* Peter Schober <peter.schober at univie.ac.at> [2020-03-30 21:29]:
> And looking at _create_provider() at frontends/openid_connect.py the
> code would use the file referenced by client_db_path if db_uri isn't set
> [...]
> Could someone share a json sample to put into the file referenced by
> client_db_path (if that's how it's supposed to work)?
For posterity:
insert_client_in_client_db() from one of the tests
https://github.com/IdentityPython/SATOSA/blob/master/tests/satosa/frontends…
provided useful input. At least I got satosa to load the client from
the configured file in client_db_path (in
plugins/frontends/openid_connect_frontend.yaml) with this JSON:
{
  "someClientId": {
    "response_types": [
      "code"
    ],
    "redirect_uris": [
      "https://some.example.org/auth/callback"
    ],
    "client_secret": "someClientSecret"
  }
}
After a restart of the application server (satosa doesn't seem to pick
up the changes in the client_db otherwise) triggering a login at the
OIDC-enabled application now gets me to:
"Requesting provider: someClientId"
and that in turn triggers a SAML authn request and someone establishes
the missing state that seemingly caused the "Unkown error" I was
asking about in another thread (with no answers), then SAML WebSSO
completes, attributes are being mapped and I am back at "Routing to
frontend: oidc". So far so good.
Of course things still fail with yet another exception:
pyop.exceptions.InvalidAuthorizationCode: eff...cd79 unknown
AFAICT here's the flow, starting with creating that authz code:
[pyop.authz_state.create_authorization_code] creating authz code for scope=openid email profile
[pyop.authz_state.create_authorization_code] new authz_code=eff...cd79 to client_id=someClientId for sub=someid at example.org valid_until=1585612419
...
[satosa.proxy_server.unpack_request] read request data: {'grant_type': 'authorization_code', 'code': 'eff...cd79', 'redirect_uri': 'https://some.example.org/auth/callback'}
...
[pyop.client_authentication.verify_client_authentication] client authentication in Authorization header Basic base64-encoded-client_id_colon_client_secret
[satosa.frontends.openid_connect.token_endpoint] invalid request: eff...cd79 unknown
Traceback (most recent call last):
  File "/usr/local/venv/SATOSA/lib/python3.7/site-packages/satosa/frontends/openid_connect.py", line 363, in token_endpoint
    response = self.provider.handle_token_request(urlencode(context.request), headers)
  File "/usr/local/venv/SATOSA/lib/python3.7/site-packages/pyop/provider.py", line 324, in handle_token_request
    return self._do_code_exchange(token_request, extra_id_token_claims)
  File "/usr/local/venv/SATOSA/lib/python3.7/site-packages/pyop/provider.py", line 352, in _do_code_exchange
    authentication_request = self.authz_state.get_authorization_request_for_code(token_request['code'])
  File "/usr/local/venv/SATOSA/lib/python3.7/site-packages/pyop/authz_state.py", line 320, in get_authorization_request_for_code
    raise InvalidAuthorizationCode('{} unknown'.format(authorization_code))
pyop.exceptions.InvalidAuthorizationCode: eff...cd79 unknown
I'd have to know something about oidc in order to know where to even
look at how the authz code created above is now unknown and what could
have failed there.
Again, feel free to jump in with responses at any time.
-peter
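As an added illustration (not the poster's code, and not SATOSA's or pyop's own implementation), the following shows the two pieces involved in the failure above in a self-contained form: a loader that checks the client_db JSON shape from the post (client id mapping to response_types, redirect_uris and client_secret) and validates an authorization request against it, and a hypothetical in-memory authorization-code store with the binding, expiry and one-time-use checks a token endpoint performs. The `demo_split_state()` function issues a code in one store instance and redeems it in another; the "unknown" outcome it produces is one way a just-created code can be rejected, namely when the authorization endpoint and the token endpoint do not share the state the code was written to (for instance across separate worker processes or a restart). Whether that is the cause in the poster's deployment is an assumption, not something the thread establishes.

```python
import json
import secrets
import time

# Constructed sample in the client_db shape shown in the post (not a real client).
CLIENT_DB_JSON = """
{
  "someClientId": {
    "response_types": ["code"],
    "redirect_uris": ["https://some.example.org/auth/callback"],
    "client_secret": "someClientSecret"
  }
}
"""

REQUIRED_KEYS = ("response_types", "redirect_uris", "client_secret")


def load_client_db(text):
    """Parse client_db JSON and reject entries missing the keys the frontend needs."""
    db = json.loads(text)
    for client_id, entry in db.items():
        for key in REQUIRED_KEYS:
            if key not in entry:
                raise ValueError(f"client {client_id!r} lacks {key!r}")
    return db


def validate_authz_request(db, client_id, redirect_uri, response_type):
    """Exact-match checks an authorization endpoint applies before issuing a code."""
    client = db.get(client_id)
    if client is None:
        return False, "unknown client"
    if redirect_uri not in client["redirect_uris"]:
        return False, "redirect_uri not registered"
    if response_type not in client["response_types"]:
        return False, "response_type not allowed"
    return True, "ok"


class AuthzCodeStore:
    """Hypothetical per-process store of issued codes (assumption: not shared)."""

    def __init__(self, lifetime_s=600, clock=time.time):
        self._codes = {}
        self.lifetime_s = lifetime_s
        self.clock = clock

    def create(self, client_id, sub, redirect_uri):
        code = secrets.token_hex(16)
        self._codes[code] = {
            "client_id": client_id,
            "sub": sub,
            "redirect_uri": redirect_uri,
            "valid_until": self.clock() + self.lifetime_s,
            "used": False,
        }
        return code

    def exchange(self, code, client_id, redirect_uri):
        """Redeem a code once; mirrors the checks behind an 'unknown' style error."""
        rec = self._codes.get(code)
        if rec is None:
            raise KeyError(f"{code[:3]}...{code[-4:]} unknown")
        if rec["used"]:
            raise PermissionError("code already used")
        if self.clock() > rec["valid_until"]:
            raise PermissionError("code expired")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("code bound to a different client or redirect_uri")
        rec["used"] = True
        return rec["sub"]


def demo_split_state():
    """Issue in one store, redeem in another: the code is 'unknown' to the second."""
    db = load_client_db(CLIENT_DB_JSON)
    ok, _ = validate_authz_request(
        db, "someClientId", "https://some.example.org/auth/callback", "code"
    )
    assert ok
    worker_a = AuthzCodeStore()
    worker_b = AuthzCodeStore()
    code = worker_a.create(
        "someClientId", "someid@example.org", "https://some.example.org/auth/callback"
    )
    try:
        worker_b.exchange(code, "someClientId", "https://some.example.org/auth/callback")
    except KeyError:
        return "unknown"
    return "ok"


if __name__ == "__main__":
    print(demo_split_state())
```

The practical check this suggests for a deployment like the one in the post is whether the process that logged "new authz_code=..." is the same one (or shares a backing store with the one) that later handled the token request.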