summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJonathan Huot <jonathan.huot@thomsonreuters.com>2019-05-13 11:36:20 +0200
committerJonathan Huot <jonathan.huot@thomsonreuters.com>2019-05-13 11:36:20 +0200
commit0821ab7467fec977cc8dbe357435d03861c16027 (patch)
tree0eb22d174d37e07c5572b4aa18a2d9574691a48b
parenta8eaf06eabedba10b5bc928a831e71682c9e88ee (diff)
downloadoauthlib-0821ab7467fec977cc8dbe357435d03861c16027.tar.gz
Add UserInfoEndpoint to the OIDC Provider support.
-rw-r--r--docs/oauth2/oidc/validator.rst1
-rw-r--r--oauthlib/openid/__init__.py1
-rw-r--r--oauthlib/openid/connect/core/endpoints/__init__.py1
-rw-r--r--oauthlib/openid/connect/core/endpoints/pre_configured.py4
-rw-r--r--oauthlib/openid/connect/core/endpoints/userinfo.py102
-rw-r--r--oauthlib/openid/connect/core/request_validator.py42
-rw-r--r--tests/openid/connect/core/endpoints/test_userinfo_endpoint.py70
7 files changed, 220 insertions, 1 deletions
diff --git a/docs/oauth2/oidc/validator.rst b/docs/oauth2/oidc/validator.rst
index 7a6f574..17f5825 100644
--- a/docs/oauth2/oidc/validator.rst
+++ b/docs/oauth2/oidc/validator.rst
@@ -20,6 +20,7 @@ Into
from oauthlib.openid import RequestValidator
Then, you have to implement the new RequestValidator methods as shown below.
+Note that a new UserInfo endpoint is defined and need a new controller into your webserver.
RequestValidator Extension
----------------------------------------------------
diff --git a/oauthlib/openid/__init__.py b/oauthlib/openid/__init__.py
index 7f1a876..8157c29 100644
--- a/oauthlib/openid/__init__.py
+++ b/oauthlib/openid/__init__.py
@@ -7,4 +7,5 @@ oauthlib.openid
from __future__ import absolute_import, unicode_literals
from .connect.core.endpoints import Server
+from .connect.core.endpoints import UserInfoEndpoint
from .connect.core.request_validator import RequestValidator
diff --git a/oauthlib/openid/connect/core/endpoints/__init__.py b/oauthlib/openid/connect/core/endpoints/__init__.py
index 719f883..528841f 100644
--- a/oauthlib/openid/connect/core/endpoints/__init__.py
+++ b/oauthlib/openid/connect/core/endpoints/__init__.py
@@ -9,3 +9,4 @@ for consuming and providing OpenID Connect
from __future__ import absolute_import, unicode_literals
from .pre_configured import Server
+from .userinfo import UserInfoEndpoint
diff --git a/oauthlib/openid/connect/core/endpoints/pre_configured.py b/oauthlib/openid/connect/core/endpoints/pre_configured.py
index 6367847..fde2739 100644
--- a/oauthlib/openid/connect/core/endpoints/pre_configured.py
+++ b/oauthlib/openid/connect/core/endpoints/pre_configured.py
@@ -34,10 +34,11 @@ from ..grant_types.dispatchers import (
AuthorizationTokenGrantDispatcher
)
from ..tokens import JWTToken
+from .userinfo import UserInfoEndpoint
class Server(AuthorizationEndpoint, IntrospectEndpoint, TokenEndpoint,
- ResourceEndpoint, RevocationEndpoint):
+ ResourceEndpoint, RevocationEndpoint, UserInfoEndpoint):
"""An all-in-one endpoint featuring all four major grant types."""
@@ -105,3 +106,4 @@ class Server(AuthorizationEndpoint, IntrospectEndpoint, TokenEndpoint,
token_types={'Bearer': bearer, 'JWT': jwt})
RevocationEndpoint.__init__(self, request_validator)
IntrospectEndpoint.__init__(self, request_validator)
+ UserInfoEndpoint.__init__(self, request_validator)
diff --git a/oauthlib/openid/connect/core/endpoints/userinfo.py b/oauthlib/openid/connect/core/endpoints/userinfo.py
new file mode 100644
index 0000000..7a39f76
--- /dev/null
+++ b/oauthlib/openid/connect/core/endpoints/userinfo.py
@@ -0,0 +1,102 @@
+"""
+oauthlib.openid.connect.core.endpoints.userinfo
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This module is an implementation of userinfo endpoint.
+"""
+from __future__ import absolute_import, unicode_literals
+
+import json
+import logging
+
+from oauthlib.common import Request
+from oauthlib.common import unicode_type
+from oauthlib.oauth2.rfc6749.endpoints.base import BaseEndpoint
+from oauthlib.oauth2.rfc6749.endpoints.base import catch_errors_and_unavailability
+from oauthlib.oauth2.rfc6749.tokens import BearerToken
+from oauthlib.oauth2.rfc6749 import errors
+
+
+log = logging.getLogger(__name__)
+
+
+class UserInfoEndpoint(BaseEndpoint):
+ """Authorizes access to userinfo resource.
+ """
+ def __init__(self, request_validator):
+ self.bearer = BearerToken(request_validator, None, None, None)
+ self.request_validator = request_validator
+ BaseEndpoint.__init__(self)
+
+ @catch_errors_and_unavailability
+ def create_userinfo_response(self, uri, http_method='GET', body=None, headers=None):
+ """Validate BearerToken and return userinfo from RequestValidator
+
+ The UserInfo Endpoint MUST return a
+ content-type header to indicate which format is being returned. The
+ content-type of the HTTP response MUST be application/json if the
+ response body is a text JSON object; the response body SHOULD be encoded
+ using UTF-8.
+ """
+ request = Request(uri, http_method, body, headers)
+ request.scopes = ["openid"]
+ self.validate_userinfo_request(request)
+
+ claims = self.request_validator.get_userinfo_claims(request)
+ if claims is None:
+ log.error('Userinfo MUST have claims for %r.', request)
+ raise errors.ServerError(status_code=500)
+
+ if isinstance(claims, dict):
+ resp_headers = {
+ 'Content-Type': 'application/json'
+ }
+ if "sub" not in claims:
+ log.error('Userinfo MUST have "sub" for %r.', request)
+ raise errors.ServerError(status_code=500)
+ body = json.dumps(claims)
+ elif isinstance(claims, unicode_type):
+ resp_headers = {
+ 'Content-Type': 'application/jwt'
+ }
+ body = claims
+ else:
+ log.error('Userinfo return unknown response for %r.', request)
+ raise errors.ServerError(status_code=500)
+ log.debug('Userinfo access valid for %r.', request)
+ return resp_headers, body, 200
+
+ def validate_userinfo_request(self, request):
+ """Ensure the request is valid.
+
+ 5.3.1. UserInfo Request
+ The Client sends the UserInfo Request using either HTTP GET or HTTP
+ POST. The Access Token obtained from an OpenID Connect Authentication
+ Request MUST be sent as a Bearer Token, per Section 2 of OAuth 2.0
+ Bearer Token Usage [RFC6750].
+
+ It is RECOMMENDED that the request use the HTTP GET method and the
+ Access Token be sent using the Authorization header field.
+
+ The following is a non-normative example of a UserInfo Request:
+
+ GET /userinfo HTTP/1.1
+ Host: server.example.com
+ Authorization: Bearer SlAV32hkKG
+
+ 5.3.3. UserInfo Error Response
+ When an error condition occurs, the UserInfo Endpoint returns an Error
+ Response as defined in Section 3 of OAuth 2.0 Bearer Token Usage
+ [RFC6750]. (HTTP errors unrelated to RFC 6750 are returned to the User
+ Agent using the appropriate HTTP status code.)
+
+ The following is a non-normative example of a UserInfo Error Response:
+
+ HTTP/1.1 401 Unauthorized
+ WWW-Authenticate: Bearer error="invalid_token",
+ error_description="The Access Token expired"
+ """
+ if not self.bearer.validate_request(request):
+ raise errors.InvalidTokenError()
+ if "openid" not in request.scopes:
+ raise errors.InsufficientScopeError()
diff --git a/oauthlib/openid/connect/core/request_validator.py b/oauthlib/openid/connect/core/request_validator.py
index d96c9ef..e853d39 100644
--- a/oauthlib/openid/connect/core/request_validator.py
+++ b/oauthlib/openid/connect/core/request_validator.py
@@ -265,3 +265,45 @@ class RequestValidator(OAuth2RequestValidator):
- OpenIDConnectHybrid
"""
raise NotImplementedError('Subclasses must implement this method.')
+
+ def get_userinfo_claims(self, request):
+ """Return the UserInfo claims in JSON or Signed or Encrypted.
+
+ The UserInfo Claims MUST be returned as the members of a JSON object
+ unless a signed or encrypted response was requested during Client
+ Registration. The Claims defined in Section 5.1 can be returned, as can
+ additional Claims not specified there.
+
+ For privacy reasons, OpenID Providers MAY elect to not return values for
+ some requested Claims.
+
+ If a Claim is not returned, that Claim Name SHOULD be omitted from the
+ JSON object representing the Claims; it SHOULD NOT be present with a
+ null or empty string value.
+
+ The sub (subject) Claim MUST always be returned in the UserInfo
+ Response.
+
+ Upon receipt of the UserInfo Request, the UserInfo Endpoint MUST return
+ the JSON Serialization of the UserInfo Response as in Section 13.3 in
+ the HTTP response body unless a different format was specified during
+ Registration [OpenID.Registration].
+
+ If the UserInfo Response is signed and/or encrypted, then the Claims are
+ returned in a JWT and the content-type MUST be application/jwt. The
+ response MAY be encrypted without also being signed. If both signing and
+ encryption are requested, the response MUST be signed then encrypted,
+ with the result being a Nested JWT, as defined in [JWT].
+
+ If signed, the UserInfo Response SHOULD contain the Claims iss (issuer)
+ and aud (audience) as members. The iss value SHOULD be the OP's Issuer
+ Identifier URL. The aud value SHOULD be or include the RP's Client ID
+ value.
+
+ :param request: OAuthlib request.
+ :type request: oauthlib.common.Request
+ :rtype: Claims as a dict OR JWT/JWS/JWE as a string
+
+ Method is used by:
+ UserInfoEndpoint
+ """
diff --git a/tests/openid/connect/core/endpoints/test_userinfo_endpoint.py b/tests/openid/connect/core/endpoints/test_userinfo_endpoint.py
new file mode 100644
index 0000000..4593d79
--- /dev/null
+++ b/tests/openid/connect/core/endpoints/test_userinfo_endpoint.py
@@ -0,0 +1,70 @@
+# -*- coding: utf-8 -*-
+from __future__ import absolute_import, unicode_literals
+
+import mock
+import json
+
+from oauthlib.openid import RequestValidator
+from oauthlib.openid import UserInfoEndpoint
+from oauthlib.oauth2.rfc6749 import errors
+
+from tests.unittest import TestCase
+
+
+def set_scopes_valid(token, scopes, request):
+ request.scopes = ["openid", "bar"]
+ return True
+
+
+class UserInfoEndpointTest(TestCase):
+ def setUp(self):
+ self.claims = {
+ "sub": "john",
+ "fruit": "banana"
+ }
+ # Can't use MagicMock/wraps below.
+ # Triggers error when endpoint copies to self.bearer.request_validator
+ self.validator = RequestValidator()
+ self.validator.validate_bearer_token = mock.Mock()
+ self.validator.validate_bearer_token.side_effect = set_scopes_valid
+ self.validator.get_userinfo_claims = mock.Mock()
+ self.validator.get_userinfo_claims.return_value = self.claims
+ self.endpoint = UserInfoEndpoint(self.validator)
+
+ self.uri = 'should_not_matter'
+ self.headers = {
+ 'Authorization': 'Bearer eyJxx'
+ }
+
+ def test_userinfo_no_auth(self):
+ self.endpoint.create_userinfo_response(self.uri)
+
+ def test_userinfo_wrong_auth(self):
+ self.headers['Authorization'] = 'Basic foifoifoi'
+ self.endpoint.create_userinfo_response(self.uri, headers=self.headers)
+
+ def test_userinfo_token_expired(self):
+ self.validator.validate_bearer_token.return_value = False
+ self.endpoint.create_userinfo_response(self.uri, headers=self.headers)
+
+ def test_userinfo_token_no_openid_scope(self):
+ def set_scopes_invalid(token, scopes, request):
+ request.scopes = ["foo", "bar"]
+ return True
+ self.validator.validate_bearer_token.side_effect = set_scopes_invalid
+ with self.assertRaises(errors.InsufficientScopeError) as context:
+ self.endpoint.create_userinfo_response(self.uri)
+
+ def test_userinfo_json_response(self):
+ h, b, s = self.endpoint.create_userinfo_response(self.uri)
+ self.assertEqual(s, 200)
+ body_json = json.loads(b)
+ self.assertEqual(self.claims, body_json)
+ self.assertEqual("application/json", h['Content-Type'])
+
+ def test_userinfo_jwt_response(self):
+ self.validator.get_userinfo_claims.return_value = "eyJzzzzz"
+ h, b, s = self.endpoint.create_userinfo_response(self.uri)
+ self.assertEqual(s, 200)
+ self.assertEqual(b, "eyJzzzzz")
+ self.assertEqual("application/jwt", h['Content-Type'])