optional[str] = "",
+        ttype: Optional[str] = "",
+        encrypt=False,
+        code=None,
+        access_token=None,
+        **kwargs,
+    ) -> str:
         _context = self.server_get("endpoint_context")
 
         user_id, client_id, grant_id = _context.session_manager.decrypt_session_id(session_id)
@@ -265,11 +284,16 @@ def __call__(self, session_id: Optional[str] = "", ttype: Optional[str] = "", **
 
         lifetime = self.lifetime
 
-        # Weed out stuff that doesn't belong here
-        kwargs = {k: v for k, v in kwargs.items() if k in ["encrypt", "code", "access_token"]}
-
         id_token = self.sign_encrypt(
-            session_id, client_id, sign=True, lifetime=lifetime, extra_claims=xargs, **kwargs
+            session_id,
+            client_id,
+            sign=True,
+            lifetime=lifetime,
+            extra_claims=xargs,
+            encrypt=encrypt,
+            code=code,
+            access_token=access_token,
+            user_info=kwargs,
         )
 
         return id_token

tests/__init__.py

@@ -0,0 +1,7 @@
+import os
+
+BASEDIR = os.path.abspath(os.path.dirname(__file__))
+
+
+def full_path(local_file):
+    return os.path.join(BASEDIR, local_file)