Refactored handling of client authentication methods.

Author: rohe

example/flask_rp/conf.json

@@ -61,27 +61,27 @@
   },
   "services": {
     "discovery": {
-      "class": "oidcrp.oidc.provider_info_discovery.ProviderInfoDiscovery",
+      "class": "idpyoidc.client.oidc.provider_info_discovery.ProviderInfoDiscovery",
       "kwargs": {}
     },
     "registration": {
-      "class": "oidcrp.oidc.registration.Registration",
+      "class": "idpyoidc.client.oidc.registration.Registration",
       "kwargs": {}
     },
     "authorization": {
-      "class": "oidcrp.oidc.authorization.Authorization",
+      "class": "idpyoidc.client.oidc.authorization.Authorization",
       "kwargs": {}
     },
     "accesstoken": {
-      "class": "oidcrp.oidc.access_token.AccessToken",
+      "class": "idpyoidc.client.oidc.access_token.AccessToken",
       "kwargs": {}
     },
     "userinfo": {
-      "class": "oidcrp.oidc.userinfo.UserInfo",
+      "class": "idpyoidc.client.oidc.userinfo.UserInfo",
       "kwargs": {}
     },
     "end_session": {
-      "class": "oidcrp.oidc.end_session.EndSession",
+      "class": "idpyoidc.client.oidc.end_session.EndSession",
       "kwargs": {}
     }
   },
@@ -111,27 +111,27 @@
       "redirect_uris": [],
       "services": {
         "discovery": {
-          "class": "oidcrp.oidc.provider_info_discovery.ProviderInfoDiscovery",
+          "class": "idpyoidc.client.oidc.provider_info_discovery.ProviderInfoDiscovery",
           "kwargs": {}
         },
         "registration": {
-          "class": "oidcrp.oidc.registration.Registration",
+          "class": "idpyoidc.client.oidc.registration.Registration",
           "kwargs": {}
         },
         "authorization": {
-          "class": "oidcrp.oidc.authorization.Authorization",
+          "class": "idpyoidc.client.oidc.authorization.Authorization",
           "kwargs": {}
         },
         "accesstoken": {
-          "class": "oidcrp.oidc.access_token.AccessToken",
+          "class": "idpyoidc.client.oidc.access_token.AccessToken",
           "kwargs": {}
         },
         "userinfo": {
-          "class": "oidcrp.oidc.userinfo.UserInfo",
+          "class": "idpyoidc.client.oidc.userinfo.UserInfo",
           "kwargs": {}
         },
         "end_session": {
-          "class": "oidcrp.oidc.end_session.EndSession",
+          "class": "idpyoidc.client.oidc.end_session.EndSession",
           "kwargs": {}
         }
       }
@@ -169,33 +169,33 @@
       "backchannel_logout_session_required": true,
       "services": {
         "discovery": {
-          "class": "oidcrp.oidc.provider_info_discovery.ProviderInfoDiscovery",
+          "class": "idpyoidc.client.oidc.provider_info_discovery.ProviderInfoDiscovery",
           "kwargs": {}
         },
         "registration": {
-          "class": "oidcrp.oidc.registration.Registration",
+          "class": "idpyoidc.client.oidc.registration.Registration",
           "kwargs": {}
         },
         "authorization": {
-          "class": "oidcrp.oidc.authorization.Authorization",
+          "class": "idpyoidc.client.oidc.authorization.Authorization",
           "kwargs": {}
         },
         "accesstoken": {
-          "class": "oidcrp.oidc.access_token.AccessToken",
+          "class": "idpyoidc.client.oidc.access_token.AccessToken",
           "kwargs": {}
         },
         "userinfo": {
-          "class": "oidcrp.oidc.userinfo.UserInfo",
+          "class": "idpyoidc.client.oidc.userinfo.UserInfo",
           "kwargs": {}
         },
         "end_session": {
-          "class": "oidcrp.oidc.end_session.EndSession",
+          "class": "idpyoidc.client.oidc.end_session.EndSession",
           "kwargs": {}
         }
       },
       "add_ons": {
         "pkce": {
-          "function": "oidcrp.oauth2.add_on.pkce.add_support",
+          "function": "idpyoidc.client.oauth2.add_on.pkce.add_support",
           "kwargs": {
             "code_challenge_length": 64,
             "code_challenge_method": "S256"
@@ -236,39 +236,71 @@
       "backchannel_logout_session_required": true,
       "services": {
         "discovery": {
-          "class": "oidcrp.oidc.provider_info_discovery.ProviderInfoDiscovery",
+          "class": "idpyoidc.client.oidc.provider_info_discovery.ProviderInfoDiscovery",
           "kwargs": {}
         },
         "registration": {
-          "class": "oidcrp.oidc.registration.Registration",
+          "class": "idpyoidc.client.oidc.registration.Registration",
           "kwargs": {}
         },
         "authorization": {
-          "class": "oidcrp.oidc.authorization.Authorization",
+          "class": "idpyoidc.client.oidc.authorization.Authorization",
           "kwargs": {}
         },
         "accesstoken": {
-          "class": "oidcrp.oidc.access_token.AccessToken",
+          "class": "idpyoidc.client.oidc.access_token.AccessToken",
           "kwargs": {}
         },
         "userinfo": {
-          "class": "oidcrp.oidc.userinfo.UserInfo",
+          "class": "idpyoidc.client.oidc.userinfo.UserInfo",
           "kwargs": {}
         },
         "end_session": {
-          "class": "oidcrp.oidc.end_session.EndSession",
+          "class": "idpyoidc.client.oidc.end_session.EndSession",
           "kwargs": {}
         }
       },
       "add_ons": {
         "pkce": {
-          "function": "oidcrp.oauth2.add_on.pkce.add_support",
+          "function": "idpyoidc.client.oauth2.add_on.pkce.add_support",
           "kwargs": {
             "code_challenge_length": 64,
             "code_challenge_method": "S256"
           }
         }
       }
+    },
+    "bobcat": {
+      "client_id": "client3",
+      "client_secret": "abcdefghijklmnop",
+      "issuer": "http://127.0.0.1:8080/",
+      "behaviour": {
+        "application_name": "rphandler",
+        "application_type": "web",
+        "contacts": [
+          "[email protected]"
+        ],
+        "response_types": [
+          "code"
+        ],
+        "scope": [
+          "openid",
+          "profile",
+          "email",
+          "address",
+          "phone"
+        ],
+        "token_endpoint_auth_method": [
+          "client_secret_basic",
+          "client_secret_post"
+        ]
+      },
+      "redirect_uris": [
+        "https://{domain}:{port}/authz_cb/bobcat"
+      ],
+      "post_logout_redirect_uri": "https://{domain}:{port}/session_logout/bobcat",
+      "frontchannel_logout_uri": "https://{domain}:{port}/fc_logout/bobcat",
+      "frontchannel_logout_session_required": true
     }
   },
   "webserver": {

example/flask_rp/views.py

@@ -10,10 +10,9 @@
 from flask import session
 from flask.helpers import make_response
 from flask.helpers import send_from_directory
-import werkzeug
-
 from idpyoidc.client import rp_handler
 from idpyoidc.client.exception import OidcServiceError
+import werkzeug
 
 logger = logging.getLogger(__name__)
 
@@ -53,12 +52,12 @@ def rp():
         uid = ''
 
     if iss or uid:
-        args = {
-            'req_args': {
-                "claims": {"id_token": {"acr": {"value": "https://refeds.org/profile/mfa"}}}
-            }
-        }
-
+        # args = {
+        #     'req_args': {
+        #         "claims": {"id_token": {"acr": {"value": "https://refeds.org/profile/mfa"}}}
+        #     }
+        # }
+        args = {}
         if uid:
             args['user_id'] = uid
 

src/idpyoidc/client/client_auth.py

@@ -7,6 +7,7 @@
 from cryptojwt.exception import UnsupportedAlgorithm
 from cryptojwt.jws.jws import SIGNER_ALGS
 from cryptojwt.jws.utils import alg2keytype
+from cryptojwt.utils import importer
 
 from idpyoidc.defaults import DEF_SIGN_ALG
 from idpyoidc.defaults import JWT_BEARER
@@ -612,13 +613,15 @@ def valid_service_context(service_context, when=0):
     return True
 
 
-def factory(auth_method):
-    """Return an instance of a client authentication class.
+def client_auth_setup(auth_set=None):
+    if auth_set is None:
+        auth_set = CLIENT_AUTHN_METHOD
+    else:
+        auth_set.update(CLIENT_AUTHN_METHOD)
+    res = {}
 
-    :param auth_method: The name of the client authentication method
-    """
-    try:
-        return CLIENT_AUTHN_METHOD[auth_method]()
-    except KeyError:
-        LOGGER.error('Unknown client authentication method: %s', auth_method)
-        raise ValueError(auth_method)
+    for name, cls in auth_set.items():
+        if isinstance(cls, str):
+            cls = importer(cls)
+        res[name] = cls()
+    return res

src/idpyoidc/client/entity.py

@@ -3,8 +3,7 @@
 from typing import Union
 
 from cryptojwt import KeyJar
-
-from idpyoidc.client.client_auth import factory
+from idpyoidc.client.client_auth import client_auth_setup
 from idpyoidc.client.configure import Configuration
 from idpyoidc.client.defaults import DEFAULT_OAUTH2_SERVICES
 from idpyoidc.client.service import init_services
@@ -13,7 +12,6 @@
 
 class Entity(object):
     def __init__(self,
-                 client_authn_factory: Optional[Callable] = None,
                  keyjar: Optional[KeyJar] = None,
                  config: Optional[Union[dict, Configuration]] = None,
                  services: Optional[dict] = None,
@@ -28,8 +26,6 @@ def __init__(self,
         self._service_context = ServiceContext(keyjar=keyjar, config=config,
                                                jwks_uri=jwks_uri, httpc_params=self.httpc_params)
 
-        _cam = client_authn_factory or factory
-
         if config:
             _srvs = config.get("services")
         else:
@@ -39,8 +35,10 @@ def __init__(self,
             _srvs = services or DEFAULT_OAUTH2_SERVICES
 
         self._service = init_services(service_definitions=_srvs,
-                                      client_get=self.client_get,
-                                      client_authn_factory=_cam)
+                                      client_get=self.client_get)
+
+        self.setup_client_authn_methods(config)
+
 
     def client_get(self, what, *arg):
         _func = getattr(self, "get_{}".format(what), None)
@@ -72,3 +70,7 @@ def get_entity(self):
 
     def get_client_id(self):
         return self._service_context.client_id
+
+    def setup_client_authn_methods(self, config):
+        self._service_context.client_authn_method = client_auth_setup(
+            config.get("client_authn_methods"))

src/idpyoidc/client/oauth2/__init__.py

@@ -31,12 +31,10 @@ class ExpiredToken(Exception):
 
 
 class Client(Entity):
-    def __init__(self, client_authn_factory=None, keyjar=None, verify_ssl=True, config=None,
+    def __init__(self, keyjar=None, verify_ssl=True, config=None,
                  httplib=None, services=None, jwks_uri='', httpc_params=None):
         """
 
-        :param client_authn_factory: Factory that this client can use to
-            initiate a client authentication class.
         :param keyjar: A py:class:`idpyoidc.key_jar.KeyJar` instance
         :param config: Configuration information passed on to the
             :py:class:`idpyoidc.client.service_context.ServiceContext`
@@ -48,7 +46,7 @@ def __init__(self, client_authn_factory=None, keyjar=None, verify_ssl=True, conf
         :return: Client instance
         """
 
-        Entity.__init__(self, client_authn_factory=client_authn_factory, keyjar=keyjar,
+        Entity.__init__(self, keyjar=keyjar,
                         config=config, services=services, jwks_uri=jwks_uri,
                         httpc_params=httpc_params)
 

src/idpyoidc/client/oauth2/access_token.py

@@ -23,9 +23,8 @@ class AccessToken(Service):
     request_body_type = 'urlencoded'
     response_body_type = 'json'
 
-    def __init__(self, client_get, client_authn_factory=None, conf=None):
-        Service.__init__(self, client_get,
-                         client_authn_factory=client_authn_factory, conf=conf)
+    def __init__(self, client_get, conf=None):
+        Service.__init__(self, client_get, conf=conf)
         self.pre_construct.append(self.oauth_pre_construct)
 
     def update_service_context(self, resp, key='', **kwargs):

src/idpyoidc/client/oauth2/authorization.py

@@ -28,9 +28,8 @@ class Authorization(Service):
     #     "endpoint": ""
     # })
 
-    def __init__(self, client_get, client_authn_factory=None, conf=None):
-        Service.__init__(self, client_get,
-                         client_authn_factory=client_authn_factory, conf=conf)
+    def __init__(self, client_get, conf=None):
+        Service.__init__(self, client_get, conf=conf)
         self.pre_construct.extend([pre_construct_pick_redirect_uri, set_state_parameter])
         self.post_construct.append(self.store_auth_request)
 

src/idpyoidc/client/oauth2/client_credentials/cc_access_token.py

@@ -16,9 +16,8 @@ class CCAccessToken(Service):
     request_body_type = 'urlencoded'
     response_body_type = 'json'
 
-    def __init__(self, client_get, client_authn_factory=None, conf=None):
-        Service.__init__(self, client_get,
-                         client_authn_factory=client_authn_factory, conf=conf)
+    def __init__(self, client_get, conf=None):
+        Service.__init__(self, client_get, conf=conf)
 
     def update_service_context(self, resp, key='cc', **kwargs):
         if 'expires_in' in resp:

src/idpyoidc/client/oauth2/client_credentials/cc_refresh_access_token.py

@@ -14,9 +14,8 @@ class CCRefreshAccessToken(Service):
     default_authn_method = 'bearer_header'
     http_method = 'POST'
 
-    def __init__(self, client_get, client_authn_factory=None, conf=None):
-        Service.__init__(self, client_get,
-                         client_authn_factory=client_authn_factory, conf=conf)
+    def __init__(self, client_get, conf=None):
+        Service.__init__(self, client_get, conf=conf)
         self.pre_construct.append(self.cc_pre_construct)
         self.post_construct.append(self.cc_post_construct)
 

src/idpyoidc/client/oauth2/provider_info_discovery.py

@@ -21,9 +21,8 @@ class ProviderInfoDiscovery(Service):
     service_name = 'provider_info'
     http_method = 'GET'
 
-    def __init__(self, client_get, client_authn_factory=None, conf=None):
-        Service.__init__(self, client_get,
-                         client_authn_factory=client_authn_factory, conf=conf)
+    def __init__(self, client_get, conf=None):
+        Service.__init__(self, client_get, conf=conf)
 
     def get_endpoint(self):
         """