Add an example application using pyOP.

Author: Rebecka Gulliksson

README.md

@@ -7,6 +7,7 @@ Uses [pyoidc](https://github.com/rohe/pyoidc/) and
 # Provider implementations using pyOP
 * [se-leg-op](https://github.com/SUNET/se-leg-op)
 * [SATOSA OIDC frontend](https://github.com/its-dirg/SATOSA/blob/master/src/satosa/frontends/openid_connect.py)
+* [local example](example/views.py)
 
 # Introduction
 

example/README.md

@@ -0,0 +1,8 @@
+# pyOP example application 
+To run the example application, execute the following commands:
+
+```bash
+cd example/
+pip install -r requirements.txt # install the dependencies
+gunicorn wsgi:app -b :9090 --certfile https.crt --keyfile https.key # run the application
+```

example/app.py

@@ -0,0 +1,60 @@
+from flask.app import Flask
+from flask.helpers import url_for
+from jwkest.jwk import RSAKey, rsa_load
+
+from pyop.authz_state import AuthorizationState
+from pyop.provider import Provider
+from pyop.subject_identifier import HashBasedSubjectIdentifierFactory
+from pyop.userinfo import Userinfo
+
+
+def init_oidc_provider(app):
+    with app.app_context():
+        issuer = url_for('oidc_provider.index')[:-1]
+        authentication_endpoint = url_for('oidc_provider.authentication_endpoint')
+        jwks_uri = url_for('oidc_provider.jwks_uri')
+        token_endpoint = url_for('oidc_provider.token_endpoint')
+        userinfo_endpoint = url_for('oidc_provider.userinfo_endpoint')
+        registration_endpoint = url_for('oidc_provider.registration_endpoint')
+        end_session_endpoint = url_for('oidc_provider.end_session_endpoint')
+
+    configuration_information = {
+        'issuer': issuer,
+        'authorization_endpoint': authentication_endpoint,
+        'jwks_uri': jwks_uri,
+        'token_endpoint': token_endpoint,
+        'userinfo_endpoint': userinfo_endpoint,
+        'registration_endpoint': registration_endpoint,
+        'end_session_endpoint': end_session_endpoint,
+        'scopes_supported': ['openid', 'profile'],
+        'response_types_supported': ['code', 'code id_token', 'code token', 'code id_token token'],  # code and hybrid
+        'response_modes_supported': ['query', 'fragment'],
+        'grant_types_supported': ['authorization_code', 'implicit'],
+        'subject_types_supported': ['pairwise'],
+        'token_endpoint_auth_methods_supported': ['client_secret_basic'],
+        'claims_parameter_supported': True
+    }
+
+    userinfo_db = Userinfo(app.users)
+    signing_key = RSAKey(key=rsa_load('signing_key.pem'), alg='RS256')
+    provider = Provider(signing_key, configuration_information,
+                        AuthorizationState(HashBasedSubjectIdentifierFactory(app.config['SUBJECT_ID_HASH_SALT'])),
+                        {}, userinfo_db)
+
+    return provider
+
+
+def oidc_provider_init_app(name=None):
+    name = name or __name__
+    app = Flask(name)
+    app.config.from_pyfile('application.cfg')
+
+    app.users = {'test_user': {'name': 'Testing Name'}}
+
+    from .views import oidc_provider_views
+    app.register_blueprint(oidc_provider_views)
+
+    # Initialize the oidc_provider after views to be able to set correct urls
+    app.provider = init_oidc_provider(app)
+
+    return app

example/application.cfg

@@ -0,0 +1,5 @@
+SERVER_NAME = 'localhost:9090'
+SECRET_KEY = 'secret_key'
+SESSION_COOKIE_NAME='pyop_session'
+SUBJECT_ID_HASH_SALT = 'salt'
+PREFERRED_URL_SCHEME = 'https'

example/https.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEBjCCAu6gAwIBAgIJAIybVu7kfIK0MA0GCSqGSIb3DQEBBQUAMF8xCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMTD2xva2kuaXRzLnVtdS5zZTAeFw0xNTEy
+MTAxNDQyMDFaFw0yNTEyMDcxNDQyMDFaMF8xCzAJBgNVBAYTAkFVMRMwEQYDVQQI
+EwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx
+GDAWBgNVBAMTD2xva2kuaXRzLnVtdS5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALiLDBwIteIobC+7JHoNeQRrTIbws9BghN4UUzyLo7+xeP9YwHaS
+tq6HqYK4cVLyx8k06Siw/4PwqMPNj9/B4f/ZXhEkXgbBP5TP36UgKrUIk4zInRFb
+Rjy+DcqjSZdgW1CKBKWJstXjSYen5rPm+voM/0msi164NPcfDMQIZmcQWh0MmEfG
+qlvdwTvjdaAQt8p7CGsxIdu4gPfhubknbTQKu+BVq5/RCVP7VU830PSr1RYhthX8
+Gt8ir32jEdDdjIrfA/zFx6PChyLkQFXtg/9WymnIM1j2ngNreL2nppwnqMYRnI9i
+C/y7MY4al3WeL9IETrtgh1jzXUNpgpJ03B0CAwEAAaOBxDCBwTAdBgNVHQ4EFgQU
+cTNphzIIRpQBQ2VT0Vx9xQYzNN0wgZEGA1UdIwSBiTCBhoAUcTNphzIIRpQBQ2VT
+0Vx9xQYzNN2hY6RhMF8xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRl
+MSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxGDAWBgNVBAMTD2xv
+a2kuaXRzLnVtdS5zZYIJAIybVu7kfIK0MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADggEBAJYJfUqOPTyZ+tflKoN4l+scIXpBxqtQbjX+MYli6VHpl+M8y163
+KsCglXPddL7Z58KBrUDx1m6f7dFQ3PMYn/S2dUcRrNOdfaDKZ5QgyYj/iVr8HSOh
+6i1OtMFaBqW5WyqA5YgvUz63hZ2kDOBHZcEfSn2+roylBUiueV9gFNKDWneNMLo2
+PMZxcGWZ3wIQbu9ahakbJUvTigFStKeLoY1A2ZSTH7W4elB5DDxYOKZSzd/KZpfn
+/o/Pc7YbbEUYgIyf3QNusdH+t2pw9ZkrlKMhiv9ZAmjAWMDY7O/i3r7u7AkODu7z
+OHbH3rJqkbaiS8/q0cMZG6AMUzPRglzsTc4=
+-----END CERTIFICATE-----

example/https.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAuIsMHAi14ihsL7skeg15BGtMhvCz0GCE3hRTPIujv7F4/1jA
+dpK2roepgrhxUvLHyTTpKLD/g/Cow82P38Hh/9leESReBsE/lM/fpSAqtQiTjMid
+EVtGPL4NyqNJl2BbUIoEpYmy1eNJh6fms+b6+gz/SayLXrg09x8MxAhmZxBaHQyY
+R8aqW93BO+N1oBC3ynsIazEh27iA9+G5uSdtNAq74FWrn9EJU/tVTzfQ9KvVFiG2
+Ffwa3yKvfaMR0N2Mit8D/MXHo8KHIuRAVe2D/1bKacgzWPaeA2t4vaemnCeoxhGc
+j2IL/LsxjhqXdZ4v0gROu2CHWPNdQ2mCknTcHQIDAQABAoIBAQCooAWUqDDqUl1o
+z+voyt7FtvXaZ58mzMsb0h6suDwMMTKKwKI8tprOp4+wrrB+RvFfXUWftPwFp6XO
+JMtOfm7vxcM6jqyMJ5DdfYSx8c6UVR3eCoHbFjf70P3xJ3tbIuTNlw/f4w7Sejj6
+B+W6hVjXm4C55TwEdPWQyYJ0rehESxITn7DDjDNXxxwDqwAv8yPTYf8m7mb7qh3V
+EBnvZPIWpgEIVqV2crQSfHJwg29KhS7cnExJBYEPppBQ4aoUGyMqJN0EyBL4DrRo
+Ds6hPttLaXEmB+ACm/OQzhEeFKduob5OIKRSyp9Z8t6/B9uHiIKCENRU4O4zux57
+jZ8MIypRAoGBAO0anHYHlniyP5f/8u4kvTnW3wbDtRJ3L3zVSKN8shQmQnjNWmsI
+LhLWLU2OTRsXlJB7oYqNBojUBdeGimYot9kmjx4XkxELB6XAaYDG6pDvM7axC5qH
+iuC4jVHdEsIfy9dP6wZ/b+A+JOWWpS1vdAizfvgWI32JLGDPkjjUlzNvAoGBAMdA
+F5KZZLZFYsZM470/bb20qFMURDRI+5yz0VUHTNUQEr/xhMcYFske6ox14A7gXzwd
+SHAvTDkV8DsGu/FzSWzZmVhNc1EtdM3Cbe3Y7WJoIQoupuxBDEvrBE9riyOjW61q
+dYIO2ymfJfc2Vx6d7LAK9itXdqa3RIo7ZPK7EbMzAoGAAR1C5vsaJe8QhXJafewG
+R6NO4QVCcJfGzVtjQAFyBM45OcAdUKt1K/l9tQOaMSpnNFagZ7pJ8ZKthFnJhLlk
+Q8z+lzGdK1NV8d15oXVN3OiC4bTrTQqeCHhVkbDsSaVEm/pwLFOk/vTLz5hpplED
+xpaxXhEckZZ3cu0GzuWQ4FkCgYAb34tspqjAFtTKiNcTElx3vV4OwTcJWWxZb45J
+JsxIwgbdcxvv/h6x4/FL1PGTIzAvaKlJiFRRaBBDMZ35GPeckpQxFiSbppBAeIKI
+U2Bh888rbXtMcY0W0bm4ooLEaYXZrJrjptBh8jGNc7ycO9twhRgK2CFxERI1hDmK
++0BuoQKBgHLRFdJYFkNKB+j56vTlB5AFTXcjs6x0dZ4j0SDAqVYgIHErpd2bhgOz
+s698rfdadwbYN4UEqvV/2NhDLx/jag4BvCermK71HaXvYnvqKw3UHGAG8K/dCCFR
+eSuZnxTSoWAPjMLi64hRzbWVT+oeZuy83lG6qDygbI1z1nlYWdo3
+-----END RSA PRIVATE KEY-----

example/requirements.txt

@@ -0,0 +1,3 @@
+pyop
+Flask
+gunicorn

example/signing_key.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQCi7nye2Ye1MrUD/sZAplfkpMkXHYduydvfvv/+Ihx1ClxKS/KG
+/1EhqyBVVvhHLRs9pimKMyLm2pBE51rGOt//XKhsoFAa37VID2iz7DQuV6DGgyBS
+FaKgaYBpinEQy2WcjU4eABnABV2r+K2UmGkqVJheqHqOqHUKasT4gy/6kQIDAQAB
+AoGAf7u+YX6ioNCvDwHHBVojn/H8YK3axmVkhiYkZWTysGM99VVTPridL2sMfzse
+jBZ1u8Av4tOyMg/5eLtz8+KmRjljpeAEFfsA1htWE8vESXnvDFwKldXD9Vi/kppb
+CYqASGCBUX3i1LPYffvjUxIgD+Tjx4k56c5EN5G331flDV0CQQDP8fWraegLJ+K1
+iXGNQzpaqG3EI3vf35Yb2bJpmD39QIXFIcJJ5MZHVW+1TyvgiavM4hS2+LGA8kGh
+OvMWfbYTAkEAyJWGBUmAW9mooo1Vw4tJjEWAHjHvzcQ4dqIju+WN8Xy5JTWkDD6Z
+VgKGtgLt2HfpSsgej14+Rh5mrjo4SbYxSwJAKG0syq9jOk/9xjc7STBJtvhJprkT
+SxnHsBBpnBfJ7WNO3l1KzVzZo2Kbvg7vQ87gBIvrZQsCT0RJuBOi0LuN2wJAAInm
+Qj1gSt7axRT8FfpZyDankW0w56yPOkJVNjv3lZ5wINl0B1RjtQdstTBs0xf/WGQR
+MPFf2XBbdjxRymDi4QJBAM3MUYPOlUk1UVCSQKyCkBwL3zMaPjBjD5LXkhGJzxsb
+T74NznwmCib/r0Rl/KmD7/bAq7R4aheOS/OMaZyhbkk=
+-----END RSA PRIVATE KEY-----

example/templates/logout.jinja2

@@ -0,0 +1,8 @@
+<!doctype html>
+<title>Logout</title>
+
+Do you really want to logout?
+<form method="POST">
+    <button type="submit" name="logout" value="logout">Yes, logout</button>
+    <button type="submit" name="no_logout" value="no_logout">No, cancel logout</button>
+</form>

example/views.py

@@ -0,0 +1,124 @@
+from urllib.parse import urlencode, parse_qs
+
+import flask
+from flask import Blueprint, redirect
+from flask import current_app
+from flask import jsonify
+from flask.helpers import make_response
+from flask.templating import render_template
+from oic.oic.message import TokenErrorResponse, UserInfoErrorResponse, EndSessionRequest
+
+from pyop.access_token import AccessToken, BearerTokenError
+from pyop.exceptions import InvalidAuthenticationRequest, InvalidAccessToken, InvalidClientAuthentication, OAuthError, \
+    InvalidSubjectIdentifier, InvalidClientRegistrationRequest
+from pyop.util import should_fragment_encode
+
+oidc_provider_views = Blueprint('oidc_provider', __name__, url_prefix='')
+
+
+@oidc_provider_views.route('/')
+def index():
+    return 'Hello world!'
+
+
+@oidc_provider_views.route('/registration', methods=['POST'])
+def registration_endpoint():
+    try:
+        response = current_app.provider.handle_client_registration_request(flask.request.get_data().decode('utf-8'))
+        return make_response(jsonify(response.to_dict()), 201)
+    except InvalidClientRegistrationRequest as e:
+        return make_response(jsonify(e.to_dict()), status=400)
+
+
+@oidc_provider_views.route('/authentication', methods=['GET'])
+def authentication_endpoint():
+    # parse authentication request
+    try:
+        auth_req = current_app.provider.parse_authentication_request(urlencode(flask.request.args),
+                                                                     flask.request.headers)
+    except InvalidAuthenticationRequest as e:
+        current_app.logger.debug('received invalid authn request', exc_info=True)
+        error_url = e.to_error_url()
+        if error_url:
+            return redirect(error_url, 303)
+        else:
+            # show error to user
+            return make_response('Something went wrong: {}'.format(str(e)), 400)
+
+    # automagic authentication
+    authn_response = current_app.provider.authorize(auth_req, 'test_user')
+    response_url = authn_response.request(auth_req['redirect_uri'], should_fragment_encode(auth_req))
+    return redirect(response_url, 303)
+
+
+@oidc_provider_views.route('/.well-known/openid-configuration')
+def provider_configuration():
+    return jsonify(current_app.provider.provider_configuration.to_dict())
+
+
+@oidc_provider_views.route('/jwks')
+def jwks_uri():
+    return jsonify(current_app.provider.jwks)
+
+
+@oidc_provider_views.route('/token', methods=['POST'])
+def token_endpoint():
+    try:
+        token_response = current_app.provider.handle_token_request(flask.request.get_data().decode('utf-8'),
+                                                                   flask.request.headers)
+        return jsonify(token_response.to_dict())
+    except InvalidClientAuthentication as e:
+        current_app.logger.debug('invalid client authentication at token endpoint', exc_info=True)
+        error_resp = TokenErrorResponse(error='invalid_client', error_description=str(e))
+        response = make_response(error_resp.to_json(), 401)
+        response.headers['Content-Type'] = 'application/json'
+        response.headers['WWW-Authenticate'] = 'Basic'
+        return response
+    except OAuthError as e:
+        current_app.logger.debug('invalid request: %s', str(e), exc_info=True)
+        error_resp = TokenErrorResponse(error=e.oauth_error, error_description=str(e))
+        response = make_response(error_resp.to_json(), 400)
+        response.headers['Content-Type'] = 'application/json'
+        return response
+
+
+@oidc_provider_views.route('/userinfo', methods=['GET', 'POST'])
+def userinfo_endpoint():
+    try:
+        response = current_app.provider.handle_userinfo_request(flask.request.get_data().decode('utf-8'),
+                                                                flask.request.headers)
+        return jsonify(response.to_dict())
+    except (BearerTokenError, InvalidAccessToken) as e:
+        error_resp = UserInfoErrorResponse(error='invalid_token', error_description=str(e))
+        response = make_response(error_resp.to_json(), 401)
+        response.headers['WWW-Authenticate'] = AccessToken.BEARER_TOKEN_TYPE
+        response.headers['Content-Type'] = 'application/json'
+        return response
+
+
+def do_logout(end_session_request):
+    try:
+        current_app.provider.logout_user(end_session_request=end_session_request)
+    except InvalidSubjectIdentifier as e:
+        return make_response('Logout unsuccessful!', 400)
+
+    redirect_url = current_app.provider.do_post_logout_redirect(end_session_request)
+    if redirect_url:
+        return redirect(redirect_url, 303)
+
+    return make_response('Logout successful!')
+
+
+@oidc_provider_views.route('/logout', methods=['GET', 'POST'])
+def end_session_endpoint():
+    if flask.request.method == 'GET':
+        # redirect from RP
+        end_session_request = EndSessionRequest().deserialize(urlencode(flask.request.args))
+        flask.session['end_session_request'] = end_session_request.to_dict()
+        return render_template('logout.jinja2')
+    else:
+        form = parse_qs(flask.request.get_data().decode('utf-8'))
+        if 'logout' in form:
+            return do_logout(EndSessionRequest().from_dict(flask.session['end_session_request']))
+        else:
+            return make_response('You chose not to logout')

example/wsgi.py

@@ -0,0 +1,7 @@
+import logging
+
+from example.app import oidc_provider_init_app
+
+name = 'oidc_provider'
+app = oidc_provider_init_app(name)
+logging.basicConfig(level=logging.DEBUG)