Dealing with static configuration and provider keys.

rohe · rohe · commit 6169babd9825 · 2019-10-15T15:05:13.000+02:00
diff --git a/src/oidcrp/__init__.py b/src/oidcrp/__init__.py
@@ -3,6 +3,7 @@
 import sys
 import traceback
 
+from cryptojwt.key_bundle import keybundle_from_local_file
 from cryptojwt.utils import as_bytes
 from cryptojwt.utils import as_unicode
 from oidcmsg.exception import MessageException
@@ -239,6 +240,21 @@ def do_provider_info(self, client=None, state=''):
                         if _srv.endpoint_name == key:
                             _srv.endpoint = val
 
+            if 'keys' in _pi:
+                for typ, _spec in _pi['keys'].items():
+                    if typ == 'url':
+                        for _iss, _url in _spec.items():
+                            self.keyjar.add_url(_iss, _url)
+                    elif typ == 'file':
+                        for kty, _name in _spec.items():
+                            if kty == 'jwks':
+                                self.keyjar.import_jwks_from_file(_name,
+                                                                  client.service_context.issuer)
+                            elif kty == 'rsa':  # PEM file
+                                _kb = keybundle_from_local_file(_name, "der", ["sig"])
+                                self.keyjar.add_kb(client.service_context.issuer, _kb)
+                    else:
+                        raise ValueError('Unknown provider JWKS type: {}'.format(typ))
             try:
                 return client.service_context.provider_info['issuer']
             except KeyError:
@@ -357,7 +373,7 @@ def create_callbacks(self, issuer):
             'implicit': "{}/authz_im_cb/{}".format(self.base_url, _hex),
             'form_post': "{}/authz_fp_cb/{}".format(self.base_url, _hex),
             '__hex': _hex
-        }
+            }
 
     def init_authorization(self, client=None, state='', req_args=None):
         """
@@ -384,7 +400,7 @@ def init_authorization(self, client=None, state='', req_args=None):
             'scope': service_context.behaviour['scope'],
             'response_type': service_context.behaviour['response_types'][0],
             'nonce': _nonce
-        }
+            }
 
         if req_args is not None:
             request_args.update(req_args)
@@ -493,15 +509,15 @@ def get_access_token(self, state, client=None):
             'grant_type': 'authorization_code',
             'client_id': client.service_context.client_id,
             'client_secret': client.service_context.client_secret
-        }
+            }
         logger.debug('request_args: {}'.format(req_args))
         try:
             tokenresp = client.do_request(
                 'accesstoken', request_args=req_args,
                 authn_method=self.get_client_authn_method(client,
                                                           "token_endpoint"),
                 state=state
-            )
+                )
         except Exception as err:
             message = traceback.format_exception(*sys.exc_info())
             logger.error(message)
@@ -537,7 +553,7 @@ def refresh_access_token(self, state, client=None, scope=''):
                 authn_method=self.get_client_authn_method(client,
                                                           "token_endpoint"),
                 state=state, request_args=req_args
-            )
+                )
         except Exception as err:
             message = traceback.format_exception(*sys.exc_info())
             logger.error(message)
@@ -714,7 +730,7 @@ def finalize(self, issuer, response):
             return {
                 'state': authorization_response['state'],
                 'error': authorization_response['error']
-            }
+                }
 
         _state = authorization_response['state']
         token = self.get_access_and_id_token(authorization_response,
@@ -729,7 +745,7 @@ def finalize(self, issuer, response):
                 return {
                     'error': "Invalid response %s." % inforesp["error"],
                     'state': _state
-                }
+                    }
 
         elif token['id_token']:  # look for it in the ID Token
             inforesp = self.userinfo_in_id_token(token['id_token'])
@@ -764,7 +780,7 @@ def finalize(self, issuer, response):
             'state': authorization_response['state'],
             'token': token['access_token'],
             'id_token': token['id_token']
-        }
+            }
 
     def has_active_authentication(self, state):
         """
@@ -853,7 +869,7 @@ def logout(self, state, client=None, post_logout_redirect_uri=''):
         if post_logout_redirect_uri:
             request_args = {
                 "post_logout_redirect_uri": post_logout_redirect_uri
-            }
+                }
         else:
             request_args = {}
 
@@ -883,7 +899,7 @@ def backchannel_logout(client, request='', request_args=None):
         'aud': client.service_context.client_id,
         'iss': client.service_context.issuer,
         'keyjar': client.service_context.keyjar
-    }
+        }
 
     try:
         req.verify(**kwargs)
@@ -905,4 +921,3 @@ def backchannel_logout(client, request='', request_args=None):
         _state = client.session_interface.get_state_by_sub(sub)
 
     return _state
-
