Support stateless code flow

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>

Author: Ali Haider

example/plugins/frontends/openid_connect_frontend.yaml.example

@@ -3,9 +3,35 @@ name: OIDC
 config:
   signing_key_path: frontend.key
   signing_key_id: frontend.key1
-  db_uri: mongodb://db.example.com # optional: only support MongoDB, will default to in-memory storage if not specified
+
+  # Defines the database connection URI for the databases:
+  # - authz_code_db
+  # - access_token_db
+  # - refresh_token_db
+  # - sub_db
+  # - user_db
+  #
+  # supported storage backends:
+  # - In-memory dictionary
+  # - MongoDB (e.g. mongodb://db.example.com)
+  # - Redis (e.g. redis://example/0)
+  # - Stateless (eg. stateless://user:encryptionkey?alg=aes256)
+  #
+  # This configuration is optional.
+  # By default, the in-memory storage is used.
+  db_uri: mongodb://db.example.com
+
+  # Where to store clients.
+  #
+  # If client_db_uri is set, the database connection is used.
+  # Otherwise, if client_db_path is set, the JSON file is used.
+  # By default, an in-memory dictionary is used.
+  client_db_uri: mongodb://db.example.com
   client_db_path: /path/to/your/cdb.json
-  sub_hash_salt: randomSALTvalue # if not specified, it is randomly generated on every startup
+
+  # if not specified, it is randomly generated on every startup
+  sub_hash_salt: randomSALTvalue
+
   provider:
     client_registration_supported: Yes
     response_types_supported: ["code", "id_token token"]

src/satosa/frontends/openid_connect.py

@@ -1,20 +1,32 @@
 """
 A OpenID Connect frontend module for the satosa proxy
 """
+
 import json
 import logging
 from collections import defaultdict
 from urllib.parse import urlencode, urlparse
 
 from jwkest.jwk import rsa_load, RSAKey
+
 from oic.oic import scope2claims
-from oic.oic.message import (AuthorizationRequest, AuthorizationErrorResponse, TokenErrorResponse,
-                             UserInfoErrorResponse)
-from oic.oic.provider import RegistrationEndpoint, AuthorizationEndpoint, TokenEndpoint, UserinfoEndpoint
+from oic.oic.message import AuthorizationRequest
+from oic.oic.message import AuthorizationErrorResponse
+from oic.oic.message import TokenErrorResponse
+from oic.oic.message import UserInfoErrorResponse
+from oic.oic.provider import RegistrationEndpoint
+from oic.oic.provider import AuthorizationEndpoint
+from oic.oic.provider import TokenEndpoint
+from oic.oic.provider import UserinfoEndpoint
+
 from pyop.access_token import AccessToken
 from pyop.authz_state import AuthorizationState
-from pyop.exceptions import (InvalidAuthenticationRequest, InvalidClientRegistrationRequest,
-                             InvalidClientAuthentication, OAuthError, BearerTokenError, InvalidAccessToken)
+from pyop.exceptions import InvalidAuthenticationRequest
+from pyop.exceptions import InvalidClientRegistrationRequest
+from pyop.exceptions import InvalidClientAuthentication
+from pyop.exceptions import OAuthError
+from pyop.exceptions import BearerTokenError
+from pyop.exceptions import InvalidAccessToken
 from pyop.provider import Provider
 from pyop.storage import StorageBase
 from pyop.subject_identifier import HashBasedSubjectIdentifierFactory
@@ -57,7 +69,7 @@ def __init__(self, auth_req_callback_func, internal_attributes, conf, base_url,
         db_uri = self.config.get("db_uri")
         self.user_db = (
             StorageBase.from_uri(db_uri, db_name="satosa", collection="authz_codes")
-            if db_uri
+            if db_uri and not StorageBase.type(db_uri) == "stateless"
             else {}
         )
 
@@ -108,7 +120,9 @@ def handle_authn_response(self, context, internal_resp):
         claims = self.converter.from_internal("openid", internal_resp.attributes)
         # Filter unset claims
         claims = {k: v for k, v in claims.items() if v}
-        self.user_db[internal_resp.subject_id] = dict(combine_claim_values(claims.items()))
+        self.user_db[internal_resp.subject_id] = dict(
+            combine_claim_values(claims.items())
+        )
         auth_resp = self.provider.authorize(
             auth_req,
             internal_resp.subject_id,

tests/flows/test_oidc-saml.py

@@ -1,4 +1,6 @@
+import os
 import json
+import base64
 from urllib.parse import urlparse, urlencode, parse_qsl
 
 import pytest
@@ -20,8 +22,27 @@
 
 
 CLIENT_ID = "client1"
+CLIENT_SECRET = "secret"
+CLIENT_REDIRECT_URI = "https://client.example.com/cb"
 REDIRECT_URI = "https://client.example.com/cb"
 
+@pytest.fixture(scope="session")
+def client_db_path(tmpdir_factory):
+    tmpdir = str(tmpdir_factory.getbasetemp())
+    path = os.path.join(tmpdir, "cdb.json")
+    cdb_json = {
+        CLIENT_ID: {
+            "response_types": ["id_token", "code"],
+            "redirect_uris": [
+                CLIENT_REDIRECT_URI
+            ],
+            "client_secret": CLIENT_SECRET
+        }
+    }
+    with open(path, "w") as f:
+        f.write(json.dumps(cdb_json))
+
+    return path
 
 @pytest.fixture
 def oidc_frontend_config(signing_key_path, mongodb_instance):
@@ -47,6 +68,25 @@ def oidc_frontend_config(signing_key_path, mongodb_instance):
     return data
 
 
+@pytest.fixture
+def oidc_stateless_frontend_config(signing_key_path, client_db_path):
+    data = {
+        "module": "satosa.frontends.openid_connect.OpenIDConnectFrontend",
+        "name": "OIDCFrontend",
+        "config": {
+            "issuer": "https://proxy-op.example.com",
+            "signing_key_path": signing_key_path,
+            "client_db_path": client_db_path,
+            "db_uri": "stateless://user:abc123@localhost",
+            "provider": {
+                "response_types_supported": ["id_token", "code"]
+            }
+        }
+    }
+
+    return data
+
+
 class TestOIDCToSAML:
     def test_full_flow(self, satosa_config_dict, oidc_frontend_config, saml_backend_config, idp_conf):
         subject_id = "testuser1"
@@ -105,3 +145,134 @@ def test_full_flow(self, satosa_config_dict, oidc_frontend_config, saml_backend_
             (name, values) in id_token_claims.items()
             for name, values in OIDC_USERS[subject_id].items()
         )
+
+    def test_full_stateless_id_token_flow(self, satosa_config_dict, oidc_stateless_frontend_config, saml_backend_config, idp_conf):
+        subject_id = "testuser1"
+
+        # proxy config
+        satosa_config_dict["FRONTEND_MODULES"] = [oidc_stateless_frontend_config]
+        satosa_config_dict["BACKEND_MODULES"] = [saml_backend_config]
+        satosa_config_dict["INTERNAL_ATTRIBUTES"]["attributes"] = {attr_name: {"openid": [attr_name],
+                                                                               "saml": [attr_name]}
+                                                                   for attr_name in USERS[subject_id]}
+        _, backend_metadata = create_entity_descriptors(SATOSAConfig(satosa_config_dict))
+
+        # application
+        test_client = Client(make_app(SATOSAConfig(satosa_config_dict)), Response)
+
+        # get frontend OP config info
+        provider_config = json.loads(test_client.get("/.well-known/openid-configuration").data.decode("utf-8"))
+
+        # create auth req
+        claims_request = ClaimsRequest(id_token=Claims(**{k: None for k in USERS[subject_id]}))
+        req_args = {"scope": "openid", "response_type": "id_token", "client_id": CLIENT_ID,
+                    "redirect_uri": REDIRECT_URI, "nonce": "nonce",
+                    "claims": claims_request.to_json()}
+        auth_req = urlparse(provider_config["authorization_endpoint"]).path + "?" + urlencode(req_args)
+
+        # make auth req to proxy
+        proxied_auth_req = test_client.get(auth_req)
+        assert proxied_auth_req.status == "303 See Other"
+
+        # config test IdP
+        backend_metadata_str = str(backend_metadata[saml_backend_config["name"]][0])
+        idp_conf["metadata"]["inline"].append(backend_metadata_str)
+        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf))
+
+        # create auth resp
+        req_params = dict(parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query))
+        url, authn_resp = fakeidp.handle_auth_req(
+            req_params["SAMLRequest"],
+            req_params["RelayState"],
+            BINDING_HTTP_REDIRECT,
+            subject_id,
+            response_binding=BINDING_HTTP_REDIRECT)
+
+        # make auth resp to proxy
+        authn_resp_req = urlparse(url).path + "?" + urlencode(authn_resp)
+        authn_resp = test_client.get(authn_resp_req)
+        assert authn_resp.status == "303 See Other"
+
+        # verify auth resp from proxy
+        resp_dict = dict(parse_qsl(urlparse(authn_resp.data.decode("utf-8")).fragment))
+        signing_key = RSAKey(key=rsa_load(oidc_stateless_frontend_config["config"]["signing_key_path"]),
+                             use="sig", alg="RS256")
+        id_token_claims = JWS().verify_compact(resp_dict["id_token"], keys=[signing_key])
+
+        assert all(
+            (name, values) in id_token_claims.items()
+            for name, values in OIDC_USERS[subject_id].items()
+        )
+
+    def test_full_stateless_code_flow(self, satosa_config_dict, oidc_stateless_frontend_config, saml_backend_config, idp_conf):
+        subject_id = "testuser1"
+
+        # proxy config
+        satosa_config_dict["FRONTEND_MODULES"] = [oidc_stateless_frontend_config]
+        satosa_config_dict["BACKEND_MODULES"] = [saml_backend_config]
+        satosa_config_dict["INTERNAL_ATTRIBUTES"]["attributes"] = {attr_name: {"openid": [attr_name],
+                                                                               "saml": [attr_name]}
+                                                                   for attr_name in USERS[subject_id]}
+        _, backend_metadata = create_entity_descriptors(SATOSAConfig(satosa_config_dict))
+
+        # application
+        test_client = Client(make_app(SATOSAConfig(satosa_config_dict)), Response)
+
+        # get frontend OP config info
+        provider_config = json.loads(test_client.get("/.well-known/openid-configuration").data.decode("utf-8"))
+
+        # create auth req
+        claims_request = ClaimsRequest(id_token=Claims(**{k: None for k in USERS[subject_id]}))
+        req_args = {"scope": "openid", "response_type": "code", "client_id": CLIENT_ID,
+                    "redirect_uri": REDIRECT_URI, "nonce": "nonce",
+                    "claims": claims_request.to_json()}
+        auth_req = urlparse(provider_config["authorization_endpoint"]).path + "?" + urlencode(req_args)
+
+        # make auth req to proxy
+        proxied_auth_req = test_client.get(auth_req)
+        assert proxied_auth_req.status == "303 See Other"
+
+        # config test IdP
+        backend_metadata_str = str(backend_metadata[saml_backend_config["name"]][0])
+        idp_conf["metadata"]["inline"].append(backend_metadata_str)
+        fakeidp = FakeIdP(USERS, config=IdPConfig().load(idp_conf))
+
+        # create auth resp
+        req_params = dict(parse_qsl(urlparse(proxied_auth_req.data.decode("utf-8")).query))
+        url, authn_resp = fakeidp.handle_auth_req(
+            req_params["SAMLRequest"],
+            req_params["RelayState"],
+            BINDING_HTTP_REDIRECT,
+            subject_id,
+            response_binding=BINDING_HTTP_REDIRECT)
+
+        # make auth resp to proxy
+        authn_resp_req = urlparse(url).path + "?" + urlencode(authn_resp)
+        authn_resp = test_client.get(authn_resp_req)
+        assert authn_resp.status == "303 See Other"
+
+        resp_dict = dict(parse_qsl(urlparse(authn_resp.data.decode("utf-8")).query))
+        code = resp_dict["code"]
+        client_id_secret_str = CLIENT_ID + ":" + CLIENT_SECRET
+        auth_header = "Basic %s" % base64.b64encode(client_id_secret_str.encode()).decode()
+
+        authn_resp = test_client.post(provider_config["token_endpoint"],
+                                      data={
+                                          "code": code,
+                                          "grant_type": "authorization_code",
+                                          "redirect_uri": CLIENT_REDIRECT_URI
+                                      },
+                                      headers={'Authorization': auth_header})
+
+        assert authn_resp.status == "200 OK"
+
+        # verify auth resp from proxy
+        resp_dict = json.loads(authn_resp.data.decode("utf-8"))
+        signing_key = RSAKey(key=rsa_load(oidc_stateless_frontend_config["config"]["signing_key_path"]),
+                             use="sig", alg="RS256")
+        id_token_claims = JWS().verify_compact(resp_dict["id_token"], keys=[signing_key])
+
+        assert all(
+            (name, values) in id_token_claims.items()
+            for name, values in OIDC_USERS[subject_id].items()
+        )