Mostly CIBA related things.

Fixed the case where new client authentication methods where added by the configuration.

Author: rohe

src/idpyoidc/actor/__init__.py

@@ -0,0 +1,68 @@
+from typing import Optional
+from uuid import uuid4
+
+from cryptojwt.key_jar import KeyJar
+
+from idpyoidc.impexp import ImpExp
+
+
+class CIBAClient(ImpExp):
+    parameter = {
+        "context": {}
+    }
+
+    def __init__(
+            self,
+            keyjar: Optional[KeyJar] = None,
+    ):
+        ImpExp.__init__(self)
+        self.keyjar = keyjar
+        self.server = None
+        self.client = None
+        self.context = {}
+
+    def create_authentication_request(self, scope, binding_message, login_hint):
+        _service = self.client.client_get("service", "backchannel_authentication")
+
+        client_notification_token = uuid4().hex
+
+        request_args = {
+            "scope": scope,
+            "client_notification_token": client_notification_token,
+            "binding_message": binding_message,
+            "login_hint": login_hint
+        }
+        request = _service.get_request_parameters(request_args=request_args,
+                                                  authn_method="private_key_jwt")
+
+        self.context[client_notification_token] = {
+            "authentication_request": request,
+            "client_id": _service.client_get("service_context").issuer
+        }
+        return request
+
+    def get_client_id_from_token(self, token):
+        _context = self.context[token]
+        return _context["client_id"]
+
+    def do_client_notification(self, msg, http_info):
+        _notification_endpoint = self.server.server_get("endpoint", "client_notification")
+        _nreq = _notification_endpoint.parse_request(
+            msg, http_info, get_client_id_from_token=self.get_client_id_from_token)
+        _ninfo = _notification_endpoint.process_request(_nreq)
+
+
+class CIBAServer(ImpExp):
+    parameter = {
+        "context": {}
+    }
+
+    def __init__(
+            self,
+            keyjar: Optional[KeyJar] = None,
+    ):
+        ImpExp.__init__(self)
+        self.keyjar = keyjar
+        self.server = None
+        self.client = None
+        self.context = {}

src/idpyoidc/client/client_auth.py

@@ -15,6 +15,7 @@
 from idpyoidc.message.oidc import AuthnToken
 from idpyoidc.time_util import utc_time_sans_frac
 from idpyoidc.util import rndstr
+# from idpyoidc.oidc.backchannel_authentication import ClientNotificationAuthn
 
 from ..message import VREQUIRED
 from .util import sanitize
@@ -589,6 +590,7 @@ def get_signing_key_from_keyjar(self, algorithm, service_context=None):
     "bearer_body": BearerBody,
     "client_secret_jwt": ClientSecretJWT,
     "private_key_jwt": PrivateKeyJWT,
+#    "client_notification_authn": ClientNotificationAuthn
 }
 
 TYPE_METHOD = [(JWT_BEARER, JWSAuthnMethod)]

src/idpyoidc/client/service.py

@@ -12,18 +12,17 @@
 from idpyoidc.impexp import ImpExp
 from idpyoidc.item import DLDict
 from idpyoidc.message import Message
-from idpyoidc.message.oauth2 import ResponseMessage
 from idpyoidc.message.oauth2 import is_error_message
+from idpyoidc.message.oauth2 import ResponseMessage
 from idpyoidc.util import importer
-
-from ..constant import JOSE_ENCODED
-from ..constant import JSON_ENCODED
-from ..constant import URL_ENCODED
 from .client_auth import factory as ca_factory
 from .configure import Configuration
 from .exception import ResponseError
 from .util import get_http_body
 from .util import get_http_url
+from ..constant import JOSE_ENCODED
+from ..constant import JSON_ENCODED
+from ..constant import URL_ENCODED
 
 __author__ = 'Roland Hedberg'
 
@@ -254,7 +253,7 @@ def init_authentication_method(self, request, authn_method,
             LOGGER.debug('Client authn method: %s', authn_method)
             try:
                 _func = self.client_authn_factory(authn_method)
-            except ValueError: # not one of the common
+            except (KeyError, ValueError):  # not one of the common
                 _func = importer(authn_method)()
 
             return _func.construct(request, self, http_args=http_args, **kwargs)

src/idpyoidc/server/__init__.py

@@ -50,9 +50,9 @@ def __init__(
             cookie_handler=cookie_handler,
             httpc=httpc,
         )
-        self.endpoint_context.authz = self.do_authz()
+        self.endpoint_context.authz = self.setup_authz()
 
-        self.do_authentication(self.endpoint_context)
+        self.setup_authentication(self.endpoint_context)
 
         self.endpoint = do_endpoints(conf, self.server_get)
         _cap = get_provider_capabilities(conf, self.endpoint)
@@ -68,10 +68,10 @@ def __init__(
         )
         self.endpoint_context.do_userinfo()
         # Must be done after userinfo
-        self.do_login_hint_lookup()
+        self.setup_login_hint_lookup()
         self.endpoint_context.set_remember_token()
 
-        self.do_client_authn_methods()
+        self.setup_client_authn_methods()
         for endpoint_name, _ in self.endpoint.items():
             self.endpoint[endpoint_name].server_get = self.server_get
 
@@ -107,14 +107,14 @@ def get_endpoint(self, endpoint_name, *arg):
     def get_endpoint_context(self, *arg):
         return self.endpoint_context
 
-    def do_authz(self):
+    def setup_authz(self):
         authz_spec = self.conf.get("authz")
         if authz_spec:
             return init_service(authz_spec, self.server_get)
         else:
             return authz.Implicit(self.server_get)
 
-    def do_authentication(self, target):
+    def setup_authentication(self, target):
         _conf = self.conf.get("authentication")
         if _conf:
             target.authn_broker = populate_authn_broker(
@@ -130,7 +130,7 @@ def do_authentication(self, target):
             except AttributeError:
                 pass
 
-    def do_login_hint_lookup(self):
+    def setup_login_hint_lookup(self):
         _conf = self.conf.get("login_hint_lookup")
         if _conf:
             _userinfo = None
@@ -146,7 +146,7 @@ def do_login_hint_lookup(self):
             self.endpoint_context.login_hint_lookup = init_service(_conf)
             self.endpoint_context.login_hint_lookup.userinfo = _userinfo
 
-    def do_client_authn_methods(self):
+    def setup_client_authn_methods(self):
         self.endpoint_context.client_authn_method = client_auth_setup(self.server_get,
                                                                       self.conf.get(
-                                                                          "client_authn_method"))
+                                                                          "client_authn_methods"))

src/idpyoidc/server/client_authn.py

@@ -470,6 +470,8 @@ def verify_client(
 
     if http_info and "headers" in http_info:
         authorization_token = http_info["headers"].get("authorization")
+        if not authorization_token:
+            authorization_token = http_info["headers"].get("Authorization")
     else:
         authorization_token = None
 
@@ -479,6 +481,7 @@ def verify_client(
     if not allowed_methods:
         allowed_methods = list(methods.keys())
 
+    _method = None
     for _method in (methods[meth] for meth in allowed_methods):
         if not _method.is_usable(request=request, authorization_token=authorization_token):
             continue
@@ -518,7 +521,7 @@ def verify_client(
     # Validate that the used method is allowed for this client/endpoint
     client_allowed_methods = _cinfo.get(f"{endpoint.endpoint_name}_client_authn_method",
                                         _cinfo.get("client_authn_method"))
-    if client_allowed_methods is not None and _method.tag not in client_allowed_methods:
+    if client_allowed_methods is not None and _method and _method.tag not in client_allowed_methods:
         logger.info(
             f"Allowed methods for client: {client_id} at endpoint: {endpoint.name} are: "
             f"`{', '.join(client_allowed_methods)}`"
@@ -542,8 +545,9 @@ def verify_client(
 
 def client_auth_setup(server_get, auth_set=None):
     if auth_set is None:
-        auth_set = {}
-    auth_set = {**CLIENT_AUTHN_METHOD, **auth_set}
+        auth_set = CLIENT_AUTHN_METHOD
+    else:
+        auth_set.update(CLIENT_AUTHN_METHOD)
     res = {}
 
     for name, cls in auth_set.items():

src/idpyoidc/server/configure.py

@@ -145,6 +145,7 @@ class EntityConfiguration(Base):
         "capabilities": None,
         "claims_interface": None,
         "client_db": None,
+        "client_authn_methods": {},
         "cookie_handler": None,
         "endpoint": {},
         "httpc_params": {},

src/idpyoidc/server/endpoint.py

@@ -235,11 +235,14 @@ def client_authentication(self, request: Message, http_info: Optional[dict] = No
         if "endpoint" not in kwargs:
             kwargs["endpoint"] = self
 
+        get_client_id_from_token = kwargs.get("get_client_id_from_token")
+        if not get_client_id_from_token:
+            kwargs["get_client_id_from_token"] = getattr(self, "get_client_id_from_token", None)
+
         authn_info = verify_client(
             endpoint_context=self.server_get("endpoint_context"),
             request=request,
             http_info=http_info,
-            get_client_id_from_token=getattr(self, "get_client_id_from_token", None),
             **kwargs
         )
 

src/idpyoidc/server/oidc/backchannel_authentication.py

@@ -14,6 +14,9 @@
 from idpyoidc.message.oidc.backchannel_authentication import AuthenticationRequest
 from idpyoidc.message.oidc.backchannel_authentication import AuthenticationResponse
 from idpyoidc.server import Endpoint
+from idpyoidc.server import EndpointContext
+from idpyoidc.server.client_authn import ClientSecretBasic
+from idpyoidc.server.exception import NoSuchAuthentication
 from idpyoidc.server.oidc.token_helper import AccessTokenHelper
 from idpyoidc.server.session.token import MintingNotAllowed
 from idpyoidc.server.util import execute
@@ -272,16 +275,49 @@ class ClientNotification(Endpoint):
     request_cls = AuthenticationRequest
     response_cls = AuthenticationResponse
     error_cls = ResponseMessage
-    request_format = "urlencoded"
-    response_format = "urlencoded"
-    response_placement = "url"
-    endpoint_name = "backchannel_authentication_endpoint"
-    name = "backchannel_authentication"
+    request_format = "json"
+    endpoint_name = "client_notification_endpoint"
+    name = "client_notification"
     provider_info_attributes = {
-        "backchannel_token_delivery_modes_supported": ['poll', 'ping', 'push'],
-        "backchannel_authentication_request_signing_alg_values_supported": None,
-        "backchannel_user_code_parameter_supported": True,
+        "backchannel_client_notification_endpoint": None,
     }
 
     def __init__(self, server_get: Callable, **kwargs):
         Endpoint.__init__(self, server_get, **kwargs)
+
+    def process_request(
+                self,
+                request: Optional[Union[Message, dict]] = None,
+                http_info: Optional[dict] = None,
+                **kwargs
+        ) -> Union[Message, dict]:
+        return {}
+
+
+class ClientNotificationAuthn(ClientSecretBasic):
+    """The authentication method used at the notification endpoint."""
+
+    tag = "client_notification_authn"
+
+    def is_usable(self, request=None, authorization_token=None):
+        if authorization_token is not None and authorization_token.startswith("Bearer "):
+            return True
+        return False
+
+    def _verify(
+            self,
+            endpoint_context: EndpointContext,
+            request: Optional[Union[dict, Message]] = None,
+            authorization_token: Optional[str] = None,
+            endpoint=None,  # Optional[Endpoint]
+            get_client_id_from_token: Optional[Callable] = None,
+            **kwargs
+    ):
+        ttype, token = authorization_token.split(" ", 1)
+        if ttype != "Bearer":
+            raise NoSuchAuthentication(f"No support for {ttype}")
+        if get_client_id_from_token:
+            client_id = get_client_id_from_token(token)
+        else:
+            client_id = ""
+        return {"token": token, "client_id": client_id}