Partial rework of claims and get_metadata

Author: rohe

src/idpyoidc/__init__.py

@@ -1,5 +1,5 @@
 __author__ = "Roland Hedberg"
-__version__ = "4.4.0"
+__version__ = "5.0.0"
 
 VERIFIED_CLAIM_PREFIX = "__verified"
 

src/idpyoidc/alg_info.py

@@ -0,0 +1,66 @@
+from functools import cmp_to_key
+import logging
+
+from cryptojwt.jwe import SUPPORTED
+from cryptojwt.jws.jws import SIGNER_ALGS
+
+logger = logging.getLogger(__name__)
+
+SIGNING_ALGORITHM_SORT_ORDER = ["RS", "ES", "PS", "HS", "Ed"]
+
+
+def cmp(a, b):
+    return (a > b) - (a < b)
+
+
+def alg_cmp(a, b):
+    if a == "none":
+        return 1
+    elif b == "none":
+        return -1
+
+    _pos1 = SIGNING_ALGORITHM_SORT_ORDER.index(a[0:2])
+    _pos2 = SIGNING_ALGORITHM_SORT_ORDER.index(b[0:2])
+    if _pos1 == _pos2:
+        return (a > b) - (a < b)
+    elif _pos1 > _pos2:
+        return 1
+    else:
+        return -1
+
+
+def get_signing_algs():
+    # Assumes Cryptojwt
+    _algs = [name for name in list(SIGNER_ALGS.keys()) if name != "none"]
+    return sorted(_algs, key=cmp_to_key(alg_cmp))
+
+
+def get_encryption_algs():
+    return SUPPORTED["alg"]
+
+
+def get_encryption_encs():
+    return SUPPORTED["enc"]
+
+
+def array_or_singleton(claim_spec, values):
+    if isinstance(claim_spec[0], list):
+        if isinstance(values, list):
+            return values
+        else:
+            return [values]
+    else:
+        if isinstance(values, list):
+            return values[0]
+        else:  # singleton
+            return values
+
+
+def is_subset(a, b):
+    if isinstance(a, list):
+        if isinstance(b, list):
+            return set(b).issubset(set(a))
+    elif isinstance(b, list):
+        return a in b
+    else:
+        return a == b

src/idpyoidc/claims.py

@@ -1,5 +1,6 @@
 import logging
 from typing import Callable
+from typing import List
 from typing import Optional
 
 from cryptojwt import KeyJar
@@ -8,11 +9,14 @@
 
 from idpyoidc.client.util import get_uri
 from idpyoidc.impexp import ImpExp
+from idpyoidc.message import Message
+from idpyoidc.transform import preferred_to_registered
 from idpyoidc.util import add_path
 from idpyoidc.util import qualified_name
 
 logger = logging.getLogger(__name__)
 
+
 def claims_dump(info, exclude_attributes):
     return {qualified_name(info.__class__): info.dump(exclude_attributes=exclude_attributes)}
 
@@ -124,7 +128,7 @@ def _keyjar(self, keyjar=None, conf=None, entity_id=""):
 
         return keyjar, _uri_path
 
-    def get_base_url(self, configuration: dict, entity_id: Optional[str]=""):
+    def get_base_url(self, configuration: dict, entity_id: Optional[str] = ""):
         raise NotImplementedError()
 
     def get_id(self, configuration: dict):
@@ -183,6 +187,10 @@ def load_conf(
             elif val:
                 self.set_preference(key, val)
 
+        for attr,val in supports.items():
+            if attr not in self.prefer and val is not None:
+                self.set_preference(attr,val)
+
         self.verify_rules(supports)
         return keyjar
 
@@ -222,3 +230,53 @@ def get_claim(self, key, default=None):
             return default
         else:
             return _val
+
+    def get_endpoint_claims(self, endpoints):
+        _info = {}
+        for endp in endpoints:
+            if endp.endpoint_name:
+                _info[endp.endpoint_name] = endp.full_path
+                for arg, claim in [("client_authn_method", "auth_methods"),
+                                   ("auth_signing_alg_values", "auth_signing_alg_values")]:
+                    _val = getattr(endp, arg, None)
+                    if _val:
+                        # trust_mark_status_endpoint_auth_methods_supported
+                        md_param = f"{endp.endpoint_name}_{claim}"
+                        _info[md_param] = _val
+        return _info
+
+    def get_metadata(self,
+                     entity_type: Optional[str] = "",
+                     endpoints: Optional[list] = None,
+                     metadata_schema: Optional[Message] = None,
+                     extra_claims: Optional[List[str]] = None,
+                     supported: Optional[dict] = None,
+                     **kwargs):
+
+        if supported is None:
+            supported = self.supports()
+
+        if not self.use:
+            self.use = preferred_to_registered(self.prefer, supported=supported)
+
+        metadata = self.use
+        # the claims that can appear in the metadata
+        if metadata_schema:
+            attr = list(metadata_schema.c_param.keys())
+        else:
+            attr = []
+
+        if extra_claims:
+            attr.extend(extra_claims)
+
+        if attr:
+            metadata = {k: v for k, v in metadata.items() if k in attr}
+
+        # collect endpoints
+        if endpoints:
+            metadata.update(self.get_endpoint_claims(endpoints))
+
+        if entity_type:
+            return {entity_type: metadata}
+        else:
+            return metadata

src/idpyoidc/client/claims/__init__.py

@@ -58,7 +58,7 @@ def get_jwks(self, keyjar):
             if (
                 len(_own_keys) == 1
                 and isinstance(_own_keys[0], SYMKey)
-                and self.prefer["client_secret"]
+                and self.prefer.get("client_secret", None)
             ):
                 pass
             else:

src/idpyoidc/client/claims/oauth2.py

@@ -1,7 +1,7 @@
 from typing import Optional
 
 from idpyoidc.client import claims
-from idpyoidc.client.claims.transform import create_registration_request
+from idpyoidc.transform import create_registration_request
 
 REGISTER2PREFERRED = {
     "scope": "scopes_supported",
@@ -26,7 +26,9 @@ class Claims(claims.Claims):
         "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
         "token_endpoint_auth_methods_supported": ["none", "client_secret_post", "client_secret_basic"],
         # "token_auth_signing_algs_supported": metadata.get_signing_algs(),
+        "client_id": None,
         "client_name": None,
+        "client_secret": None,
         "client_uri": None,
         "logo_uri": None,
         "scope": None,

src/idpyoidc/client/claims/oauth2resource.py

@@ -2,7 +2,7 @@
 
 from idpyoidc.client import claims
 from idpyoidc.message.oauth2 import OAuthProtectedResourceRequest
-from idpyoidc.client.claims.transform import array_or_singleton
+from idpyoidc.transform import array_or_singleton
 
 class Claims(claims.Claims):
     _supports = {

src/idpyoidc/client/claims/oidc.py

@@ -2,9 +2,9 @@
 import os
 from typing import Optional
 
-from idpyoidc import metadata
+from idpyoidc import alg_info
 from idpyoidc.client import claims as client_claims
-from idpyoidc.client.claims.transform import create_registration_request
+from idpyoidc.transform import create_registration_request
 from idpyoidc.message.oidc import RegistrationRequest
 from idpyoidc.message.oidc import RegistrationResponse
 
@@ -76,9 +76,9 @@ class Claims(client_claims.Claims):
         "encrypt_id_token_supported": None,
         # "grant_types_supported": ["authorization_code", "refresh_token"],
         "logo_uri": None,
-        "id_token_signing_alg_values_supported": metadata.get_signing_algs(),
-        "id_token_encryption_alg_values_supported": metadata.get_encryption_algs(),
-        "id_token_encryption_enc_values_supported": metadata.get_encryption_encs(),
+        "id_token_signing_alg_values_supported": alg_info.get_signing_algs(),
+        "id_token_encryption_alg_values_supported": alg_info.get_encryption_algs(),
+        "id_token_encryption_enc_values_supported": alg_info.get_encryption_encs(),
         "initiate_login_uri": None,
         "jwks": None,
         "jwks_uri": None,

src/idpyoidc/client/oauth2/access_token.py

@@ -7,7 +7,7 @@
 from idpyoidc.client.service import Service
 from idpyoidc.message import oauth2
 from idpyoidc.message.oauth2 import ResponseMessage
-from idpyoidc.metadata import get_signing_algs
+from idpyoidc.alg_info import get_signing_algs
 from idpyoidc.time_util import time_sans_frac
 
 LOGGER = logging.getLogger(__name__)

src/idpyoidc/client/oauth2/add_on/dpop.py

@@ -16,7 +16,7 @@
 from idpyoidc.message import SINGLE_REQUIRED_INT
 from idpyoidc.message import SINGLE_REQUIRED_JSON
 from idpyoidc.message import SINGLE_REQUIRED_STRING
-from idpyoidc.metadata import get_signing_algs
+from idpyoidc.alg_info import get_signing_algs
 from idpyoidc.time_util import utc_time_sans_frac
 
 logger = logging.getLogger(__name__)

src/idpyoidc/client/oauth2/add_on/jar.py

@@ -1,7 +1,7 @@
 import logging
 from typing import Optional
 
-from idpyoidc import metadata
+from idpyoidc import alg_info
 from idpyoidc.client.request_object import construct_request_parameter
 from idpyoidc.client.request_object import construct_request_uri
 
@@ -117,8 +117,8 @@ def add_support(
                 args["request_dir"] = request_dir
 
         if request_object_encryption_enc and request_object_encryption_alg:
-            if request_object_encryption_enc in metadata.get_encryption_encs():
-                if request_object_encryption_alg in metadata.get_encryption_algs():
+            if request_object_encryption_enc in alg_info.get_encryption_encs():
+                if request_object_encryption_alg in alg_info.get_encryption_algs():
                     args["request_object_encryption_enc"] = request_object_encryption_enc
                     args["request_object_encryption_alg"] = request_object_encryption_alg
                 else: