OpenID Provider framework for Sanic
Project description
This is a work in progress; call it alpha. If anyone finds it useful or wants to use it, please open an issue and I will happily fix it up so that it helps others too.
At last check it passed roughly 82 of the 93 OpenID Provider certification tests that appear when you tick webfinger, dynamic discovery and dynamic client registration and choose the code response type.
It is quite usable for the authorization code flow. It still needs a lot of re-architecting and cleanup, but I am working towards making it pluggable into backends such as DynamoDB or Redis for token and client storage.
Documentation and examples are coming soon.
Prerequisites
The package expects sanic_jinja2 and sanic_session to be installed and configured on the app.
Tests
As mentioned above, it passes most of the OpenID tests I have run against it. Below are the ones it does not pass yet.
Signing + encryption
Haven't yet worked out why userinfo encryption/signing does not work.
OP-IDToken-SigEnc
OP-UserInfo-SigEnc
OP-request_uri-SigEnc
Claims
Haven't gotten around to this part yet.
OP-claims-acr-essential
OP-claims-acr-voluntary
OP-claims-acr=1
Popup
Does not render in a popup.
OP-display-popup
Other request parameters
Not handled yet.
OP-Req-acr_values
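The acr tests above (OP-claims-acr-essential, OP-claims-acr-voluntary, OP-claims-acr=1 and OP-Req-acr_values) all come down to one rule from OpenID Connect Core sections 5.5.1.1 and 3.1.2.1: acr_values, and an acr entry in the claims parameter without "essential": true, are voluntary, so the OP simply reports the level it actually performed in the ID token; an essential acr whose requested values were not met must be treated as a failed authentication. The following is an added example of that rule in Python, not code from sanic_openid_connect_provider; the function and exception names, the urn:x:... levels and the sample request are my own.

```python
import json
from typing import List, Optional, Sequence, Tuple


class AcrNotSatisfied(Exception):
    """An essential acr request could not be met: the OP must treat this as a failed authentication."""


def parse_acr_request(claims_param: Optional[str], acr_values: Optional[str]) -> Tuple[bool, bool, List[str]]:
    """Return (acr_requested, essential, requested_values) from the 'claims' and 'acr_values' parameters.

    Values keep the RP's preference order: those inside 'claims' first, then acr_values.
    acr_values is voluntary by definition, so only 'claims' can make the request essential.
    """
    requested, essential, values = False, False, []
    if claims_param:
        try:
            claims = json.loads(claims_param)
        except ValueError as exc:
            raise ValueError("claims is not valid JSON (invalid_request)") from exc
        id_token_claims = claims.get("id_token") if isinstance(claims, dict) else None
        if isinstance(id_token_claims, dict) and "acr" in id_token_claims:
            requested = True
            spec = id_token_claims["acr"]  # JSON null means 'requested, no particular value'
            if isinstance(spec, dict):
                essential = spec.get("essential") is True
                if "value" in spec:
                    values.append(spec["value"])
                values.extend(spec.get("values", []))
    if acr_values:
        requested = True
        values.extend(v for v in acr_values.split(" ") if v)
    return requested, essential, values


def choose_acr_to_perform(requested_values: Sequence[str], supported: Sequence[str], default: str) -> str:
    """Before authenticating: the first requested level this OP can do, else its default level."""
    for level in requested_values:
        if level in supported:
            return level
    return default


def acr_claim_for_id_token(claims_param: Optional[str], acr_values: Optional[str], performed_acr: str) -> Optional[str]:
    """After authenticating: the acr value for the ID token, or None if acr was never requested."""
    requested, essential, values = parse_acr_request(claims_param, acr_values)
    if not requested:
        return None
    if values and performed_acr not in values:
        if essential:
            raise AcrNotSatisfied(f"performed {performed_acr!r}, essential request was {values!r}")
        # Voluntary request: report what actually happened and let the RP decide.
    return performed_acr


# Constructed request, modelled on the shape the OP-claims-acr-essential test sends (hypothetical levels).
SAMPLE_CLAIMS = json.dumps({"id_token": {"acr": {"essential": True, "values": ["urn:x:gold"]}}})
SUPPORTED_LEVELS = ["urn:x:gold", "urn:x:silver"]
```

The split into choose_acr_to_perform (before login) and acr_claim_for_id_token (when minting the token) matters: the OP-claims-acr=1 and acr_values cases only differ from the essential case in what happens when the performed level is not among the requested ones.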
Key rotation
Need some way to rotate keys.
OP-Rotation-OP-Enc
OP-Rotation-OP-Sig
OP-Rotation-RP-Enc
OP-Rotation-RP-Sig
Key creation
RSA key (genrsa writes an unencrypted key unless you pass a cipher flag such as -aes256; -nodes is an openssl req option and genrsa rejects it)
openssl genrsa -out rsa.pem 4096
ECDSA key
openssl ecparam -name prime256v1 -genkey -noout -out ec.pem
openssl ec -in ec.pem -pubout -out ec.pub
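For the rotation tests listed above (OP-Rotation-OP-Sig and friends) the OP has to start signing with a new key while still publishing the retired key at jwks_uri long enough for RPs to verify tokens issued just before the switch, and everyone selects keys by kid. The following is an added example of that lifecycle for ES256 keys like the prime256v1 key created above; it is not code from sanic_openid_connect_provider. The SigningKeyRing class and the grace-period policy are my own, each key gets its RFC 7638 thumbprint as kid, and the pure-Python P-256 arithmetic is included only so the example runs without openssl or a crypto library; it is not constant-time and not for production key generation.

```python
import base64
import hashlib
import json
import secrets
import time
from typing import Dict, List, Optional

# NIST P-256 domain parameters (FIPS 186-4 D.1.2.3); y^2 = x^3 - 3x + b over GF(p).
# Illustration-only arithmetic: generate real keys with openssl or a vetted library.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P256_P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return x3, (lam * (x1 - x3) - y1) % P256_P

def ec_mul(k, p):
    """Double-and-add scalar multiplication (not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, p)
        p = ec_add(p, p)
        k >>= 1
    return acc

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required public members, sorted keys, no whitespace."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    return b64url(hashlib.sha256(json.dumps(required, sort_keys=True, separators=(",", ":")).encode()).digest())

def generate_es256_jwk() -> Dict[str, str]:
    """Fresh P-256 private JWK; using the thumbprint as kid makes kids stable and collision-free."""
    d = 1 + secrets.randbelow(P256_N - 1)
    x, y = ec_mul(d, P256_G)
    jwk = {"kty": "EC", "crv": "P-256", "use": "sig", "alg": "ES256",
           "x": b64url(x.to_bytes(32, "big")), "y": b64url(y.to_bytes(32, "big")),
           "d": b64url(d.to_bytes(32, "big"))}
    jwk["kid"] = jwk_thumbprint(jwk)
    return jwk

class SigningKeyRing:
    """Newest key signs; retired keys stay published for grace_seconds so tokens issued just before
    a rotation, and RPs holding a cached JWKS, still verify. `now` is injectable for tests."""

    def __init__(self, grace_seconds: int = 24 * 3600, now: Optional[float] = None):
        self.grace_seconds = grace_seconds
        self._keys: List[Dict[str, str]] = []    # private JWKs, newest first
        self._retired_at: Dict[str, float] = {}  # kid -> time it stopped signing
        self.rotate(now)

    def rotate(self, now: Optional[float] = None) -> str:
        """Sign with a fresh key from now on and return its kid; the old key is retired, not deleted."""
        now = time.time() if now is None else now
        if self._keys:
            self._retired_at[self._keys[0]["kid"]] = now
        self._keys.insert(0, generate_es256_jwk())
        self._prune(now)
        return self._keys[0]["kid"]

    def _prune(self, now: float) -> None:
        def live(jwk):
            retired = self._retired_at.get(jwk["kid"])
            return retired is None or now - retired < self.grace_seconds
        self._keys = [k for k in self._keys if live(k)]

    def signing_key(self) -> Dict[str, str]:
        return self._keys[0]

    def jwks(self, now: Optional[float] = None) -> Dict[str, List[Dict[str, str]]]:
        self._prune(time.time() if now is None else now)  # document served at jwks_uri: never 'd'
        return {"keys": [{k: v for k, v in jwk.items() if k != "d"} for jwk in self._keys]}

    def verification_key(self, kid: str, now: Optional[float] = None) -> Optional[Dict[str, str]]:
        self._prune(time.time() if now is None else now)  # lookup by the JOSE header kid
        return next(({k: v for k, v in j.items() if k != "d"} for j in self._keys if j["kid"] == kid), None)
```

Serve ring.jwks() from jwks_uri out of the same state that ring.signing_key() comes from, and put the signing key's kid in every JWS header; since a kid is retired before it disappears, an RP that refetches the JWKS on an unknown kid never hits a gap, and a grace period at least as long as your longest token lifetime means no valid token outlives its verification key.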
OpenID Connect Node example
app.js
/*
 *
 * Note: This example is a "full" example that registers a new client with the OIDC server each time. This returns a client ID and secret.
 * In reality, you should only register once per service and then save the client information for future use.
 * I would advise using this script to register your client and test it - It will console.log the ID and secret which you can then hardcode:
 * https://github.com/panva/node-openid-client#manually-recommended
 *
 * In production, I import a modified version of this script with promise support. Make sure it's finished discovery before defining your
 * error handlers!
 */
//******* Config
const config = {
  /* jshint ignore:start */
  // Server we're going to auth with
  authServer: "https://authserver",
  // Initial access token provided by the OP admin for dynamic registration - it is a secret, so keep it out of source control
  initialAccessToken: "dcb89d4c-fec4-11e8-8eb2-f2801f1b9fd1",
  // Listen port
  port: 3000,
  // All the settings required to register our client
  registration: {
    // IDP prefers ES256 (ECDSA over P-256) signatures on the ID token - a signing algorithm, not encryption
    id_token_signed_response_alg: 'ES256',
    // Array of all potential redirect URIs - the OP must refuse any redirect_uri that is not in this list
    redirect_uris: ["http://127.0.0.1:3000/callback", "http://127.0.0.1/callback"],
    // String space-delimited list of all potentially required scopes
    scope: "openid email profile",
    grant_types: ['authorization_code'],
    application_type: 'web',
    // Name of client - For reference only
    client_name: 'Some client',
    subject_type: 'public',
    response_types: ["code"]
  },
  auth: {
    // URI the IDP redirects to after authentication - Must be in the array above
    redirect_uri: "http://127.0.0.1:3000/callback",
    // Scopes we want for authentication
    scope: "openid email profile",
    id_token_signed_response_alg: 'ES256'
  }
  /* jshint ignore:end */
};
//******* End Config
const { Issuer, Strategy } = require('openid-client');
const session = require('express-session');
const express = require('express');
const passport = require('passport');
const app = express();
// Set up Express sessions in memory - Please don't do this in production, use a shared session store
// so we can load balance, and take the secret from configuration rather than hardcoding it.
app.use(session({
  secret: 'asupersecretpassword',
  resave: true,
  saveUninitialized: true
}));
// Make sure to initialise before we start discovery
app.use(passport.initialize());
app.use(passport.session());
// Discover settings from the OID server, then register (or load) the client
Issuer.discover(config.authServer)
  .then(customIssuer => {
    const opts = { initialAccessToken: config.initialAccessToken };
    const metadata = config.registration;
    // You only need to do client registration once (ever) - You should do it during development and then hardcode the client id and secret
    // Below is an example of a hardcoded client, rather than a client that registers each time
    // See more in the docs: https://github.com/panva/node-openid-client#manually-recommended
    // const client = new customIssuer.Client({
    //   client_id: '83fc3323d3c045a4',
    //   client_secret: '7f9b5e1721a244c989d011839595b766',
    //   id_token_signed_response_alg: 'ES256'
    // });
    return customIssuer.Client.register(metadata, opts);
  })
  .then(client => {
    console.log("!!!!! Save this information for re-use later! !!!!!");
    console.log("Client ID: " + client.client_id);
    console.log("Client Secret: " + client.client_secret);
    console.log("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
    console.log("Metadata: " + JSON.stringify(client.metadata, null, 2));
    const params = config.auth;
    // Setting up our strategy + verify function. PKCE is off here; set usePKCE: true to send a code_verifier once the OP supports it.
    passport.use('oidc', new Strategy({ client, params, usePKCE: false }, (tokenset, userinfo, done) => {
      return done(null, userinfo);
    }));
    passport.serializeUser((user, done) => {
      // This is where you'd get any extra locally-stored data from the database or something for accessing in req.user
      done(null, user);
    });
    passport.deserializeUser((user, done) => {
      done(null, user);
    });
    // GET /login will start authentication
    app.get('/login', passport.authenticate('oidc'));
    // GET /callback redirected from IDP with code (the strategy checks state and nonce, exchanges the code and validates the ID token)
    app.get('/callback', passport.authenticate('oidc', {
      successRedirect: '/',
      failureRedirect: '/login'
    }));
    // Force every other request to check if user is authed, if not then redirect to /login and start auth
    app.use((req, res, next) => {
      if (!req.user) {
        res.redirect('/login');
      } else {
        next();
      }
    });
    // Example authenticated endpoint
    app.get('/', (req, res) => {
      console.log(`User ${req.user.name} has logged in.`);
      res.send(req.user);
    });
    app.listen(config.port, () => console.log(`Example app listening on port ${config.port}!`));
  })
  .catch(err => {
    // Without discovery and a registered client there is no strategy to serve, so fail loudly instead of starting
    console.error('OIDC discovery/registration failed:', err);
    process.exit(1);
  });
package.json
app.js requires openid-client (which ships the passport Strategy used above), so that, not passport-openid-connect, is the dependency to declare:
{
  "name": "openidtest",
  "version": "1.0.0",
  "description": "",
  "main": "app.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "express": "^4.16.4",
    "express-session": "^1.15.6",
    "openid-client": "^2.4.0",
    "passport": "^0.4.0"
  }
}
Project details
Hashes for sanic_openid_connect_provider-0.9.0.tar.gz
Algorithm | Hash digest
---|---
SHA256 | 5c25df70259ff096ce5f54a5b35fb1b1f2d01a012af3578b14a082157f93d4a8
MD5 | ed2282cdcd49af3f23751089ed301cc6
BLAKE2b-256 | 85cefa5a34bf4fc4eabb12e1a083df6cb0e1f964aa4bd977d03b82cfde8ce763
Hashes for sanic_openid_connect_provider-0.9.0-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | b010f33825641dfffea2c6b32bdcd96ba57fb9ebbdf7b5c216b84bc3f3f82ccb
MD5 | e30447dcd90d4e735f6489ecdcf2875e
BLAKE2b-256 | 3a3446a5ee54e8e545591330ea77c1015ac76be14de8c7e5c1ff03942be8710c