1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
|
from authlib.oauth2.rfc8414 import AuthorizationServerMetadata
from authlib.oauth2.rfc8414.models import validate_array_value
class OpenIDProviderMetadata(AuthorizationServerMetadata):
REGISTRY_KEYS = [
"issuer",
"authorization_endpoint",
"token_endpoint",
"jwks_uri",
"registration_endpoint",
"scopes_supported",
"response_types_supported",
"response_modes_supported",
"grant_types_supported",
"token_endpoint_auth_methods_supported",
"service_documentation",
"ui_locales_supported",
"op_policy_uri",
"op_tos_uri",
# added by OpenID
"token_endpoint_auth_signing_alg_values_supported",
"acr_values_supported",
"subject_types_supported",
"id_token_signing_alg_values_supported",
"id_token_encryption_alg_values_supported",
"id_token_encryption_enc_values_supported",
"userinfo_signing_alg_values_supported",
"userinfo_encryption_alg_values_supported",
"userinfo_encryption_enc_values_supported",
"request_object_signing_alg_values_supported",
"request_object_encryption_alg_values_supported",
"request_object_encryption_enc_values_supported",
"display_values_supported",
"claim_types_supported",
"claims_supported",
"claims_locales_supported",
"claims_parameter_supported",
"request_parameter_supported",
"request_uri_parameter_supported",
"require_request_uri_registration",
# not defined by OpenID
# 'revocation_endpoint',
# 'revocation_endpoint_auth_methods_supported',
# 'revocation_endpoint_auth_signing_alg_values_supported',
# 'introspection_endpoint',
# 'introspection_endpoint_auth_methods_supported',
# 'introspection_endpoint_auth_signing_alg_values_supported',
# 'code_challenge_methods_supported',
]
def validate_jwks_uri(self):
# REQUIRED in OpenID Connect
jwks_uri = self.get("jwks_uri")
if jwks_uri is None:
raise ValueError('"jwks_uri" is required')
return super().validate_jwks_uri()
def validate_acr_values_supported(self):
"""OPTIONAL. JSON array containing a list of the Authentication
Context Class References that this OP supports.
"""
validate_array_value(self, "acr_values_supported")
def validate_subject_types_supported(self):
"""REQUIRED. JSON array containing a list of the Subject Identifier
types that this OP supports. Valid types include pairwise and public.
"""
# 1. REQUIRED
values = self.get("subject_types_supported")
if values is None:
raise ValueError('"subject_types_supported" is required')
# 2. JSON array
if not isinstance(values, list):
raise ValueError('"subject_types_supported" MUST be JSON array')
# 3. Valid types include pairwise and public
valid_types = {"pairwise", "public"}
if not valid_types.issuperset(set(values)):
raise ValueError('"subject_types_supported" contains invalid values')
def validate_id_token_signing_alg_values_supported(self):
"""REQUIRED. JSON array containing a list of the JWS signing
algorithms (alg values) supported by the OP for the ID Token to
encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be
included. The value none MAY be supported, but MUST NOT be used
unless the Response Type used returns no ID Token from the
Authorization Endpoint (such as when using the Authorization
Code Flow).
"""
# 1. REQUIRED
values = self.get("id_token_signing_alg_values_supported")
if values is None:
raise ValueError('"id_token_signing_alg_values_supported" is required')
# 2. JSON array
if not isinstance(values, list):
raise ValueError(
'"id_token_signing_alg_values_supported" MUST be JSON array'
)
# 3. The algorithm RS256 MUST be included
if "RS256" not in values:
raise ValueError(
'"RS256" MUST be included in "id_token_signing_alg_values_supported"'
)
def validate_id_token_encryption_alg_values_supported(self):
"""OPTIONAL. JSON array containing a list of the JWE encryption
algorithms (alg values) supported by the OP for the ID Token to
encode the Claims in a JWT.
"""
validate_array_value(self, "id_token_encryption_alg_values_supported")
def validate_id_token_encryption_enc_values_supported(self):
"""OPTIONAL. JSON array containing a list of the JWE encryption
algorithms (enc values) supported by the OP for the ID Token to
encode the Claims in a JWT.
"""
validate_array_value(self, "id_token_encryption_enc_values_supported")
def validate_userinfo_signing_alg_values_supported(self):
"""OPTIONAL. JSON array containing a list of the JWS signing
algorithms (alg values) [JWA] supported by the UserInfo Endpoint
to encode the Claims in a JWT. The value none MAY be included.
"""
validate_array_value(self, "userinfo_signing_alg_values_supported")
def validate_userinfo_encryption_alg_values_supported(self):
"""OPTIONAL. JSON array containing a list of the JWE encryption
algorithms (alg values) [JWA] supported by the UserInfo Endpoint
to encode the Claims in a JWT.
"""
validate_array_value(self, "userinfo_encryption_alg_values_supported")
def validate_userinfo_encryption_enc_values_supported(self):
"""OPTIONAL. JSON array containing a list of the JWE encryption
algorithms (enc values) [JWA] supported by the UserInfo Endpoint
to encode the Claims in a JWT.
"""
validate_array_value(self, "userinfo_encryption_enc_values_supported")
def validate_request_object_signing_alg_values_supported(self):
"""OPTIONAL. JSON array containing a list of the JWS signing
algorithms (alg values) supported by the OP for Request Objects,
which are described in Section 6.1 of OpenID Connect Core 1.0.
These algorithms are used both when the Request Object is passed
by value (using the request parameter) and when it is passed by
reference (using the request_uri parameter). Servers SHOULD support
none and RS256.
"""
values = self.get("request_object_signing_alg_values_supported")
if not values:
return
if not isinstance(values, list):
raise ValueError(
'"request_object_signing_alg_values_supported" MUST be JSON array'
)
def validate_request_object_encryption_alg_values_supported(self):
"""OPTIONAL. JSON array containing a list of the JWE encryption
algorithms (alg values) supported by the OP for Request Objects.
These algorithms are used both when the Request Object is passed
by value and when it is passed by reference.
"""
validate_array_value(self, "request_object_encryption_alg_values_supported")
def validate_request_object_encryption_enc_values_supported(self):
"""OPTIONAL. JSON array containing a list of the JWE encryption
algorithms (enc values) supported by the OP for Request Objects.
These algorithms are used both when the Request Object is passed
by value and when it is passed by reference.
"""
validate_array_value(self, "request_object_encryption_enc_values_supported")
def validate_display_values_supported(self):
"""OPTIONAL. JSON array containing a list of the display parameter
values that the OpenID Provider supports. These values are described
in Section 3.1.2.1 of OpenID Connect Core 1.0.
"""
values = self.get("display_values_supported")
if not values:
return
if not isinstance(values, list):
raise ValueError('"display_values_supported" MUST be JSON array')
valid_values = {"page", "popup", "touch", "wap"}
if not valid_values.issuperset(set(values)):
raise ValueError('"display_values_supported" contains invalid values')
def validate_claim_types_supported(self):
"""OPTIONAL. JSON array containing a list of the Claim Types that
the OpenID Provider supports. These Claim Types are described in
Section 5.6 of OpenID Connect Core 1.0. Values defined by this
specification are normal, aggregated, and distributed. If omitted,
the implementation supports only normal Claims.
"""
values = self.get("claim_types_supported")
if not values:
return
if not isinstance(values, list):
raise ValueError('"claim_types_supported" MUST be JSON array')
valid_values = {"normal", "aggregated", "distributed"}
if not valid_values.issuperset(set(values)):
raise ValueError('"claim_types_supported" contains invalid values')
def validate_claims_supported(self):
"""RECOMMENDED. JSON array containing a list of the Claim Names
of the Claims that the OpenID Provider MAY be able to supply values
for. Note that for privacy or other reasons, this might not be an
exhaustive list.
"""
validate_array_value(self, "claims_supported")
def validate_claims_locales_supported(self):
"""OPTIONAL. Languages and scripts supported for values in Claims
being returned, represented as a JSON array of BCP47 [RFC5646]
language tag values. Not all languages and scripts are necessarily
supported for all Claim values.
"""
validate_array_value(self, "claims_locales_supported")
def validate_claims_parameter_supported(self):
"""OPTIONAL. Boolean value specifying whether the OP supports use of
the claims parameter, with true indicating support. If omitted, the
default value is false.
"""
_validate_boolean_value(self, "claims_parameter_supported")
def validate_request_parameter_supported(self):
"""OPTIONAL. Boolean value specifying whether the OP supports use of
the request parameter, with true indicating support. If omitted, the
default value is false.
"""
_validate_boolean_value(self, "request_parameter_supported")
def validate_request_uri_parameter_supported(self):
"""OPTIONAL. Boolean value specifying whether the OP supports use of
the request_uri parameter, with true indicating support. If omitted,
the default value is true.
"""
_validate_boolean_value(self, "request_uri_parameter_supported")
def validate_require_request_uri_registration(self):
"""OPTIONAL. Boolean value specifying whether the OP requires any
request_uri values used to be pre-registered using the request_uris
registration parameter. Pre-registration is REQUIRED when the value
is true. If omitted, the default value is false.
"""
_validate_boolean_value(self, "require_request_uri_registration")
@property
def claim_types_supported(self):
# If omitted, the implementation supports only normal Claims
return self.get("claim_types_supported", ["normal"])
@property
def claims_parameter_supported(self):
# If omitted, the default value is false.
return self.get("claims_parameter_supported", False)
@property
def request_parameter_supported(self):
# If omitted, the default value is false.
return self.get("request_parameter_supported", False)
@property
def request_uri_parameter_supported(self):
# If omitted, the default value is true.
return self.get("request_uri_parameter_supported", True)
@property
def require_request_uri_registration(self):
# If omitted, the default value is false.
return self.get("require_request_uri_registration", False)
def _validate_boolean_value(metadata, key):
if key not in metadata:
return
if metadata[key] not in (True, False):
raise ValueError(f'"{key}" MUST be boolean')
|
