From 0a5ce3675a06faeb42c139f01702bfa5479ca9b9 Mon Sep 17 00:00:00 2001 From: Roland Hedberg Date: Thu, 11 Nov 2021 10:58:09 +0100 Subject: [PATCH 1/2] Removed not up to date configuration files. Edited README content. --- README.md | 6 +- example/flask_rp/conf.yaml | 129 ------------ example/flask_rp/example_conf.yaml | 320 ----------------------------- 3 files changed, 3 insertions(+), 452 deletions(-) delete mode 100644 example/flask_rp/conf.yaml delete mode 100644 example/flask_rp/example_conf.yaml diff --git a/README.md b/README.md index 2fbbc67..d64b6d8 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,9 @@ # oidcrp High level interface to the OIDC RP library -oidcrp represents the 4th layer in the -JWTConnect stack (cryptojwt, oidcmsg, oidcservice, oidcrp) +oidcrp represents the 3rd layer in the +JWTConnect stack (cryptojwt, oidcmsg, oidcrp) See the documentation at http://oidcrp.readthedocs.io/en/latest/ . -See sample RPs at https://github.com/openid/JWTConnect-Python-OidcRP/tree/master/chrp . Has example configurations for Facebook, GitHub, Google, LinkedIn, Microsoft, Okta, Ping Federate, and Salesforce. +See sample RPs at https://github.com/openid/JWTConnect-Python-OidcRP/tree/master/example . Has example configurations for Facebook, GitHub, Google, LinkedIn, Microsoft, Okta, Ping Federate, and Salesforce. diff --git a/example/flask_rp/conf.yaml b/example/flask_rp/conf.yaml deleted file mode 100644 index ea23a1a..0000000 --- a/example/flask_rp/conf.yaml +++ /dev/null @@ -1,129 +0,0 @@ -logging: - version: 1 - disable_existing_loggers: False - root: - handlers: - - console - - file - level: DEBUG - loggers: - idp: - level: DEBUG - handlers: - console: - class: logging.StreamHandler - stream: 'ext://sys.stdout' - formatter: default - file: - class: logging.FileHandler - filename: 'debug.log' - formatter: default - formatters: - default: - format: '%(asctime)s %(name)s %(levelname)s %(message)s' - -port: &port 8090 -domain: &domain 127.0.0.1 -base_url: "https://{domain}:{port}" - -httpc_params: - # This is just for testing an local usage. In all other cases it MUST be True - verify: false - # Client side - #client_cert: "certs/client.crt" - #client_key: "certs/client.key" - -keydefs: &keydef - - "type": "RSA" - "key": '' - "use": ["sig"] - - "type": "EC" - "crv": "P-256" - "use": ["sig"] - -rp_keys: - 'private_path': 'private/jwks.json' - 'key_defs': *keydef - 'public_path': 'static/jwks.json' - # this will create the jwks files if they are absent - 'read_only': False - -client_preferences: &id001 - application_name: rphandler - application_type: web - contacts: - - ops@example.com - response_types: - - code - scope: - - openid - - profile - - email - - address - - phone - token_endpoint_auth_method: - - client_secret_basic - - client_secret_post - -services: &id002 - discovery: &disc - class: oidcrp.oidc.provider_info_discovery.ProviderInfoDiscovery - kwargs: {} - registration: ®ist - class: oidcrp.oidc.registration.Registration - kwargs: {} - authorization: &authz - class: oidcrp.oidc.authorization.Authorization - kwargs: {} - accesstoken: &acctok - class: oidcrp.oidc.access_token.AccessToken - kwargs: {} - userinfo: &userinfo - class: oidcrp.oidc.userinfo.UserInfo - kwargs: {} - end_session: &sess - class: oidcrp.oidc.end_session.EndSession - kwargs: {} - -clients: - "": - client_preferences: *id001 - redirect_uris: None - services: *id002 - local: - client_preferences: *id001 - issuer: https://127.0.0.1:5000/ - redirect_uris: - - 'https://{domain}:{port}/authz_cb/local' - post_logout_redirect_uris: - - "https://{domain}:{port}/session_logout/local" - frontchannel_logout_uri: "https://{domain}:{port}/fc_logout/local" - frontchannel_logout_session_required: True - backchannel_logout_uri: "https://{domain}:{port}/bc_logout/local" - backchannel_logout_session_required: True - services: - discovery: *disc - registration: *regist - authorization: *authz - accesstoken: *acctok - userinfo: *userinfo - end_session: *sess - add_ons: - pkce: - function: oidcrp.oauth2.add_on.pkce.add_support - kwargs: - code_challenge_length: 64 - code_challenge_method: S256 - - -webserver: - port: *port - domain: *domain - # If BASE is https these has to be specified - server_cert: "certs/cert.pem" - server_key: "certs/key.pem" - # If you want the clients cert to be verified - # verify_user: optional - # The you also need - # ca_bundle: '' - debug: true diff --git a/example/flask_rp/example_conf.yaml b/example/flask_rp/example_conf.yaml deleted file mode 100644 index 8898418..0000000 --- a/example/flask_rp/example_conf.yaml +++ /dev/null @@ -1,320 +0,0 @@ - -PORT: 8089 -BASEURL: "https://localhost:8089" - -# If BASE is https these has to be specified -SERVER_CERT: "certs/cert.pem" -SERVER_KEY: "certs/key.pem" -CA_BUNDLE: '' - -# This is just for testing an local usage. In all other cases it MUST be True -VERIFY_SSL: false - -KEYDEFS: &keydef - - - "type": "RSA" - "key": '' - "use": ["sig"] - - - "type": "EC" - "crv": "P-256" - "use": ["sig"] - -HTML_HOME: 'html' -SECRET_KEY: 'secret_key' -SESSION_COOKIE_NAME: 'rp_session' -PREFERRED_URL_SCHEME: 'https' - -RP_KEYS: - 'private_path': './private/jwks.json' - 'key_defs': *keydef - 'public_path': './static/jwks.json' - # this will create the jwks files if they absent - 'read_only': False - -# information used when registering the client, this may be the same for all OPs - -client_preferences: &prefs - application_name: rphandler - application_type: web - contacts: [ops@example.com] - response_types: [code] - scope: [openid, profile, email, address, phone] - token_endpoint_auth_method: [client_secret_basic, client_secret_post] - -services: &services - discovery: - class: oidcservice.oidc.provider_info_discovery.ProviderInfoDiscovery - kwargs: {} - registration: - class: oidcservice.oidc.registration.Registration - kwargs: {} - authorization: - class: oidcservice.oidc.authorization.Authorization - kwargs: {} - accesstoken: - class: oidcservice.oidc.access_token.AccessToken - kwargs: {} - refresh_accesstoken: - class: oidcservice.oidc.refresh_access_token.RefreshAccessToken - kwargs: {} - userinfo: - class: oidcservice.oidc.userinfo.UserInfo - kwargs: {} - end_session: - class: oidcservice.oidc.end_session.EndSession - kwargs: {} - - - -# The keys in this dictionary are the OPs short user friendly name -# not the issuer (iss) name. - -clients: - # The ones that support webfinger, OP discovery and client registration - # This is the default, any client that is not listed here is expected to - # support dynamic discovery and registration. - "": - client_preferences: *prefs - redirect_uris: None - services: *services - # Supports OP information lookup but not client registration - google: - issuer: "https://accounts.google.com/" - client_id: "xxxxxxxxx.apps.googleusercontent.com" - client_secret: "2222222222" - redirect_uris: - - https://localhost:8089/authz_cb/google - client_preferences: - response_types: - - code - scope: - - openid - - profile - - email - token_endpoint_auth_method: "client_secret_basic" - allow: - issuer_mismatch: true - services: - discovery: - class: oidcservice.rp.provider_info_discovery.ProviderInfoDiscovery - - authorization: - class: oidcservice.oidc.authorization.Authorization - - accesstoken: - class: oidcservice.oidc.accesstoken.Accesstoken - - refresh_accesstoken: - class: oidcservice.oidc.refresh_access_token.RefreshAccessToken - - userinfo: - class: oidcservice.oidc.userinfo.UserInfo - - end_session: - class: oidcservice.oidc.session.EndSession - - microsoft: - issuer: 'https://login.microsoftonline.com//v2.0' - client_id: 242424242424' - client_secret': ipipipippipipippi - redirect_uris: - - https://localhost:8089/authz_cb/microsoft - client_preferences: - response_types: - - id_token - scope: - - openid, - token_endpoint_auth_method: private_key_jwt - response_mode: form_post - allow: - issuer_mismatch: True - services: - discovery: - class: oidcservice.rp.provider_info_discovery.ProviderInfoDiscovery - authorization: - class: oidcservice.oidc.authorization.Authorization - linkedin: - issuer: https://www.linkedin.com/oauth/v2/ - client_id: xxxxxxx - client_secret: yyyyyyy - redirect_uris: - - https://localhost:8089/authz_cb/linkedin - behaviour: - response_types: - - code - scope: - - r_basicprofile - - r_emailaddress - token_endpoint_auth_method: client_secret_post - provider_info: - authorization_endpoint: - https://www.linkedin.com/oauth/v2/authorization - token_endpoint: - https://www.linkedin.com/oauth/v2/accessToken - userinfo_endpoint: - "https://api.linkedin.com/v1/people/~?format=json" - userinfo_request_method: GET - services: - authorization: - class: oidcservice.oidc.authorization.Authorization - accesstoken: - class: oidcrp.provider.linkedin.AccessToken - userinfo: - class: oidcrp.provider.linkedin.UserInfo - facebook: - issuer: "https://www.facebook.com/v2.11/dialog/oauth" - behaviour: - response_types: - - code - scope: - - email - - public_profile - token_endpoint_auth_method: - - '' - redirect_uris: - - https://localhost:8089/authz_cb/facebook - provider_info: - authorization_endpoint: - https://www.facebook.com/v2.11/dialog/oauth - token_endpoint: - https://graph.facebook.com/v2.11/oauth/access_token - userinfo_endpoint: - https://graph.facebook.com/me - services: - authorization: - class: oidcservice.oidc.authorization.Authorization - accesstoken: - class: oidcservice.oidc.accesstoken.Accesstoken - kwargs: - default_authn_method: '' - userinfo: - class: oidcservice.oidc.userinfo.UserInfo - kwargs: - default_authn_method: '' - github: - issuer: - https://github.com/login/oauth/authorize - client_id: eeeeeeeee - client_secret: aaaaaaaaaaaaa - redirect_uris: - - /authz_cb/github - behaviour: - response_types: - - code - scope: - - user - - public_repo - token_endpoint_auth_method: - - '' - provider_info: - authorization_endpoint: - https://github.com/login/oauth/authorize - token_endpoint: - https://github.com/login/oauth/access_token - userinfo_endpoint: - https://api.github.com/user - services: - authorization: - class: oidcservice.oidc.authorization.Authorization - accesstoken: - class: oidcservice.oidc.accesstoken.Accesstoken - userinfo: - class: oidcservice.oidc.userinfo.UserInfo - kwargs: - default_authn_method: '' - salesforce: - issuer: - https://login.salesforce.com - client_id: - xxxxxxxxx.yyy - client_secret: - 2222222222 - redirect_uris: - - https://localhost:8089/authz_cb/salesforce - client_preferences: - response_types: - - code - scope: - - openid - - profile - - email - token_endpoint_auth_method: client_secret_basic - services: - discovery: - class: oidcservice.rp.provider_info_discovery.ProviderInfoDiscovery - authorization: - class: oidcservice.oidc.authorization.Authorization - accesstoken: - class: oidcservice.oidc.accesstoken.Accesstoken - refresh_accesstoken: - class: oidcservice.oidc.refresh_access_token.RefreshAccessToken - userinfo: - class: oidcservice.oidc.userinfo.UserInfo - keys: - file: - rsa: - - salesforce.key - okta: - issuer: https://dev-968755.oktapreview.com/ - client_id: 123456789 - client_secret: abcdefgh - redirect_uris: - - https://localhost:8089/authz_cb/okta - client_preferences: - response_types: - - code - scope: - - openid - - profile - - email - token_endpoint_auth_method: client_secret_basic - provider_info: - authorization_endpoint: - https://dev-968755.oktapreview.com/oauth2/default/v1/authorize - token_endpoint: - https://dev-968755.oktapreview.com/oauth2/default/v1/token - userinfo_endpoint: - https://dev-968755.oktapreview.com/oauth2/v1/userinfo - services: - authorization: - class: oidcservice.oidc.authorization.Authorization - accesstoken: - class: oidcservice.oidc.accesstoken.Accesstoken - userinfo: - class: oidcservice.oidc.userinfo.UserInfo - pingfed: - issuer: https://pf.example.com/ - client_id: pyrp_client - client_secret: someSecretxxx - redirect_uris: - - https://localhost:8089/authz_cb/pingfed - behaviour: - response_types: - - code - scope: - - openid - - profile - - email - token_endpoint_auth_method: client_secret_basic - provider_info: - authorization_endpoint: - https://pf.example.com/as/authorization.oauth2 - token_endpoint: - https://pf.example.com/as/token.oauth2 - userinfo_endpoint: - https://pf.example.com/idp/userinfo.openid - services: - authorization: - class: oidcservice.oidc.authorization.Authorization - accesstoken: - class: oidcservice.oidc.accesstoken.Accesstoken - userinfo: - class: oidcservice.oidc.userinfo.UserInfo - keys: - url: - https://pf.example.com/: https://pf.example.com/jwks.json - -# Whether an attempt to fetch the userinfo should be made -USERINFO: true - From a67c23f1f945d5ab2c00aa5a3e2b44fc451927a2 Mon Sep 17 00:00:00 2001 From: Roland Hedberg Date: Thu, 11 Nov 2021 10:59:15 +0100 Subject: [PATCH 2/2] Edited README content. Removed statement we didn't live up to. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d64b6d8..047bb9e 100644 --- a/README.md +++ b/README.md @@ -6,4 +6,4 @@ JWTConnect stack (cryptojwt, oidcmsg, oidcrp) See the documentation at http://oidcrp.readthedocs.io/en/latest/ . -See sample RPs at https://github.com/openid/JWTConnect-Python-OidcRP/tree/master/example . Has example configurations for Facebook, GitHub, Google, LinkedIn, Microsoft, Okta, Ping Federate, and Salesforce. +See sample RPs at https://github.com/openid/JWTConnect-Python-OidcRP/tree/master/example .