From d8d07b7dbdff7b7b2222c5cc778946a5a4663959 Mon Sep 17 00:00:00 2001
From: d42
Date: Tue, 25 Feb 2020 02:32:35 +0100
Subject: [PATCH] openid-configuration
---
 website/config.py | 26 ++++++++++++++++++++++++++
 website/models.py | 9 ++-------
 website/routes.py | 15 ++++++++++-----
 3 files changed, 38 insertions(+), 12 deletions(-)
 create mode 100644 website/config.py
diff --git a/website/config.py b/website/config.py
new file mode 100644
index 0000000..2784ec3
--- /dev/null
+++ b/website/config.py
@@ -0,0 +1,26 @@
+def read_private_key_file(path):
+ with open(path) as f:
+ return f.read()
+
+ISSUER_URL = 'https://arkhack.org'
+JWT_CONFIG = {
+ 'key': read_private_key_file('private.pem'),
+ 'alg': 'RS512',
+ 'iss': ISSUER_URL,
+ 'exp': 3600
+}
+
+SCOPES_SUPPORTED = [
+ "profile:read",
+ "profile:write",
+ "password:write",
+ "users:read",
+ "openid",
+]
+
+RESPONSE_TYPES_SUPPORTED = [
+ "code",
+ "code id_token",
+ "id_token",
+ "token id_token",
+]
diff --git a/website/models.py b/website/models.py
index fc49465..fc4d78b 100644
--- a/website/models.py
+++ b/website/models.py
@@ -1,6 +1,7 @@
 from datetime import datetime
 from flask_sqlalchemy import SQLAlchemy
+from .config import SCOPES_SUPPORTED
 db = SQLAlchemy()
@@ -54,13 +55,7 @@ class Client(db.Model):
 return redirect_uri in self.redirect_uris
 def check_requested_scopes(self, scopes):
- return {
- "profile:read",
- "profile:write",
- "password:write",
- "users:read",
- "openid",
- }.issuperset(scopes)
+ set(SCOPES_SUPPORTED).issuperset(scopes)
 def check_token_endpoint_auth_method(self, method):
 allowed = ['client_secret_post', 'client_secret_basic']
diff --git a/website/routes.py b/website/routes.py
index 6e6caa6..5ebc2a5 100644
--- a/website/routes.py
+++ b/website/routes.py
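Review bot: `JWT_CONFIG['key']` is loaded at import time from the CWD-relative path `'private.pem'`, so which signing key gets picked up depends on the directory the process is started from, and a missing or unreadable file becomes an import-time crash of the whole `website` package rather than a clear configuration error. Resolve the path against the package or an environment variable, e.g. `'key': read_private_key_file(os.path.join(os.path.dirname(__file__), 'private.pem'))` (with `import os`), and document the contract on the helper: `"""Return the PEM-encoded private signing key at *path*; read at import, so the file must exist before the app starts."""`. `RESPONSE_TYPES_SUPPORTED` advertises the implicit and hybrid flows (`id_token`, `token id_token`, `code id_token`) that return tokens from the authorization endpoint; this patch does not show the grant registrations in oauth2.py, so confirm each advertised response type is actually served, since clients will otherwise negotiate flows that fail.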
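Review bot: The replacement body of `check_requested_scopes` has no `return`, so `set(SCOPES_SUPPORTED).issuperset(scopes)` is computed and discarded and the method always returns None; any caller testing the result for truth will now reject every scope request, which fails closed but breaks all OAuth/OIDC authorizations that carry a scope. The added line should read `return set(SCOPES_SUPPORTED).issuperset(scopes)`. Since `SCOPES_SUPPORTED` is a module constant, the set could also be built once as a `frozenset` at module level instead of on every call, though that is minor. The enclosing `Client` class starts outside this hunk.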
@@ -2,6 +2,7 @@ from authlib.oauth2 import OAuth2Error
 from flask import Blueprint, render_template, jsonify, request, flash, redirect, current_app
 from flask_login import login_required, current_user, login_user, logout_user
+from .config import SCOPES_SUPPORTED, RESPONSE_TYPES_SUPPORTED, ISSUER_URL
 from .forms import LoginForm
 from .ldap import LDAPUser, check_credentials
 from .oauth2 import authorization, require_oauth
@@ -124,10 +125,14 @@ def oauth_token_revoke():
 @bp.route("/.well-known/openid-configuration")
 def oidc_configuration():
- issuer = current_app.config['ISSUER_URL']
 return jsonify({
- "issuer": issuer,
- "authorization_endpoint": issuer + "/oauth/authorize",
- "token_endpoint": issuer + "/oauth/token",
- "userinfo_endpoint": issuer + "/api/1/userinfo",
+ "issuer": ISSUER_URL,
+ "authorization_endpoint": f"{ISSUER_URL}/oauth/authorize",
+ "token_endpoint": f"{ISSUER_URL}/oauth/token",
+ "userinfo_endpoint": f"{ISSUER_URL}/api/1/userinfo",
+ "jwks_uri": f"{ISSUER_URL}/jwks.json",
+ "scopes_supported": SCOPES_SUPPORTED, # recommended
+ "response_types_supported": RESPONSE_TYPES_SUPPORTED,
+ "subject_types_supported": ["pairwise"],
+ "id_token_signing_alg_values_supported": ["RS256", "none"],
 })
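Review bot: `id_token_signing_alg_values_supported` advertises `["RS256", "none"]`, but `JWT_CONFIG` in config.py signs with `RS512`, so the discovery document lists algorithms this server does not use, omits the one it does, and by including `none` tells relying parties that unsigned ID tokens may be issued; OpenID Connect Discovery only permits `none` when the response type returns no ID token from the authorization endpoint, which the `id_token` and `token id_token` response types advertised here contradict. Change the line to `"id_token_signing_alg_values_supported": ["RS512"],` (or derive it from `JWT_CONFIG['alg']` so the two cannot drift). `jwks_uri` points at `/jwks.json`, yet this patch adds no such route; if it does not already exist elsewhere, relying parties have no way to fetch the verification key. Replacing `current_app.config['ISSUER_URL']` with the hard-coded module constant also means the issuer can no longer vary per deployment, and `issuer` must match exactly what clients observe or ID token validation fails.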