From 73032fe688a899f80d2a65479c72fec450ec51a1 Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Thu, 28 Feb 2019 10:06:37 +0100
Subject: Removed duplicated OIDC members in OAuth2.RequestValidator
---
docs/oauth2/oidc/validator.rst | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'docs')
diff --git a/docs/oauth2/oidc/validator.rst b/docs/oauth2/oidc/validator.rst
index a03adfe..7a6f574 100644
--- a/docs/oauth2/oidc/validator.rst
+++ b/docs/oauth2/oidc/validator.rst
@@ -10,12 +10,14 @@ upgrade it by replacing one line of code:
.. code-block:: python
from oauthlib.oauth2 import Server
+ from oauthlib.oauth2 import RequestValidator
Into
.. code-block:: python
from oauthlib.openid import Server
+ from oauthlib.openid import RequestValidator
Then, you have to implement the new RequestValidator methods as shown below.
@@ -24,5 +26,5 @@ RequestValidator Extension
A couple of methods must be implemented in your validator subclass if you wish to support OpenID Connect:
-.. autoclass:: oauthlib.oauth2.RequestValidator
- :members: validate_silent_authorization, validate_silent_login, validate_user_match, get_id_token, get_authorization_code_scopes, validate_jwt_bearer_token
+.. autoclass:: oauthlib.openid.RequestValidator
+ :members:
-- cgit v1.2.1
From 7c570c763725fdaa40778d6cd6689b09b3971f50 Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Thu, 28 Feb 2019 10:16:27 +0100
Subject: Add technicals fields of `id_token` in oauthlib OIDC support
A new RequestValidator `fill_id_token` has been introduced to replace `get_id_token`. It aims to have the bare minimum amount of fields to complete a full OIDC id_token support. `get_id_token` is still valid but optional, and if it is implemented, `fill_id_token` will not be called. The current `fill_id_token` came with full support of `aud`, `iat`, `nonce`, `at_hash` and `c_hash`. More could come in the future e.g. `auth_time`, ...
---
docs/oauth2/oidc/id_tokens.rst | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
(limited to 'docs')
diff --git a/docs/oauth2/oidc/id_tokens.rst b/docs/oauth2/oidc/id_tokens.rst
index 999cfa7..2387c01 100644
--- a/docs/oauth2/oidc/id_tokens.rst
+++ b/docs/oauth2/oidc/id_tokens.rst
@@ -1,9 +1,9 @@
ID Tokens
=========
-The creation of `ID Tokens`_ is ultimately done not by OAuthLib but by your ``RequestValidator`` subclass. This is because their
+The creation of `ID Tokens`_ is ultimately not done by OAuthLib but by your ``RequestValidator`` subclass. This is because their
content is dependent on your implementation of users, their attributes, any claims you may wish to support, as well as the
-details of how you model the notion of a Client Application. As such OAuthLib simply calls your validator's ``get_id_token``
+details of how you model the notion of a Client Application. As such OAuthLib simply calls your validator's ``fill_id_token``
method at the appropriate times during the authorization flow, depending on the grant type requested (Authorization Code, Implicit, Hybrid, etc.).
@@ -12,7 +12,7 @@ See examples below.
.. _`ID Tokens`: http://openid.net/specs/openid-connect-core-1_0.html#IDToken
.. autoclass:: oauthlib.oauth2.RequestValidator
- :members: get_id_token
+ :members: fill_id_token
JWT/JWS example with pyjwt library
@@ -38,12 +38,13 @@ You can switch to jwcrypto library if you want to return JWE instead.
super().__init__(self, **kwargs)
- def get_id_token(self, token, token_handler, request):
+ def fill_id_token(self, id_token, token, token_handler, request):
import jwt
- data = {"nonce": request.nonce} if request.nonce is not None else {}
-
+ id_token["iss"] = "https://my.cool.app.com"
+ id_token["sub"] = request.user.id
+ id_token["exp"] = id_token["iat"] + 3600 * 24 # keep it valid for 24hours
for claim_key in request.claims:
- data[claim_key] = request.userattributes[claim_key] # this must be set in another callback
+ id_token[claim_key] = request.userattributes[claim_key] # this must be set in another callback
- return jwt.encode(data, self.private_pem, 'RS256')
+ return jwt.encode(id_token, self.private_pem, 'RS256')
-- cgit v1.2.1
From 53d3d335879f205ae705d93420f34984073cd5a1 Mon Sep 17 00:00:00 2001
From: Jonathan Huot
Date: Tue, 26 Mar 2019 14:50:41 +0100
Subject: Renamed fill into finalize to add clarity
---
docs/oauth2/oidc/id_tokens.rst | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'docs')
diff --git a/docs/oauth2/oidc/id_tokens.rst b/docs/oauth2/oidc/id_tokens.rst
index 2387c01..a1bf7cf 100644
--- a/docs/oauth2/oidc/id_tokens.rst
+++ b/docs/oauth2/oidc/id_tokens.rst
@@ -3,7 +3,7 @@ ID Tokens
The creation of `ID Tokens`_ is ultimately not done by OAuthLib but by your ``RequestValidator`` subclass. This is because their
content is dependent on your implementation of users, their attributes, any claims you may wish to support, as well as the
-details of how you model the notion of a Client Application. As such OAuthLib simply calls your validator's ``fill_id_token``
+details of how you model the notion of a Client Application. As such OAuthLib simply calls your validator's ``finalize_id_token``
method at the appropriate times during the authorization flow, depending on the grant type requested (Authorization Code, Implicit, Hybrid, etc.).
@@ -12,7 +12,7 @@ See examples below.
.. _`ID Tokens`: http://openid.net/specs/openid-connect-core-1_0.html#IDToken
.. autoclass:: oauthlib.oauth2.RequestValidator
- :members: fill_id_token
+ :members: finalize_id_token
JWT/JWS example with pyjwt library
@@ -38,7 +38,7 @@ You can switch to jwcrypto library if you want to return JWE instead.
super().__init__(self, **kwargs)
- def fill_id_token(self, id_token, token, token_handler, request):
+ def finalize_id_token(self, id_token, token, token_handler, request):
import jwt
id_token["iss"] = "https://my.cool.app.com"
-- cgit v1.2.1