Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes to make the library work correctly, some fixes to the "simple" example and some internal documentation. #803

Open
wants to merge 7 commits into
base: master
Choose a base branch
from

Conversation

alejandro-nieto-git
Copy link

Documentation changes (b9e18b6 and e22e228)

Added some internal documentation to methods of the "simple" examples and the library.

Fixes to make the authentication request/response work

0cd2944

In the oic.oauth2 construct_Authorization method the request args in kwargs are never added to the request_args of the request and therefore you can't get the client_id, the state, the redirection_uris etc when trying to complete the auth in the VerifierMiddleware of the OP, atleast in the "simple op" example. There are some changes needed for the VerifierMiddleware to work too. In my proposal I use the HTTP_REFERER header to get the query args of the previous request which is the request to get the login static page and it has the arguments we added in the construct_Authorization method which makes it possible to get authenticated correctly.

Fixes to make the token request/response work and the userinfo request/response work

897a652

The token endpoint and userinfo endpoint are never added to the Client instance so I added them just after the Client creation. Someone with more knowledge about the library than me can try and add these changes inside the library functions almost certainly.

ce469a9

When trying to get the access token some method of the library needs to check the authorization header with the Bearer token of the HTTP Basic Auth when using the authorization code flow but this header is ignored when the request is processed using the pyoidcMiddleware so I add this header in each request to the token endpoint and it works now.

1e98232

When the issuer of the id token is verified in the library methods the iss is checked against the keyjar which makes no sense and makes the verification fail always. Now it checks it against the known iss.

@alejandro-nieto-git
Copy link
Author

I have a working project that uses this fixes and other fixes so I will try to make more PRs in the future.

Copy link
Collaborator

@tpazderka tpazderka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The tests are failing due to some changes. That needs to be addressed as well.

@@ -298,7 +298,7 @@ def verify_id_token(instance, check_hash=False, **kwargs):

if "keyjar" in kwargs:
try:
if _body["iss"] not in kwargs["keyjar"]:
if _body["iss"] not in kwargs["iss"]:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is checking if we have the needed key to make the signature and/or encryption.

@@ -255,6 +255,9 @@ def __init__(
logout_path="",
settings: PyoidcSettings = None,
):
"""
:param name the iss, which is the URI of the OP.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would rather use the google style conventions.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will take a look at it, thanks for your advice.

@@ -425,6 +425,8 @@ def construct_AuthorizationRequest(
else:
request_args = {}

request_args.update(kwargs)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the content should be in the request_args, the kwargs can potentially contain bad arguments.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My problem is that if I don't add the request args manually from kwargs these arguments like client_id, redirect_uri passed to the oic.oic. construct_AuthenticationRequest method are never added to the authentication request. So, if I'm not doing anything else wrong, there is a problem when picking the args passed to this method because if I run my app with the authenticationRequest method detailed below without my changes the redirect_uri arg in the authentication request made to the OP is equal to "h". When I use the python debug console to print session["client"].registration_response["redirect_uris"][0] its value is 'https://localhost:8080/authenticateDigitelTS' and therefore it's correct.

def authenticationRequest(self, session):
        """
        Sends a request to the OP to authenticate the user that made this request.

        :param session: a CherryPy Session with the session of the user that made the request.

        :return a RegistrationResponse instance with the response.
        """

        session["state"] = rndstr()
        session["nonce"] = rndstr()
        args = {
            "client_id": session["client"].client_id,
            "response_type": session["client"].response_type,
            "scope": session["client"].scope,
            "nonce": session["nonce"],
            "redirect_uri": session["client"].registration_response["redirect_uris"][0],
            "state": session["state"]
        }

        auth_request = session["client"].construct_AuthorizationRequest(**args)
        # Send the request to the authorization endpoint.
        loginPseudoURL = auth_request.request(session["client"].authorization_endpoint)

        return loginPseudoURL

I don't know if the problem is because of these arguments never being added to request_args in oic.oauth2.construct_AuthorizationRequest or there is an error in any other place because I don't know all the implementation details of the library that well. Maybe you can point me in the right direction. Thanks for your help, have a good day.

PD: I will check google documentation conventions for future PRs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants