IdentityPython / oidc-op

An implementation of an OIDC Provider (OP)
Apache License 2.0

'RSAKey' object has no attribute 'key' #5

Closed peppelinux closed 5 years ago

peppelinux commented 5 years ago

Running an RP test instance as follows: JWTConnect-Python-OidcRP/chrp$ ./rp.py -t -k conf

its conf is

PORT = 8089

# If PORT and not default port
BASEURL = "https://localhost:{}".format(PORT)
# else
# BASEURL = "https://localhost"

# If BASE is https these has to be specified
SERVER_CERT = "certs/cert.pem"
SERVER_KEY = "certs/key.pem"
CA_BUNDLE = None

VERIFY_SSL = False

KEYDEFS = [
    {"type": "RSA", "key": '', "use": ["sig"]},
    {"type": "EC", "crv": "P-256", "use": ["sig"]}
]

PRIVATE_JWKS_PATH = "jwks_dir/jwks.json"
PUBLIC_JWKS_PATH = 'static/jwks.json'
# information used when registering the client, this may be the same for all OPs

SERVICES = ['ProviderInfoDiscovery', 'Registration', 'Authorization',
            'AccessToken', 'RefreshAccessToken', 'UserInfo']

SERVICES_DICT = {'accesstoken': {'class': 'oidcservice.oidc.access_token.AccessToken',
                                 'kwargs': {}},
                 'authorization': {'class': 'oidcservice.oidc.authorization.Authorization',
                                   'kwargs': {}},
                 'discovery': {'class': 'oidcservice.oidc.provider_info_discovery.ProviderInfoDiscovery',
                               'kwargs': {}},
                 'end_session': {'class': 'oidcservice.oidc.end_session.EndSession',
                                 'kwargs': {}},
                 'refresh_accesstoken': {'class': 'oidcservice.oidc.refresh_access_token.RefreshAccessToken',
                                         'kwargs': {}},
                 'registration': {'class': 'oidcservice.oidc.registration.Registration',
                                   'kwargs': {}},
                 'userinfo': {'class': 'oidcservice.oidc.userinfo.UserInfo', 'kwargs': {}}}

CLIENT_PREFS = {
    "application_type": "web",
    "application_name": "rphandler",
    "contacts": ["ops@example.com"],
    "response_types": ["code", "id_token", "id_token token", "code id_token",
                       "code id_token token", "code token"],
    "scope": ["openid", "profile", "email", "address", "phone"],
    "token_endpoint_auth_method": "client_secret_basic",
    'services': SERVICES_DICT
}

# The keys in this dictionary are the OPs short user friendly name
# not the issuer (iss) name.

CLIENTS = {
    # The ones that support webfinger, OP discovery and client registration
    # This is the default, any client that is not listed here is expected to
    # support dynamic discovery and registration.
    "": {
        "client_preferences": CLIENT_PREFS,
        "redirect_uris": None,
        "services": {
            'WebFinger': {},
            'ProviderInfoDiscovery': {},
            'Registration': {},
            'Authorization': {},
            'AccessToken': {},
            'RefreshAccessToken': {},
            'UserInfo': {}
        }
    },
    'flop': {
        'client_preferences': CLIENT_PREFS,
        'issuer': 'https://127.0.0.1:5000/',
        'redirect_uris': ['https://127.0.0.1:8090/authz_cb/flop'],
        'services': SERVICES_DICT
    }
}

# Whether an attempt to fetch the userinfo should be made
USERINFO = True

I get this exception (OidcRP):

2019-08-28 14:56:50,657 cherrypy.error:INFO [28/Aug/2019:14:56:50] ENGINE Bus STARTED
2019-08-28 14:56:54,752 cprp:INFO ent:127.0.0.1, vpath: ['rp']
2019-08-28 14:56:54,753 oidcrp:INFO client_setup: iss_id=flop, user=
2019-08-28 14:56:54,757 oidcrp.oauth2:DEBUG do_request info: {'method': 'GET', 'url': 'https://127.0.0.1:5000/.well-known/openid-configuration'}
2019-08-28 14:56:54,757 oidcrp.oauth2:DEBUG Doing request with: URL:https://127.0.0.1:5000/.well-known/openid-configuration, method:GET, data:None, https_args:{}
2019-08-28 14:56:54,760 urllib3.connectionpool:DEBUG Starting new HTTPS connection (1): 127.0.0.1:5000
2019-08-28 14:56:54,772 urllib3.connectionpool:DEBUG https://127.0.0.1:5000 "GET /.well-known/openid-configuration HTTP/1.1" 200 3478
2019-08-28 14:56:54,773 oidcrp.oauth2:DEBUG response_body_type: "json"
2019-08-28 14:56:54,773 oidcrp.util:DEBUG resp.headers: {'Date': 'Wed, 28 Aug 2019 12:56:54 GMT', 'Content-Length': '3478', 'Cache-Control': 'no-store', 'Server': 'Werkzeug/0.15.5 Python/3.5.2', 'Content-type': 'application/json', 'Pragma': 'no-cache'}
2019-08-28 14:56:54,774 oidcrp.util:DEBUG resp.txt: {"version": "3.0", "request_parameter_supported": true, "id_token_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "require_request_uri_registration": true, "frontchannel_logout_supported": true, "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt"], "end_session_endpoint": "https://127.0.0.1:5000/session", "request_object_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "subject_types_supported": ["public", "pairwise"], "claim_types_supported": ["normal", "aggregated", "distributed"], "response_types_supported": ["code id_token token", "id_token", "token", "code token", "id_token token", "none", "code id_token", "code"], "grant_types_supported": ["urn:ietf:params:oauth:grant-type:jwt-bearer", "authorization_code", "refresh_token", "implicit"], "claims_supported": ["birthdate", "preferred_username", "sub", "middle_name", "picture", "gender", "address", "zoneinfo", "locale", "nickname", "profile", "website", "family_name", "email_verified", "given_name", "updated_at", "email", "phone_number_verified", "phone_number", "name"], "token_endpoint_auth_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "claims_parameter_supported": true, "backchannel_logout_session_supported": true, "id_token_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "frontchannel_logout_session_supported": true, 
"backchannel_logout_supported": true, "authorization_endpoint": "https://127.0.0.1:5000/authorization", "check_session_iframe": "https://127.0.0.1:5000/check_session_iframe", "userinfo_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "registration_endpoint": "https://127.0.0.1:5000/registration", "response_modes_supported": ["form_post", "query", "fragment"], "scopes_supported": ["phone", "offline_access", "email", "openid", "address", "profile"], "jwks_uri": "https://127.0.0.1:5000/static/jwks.json", "userinfo_endpoint": "https://127.0.0.1:5000/userinfo", "request_uri_parameter_supported": true, "request_object_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "request_object_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "token_endpoint": "https://127.0.0.1:5000/token", "userinfo_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "acr_values_supported": ["oidcendpoint.user_authn.authn_context.INTERNETPROTOCOLPASSWORD", "oidcendpoint.user_authn.authn_context.UNSPECIFIED"], "userinfo_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "issuer": "https://127.0.0.1:5000"}
2019-08-28 14:56:54,774 oidcrp.oauth2:DEBUG Successful response: {"version": "3.0", "request_parameter_supported": true, "id_token_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "require_request_uri_registration": true, "frontchannel_logout_supported": true, "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt"], "end_session_endpoint": "https://127.0.0.1:5000/session", "request_object_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "subject_types_supported": ["public", "pairwise"], "claim_types_supported": ["normal", "aggregated", "distributed"], "response_types_supported": ["code id_token token", "id_token", "token", "code token", "id_token token", "none", "code id_token", "code"], "grant_types_supported": ["urn:ietf:params:oauth:grant-type:jwt-bearer", "authorization_code", "refresh_token", "implicit"], "claims_supported": ["birthdate", "preferred_username", "sub", "middle_name", "picture", "gender", "address", "zoneinfo", "locale", "nickname", "profile", "website", "family_name", "email_verified", "given_name", "updated_at", "email", "phone_number_verified", "phone_number", "name"], "token_endpoint_auth_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "claims_parameter_supported": true, "backchannel_logout_session_supported": true, "id_token_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "frontchannel_logout_session_supported": true, 
"backchannel_logout_supported": true, "authorization_endpoint": "https://127.0.0.1:5000/authorization", "check_session_iframe": "https://127.0.0.1:5000/check_session_iframe", "userinfo_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "registration_endpoint": "https://127.0.0.1:5000/registration", "response_modes_supported": ["form_post", "query", "fragment"], "scopes_supported": ["phone", "offline_access", "email", "openid", "address", "profile"], "jwks_uri": "https://127.0.0.1:5000/static/jwks.json", "userinfo_endpoint": "https://127.0.0.1:5000/userinfo", "request_uri_parameter_supported": true, "request_object_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "request_object_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "token_endpoint": "https://127.0.0.1:5000/token", "userinfo_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "acr_values_supported": ["oidcendpoint.user_authn.authn_context.INTERNETPROTOCOLPASSWORD", "oidcendpoint.user_authn.authn_context.UNSPECIFIED"], "userinfo_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "issuer": "https://127.0.0.1:5000"}
2019-08-28 14:56:54,774 oidcservice.service:DEBUG response format: json
2019-08-28 14:56:54,774 oidcservice.service:DEBUG response_cls: ProviderConfigurationResponse
2019-08-28 14:56:54,775 oidcservice.service:DEBUG Initial response parsing => "{'subject_types_supported': ['public', 'pairwise'], 'claim_types_supported': ['normal', 'aggregated', 'distributed'], 'acr_values_supported': ['oidcendpoint.user_authn.authn_context.INTERNETPROTOCOLPASSWORD', 'oidcendpoint.user_authn.authn_context.UNSPECIFIED'], 'backchannel_logout_session_supported': True, 'request_parameter_supported': True, 'check_session_iframe': 'https://127.0.0.1:5000/check_session_iframe', 'registration_endpoint': 'https://127.0.0.1:5000/registration', 'authorization_endpoint': 'https://127.0.0.1:5000/authorization', 'userinfo_encryption_enc_values_supported': ['A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A192GCM', 'A256GCM'], 'request_uri_parameter_supported': True, 'scopes_supported': ['phone', 'offline_access', 'email', 'openid', 'address', 'profile'], 'grant_types_supported': ['urn:ietf:params:oauth:grant-type:jwt-bearer', 'authorization_code', 'refresh_token', 'implicit'], 'response_types_supported': ['code id_token token', 'id_token', 'token', 'code token', 'id_token token', 'none', 'code id_token', 'code'], 'request_object_encryption_enc_values_supported': ['A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A192GCM', 'A256GCM'], 'frontchannel_logout_session_supported': True, 'backchannel_logout_supported': True, 'require_request_uri_registration': True, 'request_object_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512', 'none'], 'userinfo_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512', 'none'], 'token_endpoint_auth_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512'], 'id_token_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 
'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512', 'none'], 'end_session_endpoint': 'https://127.0.0.1:5000/session', 'id_token_encryption_alg_values_supported': ['RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256', 'A128KW', 'A192KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'], 'claims_supported': ['birthdate', 'preferred_username', 'sub', 'middle_name', 'picture', 'gender', 'address', 'zoneinfo', 'locale', 'nickname', 'profile', 'website', 'family_name', 'email_verified', 'given_name', 'updated_at', 'email', 'phone_number_verified', 'phone_number', 'name'], 'token_endpoint': 'https://127.0.0.1:5000/token', 'issuer': 'https://127.0.0.1:5000', 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic', 'client_secret_jwt', 'private_key_jwt'], 'claims_parameter_supported': True, 'version': '3.0', 'request_object_encryption_alg_values_supported': ['RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256', 'A128KW', 'A192KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'], 'jwks_uri': 'https://127.0.0.1:5000/static/jwks.json', 'frontchannel_logout_supported': True, 'userinfo_encryption_alg_values_supported': ['RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256', 'A128KW', 'A192KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'], 'response_modes_supported': ['form_post', 'query', 'fragment'], 'id_token_encryption_enc_values_supported': ['A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A192GCM', 'A256GCM'], 'userinfo_endpoint': 'https://127.0.0.1:5000/userinfo'}"
2019-08-28 14:56:54,775 oidcservice.service:DEBUG Verify response with {'iss': 'https://127.0.0.1:5000/', 'verify': True, 'client_id': '', 'keyjar': <KeyJar(issuers=[''])>}
2019-08-28 14:56:54,775 cryptojwt.key_jar:DEBUG Initiating key bundle for issuer: https://127.0.0.1:5000
2019-08-28 14:56:54,775 root:DEBUG KeyBundle fetch keys from: https://127.0.0.1:5000/static/jwks.json
2019-08-28 14:56:54,777 urllib3.connectionpool:DEBUG Starting new HTTPS connection (1): 127.0.0.1:5000
2019-08-28 14:56:54,792 urllib3.connectionpool:DEBUG https://127.0.0.1:5000 "GET /static/jwks.json HTTP/1.1" 200 691
2019-08-28 14:56:54,792 cryptojwt.key_bundle:DEBUG Loaded JWKS: {"keys": [{"kty": "RSA", "use": "sig", "kid": "TGhjUE8xYVRNc0E0UGl4NFBHNzZ2M1dJWXNkaU41TlY5Umxrdk9NT3JRYw", "e": "AQAB", "n": "6Ng0mZKOShKZEFwdJEAlPx-B1oTuH31ZDUvvinZnzkyoEeMfnK2_vxlrf-yHljDtiKBuqSa_wAUXVDKwc5krCUCYMnCPmORzqMkGyB2iqIgz62pQqlUx16ynM0XTTpoC2bgpto-KW3LurfCV6szEQ8nXorEfraXLaG-NkhZCohqC-fPtQyDZCvJCASbjSIATtqD0cXEVjYQyLoxh3WXw2hEWAUkfWSwEwh4saMOGxIWFn0Cs3X7_16yQpCa9Qn8kmgbNb-dndWHec5HyKUooetGkZqv8Pp90tstrza3e8JOtXoFfe0uT7ImuDDSLDgGYDxP6x2nucvQGvSjt8CdzrQ"}, {"kty": "EC", "use": "sig", "kid": "WGx2RmVhaUxaZ2ZmZWYwVngyMHZmaFFUSWJqblhpVURINXdnREZNakdZWQ", "crv": "P-256", "x": "e1HiQ-bNlVsdQ8DV95v6vgoQNXGEOY2Brbu9pz4AJVM", "y": "osKZQ8S20557irH8rklGTgmMwbNOhmObzeFw6KNwZg8"}]} from https://127.0.0.1:5000/static/jwks.json
2019-08-28 14:56:54,793 cryptojwt.key_bundle:DEBUG Loaded JWKS: {"keys": [{"kty": "RSA", "use": "sig", "kid": "TGhjUE8xYVRNc0E0UGl4NFBHNzZ2M1dJWXNkaU41TlY5Umxrdk9NT3JRYw", "e": "AQAB", "n": "6Ng0mZKOShKZEFwdJEAlPx-B1oTuH31ZDUvvinZnzkyoEeMfnK2_vxlrf-yHljDtiKBuqSa_wAUXVDKwc5krCUCYMnCPmORzqMkGyB2iqIgz62pQqlUx16ynM0XTTpoC2bgpto-KW3LurfCV6szEQ8nXorEfraXLaG-NkhZCohqC-fPtQyDZCvJCASbjSIATtqD0cXEVjYQyLoxh3WXw2hEWAUkfWSwEwh4saMOGxIWFn0Cs3X7_16yQpCa9Qn8kmgbNb-dndWHec5HyKUooetGkZqv8Pp90tstrza3e8JOtXoFfe0uT7ImuDDSLDgGYDxP6x2nucvQGvSjt8CdzrQ"}, {"kty": "EC", "use": "sig", "kid": "WGx2RmVhaUxaZ2ZmZWYwVngyMHZmaFFUSWJqblhpVURINXdnREZNakdZWQ", "crv": "P-256", "x": "e1HiQ-bNlVsdQ8DV95v6vgoQNXGEOY2Brbu9pz4AJVM", "y": "osKZQ8S20557irH8rklGTgmMwbNOhmObzeFw6KNwZg8"}]} from https://127.0.0.1:5000/static/jwks.json
2019-08-28 14:56:54,793 oidcservice.oidc.provider_info_discovery:DEBUG service_context behaviour: {'token_endpoint_auth_method': 'client_secret_basic', 'response_types': ['code', 'id_token', 'id_token token', 'code id_token', 'code id_token token', 'code token'], 'scope': ['openid', 'profile', 'email', 'address', 'phone'], 'application_name': 'rphandler', 'services': {'accesstoken': {'kwargs': {'state_db': <oidcservice.state_interface.InMemoryStateDataBase object at 0x7fc5ea099a20>, 'service_context': <oidcservice.service_context.ServiceContext object at 0x7fc5e8058d68>, 'client_authn_factory': <function factory at 0x7fc5ec3d8a60>}, 'class': 'oidcservice.oidc.access_token.AccessToken'}, 'refresh_accesstoken': {'kwargs': {'state_db': <oidcservice.state_interface.InMemoryStateDataBase object at 0x7fc5ea099a20>, 'service_context': <oidcservice.service_context.ServiceContext object at 0x7fc5e8058d68>, 'client_authn_factory': <function factory at 0x7fc5ec3d8a60>}, 'class': 'oidcservice.oidc.refresh_access_token.RefreshAccessToken'}, 'registration': {'kwargs': {'state_db': <oidcservice.state_interface.InMemoryStateDataBase object at 0x7fc5ea099a20>, 'service_context': <oidcservice.service_context.ServiceContext object at 0x7fc5e8058d68>, 'client_authn_factory': <function factory at 0x7fc5ec3d8a60>}, 'class': 'oidcservice.oidc.registration.Registration'}, 'authorization': {'kwargs': {'state_db': <oidcservice.state_interface.InMemoryStateDataBase object at 0x7fc5ea099a20>, 'service_context': <oidcservice.service_context.ServiceContext object at 0x7fc5e8058d68>, 'client_authn_factory': <function factory at 0x7fc5ec3d8a60>}, 'class': 'oidcservice.oidc.authorization.Authorization'}, 'end_session': {'kwargs': {'state_db': <oidcservice.state_interface.InMemoryStateDataBase object at 0x7fc5ea099a20>, 'service_context': <oidcservice.service_context.ServiceContext object at 0x7fc5e8058d68>, 'client_authn_factory': <function factory at 0x7fc5ec3d8a60>}, 'class': 
'oidcservice.oidc.end_session.EndSession'}, 'discovery': {'kwargs': {'state_db': <oidcservice.state_interface.InMemoryStateDataBase object at 0x7fc5ea099a20>, 'service_context': <oidcservice.service_context.ServiceContext object at 0x7fc5e8058d68>, 'client_authn_factory': <function factory at 0x7fc5ec3d8a60>}, 'class': 'oidcservice.oidc.provider_info_discovery.ProviderInfoDiscovery'}, 'userinfo': {'kwargs': {'state_db': <oidcservice.state_interface.InMemoryStateDataBase object at 0x7fc5ea099a20>, 'service_context': <oidcservice.service_context.ServiceContext object at 0x7fc5e8058d68>, 'client_authn_factory': <function factory at 0x7fc5ec3d8a60>}, 'class': 'oidcservice.oidc.userinfo.UserInfo'}}, 'application_type': 'web', 'contacts': ['ops@example.com']}
2019-08-28 14:56:54,794 oidcrp.oauth2:DEBUG do_request info: {'method': 'POST', 'url': 'https://127.0.0.1:5000/registration', 'headers': {'Content-Type': 'application/json'}, 'body': '{"response_types": ["code", "id_token", "id_token token", "code id_token", "code id_token token", "code token"], "token_endpoint_auth_method": "client_secret_basic", "post_logout_redirect_uris": ["https://localhost:8089"], "redirect_uris": ["https://127.0.0.1:8090/authz_cb/flop"], "application_type": "web", "contacts": ["ops@example.com"], "grant_types": ["implicit", "authorization_code"]}'}
2019-08-28 14:56:54,794 oidcrp.oauth2:DEBUG Doing request with: URL:https://127.0.0.1:5000/registration, method:POST, data:{"response_types": ["code", "id_token", "id_token token", "code id_token", "code id_token token", "code token"], "token_endpoint_auth_method": "client_secret_basic", "post_logout_redirect_uris": ["https://localhost:8089"], "redirect_uris": ["https://127.0.0.1:8090/authz_cb/flop"], "application_type": "web", "contacts": ["ops@example.com"], "grant_types": ["implicit", "authorization_code"]}, https_args:{'Content-Type': 'application/json'}
2019-08-28 14:56:54,795 urllib3.connectionpool:DEBUG Starting new HTTPS connection (1): 127.0.0.1:5000
2019-08-28 14:56:54,811 urllib3.connectionpool:DEBUG https://127.0.0.1:5000 "POST /registration HTTP/1.1" 400 91
2019-08-28 14:56:54,812 oidcrp.oauth2:ERROR Error response (400): {"error": "invalid_request", "error_description": "'RSAKey' object has no attribute 'key'"}
2019-08-28 14:56:54,812 oidcrp.util:DEBUG resp.headers: {'Content-Length': '91', 'Content-Type': 'text/html; charset=utf-8', 'Server': 'Werkzeug/0.15.5 Python/3.5.2', 'Date': 'Wed, 28 Aug 2019 12:56:54 GMT'}
2019-08-28 14:56:54,812 oidcrp.util:DEBUG resp.txt: {"error": "invalid_request", "error_description": "'RSAKey' object has no attribute 'key'"}
2019-08-28 14:56:54,812 oidcservice.service:DEBUG response format: json
2019-08-28 14:56:54,812 oidcservice.service:DEBUG response_cls: RegistrationResponse
2019-08-28 14:56:54,812 oidcservice.service:DEBUG Initial response parsing => "{'error_description': "'RSAKey' object has no attribute 'key'", 'error': 'invalid_request'}"
2019-08-28 14:56:54,812 oidcservice.service:DEBUG Error response: {'error_description': "'RSAKey' object has no attribute 'key'", 'error': 'invalid_request'}
2019-08-28 14:56:54,813 cherrypy.access.140488011849512:INFO 127.0.0.1 - - [28/Aug/2019:14:56:54] "GET /rp?uid=&iss=flop HTTP/1.1" 500 841 "https://127.0.0.1:8089/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/76.0.3809.100 Chrome/76.0.3809.100 Safari/537.36"
2019-08-28 14:56:54,829 cherrypy.access.140488011849512:INFO 127.0.0.1 - - [28/Aug/2019:14:56:54] "GET /favicon.ico HTTP/1.1" 200 1406 "https://127.0.0.1:8089/rp?uid=&iss=flop" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/76.0.3809.100 Chrome/76.0.3809.100 Safari/537.36"

On the oidc-op side I have this log:

2019-08-28 14:50:49,011 werkzeug INFO  * Running on https://127.0.0.1:5000/ (Press CTRL+C to quit)
2019-08-28 14:50:49,012 werkzeug INFO  * Restarting with stat
2019-08-28 14:50:49,308 root DEBUG Configured logging using dictionary
2019-08-28 14:50:49,309 oidcop.configure DEBUG Reading session signer from private/session.json
2019-08-28 14:50:49,309 oidcop.configure DEBUG Set server password to b'mGg5fSju9mhS8tybWxBFmQbauUDAYKPmaSTafSy5Nfk'
2019-08-28 14:50:49,389 werkzeug WARNING  * Debugger is active!
2019-08-28 14:50:49,389 werkzeug INFO  * Debugger PIN: 214-696-756
2019-08-28 14:56:54,769 oidcop.configure INFO At the "provider_config" endpoint
2019-08-28 14:56:54,769 oidcendpoint.endpoint DEBUG - provider_config -
2019-08-28 14:56:54,769 oidcendpoint.endpoint INFO Request: {}
2019-08-28 14:56:54,769 oidcendpoint.endpoint INFO Parsed and verified request: {}
2019-08-28 14:56:54,770 oidcop.configure INFO request: {}
2019-08-28 14:56:54,770 oidcop.configure INFO Response args: {'response_args': {'version': '3.0', 'request_parameter_supported': True, 'token_endpoint_auth_methods_supported': ['client_secret_post', 'client_secret_basic', 'client_secret_jwt', 'private_key_jwt'], 'end_session_endpoint': 'https://127.0.0.1:5000/session', 'request_object_encryption_alg_values_supported': ['RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256', 'A128KW', 'A192KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'], 'subject_types_supported': ['public', 'pairwise'], 'claim_types_supported': ['normal', 'aggregated', 'distributed'], 'userinfo_encryption_enc_values_supported': ['A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A192GCM', 'A256GCM'], 'response_types_supported': ['code id_token token', 'id_token', 'token', 'code token', 'id_token token', 'none', 'code id_token', 'code'], 'grant_types_supported': ['urn:ietf:params:oauth:grant-type:jwt-bearer', 'authorization_code', 'refresh_token', 'implicit'], 'frontchannel_logout_session_supported': True, 'backchannel_logout_session_supported': True, 'token_endpoint_auth_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512'], 'claims_parameter_supported': True, 'frontchannel_logout_supported': True, 'id_token_encryption_alg_values_supported': ['RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256', 'A128KW', 'A192KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'], 'userinfo_endpoint': 'https://127.0.0.1:5000/userinfo', 'claims_supported': ['birthdate', 'preferred_username', 'sub', 'middle_name', 'picture', 'gender', 'address', 'zoneinfo', 'locale', 'nickname', 'profile', 'website', 'family_name', 'email_verified', 'given_name', 'updated_at', 'email', 'phone_number_verified', 'phone_number', 'name'], 'backchannel_logout_supported': True, 'authorization_endpoint': 'https://127.0.0.1:5000/authorization', 'check_session_iframe': 
'https://127.0.0.1:5000/check_session_iframe', 'userinfo_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512', 'none'], 'request_object_encryption_enc_values_supported': ['A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A192GCM', 'A256GCM'], 'registration_endpoint': 'https://127.0.0.1:5000/registration', 'response_modes_supported': ['form_post', 'query', 'fragment'], 'scopes_supported': ['phone', 'offline_access', 'email', 'openid', 'address', 'profile'], 'jwks_uri': 'https://127.0.0.1:5000/static/jwks.json', 'token_endpoint': 'https://127.0.0.1:5000/token', 'request_uri_parameter_supported': True, 'request_object_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512', 'none'], 'id_token_encryption_enc_values_supported': ['A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM', 'A192GCM', 'A256GCM'], 'issuer': 'https://127.0.0.1:5000', 'id_token_signing_alg_values_supported': ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'PS256', 'PS384', 'PS512', 'none'], 'acr_values_supported': 'oidcendpoint.user_authn.authn_context.INTERNETPROTOCOLPASSWORD oidcendpoint.user_authn.authn_context.UNSPECIFIED', 'userinfo_encryption_alg_values_supported': ['RSA1_5', 'RSA-OAEP', 'RSA-OAEP-256', 'A128KW', 'A192KW', 'A256KW', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW']}}
2019-08-28 14:56:54,771 oidcop.configure DEBUG do_response: {'http_headers': [('Content-type', 'application/json'), ('Pragma', 'no-cache'), ('Cache-Control', 'no-store')], 'response': '{"version": "3.0", "request_parameter_supported": true, "id_token_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "require_request_uri_registration": true, "frontchannel_logout_supported": true, "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt"], "end_session_endpoint": "https://127.0.0.1:5000/session", "request_object_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "subject_types_supported": ["public", "pairwise"], "claim_types_supported": ["normal", "aggregated", "distributed"], "response_types_supported": ["code id_token token", "id_token", "token", "code token", "id_token token", "none", "code id_token", "code"], "grant_types_supported": ["urn:ietf:params:oauth:grant-type:jwt-bearer", "authorization_code", "refresh_token", "implicit"], "claims_supported": ["birthdate", "preferred_username", "sub", "middle_name", "picture", "gender", "address", "zoneinfo", "locale", "nickname", "profile", "website", "family_name", "email_verified", "given_name", "updated_at", "email", "phone_number_verified", "phone_number", "name"], "token_endpoint_auth_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "claims_parameter_supported": true, "backchannel_logout_session_supported": true, "id_token_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", 
"A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "frontchannel_logout_session_supported": true, "backchannel_logout_supported": true, "authorization_endpoint": "https://127.0.0.1:5000/authorization", "check_session_iframe": "https://127.0.0.1:5000/check_session_iframe", "userinfo_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "registration_endpoint": "https://127.0.0.1:5000/registration", "response_modes_supported": ["form_post", "query", "fragment"], "scopes_supported": ["phone", "offline_access", "email", "openid", "address", "profile"], "jwks_uri": "https://127.0.0.1:5000/static/jwks.json", "userinfo_endpoint": "https://127.0.0.1:5000/userinfo", "request_uri_parameter_supported": true, "request_object_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "request_object_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "token_endpoint": "https://127.0.0.1:5000/token", "userinfo_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "acr_values_supported": ["oidcendpoint.user_authn.authn_context.INTERNETPROTOCOLPASSWORD", "oidcendpoint.user_authn.authn_context.UNSPECIFIED"], "userinfo_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "issuer": "https://127.0.0.1:5000"}'}
2019-08-28 14:56:54,771 oidcop.configure DEBUG response_placement: body
2019-08-28 14:56:54,771 oidcop.configure INFO Response: {"version": "3.0", "request_parameter_supported": true, "id_token_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "require_request_uri_registration": true, "frontchannel_logout_supported": true, "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt"], "end_session_endpoint": "https://127.0.0.1:5000/session", "request_object_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "subject_types_supported": ["public", "pairwise"], "claim_types_supported": ["normal", "aggregated", "distributed"], "response_types_supported": ["code id_token token", "id_token", "token", "code token", "id_token token", "none", "code id_token", "code"], "grant_types_supported": ["urn:ietf:params:oauth:grant-type:jwt-bearer", "authorization_code", "refresh_token", "implicit"], "claims_supported": ["birthdate", "preferred_username", "sub", "middle_name", "picture", "gender", "address", "zoneinfo", "locale", "nickname", "profile", "website", "family_name", "email_verified", "given_name", "updated_at", "email", "phone_number_verified", "phone_number", "name"], "token_endpoint_auth_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512"], "claims_parameter_supported": true, "backchannel_logout_session_supported": true, "id_token_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "frontchannel_logout_session_supported": true, 
"backchannel_logout_supported": true, "authorization_endpoint": "https://127.0.0.1:5000/authorization", "check_session_iframe": "https://127.0.0.1:5000/check_session_iframe", "userinfo_encryption_alg_values_supported": ["RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"], "registration_endpoint": "https://127.0.0.1:5000/registration", "response_modes_supported": ["form_post", "query", "fragment"], "scopes_supported": ["phone", "offline_access", "email", "openid", "address", "profile"], "jwks_uri": "https://127.0.0.1:5000/static/jwks.json", "userinfo_endpoint": "https://127.0.0.1:5000/userinfo", "request_uri_parameter_supported": true, "request_object_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "request_object_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "token_endpoint": "https://127.0.0.1:5000/token", "userinfo_encryption_enc_values_supported": ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512", "A128GCM", "A192GCM", "A256GCM"], "acr_values_supported": ["oidcendpoint.user_authn.authn_context.INTERNETPROTOCOLPASSWORD", "oidcendpoint.user_authn.authn_context.UNSPECIFIED"], "userinfo_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "none"], "issuer": "https://127.0.0.1:5000"}
2019-08-28 14:56:54,772 werkzeug INFO 127.0.0.1 - - [28/Aug/2019 14:56:54] "GET /.well-known/openid-configuration HTTP/1.1" 200 -
2019-08-28 14:56:54,791 werkzeug INFO 127.0.0.1 - - [28/Aug/2019 14:56:54] "GET /static/jwks.json HTTP/1.1" 200 -
2019-08-28 14:56:54,803 oidcop.configure INFO At the "registration_endpoint" endpoint
2019-08-28 14:56:54,804 oidcendpoint.endpoint DEBUG - registration_endpoint -
2019-08-28 14:56:54,804 oidcendpoint.endpoint INFO Request: {"response_types": ["code", "id_token", "id_token token", "code id_token", "code id_token token", "code token"], "token_endpoint_auth_method": "client_secret_basic", "post_logout_redirect_uris": ["https://localhost:8089"], "redirect_uris": ["https://127.0.0.1:8090/authz_cb/flop"], "application_type": "web", "contacts": ["ops@example.com"], "grant_types": ["implicit", "authorization_code"]}
2019-08-28 14:56:54,804 oidcendpoint.endpoint INFO Parsed and verified request: {'token_endpoint_auth_method': 'client_secret_basic', 'post_logout_redirect_uris': ['https://localhost:8089'], 'response_types': ['code', 'id_token', 'id_token token', 'code id_token', 'code id_token token', 'code token'], 'application_type': 'web', 'contacts': ['ops@example.com'], 'grant_types': ['implicit', 'authorization_code'], 'redirect_uris': ['https://127.0.0.1:8090/authz_cb/flop']}
2019-08-28 14:56:54,804 oidcop.configure INFO request: {'token_endpoint_auth_method': 'client_secret_basic', 'post_logout_redirect_uris': ['https://localhost:8089'], 'response_types': ['code', 'id_token', 'id_token token', 'code id_token', 'code id_token token', 'code token'], 'application_type': 'web', 'contacts': ['ops@example.com'], 'grant_types': ['implicit', 'authorization_code'], 'redirect_uris': ['https://127.0.0.1:8090/authz_cb/flop']}
2019-08-28 14:56:54,805 oidcendpoint.oidc.registration DEBUG _cinfo: {'client_salt': 'ez8eeU1p', 'client_id': 'eD4fg038iVSc', 'client_secret': 'e521dc352773509fd6db373c34472e1c4e181a5143ee32887cb4507e', 'client_id_issued_at': 1566997014, 'registration_client_uri': 'registration?client_id=eD4fg038iVSc', 'registration_access_token': 'o33kTrExhnePZz643jqLy2YBKjwqQJAG', 'client_secret_expires_at': 1567429014}
2019-08-28 14:56:54,805 oidcendpoint.oidc.registration DEBUG found 0 keys for client_id=eD4fg038iVSc
2019-08-28 14:56:54,806 oidcendpoint.oidc.registration INFO registration_response: {'client_id': 'eD4fg038iVSc', 'response_types': ['code', 'id_token', 'id_token token', 'code id_token', 'code id_token token', 'code token'], 'application_type': 'web', 'client_secret_expires_at': 1567429014, 'client_id_issued_at': 1566997014, 'client_secret': 'e521dc352773509fd6db373c34472e1c4e181a5143ee32887cb4507e', 'post_logout_redirect_uris': ['https://localhost:8089'], 'grant_types': ['implicit', 'authorization_code'], 'registration_client_uri': 'registration?client_id=eD4fg038iVSc', 'contacts': ['ops@example.com'], 'token_endpoint_auth_method': 'client_secret_basic', 'redirect_uris': ['https://127.0.0.1:8090/authz_cb/flop'], 'registration_access_token': 'o33kTrExhnePZz643jqLy2YBKjwqQJAG'}
2019-08-28 14:56:54,809 oidcop.configure ERROR ['Traceback (most recent call last):\n', '  File "/home/wert/DEV3/OIDC-Project/oidc-op/flask_op/views.py", line 249, in service_endpoint\n    args = endpoint.process_request(req_args, **kwargs)\n', '  File "/home/wert/DEV3/Django-Identity.env/lib/python3.5/site-packages/oidcendpoint/oidc/registration.py", line 441, in process_request\n    client_id=reg_resp[\'client_id\'])\n', '  File "/home/wert/DEV3/Django-Identity.env/lib/python3.5/site-packages/oidcendpoint/cookie.py", line 446, in new_cookie\n    ttl=endpoint_context.sso_ttl)\n', '  File "/home/wert/DEV3/Django-Identity.env/lib/python3.5/site-packages/oidcendpoint/cookie.py", line 340, in create_cookie\n    sign_alg=self.sign_alg, **c_args)\n', '  File "/home/wert/DEV3/Django-Identity.env/lib/python3.5/site-packages/oidcendpoint/cookie.py", line 188, in make_cookie\n    max_age=max_age, sign_alg=sign_alg)\n', '  File "/home/wert/DEV3/Django-Identity.env/lib/python3.5/site-packages/oidcendpoint/cookie.py", line 168, in make_cookie_content\n    enc_key=enc_key, sign_alg=sign_alg)\n', '  File "/home/wert/DEV3/Django-Identity.env/lib/python3.5/site-packages/oidcendpoint/cookie.py", line 60, in sign_enc_payload\n    mac = signer.sign(bytes_load + bytes_timestamp, sign_key.key)\n', "AttributeError: 'RSAKey' object has no attribute 'key'\n"]
2019-08-28 14:56:54,810 werkzeug INFO 127.0.0.1 - - [28/Aug/2019 14:56:54] "POST /registration HTTP/1.1" 400 -

The oidc-op logs tell us: 2019-08-28 14:56:54,805 oidcendpoint.oidc.registration DEBUG found 0 keys for client_id=eD4fg038iVSc.

rohe commented 5 years ago

So what's in "jwks_dir/jwks.json" and 'static/jwks.json' ?

Note that the YAML file uses a set of tools the PY file doesn't. One such is bound to these lines:

OIDC_KEYS:
    'private_path': "./priv/jwks.json"
    'key_defs': *keydef
    'public_path': './static/jwks.json'

Given that, in the configuration file the RP will create a new set of keys if the given files don't exist or are empty. I need to convert the YAML config to a PY config because the key creation function is quite useful.

rohe commented 5 years ago

Ah, reading the OIDC-op logs it's obvious :-/ In the client registration there MUST be a jwks or a jwks_uri claim. There ain't. So the OP doesn't get any keys from the RP. Now, the question is why the RP isn't registering keys. My guess is that a key file is missing. Which comes back to the "What's in ..." question above.

peppelinux commented 5 years ago

So what's in "jwks_dir/jwks.json" and 'static/jwks.json' ?

Regarding oidc-op, conf.yaml

op:
  server_info:
    ...
    jwks:
      private_path: private/private_jwks.json
      key_defs: *key_def
      uri_path: static/jwks.json

I created private_jwks.json this way (probably wrong, I need to deal with init_key_jar instead):

python -c 'import json; from cryptojwt.jwk.rsa import new_rsa_key; print(json.dumps(new_rsa_key().to_dict(), indent=2))'

Here is its content:

oidc-op$ cat private/private_jwks.json
{
  "e": "AQAB",
  "q": "0bM2G0rs0B_3Yzb46by5o96WzX-K1bcmdyfSWWjNKsZ0TB7I8tpWyJTYgQU_Tl_n_-ID80r77irOkrmkoYu4vX8sfSY2n_lXczp3YS9oHUu4DVzc2aGIyks2KJGR87mUhkpXkOXYokBr0nopVElTnv2rf9x309OojupqfPHtSMU",
  "p": "1B5i7RDfSGtUlFCn4vHeVWlhtoLFDIRCDHW7gwl0eEPjbwzp-u10wTht4cRsc_N0cIPxssxEZdyDMBpDN4D_tSu5NoXN9V30XJG5UMqj--Kzqiqvmd3T6qU1MpEtY0a8HwqZUm53i3ufMb6a4GmpvouXS0Jp3IGU39jU96UKxX8",
  "kid": "Y29IU1RCaEd3NXNZMU5YQ3VCNmNGcFhRVEllRUJjQU0yNXZWSkdxbTVfOA",
  "kty": "RSA",
  "n": "rcFM17ywh94KYrimjoe3lPByDmiuAORau_z4PSCZIh_aqWpQWPBVaAIhjYYSVtbffkOOJDYio0syCBE0ErwDggmXVGy4TH5ZOS6wmAjTmhTDzkfLIphafwg8oSnA1x65Y2057vrfaTp1rHMB1T3bUFeC2tEBajlmSAiJALRRYdK62nIBMkGROBKaMzynMUyWYYSxisVy0eFy2e4fR2uoUGMAeRucL3Vb0G3C1SzxZ1uLJt68b9rlWjdJ4tqe9L6u3hDqxYKupZm8KAAABBYUa-GgwqpXFL_owhJoyJbE2h1_KWQrFU6Ramr7fbtUa8SbpSsdgdZUwsboeLdmbmiyuw",
  "d": "HyTtxCGzNrdK_0T_vb5_3nd2yjRjNA-6X8XJLRPBvwccp49B1Z9Gf70aDIcClIQxTS2Itd7qOIDK9_01a0I-ErnrYRuXsUZYcdJ3nti-LPkZ28islYffeLOeQnj8ctK0Aila4AYhs3fiDcYThwhuXilBcD1UVpjxR2oYPIMVr0XN0mcpuy8VMUrtb3shIJqFKkYhBzujbgVBRH4wnIrKpTJx-p0P3c7nsN8G7Sj7qkboobll4v3ZnJU9ryU-6gbsFXPijXQ3zvxSqGYxI8WEPhD7fDgwSd-dMzARVy-VJhv804LSUrqGXYQgC0GMcw9rh48N7WTScDvbD_bu52HuaQ"
}

I'll take a look into the sources to see how it gets created automatically if absent. For example, in oidc-op the following is created if absent:

    token_handler_args:
      jwks_def:
        private_path: 'private/token_jwks.json'

This is oidc-op static/jwks.json:

cat static/jwks.json
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "TGhjUE8xYVRNc0E0UGl4NFBHNzZ2M1dJWXNkaU41TlY5Umxrdk9NT3JRYw",
      "e": "AQAB",
      "n": "6Ng0mZKOShKZEFwdJEAlPx-B1oTuH31ZDUvvinZnzkyoEeMfnK2_vxlrf-yHljDtiKBuqSa_wAUXVDKwc5krCUCYMnCPmORzqMkGyB2iqIgz62pQqlUx16ynM0XTTpoC2bgpto-KW3LurfCV6szEQ8nXorEfraXLaG-NkhZCohqC-fPtQyDZCvJCASbjSIATtqD0cXEVjYQyLoxh3WXw2hEWAUkfWSwEwh4saMOGxIWFn0Cs3X7_16yQpCa9Qn8kmgbNb-dndWHec5HyKUooetGkZqv8Pp90tstrza3e8JOtXoFfe0uT7ImuDDSLDgGYDxP6x2nucvQGvSjt8CdzrQ"
    },
    {
      "kty": "EC",
      "use": "sig",
      "kid": "WGx2RmVhaUxaZ2ZmZWYwVngyMHZmaFFUSWJqblhpVURINXdnREZNakdZWQ",
      "crv": "P-256",
      "x": "e1HiQ-bNlVsdQ8DV95v6vgoQNXGEOY2Brbu9pz4AJVM",
      "y": "osKZQ8S20557irH8rklGTgmMwbNOhmObzeFw6KNwZg8"
    }
  ]
}

Note that the YAML file uses a set of tools the PY file doesn't. One such is bound to these lines:

OIDC_KEYS:
    'private_path': "./priv/jwks.json"
    'key_defs': *keydef
    'public_path': './static/jwks.json'

Given that, in the configuration file the RP will create a new set of keys if the given files don't exist or are empty.

Tested in flask_rp/conf.yaml. It doesn't create the keys if they are absent, using:

OIDC_KEYS:
    'private_path': './private/jwks.json'
    'key_defs': *keydef
    'public_path': './static/jwks.json'

This is the debug output:

JWTConnect-Python-OidcRP$ python3 -m flask_rp.wsgi flask_rp/conf.yaml
> ~/DEV3/OIDC-Project/JWTConnect-Python-OidcRP/flask_rp/application.py(17)init_oidc_rp_handler()
-> _kj = init_key_jar(**oidc_keys_conf)
(Pdb) oidc_keys_conf
{'public_path': './static/jwks.json', 'key_defs': [{'key': '', 'type': 'RSA', 'use': ['sig']}, {'crv': 'P-256', 'type': 'EC', 'use': ['sig']}], 'private_path': './private/jwks.json'}
(Pdb) n
> ~/DEV3/OIDC-Project/JWTConnect-Python-OidcRP/flask_rp/application.py(18)init_oidc_rp_handler()
-> _kj.verify_ssl = verify_ssl
(Pdb) _kj
<KeyJar(issuers=[''])>
(Pdb) _kj.__dict__
{'spec2key': {}, 'httpc': <function request at 0x7f2125d40730>, 'verify_ssl': True, 'remove_after': 3600, 'issuer_keys': {'': [<cryptojwt.key_bundle.KeyBundle object at 0x7f21276fc518>]}, 'keybundle_cls': <class 'cryptojwt.key_bundle.KeyBundle'>, 'ca_certs': None}
(Pdb) 

I need to convert the YAML config to a PY config because the key creation function is quite useful. See https://github.com/rohe/oidc-op/blob/master/src/oidcop/utils.py#L17; it will be trivial to store that IOStream to a real file.

peppelinux commented 5 years ago

OK, to get it to create the JWKS files I added read_only=False as follows:

OIDC_KEYS:
    'private_path': './flask_rp/private/jwks.json'
    'key_defs': *keydef
    'public_path': './flask_rp/static/jwks.json'
    'read_only': False

rohe commented 5 years ago

Right! In the default case you don't want it to overwrite what's already there, if there is something there.

rohe commented 5 years ago

You definitely need init_key_jar to create a syntactically correct JWKS file.

peppelinux commented 5 years ago

I go ahead, but I understand that in oidcendpoint.do_client_registration I cannot find jwks_uri and jwks in the request, as you already told me, but I'm trying to find the right configuration to get those attributes into my RP registration request.

The interesting part in oidcendpoint.registration is at line 212:

        t = {'jwks_uri': '', 'jwks': None}

        for item in ['jwks_uri', 'jwks']:
            if item in request:
                t[item] = request[item]

        # if it can't load keys because the URL is false it will
        # just silently fail. Waiting for better times.
        _context.keyjar.load_keys(client_id,
                                  jwks_uri=t['jwks_uri'],
                                  jwks=t['jwks'])
        try:
            n_keys = 0
            for kb in _context.keyjar[client_id]:
                n_keys += len(kb.keys())
            msg = "found {} keys for client_id={}"
            logger.debug(msg.format(n_keys, client_id))
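
The OP-side step quoted above is the one that decides whether a client ends up with 0 or 2 keys, and the single-JWK file printed earlier in the thread (the output of new_rsa_key().to_dict(), which contains d, p and q) is a different shape from the JWKS that a jwks_uri has to serve. The following is an added, stand-alone example written for this page; it is not oidcendpoint's or cryptojwt's code. It mirrors the jwks / jwks_uri selection of the snippet, counts the resulting keys, accepts either a bare JWK or a JWKS, and derives the public set that is safe to put in static/jwks.json from a private one. The sample request, the placeholder key values and the in-memory stand-in for the RP's static directory are constructed for the demo; the choice that an inline jwks takes precedence over jwks_uri, and the rejection of private material and of a failed fetch, are this example's own decisions, not behaviour the page attributes to the library.

```python
import json

# Private members per key type (RFC 7518, section 6). None of these may
# ever appear in the file served at jwks_uri.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "oct": {"k"},
}
# Members a key of each type must carry to be usable at all.
REQUIRED = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "oct": {"k"}}


def as_jwks(doc):
    """Accept a JWKS ({"keys": [...]}) or a bare JWK (the shape that
    new_rsa_key().to_dict() prints) and return a validated JWKS dict."""
    if isinstance(doc, (str, bytes)):
        doc = json.loads(doc)
    if not isinstance(doc, dict):
        raise ValueError("JWKS must be a JSON object")
    if "keys" in doc:
        keys = list(doc["keys"])
    elif "kty" in doc:
        keys = [doc]
    else:
        raise ValueError("neither a JWKS nor a JWK")
    for k in keys:
        kty = k.get("kty")
        if kty not in REQUIRED:
            raise ValueError("unsupported or missing kty: %r" % (kty,))
        missing = REQUIRED[kty] - set(k)
        if missing:
            raise ValueError("%s key is missing %s" % (kty, sorted(missing)))
    return {"keys": keys}


def is_private(jwk):
    """True if the JWK carries private material for its key type."""
    return bool(PRIVATE_MEMBERS[jwk["kty"]] & set(jwk))


def public_jwks(doc):
    """Derive the publishable set from a private JWKS: strip private
    members and drop symmetric keys, which have no public half."""
    out = []
    for k in as_jwks(doc)["keys"]:
        if k["kty"] == "oct":
            continue
        out.append({m: v for m, v in k.items() if m not in PRIVATE_MEMBERS["RSA" if k["kty"] == "RSA" else "EC"]})
    return {"keys": out}


def load_client_keys(request, fetch):
    """Selection logic of the registration snippet: an inline `jwks` is
    used first (this example's choice), else `jwks_uri` is fetched, else the
    client gets no keys. `fetch(url)` returns the body or None. Unlike the
    snippet, a failed fetch is an error rather than a silent empty result,
    and a client that sends private key material is rejected."""
    t = {"jwks_uri": "", "jwks": None}
    for item in ("jwks_uri", "jwks"):
        if item in request:
            t[item] = request[item]
    if t["jwks"] is not None:
        jwks = as_jwks(t["jwks"])
    elif t["jwks_uri"]:
        body = fetch(t["jwks_uri"])
        if body is None:
            raise ValueError("could not fetch jwks_uri %s" % t["jwks_uri"])
        jwks = as_jwks(body)
    else:
        return []
    keys = jwks["keys"]
    if any(is_private(k) for k in keys):
        raise ValueError("client sent private key material at registration")
    return keys


# Constructed sample data (placeholder values, not real keys): a request
# like the one logged above, the RP's private JWKS, and an in-memory
# stand-in for the RP's static/ directory so nothing is fetched.
REQUEST_NO_KEYS = {
    "redirect_uris": ["https://127.0.0.1:8090/authz_cb/flop"],
    "token_endpoint_auth_method": "client_secret_basic",
    "response_types": ["code"],
}
RP_PRIVATE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "rsa-1", "n": "n-placeholder", "e": "AQAB",
     "d": "d-placeholder", "p": "p-placeholder", "q": "q-placeholder"},
    {"kty": "EC", "use": "sig", "kid": "ec-1", "crv": "P-256",
     "x": "x-placeholder", "y": "y-placeholder", "d": "d-placeholder"},
]}
RP_JWKS_URI = "https://127.0.0.1:8090/static/jwks.json"
STATIC_FILES = {RP_JWKS_URI: json.dumps(public_jwks(RP_PRIVATE_JWKS))}


def fake_fetch(url):
    return STATIC_FILES.get(url)


def demo():
    """Key counts for a registration without and with jwks_uri."""
    n_without = len(load_client_keys(REQUEST_NO_KEYS, fake_fetch))
    n_with = len(load_client_keys(dict(REQUEST_NO_KEYS, jwks_uri=RP_JWKS_URI), fake_fetch))
    return n_without, n_with


if __name__ == "__main__":
    for n, cid in zip(demo(), ("eD4fg038iVSc", "ZXbrP1P0aYUG")):
        print("found %d keys for client_id=%s" % (n, cid))
```

Running it prints the same two "found N keys" lines the OP logged in this thread, 0 before jwks_uri was registered and 2 after. The public_jwks step is the check worth keeping in mind when hand-writing key files: the private JWKS belongs under private_path, and only its stripped form under the path that jwks_uri points at.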

peppelinux commented 5 years ago

You definitely need init_key_jar to create a syntactically correct JWKS file.

This is something useful for the end-user documentation.

peppelinux commented 5 years ago

RPHandler loads my JWKS definitions correctly, but they do not appear in the RP registration request. I'm going through this....

JWTConnect-Python-OidcRP/flask_rp/application.py(32)init_oidc_rp_handler()
-> return rph
(Pdb) rph
<oidcrp.RPHandler object at 0x7fad78a10320>
(Pdb) rph.__dict__
{'base_url': 'https://127.0.0.1:8090', 'hash_seed': b'BabyHoldOn', 'client_authn_factory': None, 'client_cls': <class 'oidcrp.oidc.RP'>, 'session_interface': <oidcservice.state_interface.StateInterface object at 0x7fad7a2b7048>, 'extra': {'jwks_path': 'static/jwks.json'}, 'jwks_uri': 'https://127.0.0.1:8090/static/jwks.json', 'services': None, 'keyjar': <KeyJar(issuers=[''])>, 'verify_ssl': False, 'hash2issuer': {}, 'issuer2rp': {}, 'client_configs': {'flop': {'client_preferences': {'token_endpoint_auth_method': ['client_secret_basic', 'client_secret_post'], 'contacts': ['ops@example.com'], 'scope': ['openid', 'profile', 'email', 'address', 'phone'], 'application_type': 'web', 'application_name': 'rphandler', 'response_types': ['code']}, 'issuer': 'https://127.0.0.1:5000/', 'services': {'refresh_accesstoken': {'kwargs': {}, 'class': 'oidcservice.oidc.refresh_access_token.RefreshAccessToken'}, 'userinfo': {'kwargs': {}, 'class': 'oidcservice.oidc.userinfo.UserInfo'}, 'discovery': {'kwargs': {}, 'class': 'oidcservice.oidc.provider_info_discovery.ProviderInfoDiscovery'}, 'authorization': {'kwargs': {}, 'class': 'oidcservice.oidc.authorization.Authorization'}, 'accesstoken': {'kwargs': {}, 'class': 'oidcservice.oidc.access_token.AccessToken'}, 'registration': {'kwargs': {}, 'class': 'oidcservice.oidc.registration.Registration'}, 'end_session': {'kwargs': {}, 'class': 'oidcservice.oidc.end_session.EndSession'}}, 'redirect_uris': ['https://127.0.0.1:8090/authz_cb/flop'], 'keys': {'url': {'https://127.0.0.1:5000': 'https://127.0.0.1:5000/static/jwks.json'}}}}, 'httplib': None, 'state_db': <oidcservice.state_interface.InMemoryStateDataBase object at 0x7fad7a297dd8>}

peppelinux commented 5 years ago

Ah, reading the OIDC-op logs it's obvious :-/ In the client registration there MUST be a jwks or a jwks_uri claim. There ain't. So the OP doesn't get any keys from the RP. Now, the question is why the RP isn't registering keys.

OK, I got it to include the jwks_uri parameter in the registration request, this way in the RP:

CLIENTS:
  flop:
    client_preferences: *id001
    issuer: https://127.0.0.1:5000/
    keys:
      url:
        'https://127.0.0.1:5000' : https://127.0.0.1:5000/static/jwks.json
    jwks_uri: https://127.0.0.1:8090/static/jwks.json
    redirect_uris: ['https://127.0.0.1:8090/authz_cb/flop']
    services: *id002

Now I can see it in oidcendpoint.registration#212 and the OP log tells me oidcendpoint.oidc.registration DEBUG found 2 keys for client_id=ZXbrP1P0aYUG. These are the keys:

{"keys": [{"kid": "OVRhTkUxY0hmb284VTRCNTBwSXlsN0lMNldPX3pYUkk1RjB3SDg3Tm9naw", "e": "AQAB", "kty": "RSA", "use": "sig", "n": "9_wL2eQdFfc41L52Dm_YvBV2jT6_41jC8LsseNe6L5-wA6hSeX12zv72SwzulQ7TldQVNEG3heTKlWXWcFFyQZlzplhyZn_RsTho8lgqnXDV-jWdysSK9y3NyxWMJhgeAcWy7HUQUrUezS8vob91mpewk5pLpMmbnDTQdGD_iKYechF7XQqSekzJqO8j5d2p7-Wnz06iByRdSG82MKHhQXwN1y9Y3TVDwZ8wgO8f9lYOfeQMRvQih9R2w-1ceiwuxgSMB-0-EpTWkdZokq_ybzeNaCTwBzYVBgScYkEL3BoIhkh09uWh4YU2QUely6K5RRxWBg1CdpRTdSOoK6L1uw"}, {"kid": "YjI2VTQ3UnZiUlVFR19id1dtTnR6LUM4OG9nNHFyd3F6QVlrR3l6Nk83aw", "y": "U8XAhxQTWoDViyN8XapSSV9DE0jo9hidVI6sMXWxjTE", "kty": "EC", "crv": "P-256", "x": "VgCYJIANpfDHcWdyy3UBwDby1uKcrs8eTW4grOS0Ssk", "use": "sig"}]}

But the exception 'RSAKey' object has no attribute 'key' still persisted. So I found the error: it was the format of cookie_sign_jwk.json. In fact the exception is raised in oidcendpoint.cookie#60 (sign_enc_payload):

    cookie_dealer:
      class: oidcendpoint.cookie.CookieDealer
      kwargs:
        sign_jwk: 'private/cookie_sign_jwk.json'

I can close this issue and write documentation in the README about creating this file via cryptojwt.
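
The traceback at the top of this thread ends in signer.sign(bytes_load + bytes_timestamp, sign_key.key): the cookie signer reads a .key attribute from the object loaded out of cookie_sign_jwk.json, and an RSAKey has none. My reading of that (an inference from the traceback, not something the page states) is that the cookie signer expects a symmetric key, in which case the file should contain an "oct" JWK rather than an RSA one. The following is an added example written for this page, not oidcendpoint's or cryptojwt's code. It generates such a JWK with the standard library, writes it without clobbering an existing file, loads it through a check that rejects any other kty up front with a clear message, and signs and verifies a timestamped cookie with HMAC-SHA256. The cookie value layout, the sample payload and the placeholder RSA JWK are this example's own constructions.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_oct_jwk(nbytes=32, kid=None):
    """A symmetric JWK (RFC 7518, section 6.4); 32 random bytes for HS256."""
    raw = os.urandom(nbytes)
    return {"kty": "oct", "use": "sig", "alg": "HS256",
            "kid": kid or b64u(hashlib.sha256(raw).digest()[:12]), "k": b64u(raw)}


def write_jwk(path, jwk):
    """Write the JWK with mode 0600 and refuse to overwrite an existing
    file; this is secret material, unlike static/jwks.json."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(jwk, fh, indent=2)


def load_cookie_sign_key(jwk):
    """Return raw HMAC key bytes from a JWK dict or JSON text. A
    non-symmetric key (such as the RSA JWK in the issue) is rejected here
    with a clear message instead of failing later inside the signer.
    Assumption of this example: the cookie signer needs a symmetric key."""
    if isinstance(jwk, (str, bytes)):
        jwk = json.loads(jwk)
    if jwk.get("kty") != "oct":
        raise TypeError("cookie sign key must have kty=oct, got %r" % (jwk.get("kty"),))
    key = b64u_decode(jwk["k"])
    if len(key) < 32:
        raise ValueError("HMAC key too short: %d bytes" % len(key))
    return key


def sign_cookie(payload, key, now=None):
    """Value layout (this example's own, not oidcendpoint's wire format):
    b64u(payload)|timestamp|b64u(mac). The '|' is outside the base64url
    alphabet, so the split in verify_cookie is unambiguous."""
    ts = str(int(time.time() if now is None else now))
    body = b64u(payload.encode("utf-8")) + "|" + ts
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "|" + b64u(mac)


def verify_cookie(value, key, max_age, now=None):
    """Return the payload, or None if the MAC fails or the cookie is older
    than max_age seconds. Nothing in the value is trusted before the MAC
    has been checked in constant time."""
    try:
        b_payload, ts, b_mac = value.split("|")
        given = b64u_decode(b_mac)
        expected = hmac.new(key, (b_payload + "|" + ts).encode("ascii"),
                            hashlib.sha256).digest()
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(expected, given):
        return None
    now = time.time() if now is None else now
    if not ts.isdigit() or now - int(ts) > max_age:
        return None
    return b64u_decode(b_payload).decode("utf-8")


# Constructed sample: an RSA JWK shaped like the one in the issue (placeholder
# values) and a freshly generated symmetric key for the cookie signer.
RSA_JWK_LIKE_ISSUE = {"kty": "RSA", "kid": "x", "n": "placeholder", "e": "AQAB", "d": "placeholder"}
OCT_JWK = new_oct_jwk(kid="cookie-sign-1")
T0 = 1566997014  # client_id_issued_at from the log above, used as a fixed clock


def demo():
    """Sign once; verify fresh, expired and tampered copies."""
    key = load_cookie_sign_key(OCT_JWK)
    cookie = sign_cookie("sid=abc123;client_id=eD4fg038iVSc", key, now=T0)
    fresh = verify_cookie(cookie, key, max_age=3600, now=T0 + 60)
    expired = verify_cookie(cookie, key, max_age=3600, now=T0 + 7200)
    tampered = verify_cookie("x" + cookie[1:], key, max_age=3600, now=T0 + 60)
    return fresh, expired, tampered


if __name__ == "__main__":
    print(demo())
```

The kty check in load_cookie_sign_key is the part that would have turned the AttributeError in this thread into a configuration error naming the file and the key type; the 0600 mode and O_EXCL in write_jwk keep the cookie key out of the public static directory and preserve an existing file, the same non-overwriting behaviour discussed above for init_key_jar's read_only default.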

peppelinux commented 5 years ago

I think it would be good if the following resource: https://github.com/rohe/ojou_course/blob/master/presentation/JWx.pdf

could be linked from the cryptojwt documentation. As it is, it's good enough for primers.