From dd5d2adaa891e2741f12ca612eaf66590f2e6630 Mon Sep 17 00:00:00 2001 From: Andrea Ranaldi Date: Wed, 2 Oct 2024 20:07:23 +0200 Subject: [PATCH] new oidcop default config from SATOSA-oidcop repository (#163) --- .../plugins/frontends/oidcop_frontend.yaml | 447 ++++++++++-------- 1 file changed, 244 insertions(+), 203 deletions(-) diff --git a/example/plugins/frontends/oidcop_frontend.yaml b/example/plugins/frontends/oidcop_frontend.yaml index c47148ab..a351f62b 100644 --- a/example/plugins/frontends/oidcop_frontend.yaml +++ b/example/plugins/frontends/oidcop_frontend.yaml @@ -2,264 +2,305 @@ module: satosa_oidcop.idpy_oidcop.OidcOpFrontend name: OIDC config: - domain: &domain localhost - server_name: *domain - base_url: &base_url + domain: &domain localhost + server_name: *domain + base_url: &base_url - storage: - class: "satosa_oidcop.core.storage.mongo.Mongodb" - kwargs: - url: mongodb://satosa-mongo:27017/oidcop - connection_params: - username: !ENV MONGODB_USERNAME - password: !ENV MONGODB_PASSWORD - connectTimeoutMS: 5000 - socketTimeoutMS: 5000 - serverSelectionTimeoutMS: 5000 - db_name: oidcop - collections: - # type: collection name - session: session - client: client + storage: + class: "satosa_oidcop.core.storage.mongo.Mongodb" + kwargs: + url: mongodb://satosa-mongo:27017/oidcop + connection_params: + username: !ENV MONGODB_USERNAME + password: !ENV MONGODB_PASSWORD + connectTimeoutMS: 5000 + socketTimeoutMS: 5000 + serverSelectionTimeoutMS: 5000 + db_name: oidcop + collections: + # type: collection name + session: session + client: client - default_target_backend: spidSaml2 - salt_size: 8 + default_target_backend: spidSaml2 + salt_size: 8 - op: - server_info: - add_on: - pkce: - function: idpyoidc.server.oauth2.add_on.pkce.add_support - kwargs: - code_challenge_method: S256 S384 S512 - essential: false - authentication: - user: - acr: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword - class: satosa_oidcop.core.user_authn.SatosaAuthnMethod - authz: - class: idpyoidc.server.authz.AuthzHandling + op: + server_info: + add_on: + pkce: + function: idpyoidc.server.oauth2.add_on.pkce.add_support kwargs: - grant_config: - expires_in: 43200 - usage_rules: - access_token: {} - authorization_code: - max_usage: 1 - supports_minting: + code_challenge_method: S256 S384 S512 + essential: false + authentication: + user: + acr: urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword + class: satosa_oidcop.core.user_authn.SatosaAuthnMethod + authz: + class: idpyoidc.server.authz.AuthzHandling + kwargs: + grant_config: + expires_in: 43200 + usage_rules: + access_token: {} + authorization_code: + max_usage: 1 + supports_minting: - access_token - refresh_token - id_token - refresh_token: - supports_minting: + refresh_token: + supports_minting: - access_token - refresh_token - capabilities: - grant_types_supported: + capabilities: + grant_types_supported: - authorization_code - urn:ietf:params:oauth:grant-type:jwt-bearer - refresh_token - subject_types_supported: + subject_types_supported: - public - pairwise - scopes_supported: + scopes_supported: - openid - profile - offline_access - claims_supported: + claims_supported: - sub - given_name - birthdate - email - endpoint: - provider_info: - class: idpyoidc.server.oidc.provider_config.ProviderConfiguration - kwargs: - client_authn_method: null - path: .well-known/openid-configuration - authorization: - class: idpyoidc.server.oidc.authorization.Authorization - kwargs: - claims_parameter_supported: true - client_authn_method: null - request_object_encryption_alg_values_supported: &id001 + endpoint: + provider_info: + class: idpyoidc.server.oidc.provider_config.ProviderConfiguration + kwargs: + client_authn_method: null + path: .well-known/openid-configuration + authorization: + class: idpyoidc.server.oidc.authorization.Authorization + kwargs: + claims_parameter_supported: true + client_authn_method: null + request_object_encryption_alg_values_supported: &id001 - RSA-OAEP - RSA-OAEP-256 - request_parameter_supported: true - request_uri_parameter_supported: true - response_modes_supported: + request_parameter_supported: true + request_uri_parameter_supported: true + response_modes_supported: - query - fragment - form_post - response_types_supported: + response_types_supported: - code - path: OIDC/authorization - token: - class: idpyoidc.server.oidc.token.Token - kwargs: - client_authn_method: + path: OIDC/authorization + token: + class: idpyoidc.server.oidc.token.Token + kwargs: + client_authn_method: - client_secret_post - client_secret_basic - client_secret_jwt - private_key_jwt - path: OIDC/token - userinfo: - class: idpyoidc.server.oidc.userinfo.UserInfo - kwargs: - claim_types_supported: + path: OIDC/token + userinfo: + class: idpyoidc.server.oidc.userinfo.UserInfo + kwargs: + claim_types_supported: - normal - aggregated - distributed - userinfo_encryption_alg_values_supported: *id001 - userinfo_signing_alg_values_supported: &id002 + userinfo_encryption_alg_values_supported: *id001 + userinfo_signing_alg_values_supported: &id002 - RS256 - RS512 - ES256 - ES512 - path: OIDC/userinfo - introspection: - class: idpyoidc.server.oauth2.introspection.Introspection - kwargs: - client_authn_method: + path: OIDC/userinfo + introspection: + class: idpyoidc.server.oauth2.introspection.Introspection + kwargs: + client_authn_method: - client_secret_post - client_secret_basic - client_secret_jwt - private_key_jwt - release: + release: - username - path: OIDC/introspection - # uncomment this for dynamic client registration - #registration: - #class: idpyoidc.server.oidc.registration.Registration - #kwargs: - #client_authn_method: null - #client_id_generator: - #class: idpyoidc.server.oidc.registration.random_client_id - #kwargs: {} - #client_secret_expiration_time: 432000 - #path: OIDC/registration - registration_read: - class: idpyoidc.server.oidc.read_registration.RegistrationRead - kwargs: - client_authn_method: + path: OIDC/introspection + # uncomment this for dynamic client registration + #registration: + #class: idpyoidc.server.oidc.registration.Registration + #kwargs: + #client_authn_method: null + #client_id_generator: + #class: idpyoidc.server.oidc.registration.random_client_id + #kwargs: {} + #client_secret_expiration_time: 432000 + #path: OIDC/registration + registration_read: + class: idpyoidc.server.oidc.read_registration.RegistrationRead + kwargs: + client_authn_method: - bearer_header - path: OIDC/registration_read - # TODO - Logout in SATOSA haven't been implemented - #end_session: - #class: idpyoidc.server.oidc.session.Session - #kwargs: - #backchannel_logout_session_supported: true - #backchannel_logout_supported: true - #frontchannel_logout_session_supported: true - #frontchannel_logout_supported: true - #logout_verify_url: verify_logout - #post_logout_uri_path: post_logout - #signing_alg: ES256 - #path: OIDC/session - httpc_params: - verify: false - issuer: *base_url - keys: - key_defs: + path: OIDC/registration_read + # TODO - Logout in SATOSA haven't been implemented + #end_session: + #class: idpyoidc.server.oidc.session.Session + #kwargs: + #backchannel_logout_session_supported: true + #backchannel_logout_supported: true + #frontchannel_logout_session_supported: true + #frontchannel_logout_supported: true + #logout_verify_url: verify_logout + #post_logout_uri_path: post_logout + #signing_alg: ES256 + #path: OIDC/session + httpc_params: + verify: false + issuer: *base_url + keys: + key_defs: - type: RSA use: - - sig + - sig - crv: P-256 type: EC use: - - sig - private_path: data/oidc_op/private/jwks.json - public_path: data/static/jwks.json - read_only: false - uri_path: OIDC/jwks.json - login_hint2acrs: - class: idpyoidc.server.login_hint.LoginHint2Acrs - kwargs: - scheme_map: - email: + - sig + private_path: data/oidc_op/private/jwks.json + public_path: data/static/jwks.json + read_only: false + uri_path: OIDC/jwks.json + login_hint2acrs: + class: idpyoidc.server.login_hint.LoginHint2Acrs + kwargs: + scheme_map: + email: - urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword - session_params: - password: !ENV SATOSA_ENCRYPTION_KEY - salt: !ENV SATOSA_SALT - sub_func: - pairwise: - class: idpyoidc.server.session.manager.PairWiseID - kwargs: - salt: !ENV SATOSA_SALT - public: - class: idpyoidc.server.session.manager.PublicID - kwargs: - salt: !ENV SATOSA_SALT - template_dir: templates - token_handler_args: - code: + session_params: + encrypter: + class: cryptojwt.jwe.fernet.FernetEncrypter + kwargs: + password: !ENV SATOSA_ENCRYPTION_KEY + salt: !ENV SATOSA_SALT + keys: + key_defs: + - type: OCT + use: + - enc + kid: password + - type: OCT + use: + - enc + kid: salt + sub_func: + pairwise: + class: idpyoidc.server.session.manager.PairWiseID kwargs: - lifetime: 600 - id_token: - class: idpyoidc.server.token.id_token.IDToken + salt: !ENV SATOSA_SALT + public: + class: idpyoidc.server.session.manager.PublicID kwargs: - id_token_encryption_alg_values_supported: *id001 - id_token_encryption_enc_values_supported: + salt: !ENV SATOSA_SALT + template_dir: templates + token_handler_args: + code: + kwargs: + lifetime: 600 + crypt_conf: + kwargs: + password: !ENV SATOSA_ENCRYPTION_KEY + salt: !ENV SATOSA_SALT + keys: + key_defs: + - type: OCT + use: + - enc + kid: password + - type: OCT + use: + - enc + kid: salt + id_token: + class: idpyoidc.server.token.id_token.IDToken + kwargs: + id_token_encryption_alg_values_supported: *id001 + id_token_encryption_enc_values_supported: - A128CBC-HS256 - A192CBC-HS384 - A256CBC-HS512 - A128GCM - A192GCM - A256GCM - id_token_signing_alg_values_supported: *id002 - #jwks_file: data/oidc_op/private/token_jwks.json - # jwks_def: - # private_path: data/oidc_op/private/token_jwks.json - # read_only: False - # key_defs: - # - type: oct - # bytes: 24 - # use: - # - enc - # kid: code - # - type: oct - # bytes: 24 - # use: - # - enc - # kid: token - # - type: oct - # bytes: 24 - # use: - # - enc - # kid: refresh - refresh: - kwargs: - lifetime: 86400 - token: - class: idpyoidc.server.token.jwt_token.JWTToken - kwargs: - lifetime: 3600 - userinfo: - class: satosa_oidcop.core.user_info.SatosaOidcUserInfo - #kwargs: - #whatever: - #key: value - # until SATOSA won't support logout the oidcop cookies are quite useless - #cookie_handler: - #class: idpyoidc.server.cookie_handler.CookieHandler - #kwargs: - #flags: - #httponly: true - #samesite: None - #secure: true - #keys: - #key_defs: - #- kid: enc - #type: OCT - #use: - #- enc - #- kid: sig - #type: OCT - #use: - #- sig - #private_path: data/oidc_op/private/cookie_jwks.json - #read_only: false - #name: - #register: oidc_op_rp - #session: oidc_op - #session_management: sman + id_token_signing_alg_values_supported: *id002 + #jwks_file: data/oidc_op/private/token_jwks.json + # jwks_def: + # private_path: data/oidc_op/private/token_jwks.json + # read_only: False + # key_defs: + # - type: oct + # bytes: 24 + # use: + # - enc + # kid: code + # - type: oct + # bytes: 24 + # use: + # - enc + # kid: token + # - type: oct + # bytes: 24 + # use: + # - enc + # kid: refresh + refresh: + kwargs: + lifetime: 86400 + crypt_conf: + kwargs: + password: !ENV SATOSA_ENCRYPTION_KEY + salt: !ENV SATOSA_SALT + keys: + key_defs: + - type: OCT + use: + - enc + kid: password + - type: OCT + use: + - enc + kid: salt + token: + class: idpyoidc.server.token.jwt_token.JWTToken + kwargs: + lifetime: 3600 + userinfo: + class: satosa_oidcop.core.user_info.SatosaOidcUserInfo + #kwargs: + #whatever: + #key: value + # until SATOSA won't support logout the oidcop cookies are quite useless + #cookie_handler: + #class: idpyoidc.server.cookie_handler.CookieHandler + #kwargs: + #flags: + #httponly: true + #samesite: None + #secure: true + #keys: + #key_defs: + #- kid: enc + #type: OCT + #use: + #- enc + #- kid: sig + #type: OCT + #use: + #- sig + #private_path: data/oidc_op/private/cookie_jwks.json + #read_only: false + #name: + #register: oidc_op_rp + #session: oidc_op + #session_management: sman