
Commit 754171d

An example configuration for an RP that knows DPoP.
Support the usage of DPoP for the user info endpoint.
1 parent 0a47f8a commit 754171d

2 files changed

+223
-0
lines changed

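--- a/example/flask_rp/dpop_conf.json
+++ b/example/flask_rp/dpop_conf.json
@@ -0,0 +1,218 @@
+{
+  "logging": {
+    "version": 1,
+    "disable_existing_loggers": false,
+    "root": {
+      "handlers": [
+        "file"
+      ],
+      "level": "DEBUG"
+    },
+    "loggers": {
+      "idp": {
+        "level": "DEBUG"
+      }
+    },
+    "handlers": {
+      "file": {
+        "class": "logging.FileHandler",
+        "filename": "dpoop_debug.log",
+        "formatter": "default"
+      }
+    },
+    "formatters": {
+      "default": {
+        "format": "%(asctime)s %(name)s %(levelname)s %(message)s"
+      }
+    }
+  },
+  "port": 8090,
+  "domain": "127.0.0.1",
+  "base_url": "https://{domain}:{port}",
+  "httpc_params": {
+    "verify": false
+  },
+  "rp_keys": {
+    "private_path": "private/jwks.json",
+    "key_defs": [
+      {
+        "type": "RSA",
+        "key": "",
+        "use": [
+          "sig"
+        ]
+      },
+      {
+        "type": "EC",
+        "crv": "P-256",
+        "use": [
+          "sig"
+        ]
+      }
+    ],
+    "public_path": "static/jwks.json",
+    "read_only": false
+  },
+  "services": {
+    "discovery": {
+      "class": "oidcrp.oidc.provider_info_discovery.ProviderInfoDiscovery",
+      "kwargs": {}
+    },
+    "registration": {
+      "class": "oidcrp.oidc.registration.Registration",
+      "kwargs": {}
+    },
+    "authorization": {
+      "class": "oidcrp.oidc.authorization.Authorization",
+      "kwargs": {}
+    },
+    "accesstoken": {
+      "class": "oidcrp.oidc.access_token.AccessToken",
+      "kwargs": {}
+    },
+    "userinfo": {
+      "class": "oidcrp.oidc.userinfo.UserInfo",
+      "kwargs": {}
+    },
+    "end_session": {
+      "class": "oidcrp.oidc.end_session.EndSession",
+      "kwargs": {}
+    }
+  },
+  "clients": {
+    "": {
+      "client_preferences": {
+        "application_name": "rphandler",
+        "application_type": "web",
+        "contacts": [
+
+        ],
+        "response_types": [
+          "code"
+        ],
+        "scope": [
+          "openid",
+          "profile",
+          "email",
+          "address",
+          "phone"
+        ],
+        "token_endpoint_auth_method": [
+          "client_secret_basic",
+          "client_secret_post"
+        ]
+      },
+      "redirect_uris": [],
+      "services": {
+        "discovery": {
+          "class": "oidcrp.oidc.provider_info_discovery.ProviderInfoDiscovery",
+          "kwargs": {}
+        },
+        "registration": {
+          "class": "oidcrp.oidc.registration.Registration",
+          "kwargs": {}
+        },
+        "authorization": {
+          "class": "oidcrp.oidc.authorization.Authorization",
+          "kwargs": {}
+        },
+        "accesstoken": {
+          "class": "oidcrp.oidc.access_token.AccessToken",
+          "kwargs": {}
+        },
+        "userinfo": {
+          "class": "oidcrp.oidc.userinfo.UserInfo",
+          "kwargs": {}
+        },
+        "end_session": {
+          "class": "oidcrp.oidc.end_session.EndSession",
+          "kwargs": {}
+        }
+      }
+    },
+    "flask_provider": {
+      "client_preferences": {
+        "application_name": "rphandler",
+        "application_type": "web",
+        "contacts": [
+
+        ],
+        "response_types": [
+          "code"
+        ],
+        "scope": [
+          "openid",
+          "profile",
+          "email",
+          "address",
+          "phone"
+        ],
+        "token_endpoint_auth_method": [
+          "client_secret_basic",
+          "client_secret_post"
+        ]
+      },
+      "issuer": "https://127.0.0.1:5000/",
+      "redirect_uris": [
+        "https://{domain}:{port}/authz_cb/local"
+      ],
+      "post_logout_redirect_uris": [
+        "https://{domain}:{port}/session_logout/local"
+      ],
+      "frontchannel_logout_uri": "https://{domain}:{port}/fc_logout/local",
+      "frontchannel_logout_session_required": true,
+      "backchannel_logout_uri": "https://{domain}:{port}/bc_logout/local",
+      "backchannel_logout_session_required": true,
+      "services": {
+        "discovery": {
+          "class": "oidcrp.oidc.provider_info_discovery.ProviderInfoDiscovery",
+          "kwargs": {}
+        },
+        "registration": {
+          "class": "oidcrp.oidc.registration.Registration",
+          "kwargs": {}
+        },
+        "authorization": {
+          "class": "oidcrp.oidc.authorization.Authorization",
+          "kwargs": {}
+        },
+        "accesstoken": {
+          "class": "oidcrp.oidc.access_token.AccessToken",
+          "kwargs": {}
+        },
+        "userinfo": {
+          "class": "oidcrp.oidc.userinfo.UserInfo",
+          "kwargs": {}
+        },
+        "end_session": {
+          "class": "oidcrp.oidc.end_session.EndSession",
+          "kwargs": {}
+        }
+      },
+      "add_ons": {
+        "pkce": {
+          "function": "oidcrp.oauth2.add_on.pkce.add_support",
+          "kwargs": {
+            "code_challenge_length": 64,
+            "code_challenge_method": "S256"
+          }
+        },
+        "dpop": {
+          "function": "oidcrp.oauth2.add_on.dpop.add_support",
+          "kwargs": {
+            "signing_algorithms": [
+              "ES256", "ES384", "ES512"
+            ]
+          }
+        }
+      }
+    }
+  },
+  "webserver": {
+    "port": 8090,
+    "domain": "127.0.0.1",
+    "server_cert": "certs/cert.pem",
+    "server_key": "certs/key.pem",
+    "debug": true
+  }
+}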
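Review bot: `"httpc_params": {"verify": false}` (line 33 of the new file) disables TLS certificate verification for every outbound request this RP makes, including the discovery, token and userinfo calls that the DPoP add-on is meant to protect, so the proof is sent to a server whose identity is never checked. That is understandable for a local example with self-signed certs, but since this file is the one people will copy, it deserves either a `"verify": true` default or, if httpc_params is passed through to requests, a CA bundle path pointing at the local `certs/cert.pem`. Line 19's `"filename": "dpoop_debug.log"` looks like a typo for `dpop_debug.log`, and with root logging at DEBUG that file will likely receive token material, so it should at least be named consistently and kept out of version control. Note also that the `dpop` add-on is configured only under the `flask_provider` client, not the default `""` client, which may be intended but is worth stating in the example's README.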

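--- a/src/oidcrp/oauth2/add_on/dpop.py
+++ b/src/oidcrp/oauth2/add_on/dpop.py
@@ -151,10 +151,15 @@ def add_support(services, signing_algorithms: Optional[list] = None):
     :param signing_algorithms:
     """
 
+    # Access token request should use DPoP header
     _service = services["accesstoken"]
     _context = _service.client_get("service_context")
     _context.add_on['dpop'] = {
         # "key": key_by_alg(signing_algorithm),
         "sign_algs": signing_algorithms
     }
     _service.construct_extra_headers.append(dpop_header)
+
+    # The same for userinfo requests
+    _service = services["userinfo"]
+    _service.construct_extra_headers.append(dpop_header)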
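Review bot: `_service = services["userinfo"]` on the new last lines indexes the dict unconditionally, so an RP whose configuration registers the DPoP add-on but no userinfo service now fails inside `add_support` with a KeyError where it previously worked; guard it with `if "userinfo" in services:` (or `services.get("userinfo")`) before appending the header. The `add_on['dpop']` settings are written only through the accesstoken service's `client_get("service_context")`, and whether `dpop_header` invoked from the userinfo service reads the same context is not visible in this hunk and is worth confirming. Likewise, a DPoP proof presented to a resource server such as userinfo is expected to bind to the access token (the `ath` claim of RFC 9449) rather than being the same proof shape used at the token endpoint, and this hunk does not show whether `dpop_header` distinguishes the two cases. The function's signature and the start of its docstring lie before the hunk.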
