Merge branch 'refactor-confidential-client' into dev

Author: rayluo

msal/application.py

@@ -9,7 +9,7 @@
 
 import requests
 
-from .oauth2cli import Client, JwtSigner
+from .oauth2cli import Client, JwtAssertionCreator
 from .authority import Authority
 from .mex import send_request as mex_send_request
 from .wstrust_request import send_request as wst_send_request
@@ -154,10 +154,10 @@ def _build_client(self, client_credential, authority):
             headers = {}
             if 'public_certificate' in client_credential:
                 headers["x5c"] = extract_certs(client_credential['public_certificate'])
-            signer = JwtSigner(
+            assertion = JwtAssertionCreator(
                 client_credential["private_key"], algorithm="RS256",
                 sha1_thumbprint=client_credential.get("thumbprint"), headers=headers)
-            client_assertion = signer.sign_assertion(
+            client_assertion = assertion.create_regenerative_assertion(
                 audience=authority.token_endpoint, issuer=self.client_id,
                 additional_claims=self.client_claims or {})
             client_assertion_type = Client.CLIENT_ASSERTION_TYPE_JWT

msal/oauth2cli/__init__.py

@@ -1,5 +1,6 @@
-__version__ = "0.2.0"
+__version__ = "0.3.0"
 
 from .oidc import Client
-from .assertion import JwtSigner
+from .assertion import JwtAssertionCreator
+from .assertion import JwtSigner  # Obsolete. For backward compatibility.
 

msal/oauth2cli/assertion.py

@@ -9,17 +9,57 @@
 
 logger = logging.getLogger(__name__)
 
-class Signer(object):
-    def sign_assertion(
-            self, audience, issuer, subject, expires_at,
+class AssertionCreator(object):
+    def create_normal_assertion(
+            self, audience, issuer, subject, expires_at=None, expires_in=600,
             issued_at=None, assertion_id=None, **kwargs):
-        # Names are defined in https://tools.ietf.org/html/rfc7521#section-5
+        """Create an assertion in bytes, based on the provided claims.
+
+        All parameter names are defined in https://tools.ietf.org/html/rfc7521#section-5
+        except the expires_in is defined here as lifetime-in-seconds,
+        which will be automatically translated into expires_at in UTC.
+        """
         raise NotImplementedError("Will be implemented by sub-class")
 
+    def create_regenerative_assertion(
+            self, audience, issuer, subject=None, expires_in=600, **kwargs):
+        """Create an assertion as a callable,
+        which will then compute the assertion later when necessary.
+
+        This is a useful optimization to reuse the client assertion.
+        """
+        return AutoRefresher(  # Returns a callable
+            lambda a=audience, i=issuer, s=subject, e=expires_in, kwargs=kwargs:
+                self.create_normal_assertion(a, i, s, expires_in=e, **kwargs),
+            expires_in=max(expires_in-60, 0))
+
+
+class AutoRefresher(object):
+    """Cache the output of a factory, and auto-refresh it when necessary. Usage::
 
-class JwtSigner(Signer):
+        r = AutoRefresher(time.time, expires_in=5)
+        for i in range(15):
+            print(r())  # the timestamp change only after every 5 seconds
+            time.sleep(1)
+    """
+    def __init__(self, factory, expires_in=540):
+        self._factory = factory
+        self._expires_in = expires_in
+        self._buf = {}
+    def __call__(self):
+        EXPIRES_AT, VALUE = "expires_at", "value"
+        now = time.time()
+        if self._buf.get(EXPIRES_AT, 0) <= now:
+            logger.debug("Regenerating new assertion")
+            self._buf = {VALUE: self._factory(), EXPIRES_AT: now + self._expires_in}
+        else:
+            logger.debug("Reusing still valid assertion")
+        return self._buf.get(VALUE)
+
+
+class JwtAssertionCreator(AssertionCreator):
     def __init__(self, key, algorithm, sha1_thumbprint=None, headers=None):
-        """Create a signer.
+        """Construct a Jwt assertion creator.
 
         Args:
 
@@ -37,11 +77,11 @@ def __init__(self, key, algorithm, sha1_thumbprint=None, headers=None):
             self.headers["x5t"] = base64.urlsafe_b64encode(
                 binascii.a2b_hex(sha1_thumbprint)).decode()
 
-    def sign_assertion(
-            self, audience, issuer, subject=None, expires_at=None,
+    def create_normal_assertion(
+            self, audience, issuer, subject=None, expires_at=None, expires_in=600,
             issued_at=None, assertion_id=None, not_before=None,
             additional_claims=None, **kwargs):
-        """Sign a JWT Assertion.
+        """Create a JWT Assertion.
 
         Parameters are defined in https://tools.ietf.org/html/rfc7523#section-3
         Key-value pairs in additional_claims will be added into payload as-is.
@@ -51,7 +91,7 @@ def sign_assertion(
             'aud': audience,
             'iss': issuer,
             'sub': subject or issuer,
-            'exp': expires_at or (now + 10*60),  # 10 minutes
+            'exp': expires_at or (now + expires_in),
             'iat': issued_at or now,
             'jti': assertion_id or str(uuid.uuid4()),
             }
@@ -68,3 +108,9 @@ def sign_assertion(
                     'See https://pyjwt.readthedocs.io/en/latest/installation.html#cryptographic-dependencies-optional')
             raise
 
+
+# Obsolete. For backward compatibility. They will be removed in future versions.
+Signer = AssertionCreator  # For backward compatibility
+JwtSigner = JwtAssertionCreator  # For backward compatibility
+JwtSigner.sign_assertion = JwtAssertionCreator.create_normal_assertion  # For backward compatibility
+

msal/oauth2cli/oauth2.py

@@ -33,7 +33,7 @@ def __init__(
             server_configuration,  # type: dict
             client_id,  # type: str
             client_secret=None,  # type: Optional[str]
-            client_assertion=None,  # type: Optional[bytes]
+            client_assertion=None,  # type: Union[bytes, callable, None]
             client_assertion_type=None,  # type: Optional[str]
             default_headers=None,  # type: Optional[dict]
             default_body=None,  # type: Optional[dict]
@@ -55,10 +55,12 @@ def __init__(
                 https://example.com/.../.well-known/openid-configuration
             client_id (str): The client's id, issued by the authorization server
             client_secret (str):  Triggers HTTP AUTH for Confidential Client
-            client_assertion (bytes):
+            client_assertion (bytes, callable):
                 The client assertion to authenticate this client, per RFC 7521.
                 It can be a raw SAML2 assertion (this method will encode it for you),
                 or a raw JWT assertion.
+                It can also be a callable (recommended),
+                so that we will do lazy creation of an assertion.
             client_assertion_type (str):
                 The type of your :attr:`client_assertion` parameter.
                 It is typically the value of :attr:`CLIENT_ASSERTION_TYPE_SAML2` or
@@ -75,11 +77,9 @@ def __init__(
         self.configuration = server_configuration
         self.client_id = client_id
         self.client_secret = client_secret
+        self.client_assertion = client_assertion
         self.default_body = default_body or {}
-        if client_assertion is not None and client_assertion_type is not None:
-            # See https://tools.ietf.org/html/rfc7521#section-4.2
-            encoder = self.client_assertion_encoders.get(client_assertion_type, lambda a: a)
-            self.default_body["client_assertion"] = encoder(client_assertion)
+        if client_assertion_type is not None:
             self.default_body["client_assertion_type"] = client_assertion_type
         self.logger = logging.getLogger(__name__)
         self.session = s = requests.Session()
@@ -114,6 +114,15 @@ def _obtain_token(  # The verb "obtain" is influenced by OAUTH2 RFC 6749
             **kwargs  # Relay all extra parameters to underlying requests
             ):  # Returns the json object came from the OAUTH2 response
         _data = {'client_id': self.client_id, 'grant_type': grant_type}
+
+        if self.default_body.get("client_assertion_type") and self.client_assertion:
+            # See https://tools.ietf.org/html/rfc7521#section-4.2
+            encoder = self.client_assertion_encoders.get(
+                    self.default_body["client_assertion_type"], lambda a: a)
+            _data["client_assertion"] = encoder(
+                self.client_assertion()  # Do lazy on-the-fly computation
+                if callable(self.client_assertion) else self.client_assertion)
+
         _data.update(self.default_body)  # It may contain authen parameters
         _data.update(data or {})  # So the content in data param prevails
         # We don't have to clean up None values here, because requests lib will.