Merge pull request #367 from bajnokk/redis_ttl

OIDC frontend: support Redis and session expiration

Author: c00kiemon5ter

doc/README.md

@@ -459,22 +459,22 @@ Connect Relying Parties (RPs). The default configuration file can be found
 [here](../example/plugins/frontends/openid_connect_frontend.yaml.example).
 
 As opposed to the other plugins, this plugin is NOT stateless (due to the nature of OpenID Connect using any other
-flow than "Implicit Flow"). However, the frontend supports using a MongoDB instance as its backend storage, so as long
+flow than "Implicit Flow"). However, the frontend supports using a MongoDB or Redis instance as its backend storage, so as long
 that's reachable from all machines it should not be a problem.
 
 The configuration parameters available:
 * `signing_key_path`: path to a RSA Private Key file (PKCS#1). MUST be configured.
-* `db_uri`: connection URI to MongoDB instance where the data will be persisted, if it's not specified all data will only
+* `db_uri`: connection URI to MongoDB or Redis instance where the data will be persisted, if it's not specified all data will only
    be stored in-memory (not suitable for production use).
-* `client_db_uri`: connection URI to MongoDB instance where the client data will be persistent, if it's not specified the clients list will be received from the `client_db_path`.
+* `client_db_uri`: connection URI to MongoDB or Redis instance where the client data will be persistent, if it's not specified the clients list will be received from the `client_db_path`.
 * `client_db_path`: path to a file containing the client database in json format. It will only be used if `client_db_uri` is not set. If `client_db_uri` and `client_db_path` are not set, clients will only be stored in-memory (not suitable for production use).
 * `sub_hash_salt`: salt which is hashed into the `sub` claim. If it's not specified, SATOSA will generate a random salt on each startup, which means that users will get new `sub` value after every restart.
 * `provider`: provider configuration information. MUST be configured, the following configuration are supported:
     * `response_types_supported` (default: `[id_token]`): list of all supported response types, see [Section 3 of OIDC Core](http://openid.net/specs/openid-connect-core-1_0.html#Authentication).
     * `subject_types_supported` (default: `[pairwise]`): list of all supported subject identifier types, see [Section 8 of OIDC Core](http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes)
     * `scopes_supported` (default: `[openid]`): list of all supported scopes, see [Section 5.4 of OIDC Core](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
     * `client_registration_supported` (default: `No`): boolean whether [dynamic client registration is supported](https://openid.net/specs/openid-connect-registration-1_0.html).
-        If dynamic client registration is not supported all clients must exist in the MongoDB instance configured by the `db_uri` in the `"clients"` collection of the `"satosa"` database.
+        If dynamic client registration is not supported all clients must exist in the MongoDB or Redis instance configured by the `db_uri` in the `"clients"` collection of the `"satosa"` database.
         The registration info must be stored using the client id as a key, and use the parameter names of a [OIDC Registration Response](https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationResponse).
     * `authorization_code_lifetime`: how long authorization codes should be valid, see [default](https://github.com/IdentityPython/pyop#token-lifetimes)
     * `access_token_lifetime`: how long access tokens should be valid, see [default](https://github.com/IdentityPython/pyop#token-lifetimes)

src/satosa/frontends/openid_connect.py

@@ -16,7 +16,7 @@
 from pyop.exceptions import (InvalidAuthenticationRequest, InvalidClientRegistrationRequest,
                              InvalidClientAuthentication, OAuthError, BearerTokenError, InvalidAccessToken)
 from pyop.provider import Provider
-from pyop.storage import MongoWrapper
+from pyop.storage import StorageBase
 from pyop.subject_identifier import HashBasedSubjectIdentifierFactory
 from pyop.userinfo import Userinfo
 from pyop.util import should_fragment_encode
@@ -40,86 +40,53 @@ class OpenIDConnectFrontend(FrontendModule):
     """
 
     def __init__(self, auth_req_callback_func, internal_attributes, conf, base_url, name):
-        self._validate_config(conf)
+        _validate_config(conf)
         super().__init__(auth_req_callback_func, internal_attributes, base_url, name)
 
         self.config = conf
-        self.signing_key = RSAKey(key=rsa_load(conf["signing_key_path"]), use="sig", alg="RS256",
-                                  kid=conf.get("signing_key_id", ""))
-
-    def _create_provider(self, endpoint_baseurl):
-        response_types_supported = self.config["provider"].get("response_types_supported", ["id_token"])
-        subject_types_supported = self.config["provider"].get("subject_types_supported", ["pairwise"])
-        scopes_supported = self.config["provider"].get("scopes_supported", ["openid"])
-        extra_scopes = self.config["provider"].get("extra_scopes")
-        capabilities = {
-            "issuer": self.base_url,
-            "authorization_endpoint": "{}/{}".format(endpoint_baseurl, AuthorizationEndpoint.url),
-            "jwks_uri": "{}/jwks".format(endpoint_baseurl),
-            "response_types_supported": response_types_supported,
-            "id_token_signing_alg_values_supported": [self.signing_key.alg],
-            "response_modes_supported": ["fragment", "query"],
-            "subject_types_supported": subject_types_supported,
-            "claim_types_supported": ["normal"],
-            "claims_parameter_supported": True,
-            "claims_supported": [attribute_map["openid"][0]
-                                 for attribute_map in self.internal_attributes["attributes"].values()
-                                 if "openid" in attribute_map],
-            "request_parameter_supported": False,
-            "request_uri_parameter_supported": False,
-            "scopes_supported": scopes_supported
-        }
-
-        if 'code' in response_types_supported:
-            capabilities["token_endpoint"] = "{}/{}".format(endpoint_baseurl, TokenEndpoint.url)
-
-        if self.config["provider"].get("client_registration_supported", False):
-            capabilities["registration_endpoint"] = "{}/{}".format(endpoint_baseurl, RegistrationEndpoint.url)
-
-        authz_state = self._init_authorization_state()
+        provider_config = self.config["provider"]
+        provider_config["issuer"] = base_url
+
+        self.signing_key = RSAKey(
+            key=rsa_load(self.config["signing_key_path"]),
+            use="sig",
+            alg="RS256",
+            kid=self.config.get("signing_key_id", ""),
+        )
+
         db_uri = self.config.get("db_uri")
+        self.user_db = (
+            StorageBase.from_uri(db_uri, db_name="satosa", collection="authz_codes")
+            if db_uri
+            else {}
+        )
+
+        sub_hash_salt = self.config.get("sub_hash_salt", rndstr(16))
+        authz_state = _init_authorization_state(provider_config, db_uri, sub_hash_salt)
+
         client_db_uri = self.config.get("client_db_uri")
         cdb_file = self.config.get("client_db_path")
         if client_db_uri:
-            cdb = MongoWrapper(client_db_uri, "satosa", "clients")
+            cdb = StorageBase.from_uri(
+                client_db_uri, db_name="satosa", collection="clients", ttl=None
+            )
         elif cdb_file:
             with open(cdb_file) as f:
                 cdb = json.loads(f.read())
         else:
             cdb = {}
-        self.user_db = MongoWrapper(db_uri, "satosa", "authz_codes") if db_uri else {}
-        self.provider = Provider(
+
+        self.endpoint_baseurl = "{}/{}".format(self.base_url, self.name)
+        self.provider = _create_provider(
+            provider_config,
+            self.endpoint_baseurl,
+            self.internal_attributes,
             self.signing_key,
-            capabilities,
             authz_state,
+            self.user_db,
             cdb,
-            Userinfo(self.user_db),
-            extra_scopes=extra_scopes,
-            id_token_lifetime=self.config["provider"].get("id_token_lifetime", 3600),
         )
 
-    def _init_authorization_state(self):
-        sub_hash_salt = self.config.get("sub_hash_salt", rndstr(16))
-        db_uri = self.config.get("db_uri")
-        if db_uri:
-            authz_code_db = MongoWrapper(db_uri, "satosa", "authz_codes")
-            access_token_db = MongoWrapper(db_uri, "satosa", "access_tokens")
-            refresh_token_db = MongoWrapper(db_uri, "satosa", "refresh_tokens")
-            sub_db = MongoWrapper(db_uri, "satosa", "subject_identifiers")
-        else:
-            authz_code_db = None
-            access_token_db = None
-            refresh_token_db = None
-            sub_db = None
-
-        token_lifetimes = {k: self.config["provider"][k] for k in ["authorization_code_lifetime",
-                                                                   "access_token_lifetime",
-                                                                   "refresh_token_lifetime",
-                                                                   "refresh_token_threshold"]
-                           if k in self.config["provider"]}
-        return AuthorizationState(HashBasedSubjectIdentifierFactory(sub_hash_salt), authz_code_db, access_token_db,
-                                  refresh_token_db, sub_db, **token_lifetimes)
-
     def _get_extra_id_token_claims(self, user_id, client_id):
         if "extra_id_token_claims" in self.config["provider"]:
             config = self.config["provider"]["extra_id_token_claims"].get(client_id, [])
@@ -196,9 +163,6 @@ def register_endpoints(self, backend_names):
         else:
             backend_name = backend_names[0]
 
-        endpoint_baseurl = "{}/{}".format(self.base_url, self.name)
-        self._create_provider(endpoint_baseurl)
-
         provider_config = ("^.well-known/openid-configuration$", self.provider_config)
         jwks_uri = ("^{}/jwks$".format(self.name), self.jwks)
 
@@ -209,42 +173,36 @@ def register_endpoints(self, backend_names):
             auth_path = urlparse(auth_endpoint).path.lstrip("/")
         else:
             auth_path = "{}/{}".format(self.name, AuthorizationEndpoint.url)
+
         authentication = ("^{}$".format(auth_path), self.handle_authn_request)
         url_map = [provider_config, jwks_uri, authentication]
 
         if any("code" in v for v in self.provider.configuration_information["response_types_supported"]):
-            self.provider.configuration_information["token_endpoint"] = "{}/{}".format(endpoint_baseurl,
-                                                                                       TokenEndpoint.url)
-            token_endpoint = ("^{}/{}".format(self.name, TokenEndpoint.url), self.token_endpoint)
+            self.provider.configuration_information["token_endpoint"] = "{}/{}".format(
+                self.endpoint_baseurl, TokenEndpoint.url
+            )
+            token_endpoint = (
+                "^{}/{}".format(self.name, TokenEndpoint.url), self.token_endpoint
+            )
             url_map.append(token_endpoint)
 
-            self.provider.configuration_information["userinfo_endpoint"] = "{}/{}".format(endpoint_baseurl,
-                                                                                          UserinfoEndpoint.url)
-            userinfo_endpoint = ("^{}/{}".format(self.name, UserinfoEndpoint.url), self.userinfo_endpoint)
+            self.provider.configuration_information["userinfo_endpoint"] = (
+                "{}/{}".format(self.endpoint_baseurl, UserinfoEndpoint.url)
+            )
+            userinfo_endpoint = (
+                "^{}/{}".format(self.name, UserinfoEndpoint.url), self.userinfo_endpoint
+            )
             url_map.append(userinfo_endpoint)
+
         if "registration_endpoint" in self.provider.configuration_information:
-            client_registration = ("^{}/{}".format(self.name, RegistrationEndpoint.url), self.client_registration)
+            client_registration = (
+                "^{}/{}".format(self.name, RegistrationEndpoint.url),
+                self.client_registration,
+            )
             url_map.append(client_registration)
 
         return url_map
 
-    def _validate_config(self, config):
-        """
-        Validates that all necessary config parameters are specified.
-        :type config: dict[str, dict[str, Any] | str]
-        :param config: the module config
-        """
-        if config is None:
-            raise ValueError("OIDCFrontend conf can't be 'None'.")
-
-        for k in {"signing_key_path", "provider"}:
-            if k not in config:
-                raise ValueError("Missing configuration parameter '{}' for OpenID Connect frontend.".format(k))
-
-        if "signing_key_id" in config and type(config["signing_key_id"]) is not str:
-            raise ValueError(
-                "The configuration parameter 'signing_key_id' is not defined as a string for OpenID Connect frontend.")
-
     def _get_authn_request_from_state(self, state):
         """
         Extract the clietns request stoed in the SATOSA state.
@@ -411,6 +369,128 @@ def userinfo_endpoint(self, context):
             return response
 
 
+def _validate_config(config):
+    """
+    Validates that all necessary config parameters are specified.
+    :type config: dict[str, dict[str, Any] | str]
+    :param config: the module config
+    """
+    if config is None:
+        raise ValueError("OIDCFrontend configuration can't be 'None'.")
+
+    for k in {"signing_key_path", "provider"}:
+        if k not in config:
+            raise ValueError("Missing configuration parameter '{}' for OpenID Connect frontend.".format(k))
+
+    if "signing_key_id" in config and type(config["signing_key_id"]) is not str:
+        raise ValueError(
+            "The configuration parameter 'signing_key_id' is not defined as a string for OpenID Connect frontend.")
+
+
+def _create_provider(
+    provider_config,
+    endpoint_baseurl,
+    internal_attributes,
+    signing_key,
+    authz_state,
+    user_db,
+    cdb,
+):
+    response_types_supported = provider_config.get("response_types_supported", ["id_token"])
+    subject_types_supported = provider_config.get("subject_types_supported", ["pairwise"])
+    scopes_supported = provider_config.get("scopes_supported", ["openid"])
+    extra_scopes = provider_config.get("extra_scopes")
+    capabilities = {
+        "issuer": provider_config["issuer"],
+        "authorization_endpoint": "{}/{}".format(endpoint_baseurl, AuthorizationEndpoint.url),
+        "jwks_uri": "{}/jwks".format(endpoint_baseurl),
+        "response_types_supported": response_types_supported,
+        "id_token_signing_alg_values_supported": [signing_key.alg],
+        "response_modes_supported": ["fragment", "query"],
+        "subject_types_supported": subject_types_supported,
+        "claim_types_supported": ["normal"],
+        "claims_parameter_supported": True,
+        "claims_supported": [
+            attribute_map["openid"][0]
+            for attribute_map in internal_attributes["attributes"].values()
+            if "openid" in attribute_map
+        ],
+        "request_parameter_supported": False,
+        "request_uri_parameter_supported": False,
+        "scopes_supported": scopes_supported
+    }
+
+    if 'code' in response_types_supported:
+        capabilities["token_endpoint"] = "{}/{}".format(
+            endpoint_baseurl, TokenEndpoint.url
+        )
+
+    if provider_config.get("client_registration_supported", False):
+        capabilities["registration_endpoint"] = "{}/{}".format(
+            endpoint_baseurl, RegistrationEndpoint.url
+        )
+
+    provider = Provider(
+        signing_key,
+        capabilities,
+        authz_state,
+        cdb,
+        Userinfo(user_db),
+        extra_scopes=extra_scopes,
+        id_token_lifetime=provider_config.get("id_token_lifetime", 3600),
+    )
+    return provider
+
+
+def _init_authorization_state(provider_config, db_uri, sub_hash_salt):
+    if db_uri:
+        authz_code_db = StorageBase.from_uri(
+            db_uri,
+            db_name="satosa",
+            collection="authz_codes",
+            ttl=provider_config.get("authorization_code_lifetime", 600),
+        )
+        access_token_db = StorageBase.from_uri(
+            db_uri,
+            db_name="satosa",
+            collection="access_tokens",
+            ttl=provider_config.get("access_token_lifetime", 3600),
+        )
+        refresh_token_db = StorageBase.from_uri(
+            db_uri,
+            db_name="satosa",
+            collection="refresh_tokens",
+            ttl=provider_config.get("refresh_token_lifetime", None),
+        )
+        sub_db = StorageBase.from_uri(
+            db_uri, db_name="satosa", collection="subject_identifiers", ttl=None
+        )
+    else:
+        authz_code_db = None
+        access_token_db = None
+        refresh_token_db = None
+        sub_db = None
+
+    token_lifetimes = {
+        k: provider_config[k]
+        for k in [
+            "authorization_code_lifetime",
+            "access_token_lifetime",
+            "refresh_token_lifetime",
+            "refresh_token_threshold",
+        ]
+        if k in provider_config
+    }
+    return AuthorizationState(
+        HashBasedSubjectIdentifierFactory(sub_hash_salt),
+        authz_code_db,
+        access_token_db,
+        refresh_token_db,
+        sub_db,
+        **token_lifetimes,
+    )
+
+
 def combine_return_input(values):
     return values