Merge pull request #3 from openid/master

pkce support

Author: peppelinux

flask_rp/application.py

@@ -37,6 +37,7 @@ def init_oidc_rp_handler(app):
                     client_configs=app.config.get('CLIENTS'),
                     services=app.config.get('SERVICES'),
                     verify_ssl=verify_ssl)
+
     return rph
 
 

flask_rp/conf.yaml

@@ -31,15 +31,15 @@ RP_KEYS:
     # this will create the jwks files if they are absent
     'read_only': False
 
-client_preferences: &id001
+CLIENT_PREFERENCES: &id001
     application_name: rphandler
     application_type: web
     contacts: [[email protected]]
     response_types: [code]
     scope: [openid, profile, email, address, phone]
     token_endpoint_auth_method: [client_secret_basic, client_secret_post]
 
-services: &id002
+SERVICES: &id002
   discovery:
     class: oidcservice.oidc.provider_info_discovery.ProviderInfoDiscovery
     kwargs: {}
@@ -62,7 +62,6 @@ services: &id002
     class: oidcservice.oidc.end_session.EndSession
     kwargs: {}
 
-
 CLIENTS:
   flop:
     client_preferences: *id001
@@ -73,6 +72,12 @@ CLIENTS:
     jwks_uri: https://127.0.0.1:8090/static/jwks.json
     redirect_uris: ['https://127.0.0.1:8090/authz_cb/flop']
     services: *id002
+    add_ons:
+      pkce:
+        function: oidcservice.oidc.add_on.pkce.add_pkce_support
+        kwargs:
+          code_challenge_length: 64
+          code_challenge_method: S256
 
 # Whether an attempt to fetch the userinfo should be made
 USERINFO: true

src/oidcrp/__init__.py

@@ -647,6 +647,8 @@ def finalize_auth(self, client, issuer, response):
 
         _srv.update_service_context(authorization_response,
                                     state=authorization_response['state'])
+        self.session_interface.store_item(authorization_response, "auth_response",
+                                          authorization_response['state'])
         return authorization_response
 
     def get_access_and_id_token(self, authorization_response=None, state='',
@@ -805,7 +807,7 @@ def has_active_authentication(self, state):
 
     def get_valid_access_token(self, state):
         """
-        Find me a valid access token
+        Find a valid access token.
 
         :param state:
         :return: An access token if a valid one exists and when it
@@ -825,20 +827,16 @@ def get_valid_access_token(self, state):
             except KeyError:
                 pass
             else:
-                try:
-                    access_token = response['access_token']
-                except:
-                    continue
-                else:
+                if 'access_token' in response:
+                    access_token = response["access_token"]
                     try:
                         _exp = response['__expires_at']
                     except KeyError:  # No expiry date, lives for ever
                         indefinite.append((access_token, 0))
                     else:
-                        if _exp > now:  # expires sometime in the future
-                            if _exp > exp:
-                                exp = _exp
-                                token = (access_token, _exp)
+                        if _exp > now and _exp > exp:  # expires sometime in the future
+                            exp = _exp
+                            token = (access_token, _exp)
 
         if indefinite:
             return indefinite[0]

src/oidcrp/oauth2/__init__.py

@@ -13,6 +13,7 @@
 from oidcservice.state_interface import StateInterface
 
 from oidcrp.http import HTTPLib
+from oidcrp.util import do_add_ons
 from oidcrp.util import get_deserialization_method
 
 __author__ = 'Roland Hedberg'
@@ -41,7 +42,7 @@ def __init__(self, state_db, ca_certs=None, client_authn_factory=None,
         :param keyjar: A py:class:`oidcmsg.key_jar.KeyJar` instance
         :param verify_ssl: Whether the SSL certificate should be verified.
         :param config: Configuration information passed on to the
-            :py:class:`oidcservice.service_context.ServiceContext` 
+            :py:class:`oidcservice.service_context.ServiceContext`
             initialization
         :param client_cert: Certificate used by the HTTP client
         :param httplib: A HTTP client to use
@@ -72,6 +73,9 @@ def __init__(self, state_db, ca_certs=None, client_authn_factory=None,
         self.service = init_services(_srvs, self.service_context, state_db,
                                      _cam)
 
+        if 'add_ons' in config:
+            do_add_ons(config['add_ons'], self.service)
+
         self.service_context.service = self.service
 
         self.verify_ssl = verify_ssl
@@ -142,6 +146,11 @@ def service_request(self, service, url, method="GET", body=None,
         if 'error' in response:
             pass
         else:
+            try:
+                kwargs['key'] = kwargs['state']
+            except KeyError:
+                pass
+
             service.update_service_context(response, **kwargs)
         return response
 

src/oidcrp/util.py

@@ -10,6 +10,7 @@
 from oidcservice import sanitize
 from oidcservice.exception import TimeFormatError
 from oidcservice.exception import WrongContentType
+from oidcservice.util import importer
 
 logger = logging.getLogger(__name__)
 
@@ -128,10 +129,10 @@ def set_cookie(cookiejar, kaka):
 
 def verify_header(reqresp, body_type):
     """
-    
-    :param reqresp: Class instance with attributes: ['status', 'text', 
-        'headers', 'url'] 
-    :param body_type: If information returned in the body part 
+
+    :param reqresp: Class instance with attributes: ['status', 'text',
+        'headers', 'url']
+    :param body_type: If information returned in the body part
     :return: Verified body content type
     """
     logger.debug("resp.headers: %s" % (sanitize(reqresp.headers),))
@@ -237,11 +238,17 @@ def get_value_type(http_response, body_type):
 def load_configuration(filename):
     if filename.endswith('.yaml'):
         with open(filename) as fp:
-            conf = yaml.load(fp)
+            conf = yaml.safe_load(fp)
     elif filename.endswith('.py'):
         sys.path.insert(0, ".")
         conf = importlib.import_module(filename[:-3])
     else:
         raise ValueError('Wrong file type')
 
-    return conf
+    return conf
+
+
+def do_add_ons(add_ons, services):
+        for key, spec in add_ons.items():
+            _func = importer(spec['function'])
+            _func(services, **spec['kwargs'])