Merge pull request #103 from IdentityPython/develop

v2.0.1

Author: peppelinux

docs/source/contents/conf.rst

@@ -156,28 +156,33 @@ An example::
       backchannel_logout_session_supported: True
       check_session_iframe: https://127.0.0.1:5000/check_session_iframe
 
---------------
+-------------
 cookie_handler
---------------
+-------------
 
 An example::
 
-    "cookie_handler": {
+      "cookie_handler": {
         "class": "oidcop.cookie_handler.CookieHandler",
-            "kwargs": {
-              "keys": {
-                "private_path": f"{OIDC_JWKS_PRIVATE_PATH}/cookie_jwks.json",
-                "key_defs": [
-                  {"type": "OCT", "use": ["enc"], "kid": "enc"},
-                  {"type": "OCT", "use": ["sig"], "kid": "sig"}
-                ],
-                "read_only": False
-              },
-              "name": {
-                "session": "oidc_op",
-                "register": "oidc_op_rp",
-                "session_management": "sman"
-              }
+        "kwargs": {
+          "keys": {
+            "private_path": f"{OIDC_JWKS_PRIVATE_PATH}/cookie_jwks.json",
+            "key_defs": [
+              {"type": "OCT", "use": ["enc"], "kid": "enc"},
+              {"type": "OCT", "use": ["sig"], "kid": "sig"}
+            ],
+            "read_only": False
+          },
+          "flags": {
+              "samesite": "None",
+              "httponly": True,
+              "secure": True,
+          },
+          "name": {
+            "session": "oidc_op",
+            "register": "oidc_op_rp",
+            "session_management": "sman"
+          }
         }
     },
 

docs/source/contents/usage.md

@@ -49,6 +49,41 @@ The identity representation with the information fetched from the user info endp
 We can even test the single logout
 
 
+Refresh token
+-------------
+
+Here an example about how to refresh a token.
+It is important to consider that only scope=offline_access will get a usable refresh token.
+
+
+    import requests
+
+    CLIENT_ID = "DBP60x3KUQfCYWZlqFaS_Q"
+    CLIENT_SECRET="8526270403788522b2444e87ea90c53bcafb984119cec92eeccc12f1"
+    REFRESH_TOKEN = "Z0FBQUFBQ ... lN2JNODYtZThjMnFsZUNDcg=="
+
+    data = {
+        "grant_type" : "refresh_token",
+        "client_id" : f"{CLIENT_ID}",
+        "client_secret" : f"{CLIENT_SECRET}",
+        "refresh_token" : f"{REFRESH_TOKEN}"
+    }
+    headers = {'Content-Type': "application/x-www-form-urlencoded" }
+    response = requests.post(
+        'https://127.0.0.1:8000/oidcop/token', verify=False, data=data, headers=headers
+    )
+
+oidc-op will return a json response like this::
+
+{
+ 'access_token': 'eyJhbGc ... CIOH_09tT_YVa_gyTqg',
+ 'token_type': 'Bearer',
+ 'scope': 'openid profile email address phone offline_access',
+ 'refresh_token': 'Z0FBQ ... 1TE16cm1Tdg=='
+}
+
+
+
 Introspection endpoint
 ----------------------
 

example/flask_op/config.json

@@ -91,7 +91,7 @@
           "acr": "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword",
           "class": "oidcop.user_authn.user.UserPassJinja2",
           "kwargs": {
-            "verify_endpoint": "verify/user",
+            "verify_endpoint": "/verify/user",
             "template": "user_pass.jinja2",
             "db": {
               "class": "oidcop.util.JSONDictDB",

example/flask_op/views.py

@@ -28,10 +28,9 @@
 
 
 def _add_cookie(resp, cookie_spec):
-    kwargs = {'value': cookie_spec["value"]}
-    for param in ['expires', 'max-age']:
-        if param in cookie_spec:
-            kwargs[param] = cookie_spec[param]
+    kwargs = {k:v
+              for k,v in cookie_spec.items()
+              if k not in ('name',)}
     kwargs["path"] = "/"
     resp.set_cookie(cookie_spec["name"], **kwargs)
 

setup.py

@@ -47,6 +47,7 @@ def run_tests(self):
 with open(os.path.join(os.path.dirname(__file__), 'README.md')) as readme:
     README = readme.read()
 
+
 setup(
     name="oidcop",
     version=version,
@@ -71,7 +72,7 @@ def run_tests(self):
         "Programming Language :: Python :: 3.9",
         "Topic :: Software Development :: Libraries :: Python Modules"],
     install_requires=[
-        "oidcmsg==1.3.2-1",
+        "oidcmsg==1.3.3-1",
         "cryptojwt==1.5.2",
         "pyyaml",
         "jinja2>=2.11.3",

src/oidcop/__init__.py

@@ -1,6 +1,6 @@
 import secrets
 
-__version__ = "2.0.0-2"
+__version__ = "2.0.1"
 
 DEF_SIGN_ALG = {
     "id_token": "RS256",

src/oidcop/configure.py

@@ -65,7 +65,7 @@
             }
         },
     },
-    "httpc_params": {"verify": False},
+    "httpc_params": {"verify": False, "timeout": 4},
     "issuer": "https://{domain}:{port}",
     "template_dir": "templates",
     "token_handler_args": {
@@ -105,9 +105,6 @@ def add_base_path(conf: Union[dict, str], base_path: str, file_attributes: List[
     return conf
 
 
-URIS = ["issuer", "base_url"]
-
-
 def set_domain_and_port(conf: dict, uris: List[str], domain: str, port: int):
     for key, val in conf.items():
         if key in uris:
@@ -154,42 +151,59 @@ def create_from_config_file(
     )
 
 
-class Base:
+class Base(dict):
     """ Configuration base class """
 
     parameter = {}
 
     def __init__(
             self, conf: Dict, base_path: str = "", file_attributes: Optional[List[str]] = None,
     ):
+        dict.__init__(self)
+
         if file_attributes is None:
             file_attributes = DEFAULT_FILE_ATTRIBUTE_NAMES
 
         if base_path and file_attributes:
             # this adds a base path to all paths in the configuration
             add_base_path(conf, base_path, file_attributes)
 
-    def __getitem__(self, item):
-        if item in self.__dict__:
-            return self.__dict__[item]
-        else:
-            raise KeyError
-
-    def get(self, item, default=None):
-        return getattr(self, item, default)
+    def __getattr__(self, item):
+        return self[item]
 
-    def __contains__(self, item):
-        return item in self.__dict__
+    def __setattr__(self, key, value):
+        if key in self:
+            raise KeyError('{} has already been set'.format(key))
+        super(Base, self).__setitem__(key, value)
 
-    def items(self):
-        for key in self.__dict__:
-            if key.startswith("__") and key.endswith("__"):
-                continue
-            yield key, getattr(self, key)
+    def __setitem__(self, key, value):
+        if key in self:
+            raise KeyError('{} has already been set'.format(key))
+        super(Base, self).__setitem__(key, value)
 
 
 class EntityConfiguration(Base):
     default_config = AS_DEFAULT_CONFIG
+    uris = ["issuer", "base_url"]
+    parameter = {
+        "add_on": None,
+        "authz": None,
+        "authentication": None,
+        "base_url": "",
+        "capabilities": None,
+        "claims_interface": None,
+        "cookie_handler": None,
+        "endpoint": {},
+        "httpc_params": {},
+        "issuer": "",
+        "keys": None,
+        "session_key": None,
+        "template_dir": None,
+        "token_handler_args": {},
+        "userinfo": None,
+        "password": None,
+        "salt": None,
+    }
 
     def __init__(
             self,
@@ -204,72 +218,64 @@ def __init__(
         conf = copy.deepcopy(conf)
         Base.__init__(self, conf, base_path, file_attributes)
 
-        self.add_on = None
-        self.authz = None
-        self.authentication = None
-        self.base_url = ""
-        self.capabilities = None
-        self.claims_interface = None
-        self.cookie_handler = None
-        self.endpoint = {}
-        self.httpc_params = {}
-        self.issuer = ""
-        self.keys = None
-        self.template_dir = None
-        self.token_handler_args = {}
-        self.userinfo = None
-        self.session_params = None
-
         if file_attributes is None:
             file_attributes = DEFAULT_FILE_ATTRIBUTE_NAMES
 
-        for key in self.__dict__.keys():
+        if not domain:
+            domain = conf.get("domain", "127.0.0.1")
+
+        if not port:
+            port = conf.get("port", 80)
+
+        for key in self.parameter.keys():
             _val = conf.get(key)
             if not _val:
                 if key in self.default_config:
-                    _dc = copy.deepcopy(self.default_config[key])
-                    add_base_path(_dc, base_path, file_attributes)
-                    _val = _dc
+                    _val = copy.deepcopy(self.default_config[key])
+                    self.format(_val, base_path=base_path, file_attributes=file_attributes,
+                                domain=domain, port=port)
                 else:
                     continue
-            setattr(self, key, _val)
 
-        if self.template_dir is None:
-            self.template_dir = os.path.abspath("templates")
-        else:
-            self.template_dir = os.path.abspath(self.template_dir)
+            if key == "template_dir":
+                _val = os.path.abspath(_val)
 
-        if not domain:
-            domain = conf.get("domain", "127.0.0.1")
-
-        if not port:
-            port = conf.get("port", 80)
+            setattr(self, key, _val)
 
-        set_domain_and_port(conf, URIS, domain=domain, port=port)
+        # try:
+        #     _dir = self.template_dir
+        # except AttributeError:
+        #     self.template_dir = os.path.abspath("templates")
+        # else:
+        #     self.template_dir =
+
+    def format(self, conf, base_path, file_attributes, domain, port):
+        """
+        Formats parts of the configuration. That includes replacing the strings {domain} and {port}
+        with the used domain and port and making references to files and directories absolute
+        rather then relative. The formatting is done in place.
+
+        :param conf: The configuration part
+        :param base_path: The base path used to make file/directory refrences absolute
+        :param file_attributes: Attribute names that refer to files or directories.
+        :param domain: The domain name
+        :param port: The port used
+        """
+        add_base_path(conf, base_path, file_attributes)
+        if isinstance(conf, dict):
+            set_domain_and_port(conf, self.uris, domain=domain, port=port)
 
 
 class OPConfiguration(EntityConfiguration):
     "Provider configuration"
     default_config = OP_DEFAULT_CONFIG
-
-    def __init__(
-            self,
-            conf: Dict,
-            base_path: Optional[str] = "",
-            entity_conf: Optional[List[dict]] = None,
-            domain: Optional[str] = "",
-            port: Optional[int] = 0,
-            file_attributes: Optional[List[str]] = None,
-    ):
-        # OP special
-        self.id_token = None
-        self.login_hint2acrs = {}
-        self.login_hint_lookup = None
-
-        EntityConfiguration.__init__(self, conf=conf, base_path=base_path,
-                                     entity_conf=entity_conf, domain=domain, port=port,
-                                     file_attributes=file_attributes)
-
+    parameter = EntityConfiguration.parameter.copy()
+    parameter.update({
+        "id_token": None,
+        "login_hint2acrs": {},
+        "login_hint_lookup": None,
+        "sub_func": {}
+    })
 
 class ASConfiguration(EntityConfiguration):
     "Authorization server configuration"
@@ -290,6 +296,7 @@ def __init__(
 
 class Configuration(Base):
     """Server Configuration"""
+    uris = ["issuer", "base_url"]
 
     def __init__(
             self,
@@ -316,7 +323,7 @@ def __init__(
         if not port:
             port = conf.get("port", 80)
 
-        set_domain_and_port(conf, URIS, domain=domain, port=port)
+        set_domain_and_port(conf, self.uris, domain=domain, port=port)
 
         if entity_conf:
             for econf in entity_conf:
@@ -496,7 +503,7 @@ def __init__(
             },
         },
     },
-    "httpc_params": {"verify": False},
+    "httpc_params": {"verify": False, "timeout": 4},
     "issuer": "https://{domain}:{port}",
     "keys": {
         "private_path": "private/jwks.json",
@@ -511,7 +518,8 @@ def __init__(
     "login_hint2acrs": {
         "class": "oidcop.login_hint.LoginHint2Acrs",
         "kwargs": {
-            "scheme_map": {"email": ["urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"]}
+            "scheme_map": {
+                "email": ["urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"]}
         },
     },
     "template_dir": "templates",