OIDCService#
- class gafaelfawr.services.oidc.OIDCService(*, config, authorization_store, token_service, slack_client=None, logger)#
Bases: object
Minimalist OpenID Connect identity provider.
This provides just enough of the OpenID Connect protocol to satisfy Chronograf (and possibly some other applications). It is the underlying implementation of the /auth/openid routes.
- Parameters:
config (OIDCServerConfig) – OpenID Connect server configuration.
authorization_store (OIDCAuthorizationStore) – The underlying storage for OpenID Connect authorizations.
token_service (TokenService) – Token manipulation service.
slack_client (Optional[SlackWebhookClient], default: None) – If provided, a Slack webhook client used to report corruption of the underlying Redis store.
logger (BoundLogger) – Logger for diagnostics.
Notes
Expects the following flow:
1. User is sent to /auth/openid/login for initial authentication.
2. User is redirected back to the application with an authorization code.
3. Application submits the code to /auth/openid/token.
4. Application receives an access token and an ID token (the same token serves as both).
5. Application gets user information from /auth/openid/userinfo.
The handler code is responsible for parsing the requests from the user. This object creates the authorization code (with its associated Redis entry) for step 2, and then returns the token for that code in step 4.
Methods Summary
- Invalidate all issued OpenID Connect codes.
- get_jwks() – Return the key set for the OpenID Connect server.
- get_openid_configuration() – Return the OpenID Connect configuration for the internal server.
- is_valid_client(client_id) – Whether a client_id is a valid registered client.
- issue_code(client_id, redirect_uri, token) – Issue a new authorization code.
- issue_token(user_info, **claims) – Issue an OpenID Connect token.
- redeem_code(*, grant_type, client_id, ...) – Redeem an authorization code.
- verify_token(token) – Verify a token issued by the internal OpenID Connect server.
Methods Documentation
- get_openid_configuration()#
Return the OpenID Connect configuration for the internal server.
- Return type:
- is_valid_client(client_id)#
Whether a client_id is a valid registered client.
- async issue_code(client_id, redirect_uri, token)#
Issue a new authorization code.
- Parameters:
- Returns:
The code for a newly-created and stored authorization.
- Return type:
- Raises:
UnauthorizedClientError – The provided client ID is not registered as an OpenID Connect client.
- issue_token(user_info, **claims)#
Issue an OpenID Connect token.
This creates a new OpenID Connect token with data taken from the internal Gafaelfawr token.
- Parameters:
user_info (TokenUserInfo) – The token data on which to base the token.
**claims (str) – Additional claims to add to the token.
- Returns:
The new token.
- Return type:
- async redeem_code(*, grant_type, client_id, client_secret, redirect_uri, code)#
Redeem an authorization code.
None of the parameters may be None in practice, but None is accepted and rejected with an exception so that error handling can be unified.
- Parameters:
client_id (Optional[str]) – Client ID of the OpenID Connect client.
client_secret (Optional[str]) – Secret for that client. A secret of None will never be valid, but is accepted so that error handling can be unified.
redirect_uri (Optional[str]) – The return URI of the OpenID Connect client.
code (Optional[str]) – The OpenID Connect authorization code.
- Returns:
A newly-issued JWT for this client.
- Return type:
- Raises:
InvalidClientError – Raised if the client ID is not known or the client secret does not match the client ID.
InvalidGrantError – Raised if the code is not valid, the client is not allowed to use it, or the underlying authorization or session does not exist.
InvalidRequestError – Raised if the token redemption request is syntactically invalid.
UnsupportedGrantTypeError – Raised if the requested grant type isn’t supported.
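The flow in the Notes above and the checks enumerated in the Raises list of redeem_code, as an added example that is not Gafaelfawr's own code: an in-memory model of issue_code and redeem_code. It assumes (hypothetically) that a dict of client_id to client_secret stands in for OIDCServerConfig, that a dict of code to authorization stands in for the Redis-backed OIDCAuthorizationStore, and that redemption returns the stored session token rather than a freshly issued JWT. The exception classes carry the names the page documents but are defined here.

```python
"""Added example (not Gafaelfawr's code): in-memory authorization-code grant."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


class InvalidClientError(Exception):
    """Client ID is unknown or the client secret does not match."""


class InvalidGrantError(Exception):
    """Code is invalid, belongs to another client, or its authorization is gone."""


class InvalidRequestError(Exception):
    """Redemption request is syntactically invalid (a required field is None)."""


class UnsupportedGrantTypeError(Exception):
    """Only the authorization_code grant type is supported."""


class UnauthorizedClientError(Exception):
    """Client ID is not registered as an OpenID Connect client."""


@dataclass
class StoredAuthorization:
    client_id: str
    redirect_uri: str
    token: str  # the session token the code was issued for


class MiniOIDCService:
    def __init__(self, clients: dict[str, str]) -> None:
        self._clients = clients  # client_id -> client_secret (constructed registry)
        self._store: dict[str, StoredAuthorization] = {}  # code -> authorization

    def is_valid_client(self, client_id: str) -> bool:
        return client_id in self._clients

    def issue_code(self, client_id: str, redirect_uri: str, token: str) -> str:
        # Only registered clients may receive a code.
        if not self.is_valid_client(client_id):
            raise UnauthorizedClientError(client_id)
        # Unguessable code; remember what it authorises so redemption can be checked.
        code = secrets.token_urlsafe(32)
        self._store[code] = StoredAuthorization(client_id, redirect_uri, token)
        return code

    def redeem_code(
        self,
        *,
        grant_type: Optional[str],
        client_id: Optional[str],
        client_secret: Optional[str],
        redirect_uri: Optional[str],
        code: Optional[str],
    ) -> str:
        # None is accepted for every field and rejected here, so the handler can
        # funnel every failure through one error path.
        if None in (grant_type, client_id, redirect_uri, code):
            raise InvalidRequestError("missing required parameter")
        if grant_type != "authorization_code":
            raise UnsupportedGrantTypeError(grant_type)
        # Authenticate the client before looking at the code. An unknown client or
        # a None/mismatched secret is InvalidClientError; compare in constant time.
        expected = self._clients.get(client_id)
        if (
            expected is None
            or client_secret is None
            or not hmac.compare_digest(expected.encode(), client_secret.encode())
        ):
            raise InvalidClientError(client_id)
        # Single use: the code is removed on first redemption, so a replayed code
        # fails with InvalidGrantError exactly like an unknown one.
        auth = self._store.pop(code, None)
        if (
            auth is None
            or auth.client_id != client_id
            or auth.redirect_uri != redirect_uri
        ):
            raise InvalidGrantError("code is not valid for this client")
        return auth.token
```

The ordering of the checks matters: the client is authenticated before the code is consulted, so an unauthenticated caller learns nothing about whether a code exists, and a failed redirect_uri check still consumes the code.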
- verify_token(token)#
Verify a token issued by the internal OpenID Connect server.
- Parameters:
token (OIDCToken) – An encoded token.
- Returns:
The verified token.
- Return type:
- Raises:
InvalidTokenError – The issuer of this token is unknown and therefore the token cannot be verified.
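The issue_token and verify_token pair, as an added example that is not Gafaelfawr's own code: a compact JWT is issued with a subject taken from user_info plus any extra claims, and verification selects the key by issuer, which is why an unknown issuer is the documented InvalidTokenError case. It assumes (hypothetically) HS256 with a per-issuer shared key rather than the RSA key set that get_jwks publishes, and a plain dict for user_info.

```python
"""Added example (not Gafaelfawr's code): HS256 JWT issue and verify with issuer lookup."""
import base64
import hashlib
import hmac
import json
import time


class InvalidTokenError(Exception):
    """The token cannot be verified (unknown issuer, bad signature, or expired)."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


class MiniTokenService:
    def __init__(self, issuer: str, key: bytes, lifetime: int = 3600) -> None:
        self._issuer = issuer
        self._lifetime = lifetime
        # Verification keys are looked up by issuer; any other issuer is unknown.
        self._keys: dict[str, bytes] = {issuer: key}

    def issue_token(self, user_info: dict, **claims: str) -> str:
        now = int(time.time())
        payload = {
            "iss": self._issuer,
            "sub": user_info["username"],
            "iat": now,
            "exp": now + self._lifetime,
        }
        payload.update(claims)  # additional claims, e.g. aud=client_id
        header = {"alg": "HS256", "typ": "JWT"}
        compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
        signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
        return signing_input + "." + _b64url(_sign(self._keys[self._issuer], signing_input))

    def verify_token(self, token: str) -> dict:
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(_unb64url(header_b64))
            payload = json.loads(_unb64url(payload_b64))
        except (ValueError, UnicodeDecodeError) as exc:
            raise InvalidTokenError("malformed token") from exc
        # The issuer selects the verification key, so a token from an unknown
        # issuer cannot be verified at all.
        iss = payload.get("iss")
        key = self._keys.get(iss) if isinstance(iss, str) else None
        if key is None:
            raise InvalidTokenError(f"unknown issuer {iss!r}")
        # Pin the algorithm instead of letting the header choose it.
        if header.get("alg") != "HS256":
            raise InvalidTokenError("unexpected algorithm")
        expected = _sign(key, header_b64 + "." + payload_b64)
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            raise InvalidTokenError("signature mismatch")
        if not isinstance(payload.get("exp"), int) or payload["exp"] <= time.time():
            raise InvalidTokenError("token expired")
        return payload
```

Because the key is chosen from the issuer claim before the signature is checked, a token minted by some other issuer, even with a valid signature under that issuer's key, is rejected as unverifiable rather than being accepted on the strength of its own signature.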