Merge pull request #109 from IdentityPython/develop

Version 2.1.0

Author: rohe

docs/source/contents/conf.rst

@@ -156,9 +156,35 @@ An example::
       backchannel_logout_session_supported: True
       check_session_iframe: https://127.0.0.1:5000/check_session_iframe
 
--------------
+---------
+client_db
+---------
+
+If you're running an OP with static client registration you want to keep the
+registered clients in a database separate from the session database since
+it will change independent of the OP process. In this case you need this.
+If you are on the other hand only allowing dynamic client registration then
+keeping registered clients in the session database makes total sense.
+
+The class you reference in the specification MUST be a subclass of
+oidcmsg.storage.DictType and have some of the methods a dictionary has.
+
+Note also that this class MUST support the dump and load methods as defined
+in :py:class:`oidcmsg.impexp.ImpExp`.
+
+An example::
+
+    client_db: {
+        "class": 'oidcmsg.abfile.AbstractFileSystem',
+        "kwargs": {
+            'fdir': full_path("afs"),
+            'value_conv': 'oidcmsg.util.JSON'
+        }
+    }
+
+--------------
 cookie_handler
--------------
+--------------
 
 An example::
 

pyproject.toml

@@ -7,7 +7,7 @@ build-backend = "setuptools.build_meta"
 
 [metadata]
 name = "oidcop"
-version = "2.0.0"
+version = "2.1.0"
 author = "Roland Hedberg"
 author_email = "[email protected]"
 description = "Python implementation of an OAuth2 AS and an OIDC Provider"

setup.py

@@ -72,7 +72,7 @@ def run_tests(self):
         "Programming Language :: Python :: 3.9",
         "Topic :: Software Development :: Libraries :: Python Modules"],
     install_requires=[
-        "oidcmsg==1.3.3-1",
+        "oidcmsg==1.4.0",
         "cryptojwt==1.5.2",
         "pyyaml",
         "jinja2>=2.11.3",

src/oidcop/__init__.py

@@ -1,6 +1,6 @@
 import secrets
 
-__version__ = "2.0.1"
+__version__ = "2.1.0"
 
 DEF_SIGN_ALG = {
     "id_token": "RS256",

src/oidcop/configure.py

@@ -192,6 +192,7 @@ class EntityConfiguration(Base):
         "base_url": "",
         "capabilities": None,
         "claims_interface": None,
+        "client_db": None,
         "cookie_handler": None,
         "endpoint": {},
         "httpc_params": {},

src/oidcop/endpoint_context.py

@@ -93,7 +93,7 @@ class EndpointContext(OidcContext):
         "args": {},
         # "authn_broker": AuthnBroker,
         # "authz": AuthzHandling,
-        "cdb": {},
+        "cdb": "DICT_TYPE",
         "conf": {},
         # "cookie_handler": None,
         "cwd": "",
@@ -129,8 +129,15 @@ def __init__(
         OidcContext.__init__(self, conf, keyjar, entity_id=conf.get("issuer", ""))
         self.conf = conf
 
+        _client_db = conf.get("client_db")
+        if _client_db:
+            logger.debug(f"Loading client db using: {_client_db}")
+            self.cdb = importer(_client_db["class"])(**_client_db["kwargs"])
+        else:
+            logger.debug("No special client db, will use memory based dictionary")
+            self.cdb = {}
+
         # For my Dev environment
-        self.cdb = {}
         self.jti_db = {}
         self.registration_access_token = {}
         # self.session_db = {}

src/oidcop/oidc/userinfo.py

@@ -10,6 +10,7 @@
 from oidcmsg import oidc
 from oidcmsg.message import Message
 from oidcmsg.oauth2 import ResponseMessage
+from oidcop.session.claims import claims_match
 
 from oidcop.endpoint import Endpoint
 from oidcop.token.exception import UnknownToken
@@ -140,6 +141,8 @@ def process_request(self, request=None, **kwargs):
                 user_id=_session_info["user_id"], claims_restriction=_claims
             )
             info["sub"] = _grant.sub
+            if _grant.add_acr_value("userinfo"):
+                info["acr"] = _grant.authentication_event["authn_info"]
         else:
             info = {
                 "error": "invalid_request",

src/oidcop/session/grant.py

@@ -9,6 +9,7 @@
 
 from oidcop.authn_event import AuthnEvent
 from oidcop.session import MintingNotAllowed
+from oidcop.session.claims import claims_match
 from oidcop.session.token import AccessToken
 from oidcop.session.token import AuthorizationCode
 from oidcop.session.token import IDToken
@@ -180,6 +181,14 @@ def find_scope(self, based_on):
 
         return self.scope
 
+    def add_acr_value(self, claims_release_point):
+        _release = self.claims.get(claims_release_point)
+        if _release:
+            _acr_request = _release.get("acr")
+            _used_acr = self.authentication_event.get("authn_info")
+            return claims_match(_used_acr, _acr_request)
+        return False
+
     def payload_arguments(
             self,
             session_id: str,
@@ -221,6 +230,10 @@ def payload_arguments(
         user_info = endpoint_context.claims_interface.get_user_claims(user_id, _claims_restriction)
         payload.update(user_info)
 
+        # Should I add the acr value
+        if self.add_acr_value(claims_release_point):
+            payload["acr"] = self.authentication_event["authn_info"]
+
         return payload
 
     def mint_token(

src/oidcop/session/manager.py

@@ -38,7 +38,7 @@ def __init__(self, salt: Optional[str] = "", filename: Optional[str] = ""):
             if os.path.isfile(filename):
                 self.salt = open(filename).read()
             elif not os.path.isfile(filename) and os.path.exists(
-                filename
+                    filename
             ):  # Not a file, Something else
                 raise ConfigurationError("Salt filename points to something that is not a file")
             else:
@@ -73,8 +73,10 @@ class SessionManager(Database):
     init_args = ["handler"]
 
     def __init__(
-        self, handler: TokenHandler, conf: Optional[dict] = None, sub_func: Optional[dict] = None,
+            self, handler: TokenHandler, conf: Optional[dict] = None,
+            sub_func: Optional[dict] = None,
     ):
+        super(SessionManager, self).__init__()
         self.conf = conf or {}
 
         # these won't change runtime
@@ -125,9 +127,9 @@ def __setattr__(self, key, value):
 
     def _init_db(self):
         Database.__init__(
-                    self,
-                    key=self.load_key(),
-                    salt=self.load_salt()
+            self,
+            key=self.load_key(),
+            salt=self.load_salt()
         )
 
     def get_user_info(self, uid: str) -> UserSessionInfo:
@@ -153,14 +155,14 @@ def find_token(self, session_id: str, token_value: str) -> Optional[SessionToken
         return None  # pragma: no cover
 
     def create_grant(
-        self,
-        authn_event: AuthnEvent,
-        auth_req: AuthorizationRequest,
-        user_id: str,
-        client_id: Optional[str] = "",
-        sub_type: Optional[str] = "public",
-        token_usage_rules: Optional[dict] = None,
-        scopes: Optional[list] = None,
+            self,
+            authn_event: AuthnEvent,
+            auth_req: AuthorizationRequest,
+            user_id: str,
+            client_id: Optional[str] = "",
+            sub_type: Optional[str] = "public",
+            token_usage_rules: Optional[dict] = None,
+            scopes: Optional[list] = None,
     ) -> str:
         """
 
@@ -175,29 +177,31 @@ def create_grant(
         """
         sector_identifier = auth_req.get("sector_identifier_uri", "")
 
+        _claims = auth_req.get("claims", {})
+
         grant = Grant(
             authorization_request=auth_req,
             authentication_event=authn_event,
-            sub=self.sub_func[sub_type](
-                user_id, salt=self.salt, sector_identifier=sector_identifier
-            ),
+            sub=self.sub_func[sub_type](user_id, salt=self.salt,
+                                        sector_identifier=sector_identifier),
             usage_rules=token_usage_rules,
             scope=scopes,
+            claims=_claims
         )
 
         self.set([user_id, client_id, grant.id], grant)
 
         return self.encrypted_session_id(user_id, client_id, grant.id)
 
     def create_session(
-        self,
-        authn_event: AuthnEvent,
-        auth_req: AuthorizationRequest,
-        user_id: str,
-        client_id: Optional[str] = "",
-        sub_type: Optional[str] = "public",
-        token_usage_rules: Optional[dict] = None,
-        scopes: Optional[list] = None,
+            self,
+            authn_event: AuthnEvent,
+            auth_req: AuthorizationRequest,
+            user_id: str,
+            client_id: Optional[str] = "",
+            sub_type: Optional[str] = "public",
+            token_usage_rules: Optional[dict] = None,
+            scopes: Optional[list] = None,
     ) -> str:
         """
         Create part of a user session. The parts added are user- and client
@@ -309,10 +313,10 @@ def revoke_token(self, session_id: str, token_value: str, recursive: bool = Fals
             self._revoke_dependent(grant, token)
 
     def get_authentication_events(
-        self,
-        session_id: Optional[str] = "",
-        user_id: Optional[str] = "",
-        client_id: Optional[str] = "",
+            self,
+            session_id: Optional[str] = "",
+            user_id: Optional[str] = "",
+            client_id: Optional[str] = "",
     ) -> List[AuthnEvent]:
         """
         Return the authentication events that exists for a user/client combination.
@@ -371,10 +375,10 @@ def revoke_grant(self, session_id: str):
         self.set(_path, _info)
 
     def grants(
-        self,
-        session_id: Optional[str] = "",
-        user_id: Optional[str] = "",
-        client_id: Optional[str] = "",
+            self,
+            session_id: Optional[str] = "",
+            user_id: Optional[str] = "",
+            client_id: Optional[str] = "",
     ) -> List[Grant]:
         """
         Find all grant connected to a user session
@@ -395,13 +399,13 @@ def grants(
         return [self.get([user_id, client_id, gid]) for gid in _csi.subordinate]
 
     def get_session_info(
-        self,
-        session_id: str,
-        user_session_info: bool = False,
-        client_session_info: bool = False,
-        grant: bool = False,
-        authentication_event: bool = False,
-        authorization_request: bool = False,
+            self,
+            session_id: str,
+            user_session_info: bool = False,
+            client_session_info: bool = False,
+            grant: bool = False,
+            authentication_event: bool = False,
+            authorization_request: bool = False,
     ) -> dict:
         """
         Returns information connected to a session.
@@ -448,14 +452,21 @@ def get_session_info(
 
         return res
 
+    def _compatible_sid(self, sid):
+        # To be backward compatible is this an old time sid
+        p = self.unpack_session_key(sid)
+        if len(p) == 3:
+            sid = self.encrypted_session_id(*p)
+        return sid
+
     def get_session_info_by_token(
-        self,
-        token_value: str,
-        user_session_info: bool = False,
-        client_session_info: bool = False,
-        grant: bool = False,
-        authentication_event: bool = False,
-        authorization_request: bool = False,
+            self,
+            token_value: str,
+            user_session_info: bool = False,
+            client_session_info: bool = False,
+            grant: bool = False,
+            authentication_event: bool = False,
+            authorization_request: bool = False,
     ) -> dict:
         _token_info = self.token_handler.info(token_value)
         sid = _token_info.get("sid")
@@ -464,6 +475,9 @@ def get_session_info_by_token(
         if not sid:
             raise WrongTokenClass
 
+        # To be backward compatible is this an old time sid
+        sid = self._compatible_sid(sid)
+
         return self.get_session_info(
             sid,
             user_session_info=user_session_info,
@@ -475,7 +489,8 @@ def get_session_info_by_token(
 
     def get_session_id_by_token(self, token_value: str) -> str:
         _token_info = self.token_handler.info(token_value)
-        return _token_info["sid"]
+        sid = _token_info.get("sid")
+        return self._compatible_sid(sid)
 
     def add_grant(self, user_id: str, client_id: str, **kwargs) -> Grant:
         """

src/oidcop/token/__init__.py

@@ -15,6 +15,13 @@
 
 logger = logging.getLogger(__name__)
 
+ALT_TOKEN_NAME = {
+    "authorization_code": "A",
+    "access_token": "T",
+    "refresh_token": "R",
+    "id_token": "I"
+}
+
 
 def is_expired(exp, when=0):
     if exp < 0:
@@ -28,6 +35,11 @@ def is_expired(exp, when=0):
 class Token(object):
     def __init__(self, token_class, lifetime=300, **kwargs):
         self.token_class = token_class
+        try:
+            self.alt_token_name = ALT_TOKEN_NAME[token_class]
+        except KeyError:
+            self.alt_token_name = ""
+
         self.lifetime = lifetime
         self.kwargs = kwargs
 
@@ -70,7 +82,8 @@ def __init__(self, password, token_class="", token_type="Bearer", **kwargs):
         self.crypt = Crypt(password)
         self.token_type = token_type
 
-    def __call__(self, session_id: Optional[str] = "", token_class: Optional[str] = "", **payload) -> str:
+    def __call__(self, session_id: Optional[str] = "", token_class: Optional[str] = "",
+                 **payload) -> str:
         """
         Return a token.
 
@@ -112,9 +125,10 @@ def info(self, token: str) -> dict:
         :return: dictionary with info about the token
         """
         _res = dict(zip(["_id", "token_class", "sid", "exp"], self.split_token(token)))
-        if _res["token_class"] != self.token_class:
+        if _res["token_class"] not in [self.token_class, self.alt_token_name]:
             raise WrongTokenClass(_res["token_class"])
         else:
+            _res["token_class"] = self.token_class
             _res["handler"] = self
             return _res