cco/py-scopes
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

auth, work in progress: decode id_token, + other improvements

Browse source
This commit is contained in:
Helmut Merz 2025-04-25 20:34:52 +02:00
parent 87310b9798
commit 01fc7d2874
4 changed files with 30 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
demo/config.py
View file

@ -28,7 +28,7 @@ dbpassword = getenv('DBPASSWORD', 'secret')
dbschema = getenv('DBSCHEMA', 'demo')
# authentication settings
oidc_provider = 'https://a1.cy7.de'
oidc_provider = getenv('OIDC_PROVIDER', 'https://a1.cy7.de')
oidc_client_id = getenv('OIDC_CLIENT_ID', '311613119816392525')
oidc_params = dict(
op_config_url=oidc_provider + '/.well-known/openid-configuration',

2
demo/demo_server.py
View file

@ -5,10 +5,10 @@ from scopes.storage import topic
import logging
import waitress
from wsgiref.simple_server import make_server
def run(app, config):
oidc.startup() # todo: use generic app.startServices()
port = int(config.server_port)
print(f'Serving on port {port}.')
waitress.serve(app, port=port)

2
scopes/tests/tlib_web.py
View file

@ -29,5 +29,5 @@ def test_app(self, config):
def test_auth(self, config):
from scopes.web.auth import oidc
oidc.loadOidcProviderData()
oidc.startup() # todo: use generic app.startServices()
self.assertEqual(len(config.oidc_params['op_uris']), 8)

34
scopes/web/auth/oidc.py
View file

@ -3,6 +3,7 @@
from cryptography.fernet import Fernet
from email.utils import formatdate
import json
import jwt
import logging
import requests
from time import time
@ -103,7 +104,6 @@ class Authenticator(DummyFolder):
return None
def login(self):
loadOidcProviderData()
req = self.request
#print('***', dir(req))
state = util.rndstr()
@ -142,7 +142,9 @@ class Authenticator(DummyFolder):
tokenUrl = self.params['op_uris']['token_endpoint']
tokenResponse = requests.post(tokenUrl, data=args)
tdata = tokenResponse.json()
#print('*** token response', tdata)
print('*** token response', tdata)
claims = self.getIdTokenData(tdata['id_token'])
print('*** token id claims', claims)
headers = dict(Authorization='Bearer ' + tdata['access_token'])
userInfoUrl = self.params['op_uris']['userinfo_endpoint']
userInfo = requests.get(userInfoUrl, headers=headers)
@ -189,7 +191,6 @@ class Authenticator(DummyFolder):
cookie = self.request.getCookies().get(self.params['cookie_name'])
if cookie is None:
return {}
#raise ValueError('Missing authentication cookie')
if self.cookieCrypt:
cookie = self.cookieCrypt.decrypt(cookie)
#print('*** loadSession', self.params['cookie_name'], cookie)
@ -197,6 +198,23 @@ class Authenticator(DummyFolder):
data = json.loads(cookie)
return data
def getIdTokenData(self, token):
keyUri = self.params['op_uris']['jwks_uri']
jwksClient = jwt.PyJWKClient(keyUri)
key = jwksClient.get_signing_key_from_jwt(token)
return jwt.decode(token, key, options=dict(verify_aud=False))
header = jwt.get_unverified_header(token)
kid = header['kid']
key = self.loadOidcKeys()[kid]
return jwt.decode(token, key, audience=self.params.client_id)
def loadOidcKeys(self):
result = {}
keyUri = self.params['op_uris']['jwks_uri']
for k in requests.get(keyUri).json()['keys']:
result[k['kid']] = jwt.PyJWK(k)
return result
@register('auth', Root)
def authView(context, request):
@ -218,6 +236,11 @@ def logout(context, request):
return DefaultView(context, request)
def startup():
loadOidcProviderData()
#app.Publication.registerBeforeTraversal(
# lambda req: req.setPrincipal(authentication.authenticate(req))
oidcProviderUris = ['authorization_endpoint', 'token_endpoint',
'introspection_endpoint', 'userinfo_endpoint',
'revocation_endpoint', 'end_session_endpoint',
@ -230,8 +253,5 @@ def loadOidcProviderData(force=False):
opData = requests.get(params['op_config_url']).json()
for key in oidcProviderUris:
uris[key] = opData[key]
if force or params.get('op_keys') is None:
#if force or params.get('op_keys') is None:
params['op_keys'] = requests.get(uris['jwks_uri']).json()['keys']