Merge pull request #70 from IdentityPython/stand_alone_client

Stand alone client

Author: rohe

example/flask_rp/views.py

@@ -186,7 +186,7 @@ def repost_fragment():
     return finalize(op_identifier, args)
 
 
-@oidc_rp_views.route('/authz_im_cb')
+@oidc_rp_views.route('/authz_tok_cb')
 def authz_im_cb(op_identifier='', **kwargs):
     logger.debug('implicit_hybrid_flow kwargs: {}'.format(kwargs))
     return render_template('repost_fragment.html', op_identifier=op_identifier)
@@ -244,9 +244,10 @@ def session_logout(op_identifier):
 @oidc_rp_views.route('/logout')
 def logout():
     logger.debug('logout')
-    _info = current_app.rph.logout(state=session['state'])
-    logger.debug('logout redirect to "{}"'.format(_info['url']))
-    return redirect(_info['url'], 303)
+    _request_info = current_app.rph.logout(state=session['state'])
+    _url = _request_info["url"]
+    logger.debug(f'logout redirect to "{_url}"')
+    return redirect(_url, 303)
 
 
 @oidc_rp_views.route('/bc_logout/<op_identifier>', methods=['GET', 'POST'])

src/idpyoidc/client/claims/transform.py

@@ -21,6 +21,7 @@
     "subject_type": "subject_types_supported",
     "token_endpoint_auth_method": "token_endpoint_auth_methods_supported",
     "response_types": "response_types_supported",
+    "response_modes": "response_modes_supported",
     "grant_types": "grant_types_supported",
     # In OAuth2 but not in OIDC
     "scope": "scopes_supported",

src/idpyoidc/client/current.py

@@ -56,16 +56,14 @@ def get_set(
     ) -> dict:
         """
 
-        @param key: The key to a seet of current claims
+        @param key: The key to a set of current claims
         @param message: A message class
         @param claim: A list of claims
         @return: Dictionary
+        @raise KeyError if no such key
         """
 
-        try:
-            _current = self.get(key)
-        except KeyError:
-            return {}
+        _current = self.get(key)
 
         if message:
             _res = {k: _current[k] for k in message.c_param.keys() if k in _current}

src/idpyoidc/client/defaults.py

@@ -31,10 +31,7 @@
     "response_types": [
         "code",
         "id_token",
-        "id_token token",
         "code id_token",
-        "code id_token token",
-        "code token",
     ],
     "token_endpoint_auth_method": "client_secret_basic",
     "scopes_supported": ["openid"],
@@ -48,6 +45,7 @@
 # Using PKCE is default
 DEFAULT_CLIENT_CONFIGS = {
     "": {
+        "client_type": "oidc",
         "preference": DEFAULT_CLIENT_PREFERENCES,
         "add_ons": {
             "pkce": {
@@ -71,6 +69,8 @@
 }
 
 OIDCONF_PATTERN = "{}/.well-known/openid-configuration"
+OAUTH2_SERVER_METADATA_URL = "{}/.well-known/oauth-authorization-server"
+
 CC_METHOD = {
     "S256": hashlib.sha256,
     "S384": hashlib.sha384,
@@ -92,3 +92,13 @@
 SAML2_BEARER_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
 
 BASECHR = string.ascii_letters + string.digits
+
+DEFAULT_RESPONSE_MODE = {
+    "code": "query",
+    "id_token": "fragment",
+    "token": "fragment",
+    "code token": "fragment",
+    "code id_token": "fragment",
+    "id_token token": "fragment",
+    "code id_token token": "fragment",
+}

src/idpyoidc/client/oauth2/__init__.py

@@ -1,5 +1,5 @@
-from json import JSONDecodeError
 import logging
+from json import JSONDecodeError
 from typing import Callable
 from typing import Optional
 from typing import Union
@@ -12,8 +12,8 @@
 from idpyoidc.client.exception import OidcServiceError
 from idpyoidc.client.exception import ParseError
 from idpyoidc.client.service import REQUEST_INFO
-from idpyoidc.client.service import SUCCESSFUL
 from idpyoidc.client.service import Service
+from idpyoidc.client.service import SUCCESSFUL
 from idpyoidc.client.util import do_add_ons
 from idpyoidc.client.util import get_deserialization_method
 from idpyoidc.configure import Configuration
@@ -26,8 +26,6 @@
 
 logger = logging.getLogger(__name__)
 
-Version = "2.0"
-
 
 class ExpiredToken(Exception):
     pass
@@ -40,20 +38,20 @@ class Client(Entity):
     client_type = "oauth2"
 
     def __init__(
-        self,
-        keyjar: Optional[KeyJar] = None,
-        config: Optional[Union[dict, Configuration]] = None,
-        services: Optional[dict] = None,
-        httpc: Optional[Callable] = None,
-        httpc_params: Optional[dict] = None,
-        context: Optional[OidcContext] = None,
-        upstream_get: Optional[Callable] = None,
-        key_conf: Optional[dict] = None,
-        entity_id: Optional[str] = "",
-        verify_ssl: Optional[bool] = True,
-        jwks_uri: Optional[str] = "",
-        client_type: Optional[str] = "",
-        **kwargs
+            self,
+            keyjar: Optional[KeyJar] = None,
+            config: Optional[Union[dict, Configuration]] = None,
+            services: Optional[dict] = None,
+            httpc: Optional[Callable] = None,
+            httpc_params: Optional[dict] = None,
+            context: Optional[OidcContext] = None,
+            upstream_get: Optional[Callable] = None,
+            key_conf: Optional[dict] = None,
+            entity_id: Optional[str] = "",
+            verify_ssl: Optional[bool] = True,
+            jwks_uri: Optional[str] = "",
+            client_type: Optional[str] = "",
+            **kwargs
     ):
         """
 
@@ -70,7 +68,11 @@ def __init__(
         :return: Client instance
         """
 
-        if not client_type:
+        if client_type:
+            self.client_type = client_type
+        elif config and 'client_type' in config:
+            client_type = self.client_type = config["client_type"]
+        else:
             client_type = self.client_type
 
         if verify_ssl is False:
@@ -80,6 +82,8 @@ def __init__(
             else:
                 httpc_params = {"verify": False}
 
+        jwks_uri = jwks_uri or config.get('jwks_uri', '')
+
         Entity.__init__(
             self,
             keyjar=keyjar,
@@ -106,12 +110,12 @@ def __init__(
             do_add_ons(_add_ons, self._service)
 
     def do_request(
-        self,
-        request_type: str,
-        response_body_type: Optional[str] = "",
-        request_args: Optional[dict] = None,
-        behaviour_args: Optional[dict] = None,
-        **kwargs
+            self,
+            request_type: str,
+            response_body_type: Optional[str] = "",
+            request_args: Optional[dict] = None,
+            behaviour_args: Optional[dict] = None,
+            **kwargs
     ):
         _srv = self._service[request_type]
 
@@ -134,14 +138,14 @@ def set_client_id(self, client_id):
         self.get_context().set("client_id", client_id)
 
     def get_response(
-        self,
-        service: Service,
-        url: str,
-        method: Optional[str] = "GET",
-        body: Optional[dict] = None,
-        response_body_type: Optional[str] = "",
-        headers: Optional[dict] = None,
-        **kwargs
+            self,
+            service: Service,
+            url: str,
+            method: Optional[str] = "GET",
+            body: Optional[dict] = None,
+            response_body_type: Optional[str] = "",
+            headers: Optional[dict] = None,
+            **kwargs
     ):
         """
 
@@ -177,14 +181,14 @@ def get_response(
         return self.parse_request_response(service, resp, response_body_type, **kwargs)
 
     def service_request(
-        self,
-        service: Service,
-        url: str,
-        method: Optional[str] = "GET",
-        body: Optional[dict] = None,
-        response_body_type: Optional[str] = "",
-        headers: Optional[dict] = None,
-        **kwargs
+            self,
+            service: Service,
+            url: str,
+            method: Optional[str] = "GET",
+            body: Optional[dict] = None,
+            response_body_type: Optional[str] = "",
+            headers: Optional[dict] = None,
+            **kwargs
     ) -> Message:
         """
         The method that sends the request and handles the response returned.
@@ -312,17 +316,20 @@ def dynamic_provider_info_discovery(client: Client, behaviour_args: Optional[dic
     :param behaviour_args:
     :param client: A :py:class:`idpyoidc.client.oidc.Client` instance
     """
+
+    if client.client_type == 'oidc' and client.get_service("provider_info"):
+        service = 'provider_info'
+    elif client.client_type == 'oauth2' and client.get_service('server_metadata'):
+        service = 'server_metadata'
+    else:
+        raise ConfigurationError("Can not do dynamic provider info discovery")
+
+    _context = client.get_context()
     try:
-        client.get_service("provider_info")
+        _context.set("issuer", _context.config["srv_discovery_url"])
     except KeyError:
-        raise ConfigurationError("Can not do dynamic provider info discovery")
-    else:
-        _context = client.get_context()
-        try:
-            _context.set("issuer", _context.config["srv_discovery_url"])
-        except KeyError:
-            pass
+        pass
 
-        response = client.do_request("provider_info", behaviour_args=behaviour_args)
-        if is_error_message(response):
-            raise OidcServiceError(response["error"])
+    response = client.do_request(service, behaviour_args=behaviour_args)
+    if is_error_message(response):
+        raise OidcServiceError(response["error"])

src/idpyoidc/client/oauth2/authorization.py

@@ -40,9 +40,9 @@ class Authorization(Service):
     }
 
     _callback_path = {
-        "redirect_uris": {  # based on response_types
-            "code": "authz_cb",
-            "implicit": "authz_im_cb",
+        "redirect_uris": {  # based on response_mode
+            "query": "authz_cb",
+            "fragment": "authz_im_cb",
             # "form_post": "form"
         }
     }
@@ -100,14 +100,21 @@ def post_parse_response(self, response, **kwargs):
                         pass
         return response
 
-    def _do_flow(self, flow_type, response_types):
-        if flow_type == "code":
+    def _do_flow(self, flow_type, response_types, context) -> str:
+        if flow_type == "query":
             if "code" in response_types:
-                return True
-        elif flow_type in ["implicit", "hybrid"]:
+                return "query"
+        elif flow_type == "fragment":
             if implicit_response_types(response_types):
-                return True
-        return False
+                return "fragment"
+        elif flow_type == 'form_post':
+            rm = context.get_preference('response_modes_supported')
+            if rm and 'form_post' in rm:
+                if context.config.conf.get("separate_form_post_cb", True):
+                    return "form_post"
+                else:
+                    return "query"
+        return ''
 
     def _do_redirect_uris(self, base_url, hex, context, callback_uris, response_types):
         _redirect_uris = context.get_preference("redirect_uris", [])
@@ -116,23 +123,27 @@ def _do_redirect_uris(self, base_url, hex, context, callback_uris, response_type
                 # the same redirect_uris for all flow types
                 callback_uris["redirect_uris"] = {}
                 for flow_type in self._callback_path["redirect_uris"].keys():
-                    if self._do_flow(flow_type, response_types):
+                    if self._do_flow(flow_type, response_types, context):
                         callback_uris["redirect_uris"][flow_type] = _redirect_uris
         elif callback_uris:
             if "redirect_uris" in callback_uris:
                 pass
             else:
                 callback_uris["redirect_uris"] = {}
-                for flow_type, path in self._callback_path["redirect_uris"].items():
-                    if self._do_flow(flow_type, response_types):
+                for flow_type in self._callback_path["redirect_uris"].keys():
+                    _var = self._do_flow(flow_type, response_types, context)
+                    if _var:
+                        _path = self._callback_path["redirect_uris"][_var]
                         callback_uris["redirect_uris"][flow_type] = [
-                            self.get_uri(base_url, path, hex)
+                            self.get_uri(base_url, _path, hex)
                         ]
         else:
             callback_uris["redirect_uris"] = {}
-            for flow_type, path in self._callback_path["redirect_uris"].items():
-                if self._do_flow(flow_type, response_types):
-                    callback_uris["redirect_uris"][flow_type] = [self.get_uri(base_url, path, hex)]
+            for flow_type in self._callback_path["redirect_uris"].keys():
+                _var = self._do_flow(flow_type, response_types, context)
+                if _var:
+                    _path = self._callback_path["redirect_uris"][_var]
+                    callback_uris["redirect_uris"][flow_type] = [self.get_uri(base_url, _path, hex)]
         return callback_uris
 
     def construct_uris(

src/idpyoidc/client/oauth2/server_metadata.py

@@ -4,6 +4,7 @@
 
 from cryptojwt.key_jar import KeyJar
 
+from idpyoidc.client.defaults import OAUTH2_SERVER_METADATA_URL
 from idpyoidc.client.defaults import OIDCONF_PATTERN
 from idpyoidc.client.exception import OidcServiceError
 from idpyoidc.client.service import Service
@@ -23,6 +24,7 @@ class ServerMetadata(Service):
     synchronous = True
     service_name = "server_metadata"
     http_method = "GET"
+    url_pattern = OAUTH2_SERVER_METADATA_URL
 
     _supports = {}
 
@@ -41,9 +43,9 @@ def get_endpoint(self):
             _iss = self.endpoint
 
         if _iss.endswith("/"):
-            return OIDCONF_PATTERN.format(_iss[:-1])
+            return self.url_pattern.format(_iss[:-1])
 
-        return OIDCONF_PATTERN.format(_iss)
+        return self.url_pattern.format(_iss)
 
     def get_request_parameters(self, method="GET", **kwargs):
         """