Including oidcendpoint in oidc-op with alignements to master branch

README.md

@@ -118,21 +118,10 @@ git clone https://github.com/rohe/oidc-op.git
 ````
 
 ##### Configure a Django OP
-````
-cd oidc-op/django-oidc-op
-pip install -r requirements.txt
-
-cd example
-pip install -r requirements.txt
-
-./manage.py migrate
-./manage.py createsuperuser
-./manage.py collectstatic
 
-gunicorn example.wsgi -b0.0.0.0:8000 --keyfile=./data/oidc_op/certs/key.pem --certfile=./data/oidc_op/certs/cert.pem --reload
+See
 
-
-````
+https://github.com/peppelinux/django-oidc-op
 
 ##### Configure a Flask OP
 

example/django_op/README.md

@@ -1,49 +1,39 @@
 # django-oidc-op
-A Django implementation of an **OIDC Provider** built top of [jwtconnect libraries](https://jwtconnect.io/).
-If you are just going to build a standard OIDC Provider you only have to write the configuration file.
+A Django implementation of an **OIDC Provider** on top of [jwtconnect.io](https://jwtconnect.io/).
+To configure a standard OIDC Provider you have to edit the oidcop configuration file.
+See `example/example/oidc_op.conf.yaml` to get in.
 
 This project is based on [Roland Hedberg's oidc-op](https://github.com/rohe/oidc-op).
+Oidcendpoint supports the following standards and drafts:
 
-## Status
-_Work in Progress_
-
-Please wait for the first release tag before considering it ready to use.
-Before adopting this project in a production use you should consider if the following endpoint should be enabled:
-
-- [Web Finger](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery)
-- [dynamic discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)
-- [dynamic client registration](https://openid.net/specs/openid-connect-registration-1_0.html)
-
-**TODO**: _document how to disable them and how to register RP via django admin backend._
-
-#### Endpoints
+- [OpenID Connect Core 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-core-1_0.html)
+- [OpenID Connect Discovery 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-discovery-1_0.html)
+- [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-registration-1_0.html)
+- [OpenID Connect Session Management 1.0](https://openid.net/specs/openid-connect-session-1_0.html)
+- [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html)
+- [OAuth2 Token introspection](https://tools.ietf.org/html/rfc7662)
 
-Available resources are:
+It also supports the followings `add_ons` modules.
 
-- webfinger
-  - /.well-known/webfinger [to be tested]
+- Custom scopes, that extends [OIDC standard ScopeClaims](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
+- PKCE, [Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
 
-- provider_info
-  - /.well-known/openid-configuration
-
-- registration
-  - /registration
-
-- authorization
-  - /authorization
-  - authentication, which type decide to support, default: login form.
+## Status
 
-- token
-  - access/authorization token
+The development status of this project is *experimental*, something goes wrong following latest oidcendpoint releases.
+A roadmap for a stable release is still in progress.
 
-- refresh_token
 
-- userinfo
-  - /userinfo
+Works:
 
-- end_session
-  - logout
+- Relying-Parties Admin UI completed, unit tests included (works v1.0.1)
+- Session and SSO management completed (works v1.0.1)
+- Logout session handler
 
+Work in progress:
+- KeyJAR and default storage (issuer, keybundles) (TODO with a full storage handler integration)
+- Cookie handling, at this time we do not use cookies (disabled in configuration)
+- Custom scopes
 
 ## Run the example demo
 
@@ -59,26 +49,37 @@ pip install -r requirements.txt
 ./manage.py createsuperuser
 ./manage.py collectstatic
 
-gunicorn example.wsgi -b0.0.0.0:8000 --keyfile=./data/oidc_op/certs/key.pem --certfile=./data/oidc_op/certs/cert.pem --reload
+## debug server
+gunicorn example.wsgi -b0.0.0.0:8000 --keyfile=./data/oidc_op/certs/key.pem --certfile=./data/oidc_op/certs/cert.pem --reload --timeout 3600 --capture-output --enable-stdio-inheritance
 ````
 
-You can use [JWTConnect-Python-OidcRP](https://github.com/openid/JWTConnect-Python-OidcRP) as an example RP as follows:
+You can use [JWTConnect-Python-OidcRP](https://github.com/openid/JWTConnect-Python-OidcRP) as follow:
+```
+cd JWTConnect-Python-OidcRP
+RP_LOGFILE_NAME="./flrp.django.log" python3 -m flask_rp.wsgi ../django-oidc-op/example/data/oidc_rp/conf.django.yaml
+```
 
-`RP_LOGFILE_NAME="./flrp.django.log" python3 -m flask_rp.wsgi ../django-oidc-op/example/data/oidc_rp/conf.django.yaml`
+You can also use a scripted RP handler on top of oidc-rp
+````
+python3 snippets/rp_handler.py -c example/data/oidc_rp/conf.django.yaml -u myuser -p mypass -iss django_oidc_op
+````
 
 
 ## Configure OIDC endpoint
 
 #### Django settings.py parameters
 
+`OIDCENDPOINT_CONFIG`: The path containing the oidc-op configuration file.
 `OIDC_OP_AUTHN_SALT_SIZE`: Salt size in byte, default: 4 (Integer).
 
-#### Signatures
-These following files needed to be present in `data/oidc_op/private`.
+#### JWKs
+These following files needed to be present in `data/oidc_op/private` otherwise they will be created on the first time automatically.
 
 1. session.json (JWK symmetric);
-2. cookie_sign_jwk.json (JWK symmetric);
-3. cookie_enc_jwk.json (JWK symmetric), optional, see `conf.yaml`.
+
+These are not used anymore, disabled in op conf.yaml:
+1. cookie_sign_jwk.json (JWK symmetric);
+2. cookie_enc_jwk.json (JWK symmetric), optional, see `conf.yaml`.
 
 To create them by hands comment out `'read_only': False'` in `conf.yaml`,
 otherwise they will be created automatically on each run.
@@ -88,30 +89,19 @@ A JWK creation example would be:
 jwkgen --kty SYM > data/oidc_op/private/cookie_enc_jwk.json
 ````
 
-## General description
-
-The example included in this project enables dynamic registration of RPs (you can even disable it).
-Using an example RP like [JWTConnect-Python-OidcRP](https://github.com/openid/JWTConnect-Python-OidcRP)
-and configuring in `CLIENTS` section to use django-oidc-op (see `example/data/oidc_rp/conf.django.yaml`),
-we'll see the following flow happens:
+## Django specific implementation
 
-1. /.well-known/openid-configuration
-   RP get the Provider configuration, what declared in the configuration at `op.server_info`;
-2. /registration
-   RP registers in the Provider if `dynamic client registration` is enabled (default true)
-3. /authorization
-   RP mades OIDC authorization
-4. RP going to be redirected to login form page (see authn_methods.py)
-5. user-agent posts form (user credentials) to `/verify/user_pass_django`
-6. verify_user in django, on top of oidcendpoint_app.endpoint_context.authn_broker
-7. RP request for an access token -> the response of the previous authentication is a HttpRedirect to op's /token resource
-8. RP get the redirection to OP's USERINFO endpoint, using the access token got before
+This project rely interely on behaviour and features provided by oidcendpoint, to get an exaustive integration in Django it
+adopt the following customizations.
 
+#### DataStore management
+Oidcendpoint have some data persistence:
+You can use oidcendpoint's standard `oidcmsg.storage.abfile.AbstractFileSystem` or Django models (Work in Progress).
 
-## UserInfo endpoint
+#### UserInfo endpoint
 
 Claims to be released are configured in `op.server_info.user_info` (in `conf.yaml`).
-All the attributes release and user authentication mechanism rely on classes implemented in `oidc_op.users.py`.
+The attributes release and user authentication mechanism rely on classes implemented in `oidc_op.users.py`.
 
 Configuration Example:
 
@@ -128,13 +118,33 @@ Configuration Example:
             verified_email: email
 ````
 
-**TODO**: Do a RP configuration UI for custom claims release for every client.
+#### Relying-Party search panel
+
+See `oidc_op.models` and `oidc_op.admin`, an UI was built to configure new RP via Django admin backend.
+![Alt text](images/rp_search.png)
 
+#### Relying-Party Registration
+![Alt text](images/rp.png)
+
+#### Session management and token preview
+![Alt text](images/oidc_session2.png)
 
 ## OIDC endpoint url prefix
 Can be configured in `urls.py` and also in oidc_op `conf.yaml`.
 
 - /oidc/endpoint/<provider_name>
 
 
+## Running tests
 
+running tests
+````
+./manage.py test --pdb  oidc_op.tests.01_client_db
+````
+
+## code coverage
+````
+coverage erase
+coverage run manage.py test
+coverage report
+````

example/django_op/example/.coveragerc

@@ -0,0 +1,9 @@
+[run]
+source = .
+
+[report]
+fail_under = 100
+show_missing = True
+skip_covered = True
+
+

example/django_op/example/accounts/__init__.py

@@ -0,0 +1,2 @@
+default_app_config = 'accounts.apps.AccountsConfig'
+

example/django_op/example/unical_accounts/apps.py → example/django_op/example/accounts/apps.py

@@ -1,6 +1,6 @@
 from django.apps import AppConfig
 
 
-class Unical_AccountsConfig(AppConfig):
-    name = 'unical_accounts'
+class AccountsConfig(AppConfig):
+    name = 'accounts'
     verbose_name = "Autenticazione e Autorizzazione Utenti"

example/django_op/example/accounts/migrations/0002_auto_20191202_1526.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.0 on 2019-12-02 15:26
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='user',
+            name='place_of_birth',
+            field=models.CharField(blank=True, choices=[('Aruba', 'Aruba'), ('Afghanistan', 'Afghanistan'), ('Angola', 'Angola'), ('Anguilla', 'Anguilla'), ('Åland Islands', 'Åland Islands'), ('Albania', 'Albania'), ('Andorra', 'Andorra'), ('United Arab Emirates', 'United Arab Emirates'), ('Argentina', 'Argentina'), ('Armenia', 'Armenia'), ('American Samoa', 'American Samoa'), ('Antarctica', 'Antarctica'), ('French Southern Territories', 'French Southern Territories'), ('Antigua and Barbuda', 'Antigua and Barbuda'), ('Australia', 'Australia'), ('Austria', 'Austria'), ('Azerbaijan', 'Azerbaijan'), ('Burundi', 'Burundi'), ('Belgium', 'Belgium'), ('Benin', 'Benin'), ('Bonaire, Sint Eustatius and Saba', 'Bonaire, Sint Eustatius and Saba'), ('Burkina Faso', 'Burkina Faso'), ('Bangladesh', 'Bangladesh'), ('Bulgaria', 'Bulgaria'), ('Bahrain', 'Bahrain'), ('Bahamas', 'Bahamas'), ('Bosnia and Herzegovina', 'Bosnia and Herzegovina'), ('Saint Barthélemy', 'Saint Barthélemy'), ('Belarus', 'Belarus'), ('Belize', 'Belize'), ('Bermuda', 'Bermuda'), ('Bolivia, Plurinational State of', 'Bolivia, Plurinational State of'), ('Brazil', 'Brazil'), ('Barbados', 'Barbados'), ('Brunei Darussalam', 'Brunei Darussalam'), ('Bhutan', 'Bhutan'), ('Bouvet Island', 'Bouvet Island'), ('Botswana', 'Botswana'), ('Central African Republic', 'Central African Republic'), ('Canada', 'Canada'), ('Cocos (Keeling) Islands', 'Cocos (Keeling) Islands'), ('Switzerland', 'Switzerland'), ('Chile', 'Chile'), ('China', 'China'), ("Côte d'Ivoire", "Côte d'Ivoire"), ('Cameroon', 'Cameroon'), ('Congo, The Democratic Republic of the', 'Congo, The Democratic Republic of the'), ('Congo', 'Congo'), ('Cook Islands', 'Cook Islands'), ('Colombia', 'Colombia'), ('Comoros', 'Comoros'), ('Cabo Verde', 'Cabo Verde'), ('Costa Rica', 'Costa Rica'), ('Cuba', 'Cuba'), ('Curaçao', 'Curaçao'), ('Christmas Island', 'Christmas Island'), ('Cayman Islands', 'Cayman Islands'), ('Cyprus', 'Cyprus'), ('Czechia', 'Czechia'), ('Germany', 'Germany'), ('Djibouti', 'Djibouti'), ('Dominica', 'Dominica'), ('Denmark', 'Denmark'), ('Dominican Republic', 'Dominican Republic'), ('Algeria', 'Algeria'), ('Ecuador', 'Ecuador'), ('Egypt', 'Egypt'), ('Eritrea', 'Eritrea'), ('Western Sahara', 'Western Sahara'), ('Spain', 'Spain'), ('Estonia', 'Estonia'), ('Ethiopia', 'Ethiopia'), ('Finland', 'Finland'), ('Fiji', 'Fiji'), ('Falkland Islands (Malvinas)', 'Falkland Islands (Malvinas)'), ('France', 'France'), ('Faroe Islands', 'Faroe Islands'), ('Micronesia, Federated States of', 'Micronesia, Federated States of'), ('Gabon', 'Gabon'), ('United Kingdom', 'United Kingdom'), ('Georgia', 'Georgia'), ('Guernsey', 'Guernsey'), ('Ghana', 'Ghana'), ('Gibraltar', 'Gibraltar'), ('Guinea', 'Guinea'), ('Guadeloupe', 'Guadeloupe'), ('Gambia', 'Gambia'), ('Guinea-Bissau', 'Guinea-Bissau'), ('Equatorial Guinea', 'Equatorial Guinea'), ('Greece', 'Greece'), ('Grenada', 'Grenada'), ('Greenland', 'Greenland'), ('Guatemala', 'Guatemala'), ('French Guiana', 'French Guiana'), ('Guam', 'Guam'), ('Guyana', 'Guyana'), ('Hong Kong', 'Hong Kong'), ('Heard Island and McDonald Islands', 'Heard Island and McDonald Islands'), ('Honduras', 'Honduras'), ('Croatia', 'Croatia'), ('Haiti', 'Haiti'), ('Hungary', 'Hungary'), ('Indonesia', 'Indonesia'), ('Isle of Man', 'Isle of Man'), ('India', 'India'), ('British Indian Ocean Territory', 'British Indian Ocean Territory'), ('Ireland', 'Ireland'), ('Iran, Islamic Republic of', 'Iran, Islamic Republic of'), ('Iraq', 'Iraq'), ('Iceland', 'Iceland'), ('Israel', 'Israel'), ('Italy', 'Italy'), ('Jamaica', 'Jamaica'), ('Jersey', 'Jersey'), ('Jordan', 'Jordan'), ('Japan', 'Japan'), ('Kazakhstan', 'Kazakhstan'), ('Kenya', 'Kenya'), ('Kyrgyzstan', 'Kyrgyzstan'), ('Cambodia', 'Cambodia'), ('Kiribati', 'Kiribati'), ('Saint Kitts and Nevis', 'Saint Kitts and Nevis'), ('Korea, Republic of', 'Korea, Republic of'), ('Kuwait', 'Kuwait'), ("Lao People's Democratic Republic", "Lao People's Democratic Republic"), ('Lebanon', 'Lebanon'), ('Liberia', 'Liberia'), ('Libya', 'Libya'), ('Saint Lucia', 'Saint Lucia'), ('Liechtenstein', 'Liechtenstein'), ('Sri Lanka', 'Sri Lanka'), ('Lesotho', 'Lesotho'), ('Lithuania', 'Lithuania'), ('Luxembourg', 'Luxembourg'), ('Latvia', 'Latvia'), ('Macao', 'Macao'), ('Saint Martin (French part)', 'Saint Martin (French part)'), ('Morocco', 'Morocco'), ('Monaco', 'Monaco'), ('Moldova, Republic of', 'Moldova, Republic of'), ('Madagascar', 'Madagascar'), ('Maldives', 'Maldives'), ('Mexico', 'Mexico'), ('Marshall Islands', 'Marshall Islands'), ('North Macedonia', 'North Macedonia'), ('Mali', 'Mali'), ('Malta', 'Malta'), ('Myanmar', 'Myanmar'), ('Montenegro', 'Montenegro'), ('Mongolia', 'Mongolia'), ('Northern Mariana Islands', 'Northern Mariana Islands'), ('Mozambique', 'Mozambique'), ('Mauritania', 'Mauritania'), ('Montserrat', 'Montserrat'), ('Martinique', 'Martinique'), ('Mauritius', 'Mauritius'), ('Malawi', 'Malawi'), ('Malaysia', 'Malaysia'), ('Mayotte', 'Mayotte'), ('Namibia', 'Namibia'), ('New Caledonia', 'New Caledonia'), ('Niger', 'Niger'), ('Norfolk Island', 'Norfolk Island'), ('Nigeria', 'Nigeria'), ('Nicaragua', 'Nicaragua'), ('Niue', 'Niue'), ('Netherlands', 'Netherlands'), ('Norway', 'Norway'), ('Nepal', 'Nepal'), ('Nauru', 'Nauru'), ('New Zealand', 'New Zealand'), ('Oman', 'Oman'), ('Pakistan', 'Pakistan'), ('Panama', 'Panama'), ('Pitcairn', 'Pitcairn'), ('Peru', 'Peru'), ('Philippines', 'Philippines'), ('Palau', 'Palau'), ('Papua New Guinea', 'Papua New Guinea'), ('Poland', 'Poland'), ('Puerto Rico', 'Puerto Rico'), ("Korea, Democratic People's Republic of", "Korea, Democratic People's Republic of"), ('Portugal', 'Portugal'), ('Paraguay', 'Paraguay'), ('Palestine, State of', 'Palestine, State of'), ('French Polynesia', 'French Polynesia'), ('Qatar', 'Qatar'), ('Réunion', 'Réunion'), ('Romania', 'Romania'), ('Russian Federation', 'Russian Federation'), ('Rwanda', 'Rwanda'), ('Saudi Arabia', 'Saudi Arabia'), ('Sudan', 'Sudan'), ('Senegal', 'Senegal'), ('Singapore', 'Singapore'), ('South Georgia and the South Sandwich Islands', 'South Georgia and the South Sandwich Islands'), ('Saint Helena, Ascension and Tristan da Cunha', 'Saint Helena, Ascension and Tristan da Cunha'), ('Svalbard and Jan Mayen', 'Svalbard and Jan Mayen'), ('Solomon Islands', 'Solomon Islands'), ('Sierra Leone', 'Sierra Leone'), ('El Salvador', 'El Salvador'), ('San Marino', 'San Marino'), ('Somalia', 'Somalia'), ('Saint Pierre and Miquelon', 'Saint Pierre and Miquelon'), ('Serbia', 'Serbia'), ('South Sudan', 'South Sudan'), ('Sao Tome and Principe', 'Sao Tome and Principe'), ('Suriname', 'Suriname'), ('Slovakia', 'Slovakia'), ('Slovenia', 'Slovenia'), ('Sweden', 'Sweden'), ('Eswatini', 'Eswatini'), ('Sint Maarten (Dutch part)', 'Sint Maarten (Dutch part)'), ('Seychelles', 'Seychelles'), ('Syrian Arab Republic', 'Syrian Arab Republic'), ('Turks and Caicos Islands', 'Turks and Caicos Islands'), ('Chad', 'Chad'), ('Togo', 'Togo'), ('Thailand', 'Thailand'), ('Tajikistan', 'Tajikistan'), ('Tokelau', 'Tokelau'), ('Turkmenistan', 'Turkmenistan'), ('Timor-Leste', 'Timor-Leste'), ('Tonga', 'Tonga'), ('Trinidad and Tobago', 'Trinidad and Tobago'), ('Tunisia', 'Tunisia'), ('Turkey', 'Turkey'), ('Tuvalu', 'Tuvalu'), ('Taiwan, Province of China', 'Taiwan, Province of China'), ('Tanzania, United Republic of', 'Tanzania, United Republic of'), ('Uganda', 'Uganda'), ('Ukraine', 'Ukraine'), ('United States Minor Outlying Islands', 'United States Minor Outlying Islands'), ('Uruguay', 'Uruguay'), ('United States', 'United States'), ('Uzbekistan', 'Uzbekistan'), ('Holy See (Vatican City State)', 'Holy See (Vatican City State)'), ('Saint Vincent and the Grenadines', 'Saint Vincent and the Grenadines'), ('Venezuela, Bolivarian Republic of', 'Venezuela, Bolivarian Republic of'), ('Virgin Islands, British', 'Virgin Islands, British'), ('Virgin Islands, U.S.', 'Virgin Islands, U.S.'), ('Viet Nam', 'Viet Nam'), ('Vanuatu', 'Vanuatu'), ('Wallis and Futuna', 'Wallis and Futuna'), ('Samoa', 'Samoa'), ('Yemen', 'Yemen'), ('South Africa', 'South Africa'), ('Zambia', 'Zambia'), ('Zimbabwe', 'Zimbabwe')], max_length=56, null=True, verbose_name='Luogo di nascita'),
+        ),
+    ]

example/django_op/example/unical_accounts/models.py → example/django_op/example/accounts/models.py

@@ -26,7 +26,7 @@ class User(AbstractUser):
                                       blank=True, null=True)
     gender    = models.CharField(_('Genere'), choices=GENDER,
                                  max_length=12, blank=True, null=True)
-    place_of_birth = models.CharField('Luogo di nascita', max_length=30,
+    place_of_birth = models.CharField('Luogo di nascita', max_length=56,
                                       blank=True, null=True,
                                       choices=[(i.name, i.name) for i in pycountry.countries])
     birth_date = models.DateField('Data di nascita',

example/django_op/example/unical_accounts/urls.py → example/django_op/example/accounts/urls.py

@@ -16,11 +16,11 @@
 from django.urls import path
 from .views import *
 
-app_name="unical_accounts"
+app_name="accounts"
 
 urlpatterns = [
 
     # url(r'^login/$', Login, name='login'),
     # path('logout', Logout, name='logout'),
-    
+
 ]