
Updated parameter names
Roland Hedberg committed Jan 1, 2013
1 parent 6c4a778 commit 85a82c2
Showing 23 changed files with 511 additions and 78 deletions.
8 changes: 8 additions & 0 deletions .idea/libraries/sass_stdlib.xml


2 changes: 1 addition & 1 deletion src/oic/oauth2/provider.py
Expand Up @@ -133,7 +133,7 @@ def authn_intro(self, environ, start_response):
except KeyError:
return BadRequest("Unknown session identifier")

_sdb.update(sid, "user_id", dic["login"][0])
_sdb.update(sid, "sub", dic["login"][0])

LOG_DEBUG("session[\"authzreq\"] = %s" % session["authzreq"])
#_log_info( "type: %s" % type(session["authzreq"]))
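Review bot: The value written under the session key `sub` at `_sdb.update(sid, "sub", dic["login"][0])` is the raw login name taken from the submitted form, not a derived subject identifier; in the OIDC provider the corresponding spot stores the verified identifier as `local_sub` and lets `sdb.do_userid` derive `sub`, so the same key name now carries two different meanings across the two providers. A one-line comment such as `# OAuth2 flow: the login name is used directly as the subject; no pairwise derivation here` would keep the two apart for the next reader. `authn_intro` starts and ends outside the hunk, so whether `dic["login"]` has been checked before this point cannot be seen here.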
6 changes: 3 additions & 3 deletions src/oic/oic/__init__.py
Expand Up @@ -304,7 +304,7 @@ def add_token(self, resp):
"id_token_encrypted_response_alg": "id_token_encryption_alg_values_supported",
"id_token_encrypted_response_enc": "id_token_encryption_enc_values_supported",
"default_acr": "acrs_supported",
"user_id_type": "user_id_types_supported",
"subbject_type": "subbject_types_supported",
"token_endpoint_auth_alg": "token_endpoint_auth_algs_supported",
#"request_object_signing_alg": "request_object_signing_alg_values_supported
}
Expand Down Expand Up @@ -1243,7 +1243,7 @@ def make_id_token(self, session, loa="2", issuer="",
_args = user_info.to_dict()

# Make sure that there are no name clashes
for key in ["iss", "user_id", "aud", "exp", "acr", "nonce",
for key in ["iss", "sub", "aud", "exp", "acr", "nonce",
"auth_time"]:
try:
del _args[key]
Expand All @@ -1257,7 +1257,7 @@ def make_id_token(self, session, loa="2", issuer="",
if access_token:
_args["at_hash"] = jws.left_hash(access_token, halg)

idt = IdToken(iss=issuer, user_id=session["user_id"],
idt = IdToken(iss=issuer, sub=session["sub"],
aud = session["client_id"],
exp = time_util.epoch_in_a_while(**inawhile), acr=loa,
iat = time_util.utc_now(),
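Review bot: The renamed entry in the hunk at @@ -304 reads `"subbject_type": "subbject_types_supported"`, which is a typo on both the key and the value; the rest of the commit uses `subject_type` (consumer.py, `client_info["subject_type"]` in provider.py) and `subject_types_supported` (providerinfo_endpoint), so this mapping entry will never match either name. It should read `"subject_type": "subject_types_supported",`. The dict this entry belongs to starts outside the hunk, so a second copy of the typo elsewhere in it cannot be ruled out from here.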
8 changes: 4 additions & 4 deletions src/oic/oic/claims_provider.py
Expand Up @@ -31,7 +31,7 @@
logger = logging.getLogger(__name__)

class UserClaimsRequest(Message):
c_param = {"user_id": SINGLE_REQUIRED_STRING,
c_param = {"sub": SINGLE_REQUIRED_STRING,
"client_id": SINGLE_REQUIRED_STRING,
"client_secret": SINGLE_REQUIRED_STRING,
"claims_names": REQUIRED_LIST_OF_STRINGS}
Expand Down Expand Up @@ -143,14 +143,14 @@ def claims_endpoint(self, environ, start_response, *args):

_log_info("User info claims: %s" % uic)

#oicsrv, userdb, user_id, client_id="", user_info_claims=None
info = self.function["userinfo"](self, self.userdb, ucreq["user_id"],
#oicsrv, userdb, subject, client_id="", user_info_claims=None
info = self.function["userinfo"](self, self.userdb, ucreq["sub"],
ucreq["client_id"],
user_info_claims=uic)

_log_info("User info: %s" % info.to_dict())

if self.do_aggregation(info, ucreq["user_id"]):
if self.do_aggregation(info, ucreq["sub"]):
cresp = self._aggregation(info)
else:
cresp = self._distributed(info)
2 changes: 1 addition & 1 deletion src/oic/oic/consumer.py
Expand Up @@ -137,7 +137,7 @@ def clean_response(aresp):

CONSUMER_PREF_ARGS =[
"token_endpoint_auth_type",
"user_id_type",
"subject_type",
"require_signed_request_object",
"userinfo_signed_response_algs",
"userinfo_encrypted_response_alg",
47 changes: 25 additions & 22 deletions src/oic/oic/provider.py
Expand Up @@ -242,6 +242,9 @@ def _verify_redirect_uri(self, areq):
"""
MUST NOT contain a fragment
MAY contain query component
:return: An error response if the redirect URI is faulty otherwise
None
"""
try:
_redirect_uri = urlparse.unquote(areq["redirect_uri"])
Expand Down Expand Up @@ -348,7 +351,7 @@ def get_sector_id(self, redirect_uri, client_info):
sid = client_info["sector_id"]
except KeyError:
try:
uit = client_info["user_id_type"]
uit = client_info["subject_type"]
if uit == "pairwise":
sid = _base
except KeyError:
Expand Down Expand Up @@ -449,11 +452,11 @@ def authorization_endpoint(self, environ, start_response, **kwargs):

if openid_req:
try:
user = openid_req["id_token"]["claims"]["user_id"]["value"]
user = openid_req["id_token"]["claims"]["sub"]["value"]
except KeyError:
user = ""
elif "id_token" in areq:
user = areq["id_token"]["user_id"]
user = areq["id_token"]["sub"]
else:
user = ""

Expand Down Expand Up @@ -496,9 +499,9 @@ def authorization_endpoint(self, environ, start_response, **kwargs):
cookie = None

if self.authn_as:
user_id = self.authn_as
_log_debug("Implicit authenticated as %s" % user_id)
_sdb.update(sid, "local_user_id", user_id)
sub = self.authn_as
_log_debug("Implicit authenticated as %s" % sub)
_sdb.update(sid, "local_sub", sub)
(redirect_uri, reply) = self.get_redirect_uri(areq)
client_info = self.cdb[areq["client_id"]]
sector_id = self.get_sector_id(redirect_uri, client_info)
Expand All @@ -508,11 +511,11 @@ def authorization_endpoint(self, environ, start_response, **kwargs):
except KeyError:
preferred_id_type = self.preferred_id_type

self.sdb.do_userid(sid, user_id, sector_id, preferred_id_type)
self.sdb.do_userid(sid, sub, sector_id, preferred_id_type)
_log_debug("session: %s" % _sdb[sid])
_log_debug("uid2sid: %s" % _sdb.uid2sid)
return self.authenticated(environ, start_response, active_auth=sid,
areq=areq, user=user_id)
areq=areq, user=sub)

if openid_req:
_log_info("Request: %s" % openid_req.to_dict())
Expand All @@ -534,8 +537,8 @@ def authorization_endpoint(self, environ, start_response, **kwargs):
_log_info("- SSO -")
_scode = base64.b64decode(key)
_log_debug("OLD session: %s" % _sdb[_scode])
user = self.sdb[_scode]["user_id"]
_sdb.update(sid, "user_id", user)
user = self.sdb[_scode]["sub"]
_sdb.update(sid, "sub", user)
return self.authenticated(environ,
start_response,
active_auth=_scode,
Expand All @@ -555,8 +558,8 @@ def authorization_endpoint(self, environ, start_response, **kwargs):
try:
_log_info("- SSO -")
_scode = base64.b64decode(key)
user = self.sdb[_scode]["user_id"]
_sdb.update(sid, "user_id", user)
user = self.sdb[_scode]["sub"]
_sdb.update(sid, "sub", user)
# This happens if a valid cookie is presented
return self.authenticated(environ, start_response,
active_auth=_scode,
Expand Down Expand Up @@ -866,11 +869,11 @@ def _collect_user_info(self, session, userinfo_claims=None):
logger.debug("userdb: %s" % self.userdb.keys())
logger.debug("Session info: %s" % session)
info = self.function["userinfo"](self, self.userdb,
session["local_user_id"],
session["local_sub"],
session["client_id"],
userinfo_claims)

info["user_id"] = session["user_id"]
info["sub"] = session["sub"]
logger.debug("user_info_response: %s" % (info,))

return info
Expand Down Expand Up @@ -1241,7 +1244,7 @@ def providerinfo_endpoint(self, environ, start_response, **kwargs):
"code id_token",
"token id_token",
"code token id_token"],
user_id_types_supported=["public", "pairwise"],
subject_types_supported=["public", "pairwise"],
#request_object_algs_supported=["HS256"]
)

Expand Down Expand Up @@ -1351,7 +1354,7 @@ def authenticated(self, environ, start_response, **kwargs):
issue_new_code = False
if "active_auth" in kwargs:
scode = kwargs["active_auth"]
user_id = kwargs["user"]
sub = kwargs["user"]
areq = kwargs["areq"]
client_info = self.cdb[areq["client_id"]]
if "code" in areq["response_type"]:
Expand All @@ -1368,15 +1371,15 @@ def authenticated(self, environ, start_response, **kwargs):
pass

try:
(verified, user_id) = self.function["verify_user"](dic)
(verified, sub) = self.function["verify_user"](dic)
if not verified:
resp = Unauthorized("Wrong password")
return resp(environ, start_response)
except AuthnFailure, err:
resp = Unauthorized("%s" % (err,))
return resp(environ, start_response)

_log_debug("verified user_id: %s" % user_id)
_log_debug("verified sub: %s" % sub)

try:
# Use the session identifier to find the session information
Expand All @@ -1398,28 +1401,28 @@ def authenticated(self, environ, start_response, **kwargs):
areq = AuthorizationRequest().deserialize(asession["authzreq"],
"json")

self.sdb.update(scode, "local_user_id", user_id)
self.sdb.update(scode, "local_sub", sub)

(redirect_uri, reply) = self.get_redirect_uri(areq)
client_info = self.cdb[areq["client_id"]]
sector_id = self.get_sector_id(redirect_uri, client_info)
try:
preferred_id_type = client_info["user_id_type"]
preferred_id_type = client_info["subject_type"]
except KeyError:
preferred_id_type = self.preferred_id_type

_log_debug("sector_id: %s, preferred_id_type: %s" % (sector_id,
preferred_id_type))

self.sdb.do_userid(scode, user_id, sector_id, preferred_id_type)
self.sdb.do_userid(scode, sub, sector_id, preferred_id_type)

_log_debug("areq: %s" % areq)
_log_debug("session: %s" % self.sdb[scode])
_log_debug("uid2sid: %s" % self.sdb.uid2sid)

# Do the authorization
try:
permission = self.function["authorize"](user_id)
permission = self.function["authorize"](sub)
self.sdb.update(scode, "permission", permission)
except Exception:
raise
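Review bot: In `authenticated` the renamed local `sub` (from `sub = kwargs["user"]` and `(verified, sub) = self.function["verify_user"](dic)`) holds the locally verified user identifier, which is then written as `local_sub` and handed to `self.sdb.do_userid(scode, sub, sector_id, preferred_id_type)`; `do_userid` is what derives the session's actual `sub`, which may be a pairwise value. The same applies to the `authn_as` branch of `authorization_endpoint` (`sub = self.authn_as` followed by `_sdb.update(sid, "local_sub", sub)`). Naming that variable `local_sub` in both places, e.g. `local_sub = kwargs["user"]` and `(verified, local_sub) = self.function["verify_user"](dic)`, and labelling the debug line `"verified local_sub: %s"`, would stop a reader from taking the value for the subject identifier released to the client. Both functions start and end outside their hunks.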
2 changes: 1 addition & 1 deletion src/oic/utils/keyio.py
Expand Up @@ -277,7 +277,7 @@ def remove(self, typ, val=None):
pass

for key,val in self._key.items():
if val is []:
if val == []:
del self._key[key]

def __str__(self):
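Review bot: Assuming `if val == []:` is the new side (the rendered page drops the markers and the commit message does not mention this file), the comparison is now meaningful, but the surrounding loop still deletes from `self._key` while iterating `self._key.items()`; that only works because Python 2 `items()` returns a list, and raises `RuntimeError` on Python 3. Iterating a snapshot makes the intent explicit and the loop portable: `for key, val in list(self._key.items()):` with `if not val:` as the test. `remove` starts outside the hunk.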
32 changes: 16 additions & 16 deletions src/oic/utils/sdb.py
Expand Up @@ -23,8 +23,8 @@ class ExpiredToken(Exception):
class WrongTokenType(Exception):
pass

def pairwise_id(user_id, sector_identifier, seed):
return hashlib.sha256("%s%s%s" % (user_id, sector_identifier, seed)).hexdigest()
def pairwise_id(sub, sector_identifier, seed):
return hashlib.sha256("%s%s%s" % (sub, sector_identifier, seed)).hexdigest()

class Crypt():
def __init__(self, password, mode=AES.MODE_CBC):
Expand Down Expand Up @@ -163,13 +163,13 @@ def update_by_token(self, token, attribute, value):
(typ, key) = self.token.type_and_key(token)
return self.update(key, attribute, value)

def do_userid(self, sid, user_id, sector_id, preferred_id_type):
def do_userid(self, sid, sub, sector_id, preferred_id_type):
old = [""]
if preferred_id_type == "public":
uid = user_id
uid = sub
else:
uid = pairwise_id(user_id, sector_id, self.seed)
old.append(user_id)
uid = pairwise_id(sub, sector_id, self.seed)
old.append(sub)

logger.debug("uid: %s, old: %s" % (uid, old))
self.uid2sid[uid] = sid
Expand All @@ -181,28 +181,28 @@ def do_userid(self, sid, user_id, sector_id, preferred_id_type):
pass

logger.debug("uid2sid: %s" % self.uid2sid)
self._db[sid]["local_user_id"] = user_id
self._db[sid]["user_id"] = uid
self._db[sid]["local_sub"] = sub
self._db[sid]["sub"] = uid

return uid

def create_authz_session(self, user_id, areq, id_token=None, oidreq=None):
def create_authz_session(self, sub, areq, id_token=None, oidreq=None):
"""
:param user_id: Identifier for the user, this is the real identifier
:param sub: Identifier for the user, this is the real identifier
:param areq: The AuthorizationRequest instance
:param id_token: An IDToken instance
:param oidreq: An OpenIDRequest instance
:return: The session identifier, which is the database key
"""

sid = self.token.key(user=user_id, areq=areq)
sid = self.token.key(user=sub, areq=areq)
access_grant = self.token(sid=sid)

_dic = {
"oauth_state": "authz",
"local_user_id": user_id,
"user_id": user_id,
"local_sub": sub,
"sub": sub,
"code": access_grant,
"code_used": False,
"authzreq": areq.to_json(),
Expand Down Expand Up @@ -232,7 +232,7 @@ def create_authz_session(self, user_id, areq, id_token=None, oidreq=None):
_dic["oidreq"] = oidreq.to_json()

self._db[sid] = _dic
self.uid2sid[user_id] = sid
self.uid2sid[sub] = sid
return sid

def update_to_token(self, token=None, issue_refresh=True, id_token="",
Expand Down Expand Up @@ -375,7 +375,7 @@ def get_sid_from_userid(self, uid):
def duplicate(self, sinfo):
_dic = copy.copy(sinfo)
areq = AuthorizationRequest().from_json(_dic["authzreq"])
sid = self.token.key(user=_dic["user_id"], areq=areq)
sid = self.token.key(user=_dic["sub"], areq=areq)

_dic["code"] = self.token(sid=sid)
_dic["code_used"] = False
Expand All @@ -389,5 +389,5 @@ def duplicate(self, sinfo):
pass

self._db[sid] = _dic
self.uid2sid[_dic["user_id"]] = sid
self.uid2sid[_dic["sub"]] = sid
return sid
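Review bot: `pairwise_id` still derives the identifier from `"%s%s%s" % (sub, sector_identifier, seed)`, a plain concatenation with no delimiter, so two different (sub, sector) pairs whose concatenations coincide produce the same pairwise subject; joining the fields with a separator that cannot occur in them, or length-prefixing each field, removes that ambiguity. Any such change alters every already-issued pairwise identifier, so it is a migration decision rather than a drop-in fix. Separately, `do_userid` now writes `self._db[sid]["local_sub"] = sub` and `self._db[sid]["sub"] = uid` under names that read alike; a docstring stating that `sub` is the value released to clients and `local_sub` the one used for the userinfo lookup (as `_collect_user_info` in provider.py does) would help. `do_userid` continues outside its hunk.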
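--- /dev/null
+++ b/tests/debug_1.py
@@ -0,0 +1,50 @@
+import time
+from oic.oic import Client
+from oic.utils.time_util import utc_time_sans_frac
+from oic.oic.message import IdToken
+from oic.utils.keyio import KeyChain, KeyJar
+
+__author__ = 'rohe0002'
+
+CLIENT_SECRET = "abcdefghijklmnop"
+CLIENT_ID = "client_1"
+
+KC_HMAC_VS = KeyChain({"hmac": "abcdefghijklmnop"}, usage=["ver", "sig"])
+KC_RSA = KeyChain(source="file://../oc3/certs/mycert.key", type="rsa",
+usage=["ver", "sig"])
+KC_HMAC_S = KeyChain({"hmac": "abcdefghijklmnop"}, usage=["sig"])
+
+KEYJ = KeyJar()
+KEYJ[""] = [KC_RSA, KC_HMAC_S]
+KEYJ["client_1"] = [KC_HMAC_VS]
+
+IDTOKEN = IdToken(iss="http://oic.example.org/", user_id="user_id",
+aud=CLIENT_ID, exp=utc_time_sans_frac()+86400,
+nonce="N0nce",
+iat=time.time())
+
+# ----------------- CLIENT --------------------
+
+client = Client(CLIENT_ID)
+client.redirect_uris = ["http://example.com/redirect"]
+client.client_secret = CLIENT_SECRET
+client.keyjar[""] = KC_RSA
+
+claims = {
+"name": {"essential": True},
+"nickname": None,
+"email": {"essential": True},
+"verified": {"essential": True},
+"picture": None
+}
+
+areq = client.construct_AuthorizationRequest(
+request_args={"scope":"openid", "response_type":["code"]},
+userinfo_claims={"claims":claims,
+"preferred_locale":"en"},
+idtoken_claims={"claims":{"auth_time": None,
+"acr":{"values":["2"]}},
+"max_age": 86400},
+)
+
+print areq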
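Review bot: The new script builds `IDTOKEN = IdToken(iss="http://oic.example.org/", user_id="user_id", ...)` with the `user_id` keyword, while the same commit switches `IdToken` construction in oic/__init__.py to `sub=`; if `IdToken` no longer declares `user_id`, this value ends up as an unknown extra claim rather than the subject. It should read `sub="user_id",` (or whatever fixture value is intended). `KC_RSA` also loads `file://../oc3/certs/mycert.key`, a path relative to the working directory, so the script only runs from one location; a comment naming the expected working directory would save the next person a failed run.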
