OIDCService

class gafaelfawr.services.oidc.OIDCService(*, config, authorization_store, token_service, slack_client=None, logger)

Bases: object

Minimalist OpenID Connect identity provider.

This provides just enough of the OpenID Connect protocol to satisfy Chronograf (and possibly some other applications). It is the underlying implementation of the /auth/openid routes.

Parameters:
  • config (OIDCServerConfig) – OpenID Connect server configuration.

  • authorization_store (OIDCAuthorizationStore) – The underlying storage for OpenID Connect authorizations.

  • token_service (TokenService) – Token manipulation service.

  • slack_client (Optional[SlackWebhookClient], default: None) – If provided, a Slack webhook client to use to report corruption of the underlying Redis store.

  • logger (BoundLogger) – Logger for diagnostics.

Notes

Expects the following flow:

  1. User is sent to /auth/openid/login for initial authentication.

  2. User is redirected back to the application with an authorization code.

  3. Application submits code to /auth/openid/token.

  4. Application receives an access token and an ID token (the same).

  5. Application gets user information from /auth/openid/userinfo.

The handler code is responsible for parsing the requests from the user. This object creates the authorization code (with its associated Redis entry) for step 2, and then returns the token for that code in step 4.

Methods Summary

delete_all_codes()

Invalidate all issued OpenID Connect codes.

get_jwks()

Return the key set for the OpenID Connect server.

get_openid_configuration()

Return the OpenID Connect configuration for the internal server.

is_valid_client(client_id)

Whether a client_id is a valid registered client.

issue_code(client_id, redirect_uri, token)

Issue a new authorization code.

issue_token(user_info, **claims)

Issue an OpenID Connect token.

redeem_code(*, grant_type, client_id, ...)

Redeem an authorization code.

verify_token(token)

Verify a token issued by the internal OpenID Connect server.

Methods Documentation

async delete_all_codes()

Invalidate all issued OpenID Connect codes.

Return type:

None

get_jwks()

Return the key set for the OpenID Connect server.

Return type:

JWKS

get_openid_configuration()

Return the OpenID Connect configuration for the internal server.

Return type:

OIDCConfig

is_valid_client(client_id)

Whether a client_id is a valid registered client.

Parameters:

client_id (str) – client_id parameter from the client.

Return type:

bool

async issue_code(client_id, redirect_uri, token)

Issue a new authorization code.

Parameters:
  • client_id (str) – The client ID with access to this authorization.

  • redirect_uri (str) – The intended return URI for this authorization.

  • token (Token) – The underlying authentication token.

Returns:

The code for a newly-created and stored authorization.

Return type:

OIDCAuthorizationCode

Raises:

UnauthorizedClientError – The provided client ID is not registered as an OpenID Connect client.

issue_token(user_info, **claims)

Issue an OpenID Connect token.

This creates a new OpenID Connect token with data taken from the internal Gafaelfawr token.

Parameters:
  • user_info (TokenUserInfo) – The token data on which to base the token.

  • **claims (str) – Additional claims to add to the token.

Returns:

The new token.

Return type:

OIDCVerifiedToken

async redeem_code(*, grant_type, client_id, client_secret, redirect_uri, code)

Redeem an authorization code.

None of the parameters may be None in practice, but None is accepted and rejected with an exception so that error handling can be unified.

Parameters:
  • grant_type (Optional[str]) – Type of token grant requested.

  • client_id (Optional[str]) – Client ID of the OpenID Connect client.

  • client_secret (Optional[str]) – Secret for that client. A secret of None will never be valid, but is accepted so that error handling can be unified.

  • redirect_uri (Optional[str]) – The return URI of the OpenID Connect client.

  • code (Optional[str]) – The OpenID Connect authorization code.

Returns:

A newly-issued JWT for this client.

Return type:

OIDCVerifiedToken

Raises:
  • InvalidClientError – Raised if the client ID is not known or the client secret does not match the client ID.

  • InvalidGrantError – Raised if the code is not valid, the client is not allowed to use it, or the underlying authorization or session does not exist.

  • InvalidRequestError – Raised if the token redemption request is syntactically invalid.

  • UnsupportedGrantTypeError – Raised if the requested grant type isn’t supported.
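
As an added, simplified model (not Gafaelfawr's own code), the flow described in the Notes above and the error cases redeem_code documents, carried out against an in-memory store: the client table, the store, the token strings and the ToyOIDCService and redeem_outcome names are constructed stand-ins, and the checks are ordered so that a wrong client secret is rejected before the single-use code is consumed.

```python
import hmac
import secrets
from dataclasses import dataclass
class UnauthorizedClientError(Exception): ...
class InvalidClientError(Exception): ...
class InvalidGrantError(Exception): ...
class InvalidRequestError(Exception): ...
class UnsupportedGrantTypeError(Exception): ...

@dataclass
class Authorization:
    client_id: str
    redirect_uri: str
    token: str  # stands in for the underlying Gafaelfawr Token

class ToyOIDCService:
    def __init__(self, clients: dict[str, str]) -> None:
        self._clients = clients  # constructed client_id -> client_secret table
        self._store: dict[str, Authorization] = {}  # stands in for the Redis store

    def is_valid_client(self, client_id: str) -> bool:
        return client_id in self._clients

    def issue_code(self, client_id: str, redirect_uri: str, token: str) -> str:
        if not self.is_valid_client(client_id):
            raise UnauthorizedClientError(client_id)
        code = secrets.token_urlsafe(32)  # unguessable; bound to client and redirect
        self._store[code] = Authorization(client_id, redirect_uri, token)
        return code

    def redeem_code(self, *, grant_type, client_id, client_secret, redirect_uri, code):
        if None in (grant_type, client_id, client_secret, redirect_uri, code):
            raise InvalidRequestError("missing parameter")
        if grant_type != "authorization_code":
            raise UnsupportedGrantTypeError(grant_type)
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
            raise InvalidClientError(client_id)
        auth = self._store.pop(code, None)  # single use, even if a later check fails
        if auth is None or auth.client_id != client_id or auth.redirect_uri != redirect_uri:
            raise InvalidGrantError("code unknown, already used, or not issued to this client")
        return f"jwt-for:{auth.token}"  # stands in for a real OIDCVerifiedToken

def redeem_outcome(svc: ToyOIDCService, **kwargs):
    """Return the issued token, or the class of the error redeem_code raised."""
    try:
        return svc.redeem_code(**kwargs)
    except (InvalidClientError, InvalidGrantError, InvalidRequestError, UnsupportedGrantTypeError) as exc:
        return type(exc)
```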

verify_token(token)

Verify a token issued by the internal OpenID Connect server.

Parameters:

token (OIDCToken) – An encoded token.

Returns:

The verified token.

Return type:

OIDCVerifiedToken

Raises:

InvalidTokenError – The issuer of this token is unknown and therefore the token cannot be verified.