V2.0.0 - Plenty of changes

.github/workflows/python-app.yml

@@ -0,0 +1,59 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: oidc-op
+
+on:
+  push:
+    branches: [ master, develop ]
+  pull_request:
+    branches: [ master, develop ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version:
+          - '3.7'
+          - '3.8'
+          - '3.9'
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v2
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi
+        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+        python setup.py install
+    - name: Lint with flake8
+      run: |
+        # stop the build if there are Python syntax errors or undefined names
+        flake8 src/oidcop --count --select=E9,F63,F7,F82 --show-source --statistics
+        # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
+        flake8 src/oidcop --max-line-length 120 --count --exit-zero --statistics
+
+    - name: Test with pytest
+      run: |
+        pytest --cov=oidcop tests/
+    - name: Bandit Security Scan
+      run: |
+        bandit --skip B105,B106,B107 -r src/oidcop/
+    #- name: Upload coverage to Codecov
+      #uses: codecov/codecov-action@v1
+      #with:
+        #token: ${{ secrets.CODECOV_TOKEN }}
+        #file: example/coverage.xml
+        #flags: unittests
+        #env_vars: OS,PYTHON
+        #name: codecov-umbrella
+        #fail_ci_if_error: true
+        #path_to_write_report: ./codecov_report.txt

.gitignore

@@ -1,5 +1,3 @@
-django_op/db.sqlite3
-templates
 static/
 private/
 conf.yaml
@@ -117,3 +115,5 @@ venv.bak/
 src/oidcendpoint.egg-info/
 
 .iframes/
+tests/pairwise.salt
+tests/public.salt

.isort.cfg

@@ -0,0 +1,7 @@
+[settings]
+force_single_line = 1
+known_first_party = oidcop
+known_third_party = cryptojwt, oidcmsg
+known_future_library = future,past
+default_section = THIRDPARTY
+line_length = 100

.readthedocs.yml

@@ -0,0 +1,23 @@
+# .readthedocs.yml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+# Build documentation in the docs/ directory with Sphinx
+sphinx:
+  configuration: docs/source/conf.py
+
+# Build documentation with MkDocs
+#mkdocs:
+#  configuration: mkdocs.yml
+
+# Optionally build your docs in additional formats such as PDF and ePub
+formats: all
+
+# Optionally set the version of Python and requirements required to build your docs
+python:
+  version: 3.8
+  install:
+    - requirements: requirements-docs.txt

README.md

@@ -1,233 +1,39 @@
 # oidc-op
-Examples of a OIDC OPs with CherryPy, Flask and Django.
-**NOT** something you should even image running in a production environment.
 
+This project is a Python implementation of an **OIDC Provider** on top of [jwtconnect.io](https://jwtconnect.io/) that shows to you how to 'build' an OP using the classes and functions provided by oidc-op.
 
-### Introduction
+If you want to add or replace functionality the official documentation should be able to tell you how.
+If you are just going to build a standard OP you only have to understand how to write your configuration file.
+In `example/` folder you'll find some complete examples based on flask and django.
 
-This project are here to show you how to 'build' an OP using the
-classes and functions provided by oidcendpoint.
+Idpy OIDC-op implements the following standards:
 
-If you are just going to build a standard OP you only have to write the
-configuration file. If you want to add or replace functionality this document
-should be able to tell you how.
+* [OpenID Connect Core 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-core-1_0.html)
+* [Web Finger](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery)
+* [OpenID Connect Discovery 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-discovery-1_0.html)
+* [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-registration-1_0.html)
+* [OpenID Connect Session Management 1.0](https://openid.net/specs/openid-connect-session-1_0.html)
+* [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html)
+* [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html)
+* [OAuth2 Token introspection](https://tools.ietf.org/html/rfc7662)
 
-Setting up an OP means making a number if decisions. Like, should the OP support:
+It also comes with the following `add_on` modules.
 
-- [Web Finger](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery)
-- [dynamic discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)
-- [dynamic client registration](https://openid.net/specs/openid-connect-registration-1_0.html)
+* Custom scopes, that extends [OIDC standard ScopeClaims](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
+* [Proof Key for Code Exchange by OAuth Public Clients (PKCE)](https://tools.ietf.org/html/rfc7636)
+* [OAuth2 RAR](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar)
+* [OAuth2 DPoP](https://tools.ietf.org/id/draft-fett-oauth-dpop-04.html)
 
-All these are services you can access at endpoints. The total set of endpoints
-that this package supports are
+The entire project code is open sourced and therefore licensed under the [Apache 2.0](https://en.wikipedia.org/wiki/Apache_License)
 
-- webfinger
-- provider_info
-- registration
-- authorization
-- token
-- refresh_token
-- userinfo
-- end_session
+For any futher information please read the [Official Documentation](#TODO).
 
 
-### Configuration directives
+# Contribute
 
+[Join in](https://idpy.org/contribute/).
 
-_issuer_
 
-The issuer ID of the OP, unique value.
+# Authors
 
-_capabilities_
-
-This covers most of the basic functionality of the OP. The key words are the
-same as defined in
-https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata .
-A couple of things are defined else where. Like the endpoints, issuer id,
-jwks_uri and the authentication methods at the token endpoint.
-
-An example:
-
-    response_types_supported:
-        - code
-        - token
-        - id_token
-        - "code token"
-        - "code id_token"
-        - "id_token token"
-        - "code id_token token"
-        - none
-      response_modes_supported:
-        - query
-        - fragment
-        - form_post
-      subject_types_supported:
-        - public
-        - pairwise
-      grant_types_supported:
-        - authorization_code
-        - implicit
-        - urn:ietf:params:oauth:grant-type:jwt-bearer
-        - refresh_token
-      claim_types_supported:
-        - normal
-        - aggregated
-        - distributed
-
-      claims_parameter_supported: True
-      request_parameter_supported: True
-      request_uri_parameter_supported: True
-      frontchannel_logout_supported: True
-      frontchannel_logout_session_supported: True
-      backchannel_logout_supported: True
-      backchannel_logout_session_supported: True
-      check_session_iframe: https://127.0.0.1:5000/check_session_iframe
-
-
-_id_token_
-
-Defines which class that handles creating an ID Token and possibly also
-arguments used when initiating that class.
-
-An example:
-
-    id_token:
-      class: oidcendpoint.id_token.IDToken
-      kwargs:
-        default_claims:
-          email:
-            essential: True
-          email_verified:
-            essential: True
-
-
-### OIDC Provider example setup
-
-Create an environment
-````
-virtualenv -ppython3 env
-source env/bin/activate
-````
-
-##### Install oidc-op
-````
-pip install git+https://github.com/rohe/oidc-op.git
-
-# get the usage examples
-git clone https://github.com/rohe/oidc-op.git
-````
-
-##### Configure a Django OP
-
-See
-
-https://github.com/peppelinux/django-oidc-op
-
-##### Configure a Flask OP
-
-````
-pip install flask
-cd oidc-op/
-
-# configuration: create a private folder
-cp -R flask_op/private .
-
-# copy required files
-cp flask_op/passwd.json private/
-cp flask_op/conf.yaml private/
-cp -R flask_op/templates .
-
-# create a JWK for cookie signing
-jwkgen --kty=SYM --kid cookie > private/cookie_sign_jwk.json
-````
-
-##### About JWK Set (JWKS) files
-see: https://cryptojwt.readthedocs.io/en/latest/keyhandling.html
-
-You can use `cryptojwt.key_jar.init_key_jar` to create JWKS file.
-An easy way can be to configure the auto creation of JWKS files directly in your conf.yaml file.
-Using `read_only: False` in `OIDC_KEYS` it will create the path within the JWKS files.
-Change it to `True` if you don't want to overwrite them on each execution.
-
-````
-# in conf.yaml
-#
-OIDC_KEYS:
-    'private_path': './private/jwks.json'
-    'key_defs': *keydef
-    'public_path': './static/jwks.json'
-    # this will create the jwks files if they absent
-    'read_only': False
-````
-
-In the JWTConnect-Python-CryptoJWT distribution there is also a script you can use to construct a JWK.
-
-You can for instance do:
-````
-$ jwkgen --kty=RSA
-{
-    "d": "b9ucfay9vxDvz_nRZMVSUR9eRvHNMo0tc8Bl7tWkwxTis7LBXxmbMH1yzLs8omUil_u2a-Z_6VlKENxacuejYYcOhs6bfaU3iOqJbGi2p4t2i1oxjuF-cX6BZ5aHB5Wfb1uTXXobHokjcjVVDmBr_fNYBEPtZsVYqyN9sR9KE_ZLHEPks3IER09aX9G3wiB_PgcxQDRAl72qucsBz9_W9KS-TVWs-qCEqtXLmx9AAN6P8SjUcHAzEb0ZCJAYCkVu34wgNjxVaGyYN1qMA-1iOOVz--wtMyBwc5atSDBDgUApxFyj_DHSeBl81IHedcPjS9azxqFhumP7oJJyfecfSQ",
-    "e": "AQAB",
-    "kid": "cHZQbWRrMzRZak53U1pfSUNjY0dKd2xXaXRKenktdUduUjVBVTl3VE5ndw",
-    "kty": "RSA",
-    "n": "73XCXV2iiubSCEaFe26OpVnsBFlXwXh_yDCDyBqFgAFi5WdZTpRMJZoK0nn_vv2MvrXqFnw6IfXkwdsRGlMsNldVy36003gKa584CNksxfenwJZcF-huASUrSJEFr-3c0fMT_pLyAc7yf3rNCdRegzbBXSvIGKQpaeIjIFYftAPd9tjGA_SuYWVQDsSh3MeGbB4wt0lArAyFZ4f5o7SSxSDRCUF3ng3CB_QKUAaDHHgXrcNG_gPpgqQZjsDJ0VwMXjFKxQmskbH-dfsQ05znQsYn3pjcd_TEZ-Yu765_L5uxUrkEy_KnQXe1iqaQHcnfBWKXt18NAuBfgmKsv8gnxQ",
-    "p": "_RPgbiQcFu8Ekp-tC-Kschpag9iaLc9aDqrxE6GWuThEdExGngP_p1I7Qd7gXHHTMXLp1c4gH2cKx4AkfQyKny2RJGtV2onQButUU5r0gwnlqqycIA2Dc9JiH85PX2Z889TKJUlVETfYbezHbKhdsazjjsXCQ6p9JfkmgfBQOXM",
-    "q": "8jmgnadtwjMt96iOaoL51irPRXONO82tLM2AAZAK5Obsj23bZ9LFiw2Joh5oCSFdoUcRhbbIhCIv2aT4T_XKnDGnddrkxpF5Xgu0-hPNYnJx5m4kuzerot4j79Tx6qO-bshaaGz50MHs1vHSeFaDVN4fvh_hDWpV1BCNI0PKK-c"
-}
-SHA-256: pvPmdk34YjNwSZ_ICccGJwlWitJzy-uGnR5AU9wTNgw
-````
-
-
-##### Run the server
-````
-python -m flask_op.server private/conf.yaml
-````
-
-Then open your browser to `https://127.0.0.1:5000/.well-known/openid-configuration` to get the OpenID Provider Configuration resource.
-
-
-##### Install OidcRP and configure flask-rp
-
-It uses `JWTConnect-Python-OidcRP` as Relaing Party for tests, see [related page](https://github.com/openid/JWTConnect-Python-OidcRP).
-You can run a working instance of `JWTConnect-Python-OidcRP.flask_rp` with:
-
-````
-pip install git+https://github.com/openid/JWTConnect-Python-OidcRP.git
-
-# get entire project to have examples files
-git clone https://github.com/openid/JWTConnect-Python-OidcRP.git
-cd JWTConnect-Python-OidcRP
-
-# run it as it come
-python3 -m flask_rp.wsgi flask_rp/conf.yaml
-
-# if you use django_op
-RP_LOGFILE_NAME="./flrp.django.log" python3 -m flask_rp.wsgi django_op/example/data/oidc_rp/conf.django.yaml
-````
-
-Now you can connect to `https://127.0.0.1:8090/` to see the RP landing page and select your authentication endpoint.
-
-
-### Authentication examples
-
-![RP](doc/images/1.png)
-
-Get to the RP landing page to choose your authentication endpoint. The first option aims to use _Provider Discovery_.
-
-----------------------------------
-
-![OP Auth](doc/images/2.png)
-
-AS/OP accepted our authentication request and prompt to us the login form. Read passwd.json file to get credentials.
-
-----------------------------------
-
-![Access](doc/images/3.png)
-
-The identity representation with the information fetched from the user info endpoint.
-
-----------------------------------
-
-![Logout](doc/images/4.png)
-
-We can even test the single logout
+- Roland Hedberg