fix: Session dump inconsistent schema after sman flush

.gitignore

@@ -115,3 +115,5 @@ venv.bak/
 src/oidcendpoint.egg-info/
 
 .iframes/
+tests/pairwise.salt
+tests/public.salt

doc/source/contents/conf.rst

@@ -8,6 +8,38 @@ issuer
 
 The issuer ID of the OP, a unique value in URI format.
 
+----
+seed
+----
+
+Used in dynamic client registration endpoint when creating a new client_secret.
+If unset it will be random.
+
+--------
+password
+--------
+
+Encryption key used to encrypt the SessionID (sid) in access_token.
+If unset it will be random.
+
+----
+salt
+----
+
+Salt, value or filename, used in sub_funcs (pairwise, public) for creating the opaque hash of *sub* claim.
+
+-----------
+session_key
+-----------
+
+An example::
+
+    "session_key": {
+        "filename": "private/session_jwk.json",
+        "type": "OCT",
+        "use": "sig"
+      },
+
 ------
 add_on
 ------
@@ -195,8 +227,11 @@ An example::
           "class": "oidcop.oauth2.introspection.Introspection",
           "kwargs": {
             "client_authn_method": [
-              "client_secret_post"
-            ],
+              "client_secret_post",
+              "client_secret_basic",
+              "client_secret_jwt",
+              "private_key_jwt"
+            ]
             "release": [
               "username"
             ]
@@ -266,6 +301,15 @@ An example::
         }
       }
 
+You can specify which algoritms are supported, for example in userinfo_endpoint::
+
+    "userinfo_signing_alg_values_supported": OIDC_SIGN_ALGS,
+    "userinfo_encryption_alg_values_supported": OIDC_ENC_ALGS,
+
+Or in authorization endpoint::
+
+    "request_object_encryption_alg_values_supported": OIDC_ENC_ALGS,
+
 ------------
 httpc_params
 ------------
@@ -307,6 +351,9 @@ An example::
         "uri_path": "static/jwks.json"
       },
 
+*read_only* means that on each restart the keys will created and overwritten with new ones.
+This can be useful during the first time the project have been executed, then to keep them as they are *read_only* would be configured to *True*.
+
 ---------------
 login_hint2acrs
 ---------------
@@ -358,19 +405,6 @@ An example::
         }
       },
 
-
------------
-session_key
------------
-
-An example::
-
-    "session_key": {
-        "filename": "private/session_jwk.json",
-        "type": "OCT",
-        "use": "sig"
-      },
-
 ------------
 template_dir
 ------------
@@ -442,6 +476,44 @@ An example::
         }
       }
 
+jwks_defs can be replaced eventually by `jwks_file`::
+
+    "jwks_file": f"{OIDC_JWKS_PRIVATE_PATH}/token_jwks.json",
+
+You can even select wich algorithms to support in id_token, eg::
+
+    "id_token": {
+        "class": "oidcop.token.id_token.IDToken",
+        "kwargs": {
+            "id_token_signing_alg_values_supported": [
+                    "RS256",
+                    "RS512",
+                    "ES256",
+                    "ES512",
+                    "PS256",
+                    "PS512",
+                ],
+            "id_token_encryption_alg_values_supported": [
+                    "RSA-OAEP",
+                    "RSA-OAEP-256",
+                    "A192KW",
+                    "A256KW",
+                    "ECDH-ES",
+                    "ECDH-ES+A128KW",
+                    "ECDH-ES+A192KW",
+                    "ECDH-ES+A256KW",
+                ],
+            "id_token_encryption_enc_values_supported": [
+                    'A128CBC-HS256',
+                    'A192CBC-HS384',
+                    'A256CBC-HS512',
+                    'A128GCM',
+                    'A192GCM',
+                    'A256GCM'
+                ],
+        }
+    }
+
 --------
 userinfo
 --------

doc/source/contents/session_management.rst

@@ -372,16 +372,16 @@ max_usage
 
 used
 ::::
-How many times the token has been used
+    How many times the token has been used
 
 based_on
 ::::::::
-Reference to the token that was used to mint this token. Might be empty if the
-token was minted based on the grant it belongs to.
+    Reference to the token that was used to mint this token. Might be empty if the
+    token was minted based on the grant it belongs to.
 
 id
 ::
-Token identifier
+    Token identifier
 
 Session Info API
 ----------------
@@ -391,38 +391,56 @@ add_subordinate
 +++++++++++++++
 .. _`add_subordinate`:
 
+    ...
+
 remove_subordinate
 ++++++++++++++++++
 .. _`removed_subordinate`:
 
+    ...
+
 revoke
 ++++++
 .. _`revoke`:
 
+    ...
+
 is_revoked
 ++++++++++
 .. _`is_revoked`:
 
+    ...
+
 to_json
 +++++++
 .. _`to_json`:
 
+    ...
+
 from_json
 +++++++++
 .. _`from_json`:
 
+    ...
+
 Grant API
 ---------
 .. _`Grant API`:
 
+    ...
+
 Token API
 ---------
 .. _`Token API`:
 
+    ...
+
 Session Manager API
 -------------------
 .. _`Session Manager API`:
 
+    ...
+
 create_session
 ++++++++++++++
 .. _create_session:
@@ -463,77 +481,77 @@ add_grant
 +++++++++
 .. _add_grant:
 
-add_grant(self, user_id, client_id, **kwargs)
+    add_grant(self, user_id, client_id, **kwargs)
 
 find_token
 ++++++++++
 .. _find_token:
 
-find_token(self, session_id, token_value)
+    find_token(self, session_id, token_value)
 
 get_authentication_event
 ++++++++++++++++++++++++
 .. _get_authentication_event:
 
-get_authentication_event(self, session_id)
+    get_authentication_event(self, session_id)
 
 
 get_client_session_info
 +++++++++++++++++++++++
 .. _get_client_session_info:
 
-get_client_session_info(self, session_id)
+    get_client_session_info(self, session_id)
 
 get_grant_by_response_type
 ++++++++++++++++++++++++++
 .. _get_grant_by_response_type:
 
-get_grant_by_response_type(self, user_id, client_id)
+    get_grant_by_response_type(self, user_id, client_id)
 
 get_session_info
 ++++++++++++++++
 .. _get_session_info:
 
-get_session_info(self, session_id)
+    get_session_info(self, session_id)
 
 get_session_info_by_token
 +++++++++++++++++++++++++
 .. _get_session_info_by_token:
 
-get_session_info_by_token(self, token_value)
+    get_session_info_by_token(self, token_value)
 
 get_sids_by_user_id
 +++++++++++++++++++
 .. _get_sids_by_user_id:
 
-get_sids_by_user_id(self, user_id)
+    get_sids_by_user_id(self, user_id)
 
 get_user_info
 +++++++++++++
 .. _get_user_info:
 
-get_user_info(self, uid)
+    get_user_info(self, uid)
 
 grants
 ++++++
 .. _grants:
 
-grants(self, session_id)
+    grants(self, session_id)
 
 revoke_client_session
 +++++++++++++++++++++
 .. _revoke_client_session:
 
-revoke_client_session(self, session_id)
+    revoke_client_session(self, session_id)
 
 revoke_grant
 ++++++++++++
 .. _revoke_grant:
 
-revoke_grant(self, session_id)
+    revoke_grant(self, session_id)
 
 revoke_token
 ++++++++++++
 .. _revoke_token:
 
-revoke_token(self, session_id, token_value, recursive=False)
+    revoke_token(self, session_id, token_value, recursive=False)

doc/source/contents/usage.md

@@ -47,3 +47,46 @@ The identity representation with the information fetched from the user info endp
 ![Logout](../_images/4.png)
 
 We can even test the single logout
+
+
+Introspection endpoint
+----------------------
+
+Here an example about how to consume oidc-op introspection endpoint.
+This example uses a client with an HTTP Basic Authentication::
+
+    import base64
+    import requests
+
+    TOKEN = "eyJhbGciOiJFUzI1NiIsImtpZCI6IlQwZGZTM1ZVYUcxS1ZubG9VVTQwUXpJMlMyMHpjSHBRYlMxdGIzZ3hZVWhCYzNGaFZWTlpTbWhMTUEifQ.eyJzY29wZSI6IFsib3BlbmlkIiwgInByb2ZpbGUiLCAiZW1haWwiLCAiYWRkcmVzcyIsICJwaG9uZSJdLCAiYXVkIjogWyJvTHlSajdzSkozWHZBWWplRENlOHJRIl0sICJqdGkiOiAiOWQzMjkzYjZiYmNjMTFlYmEzMmU5ODU0MWIwNzE1ZWQiLCAiY2xpZW50X2lkIjogIm9MeVJqN3NKSjNYdkFZamVEQ2U4clEiLCAic3ViIjogIm9MeVJqN3NKSjNYdkFZamVEQ2U4clEiLCAic2lkIjogIlowRkJRVUZCUW1keGJIVlpkRVJKYkZaUFkxQldaa0pQVUVGc1pHOUtWWFZ3VFdkZmVEY3diMVprYmpSamRrNXRMVzB4YTNnelExOHlRbHBHYTNRNVRHZEdUUzF1UW1sMlkzVnhjRE5sUm01dFRFSmxabGRXYVhJeFpFdHVSV2xtUzBKcExWTmFaRzV3VjJodU0yNXlSbTU0U1ZWVWRrWTRRM2x2UWs1TlpVUk9SazlGVlVsRWRteGhjWGx2UWxWRFdubG9WbTFvZGpORlVUSnBkaTFaUTFCcFptZFRabWRDVWt0YVNuaGtOalZCWVhkcGJFNXpaV2xOTTFCMk0yaE1jMDV0ZGxsUlRFc3dObWxsYUcxa1lrTkhkemhuU25OaWFWZE1kVUZzZDBwWFdWbzFiRWhEZFhGTFFXWTBPVzl5VjJOUk4zaGtPRDA9IiwgInR0eXBlIjogIlQiLCAiaXNzIjogImh0dHBzOi8vMTI3LjAuMC4xOjgwMDAiLCAiaWF0IjogMTYyMTc3NzMwNSwgImV4cCI6IDE2MjE3ODA5MDV9.pVqxUNznsoZu9ND18IEMJIHDOT6_HxzoFiTLsniNdbAdXTuOoiaKeRTqtDyjT9WuUPszdHkVjt5xxeFX8gQMuA"
+
+    data = {
+     'token': TOKEN,
+     'token_type_hint': 'access_token'
+    }
+
+    _basic_secret = base64.b64encode(
+        f'{"oLyRj7sJJ3XvAYjeDCe8rQ"}:{"53fb49f2a6501ec775355c89750dc416744a3253138d5a04e409b313"}'.encode()
+    )
+    headers = {
+        'Authorization': f"Basic {_basic_secret.decode()}"
+    }
+
+    requests.post('https://127.0.0.1:8000/introspection', verify=False, data=data, headers=headers)
+
+
+oidc-op will return a json response like this::
+
+    {
+      "active": true,
+      "scope": "openid profile email address phone",
+      "client_id": "oLyRj7sJJ3XvAYjeDCe8rQ",
+      "token_type": "access_token",
+      "exp": 0,
+      "iat": 1621777305,
+      "sub": "a7b0dea2958aec275a789d7d7dc8e7d09c6316dd4fc6ae92742ed3297e14dded",
+      "iss": "https://127.0.0.1:8000",
+      "aud": [
+        "oLyRj7sJJ3XvAYjeDCe8rQ"
+      ]
+    }