openid-configuration

2020-02-25 02:32:35 +01:00 · 2020-02-25 02:32:35 +01:00 · d8d07b7dbd
parent 14ee96ea4a
commit d8d07b7dbd
3 changed files with 38 additions and 12 deletions
--- a/website/config.py
+++ b/website/config.py
@ -0,0 +1,26 @@
+def read_private_key_file(path):
+    with open(path) as f:
+        return f.read()
+
+ISSUER_URL = 'https://arkhack.org'
+JWT_CONFIG = {
+    'key': read_private_key_file('private.pem'),
+    'alg': 'RS512',
+    'iss': ISSUER_URL,
+    'exp': 3600
+}
+
+SCOPES_SUPPORTED = [
+    "profile:read",
+    "profile:write",
+    "password:write",
+    "users:read",
+    "openid",
+]
+
+RESPONSE_TYPES_SUPPORTED = [
+    "code",
+    "code id_token",
+    "id_token",
+    "token id_token",
+]
--- a/website/models.py
+++ b/website/models.py
@ -1,6 +1,7 @@
 from datetime import datetime

 from flask_sqlalchemy import SQLAlchemy
+from .config import SCOPES_SUPPORTED


 db = SQLAlchemy()
@ -54,13 +55,7 @@ class Client(db.Model):
        return redirect_uri in self.redirect_uris

    def check_requested_scopes(self, scopes):
-        return {
-            "profile:read",
-            "profile:write",
-            "password:write",
-            "users:read",
-            "openid",
-        }.issuperset(scopes)
+        set(SCOPES_SUPPORTED).issuperset(scopes)

    def check_token_endpoint_auth_method(self, method):
        allowed = ['client_secret_post', 'client_secret_basic']
--- a/website/routes.py
+++ b/website/routes.py
@ -2,6 +2,7 @@ from authlib.oauth2 import OAuth2Error
 from flask import Blueprint, render_template, jsonify, request, flash, redirect, current_app
 from flask_login import login_required, current_user, login_user, logout_user

+from .config import SCOPES_SUPPORTED, RESPONSE_TYPES_SUPPORTED, ISSUER_URL
 from .forms import LoginForm
 from .ldap import LDAPUser, check_credentials
 from .oauth2 import authorization, require_oauth
@ -124,10 +125,14 @@ def oauth_token_revoke():

@bp.route("/.well-known/openid-configuration")
 def oidc_configuration():
-    issuer = current_app.config['ISSUER_URL']
    return jsonify({
-        "issuer": issuer,
-        "authorization_endpoint": issuer + "/oauth/authorize",
-        "token_endpoint": issuer + "/oauth/token",
-        "userinfo_endpoint": issuer + "/api/1/userinfo",
+        "issuer": ISSUER_URL,
+        "authorization_endpoint": f"{ISSUER_URL}/oauth/authorize",
+        "token_endpoint": f"{ISSUER_URL}/oauth/token",
+        "userinfo_endpoint": f"{ISSUER_URL}/api/1/userinfo",
+        "jwks_uri": f"{ISSUER_URL}/jwks.json",
+        "scopes_supported": SCOPES_SUPPORTED,  # recommended
+        "response_types_supported": RESPONSE_TYPES_SUPPORTED,
+        "subject_types_supported": ["pairwise"],
+        "id_token_signing_alg_values_supported": ["RS256", "none"],
    })