Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audience is endpoint dependent. #430

Merged
merged 4 commits into from
Oct 6, 2017
Merged

Audience is endpoint dependent. #430

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e580c62
Audience is endpoint dependent.
rohe Oct 6, 2017
9a685e8
Minimal provider info wasn't enough.
rohe Oct 6, 2017
26f4ecd
Updated Changelog
rohe Oct 6, 2017
612ed45
To increase coverage
rohe Oct 6, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,11 @@ The format is based on the [KeepAChangeLog] project.
## 0.13.0 [Unreleased]

### Fixed
- [#430] Audience of a client assertion is endpoint dependent.
- [#427] Made matching for response_types order independent for authorization requests
- [#399] Matching response_types for authz requests is too strict

[#430]: https://github.com/OpenIDC/pyoidc/pull/430
[#427]: https://github.com/OpenIDC/pyoidc/pull/427
[#399]: https://github.com/OpenIDC/pyoidc/issues/399

Expand Down
5 changes: 4 additions & 1 deletion src/oic/utils/authn/client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
at = AuthnToken(iss=cli.client_id, sub=cli.client_id,
aud=audience, jti=rndstr(32),
exp=_now + lifetime, iat=_now)
logger.debug('AuthnToken: {}'.format(at.to_dict()))
return at.to_jwt(key=keys, algorithm=algorithm)


Expand Down Expand Up @@ -310,14 +311,16 @@ def construct(self, cis, request_args=None, http_args=None, **kwargs):
# audience is the OP endpoint
# audience = self.cli._endpoint(REQUEST2ENDPOINT[cis.type()])
# OR OP identifier
audience = self.cli.provider_info['issuer']
algorithm = None
if kwargs['authn_endpoint'] in ['token', 'refresh']:
try:
algorithm = self.cli.registration_info[
'token_endpoint_auth_signing_alg']
except (KeyError, AttributeError):
pass
audience = self.cli.provider_info['token_endpoint']
else:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The drop in coverage is caused by this branch, which is never covered.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can easily be remedied

audience = self.cli.provider_info['issuer']

if not algorithm:
algorithm = self.choose_algorithm(**kwargs)
Expand Down
37 changes: 34 additions & 3 deletions tests/test_client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,7 +188,8 @@ def test_construct(self, client):
{"key": _key, "kty": "RSA", "use": "sig"}])
client.keyjar[""] = kc_rsa
client.token_endpoint = "https://example.com/token"
client.provider_info = {'issuer': 'https://example.com/'}
client.provider_info = {'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"}
cis = AccessTokenRequest()
pkj = PrivateKeyJWT(client)
http_args = pkj.construct(cis, algorithm="RS256",
Expand All @@ -199,12 +200,14 @@ def test_construct(self, client):
jso = _jwt.payload()
assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
assert _jwt.headers == {'alg': 'RS256'}
assert jso['aud'] == [client.provider_info['token_endpoint']]


class TestClientSecretJWT(object):
class TestClientSecretJWT_TE(object):
def test_client_secret_jwt(self, client):
client.token_endpoint = "https://example.com/token"
client.provider_info = {'issuer': 'https://example.com/'}
client.provider_info = {'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"}

csj = ClientSecretJWT(client)
cis = AccessTokenRequest()
Expand All @@ -224,6 +227,34 @@ def test_client_secret_jwt(self, client):
cas, [SYMKey(k=b64e(as_bytes(client.client_secret)))])

assert _eq(info.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
assert info['aud'] == [client.provider_info['token_endpoint']]


class TestClientSecretJWT_UI(object):
def test_client_secret_jwt(self, client):
client.token_endpoint = "https://example.com/token"
client.provider_info = {'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"}

csj = ClientSecretJWT(client)
cis = AccessTokenRequest()

csj.construct(cis, algorithm="HS256",
authn_endpoint='userinfo')
assert cis["client_assertion_type"] == JWT_BEARER
assert "client_assertion" in cis
cas = cis["client_assertion"]
_jwt = JWT().unpack(cas)
jso = _jwt.payload()
assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
assert _jwt.headers == {'alg': 'HS256'}

_rj = JWS()
info = _rj.verify_compact(
cas, [SYMKey(k=b64e(as_bytes(client.client_secret)))])

assert _eq(info.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
assert info['aud'] == [client.provider_info['issuer']]


class TestValidClientInfo(object):
Expand Down