canaille-globuzma/canaille/oidc/well_known.py

from flask import Blueprint
from flask import current_app
from flask import g
from flask import jsonify
from flask import request
from flask import url_for

from .oauth import get_issuer


bp = Blueprint("home", __name__, url_prefix="/.well-known")


def oauth_authorization_server():
    return {
        "issuer": get_issuer(),
        "authorization_endpoint": url_for("oidc.endpoints.authorize", _external=True),
        "token_endpoint": url_for("oidc.endpoints.issue_token", _external=True),
        "token_endpoint_auth_methods_supported": [
            "client_secret_basic",
            "private_key_jwt",
            "client_secret_post",
            "none",
        ],
        "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"],
        "userinfo_endpoint": url_for("oidc.endpoints.userinfo", _external=True),
        "introspection_endpoint": url_for(
            "oidc.endpoints.introspect_token", _external=True
        ),
        "jwks_uri": url_for("oidc.endpoints.jwks", _external=True),
        "registration_endpoint": url_for(
            "oidc.endpoints.client_registration", _external=True
        ),
        "scopes_supported": [
            "openid",
            "profile",
            "email",
            "address",
            "phone",
            "groups",
        ],
        "response_types_supported": [
            "code",
            "token",
            "id_token",
            "code token",
            "code id_token",
            "token id_token",
        ],
        "ui_locales_supported": g.available_language_codes,
        "code_challenge_methods_supported": ["plain", "S256"],
    }


def openid_configuration():
    return {
        **oauth_authorization_server(),
        "end_session_endpoint": url_for("oidc.endpoints.end_session", _external=True),
        "claims_supported": [
            "sub",
            "iss",
            "auth_time",
            "acr",
            "name",
            "given_name",
            "family_name",
            "nickname",
            "profile",
            "picture",
            "website",
            "email",
            "email_verified",
            "locale",
            "zoneinfo",
            "groups",
            "nonce",
        ],
        "subject_types_supported": ["pairwise", "public"],
        "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
        "prompt_values_supported": ["none"]
        + (["create"] if current_app.config.get("ENABLE_REGISTRATION") else []),
    }


@bp.route("/oauth-authorization-server")
def oauth_authorization_server_endpoint():
    return jsonify(oauth_authorization_server())


@bp.route("/openid-configuration")
def openid_configuration_endpoint():
    return jsonify(openid_configuration())


@bp.route("/webfinger")
def webfinger():
    return jsonify(
        {
            "links": [
                {
                    "href": openid_configuration()["issuer"],
                    "rel": "http://openid.net/specs/connect/1.0/issuer",
                }
            ],
            "subject": request.args["resource"],
        }
    )
pre-commit tox test 2021-12-20 22:57:27 +00:00			`from flask import Blueprint`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00			`from flask import current_app`
Implemented a basic WebFinger endpoint. 2022-10-03 15:25:32 +00:00			`from flask import g`
pre-commit tox test 2021-12-20 22:57:27 +00:00			`from flask import jsonify`
Implemented a basic WebFinger endpoint. 2022-10-03 15:25:32 +00:00			`from flask import request`
Dynamically generate the server metadata. OAUTH2 and OIDC server metadata are now dynamically generated. 2022-11-15 14:56:07 +00:00			`from flask import url_for`
Serve server metadata files 2020-08-27 14:08:26 +00:00
Issuer 'ISS' configuration option is not mandatory anymore 2022-11-17 16:44:54 +00:00			`from .oauth import get_issuer`

Serve server metadata files 2020-08-27 14:08:26 +00:00
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`bp = Blueprint("home", __name__, url_prefix="/.well-known")`
Serve server metadata files 2020-08-27 14:08:26 +00:00

Stop caching server metadata 2022-12-15 22:00:52 +00:00			`def oauth_authorization_server():`
			`return {`
Issuer 'ISS' configuration option is not mandatory anymore 2022-11-17 16:44:54 +00:00			`"issuer": get_issuer(),`
Dynamically generate the server metadata. OAUTH2 and OIDC server metadata are now dynamically generated. 2022-11-15 14:56:07 +00:00			`"authorization_endpoint": url_for("oidc.endpoints.authorize", _external=True),`
			`"token_endpoint": url_for("oidc.endpoints.issue_token", _external=True),`
			`"token_endpoint_auth_methods_supported": [`
			`"client_secret_basic",`
			`"private_key_jwt",`
			`"client_secret_post",`
			`"none",`
			`],`
			`"token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"],`
			`"userinfo_endpoint": url_for("oidc.endpoints.userinfo", _external=True),`
			`"introspection_endpoint": url_for(`
			`"oidc.endpoints.introspect_token", _external=True`
			`),`
			`"jwks_uri": url_for("oidc.endpoints.jwks", _external=True),`
			`"registration_endpoint": url_for(`
			`"oidc.endpoints.client_registration", _external=True`
			`),`
			`"scopes_supported": [`
			`"openid",`
			`"profile",`
			`"email",`
			`"address",`
			`"phone",`
			`"groups",`
			`],`
			`"response_types_supported": [`
			`"code",`
			`"token",`
			`"id_token",`
			`"code token",`
			`"code id_token",`
			`"token id_token",`
			`],`
LDAP 'preferredLanguage' attribute support 2022-11-20 21:12:18 +00:00			`"ui_locales_supported": g.available_language_codes,`
Dynamically generate the server metadata. OAUTH2 and OIDC server metadata are now dynamically generated. 2022-11-15 14:56:07 +00:00			`"code_challenge_methods_supported": ["plain", "S256"],`
			`}`


Stop caching server metadata 2022-12-15 22:00:52 +00:00			`def openid_configuration():`
			`return {`
			`**oauth_authorization_server(),`
Dynamically generate the server metadata. OAUTH2 and OIDC server metadata are now dynamically generated. 2022-11-15 14:56:07 +00:00			`"end_session_endpoint": url_for("oidc.endpoints.end_session", _external=True),`
			`"claims_supported": [`
			`"sub",`
			`"iss",`
			`"auth_time",`
			`"acr",`
			`"name",`
			`"given_name",`
			`"family_name",`
			`"nickname",`
			`"profile",`
			`"picture",`
			`"website",`
			`"email",`
			`"email_verified",`
			`"locale",`
			`"zoneinfo",`
			`"groups",`
Add nonce to the claims_supported server metadata list 2022-12-15 10:59:00 +00:00			`"nonce",`
Dynamically generate the server metadata. OAUTH2 and OIDC server metadata are now dynamically generated. 2022-11-15 14:56:07 +00:00			`],`
			`"subject_types_supported": ["pairwise", "public"],`
			`"id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],`
feat: OIDC prompt=create implementation 2023-12-23 17:02:08 +00:00			`"prompt_values_supported": ["none"]`
			`+ (["create"] if current_app.config.get("ENABLE_REGISTRATION") else []),`
Dynamically generate the server metadata. OAUTH2 and OIDC server metadata are now dynamically generated. 2022-11-15 14:56:07 +00:00			`}`

Implemented a basic WebFinger endpoint. 2022-10-03 15:25:32 +00:00
Serve server metadata files 2020-08-27 14:08:26 +00:00			`@bp.route("/oauth-authorization-server")`
Stop caching server metadata 2022-12-15 22:00:52 +00:00			`def oauth_authorization_server_endpoint():`
			`return jsonify(oauth_authorization_server())`
Serve server metadata files 2020-08-27 14:08:26 +00:00

			`@bp.route("/openid-configuration")`
Stop caching server metadata 2022-12-15 22:00:52 +00:00			`def openid_configuration_endpoint():`
			`return jsonify(openid_configuration())`
Implemented a basic WebFinger endpoint. 2022-10-03 15:25:32 +00:00

			`@bp.route("/webfinger")`
			`def webfinger():`
			`return jsonify(`
			`{`
			`"links": [`
			`{`
Stop caching server metadata 2022-12-15 22:00:52 +00:00			`"href": openid_configuration()["issuer"],`
Implemented a basic WebFinger endpoint. 2022-10-03 15:25:32 +00:00			`"rel": "http://openid.net/specs/connect/1.0/issuer",`
			`}`
			`],`
			`"subject": request.args["resource"],`
			`}`
			`)`