From 82d6172a86b29785b98747de03cf6e861ddb222d Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Tue, 6 Feb 2024 20:07:33 +0100 Subject: [PATCH 01/15] feat: added get_client_organisation_name method to retrieve the correct RP name --- spid_cie_oidc/provider/views/__init__.py | 75 +++++++++++-------- .../provider/views/authz_request_view.py | 10 ++- .../provider/views/consent_page_view.py | 4 +- 3 files changed, 52 insertions(+), 37 deletions(-) diff --git a/spid_cie_oidc/provider/views/__init__.py b/spid_cie_oidc/provider/views/__init__.py index 8ca9832d..3ef40868 100644 --- a/spid_cie_oidc/provider/views/__init__.py +++ b/spid_cie_oidc/provider/views/__init__.py @@ -32,6 +32,7 @@ OIDCFED_PROVIDER_PROFILES_ACR_4_REFRESH, OIDCFED_PROVIDER_PROFILES_ID_TOKEN_CLAIMS ) + logger = logging.getLogger(__name__) @@ -40,7 +41,7 @@ class OpBase: Baseclass with common methods for OPs """ - def redirect_response_data(self, redirect_uri:str, **kwargs) -> HttpResponseRedirect: + def redirect_response_data(self, redirect_uri: str, **kwargs) -> HttpResponseRedirect: if "?" in redirect_uri: qstring = "&" else: @@ -114,7 +115,7 @@ def validate_authz_request_object(self, req) -> TrustChain: jwks = get_jwks( rp_trust_chain.metadata['openid_relying_party'], - federation_jwks = rp_trust_chain.jwks + federation_jwks=rp_trust_chain.jwks ) jwk = self.find_jwk(header, jwks) if not jwk: @@ -178,7 +179,7 @@ def check_session(self, request) -> OidcSession: ) session_not_after = session.created + timezone.timedelta( - minutes = OIDCFED_PROVIDER_AUTH_CODE_MAX_AGE + minutes=OIDCFED_PROVIDER_AUTH_CODE_MAX_AGE ) if session_not_after < timezone.localtime(): raise ExpiredAuthCode( 
@@ -199,12 +200,12 @@ def check_client_assertion(self, client_id: str, client_assertion: str) -> bool: _op = self.get_issuer() _op_eid = _op.sub _op_eid_authz_endpoint = [_op.metadata['openid_provider']['authorization_endpoint']] - + try: ClientAssertion(**payload) except Exception as e: raise Exception(f"Client Assertion: json schema validation error: {e}") - + if isinstance(_aud, str): _aud = [_aud] _allowed_auds = _aud + _op_eid_authz_endpoint @@ -250,9 +251,9 @@ def get_jwt_common_data(self): } def get_access_token( - self, iss_sub:str, sub:str, authz: OidcSession, commons:dict + self, iss_sub: str, sub: str, authz: OidcSession, commons: dict ) -> dict: - + access_token = { "iss": iss_sub, "sub": sub, @@ -266,8 +267,8 @@ def get_access_token( return access_token def get_id_token_claims( - self, - authz:OidcSession + self, + authz: OidcSession ) -> dict: _provider_profile = getattr(settings, 'OIDCFED_DEFAULT_PROVIDER_PROFILE', OIDCFED_DEFAULT_PROVIDER_PROFILE) claims = {} @@ -276,21 +277,21 @@ def get_id_token_claims( return claims for claim in ( - authz.authz_request.get( - "claims", {} - ).get("id_token", {}).keys() + authz.authz_request.get( + "claims", {} + ).get("id_token", {}).keys() ): if claim in allowed_id_token_claims and authz.user.attributes.get(claim, None): claims[claim] = authz.user.attributes[claim] return claims def get_id_token( - self, - iss_sub:str, - sub:str, - authz:OidcSession, - jwt_at:str, - commons:dict + self, + iss_sub: str, + sub: str, + authz: OidcSession, + jwt_at: str, + commons: dict ) -> dict: id_token = { 
@@ -312,19 +313,19 @@ def get_id_token( def get_refresh_token( self, - iss_sub:str, - sub:str, - authz:OidcSession, - jwt_at:str, - commons:dict + iss_sub: str, + sub: str, + authz: OidcSession, + jwt_at: str, + commons: dict ) -> dict: # refresh token is scope offline_access and prompt == consent refresh_acrs = OIDCFED_PROVIDER_PROFILES_ACR_4_REFRESH[OIDCFED_DEFAULT_PROVIDER_PROFILE] acrs = authz.authz_request.get('acr_values', []) if ( - "offline_access" in authz.authz_request['scope'] and - 'consent' in authz.authz_request['prompt'] and - set(refresh_acrs).intersection(set(acrs)) + "offline_access" in authz.authz_request['scope'] and + 'consent' in authz.authz_request['prompt'] and + set(refresh_acrs).intersection(set(acrs)) ): refresh_token = { "sub": sub, @@ -337,8 +338,8 @@ def get_refresh_token( refresh_token.update(commons) return refresh_token - def get_iss_token_data(self, session : OidcSession, issuer: FederationEntityConfiguration): - _sub = session.pairwised_sub(provider_id = issuer.sub) + def get_iss_token_data(self, session: OidcSession, issuer: FederationEntityConfiguration): + _sub = session.pairwised_sub(provider_id=issuer.sub) iss_sub = issuer.sub commons = self.get_jwt_common_data() jwk = issuer.jwks_core[0] @@ -363,7 +364,7 @@ def get_iss_token_data(self, session : OidcSession, issuer: FederationEntityConf def get_expires_in(self, iat: int, exp: int): return timezone.timedelta( - seconds = exp - iat + seconds=exp - iat ).seconds def attributes_names_to_release(self, request, session: OidcSession) -> dict: 
@@ -391,6 +392,18 @@ def attributes_names_to_release(self, request, session: OidcSession) -> dict: for i in filtered_user_claims.keys() ] return dict( - i18n_user_claims = i18n_user_claims, - filtered_user_claims = filtered_user_claims + i18n_user_claims=i18n_user_claims, + filtered_user_claims=filtered_user_claims ) + + def get_client_organisation_name(self, tc): + fed_metadata = tc.metadata.get("federation_entity", {}) + name = fed_metadata.get("organization_name", "") + if not name: + op_metadata = tc.metadata.get("openid_relying_party", {}) + name = op_metadata.get("organization_name", "") + if not name: + name = op_metadata.get("client_name", "") + if not name: + name = op_metadata.get("client_id", "") + return name diff --git a/spid_cie_oidc/provider/views/authz_request_view.py b/spid_cie_oidc/provider/views/authz_request_view.py index 415b738f..b59d4cf2 100644 --- a/spid_cie_oidc/provider/views/authz_request_view.py +++ b/spid_cie_oidc/provider/views/authz_request_view.py @@ -198,10 +198,14 @@ def get(self, request, *args, **kwargs): # stores the authz request in a hidden field in the form form = self.get_login_form()() + + # context = { + # "client_organization_name": tc.metadata.get( + # "client_name", self.payload["client_id"] + # ), + context = { - "client_organization_name": tc.metadata.get( - "client_name", self.payload["client_id"] - ), + "client_organization_name": self.get_client_organisation_name(tc), "hidden_form": AuthzHiddenForm(dict(authz_request_object=req)), "form": form, "redirect_uri": self.payload["redirect_uri"], diff --git a/spid_cie_oidc/provider/views/consent_page_view.py b/spid_cie_oidc/provider/views/consent_page_view.py index 14fb0b26..56ffd843 100644 --- a/spid_cie_oidc/provider/views/consent_page_view.py +++ b/spid_cie_oidc/provider/views/consent_page_view.py 
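Review bot: `get_client_organisation_name` has no docstring, and its second local is called `op_metadata` although it holds the `openid_relying_party` block of the RP's trust chain rather than OP metadata; `rp_metadata` would say what it reads. A docstring such as `"""Return a display name for the RP from its trust-chain metadata: federation_entity.organization_name, then the RP's organization_name, client_name and client_id; "" when none is present."""` would also pin the precedence, which the rewrite two commits later changes. Because the value is metadata the RP publishes about itself and is rendered into the login and consent pages by the two call sites in this commit, it should be treated as untrusted display text and left to the templates' default auto-escaping rather than marked safe — the templates are not in this patch, so that is an assumption to confirm.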
@@ -56,9 +56,7 @@ def get(self, request, *args, **kwargs): context = { "form": self.get_consent_form()(), "session": session, - "client_organization_name": tc.metadata.get( - "client_name", session.client_id - ), + "client_organization_name": self.get_client_organisation_name(tc), "user_claims": sorted(set(i18n_user_claims),), "redirect_uri": session.authz_request["redirect_uri"], "state": session.authz_request["state"] From 4740ea5bccf81153f15b985d8ac46b995eb24ade Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Tue, 6 Feb 2024 20:16:55 +0100 Subject: [PATCH 02/15] chore: fix CIE organization_name --- examples/provider/dumps/example.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/provider/dumps/example.json b/examples/provider/dumps/example.json index 06242afd..fb0e7e4b 100644 --- a/examples/provider/dumps/example.json +++ b/examples/provider/dumps/example.json @@ -147,7 +147,7 @@ "metadata": { "federation_entity": { "federation_resolve_endpoint": "http://127.0.0.1:8002/oidc/op/resolve", - "organization_name": "SPID OIDC identity provider", + "organization_name": "CIE OIDC identity provider", "homepage_uri": "http://127.0.0.1:8002", "policy_uri": "http://127.0.0.1:8002/oidc/op/en/website/legal-information", "logo_uri": "http://127.0.0.1:8002/static/svg/logo-cie.svg", From 6403674dae07cf5536c82357b459b5cad261b1b6 Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Wed, 7 Feb 2024 07:42:29 +0100 Subject: [PATCH 03/15] fix: updated cryptography rsa import to 42.0.2 --- spid_cie_oidc/entity/jwks.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/spid_cie_oidc/entity/jwks.py b/spid_cie_oidc/entity/jwks.py index 9726d505..b65f844d 100644 --- a/spid_cie_oidc/entity/jwks.py +++ b/spid_cie_oidc/entity/jwks.py 
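Review bot: The consent page's fallback moves from `session.client_id` to whatever `client_id` the RP's `openid_relying_party` metadata carries, so an RP whose metadata lacks `client_id` and the other name fields now renders an empty name where the old code showed the session's client id. Keeping the session value as the last resort, `"client_organization_name": self.get_client_organisation_name(tc) or session.client_id,`, preserves the earlier behaviour; the same applies to the authz_request_view call site in this commit, which previously fell back to `self.payload["client_id"]`. The enclosing `get` starts before this hunk.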
@@ -2,7 +2,7 @@ from cryptojwt.jwk.rsa import new_rsa_key from cryptography.hazmat.primitives import serialization from cryptojwt.jwk.rsa import RSAKey - +from cryptography.hazmat.primitives.asymmetric import rsa import cryptography from django.conf import settings @@ -64,9 +64,9 @@ def serialize_rsa_key(rsa_key, kind="public", hash_func="SHA-256"): cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey """ data = {} - if isinstance(rsa_key, cryptography.hazmat.backends.openssl.rsa._RSAPublicKey): + if isinstance(rsa_key, rsa.RSAPublicKey): data = {"pub_key": rsa_key} - elif isinstance(rsa_key, cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey): + elif isinstance(rsa_key, rsa.RSAPrivateKey): data = {"priv_key": rsa_key} elif isinstance(rsa_key, (str, bytes)): # pragma: no cover if kind == "private": From ab823916862cc07558afc3712e008a28a407b4c6 Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Wed, 7 Feb 2024 08:02:04 +0100 Subject: [PATCH 04/15] chore: bump to 1.3.1 --- spid_cie_oidc/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spid_cie_oidc/__init__.py b/spid_cie_oidc/__init__.py index 67bc602a..9c73af26 100644 --- a/spid_cie_oidc/__init__.py +++ b/spid_cie_oidc/__init__.py @@ -1 +1 @@ -__version__ = "1.3.0" +__version__ = "1.3.1" From 22381842391ada11826e9fe6316941d0278a3faf Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Wed, 7 Feb 2024 09:59:17 +0100 Subject: [PATCH 05/15] fix: corrected proposed change --- spid_cie_oidc/provider/views/__init__.py | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/spid_cie_oidc/provider/views/__init__.py b/spid_cie_oidc/provider/views/__init__.py index 3ef40868..b29269af 100644 --- a/spid_cie_oidc/provider/views/__init__.py +++ b/spid_cie_oidc/provider/views/__init__.py 
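Review bot: The docstring of `serialize_rsa_key` still names `cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey` (visible in the hunk's context) while the code now tests against the public interfaces `rsa.RSAPublicKey` / `rsa.RSAPrivateKey`; update the docstring to name those two types so the documented contract matches the `isinstance` checks. Moving to the abstract interfaces is the right fix, since the `_RSA*Key` classes were private backend details that the commit subject's cryptography 42.0.2 no longer exposes. With the `cryptography.hazmat.backends...` references gone from this function, the bare `import cryptography` two lines above the new import may be unused — worth checking before leaving it. The function continues past the hunk.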
@@ -397,13 +397,19 @@ def attributes_names_to_release(self, request, session: OidcSession) -> dict: ) def get_client_organisation_name(self, tc): - fed_metadata = tc.metadata.get("federation_entity", {}) - name = fed_metadata.get("organization_name", "") - if not name: - op_metadata = tc.metadata.get("openid_relying_party", {}) - name = op_metadata.get("organization_name", "") - if not name: - name = op_metadata.get("client_name", "") - if not name: - name = op_metadata.get("client_id", "") + global name + rp_metadata = ( + tc.metadata.get( + "federation_entity", {} + ) or + tc.metadata.get( + "openid_relying_party", {} + ) + ) + if rp_metadata: + name = ( + rp_metadata.get("organization_name", "") or + rp_metadata.get("client_name", "") or + rp_metadata.get("client_id", "") + ) return name From 0f1c63afa32e7907b6fff8176b36a3c3d545d177 Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Wed, 7 Feb 2024 10:51:36 +0100 Subject: [PATCH 06/15] fix: scope issue --- spid_cie_oidc/provider/views/__init__.py | 1 - 1 file changed, 1 deletion(-) diff --git a/spid_cie_oidc/provider/views/__init__.py b/spid_cie_oidc/provider/views/__init__.py index b29269af..de69e1f7 100644 --- a/spid_cie_oidc/provider/views/__init__.py +++ b/spid_cie_oidc/provider/views/__init__.py @@ -397,7 +397,6 @@ def attributes_names_to_release(self, request, session: OidcSession) -> dict: ) def get_client_organisation_name(self, tc): - global name rp_metadata = ( tc.metadata.get( "federation_entity", {} From e4e61f6af9d21dece02307c2b0959c9339608ac8 Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Wed, 7 Feb 2024 12:00:50 +0100 Subject: [PATCH 07/15] Update spid_cie_oidc/provider/views/consent_page_view.py Co-authored-by: Giuseppe De Marco --- spid_cie_oidc/provider/views/consent_page_view.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
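Review bot: After the rewrite `name` is only assigned inside `if rp_metadata:`, so a trust chain whose metadata carries neither a `federation_entity` nor an `openid_relying_party` block reaches `return name` with `name` unbound (a `NameError` here, an `UnboundLocalError` once the following commit drops `global name`); `global name` itself also turned the value into module state shared between requests, which that commit fixes. The `or` between the two metadata blocks also loses the earlier fallback: a `federation_entity` block without `organization_name` short-circuits to `""` and the RP's `client_name`/`client_id` are never consulted. Looking each field up in its own block, with `""` as the final default, restores both, as below.
```python
    def get_client_organisation_name(self, tc):
        """Return a display name for the RP taken from its trust-chain metadata.

        Prefers federation_entity.organization_name, then the RP's
        organization_name, client_name and client_id; "" when none is present.
        """
        fed_metadata = tc.metadata.get("federation_entity", {})
        rp_metadata = tc.metadata.get("openid_relying_party", {})
        return (
            fed_metadata.get("organization_name", "") or
            rp_metadata.get("organization_name", "") or
            rp_metadata.get("client_name", "") or
            rp_metadata.get("client_id", "")
        )
```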
diff --git a/spid_cie_oidc/provider/views/consent_page_view.py b/spid_cie_oidc/provider/views/consent_page_view.py index 56ffd843..f639db23 100644 --- a/spid_cie_oidc/provider/views/consent_page_view.py +++ b/spid_cie_oidc/provider/views/consent_page_view.py @@ -56,7 +56,7 @@ def get(self, request, *args, **kwargs): context = { "form": self.get_consent_form()(), "session": session, - "client_organization_name": self.get_client_organisation_name(tc), + "client_organization_name": self.get_client_organization_name(tc), "user_claims": sorted(set(i18n_user_claims),), "redirect_uri": session.authz_request["redirect_uri"], "state": session.authz_request["state"] From d718b27eb896b589b22352828a90f70d2bdf8e81 Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Wed, 7 Feb 2024 12:00:59 +0100 Subject: [PATCH 08/15] Update spid_cie_oidc/provider/views/__init__.py Co-authored-by: Giuseppe De Marco --- spid_cie_oidc/provider/views/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spid_cie_oidc/provider/views/__init__.py b/spid_cie_oidc/provider/views/__init__.py index de69e1f7..d154e661 100644 --- a/spid_cie_oidc/provider/views/__init__.py +++ b/spid_cie_oidc/provider/views/__init__.py @@ -396,7 +396,7 @@ def attributes_names_to_release(self, request, session: OidcSession) -> dict: filtered_user_claims=filtered_user_claims ) - def get_client_organisation_name(self, tc): + def get_client_organization_name(self, tc): rp_metadata = ( tc.metadata.get( "federation_entity", {} From b6e8a15b791cc325eb6f0049fbe456c240e82945 Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Wed, 7 Feb 2024 12:01:12 +0100 Subject: [PATCH 09/15] Update spid_cie_oidc/provider/views/authz_request_view.py Co-authored-by: Giuseppe De Marco --- spid_cie_oidc/provider/views/authz_request_view.py | 6 ------ 1 file changed, 6 deletions(-) 
diff --git a/spid_cie_oidc/provider/views/authz_request_view.py b/spid_cie_oidc/provider/views/authz_request_view.py index b59d4cf2..91aa24b7 100644 --- a/spid_cie_oidc/provider/views/authz_request_view.py +++ b/spid_cie_oidc/provider/views/authz_request_view.py @@ -198,12 +198,6 @@ def get(self, request, *args, **kwargs): # stores the authz request in a hidden field in the form form = self.get_login_form()() - - # context = { - # "client_organization_name": tc.metadata.get( - # "client_name", self.payload["client_id"] - # ), - context = { "client_organization_name": self.get_client_organisation_name(tc), "hidden_form": AuthzHiddenForm(dict(authz_request_object=req)), From de5969c081d78862e8a888c5ae96843735f6b5dc Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Wed, 7 Feb 2024 12:11:23 +0100 Subject: [PATCH 10/15] fix: reinstated method name --- spid_cie_oidc/provider/views/authz_request_view.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spid_cie_oidc/provider/views/authz_request_view.py b/spid_cie_oidc/provider/views/authz_request_view.py index 91aa24b7..76e3df86 100644 --- a/spid_cie_oidc/provider/views/authz_request_view.py +++ b/spid_cie_oidc/provider/views/authz_request_view.py @@ -199,7 +199,7 @@ def get(self, request, *args, **kwargs): # stores the authz request in a hidden field in the form form = self.get_login_form()() context = { - "client_organization_name": self.get_client_organisation_name(tc), + "client_organization_name": self.get_client_organization_name(tc), "hidden_form": AuthzHiddenForm(dict(authz_request_object=req)), "form": form, "redirect_uri": self.payload["redirect_uri"], From 7d2e0b911a570a6c1e4efd17bc16c142b1e53ba1 Mon Sep 17 00:00:00 2001 
From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Fri, 8 Mar 2024 16:00:10 +0100 Subject: [PATCH 11/15] feat: distinction between sig and enc keys during RP and OP operations --- .../federation_authority/dumps/example.json | 24 +++++++++++++++++-- examples/relying_party/dumps/example.json | 21 ++++++++++++++++ spid_cie_oidc/entity/utils.py | 17 +++++++++++++ .../provider/views/userinfo_endpoint.py | 15 ++++++------ .../relying_party/oauth2/__init__.py | 4 ++-- spid_cie_oidc/relying_party/views/__init__.py | 3 ++- spid_cie_oidc/relying_party/views/rp_begin.py | 8 ++++--- 7 files changed, 77 insertions(+), 15 deletions(-) diff --git a/examples/federation_authority/dumps/example.json b/examples/federation_authority/dumps/example.json index 0dc488c8..9e3fb256 100644 --- a/examples/federation_authority/dumps/example.json +++ b/examples/federation_authority/dumps/example.json 
@@ -238,6 +238,18 @@ ], "jwks_core": [ { + "alg": "RSA-OAEP", + "use": "enc", + "kty": "RSA", + "e": "AQAB", + "n": "oP1EPjcPOtV7Zog2suguY-tCLUVWSe2DOAHqlEWeDJtuQ1sO99Ue_5-Zbdm7iUmA2JNoCKZhp3RpICxRy01PsmXVm5UhsiYvHwK4vYq8hJRgtNpci3Gwj4YzpsN1p2un1VbvtAgiSN5wXURWyaMPMDuOMhIPIleaXU0wHcmGeXEuJrVPluz2jbqYhUHkAlySsH8-3Tx9VIjYohkiaSGU43XIYgCDL3mDkt7u3Z5w009vsNu1XhVZ7SE_XhkOzcvnA82NSq04ogwZ_oAyBY8nYMIN0irxR9r8NssGR3OZxqUMwvElqpyWt2NthgvS0GkMrgirQig-rvJ5bldlBkgOWQ", "d": "caSgY0rD4zH0oSM9eZ_ajUCFUgIN54-dyFlI0M_Bwf_2jQNM1sqbO9eSm9Rgsq2eIh-jLC7ZnBK1kLdvTxRELhiQQ7FwPHZuzQeMhkBpZb_qhFJ8JjyI1DXDZPUnquMK3_xaFODNnBCOZdqO1uxozFpivT7duTvUvAgupfzlp2XWDu_b2xDed16ZtroQk2gqjcByJSDt8U3lj82n34HjcpTZNGIIV4IbJ1jbUJ554A73bmQbjRFInKHMEDmTZGoa-GVcn9YgITUPL_vNvMJgzwcNeextFFLsX-Z8WD3ku4en-guehqFt7-6ZPVLJ0nlBn7oYOpLEML-U-tBZXsBx", + "p": "z8soMD0NaVkvMqIYN1OkKPGQUNSaopYiQEgS9ynQfo-GEo7lhHbcLnhpnqXVR0MYwpvdchJwehIr5-UZIWIV7BHkNLSWy5KPCKZ5G2P7CWsbDTDk0DjL7IJpOukhMsWRpumIKoOefs8RurTtbvGhwj09eLwy4sWO7uI7u11SHdU", + "q": "xlZonE4-C1acGa15uQDSes0DXrLShT337FLCRMy-6HQODSW__xxtV87wVywvDIf39nTQxoOnvUybuAfXww9xexuzC3Q2jXznpvHE7O7lglc6Uq-tEnviVVe-RhAwEQheVPEbCIJQHfvXhDsRzbTrzw7ennM0Gd5WtaICtb54vHU", + "kid": "m1-4Lr9DqAh5-UXYvQnacFiMSrPMaXfK0cfFmCxVvI8" + }, + { + "alg": "RS256", + "use": "sig", "kty": "RSA", "kid": "2HnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs", "n": "5s4qi1Ta-sEuKb5rJ8TzHmyGKaSu89pIXIi6w4Ekx6GL56mJDNE_MWJHsFjWXajfMdMQmZrSXAvLtXxmbhUui9Mq_IormhmEyyEJS0SyE9UKTxWzi0yd_n_C7OjFBhM-0ZyUlgl81E_sr-35P1A6b5WSYwMvRSR-P9yx_NI-XBQ48G_zdmk3CbuuzZsXZqqgj5U7OGWH-4Huosn9nH3FVkwX0OlWkgWM-J9DEWzGBjl9hfbbrMtM_obljHL2NfT6RJYER2IpdI8RCyQS3sMPt6ZHDskmuNlyMDNATCChXQJLnltwEjxcgvzjw_G9J25DwfdfVEhDF_0kCp44UMmS3Q", 
@@ -276,12 +288,20 @@ "jwks": { "keys": [ { - "kty": "RSA", "use": "sig", + "alg": "RS256", + "kty": "RSA", "n": "5s4qi1Ta-sEuKb5rJ8TzHmyGKaSu89pIXIi6w4Ekx6GL56mJDNE_MWJHsFjWXajfMdMQmZrSXAvLtXxmbhUui9Mq_IormhmEyyEJS0SyE9UKTxWzi0yd_n_C7OjFBhM-0ZyUlgl81E_sr-35P1A6b5WSYwMvRSR-P9yx_NI-XBQ48G_zdmk3CbuuzZsXZqqgj5U7OGWH-4Huosn9nH3FVkwX0OlWkgWM-J9DEWzGBjl9hfbbrMtM_obljHL2NfT6RJYER2IpdI8RCyQS3sMPt6ZHDskmuNlyMDNATCChXQJLnltwEjxcgvzjw_G9J25DwfdfVEhDF_0kCp44UMmS3Q", "e": "AQAB", "kid": "2HnoFS3YnC9tjiCaivhWLVUJ3AxwGGz_98uRFaqMEEs" - } + }, + { + "use": "enc", + "kty": "RSA", + "e": "AQAB", + "alg": "RSA-OAEP", + "n": "oP1EPjcPOtV7Zog2suguY-tCLUVWSe2DOAHqlEWeDJtuQ1sO99Ue_5-Zbdm7iUmA2JNoCKZhp3RpICxRy01PsmXVm5UhsiYvHwK4vYq8hJRgtNpci3Gwj4YzpsN1p2un1VbvtAgiSN5wXURWyaMPMDuOMhIPIleaXU0wHcmGeXEuJrVPluz2jbqYhUHkAlySsH8-3Tx9VIjYohkiaSGU43XIYgCDL3mDkt7u3Z5w009vsNu1XhVZ7SE_XhkOzcvnA82NSq04ogwZ_oAyBY8nYMIN0irxR9r8NssGR3OZxqUMwvElqpyWt2NthgvS0GkMrgirQig-rvJ5bldlBkgOWQ", + "kid": "m1-4Lr9DqAh5-UXYvQnacFiMSrPMaXfK0cfFmCxVvI8"} ] }, "jwks_uri": "http://127.0.0.1:8000/oidc/rp/openid_relying_party/jwks.json", diff --git a/examples/relying_party/dumps/example.json b/examples/relying_party/dumps/example.json index 53682e0c..80d62eff 100644 --- a/examples/relying_party/dumps/example.json +++ b/examples/relying_party/dumps/example.json @@ -45,6 +45,7 @@ ], "jwks_core": [ { + "use": "sig", "kty": "RSA", "n": "uXfJA-wTlTCA4FdsoE0qZfmKIgedmarrtWgQbElKbWg9RDR7Z8JVBaRLFqwyfyG1JJFm64G51cBJwLIFwWoF7nxsH9VYLm5ocjAnsR4RhlfVE0y_60wjf8skJgBRpiXQPlwH9jDGaqVE_PEBTObDO5w3XourD1F360-v5cLDLRHdFJIitdEVtqATqY5DglRDaKiBhis7a5_1bk839PDLaQhju4XJk4tvDy5-LVkMy5sP2zU6-1tJdA-VmaBZLXy9n0967FGIWmMzpafrBMOuHFcUOH56o-clDah_CITH1dq2D64K0MYhEpACO2p8AH4K8Q6YuJ1dnkVDDwZp2C84sQ", "e": "AQAB", 
@@ -52,6 +53,17 @@ "p": "5PA7lJEDd3vrw5hlolFzvjvRriOu1SMHXx9Y52AgpOeQ6MnE1pO8qwn33lwYTSPGYinaq4jS3FKF_U5vOZltJAGBMa4ByEvAROJVCh958rKVRWKIqVXLOi8Gk11kHbVKw6oDXAd8Qt_y_ff8k_K6jW2EbWm1K6kfTvTMzoHkqrU", "q": "z2QeMH4WtrdiWUET7JgZNX0TbcaVBgd2Gpo8JHnfnGOUsvO_euKGgqpCcxiWVXSlqffQyTgVzl4iMROP8bEaQwvueHurtziMDSy9Suumyktu3PbGgjqu_izRim8Xlg7sz8Hs2quJPII_fQ8BCoaWpg30osFZqCBarQM7CWhxR40", "kid": "YhuIJU6o15EUCyqA0LHEqJd-xVPJgoyW5wZ1o4padWs" + }, + { + "alg": "RSA-OAEP", + "use": "enc", + "kty": "RSA", + "n": "rZDx5jxztL4RL4obgFtOZCCelabRolJo_WHdvHVM0Pe5M1rCYXmcnGq5I2M7MdXrFHLa_Yl5rAzkxKyFgpB48vkmqIGNl8NX-6c95XDMQttHmp_atrPnKyJ0E2Zk1ZTomZMWnQCIXQYfcJI2x4W5Mjyh8Ip0ZDDUiqlYsADkHCThj0q6RjJRXtmK_rrt1-tcHOQbIHDVKXYACMWOzUr1YDGWgrFjPu2D2QAXmO3qxhaqIdABwim6XKuLYwzTlIeHJyeEZQiVLEY_Notu5GVQGeL8qMnW3SsqBw7rMYxKgLOcSk2-2J5_orToRNy0x1LQfMtHG3ic8KcFefV7UZeR3w", + "e": "AQAB", + "d": "Agb1P-F-bVupnNWH_5ZYh-8S7qb5I500yyjS6A9dVfvs736BGZYhQc5uoZQtrglwzgIA96uOmwW3h6Mx-469h1gTny3FE3vrmNEvIKogRRATssxMR8VWXU4Nma6gz4jp0MlgApKKPhPmkBrN925i9a_ODNeBI9dSKYP-Y4RPJb5RWBj2SwL62AwfSAYD012qUQAOw9uYP9c2gIA2sWRnNG0ufe6YTh0UDZub3B34BCoMf8Cr0cZZ4AvjVqoPBWWLZm265TDRHmJ3cS8EdMsSYCzQSaMy5B2wEwGmilO14TiNroDN1UcdoANhmXC9lzZWYx8Iz6BYH4ybk4fwGinEWQ", + "p": "7-9WcW5dg64vEAok88rZESb9ZXP6FgPMrZ2wCIDxP3XxhqQlaVANE2bSBLQYrwxCpKlIznCJOvOY2FALhBcF5GKdBhUrBhs7Iz46ACr2HKr7mQ5EiigDwMmdIJ5LGJL-RVevP2Ye4QxOWQbn3jttc9fsj2Pw3FjYaeUurs9AnUs", + "q": "uS__hm1ZVGN1FPmT6LfiM5-_xPmZwNwKRWV02e4drqa_qXQgbaMzZoSAc4duXXXgbyXc7LaJF4_fqR3Cpr1rXsXMTuJf9rb0uN4wZ9awZgmwbBx1JM2ikoQt08xvdxuH_7_0j584Ta7Go1TO2XX1QII06nr7EkVJ8HJqsE665T0", + "kid": "dlDtBxB1sKzY5hZTxJRLpvKVLeWHy5QYsFTSxETF5qM" } ], "trust_marks": [ 
@@ -85,11 +97,20 @@ "jwks": { "keys": [ { + "alg": "RS256", "kty": "RSA", "use": "sig", "n": "uXfJA-wTlTCA4FdsoE0qZfmKIgedmarrtWgQbElKbWg9RDR7Z8JVBaRLFqwyfyG1JJFm64G51cBJwLIFwWoF7nxsH9VYLm5ocjAnsR4RhlfVE0y_60wjf8skJgBRpiXQPlwH9jDGaqVE_PEBTObDO5w3XourD1F360-v5cLDLRHdFJIitdEVtqATqY5DglRDaKiBhis7a5_1bk839PDLaQhju4XJk4tvDy5-LVkMy5sP2zU6-1tJdA-VmaBZLXy9n0967FGIWmMzpafrBMOuHFcUOH56o-clDah_CITH1dq2D64K0MYhEpACO2p8AH4K8Q6YuJ1dnkVDDwZp2C84sQ", "e": "AQAB", "kid": "YhuIJU6o15EUCyqA0LHEqJd-xVPJgoyW5wZ1o4padWs" + }, + { + "alg": "RSA-OAEP", + "use": "enc", + "kty": "RSA", + "n": "rZDx5jxztL4RL4obgFtOZCCelabRolJo_WHdvHVM0Pe5M1rCYXmcnGq5I2M7MdXrFHLa_Yl5rAzkxKyFgpB48vkmqIGNl8NX-6c95XDMQttHmp_atrPnKyJ0E2Zk1ZTomZMWnQCIXQYfcJI2x4W5Mjyh8Ip0ZDDUiqlYsADkHCThj0q6RjJRXtmK_rrt1-tcHOQbIHDVKXYACMWOzUr1YDGWgrFjPu2D2QAXmO3qxhaqIdABwim6XKuLYwzTlIeHJyeEZQiVLEY_Notu5GVQGeL8qMnW3SsqBw7rMYxKgLOcSk2-2J5_orToRNy0x1LQfMtHG3ic8KcFefV7UZeR3w", + "e": "AQAB", + "kid": "dlDtBxB1sKzY5hZTxJRLpvKVLeWHy5QYsFTSxETF5qM" } ] }, diff --git a/spid_cie_oidc/entity/utils.py b/spid_cie_oidc/entity/utils.py index 8dd242e6..bd832fc4 100644 --- a/spid_cie_oidc/entity/utils.py +++ b/spid_cie_oidc/entity/utils.py @@ -14,6 +14,23 @@ logger = logging.getLogger(__name__) +def get_core_signing_key(entity_conf): + jwk_core_sig = entity_conf.jwks_core[0] + if len(entity_conf.jwks_core) > 1: + for jwk in entity_conf.jwks_core: + if jwk['use'] == 'sig': + jwk_core_sig = jwk + return jwk_core_sig + + +def get_rp_encryption_key(jwks_core): + jwk_core_enc = jwks_core[0] + if len(jwks_core) > 1: + for jwk in jwks_core: + if jwk['use'] == 'enc': + jwk_core_enc = jwk + return jwk_core_enc + def iat_now() -> int: return int(datetime.datetime.now().timestamp()) diff --git a/spid_cie_oidc/provider/views/userinfo_endpoint.py b/spid_cie_oidc/provider/views/userinfo_endpoint.py index f35a8b5e..02969b60 100644 --- a/spid_cie_oidc/provider/views/userinfo_endpoint.py +++ b/spid_cie_oidc/provider/views/userinfo_endpoint.py 
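Review bot: In `get_core_signing_key` and `get_rp_encryption_key`, `jwk['use']` raises `KeyError` for a JWK that omits `use`, which the project's `Jwk` schema allows (`use: Optional[...]`, visible in the PATCH 13 hunk) and which the RP example dump only gains in this same commit; `jwk.get('use')` is the safe lookup. The `if len(...) > 1` guard also returns a single-key set without checking its `use`, and when no key matches, both helpers silently fall back to `jwks_core[0]`, so the userinfo response could be encrypted to the RP's signing key. A selection that prefers a key declaring the requested `use`, accepts a key declaring no `use` (permitted by RFC 7517), and otherwise raises keeps existing single-key configurations working while never picking a key declared for the other purpose. The consolidated `get_key` in the following commit (spid_cie_oidc/entity/utils.py, PATCH 12) carries over all three behaviours, so the shared helper below is what it should become.
```python
def get_core_signing_key(entity_conf):
    """Return the JWK from entity_conf.jwks_core to sign with."""
    return _select_jwk(entity_conf.jwks_core, 'sig')


def get_rp_encryption_key(jwks_core):
    """Return the JWK from jwks_core to encrypt to."""
    return _select_jwk(jwks_core, 'enc')


def _select_jwk(jwks, use):
    """Return the first JWK declaring `use`, else the first JWK declaring no
    `use` at all; never a key declared for a different use."""
    for jwk in jwks:
        if jwk.get('use') == use:
            return jwk
    for jwk in jwks:
        if 'use' not in jwk:
            return jwk
    raise ValueError(f"no JWK usable for '{use}'")
```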
@@ -16,7 +16,7 @@ from spid_cie_oidc.entity.models import ( TrustChain ) -from spid_cie_oidc.entity.utils import get_jwks +from spid_cie_oidc.entity.utils import get_jwks, get_rp_encryption_key, get_core_signing_key from spid_cie_oidc.provider.models import IssuedToken from . import OpBase @@ -85,18 +85,19 @@ def get(self, request, *args, **kwargs): jwt[claim] = token.session.user.attributes[claim] # sign the data - jws = create_jws(jwt, issuer.jwks_core[0]) + key = get_core_signing_key(issuer) + jws = create_jws(jwt, key) #issuer.jwks_core[0]) # encrypt the data client_jwks = get_jwks( rp_tc.metadata['openid_relying_party'], federation_jwks = rp_tc.jwks ) - client_jwk = client_jwks[0] - for k in client_jwks: - if k.get('kid') and len(k["kid"]) >= 1: - client_jwk = k - break + client_jwk = get_rp_encryption_key(client_jwks) #[0] + # for k in client_jwks: + # if k.get('kid') and len(k["kid"]) >= 1: + # client_jwk = k + # break jwe = create_jwe( jws, diff --git a/spid_cie_oidc/relying_party/oauth2/__init__.py b/spid_cie_oidc/relying_party/oauth2/__init__.py index fa03535a..4f494a9e 100644 --- a/spid_cie_oidc/relying_party/oauth2/__init__.py +++ b/spid_cie_oidc/relying_party/oauth2/__init__.py @@ -6,7 +6,7 @@ from spid_cie_oidc.entity.models import FederationEntityConfiguration from spid_cie_oidc.entity.jwtse import create_jws from spid_cie_oidc.entity.settings import HTTPC_PARAMS, HTTPC_TIMEOUT -from spid_cie_oidc.entity.utils import iat_now, exp_from_now +from spid_cie_oidc.entity.utils import iat_now, exp_from_now, get_core_signing_key logger = logging.getLogger(__name__) @@ -49,7 +49,7 @@ def access_token_request( "exp": exp_from_now(), "jti": str(uuid.uuid4()), }, - jwk_dict=client_conf.jwks_core[0], + jwk_dict=get_core_signing_key(client_conf), ), ) diff --git a/spid_cie_oidc/relying_party/views/__init__.py b/spid_cie_oidc/relying_party/views/__init__.py index 5be98762..ffa2efae 100644 --- a/spid_cie_oidc/relying_party/views/__init__.py 
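Review bot: The sign/encrypt block in `get` keeps the replaced code as comments — `#issuer.jwks_core[0])` on the `create_jws` line, `#[0]` after `get_rp_encryption_key(client_jwks)`, and the four commented-out lines of the old `for k in client_jwks:` loop — which should be deleted rather than parked, since history already preserves them (the following commit keeps them too). The old loop preferred a key carrying a `kid`; the new selection ignores `kid` entirely, so if that is intended a one-line comment such as `# RP key chosen by use == 'enc'; kid no longer required here` would record it, and if `create_jwe` relies on a `kid` it needs a check instead — I cannot tell from the hunk. The enclosing `get` starts before this hunk.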
+++ b/spid_cie_oidc/relying_party/views/__init__.py @@ -13,6 +13,7 @@ from spid_cie_oidc.entity.exceptions import InvalidTrustchain from spid_cie_oidc.entity.models import TrustChain +from spid_cie_oidc.entity.utils import get_core_signing_key from spid_cie_oidc.entity.trust_chain_operations import get_or_create_trust_chain from spid_cie_oidc.relying_party.exceptions import ValidationException from spid_cie_oidc.relying_party.settings import ( @@ -146,7 +147,7 @@ def get_token_request(self, auth_token, request, token_type): "exp": exp_from_now(), "jti": str(uuid.uuid4()) }, - jwk_dict=rp_conf.jwks_core[0], + jwk_dict=get_core_signing_key(rp_conf) ) token_request_data["client_assertion"] = client_assertion diff --git a/spid_cie_oidc/relying_party/views/rp_begin.py b/spid_cie_oidc/relying_party/views/rp_begin.py index 86eb5608..3ab8ac6a 100644 --- a/spid_cie_oidc/relying_party/views/rp_begin.py +++ b/spid_cie_oidc/relying_party/views/rp_begin.py @@ -12,7 +12,7 @@ from django.views import View from spid_cie_oidc.entity.exceptions import InvalidTrustchain from spid_cie_oidc.entity.jwtse import create_jws -from spid_cie_oidc.entity.utils import get_jwks +from spid_cie_oidc.entity.utils import get_jwks, get_core_signing_key from spid_cie_oidc.entity.models import FederationEntityConfiguration from spid_cie_oidc.relying_party.settings import OIDCFED_ACR_PROFILES, RP_PROVIDER_PROFILES, \ RP_DEFAULT_PROVIDER_PROFILES @@ -25,7 +25,7 @@ ) from ..utils import ( http_dict_to_redirect_uri_path, - random_string, + random_string ) from . import SpidCieOidcRp @@ -188,7 +188,9 @@ def get(self, request, *args, **kwargs): # could be reused as a private_key_jwt # authz_data_obj["sub"] = client_conf["client_id"] - request_obj = create_jws(authz_data_obj, entity_conf.jwks_core[0]) + jwk_core_sig = get_core_signing_key(entity_conf) + + request_obj = create_jws(authz_data_obj, jwk_core_sig) authz_data["request"] = request_obj uri_path = http_dict_to_redirect_uri_path( { 
From 602c3a3ac8e23be2513c6882f9f44b17e38c1456 Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Sat, 9 Mar 2024 12:58:13 +0100 Subject: [PATCH 12/15] fix: better function for key retrivial --- spid_cie_oidc/entity/utils.py | 19 +++++-------------- .../provider/views/userinfo_endpoint.py | 6 +++--- .../relying_party/oauth2/__init__.py | 4 ++-- spid_cie_oidc/relying_party/views/__init__.py | 4 ++-- spid_cie_oidc/relying_party/views/rp_begin.py | 4 ++-- 5 files changed, 14 insertions(+), 23 deletions(-) diff --git a/spid_cie_oidc/entity/utils.py b/spid_cie_oidc/entity/utils.py index bd832fc4..aed2743c 100644 --- a/spid_cie_oidc/entity/utils.py +++ b/spid_cie_oidc/entity/utils.py @@ -14,22 +14,13 @@ logger = logging.getLogger(__name__) -def get_core_signing_key(entity_conf): - jwk_core_sig = entity_conf.jwks_core[0] - if len(entity_conf.jwks_core) > 1: - for jwk in entity_conf.jwks_core: - if jwk['use'] == 'sig': - jwk_core_sig = jwk - return jwk_core_sig - - -def get_rp_encryption_key(jwks_core): - jwk_core_enc = jwks_core[0] +def get_key(jwks_core, use='sig'): + selected_jwk = jwks_core[0] if len(jwks_core) > 1: for jwk in jwks_core: - if jwk['use'] == 'enc': - jwk_core_enc = jwk - return jwk_core_enc + if jwk['use'] == use: + selected_jwk = jwk + return selected_jwk def iat_now() -> int: return int(datetime.datetime.now().timestamp()) diff --git a/spid_cie_oidc/provider/views/userinfo_endpoint.py b/spid_cie_oidc/provider/views/userinfo_endpoint.py index 02969b60..b9b90dd1 100644 --- a/spid_cie_oidc/provider/views/userinfo_endpoint.py +++ b/spid_cie_oidc/provider/views/userinfo_endpoint.py @@ -16,7 +16,7 @@ from spid_cie_oidc.entity.models import ( TrustChain ) -from spid_cie_oidc.entity.utils import get_jwks, get_rp_encryption_key, get_core_signing_key +from spid_cie_oidc.entity.utils import get_jwks, get_key from spid_cie_oidc.provider.models import IssuedToken from . import OpBase 
@@ -85,7 +85,7 @@ def get(self, request, *args, **kwargs): jwt[claim] = token.session.user.attributes[claim] # sign the data - key = get_core_signing_key(issuer) + key = get_key(issuer.jwks_core, 'sig') jws = create_jws(jwt, key) #issuer.jwks_core[0]) # encrypt the data @@ -93,7 +93,7 @@ def get(self, request, *args, **kwargs): rp_tc.metadata['openid_relying_party'], federation_jwks = rp_tc.jwks ) - client_jwk = get_rp_encryption_key(client_jwks) #[0] + client_jwk = get_key(client_jwks, 'enc') #[0] # for k in client_jwks: # if k.get('kid') and len(k["kid"]) >= 1: # client_jwk = k diff --git a/spid_cie_oidc/relying_party/oauth2/__init__.py b/spid_cie_oidc/relying_party/oauth2/__init__.py index 4f494a9e..b12f425d 100644 --- a/spid_cie_oidc/relying_party/oauth2/__init__.py +++ b/spid_cie_oidc/relying_party/oauth2/__init__.py @@ -6,7 +6,7 @@ from spid_cie_oidc.entity.models import FederationEntityConfiguration from spid_cie_oidc.entity.jwtse import create_jws from spid_cie_oidc.entity.settings import HTTPC_PARAMS, HTTPC_TIMEOUT -from spid_cie_oidc.entity.utils import iat_now, exp_from_now, get_core_signing_key +from spid_cie_oidc.entity.utils import iat_now, exp_from_now, get_key logger = logging.getLogger(__name__) @@ -49,7 +49,7 @@ def access_token_request( "exp": exp_from_now(), "jti": str(uuid.uuid4()), }, - jwk_dict=get_core_signing_key(client_conf), + jwk_dict=get_key(client_conf.jwks_core, 'sig'), ), ) diff --git a/spid_cie_oidc/relying_party/views/__init__.py b/spid_cie_oidc/relying_party/views/__init__.py index ffa2efae..65f8053a 100644 --- a/spid_cie_oidc/relying_party/views/__init__.py +++ b/spid_cie_oidc/relying_party/views/__init__.py 
@@ -13,7 +13,7 @@ from spid_cie_oidc.entity.exceptions import InvalidTrustchain from spid_cie_oidc.entity.models import TrustChain -from spid_cie_oidc.entity.utils import get_core_signing_key +from spid_cie_oidc.entity.utils import get_key from spid_cie_oidc.entity.trust_chain_operations import get_or_create_trust_chain from spid_cie_oidc.relying_party.exceptions import ValidationException from spid_cie_oidc.relying_party.settings import ( @@ -147,7 +147,7 @@ def get_token_request(self, auth_token, request, token_type): "exp": exp_from_now(), "jti": str(uuid.uuid4()) }, - jwk_dict=get_core_signing_key(rp_conf) + jwk_dict=get_key(rp_conf) ) token_request_data["client_assertion"] = client_assertion diff --git a/spid_cie_oidc/relying_party/views/rp_begin.py b/spid_cie_oidc/relying_party/views/rp_begin.py index 3ab8ac6a..b3bdad11 100644 --- a/spid_cie_oidc/relying_party/views/rp_begin.py +++ b/spid_cie_oidc/relying_party/views/rp_begin.py @@ -12,7 +12,7 @@ from django.views import View from spid_cie_oidc.entity.exceptions import InvalidTrustchain from spid_cie_oidc.entity.jwtse import create_jws -from spid_cie_oidc.entity.utils import get_jwks, get_core_signing_key +from spid_cie_oidc.entity.utils import get_jwks, get_key from spid_cie_oidc.entity.models import FederationEntityConfiguration from spid_cie_oidc.relying_party.settings import OIDCFED_ACR_PROFILES, RP_PROVIDER_PROFILES, \ RP_DEFAULT_PROVIDER_PROFILES @@ -188,7 +188,7 @@ def get(self, request, *args, **kwargs): # could be reused as a private_key_jwt # authz_data_obj["sub"] = client_conf["client_id"] - jwk_core_sig = get_core_signing_key(entity_conf) + jwk_core_sig = get_key(entity_conf.jwks_core, 'sig') request_obj = create_jws(authz_data_obj, jwk_core_sig) authz_data["request"] = request_obj From 1beb7da413ff49a4019a3dad7021ba03a5d20df9 Mon Sep 17 00:00:00 2001 
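Review bot: `jwk_dict=get_key(rp_conf)` passes the configuration object itself, while the new helper expects the key list and every other call site in this patch passes `.jwks_core` (`get_key(client_conf.jwks_core, 'sig')`, `get_key(entity_conf.jwks_core, 'sig')`); as written the token-request client_assertion path would hit `len(rp_conf)` / `rp_conf[0]` on a non-sequence and fail. The line should read `jwk_dict=get_key(rp_conf.jwks_core, 'sig')`. `get_token_request` starts outside the hunk, so I am assuming `rp_conf` is the same entity-configuration object the removed `get_core_signing_key(rp_conf)` call consumed.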
From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Sun, 10 Mar 2024 09:21:09 +0100 Subject: [PATCH 13/15] fix: added encryption algs to jwk validator --- spid_cie_oidc/entity/schemas/jwks.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/spid_cie_oidc/entity/schemas/jwks.py b/spid_cie_oidc/entity/schemas/jwks.py index 78f0f55a..23cc6d3c 100644 --- a/spid_cie_oidc/entity/schemas/jwks.py +++ b/spid_cie_oidc/entity/schemas/jwks.py @@ -18,6 +18,11 @@ class Jwk(BaseModel): "PS256", "PS384", "PS512", + "RSA-OAEP", + "RSA-OAEP-256", + "ECDH-ES", + "ECDH-ES+A128KW", + "ECDH-ES+A256KW" ] ] use: Optional[Literal["sig", "enc"]] From 6c2d5787d1d1b33861c5f164b07d53b87c09b637 Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Wed, 13 Mar 2024 20:34:49 +0100 Subject: [PATCH 14/15] test: added separated keys for signing and encryption in RP and OP tests --- spid_cie_oidc/authority/tests/settings.py | 13 ++++++++----- spid_cie_oidc/entity/tests/rp_metadata_settings.py | 13 ++++++++----- spid_cie_oidc/entity/utils.py | 12 +++++------- spid_cie_oidc/provider/tests/settings.py | 2 ++ .../relying_party/tests/mocked_response.py | 6 ++++-- .../relying_party/tests/test_04_rp_callback.py | 1 + 6 files changed, 28 insertions(+), 19 deletions(-) diff --git a/spid_cie_oidc/authority/tests/settings.py b/spid_cie_oidc/authority/tests/settings.py index 1f291bc1..99a8f890 100644 --- a/spid_cie_oidc/authority/tests/settings.py +++ b/spid_cie_oidc/authority/tests/settings.py 
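Review bot: Adding the JWE algorithms to the same `alg` Literal that holds the JWS algorithms means the model still accepts a key declaring `use: "sig"` together with `alg: "RSA-OAEP"`, or `use: "enc"` with `alg: "RS256"`; the `use`/`alg` pair is never checked for consistency. A root/model validator (whichever the project's pinned pydantic version provides) that rejects a signing `alg` on an `enc` key and an encryption `alg` on a `sig` key would keep the new entries from weakening the schema. The `Jwk` class body continues outside the hunk.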
@@ -5,8 +5,11 @@ INTERMEDIARY_JWK1 = serialize_rsa_key(INTERMEDIARY_RSA.priv_key, kind='private') INTERMEDIARY_JWK1_pub = serialize_rsa_key(INTERMEDIARY_RSA.pub_key) -RP_METADATA_JWK1 = {'kty': 'RSA', 'n': 'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'd': 'jEDxjcTZXBbgBV8Bgt7-qfW1FJoHDEFKFxhfMpHQQoETa-jTPhCxOD2MzYM8A-9kKc8tu9r-crTAl1PI42kPnMd283phixd5G5Tv8gSaGdnq-45ka0iRuC7TItUdDiMNb_2YzB4ZLGLNmaIKQJSGqCHEcQuRVyxJtTZwrXaMMOhDqJaWUvUQWF5C7g5O5mOVTkNKw6ujzhqcWa4N3NE-HwcbVW_9st4s1c_ng-DlwLTptaeM5j-LOeZMX1zcVlwYMi5ZkYYY6FHHjYI4nBWDtqhvf-64QaTv8exIjk8PcxHOwhfLTWiHPLk14af7U_pCzkP87WQCBgNfvt3WILQ5DQ', 'p': '75eNHkWaYQMgzVfFwif5uftSxqOhFU6VkxNKdqoRuFxJuVTO-M-vbQc3BwPxms2xrpizU6zGcoPGPvccDi0G040wZh34pWDVABMgGMKXKmeTwj8FuM1DzOVq8DKHmdrhk1gaQbPAP8JVOVYK7uh_lG5wmz3X-En1McMk-E8g8Ic', 'q': '0Sny6DLNtDP1_B9qiyCaMtRqPSAUZ1ohCZRlBT6-IGRR31Kt5S2JcVNDnF5w4dunlDY4nhIBZ0v0VyzWKgDXj6qrFY1pm1iE29gW227YsVRWQU8xWGpBwEu8nxNMr0u0zfe0QEGWU4RvNAsZPRa31HU87Vm7I3NSZ34DZsCZJoc', 'kid': 'HIvo33-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} -RP_METADATA_JWK1_pub = {'kty': 'RSA', 'n': 'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'kid': 'HIvo33-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} +RP_METADATA_JWK1 = {'use': 'sig', 'kty': 'RSA', 'n': 
'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'd': 'jEDxjcTZXBbgBV8Bgt7-qfW1FJoHDEFKFxhfMpHQQoETa-jTPhCxOD2MzYM8A-9kKc8tu9r-crTAl1PI42kPnMd283phixd5G5Tv8gSaGdnq-45ka0iRuC7TItUdDiMNb_2YzB4ZLGLNmaIKQJSGqCHEcQuRVyxJtTZwrXaMMOhDqJaWUvUQWF5C7g5O5mOVTkNKw6ujzhqcWa4N3NE-HwcbVW_9st4s1c_ng-DlwLTptaeM5j-LOeZMX1zcVlwYMi5ZkYYY6FHHjYI4nBWDtqhvf-64QaTv8exIjk8PcxHOwhfLTWiHPLk14af7U_pCzkP87WQCBgNfvt3WILQ5DQ', 'p': '75eNHkWaYQMgzVfFwif5uftSxqOhFU6VkxNKdqoRuFxJuVTO-M-vbQc3BwPxms2xrpizU6zGcoPGPvccDi0G040wZh34pWDVABMgGMKXKmeTwj8FuM1DzOVq8DKHmdrhk1gaQbPAP8JVOVYK7uh_lG5wmz3X-En1McMk-E8g8Ic', 'q': '0Sny6DLNtDP1_B9qiyCaMtRqPSAUZ1ohCZRlBT6-IGRR31Kt5S2JcVNDnF5w4dunlDY4nhIBZ0v0VyzWKgDXj6qrFY1pm1iE29gW227YsVRWQU8xWGpBwEu8nxNMr0u0zfe0QEGWU4RvNAsZPRa31HU87Vm7I3NSZ34DZsCZJoc', 'kid': 'HIvo33-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} +RP_METADATA_JWK1_pub = {'use': 'sig', 'kty': 'RSA', 'n': 'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'kid': 'HIvo33-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} + +RP_METADATA_JWK2 = {'alg': 'RSA-OAEP', 'use': 'enc', 'kty': 'RSA', 'n': 
'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'd': 'jEDxjcTZXBbgBV8Bgt7-qfW1FJoHDEFKFxhfMpHQQoETa-jTPhCxOD2MzYM8A-9kKc8tu9r-crTAl1PI42kPnMd283phixd5G5Tv8gSaGdnq-45ka0iRuC7TItUdDiMNb_2YzB4ZLGLNmaIKQJSGqCHEcQuRVyxJtTZwrXaMMOhDqJaWUvUQWF5C7g5O5mOVTkNKw6ujzhqcWa4N3NE-HwcbVW_9st4s1c_ng-DlwLTptaeM5j-LOeZMX1zcVlwYMi5ZkYYY6FHHjYI4nBWDtqhvf-64QaTv8exIjk8PcxHOwhfLTWiHPLk14af7U_pCzkP87WQCBgNfvt3WILQ5DQ', 'p': '75eNHkWaYQMgzVfFwif5uftSxqOhFU6VkxNKdqoRuFxJuVTO-M-vbQc3BwPxms2xrpizU6zGcoPGPvccDi0G040wZh34pWDVABMgGMKXKmeTwj8FuM1DzOVq8DKHmdrhk1gaQbPAP8JVOVYK7uh_lG5wmz3X-En1McMk-E8g8Ic', 'q': '0Sny6DLNtDP1_B9qiyCaMtRqPSAUZ1ohCZRlBT6-IGRR31Kt5S2JcVNDnF5w4dunlDY4nhIBZ0v0VyzWKgDXj6qrFY1pm1iE29gW227YsVRWQU8xWGpBwEu8nxNMr0u0zfe0QEGWU4RvNAsZPRa31HU87Vm7I3NSZ34DZsCZJoc', 'kid': 'ENC-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} +RP_METADATA_JWK2_pub = {'alg': 'RSA-OAEP', 'use': 'enc', 'kty': 'RSA', 'n': 'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'kid': 'ENC-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} rp_onboarding_data = dict( name="RP Test", @@ -20,7 +23,7 @@ rp_conf = { "sub": rp_onboarding_data["sub"], "jwks_fed" : [RP_METADATA_JWK1], - "jwks_core" : [RP_METADATA_JWK1], + "jwks_core" : [RP_METADATA_JWK1, RP_METADATA_JWK2], "metadata": { "openid_relying_party": { "application_type": "web", 
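Review bot: `RP_METADATA_JWK2` reuses the exact RSA parameters of `RP_METADATA_JWK1` (`n`, `d`, `p`, `q` are byte-identical) and only changes `kid`, `use` and `alg`, so these fixtures cannot detect `get_key` selecting the wrong key: a payload encrypted to the `sig` key still decrypts with the `enc` private key because they are the same key. It also bakes sig/enc key reuse into a reference configuration that downstream deployers tend to copy. Generate a separate RSA key pair for the encryption JWK (this file already uses `serialize_rsa_key` for `INTERMEDIARY_JWK1`, which could produce it) so a wrong selection actually fails the test.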
@@ -32,7 +35,7 @@ "response_types": ["code"], "subject_type": "pairwise", "client_id": "http://rp-test.it/oidc/rp/", - "jwks": {"keys": [RP_METADATA_JWK1_pub]}, + "jwks": {"keys": [RP_METADATA_JWK1_pub, RP_METADATA_JWK2_pub]}, } }, "authority_hints": ["http://testserver/"], @@ -43,7 +46,7 @@ "iss": rp_conf["sub"], "sub": rp_conf["sub"], "jwks": { - "keys": [RP_METADATA_JWK1_pub] + "keys": [RP_METADATA_JWK1_pub, RP_METADATA_JWK2_pub] }, "metadata": rp_conf["metadata"], "authority_hints":rp_conf["authority_hints"] diff --git a/spid_cie_oidc/entity/tests/rp_metadata_settings.py b/spid_cie_oidc/entity/tests/rp_metadata_settings.py index 6549d1ef..4653c027 100644 --- a/spid_cie_oidc/entity/tests/rp_metadata_settings.py +++ b/spid_cie_oidc/entity/tests/rp_metadata_settings.py 
@@ -49,8 +49,11 @@ RP_METADATA_CIE_NOJWKS_NOJWKS_URI.pop("jwks_uri") -RP_METADATA_JWK1 = {'kty': 'RSA', 'n': 'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'd': 'jEDxjcTZXBbgBV8Bgt7-qfW1FJoHDEFKFxhfMpHQQoETa-jTPhCxOD2MzYM8A-9kKc8tu9r-crTAl1PI42kPnMd283phixd5G5Tv8gSaGdnq-45ka0iRuC7TItUdDiMNb_2YzB4ZLGLNmaIKQJSGqCHEcQuRVyxJtTZwrXaMMOhDqJaWUvUQWF5C7g5O5mOVTkNKw6ujzhqcWa4N3NE-HwcbVW_9st4s1c_ng-DlwLTptaeM5j-LOeZMX1zcVlwYMi5ZkYYY6FHHjYI4nBWDtqhvf-64QaTv8exIjk8PcxHOwhfLTWiHPLk14af7U_pCzkP87WQCBgNfvt3WILQ5DQ', 'p': '75eNHkWaYQMgzVfFwif5uftSxqOhFU6VkxNKdqoRuFxJuVTO-M-vbQc3BwPxms2xrpizU6zGcoPGPvccDi0G040wZh34pWDVABMgGMKXKmeTwj8FuM1DzOVq8DKHmdrhk1gaQbPAP8JVOVYK7uh_lG5wmz3X-En1McMk-E8g8Ic', 'q': '0Sny6DLNtDP1_B9qiyCaMtRqPSAUZ1ohCZRlBT6-IGRR31Kt5S2JcVNDnF5w4dunlDY4nhIBZ0v0VyzWKgDXj6qrFY1pm1iE29gW227YsVRWQU8xWGpBwEu8nxNMr0u0zfe0QEGWU4RvNAsZPRa31HU87Vm7I3NSZ34DZsCZJoc', 'kid': 'HIvo33-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} -RP_METADATA_JWK1_pub = {'kty': 'RSA', 'n': 'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'kid': 'HIvo33-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} +RP_METADATA_JWK1 = {'use': 'sig', 'kty': 'RSA', 'n': 
'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'd': 'jEDxjcTZXBbgBV8Bgt7-qfW1FJoHDEFKFxhfMpHQQoETa-jTPhCxOD2MzYM8A-9kKc8tu9r-crTAl1PI42kPnMd283phixd5G5Tv8gSaGdnq-45ka0iRuC7TItUdDiMNb_2YzB4ZLGLNmaIKQJSGqCHEcQuRVyxJtTZwrXaMMOhDqJaWUvUQWF5C7g5O5mOVTkNKw6ujzhqcWa4N3NE-HwcbVW_9st4s1c_ng-DlwLTptaeM5j-LOeZMX1zcVlwYMi5ZkYYY6FHHjYI4nBWDtqhvf-64QaTv8exIjk8PcxHOwhfLTWiHPLk14af7U_pCzkP87WQCBgNfvt3WILQ5DQ', 'p': '75eNHkWaYQMgzVfFwif5uftSxqOhFU6VkxNKdqoRuFxJuVTO-M-vbQc3BwPxms2xrpizU6zGcoPGPvccDi0G040wZh34pWDVABMgGMKXKmeTwj8FuM1DzOVq8DKHmdrhk1gaQbPAP8JVOVYK7uh_lG5wmz3X-En1McMk-E8g8Ic', 'q': '0Sny6DLNtDP1_B9qiyCaMtRqPSAUZ1ohCZRlBT6-IGRR31Kt5S2JcVNDnF5w4dunlDY4nhIBZ0v0VyzWKgDXj6qrFY1pm1iE29gW227YsVRWQU8xWGpBwEu8nxNMr0u0zfe0QEGWU4RvNAsZPRa31HU87Vm7I3NSZ34DZsCZJoc', 'kid': 'HIvo33-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} +RP_METADATA_JWK1_pub = {'use': 'sig', 'kty': 'RSA', 'n': 'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'kid': 'HIvo33-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} + +RP_METADATA_JWK2 = {'alg': 'RSA-OAEP', 'use': 'enc', 'kty': 'RSA', 'n': 
'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'd': 'jEDxjcTZXBbgBV8Bgt7-qfW1FJoHDEFKFxhfMpHQQoETa-jTPhCxOD2MzYM8A-9kKc8tu9r-crTAl1PI42kPnMd283phixd5G5Tv8gSaGdnq-45ka0iRuC7TItUdDiMNb_2YzB4ZLGLNmaIKQJSGqCHEcQuRVyxJtTZwrXaMMOhDqJaWUvUQWF5C7g5O5mOVTkNKw6ujzhqcWa4N3NE-HwcbVW_9st4s1c_ng-DlwLTptaeM5j-LOeZMX1zcVlwYMi5ZkYYY6FHHjYI4nBWDtqhvf-64QaTv8exIjk8PcxHOwhfLTWiHPLk14af7U_pCzkP87WQCBgNfvt3WILQ5DQ', 'p': '75eNHkWaYQMgzVfFwif5uftSxqOhFU6VkxNKdqoRuFxJuVTO-M-vbQc3BwPxms2xrpizU6zGcoPGPvccDi0G040wZh34pWDVABMgGMKXKmeTwj8FuM1DzOVq8DKHmdrhk1gaQbPAP8JVOVYK7uh_lG5wmz3X-En1McMk-E8g8Ic', 'q': '0Sny6DLNtDP1_B9qiyCaMtRqPSAUZ1ohCZRlBT6-IGRR31Kt5S2JcVNDnF5w4dunlDY4nhIBZ0v0VyzWKgDXj6qrFY1pm1iE29gW227YsVRWQU8xWGpBwEu8nxNMr0u0zfe0QEGWU4RvNAsZPRa31HU87Vm7I3NSZ34DZsCZJoc', 'kid': 'ENC-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} +RP_METADATA_JWK2_pub = {'alg': 'RSA-OAEP', 'use': 'enc', 'kty': 'RSA', 'n': 'w8H80eT2zrs2XQ-SApZG9TkuXDuIxANfCVHt4fFqNnOEZaCNWqlTQIo0JiSBE-QmzZ09TYP1BJpESuQf_PUeLRVPfYHsBVk5OYvhT27_nYlV7_1LsFGLxxsIa-hswMMzvW-1_huKLy6Fp0WP0ouUJAHsF_eYVtO1ApRhvlIVd5azM4k7t8Lh8lkCSdF1SfGHfXnXJRb-XensZ0cFSfe2Koq9mD7jpGLXlPpXxj8Ow0g7KYT5kVtWE5ULmNmO7BIN1Hx4HpggbbEGgC9FyjKw4GfFb-csnB-icBPf_60HomjrkFFt6vTjrcqQaHOj-sEjP36N8rMSBiMmiMSPnsHhMQ', 'e': 'AQAB', 'kid': 'ENC-Km7n03ZqKDJfWVnlFudsW28YhQZx5eaXtAKA'} rp_onboarding_data = dict( name="RP Test", @@ -64,7 +67,7 @@ rp_conf = { "sub": rp_onboarding_data["sub"], "jwks_fed" : [RP_METADATA_JWK1], - "jwks_core" : [RP_METADATA_JWK1], + "jwks_core" : [RP_METADATA_JWK1, RP_METADATA_JWK2], "metadata": { "openid_relying_party": { "application_type": "web", 
@@ -76,7 +79,7 @@ "response_types": ["code"], "subject_type": "pairwise", "client_id": "http://rp-test.it/oidc/rp/", - "jwks": {"keys": [RP_METADATA_JWK1_pub]}, + "jwks": {"keys": [RP_METADATA_JWK1_pub, RP_METADATA_JWK2_pub]}, } }, "authority_hints": ["http://testserver/"], @@ -87,7 +90,7 @@ "iss": rp_conf["sub"], "sub": rp_conf["sub"], "jwks": { - "keys": [RP_METADATA_JWK1_pub] + "keys": [RP_METADATA_JWK1_pub, RP_METADATA_JWK2_pub] }, "metadata": rp_conf["metadata"], "authority_hints":rp_conf["authority_hints"] diff --git a/spid_cie_oidc/entity/utils.py b/spid_cie_oidc/entity/utils.py index 73fd91d9..fcb18fd2 100644 --- a/spid_cie_oidc/entity/utils.py +++ b/spid_cie_oidc/entity/utils.py @@ -14,13 +14,11 @@ logger = logging.getLogger(__name__) -def get_key(jwks, used=KeyUsage.signature): - # TODO change tests accordingly due 2 core keys - if len(jwks) > 1: - for jwk in jwks: - if jwk['use'] == used: - return jwk - return jwks[0] +def get_key(jwks, use=KeyUsage.signature): + for jwk in jwks: + if jwk['use'] == use: + return jwk + return jwks[0] def iat_now() -> int: diff --git a/spid_cie_oidc/provider/tests/settings.py b/spid_cie_oidc/provider/tests/settings.py index 762a68b6..eeb4ee70 100644 --- a/spid_cie_oidc/provider/tests/settings.py +++ b/spid_cie_oidc/provider/tests/settings.py @@ -1,4 +1,5 @@ op_conf_priv_jwk = { + "use": "sig", "kty": "RSA", "kid": "dB67gL7ck3TFiIAf7N6_7SHvqk0MDYMEQcoGGlkUAAw", "n": "01_4aI2Lu5ggsElmRkE_S_a83V_szXU0txV4db2hmJ8HR1Y2s7PsZZ5-emGpnTydGrR3n-QExeEEIcFt_a06Ryiink34RQcKoGXUDBMBU0Bu8G7NcZ99YX6yeG9wFi4xs-WviTPmtPqijkz6jm1_ltWDcwbktfkraIRKKggZaEl9ldtsFr2wSpin3AXuGIdeJ0hZqhF92ODBLGjJlaIL9KlwopDy56adReVnraawSdrxmuPGj78IEADNAme2nQNvv9UCu0FkAn5St1bKds3Gpv26W0kjr1gZLsmQrj9lTcDk_KbAwfEY__P7se62kusoSuKMTQqUG1TQpUY7oFGSdw", 
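Review bot: The rewrite still does `jwk['use']`, which raises `KeyError` for a JWK without the optional `use` member, and still falls back to `jwks[0]` whenever no key matches, so asking for `KeyUsage.encryption` against a keyset that only declares `sig` keys silently returns a signing key for encryption (and an empty list raises `IndexError`). I would match with `.get('use')`, only fall back to keys that declare no `use`, and raise when nothing suitable exists so callers see the misconfiguration instead of a mis-used key. Callers that currently rely on the blind fallback would need to handle the new exception, so this is a behaviour change worth stating in the commit message.
```python
def get_key(jwks, use=KeyUsage.signature):
    """Return the JWK tagged for `use`, else one with no `use` tag; never a key tagged for another purpose."""
    for jwk in jwks:
        if jwk.get('use') == use:
            return jwk
    # nothing declared for this use: an untagged key is acceptable, a key tagged otherwise is not
    for jwk in jwks:
        if not jwk.get('use'):
            return jwk
    raise ValueError(f"no JWK available for use={use!r}")
```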
@@ -59,6 +60,7 @@ "jwks": { "keys": [ { + "use": "sig", "kty": "RSA", "n": "01_4aI2Lu5ggsElmRkE_S_a83V_szXU0txV4db2hmJ8HR1Y2s7PsZZ5-emGpnTydGrR3n-QExeEEIcFt_a06Ryiink34RQcKoGXUDBMBU0Bu8G7NcZ99YX6yeG9wFi4xs-WviTPmtPqijkz6jm1_ltWDcwbktfkraIRKKggZaEl9ldtsFr2wSpin3AXuGIdeJ0hZqhF92ODBLGjJlaIL9KlwopDy56adReVnraawSdrxmuPGj78IEADNAme2nQNvv9UCu0FkAn5St1bKds3Gpv26W0kjr1gZLsmQrj9lTcDk_KbAwfEY__P7se62kusoSuKMTQqUG1TQpUY7oFGSdw", "e": "AQAB", diff --git a/spid_cie_oidc/relying_party/tests/mocked_response.py b/spid_cie_oidc/relying_party/tests/mocked_response.py index c5d80563..18e9dec3 100644 --- a/spid_cie_oidc/relying_party/tests/mocked_response.py +++ b/spid_cie_oidc/relying_party/tests/mocked_response.py @@ -5,7 +5,7 @@ from spid_cie_oidc.provider.tests.settings import op_conf, op_conf_priv_jwk from spid_cie_oidc.authority.tests.settings import rp_conf, INTERMEDIARY_JWK1 from spid_cie_oidc.entity.jwtse import create_jws, create_jwe -from spid_cie_oidc.entity.utils import iat_now, exp_from_now +from spid_cie_oidc.entity.utils import iat_now, exp_from_now, get_key, KeyUsage from spid_cie_oidc.entity.utils import get_jwks from cryptojwt.jws.utils import left_hash logger = logging.getLogger(__name__) @@ -196,9 +196,11 @@ def content(self): "https://attributes.eid.gov.it/fiscal_number": "sdfsfs908df09s8df90s8fd0" } jws = create_jws(jwt, op_conf_priv_jwk) + jwks = get_jwks(rp_conf["metadata"]["openid_relying_party"]) + key = get_key(jwks, KeyUsage.encryption) jwe = create_jwe( jws, - get_jwks(rp_conf["metadata"]["openid_relying_party"])[0] + key ) return jwe.encode() diff --git a/spid_cie_oidc/relying_party/tests/test_04_rp_callback.py b/spid_cie_oidc/relying_party/tests/test_04_rp_callback.py index 1d274517..8ca3d88e 100644 --- a/spid_cie_oidc/relying_party/tests/test_04_rp_callback.py +++ b/spid_cie_oidc/relying_party/tests/test_04_rp_callback.py 
@@ -29,6 +29,7 @@ class RpCallBack(TestCase): def setUp(self): self.rp_jwk = { + 'use': 'sig', 'kty': 'RSA', 'kid': '19xSsWuFOo5bFBUECA5G3V5GEhC0s7X8TTCEykdzsmo', 'e': 'AQAB', From 43ad68f0424d64de0914d209bc1f5f0cd710a697 Mon Sep 17 00:00:00 2001 From: Glauco <37829079+rglauco@users.noreply.github.com> Date: Thu, 14 Mar 2024 10:07:22 +0100 Subject: [PATCH 15/15] chore: bump to version 1.4.1 --- spid_cie_oidc/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spid_cie_oidc/__init__.py b/spid_cie_oidc/__init__.py index 3e8d9f94..bf256159 100644 --- a/spid_cie_oidc/__init__.py +++ b/spid_cie_oidc/__init__.py @@ -1 +1 @@ -__version__ = "1.4.0" +__version__ = "1.4.1"