Add an openidish mechanism for proving that you own a given user_id #765
Conversation
NegativeMjark assigned erikjohnston on May 5, 2016
NegativeMjark referenced this pull request in matrix-org/sytest on May 5, 2016: "Add test for a openidish mechanism for proving to third parties that …" #234 (Merged)
erikjohnston and 1 other commented on an outdated diff on May 5, 2016
| +class IdTokenServlet(RestServlet): | ||
| + """ | ||
| + Get a bearer token that may be passed to a third party to confirm ownership | ||
| + of a matrix user id. | ||
| + | ||
| + The format of the response could be made compatible with the format given | ||
| + in http://openid.net/specs/openid-connect-core-1_0.html#TokenResponse | ||
| + | ||
| + But instead of returning a signed "id_token" the response contains the | ||
| + name of the issuing matrix homeserver. This means that for now the third | ||
| + party will need to check the validity of the "id_token" against the | ||
| + federation /openid/userinfo endpoint of the homeserver. | ||
| + | ||
| + Request: | ||
| + | ||
| + POST /user/{user_id}/openid/token?access_token=... HTTP/1.1 |
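Review bot: the docstring states only that the response "could be made compatible" with the OpenID Connect token response; it should document the contract as implemented, i.e. the bearer token, the name of the issuing homeserver, and the token's lifetime, so a third party knows what it will receive and what to validate against /openid/userinfo. It should also say plainly that the token is a bearer credential: whoever holds it can call the userinfo endpoint, so the client must hand it only to the intended third party over TLS. The "Request:" line shows the caller's own access_token in the query string; since that is the user's full access token rather than the short-lived one being minted, mention that the Authorization header form keeps it out of URL and proxy logs.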
erikjohnston (Owner) commented on the diff on May 5, 2016
| @@ -448,6 +448,50 @@ def _wrap(self, code): | ||
| return code | ||
| +class OpenIdUserInfo(BaseFederationServlet): | ||
| + """ | ||
| + Exchange a bearer token for information about a user. | ||
| + | ||
| + The response format should be compatible with: | ||
| + http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse | ||
| + | ||
| + GET /openid/userinfo?access_token=ABDEFGH HTTP/1.1 |
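Review bot: `GET /openid/userinfo?access_token=ABDEFGH` carries the bearer token in the query string, where it ends up in web-server and proxy access logs; the OpenID Connect UserInfo endpoint this docstring points at accepts `Authorization: Bearer <token>`, and the docstring should document that form too. The docstring also omits the failure case: state what an unknown or expired token returns (a 401 with an error body) so third parties do not treat an empty or error response as success. Finally, since this is a BaseFederationServlet, say whether the request must be federation-signed; the intended callers are arbitrary third parties rather than homeservers, so if signing is required the endpoint is unusable for them, and if it is not, that exception from the usual federation authentication should be stated explicitly.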
erikjohnston (Owner) commented on the diff on May 5, 2016
| + self.auth = hs.get_auth() | ||
| + self.store = hs.get_datastore() | ||
| + self.clock = hs.get_clock() | ||
| + self.server_name = hs.config.server_name | ||
| + | ||
| + @defer.inlineCallbacks | ||
| + def on_POST(self, request, user_id): | ||
| + requester = yield self.auth.get_user_by_req(request) | ||
| + if user_id != requester.user.to_string(): | ||
| + raise AuthError(403, "Cannot request tokens for other users.") | ||
| + | ||
| + # Parse the request body to make sure it's JSON, but ignore the contents | ||
| + # for now. | ||
| + parse_json_object_from_request(request) | ||
| + | ||
| + token = random_string(24) |
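Review bot: `token = random_string(24)` mints a bearer credential, so `random_string` must draw from a cryptographically secure source (os.urandom or SystemRandom) rather than the `random` module; this hunk does not show its implementation, so please confirm rather than assume. `self.clock` is stored in the constructor but the visible lines attach no expiry to the token; the token should be given a short lifetime, and ideally be single-use, since the third party needs it for exactly one /openid/userinfo lookup. The `user_id != requester.user.to_string()` comparison followed by a 403 is the right check for the path parameter, and the "ignore the contents for now" comment on the JSON parse is fine as long as the body is still rejected when it is not a JSON object.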
erikjohnston (Owner): LGTM
NegativeMjark commented on May 5, 2016
Doesn't actually fully implement OpenID yet, but the intention is that the response format could be made compatible with that expected from OpenID.
However, it does have enough machinery to prove ownership of a given user_id, which is probably a good start.