Serve server metadata files

2020-08-27 16:08:26 +02:00 · 2020-08-27 16:08:26 +02:00 · c3f1bdce78
commit c3f1bdce78
parent f587eb4093
10 changed files with 112 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -14,3 +14,5 @@ htmlcov
 build
 dist
 python-ldap-test*
+conf/oauth-authorization-server.json
+conf/openid-configuration.json
--- a/README.md
+++ b/README.md
@ -3,10 +3,10 @@
 oidc-ldap-bridge is a simple OpenID Connect provider based upon OpenLDAP.

 It aims to be very light, simple to install and simple to maintain. Its main features are :
- OAuth/OpenID Connect support.
- Authentication against a LDAP directory.
- No additional database required. Everything is stored in your OpenLDAP server.
- The code is easy to read and easy to edit in case you want to write a patch
+- OAuth/OpenID Connect support;
+- Authentication against a LDAP directory;
+- No additional database required. Everything is stored in your OpenLDAP server;
+- The code is easy to read and easy to edit in case you want to write a patch.

 ## Install

@ -36,6 +36,8 @@ To run the tests, you just need to run `tox`.
 To try a development environment, you can run the docker image and then open https://127.0.0.1:5000

 ```bash
-cp config.sample.toml config.toml
+cp conf/config.sample.toml conf/config.toml
+cp conf/oauth-authorization-server.sample.json conf/oauth-authorization-server
+cp conf/openid-configuration.sample.json conf/openid-configuration
 docker-compose up
 ```
--- a/TODO.md
+++ b/TODO.md
@ -4,3 +4,4 @@
 - Limit login attempts by time interval
 - Cleanup LDAP connections
 - Test with wrong inputs
+- Manage several redirect uris when adding a client
--- a/conf/config.sample.toml
+++ b/conf/config.sample.toml
@ -6,8 +6,8 @@ NAME = "MyDomain"
 LANGUAGE = "en"

 # Path to the RFC8414 metadata file
-OAUTH2_METADATA_FILE = "conf/oauth-authorization-server"
-OIDC_METADATA_FILE = "conf/openid_configuration"
+OAUTH2_METADATA_FILE = "conf/oauth-authorization-server.json"
+OIDC_METADATA_FILE = "conf/openid-configuration.json"

 [LDAP]
 URI = "ldap://ldap"
--- a/conf/oauth-authorization-server.sample.json
+++ b/conf/oauth-authorization-server.sample.json
--- a/conf/openid-configuration.sample.json
+++ b/conf/openid-configuration.sample.json
@ -0,0 +1,64 @@
+{
+  "issuer":
+    "https://mydomain.tld",
+  "authorization_endpoint":
+    "https://mydomain.tld/oauth/authorize",
+  "token_endpoint":
+    "https://mydomain.tld/oauth/token",
+  "token_endpoint_auth_methods_supported":
+    ["client_secret_basic", "private_key_jwt",
+    "client_secret_post", "none"],
+  "token_endpoint_auth_signing_alg_values_supported":
+    ["RS256", "ES256"],
+  "userinfo_endpoint":
+    "https://mydomain.tld/oauth/userinfo",
+  "check_session_iframe":
+    "https://mydomain.tld/oauth/check_session",
+  "end_session_endpoint":
+    "https://mydomain.tld/oauth/end_session",
+  "jwks_uri":
+    "https://mydomain.tld/oauth/jwks.json",
+  "registration_endpoint":
+    "https://mydomain.tld/oauth/register",
+  "scopes_supported":
+    ["openid", "profile", "email", "address",
+    "phone"],
+  "response_types_supported":
+    ["code", "token", "id_token", "code token",
+     "code id_token", "token id_token"],
+  "acr_values_supported":
+    ["urn:mace:incommon:iap:silver",
+     "urn:mace:incommon:iap:bronze"],
+  "subject_types_supported":
+    ["public", "pairwise"],
+  "userinfo_signing_alg_values_supported":
+    ["RS256", "ES256", "HS256"],
+  "userinfo_encryption_alg_values_supported":
+    ["RSA1_5", "A128KW"],
+  "userinfo_encryption_enc_values_supported":
+    ["A128CBC-HS256", "A128GCM"],
+  "id_token_signing_alg_values_supported":
+    ["RS256", "ES256", "HS256"],
+  "id_token_encryption_alg_values_supported":
+    ["RSA1_5", "A128KW"],
+  "id_token_encryption_enc_values_supported":
+    ["A128CBC-HS256", "A128GCM"],
+  "request_object_signing_alg_values_supported":
+    ["none", "RS256", "ES256"],
+  "display_values_supported":
+    ["page", "popup"],
+  "claim_types_supported":
+    ["normal", "distributed"],
+  "claims_supported":
+    ["sub", "iss", "auth_time", "acr",
+     "name", "given_name", "family_name", "nickname",
+     "profile", "picture", "website",
+     "email", "email_verified", "locale", "zoneinfo",
+     "https://mydomain.tld/claims/groups"],
+  "claims_parameter_supported":
+    true,
+  "service_documentation":
+    "http://mydomain.tld/oauth/service_documentation.html",
+  "ui_locales_supported":
+    ["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
+}
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -81,6 +81,9 @@ def app(slapd_server):
    app = create_app(
        {
            "SECRET_KEY": gen_salt(24),
+            "OAUTH2_METADATA_FILE": "conf/oauth-authorization-server.sample.json",
+            "OIDC_METADATA_FILE": "conf/openid-configuration.sample.json",
+
            "LDAP": {
                "ROOT_DN": slapd_server.suffix,
                "URI": slapd_server.ldap_uri,
--- a/tests/test_well_known.py
+++ b/tests/test_well_known.py
@ -0,0 +1,8 @@
+def test_oauth_authorization_server(testclient):
+    res = testclient.get("/.well-known/oauth-authorization-server", status=200).json
+    assert "https://mydomain.tld" == res["issuer"]
+
+
+def test_openid_configuration(testclient):
+    res = testclient.get("/.well-known/openid-configuration", status=200).json
+    assert "https://mydomain.tld" == res["issuer"]
--- a/web/init.py
+++ b/web/init.py
@ -4,12 +4,13 @@ import toml
 from flask import Flask, g, request, render_template
 from flask_babel import Babel

-import web.tokens
 import web.admin.tokens
 import web.admin.authorizations
 import web.admin.clients
-import web.routes
 import web.oauth
+import web.routes
+import web.tokens
+import web.well_known
 from .flaskutils import current_user
 from .ldaputils import LDAPObjectHelper
 from .oauth2utils import config_oauth
@ -31,7 +32,10 @@ def create_app(config=None):
    elif os.path.exists("conf/config.toml"):
        app.config.from_mapping(toml.load("conf/config.toml"))
    else:
-        raise Exception("No configuration file found.")
+        raise Exception(
+            "No configuration file found. "
+            "Either create conf/config.toml or set the 'CONFIG' variable environment."
+        )

    setup_app(app)
    return app
@ -44,6 +48,7 @@ def setup_app(app):
    app.register_blueprint(web.routes.bp)
    app.register_blueprint(web.oauth.bp, url_prefix="/oauth")
    app.register_blueprint(web.tokens.bp, url_prefix="/token")
+    app.register_blueprint(web.well_known.bp, url_prefix="/.well-known")
    app.register_blueprint(web.admin.tokens.bp, url_prefix="/admin/token")
    app.register_blueprint(
        web.admin.authorizations.bp, url_prefix="/admin/authorization"
--- a/web/well_known.py
+++ b/web/well_known.py
@ -0,0 +1,17 @@
+import json
+from flask import Blueprint, jsonify, current_app
+
+
+bp = Blueprint(__name__, "home")
+
+
+@bp.route("/oauth-authorization-server")
+def oauth_authorization_server():
+    with open(current_app.config["OAUTH2_METADATA_FILE"]) as fd:
+        return jsonify(json.load(fd))
+
+
+@bp.route("/openid-configuration")
+def openid_configuration():
+    with open(current_app.config["OIDC_METADATA_FILE"]) as fd:
+        return jsonify(json.load(fd))