New oidc fixes #176
New oidc fixes #176
Conversation
| signing_key = RSAKey(key=rsa_load(oidc_multi_value_frontend_config["config"]["signing_key_path"]), | ||
| use="sig", alg="RS256") | ||
| id_token_claims = JWS().verify_compact(resp_dict["id_token"], keys=[signing_key]) | ||
| assert all((k, v) in {ck:cv if isinstance(cv,list) else [cv] for ck, cv in id_token_claims.items()}.items() for k, v in USERS[user_id].items()) |
There was a problem hiding this comment.
This is a bit complex. I'm adding whitespace to make it readable
assert all(
(k, v) in {
ck: cv if isinstance(cv, list) else [cv]
for ck, cv in id_token_claims.items()
}.items()
for k, v in USERS[user_id].items())What you're trying to do is figuring out if all items from USERS match an item in id_token_claims after a transformation. This means that USERS is a subset of (the transformed) id_token_claims.
claims_dict = {
ck: cv if isinstance(cv, list) else [cv]
for ck, cv in id_token_claims.items()
}
claims_set = set(claims_dict.items())
users_set = set(USERS[user_id].items())
assert users_set.issubset(claims_set)I think, though, that what you're really after is equality of the dicts.
claims_dict = {
ck: cv if isinstance(cv, list) else [cv]
for ck, cv in id_token_claims.items()
}
assert claims_dict == USERS[user_id]
|
I see a lot of good comments and suggestions, most of which because you're a better python hacker. What's your idea about moving forward? Our tree is way out of sync, so making a new PR would require substantial effort while the gist of the fixes is clear (imo)? |
c00kiemon5ter
force-pushed
the
new-oidc-fixes
branch
2 times, most recently
from
795b967
to
613bde0
Compare
| @@ -256,7 +256,13 @@ def _get_approved_attributes(self, provider_supported_claims, authn_req): | |||
| if "claims" in authn_req: | |||
| for k in ["id_token", "userinfo"]: | |||
| if k in authn_req["claims"]: | |||
| requested_claims.extend(authn_req["claims"][k].keys()) | |||
There was a problem hiding this comment.
@mrvanes I'm going through this PR, but I'm not sure how this is useful. This is some test data* for authn_req["claims"]:
authn_req["claims"] = {
"id_token": {
"foo": "bar",
"mail": {
"essential": True
}
},
"userinfo": {
"acr": {
"essential": True,
"values": [
"urn:mace:incommon:iap:silver",
"urn:mace:incommon:iap:bronze"
]
}
}
}Coming out of the process, the result is:
> print(requested_claims)
['sub', 'foo', 'email.essential', 'acr.essential', 'acr.values']Do we really want email.essential or acr.values? How is it more correct than before?
*link to the relevant section in the spec
c00kiemon5ter
force-pushed
the
new-oidc-fixes
branch
from
a1f64e6
to
f590928
Compare
As requested on the idpy meeting, I hereby created a new pr containing separate commits for each sub-fix, a config option for oidc multi_value and an accompanying test for oidc multi_value. I hope it lives up to your expectations. There is also a whitespace fix, because my editor is set to remove trailing whitespace stuff.