Merge pull request #104 from IdentityPython/response_type_handling

Response type handling

Author: rohe

.coveragerc

@@ -1,3 +1,8 @@
 # .coveragerc to control coverage.py
 [run]
+branch = true
+omit = */tests/*, */wsgi.py, fabfile.py, /usr/local/*, ./setup.py
 source = .
+
+[report]
+show_missing = true

.github/workflows/python-app.yml

@@ -18,10 +18,10 @@ jobs:
       fail-fast: false
       matrix:
         python-version:
-          - '3.7'
           - '3.8'
           - '3.9'
           - '3.10'
+          - '3.11'
 
     steps:
     - uses: actions/checkout@v2

doc/client/add_on/dpop.rst

@@ -40,7 +40,7 @@ in a client configuration.
 
     'add_ons': {
         "dpop": {
-            "function": "oidcrp.oauth2.add_on.dpop.add_support",
+            "function": "idpyoidc.client.oauth2.add_on.dpop.add_support",
             "kwargs": {
                 "signing_algorithms": ["ES256", "ES512"]
             }

doc/client/add_on/pushed_authorization.rst

@@ -8,10 +8,39 @@ Pushed Authorization
 Introduction
 ------------
 
-https://tools.ietf.org/id/draft-lodderstedt-oauth-par-00.html
+https://datatracker.ietf.org/doc/html/rfc9126
 
-The Internet draft defines the pushed authorization request endpoint,
+The Internet draft defines the pushed authorization request (PAR) endpoint,
 which allows clients to push the payload of an OAuth 2.0 authorization
 request to the authorization server via a direct request and provides
 them with a request URI that is used as reference to the data in a
-subsequent authorization request.
+subsequent authorization request.
+
+-------------
+Configuration
+-------------
+
+There is basically one things you can configure:
+
+- authn_method
+    Which client authentication method that should be used at the pushed authorization endpoint.
+    Default is none.
+
+-------
+Example
+-------
+
+What you have to do is to add a *par* section to an *add_ons* section
+in a client configuration.
+
+.. code:: python
+
+    'add_ons': {
+        "par": {
+            "function": "idpyoidc.client.oauth2.add_on.par.add_support",
+            "kwargs": {
+                "authn_method": "private_key_jwt"
+            }
+        }
+    }
+

example/flask_op/config.json

@@ -91,7 +91,7 @@
           }
         }
       },
-      "capabilities": {
+      "preference": {
         "subject_types_supported": [
           "public",
           "pairwise"
@@ -260,6 +260,7 @@
         "verify": false
       },
       "issuer": "https://{domain}:{port}",
+      "entity_id": "https://{domain}:{port}",
       "keys": {
         "private_path": "private/jwks.json",
         "key_defs": [
@@ -277,9 +278,8 @@
             ]
           }
         ],
-        "public_path": "static/jwks.json",
         "read_only": false,
-        "uri_path": "static/jwks.json"
+        "uri_path": "jwks"
       },
       "login_hint2acrs": {
         "class": "idpyoidc.server.login_hint.LoginHint2Acrs",
@@ -349,6 +349,6 @@
     "verify_user": false,
     "port": 5000,
     "domain": "127.0.0.1",
-    "debug": true
+    "debug": false
   }
 }

example/flask_op/views.py

@@ -1,26 +1,24 @@
 import json
-import os
 import sys
 import traceback
 from typing import Union
 from urllib.parse import urlparse
 
+import werkzeug
 from cryptojwt import as_unicode
 from flask import Blueprint
-from flask import Response
 from flask import current_app
 from flask import redirect
 from flask import render_template
 from flask import request
+from flask import Response
 from flask.helpers import make_response
-from flask.helpers import send_from_directory
+
 from idpyoidc.message.oauth2 import ResponseMessage
 from idpyoidc.message.oidc import AccessTokenRequest
 from idpyoidc.message.oidc import AuthorizationRequest
-import werkzeug
-
-from idpyoidc.server.exception import FailedAuthentication
 from idpyoidc.server.exception import ClientAuthenticationError
+from idpyoidc.server.exception import FailedAuthentication
 from idpyoidc.server.oidc.token import Token
 
 # logger = logging.getLogger(__name__)
@@ -29,8 +27,8 @@
 
 
 def _add_cookie(resp: Response, cookie_spec: Union[dict, list]):
-    kwargs = {k:v
-              for k,v in cookie_spec.items()
+    kwargs = {k: v
+              for k, v in cookie_spec.items()
               if k not in ('name',)}
     kwargs["path"] = "/"
     kwargs["samesite"] = "Lax"
@@ -44,15 +42,22 @@ def add_cookie(resp: Response, cookie_spec: Union[dict, list]):
     elif isinstance(cookie_spec, dict):
         _add_cookie(resp, cookie_spec)
 
-@oidc_op_views.route('/static/<path:path>')
-def send_js(path):
-    return send_from_directory('static', path)
 
+# @oidc_op_views.route('/static/<path:path>')
+# def send_js(path):
+#     return send_from_directory('static', path)
+#
+#
+# @oidc_op_views.route('/keys/<jwks>')
+# def keys(jwks):
+#     fname = os.path.join('static', jwks)
+#     return open(fname).read()
+#
 
-@oidc_op_views.route('/keys/<jwks>')
-def keys(jwks):
-    fname = os.path.join('static', jwks)
-    return open(fname).read()
+@oidc_op_views.route('/jwks')
+def jwks():
+    _context = current_app.server.get_context()
+    return _context.keyjar.export_jwks()
 
 
 @oidc_op_views.route('/')
@@ -188,11 +193,13 @@ def token():
     return service_endpoint(
         current_app.server.get_endpoint('token'))
 
+
 @oidc_op_views.route('/introspection', methods=['POST'])
 def introspection_endpoint():
     return service_endpoint(
         current_app.server.get_endpoint('introspection'))
 
+
 @oidc_op_views.route('/userinfo', methods=['GET', 'POST'])
 def userinfo():
     return service_endpoint(

pyproject.toml

@@ -24,7 +24,7 @@ classifiers =[
 [options]
 package_dir = "src"
 packages = "find:"
-python= "^3.6"
+python= "^3.8"
 
 [tool.black]
 line-length = 100

setup.py

@@ -63,14 +63,13 @@ def run_tests(self):
     classifiers=[
         "Development Status :: 4 - Beta",
         "License :: OSI Approved :: Apache Software License",
-        "Programming Language :: Python :: 3.7",
         "Programming Language :: Python :: 3.8",
         "Programming Language :: Python :: 3.9",
         "Programming Language :: Python :: 3.10",
         "Programming Language :: Python :: 3.11",
         "Topic :: Software Development :: Libraries :: Python Modules"],
     install_requires=[
-        "cryptojwt>=1.8.3",
+        "cryptojwt>=1.8.4",
         "pyOpenSSL",
         "filelock>=3.0.12",
         'pyyaml>=5.1.2',

src/idpyoidc/__init__.py

@@ -1,5 +1,5 @@
 __author__ = "Roland Hedberg"
-__version__ = "4.2.0"
+__version__ = "4.3.0"
 
 VERIFIED_CLAIM_PREFIX = "__verified"
 

src/idpyoidc/client/oauth2/add_on/dpop.py

@@ -99,6 +99,7 @@ def dpop_header(
         headers: Optional[dict] = None,
         token: Optional[str] = "",
         nonce: Optional[str] = "",
+        endpoint_url: Optional[str] = "",
         **kwargs
 ) -> dict:
     """
@@ -114,7 +115,11 @@ def dpop_header(
     :return:
     """
 
-    provider_info = service_context.provider_info
+    if not endpoint_url:
+        endpoint_url = kwargs.get("endpoint")
+        if not endpoint_url:
+            endpoint_url = service_context.provider_info[service_endpoint]
+
     _dpop_conf = service_context.add_on.get("dpop")
     if not _dpop_conf:
         logger.warning("Asked to do dpop when I do not support it")
@@ -139,7 +144,7 @@ def dpop_header(
         "jwk": dpop_key.serialize(),
         "jti": uuid.uuid4().hex,
         "htm": http_method,
-        "htu": provider_info[service_endpoint],
+        "htu": endpoint_url,
         "iat": utc_time_sans_frac(),
     }