Separate services from add-ons to services.

Author: rohe

src/oidcservice/oidc/add_on/__init__.py

@@ -1,7 +1,8 @@
 from cryptojwt.utils import b64e
 from oidcmsg.message import Message
 
-from oidcservice import unreserved, CC_METHOD
+from oidcservice import CC_METHOD
+from oidcservice import unreserved
 from oidcservice.exception import Unsupported
 from oidcservice.oauth2.utils import get_state_parameter
 
@@ -42,12 +43,12 @@ def add_code_challenge(request_args, service, **kwargs):
         raise Unsupported(
             'PKCE Transformation method:{}'.format(_method))
 
-    _item = Message(code_verifier=code_verifier,code_challenge_method=_method)
+    _item = Message(code_verifier=code_verifier, code_challenge_method=_method)
     service.store_item(_item, 'pkce', request_args['state'])
 
     request_args.update({"code_challenge": code_challenge,
                          "code_challenge_method": _method})
-    return request_args
+    return request_args, {}
 
 
 def add_code_verifier(request_args, service, **kwargs):
@@ -68,3 +69,24 @@ def add_code_verifier(request_args, service, **kwargs):
 def put_state_in_post_args(request_args, **kwargs):
     state = get_state_parameter(request_args, kwargs)
     return request_args, {'state': state}
+
+
+def add_pkce_support(service, code_challenge_length, code_challenge_method):
+    """
+
+    :param service: Dictionary of services
+    :param code_challenge_length:
+    :param code_challenge_method:
+    :return:
+    """
+    authn_service = service["authorization"]
+    authn_service.service_context.args['pkce'] = {
+        "code_challenge_length": code_challenge_length,
+        "code_challenge_method": code_challenge_method
+    }
+
+    authn_service.pre_construct.append(add_code_challenge)
+
+    token_service = service['accesstoken']
+    token_service.pre_construct.append(put_state_in_post_args)
+    token_service.post_construct.append(add_code_verifier)

src/oidcservice/oidc/pkce.py src/oidcservice/oidc/add_on/pkce.pysrc/oidcservice/oidc/pkce.py renamed to src/oidcservice/oidc/add_on/pkce.py

@@ -310,7 +310,7 @@ def get_request_parameters(self, request_args=None, method="",
             request_body_type = self.request_body_type
 
         request = self.construct_request(request_args=request_args, **kwargs)
-        LOGGER.debug("Request: %s", request.to_dict())
+        LOGGER.debug("Request: ", request)
         _info = {'method': method}
 
         _args = kwargs.copy()

src/oidcservice/oidc/service.py.old

@@ -86,6 +86,7 @@ def __init__(self, keyjar=None, config=None, **kwargs):
         self.issuer = ''
         self.redirect_uris = []
         self.callback = None
+        self.args = {}
 
         try:
             self.clock_skew = config['clock_skew']

src/oidcservice/service.py

@@ -1 +1 @@
-eyJhbGciOiJSUzI1NiIsImtpZCI6ImFWODBkazlpZG1sbU1YVlBkMUJYV2xGcGIwZFdZVnBHYkRkVVYxSlFWWGRoV0cxVU9HeFNaRkZCYXcifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic3RhdGUiOiAic3RhdGUiLCAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vZXhhbXBsZS5jb20vY2xpL2F1dGh6X2NiIiwgInNjb3BlIjogIm9wZW5pZCIsICJub25jZSI6ICI1enczbFA2bmxicmp1MHdBamZEaE1adGE3V0FPTkJhNSIsICJjbGllbnRfaWQiOiAiY2xpZW50X2lkIiwgImlzcyI6ICJjbGllbnRfaWQiLCAiaWF0IjogMTU0NzY2NTY2OCwgImF1ZCI6IFsiaHR0cHM6Ly9leGFtcGxlLmNvbSJdLCAia2lkIjogImFWODBkazlpZG1sbU1YVlBkMUJYV2xGcGIwZFdZVnBHYkRkVVYxSlFWWGRoV0cxVU9HeFNaRkZCYXcifQ.UZ58mw35enn2cjSmEoe34EDs9mnrVqgK3T1mKp945frz6J3INFRwlu9h4PR45GEi4ebbeY6EZmb8zeCBS_EfoJI37k_JLma7sxOqsF8viVO_MGQGLo2ygrU-UyKnFpKldg5rPI5SAcYQElufT3jv0vqx-o3HQ5p-usuZNMMatvle_IWckHbWAACZ81oy2PDvp_nTwma5UH_giQQA1mSYcmgo2YxluszPJa0FLEw4Uy8-yMVnWkIlodeF9inrMrSSePpwfl5t0gNxxOY4PN84t6VsXLcfp6Jfq4xpFkfPIJNuRc5iY3NX2-tsRF6TuUrhl0PFELdIombkCcUEDLWJdQ
+eyJhbGciOiJSUzI1NiIsImtpZCI6ImFWODBkazlpZG1sbU1YVlBkMUJYV2xGcGIwZFdZVnBHYkRkVVYxSlFWWGRoV0cxVU9HeFNaRkZCYXcifQ.eyJyZXNwb25zZV90eXBlIjogImNvZGUiLCAic3RhdGUiOiAic3RhdGUiLCAicmVkaXJlY3RfdXJpIjogImh0dHBzOi8vZXhhbXBsZS5jb20vY2xpL2F1dGh6X2NiIiwgInNjb3BlIjogIm9wZW5pZCIsICJub25jZSI6ICJheE1QSlByalVacFdERkxUSVYxVVE3Q2RCMzVseHpOcCIsICJjbGllbnRfaWQiOiAiY2xpZW50X2lkIiwgImlzcyI6ICJjbGllbnRfaWQiLCAiaWF0IjogMTU3NDAwNTE2MiwgImF1ZCI6IFsiaHR0cHM6Ly9leGFtcGxlLmNvbSJdfQ.bohgxuuW6EslKVZk_do68TCjx7JMybcvcTFD5MYxFDi2zc0nsMO62uE1eoN_8fd7eprV9G7PJF69lRBOEpszROMsK-nOq7GM1Q8DJIabPF99SF3hKVPNPyPF5ipRLIESG0_I4KB1dY41dOnd5rSeHMLwdNiN5iakjqoeK_LpX0J0DlaCp8RZeMubN6EB1KXHXi6RpWbtprZbvtQha0dCsQ4xfXJTt61CkPH1VEV-8W2orWvmX9fFIznF0Zt06HIinK8EO1_xg88kKmg3JtMrJ9cq8RweM8G2g5xcdRvFrFcVlnBSZwWuDM01oUlowOM20X-9FeQ--I6L2r-8NPUOrw

src/oidcservice/service_context.py

@@ -162,8 +162,7 @@ def test_request_init_request_method(self):
                                          owner='client_id'))
         assert _resp
         assert set(_resp.keys()) == {'response_type', 'client_id', 'scope',
-                                     'redirect_uri', 'state', 'nonce',
-                                     'iss', 'aud', 'kid', 'iat'}
+                                     'redirect_uri', 'state', 'nonce', 'iss', 'aud', 'iat'}
 
     def test_request_param(self):
         req_args = {'response_type': 'code', 'state': 'state'}

tests/request123456.jwt

@@ -2,9 +2,10 @@
 from oidcmsg.message import SINGLE_REQUIRED_STRING
 from oidcmsg.oidc import AuthorizationResponse
 
-from oidcservice.oidc.pkce import add_code_challenge
-from oidcservice.oidc.pkce import add_code_verifier
-from oidcservice.oidc.pkce import put_state_in_post_args
+from oidcservice.oidc.add_on.pkce import add_code_challenge
+from oidcservice.oidc.add_on.pkce import add_code_verifier
+from oidcservice.oidc.add_on.pkce import add_pkce_support
+from oidcservice.oidc.add_on.pkce import put_state_in_post_args
 from oidcservice.service import Service
 from oidcservice.service import init_services
 from oidcservice.service_context import ServiceContext
@@ -36,12 +37,12 @@ def test_add_code_challenge_default_values():
     service = DummyService(service_context, state_db=InMemoryStateDataBase())
     _state = State(iss='Issuer')
     service.state_db.set('state', _state.to_json())
-    spec = add_code_challenge({'state': 'state'}, service)
+    request_args, _  = add_code_challenge({'state': 'state'}, service)
 
     # default values are length:64 method:S256
-    assert set(spec.keys()) == {'code_challenge', 'code_challenge_method',
+    assert set(request_args.keys()) == {'code_challenge', 'code_challenge_method',
                                 'state'}
-    assert spec['code_challenge_method'] == 'S256'
+    assert request_args['code_challenge_method'] == 'S256'
 
     request_args = add_code_verifier({}, service, state='state')
     assert len(request_args['code_verifier']) == 64
@@ -61,10 +62,10 @@ def test_add_code_challenge_spec_values():
     _state = State(iss='Issuer')
     service.state_db.set('state', _state.to_json())
 
-    spec = add_code_challenge({'state': 'state'}, service)
-    assert set(spec.keys()) == {'code_challenge', 'code_challenge_method',
+    request_args, _ = add_code_challenge({'state': 'state'}, service)
+    assert set(request_args.keys()) == {'code_challenge', 'code_challenge_method',
                                 'state'}
-    assert spec['code_challenge_method'] == 'S384'
+    assert request_args['code_challenge_method'] == 'S384'
 
     request_args = add_code_verifier({}, service, state='state')
     assert len(request_args['code_verifier']) == 128
@@ -82,7 +83,7 @@ def test_authorization_and_pkce():
                               state_db=InMemoryStateDataBase(),
                               service_context=service_context)
     service.post_construct.append(add_code_challenge)
-    request = service.construct_request()
+    request, _ = service.construct_request()
     assert set(request.keys()) == {'client_id', 'code_challenge',
                                    'code_challenge_method', 'state', 'nonce',
                                    'redirect_uri', 'response_type', 'scope'}
@@ -102,7 +103,7 @@ def test_access_token_and_pkce():
     authz_service = service_factory('Authorization', ['oidc'], state_db=db,
                                     service_context=service_context)
     authz_service.post_construct.append(add_code_challenge)
-    request = authz_service.construct_request()
+    request, _ = authz_service.construct_request()
     _state = request['state']
 
     auth_response = AuthorizationResponse(code='access code')
@@ -134,28 +135,17 @@ def test_pkce_config():
     service_definitions = {
         'authorization': {
             'class': 'oidcservice.oidc.authorization.Authorization',
-            'kwargs': {},
-            'post_functions': [
-                {
-                    'function': 'oidcservice.oidc.pkce.add_code_challenge'
-                }
-            ]
+            'kwargs': {}
         },
         'access_token': {
             'class': 'oidcservice.oidc.access_token.AccessToken',
-            'kwargs': {},
-            'pre_functions': [
-                {
-                    'function': 'oidcservice.oidc.pkce.put_state_in_post_args'
-                }
-            ],
-            'post_functions': [
-                {'function': 'oidcservice.oidc.pkce.add_code_verifier'}
-            ]
+            'kwargs': {}
         }
     }
     service = init_services(service_definitions, service_context, db)
 
+    add_pkce_support(service, 64, 'S256')
+
     request = service['authorization'].construct_request()
     _state = request['state']
 
@@ -166,49 +156,3 @@ def test_pkce_config():
     assert set(request.keys()) == {'client_id', 'redirect_uri', 'grant_type',
                                    'client_secret', 'code_verifier', 'code',
                                    'state'}
-
-# class TestPKCE(object):
-#     def test_pkce_create(self):
-#         _cli = Client(
-#             config={'code_challenge': {'method': 'S256', 'length': 64}})
-#         args, cv = _cli.add_code_challenge()
-#         assert args['code_challenge_method'] == 'S256'
-#         assert _eq(list(args.keys()),
-#                    ['code_challenge_method', 'code_challenge'])
-#
-#     def test_pkce_verify_256(self, session_db_factory):
-#         _cli = Client(
-#             config={'code_challenge': {'method': 'S256', 'length': 64}})
-#         args, cv = _cli.add_code_challenge()
-#
-#         authn_broker = AuthnBroker()
-#         authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
-#         _prov = Provider("as",
-#                          session_db_factory('https://connect-op.heroku.com'),
-#                          {},
-#                          authn_broker, Implicit(), verify_client)
-#
-#         assert _prov.verify_code_challenge(cv, args['code_challenge']) is True
-#         assert _prov.verify_code_challenge(cv, args['code_challenge'],
-#                                            'S256') is True
-#         resp = _prov.verify_code_challenge('XXX', args['code_challenge'])
-#         assert isinstance(resp, Response)
-#         assert resp.info()['status_code'] == 401
-#
-#     def test_pkce_verify_512(self, session_db_factory):
-#         _cli = Client(
-#             config={'code_challenge': {'method': 'S512', 'length': 96}})
-#         args, cv = _cli.add_code_challenge()
-#
-#         authn_broker = AuthnBroker()
-#         authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
-#         _prov = Provider("as",
-#                          session_db_factory('https://connect-op.heroku.com'),
-#                          {},
-#                          authn_broker, Implicit(), verify_client)
-#
-#         assert _prov.verify_code_challenge(cv, args['code_challenge'],
-#                                            'S512') is True
-#         resp = _prov.verify_code_challenge('XXX', args['code_challenge'])
-#         assert isinstance(resp, Response)
-#         assert resp.info()['status_code'] == 401

tests/test_13_oic_service.py

@@ -396,7 +396,7 @@ def test_conversation():
 
     assert isinstance(_resp, AccessTokenResponse)
     assert set(_resp['__verified_id_token'].keys()) == {
-        'iss', 'kid', 'nonce', 'acr', 'auth_time', 'aud', 'iat', 'exp', 'sub'}
+        'iss', 'nonce', 'acr', 'auth_time', 'aud', 'iat', 'exp', 'sub'}
 
     service['accesstoken'].update_service_context(_resp, key=STATE)