## User Management
Interaction with EOEPCA endpoint using python Demo Client.

In [1]:
import utils.DemoClient as client
import jwt
import json
import requests
from rauth import OAuth2Service

## Client
We instantiate a client to interact with the platform. The client dynamically registers with the Authorisation Server to take part in UMA (User Managed Access) flows through which authorization is obtained for scoped access resources on behalf of the user.

In [2]:
#-------------------------------------------------------------------------------
# Initialise client
#-------------------------------------------------------------------------------
base_domain = "demo.eoepca.org"
platform_domain = "auth." + base_domain
base_url = "https://" + platform_domain
eric_pep= "http://demo-user-eric-pepapi." + base_domain
eric_pep_auth= "http://demo-user-eric-pep."+ base_domain + "/authorize"
pdp_url= "http://"+platform_domain+"/pdp"
authorize_url = 'https://'+platform_domain+'/oxauth/restv1/authorize'
token_url = 'https://'+platform_domain+'/oxauth/restv1/token'
redirect_uri_for_github = f"https://{platform_domain}/oxauth/auth/passport/img/github.png"
demo = client.DemoClient(base_url)
demo.register_client([redirect_uri_for_github])
demo.save_state()

State loaded from file: {'client_id': 'e6f2cb2b-be25-4953-b23e-9db7a2369a27', 'client_secret': '96c9b288-544e-4154-a231-f3ffd8f0e6f0'}
client_id: e6f2cb2b-be25-4953-b23e-9db7a2369a27 [REUSED]
Client state saved to file: state.json


## User Authentication
User authenticates and the client receives an ID Token (JWT) that represents the user, and is used to identify the user in UMA authorization flows.

### Authenticate

In [3]:
#-------------------------------------------------------------------------------
# Authenticate as Eric (isOperator: True) and get ID Token
#-------------------------------------------------------------------------------
USER_NAME="eric"
USER_PASSWORD="defaultPWD"
operator_id_token = demo.get_id_token(USER_NAME, USER_PASSWORD)
print("operator_id_token:", operator_id_token)

[Request] GET => https://auth.demo.eoepca.org/.well-known/uma2-configuration
<Response [200]>
token_endpoint: https://auth.demo.eoepca.org/oxauth/restv1/token
[Request] POST => https://auth.demo.eoepca.org/oxauth/restv1/token
operator_id_token: eyJraWQiOiIzOWNkNzM5Yy00NzE1LTQ2ODctOGQ4Mi1lMTRkMTVmNDllNDZfc2lnX3JzMjU2IiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOiJlNmYyY2IyYi1iZTI1LTQ5NTMtYjIzZS05ZGI3YTIzNjlhMjciLCJzdWIiOiIwYzM4M2I5My1jMmUzLTQ3ZTktYTdkMC1iZDdlYzQ5ZGE5MzkiLCJ1c2VyX25hbWUiOiJlcmljIiwiaXNzIjoiaHR0cHM6Ly9hdXRoLmRlbW8uZW9lcGNhLm9yZyIsImV4cCI6MTY4NDE4OTg0NSwiaWF0IjoxNjg0MTg2MjQ1LCJveE9wZW5JRENvbm5lY3RWZXJzaW9uIjoib3BlbmlkY29ubmVjdC0xLjAiLCJpc09wZXJhdG9yIjp0cnVlfQ.kjPN-4o2CPwqhaw5pX3ZSlsqaqknqLA9MjiXM_-IEHBd-gXf7T4vrNKHUjZIZeIggPUr1m9pJ4hpnD92KuMJhB2lqEHz0LD_4yGqT0Y-Vfw9AA6tYIT8ESwRMQP7lOlhOCFDBQqzLbGDHdLQxZOy39MVJuAg3mBxusjSGBEHO8zaBOrXGAeQg8ayEypTMYxU0iqNmeLurEh4-xwHlAWbE5sz4f3n_oCerWKvjhjLLkFlo3r47N00zMJDbpLphoM4zFHpr6wySy4w4gQG6cTbJIlWuNm5BxzoQjJsmvEj6_6nm2x6nkZLaW5I4X5ko

### Inspect the ID Token

In [4]:
# Inspect ID Token
jwt_header = jwt.get_unverified_header(operator_id_token)
jwt_payload = jwt.decode(operator_id_token, options={"verify_signature": False})
print("JWT Header:", json.dumps(jwt_header, indent = 2), "\n---\nJWT Payload:", json.dumps(jwt_payload, indent = 2))
operator_UID= jwt_payload["sub"]

JWT Header: {
  "kid": "39cd739c-4715-4687-8d82-e14d15f49e46_sig_rs256",
  "typ": "JWT",
  "alg": "RS256"
} 
---
JWT Payload: {
  "aud": "e6f2cb2b-be25-4953-b23e-9db7a2369a27",
  "sub": "0c383b93-c2e3-47e9-a7d0-bd7ec49da939",
  "user_name": "eric",
  "iss": "https://auth.demo.eoepca.org",
  "exp": 1684189845,
  "iat": 1684186245,
  "oxOpenIDConnectVersion": "openidconnect-1.0",
  "isOperator": true
}


The ID Token (JWT) identifies the user via user_name / sub (Subject) fields, and the client via the aud (Audience) field. The JWT is signed and can be verified, using the kid (Key ID) field, via the JWKS endpoint of the Authorization Server.

## External ID Provider Login

The current External IdPs are GitHub and COIH, this test will apply the authorization code flow of OAuth2, where a first request to the authorization endpoint of the Login Service will return a code once the external user is authenticated. Afterwards the redirection will prompt a GitHub logo Image but in the url we can extract the code,that will be used to retrieve an access token. Copy the URL and proceed to next step

In [5]:
#--------------------------
#LINK TO SOCIAL PASSPORT
#--------------------------
client_id, client_secret = demo.get_client_credentials()

scope = ['openid', 'email', 'user_name', 'is_operator']
service = OAuth2Service(name="foo", client_id=client_id, client_secret=client_secret, access_token_url=token_url, authorize_url=authorize_url, base_url=base_url)
params = {'scope': scope,'response_type': 'code','redirect_uri': redirect_uri_for_github,'acr_values': 'passport_social'}

url = service.get_authorize_url(**params)
print("Link to Social Passport Login: ")
print(url)

Link to Social Passport Login: 
https://auth.demo.eoepca.org/oxauth/restv1/authorize?scope=%5B%27openid%27%2C+%27email%27%2C+%27user_name%27%2C+%27is_operator%27%5D&response_type=code&redirect_uri=https%3A%2F%2Fauth.demo.eoepca.org%2Foxauth%2Fauth%2Fpassport%2Fimg%2Fgithub.png&acr_values=passport_social&client_id=e6f2cb2b-be25-4953-b23e-9db7a2369a27


Here you will have to copy/paste the redirection once logged in to retrieve code and continue with the flow. An access token should result as output

In [6]:
#--------------------------
#TOKEN RETRIEVAL
#--------------------------
code_url = input('Please paste redirect URL: ').strip()
code = code_url.split('code=')[1].split('&')[0]
data = {'client_id': client_id, 'client_secret': client_secret, 'code': code, 'grant_type': 'authorization_code', 'redirect_uri': redirect_uri_for_github}
response = requests.post(token_url, data=data)
print(response.text)

IndexError: list index out of range

## Access Protected Endpoint
We perform an example access to an ADES resource.
The ADES is protected by a PEP (Policy Enforcement Point). When accessing the protected endpoint the client follows a UMA (User Managed Access) flow to obtain authorized access on behalf of the user. The UMA flow utilises the ID Token to obtain a 'ticket' which can then be exchanged by the client for an access token (RPT - Relying Party Token) that acts as a short-lived (e.g. 5 mins) credential for the specific access by a specific client, to a specific resource, on behalf of a specific user.
The use case will perform an update to the policy associated to the resource in order to allow access to a non operator user, external to the resource.

### Resource Insertion
The authenticated user must be an operator to realize this operation.
A call to the PEP resource API is done in order to include a new resource for the demo into the database. This resource has protected scope so only the operator user is able to access it.
If that resource already exists a 422 response will be returned.

In [None]:
#--------------------------
#INSERT RESOURCE
#--------------------------
uri= "/demo/testResource"
data = '{"icon_uri":"'+uri+'","name":"DemoResource","scopes":["protected_access"]}'
headers = {'Content-Type': 'application/json, Authorization: Bearer '+ operator_id_token}
response = requests.post(eric_pep+'/resources', headers=headers, data=data, verify=False)
print("Resource Insertion with code: " + str(response))

#--------------------------
#RESOURCE PUBLIC VISUALIZATION-->Query the resource endpoint to check if the resource is inserted
#--------------------------
operation_headers = { 'content-type': "application/x-www-form-urlencoded", "cache-control": "no-cache", "Authorization": "Bearer "+operator_id_token}
res = requests.get(eric_pep +"/resources"+"?path="+uri, headers=headers, verify=False)
k=res.json()
print("Resource found in database: " + str(k))

### Operator successful access to resource
The operator will perform the UMA Flow to prove a successful access to the resource created.

In [None]:
#--------------------------
#GET TICKET-->Naive request to resource with no authorization, ticket returned
#--------------------------
rpt=None
print("ADES API Processes endpoint:", eric_pep_auth)
ticket_headers_oper = { 'content-type': "application/json", "cache-control": "no-cache", "Authorization": "Bearer " + operator_id_token, "X-Original-Uri": uri }
tkt = requests.get(eric_pep_auth, headers=ticket_headers_oper, verify=False)
ticket = tkt.headers["WWW-Authenticate"].split("ticket=")[1]
print("401 Unauthorized, ticket returned: "+ticket)

#--------------------------
#GET RPT-->Request RPT token from UMA endpoints giving a ticket and the user id_token
#--------------------------
data = "claim_token_format=http://openid.net/specs/openid-connect-core-1_0.html#IDToken&claim_token="+operator_id_token+"&ticket="+ticket+"&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&client_id="+client_id+"&client_secret="+client_secret+"&scope=openid"
rpt_headers= { 'Content-Type': 'application/x-www-form-urlencoded', 'cache-control': 'no-cache' }
rpts_response = requests.post(token_url, data=data, headers=rpt_headers, verify = False)
rpt = rpts_response.json()["access_token"]
print("The UMA returns: " + str(rpts_response) + " with a RPT UMA Token: " + str(rpt))

#--------------------------
#ACCESS TO RESOURCE-->The access_token is returned and the request to the resource is retried with approved credentials
#--------------------------
headers = { 'content-type': "application/json", "cache-control": "no-cache", "Authorization": "Bearer "+rpt, "X-Original-Uri": uri}
resource_access = requests.get(eric_pep_auth, headers=headers, verify=False)
print("Retrying access to resource with proper token: "+ str(resource_access))

### Non Operator denied access to resource
The Alice user (not an operator) will perform the UMA Flow to prove an unsuccessful attempt to resource access.
The Login Service will call the PDP to check if the policy associated to the resource allows access to Alice. Once the PDP checks the resource is not accessible by Alice, the RPT request will respond with a 403 Forbidden by Policy

In [None]:
#--------------------------
#USER AUTH
#--------------------------
USER_NAME="alice"
USER_PASSWORD="defaultPWD"
alice_id_token = demo.get_id_token(USER_NAME, USER_PASSWORD)
alice_UID =jwt.decode(alice_id_token, options={"verify_signature": False})["sub"]

#--------------------------
#GET TICKET--> 401
#--------------------------
ticket_headers_alice = { 'content-type': "application/json", "cache-control": "no-cache", "Authorization": "Bearer "+alice_id_token, "X-Original-Uri": uri}
tkt = requests.get(eric_pep_auth, headers=ticket_headers_alice, verify=False)
ticket = tkt.headers["WWW-Authenticate"].split("ticket=")[1]
print("401 Unauthorized, ticket returned: " + str(ticket))
#--------------------------
#GET RPT--> 403
#--------------------------
data = "claim_token_format=http://openid.net/specs/openid-connect-core-1_0.html#IDToken&claim_token="+alice_id_token+"&ticket="+ticket+"&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&client_id="+client_id+"&client_secret="+client_secret+"&scope=openid"
rpts_response = requests.post(token_url, data=data, headers=rpt_headers, verify = False)
print("Forbidden for non operator user: " + str(rpts_response))

### Update Policy
The operator user who is the resource owner will perform a call to the PDP to update the policy associated to that resource to include access to Alice

In [None]:
#--------------------------
#UPDATE POLICY--> 200
#--------------------------
data={'name':'Updated Policy for Demo Resource','description':'Policy modified for demo purpose','config':{'resource_id':k["_id"] ,'action':'get','rules':[{'OR':[{'EQUAL':{'id':operator_UID}},{'EQUAL':{'id':alice_UID}}]}]},'scopes':['protected_access']}
resp, text = demo.update_policy(pdp_url, data, k["_id"], operator_id_token)
print(resp)

### Non Operator successful access to resource
With the new policy the user Alice will perform the same request to the resource but now with granted access.

In [None]:
#--------------------------
#GET TICKET--> 401
#--------------------------
tkt = requests.get(eric_pep_auth, headers=ticket_headers_alice, verify=False)
ticket = tkt.headers["WWW-Authenticate"].split("ticket=")[1]
print("401 Unauthorized, ticket returned: "+ticket)
#--------------------------
#GET RPT--> 200
#--------------------------
data = "claim_token_format=http://openid.net/specs/openid-connect-core-1_0.html#IDToken&claim_token="+alice_id_token+"&ticket="+ticket+"&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&client_id="+client_id+"&client_secret="+client_secret+"&scope=openid"
rpts_response = requests.post(token_url, data=data, headers=rpt_headers, verify = False)
rpt = rpts_response.json()["access_token"]
print("The UMA returns: " + str(rpts_response) + " with a RPT UMA Token" + str(rpt))
#--------------------------
#ACCESS TO RESOURCE--> 200
#--------------------------
headers = { 'content-type': "application/json", "cache-control": "no-cache", "Authorization": "Bearer "+rpt, "X-Original-Uri": uri}
tkt = requests.get(eric_pep_auth, headers=headers, verify=False)
print("Retrying access to resource with proper token: "+ str(tkt))

## Open Resources
Resources with open scope should be accessible to anyone. This test will add an open resource and then attempt to access it without using any type of authorization.

### Add open resource
The operator user will perform a call to the PDP to add an open resource.

In [None]:
#--------------------------
# INSERT OPEN RESOURCE
#--------------------------
#uri = "https://dummy-service.develop.eoepca.org/openResource"
#data = '{"icon_uri":"' + uri + '","name":"DemoOpenResource","scopes":["open"]}'
#headers = {'Content-Type': 'application/json, Authorization: Bearer '+ operator_id_token}
#response = requests.post(eric_pep + '/resources', headers=headers, data=data, verify=False)
#print("Open resource inserted with code: " + str(response))

 ### Access an open resource
 We attempt to access the open resource, which should be retrieved without any type of authentication.

In [None]:
#--------------------------
# ACCESS TO OPEN RESOURCE --> The requested resource is retrieved without requiring credentials
#--------------------------
#headers = { 'content-type': "application/json", "cache-control": "no-cache", "X-Original-Uri": uri}
#resource_access = requests.get(eric_pep_auth, headers=headers, verify=False)
#print("Open resources: " + str(resource_access))