[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [gnunet] 41/45: -changes for using token endpoint & added t
|
From: |
gnunet |
|
Subject: |
[GNUnet-SVN] [gnunet] 41/45: -changes for using token endpoint & added token endpoint |
|
Date: |
Sun, 25 Feb 2018 16:25:45 +0100 |
This is an automated email from the git hooks/post-receive script.
martin-schanzenbach pushed a commit to branch master
in repository gnunet.
commit ddbd4e85b1128d2547d551b885eef01bfab5046d
Author: Phil <address@hidden>
AuthorDate: Mon Feb 5 13:58:16 2018 +0100
-changes for using token endpoint & added token endpoint
---
src/identity-attribute/identity_attribute.c | 28 ++
src/identity-provider/jwt.c | 31 +-
src/identity-provider/jwt.h | 9 +
.../plugin_rest_identity_provider.c | 449 +++++++++------------
src/identity-provider/test_idp.conf | 5 +-
src/include/gnunet_identity_attribute_lib.h | 6 +
6 files changed, 254 insertions(+), 274 deletions(-)
diff --git a/src/identity-attribute/identity_attribute.c
b/src/identity-attribute/identity_attribute.c
index cf50d058e..0111668fe 100644
--- a/src/identity-attribute/identity_attribute.c
+++ b/src/identity-attribute/identity_attribute.c
@@ -240,6 +240,34 @@ GNUNET_IDENTITY_ATTRIBUTE_claim_new (const char* attr_name,
return attr;
}
+/**
+ * Add a new claim list entry.
+ *
+ * @param claim_list the attribute name
+ * @param attr_name the attribute name
+ * @param type the attribute type
+ * @param data the attribute value
+ * @param data_size the attribute value size
+ * @return
+ */
+void
+GNUNET_IDENTITY_ATTRIBUTE_list_add (struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList
*claim_list,
+ const char* attr_name,
+ uint32_t type,
+ const void* data,
+ size_t data_size)
+{
+ struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry *le;
+ le = GNUNET_new (struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry);
+ le->claim = GNUNET_IDENTITY_ATTRIBUTE_claim_new (attr_name,
+ type,
+ data,
+ data_size);
+ GNUNET_CONTAINER_DLL_insert (claim_list->list_head,
+ claim_list->list_tail,
+ le);
+}
+
size_t
GNUNET_IDENTITY_ATTRIBUTE_list_serialize_get_size (const struct
GNUNET_IDENTITY_ATTRIBUTE_ClaimList *attrs)
{
diff --git a/src/identity-provider/jwt.c b/src/identity-provider/jwt.c
index 2f1e3240b..02a920f14 100644
--- a/src/identity-provider/jwt.c
+++ b/src/identity-provider/jwt.c
@@ -39,6 +39,8 @@
#define JWT_TYP_VALUE "jwt"
+#define SERVER_ADDRESS "https://localhost";
+
static char*
create_jwt_header(void)
{
@@ -57,22 +59,22 @@ create_jwt_header(void)
/**
* Create a JWT from attributes
*
- * @param sub_key the public of the subject
+ * @param aud_key the public of the subject
* @param attrs the attribute list
* @param priv_key the key used to sign the JWT
* @return a new base64-encoded JWT string.
*/
char*
-jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *sub_key,
+jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
const struct
GNUNET_IDENTITY_ATTRIBUTE_ClaimList *attrs,
const struct
GNUNET_CRYPTO_EcdsaPrivateKey *priv_key)
{
struct GNUNET_IDENTITY_ATTRIBUTE_ClaimListEntry *le;
- struct GNUNET_CRYPTO_EcdsaPublicKey iss_key;
+ struct GNUNET_CRYPTO_EcdsaPublicKey sub_key;
struct GNUNET_CRYPTO_EcdsaSignature signature;
struct GNUNET_CRYPTO_EccSignaturePurpose *purpose;
char* audience;
- char* issuer;
+ char* subject;
char* header;
char* padding;
char* body_str;
@@ -84,20 +86,29 @@ jwt_create_from_list (const struct
GNUNET_CRYPTO_EcdsaPublicKey *sub_key,
char* attr_val_str;
json_t* body;
- GNUNET_CRYPTO_ecdsa_key_get_public (priv_key, &iss_key);
+ //exp REQUIRED time expired from config
+ //iat REQUIRED time now
+ //auth_time only if max_age
+ //nonce only if nonce
+ // OPTIONAL acr,amr,azp
+ GNUNET_CRYPTO_ecdsa_key_get_public (priv_key, &sub_key);
/* TODO maybe we should use a local identity here */
- issuer = GNUNET_STRINGS_data_to_string_alloc (&iss_key,
+ subject = GNUNET_STRINGS_data_to_string_alloc (&sub_key,
sizeof (struct
GNUNET_CRYPTO_EcdsaPublicKey));
- audience = GNUNET_STRINGS_data_to_string_alloc (sub_key,
+ audience = GNUNET_STRINGS_data_to_string_alloc (aud_key,
sizeof (struct
GNUNET_CRYPTO_EcdsaPublicKey));
header = create_jwt_header ();
body = json_object ();
/* TODO who is the issuer? local IdP or subject ? See self-issued tokens? */
+ //iss REQUIRED case sensitive server uri with https
+ //TODO change server address
json_object_set_new (body,
- "iss", json_string (issuer));
+ "iss", json_string (SERVER_ADDRESS));
+ //sub REQUIRED public key identity, not exceed 255 ASCII length
json_object_set_new (body,
- "sub", json_string (issuer));
+ "sub", json_string (subject));
/* TODO what should be in here exactly? */
+ //aud REQUIRED public key client_id must be there
json_object_set_new (body,
"aud", json_string (audience));
for (le = attrs->list_head; NULL != le; le = le->next)
@@ -135,7 +146,7 @@ jwt_create_from_list (const struct
GNUNET_CRYPTO_EcdsaPublicKey *sub_key,
while (NULL != padding)
padding = strtok(NULL, "=");
- GNUNET_free (issuer);
+ GNUNET_free (subject);
GNUNET_free (audience);
/**
diff --git a/src/identity-provider/jwt.h b/src/identity-provider/jwt.h
new file mode 100644
index 000000000..072958973
--- /dev/null
+++ b/src/identity-provider/jwt.h
@@ -0,0 +1,9 @@
+#ifndef JWT_H
+#define JWT_H
+
+char*
+jwt_create_from_list (const struct GNUNET_CRYPTO_EcdsaPublicKey *aud_key,
+ const struct
GNUNET_IDENTITY_ATTRIBUTE_ClaimList *attrs,
+ const struct
GNUNET_CRYPTO_EcdsaPrivateKey *priv_key);
+
+#endif
diff --git a/src/identity-provider/plugin_rest_identity_provider.c
b/src/identity-provider/plugin_rest_identity_provider.c
index 119476bb9..a0adf1b38 100644
--- a/src/identity-provider/plugin_rest_identity_provider.c
+++ b/src/identity-provider/plugin_rest_identity_provider.c
@@ -39,6 +39,7 @@
#include "gnunet_signatures.h"
#include "gnunet_identity_attribute_lib.h"
#include "gnunet_identity_provider_service.h"
+#include "jwt.h"
/**
* REST root namespace
@@ -226,7 +227,6 @@ struct OIDC_Variables
char *login_identity;
- json_t *post_object;
};
/**
@@ -439,8 +439,6 @@ cleanup_handle (struct RequestHandle *handle)
GNUNET_free(handle->oidc->scope);
if (NULL != handle->oidc->state)
GNUNET_free(handle->oidc->state);
- if (NULL != handle->oidc->post_object)
- json_decref(handle->oidc->post_object);
GNUNET_free(handle->oidc);
}
if ( NULL != handle->attr_list )
@@ -501,6 +499,7 @@ do_error (void *cls)
handle->response_code = MHD_HTTP_BAD_REQUEST;
}
resp = GNUNET_REST_create_response (json_error);
+ MHD_add_response_header (resp, "Content-Type", "application/json");
handle->proc (handle->proc_cls, resp, handle->response_code);
GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle);
GNUNET_free (json_error);
@@ -1346,37 +1345,40 @@ oidc_ticket_issue_cb (void* cls,
{
struct RequestHandle *handle = cls;
struct MHD_Response *resp;
- struct GNUNET_HashCode cache_key;
- char* ticket_str;
- char* redirect_uri;
- char* jwt;
+ char *ticket_str;
+ char *redirect_uri;
+ char *code_json_string;
+ char *code_base64_final_string;
handle->idp_op = NULL;
resp = GNUNET_REST_create_response ("");
if (NULL != ticket) {
ticket_str = GNUNET_STRINGS_data_to_string_alloc (ticket,
sizeof (struct
GNUNET_IDENTITY_PROVIDER_Ticket));
-
- //TODO Check if this is right:
-// GNUNET_CRYPTO_hash (ticket_str, strlen (ticket_str), &cache_key);
-// jwt = jwt_create_from_list (handle->oidc->client_pkey,
-// handle->attr_list,
-// handle->priv_key);
-// //TODO Check success of function
-// GNUNET_CONTAINER_multihashmap_put (
-// OIDC_identity_grants, &cache_key, jwt,
-// GNUNET_CONTAINER_MULTIHASHMAPOPTION_MULTIPLE);
-
+// json_t *object=json_object();
+// json_object_set_new(object,"ticket",json_string(ticket_str));
+// if(NULL != handle->oidc->nonce)
+// {
+// json_object_set_new(object,"nonce",json_string(handle->oidc->nonce));
+// }
+ GNUNET_asprintf (&code_json_string, "{\"ticket\":\"%s\"%s%s%s}",
+ ticket_str,
+ (NULL != handle->oidc->nonce) ? ", \"nonce\":\"" : "",
+ (NULL != handle->oidc->nonce) ? handle->oidc->nonce : "",
+ (NULL != handle->oidc->nonce) ? "\"" : "");
+
GNUNET_STRINGS_base64_encode(code_json_string,strlen(code_json_string),&code_base64_final_string);
GNUNET_asprintf (&redirect_uri, "%s?%s=%s&state=%s",
handle->oidc->redirect_uri,
handle->oidc->response_type,
- ticket_str, handle->oidc->state);
+ code_base64_final_string, handle->oidc->state);
MHD_add_response_header (resp, "Location", redirect_uri);
handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle);
GNUNET_free (redirect_uri);
GNUNET_free (ticket_str);
+ GNUNET_free (code_json_string);
+ GNUNET_free (code_base64_final_string);
return;
}
handle->emsg = GNUNET_strdup("server_error");
@@ -1578,7 +1580,7 @@ namestore_iteration_callback (
*
* @param cls the `struct RequestHandle`
*/
-static void namestore_iteration_finished_GET (void *cls)
+static void namestore_iteration_finished (void *cls)
{
struct RequestHandle *handle = cls;
struct GNUNET_HashCode cache_key;
@@ -1596,7 +1598,7 @@ static void namestore_iteration_finished_GET (void *cls)
handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key
(handle->ego_entry->ego);
handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start
(handle->namestore_handle, &handle->priv_key,
&oidc_iteration_error, handle,
&namestore_iteration_callback, handle,
- &namestore_iteration_finished_GET,
handle);
+ &namestore_iteration_finished,
handle);
return;
}
if (GNUNET_NO == handle->oidc->is_client_trusted)
@@ -1735,14 +1737,14 @@ static void namestore_iteration_finished_GET (void *cls)
}
/**
- * Responds to authorization GET request
+ * Responds to authorization GET and url-encoded POST request
*
* @param con_handle the connection handle
* @param url the url
* @param cls the RequestHandle
*/
static void
-authorize_GET_cont (struct GNUNET_REST_RequestHandle *con_handle,
+authorize_cont (struct GNUNET_REST_RequestHandle *con_handle,
const char* url,
void *cls)
{
@@ -1808,233 +1810,9 @@ authorize_GET_cont (struct GNUNET_REST_RequestHandle
*con_handle,
handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start (
handle->namestore_handle, &handle->priv_key, &oidc_iteration_error,
handle, &namestore_iteration_callback, handle,
- &namestore_iteration_finished_GET, handle);
+ &namestore_iteration_finished, handle);
}
-///**
-// * Iteration over all results finished, build final
-// * response.
-// *
-// * @param cls the `struct RequestHandle`
-// */
-//static void namestore_iteration_finished_POST (void *cls)
-//{
-// struct RequestHandle *handle = cls;
-// json_t *cache_object;
-// char *expected_redirect_uri;
-// char *expected_scope;
-// char delimiter[]=" ";
-// int number_of_ignored_parameter, iterator;
-//
-//
-// handle->ego_entry = handle->ego_entry->next;
-//
-// if(NULL != handle->ego_entry){
-// handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key
(handle->ego_entry->ego);
-// handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start
(handle->namestore_handle, &handle->priv_key,
-// &oidc_iteration_error, handle,
&namestore_iteration_callback, handle,
-// &namestore_iteration_finished_POST,
handle);
-// return;
-// }
-// if (GNUNET_YES != handle->oidc->is_client_trusted)
-// {
-// handle->emsg = GNUNET_strdup("unauthorized_client");
-// handle->edesc = GNUNET_strdup("The client is not authorized to request
an "
-// "authorization code using this method.");
-// GNUNET_SCHEDULER_add_now (&do_error, handle);
-// return;
-// }
-//
-// // REQUIRED value: redirect_uri
-// cache_object = json_object_get (handle->oidc->post_object,
OIDC_REDIRECT_URI_KEY);
-// if ( NULL == cache_object || !json_is_string(cache_object) )
-// {
-// handle->emsg=GNUNET_strdup("invalid_request");
-// handle->edesc=GNUNET_strdup("missing parameter redirect_uri");
-// GNUNET_SCHEDULER_add_now (&do_error, handle);
-// return;
-// }
-// handle->oidc->redirect_uri = json_string_value (cache_object);
-//
-// GNUNET_asprintf (&expected_redirect_uri, "https://%s.zkey";,
handle->oidc->client_id);
-// // verify the redirect uri matches https://<client_id>.zkey[/xyz]
-// if( 0 != strncmp( expected_redirect_uri, handle->oidc->redirect_uri,
strlen(expected_redirect_uri)) )
-// {
-// handle->emsg=GNUNET_strdup("invalid_request");
-// handle->edesc=GNUNET_strdup("Invalid redirect_uri");
-// GNUNET_SCHEDULER_add_now (&do_error, handle);
-// GNUNET_free(expected_redirect_uri);
-// return;
-// }
-// handle->oidc->redirect_uri = GNUNET_strdup(handle->oidc->redirect_uri);
-// GNUNET_free(expected_redirect_uri);
-//
-// // REQUIRED value: response_type
-// cache_object = json_object_get (handle->oidc->post_object,
OIDC_RESPONSE_TYPE_KEY);
-// if ( NULL == cache_object || !json_is_string(cache_object) )
-// {
-// handle->emsg=GNUNET_strdup("invalid_request");
-// handle->edesc=GNUNET_strdup("missing parameter response_type");
-// GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
-// return;
-// }
-// handle->oidc->response_type = json_string_value (cache_object);
-// handle->oidc->response_type = GNUNET_strdup (handle->oidc->response_type);
-//
-// // REQUIRED value: scope
-// cache_object = json_object_get (handle->oidc->post_object, OIDC_SCOPE_KEY);
-// if ( NULL == cache_object || !json_is_string(cache_object) )
-// {
-// handle->emsg=GNUNET_strdup("invalid_request");
-// handle->edesc=GNUNET_strdup("missing parameter scope");
-// GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
-// return;
-// }
-// handle->oidc->scope = json_string_value (cache_object);
-// handle->oidc->scope = GNUNET_strdup(handle->oidc->scope);
-//
-// //OPTIONAL value: nonce
-// cache_object = json_object_get (handle->oidc->post_object, OIDC_NONCE_KEY);
-// if ( NULL != cache_object && json_is_string(cache_object) )
-// {
-// handle->oidc->nonce = json_string_value (cache_object);
-// //TODO: what do we do with the nonce?
-// handle->oidc->nonce = GNUNET_strdup (handle->oidc->nonce);
-// }
-//
-// //TODO check other values and use them accordingly
-// number_of_ignored_parameter = sizeof(OIDC_ignored_parameter_array) /
sizeof(char *);
-// for( iterator = 0; iterator < number_of_ignored_parameter; iterator++ )
-// {
-// cache_object = json_object_get (handle->oidc->post_object,
OIDC_ignored_parameter_array[iterator]);
-// if( NULL != cache_object && json_is_string(cache_object) )
-// {
-// handle->emsg=GNUNET_strdup("access_denied");
-// GNUNET_asprintf (&handle->edesc, "Server will not handle parameter:
%s",
-// OIDC_ignored_parameter_array[iterator]);
-// GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
-// return;
-// }
-// }
-//
-// // Checks if response_type is 'code'
-// if( 0 != strcmp( handle->oidc->response_type,
OIDC_EXPECTED_AUTHORIZATION_RESPONSE_TYPE ) )
-// {
-// handle->emsg=GNUNET_strdup("unsupported_response_type");
-// handle->edesc=GNUNET_strdup("The authorization server does not support "
-// "obtaining this authorization code.");
-// GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
-// return;
-// }
-//
-// // Checks if scope contains 'openid'
-// expected_scope = GNUNET_strdup(handle->oidc->scope);
-// expected_scope = strtok (expected_scope, delimiter);
-// while (NULL != expected_scope)
-// {
-// if ( 0 == strcmp (OIDC_EXPECTED_AUTHORIZATION_SCOPE, expected_scope) )
-// {
-// break;
-// }
-// expected_scope = strtok (NULL, delimiter);
-// }
-// if (NULL == expected_scope)
-// {
-// handle->emsg = GNUNET_strdup("invalid_scope");
-// handle->edesc=GNUNET_strdup("The requested scope is invalid, unknown, or
"
-// "malformed.");
-// GNUNET_SCHEDULER_add_now (&do_redirect_error, handle);
-// return;
-// }
-//
-// GNUNET_free(expected_scope);
-//
-// if( NULL != handle->oidc->login_identity )
-// {
-// GNUNET_SCHEDULER_add_now(&login_check,handle);
-// return;
-// }
-//
-// GNUNET_SCHEDULER_add_now(&login_redirection,handle);
-//}
-//
-//
-///**
-// * Responds to authorization POST request
-// *
-// * @param con_handle the connection handle
-// * @param url the url
-// * @param cls the RequestHandle
-// */
-//static void
-//authorize_POST_cont (struct GNUNET_REST_RequestHandle *con_handle,
-// const char* url,
-// void *cls)
-//{
-// struct RequestHandle *handle = cls;
-// json_t *cache_object;
-// json_error_t error;
-// handle->oidc->post_object = json_loads (handle->rest_handle->data, 0,
&error);
-//
-// //gets identity of login try with cookie
-// cookie_identity_interpretation(handle);
-//
-// //RECOMMENDED value: state - REQUIRED for answers
-// cache_object = json_object_get (handle->oidc->post_object, OIDC_STATE_KEY);
-// if ( NULL != cache_object && json_is_string(cache_object) )
-// {
-// handle->oidc->state = json_string_value (cache_object);
-// handle->oidc->state = GNUNET_strdup(handle->oidc->state);
-// }
-//
-// // REQUIRED value: client_id
-// cache_object = json_object_get (handle->oidc->post_object,
-// OIDC_CLIENT_ID_KEY);
-// if ( NULL == cache_object || !json_is_string(cache_object) )
-// {
-// handle->emsg = GNUNET_strdup("invalid_request");
-// handle->edesc = GNUNET_strdup("missing parameter client_id");
-// handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
-// GNUNET_SCHEDULER_add_now (&do_error, handle);
-// return;
-// }
-// handle->oidc->client_id = json_string_value (cache_object);
-// handle->oidc->client_id = GNUNET_strdup(handle->oidc->client_id);
-//
-// if ( GNUNET_OK
-// != GNUNET_CRYPTO_ecdsa_public_key_from_string (
-// handle->oidc->client_id, strlen (handle->oidc->client_id),
-// &handle->oidc->client_pkey) )
-// {
-// handle->emsg = GNUNET_strdup("unauthorized_client");
-// handle->edesc = GNUNET_strdup("The client is not authorized to request
an "
-// "authorization code using this method.");
-// handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
-// GNUNET_SCHEDULER_add_now (&do_error, handle);
-// return;
-// }
-//
-// if ( NULL == handle->ego_head )
-// {
-// //TODO throw error or ignore if egos are missing?
-// handle->emsg = GNUNET_strdup("server_error");
-// handle->edesc = GNUNET_strdup ("Egos are missing");
-// handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
-// GNUNET_SCHEDULER_add_now (&do_error, handle);
-// return;
-// }
-//
-// handle->ego_entry = handle->ego_head;
-// handle->priv_key = *GNUNET_IDENTITY_ego_get_private_key
(handle->ego_head->ego);
-// handle->oidc->is_client_trusted = GNUNET_NO;
-//
-// // Checks if client_id is valid:
-// handle->namestore_handle_it = GNUNET_NAMESTORE_zone_iteration_start (
-// handle->namestore_handle, &handle->priv_key, &oidc_iteration_error,
-// handle, &namestore_iteration_callback, handle,
-// &namestore_iteration_finished_POST, handle);
-//}
-
/**
* Combines an identity with a login time and responds OK to login request
*
@@ -2097,6 +1875,7 @@ token_cont(struct GNUNET_REST_RequestHandle *con_handle,
//TODO static strings
//TODO Unauthorized with Header Field
//TODO Do not allow multiple equal parameter names
+ //TODO free
struct RequestHandle *handle = cls;
struct GNUNET_HashCode cache_key;
@@ -2107,9 +1886,11 @@ token_cont(struct GNUNET_REST_RequestHandle *con_handle,
char *user_psw = NULL, *client_id, *psw;
char *expected_psw;
int client_exists = GNUNET_NO;
+ struct MHD_Response *resp;
//Check Authorization Header
- GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY, strlen
(OIDC_AUTHORIZATION_HEADER_KEY),
+ GNUNET_CRYPTO_hash (OIDC_AUTHORIZATION_HEADER_KEY,
+ strlen (OIDC_AUTHORIZATION_HEADER_KEY),
&cache_key);
if ( GNUNET_NO == GNUNET_CONTAINER_multihashmap_contains
(handle->rest_handle->header_param_map,
&cache_key) )
@@ -2229,7 +2010,6 @@ token_cont(struct GNUNET_REST_RequestHandle *con_handle,
redirect_uri = GNUNET_CONTAINER_multihashmap_get (
handle->rest_handle->url_param_map, &cache_key);
-
//check client_id
for (handle->ego_entry = handle->ego_head; NULL != handle->ego_entry->next; )
{
@@ -2248,8 +2028,6 @@ token_cont(struct GNUNET_REST_RequestHandle *con_handle,
return;
}
-
-
//Check parameter grant_type == "authorization_code"
if (0 != strcmp("authorization_code", grant_type))
{
@@ -2259,12 +2037,6 @@ token_cont(struct GNUNET_REST_RequestHandle *con_handle,
return;
}
-
-
- //TODO consume code
-
-
-
// check redirect_uri
GNUNET_asprintf (&expected_redirect_uri, "https://%s.zkey";, client_id);
// verify the redirect uri matches https://<client_id>.zkey[/xyz]
@@ -2278,10 +2050,163 @@ token_cont(struct GNUNET_REST_RequestHandle
*con_handle,
}
GNUNET_free(expected_redirect_uri);
- //return something
+ char* output;
+ GNUNET_STRINGS_base64_decode(code,strlen(code),&output);
+
+ json_t *root;
+ json_error_t error;
+ json_t *ticket_string;
+ json_t *nonce;
+ root = json_loads (output, 0, &error);
+ ticket_string = json_object_get (root, "ticket");
+ nonce = json_object_get (root, "nonce");
+
+
+ struct GNUNET_IDENTITY_PROVIDER_Ticket *ticket = GNUNET_new(struct
GNUNET_IDENTITY_PROVIDER_Ticket);
+ if(ticket_string == NULL && !json_is_string(ticket_string))
+ {
+ handle->emsg = GNUNET_strdup("invalid_request");
+ handle->edesc = GNUNET_strdup("invalid code.");
+ GNUNET_SCHEDULER_add_now (&do_error, handle);
+ return;
+ }
+ if ( GNUNET_OK
+ != GNUNET_STRINGS_string_to_data (json_string_value(ticket_string),
+ strlen
(json_string_value(ticket_string)),
+ ticket,
+ sizeof(struct
GNUNET_IDENTITY_PROVIDER_Ticket)))
+ {
+ handle->emsg = GNUNET_strdup("invalid_request");
+ handle->edesc = GNUNET_strdup("invalid code..");
+ GNUNET_SCHEDULER_add_now (&do_error, handle);
+ return;
+ }
+ //TODO lookup if audience is the current client
+ //TODO change
+ struct GNUNET_CRYPTO_EcdsaPublicKey pub_key;
+ GNUNET_IDENTITY_ego_get_public_key(handle->ego_entry->ego,&pub_key);
+ if (0 != memcmp(&pub_key,&ticket->audience,sizeof(struct
GNUNET_CRYPTO_EcdsaPublicKey)))
+ {
+ handle->emsg = GNUNET_strdup("invalid_request");
+ handle->edesc = GNUNET_strdup("invalid code...");
+ GNUNET_SCHEDULER_add_now (&do_error, handle);
+ return;
+ }
+
+ //create jwt
+ unsigned long long int expiration_time;
+ if ( GNUNET_OK
+ != GNUNET_CONFIGURATION_get_value_number(cfg, "identity-rest-plugin",
+ "expiration_time",
&expiration_time) )
+ {
+ handle->emsg = GNUNET_strdup("server_error");
+ handle->edesc = GNUNET_strdup ("gnunet configuration failed");
+ handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+ GNUNET_SCHEDULER_add_now (&do_error, handle);
+ return;
+ }
+
+ struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList *cl = GNUNET_new (struct
GNUNET_IDENTITY_ATTRIBUTE_ClaimList);
+ //aud REQUIRED public key client_id must be there
+ GNUNET_IDENTITY_ATTRIBUTE_list_add(cl,
+ "aud",
+ GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
+ client_id,
+ strlen(client_id));
+ //exp REQUIRED time expired from config
+ //TODO time as seconds
+ struct GNUNET_TIME_Absolute exp_time = GNUNET_TIME_relative_to_absolute (
+ GNUNET_TIME_relative_multiply (GNUNET_TIME_relative_get_second_ (),
+ expiration_time));
+ const char* exp_time_string =
GNUNET_STRINGS_absolute_time_to_string(exp_time);
+ GNUNET_IDENTITY_ATTRIBUTE_list_add (cl,
+ "exp",
+ GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
+ exp_time_string,
+ strlen(exp_time_string));
+ //iat REQUIRED time now
+ //TODO time as seconds
+ struct GNUNET_TIME_Absolute time_now = GNUNET_TIME_absolute_get();
+ const char* time_now_string =
GNUNET_STRINGS_absolute_time_to_string(time_now);
+ GNUNET_IDENTITY_ATTRIBUTE_list_add (cl,
+ "iat",
+ GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
+ time_now_string,
+ strlen(time_now_string));
+ //nonce only if nonce
+ if ( NULL != nonce && json_is_string(nonce) )
+ {
+ GNUNET_IDENTITY_ATTRIBUTE_list_add (cl,
+ "nonce",
+ GNUNET_IDENTITY_ATTRIBUTE_TYPE_STRING,
+ json_string_value(nonce),
+ strlen(json_string_value(nonce)));
+ }
+
+ //TODO auth_time only if max_age
+ //TODO OPTIONAL acr,amr,azp
+
+ //TODO lookup client for client == audience of ticket
+ struct EgoEntry *ego_entry;
+ for (ego_entry = handle->ego_head; NULL != ego_entry; ego_entry =
ego_entry->next)
+ {
+ GNUNET_IDENTITY_ego_get_public_key (ego_entry->ego, &pub_key);
+ if (0 == memcmp (&pub_key, &ticket->audience, sizeof(struct
GNUNET_CRYPTO_EcdsaPublicKey)))
+ {
+ break;
+ }
+ }
+ if ( NULL == ego_entry )
+ {
+ handle->emsg = GNUNET_strdup("invalid_request");
+ handle->edesc = GNUNET_strdup("invalid code....");
+ GNUNET_SCHEDULER_add_now (&do_error, handle);
+ return;
+ }
+ char *id_token = jwt_create_from_list(&ticket->audience,
+ cl,
+
GNUNET_IDENTITY_ego_get_private_key(ego_entry->ego));
+
+ // random access_token
+ char* access_token_number;
+ char* access_token;
+ uint64_t random_number;
+ random_number = GNUNET_CRYPTO_random_u64(GNUNET_CRYPTO_QUALITY_NONCE,
UINT64_MAX);
+ GNUNET_asprintf(&access_token_number, "%" PRIu64, random_number);
+
GNUNET_STRINGS_base64_encode(access_token_number,strlen(access_token_number),&access_token);
+
+
+ char *json_error;
+ //TODO optional refresh_token and scope
+ GNUNET_asprintf (&json_error,
+ "{ \"access_token\" : \"%s\", "
+ "\"token_type\" : \"Bearer\", "
+ "\"expires_in\" : %d, "
+ "\"id_token\" : \"%s\"}",
+ access_token,
+ expiration_time,
+ id_token);
+
+ resp = GNUNET_REST_create_response (json_error);
+
+ MHD_add_response_header (resp, "Cache-Control", "no-store");
+ MHD_add_response_header (resp, "Pragma", "no-cache");
+ MHD_add_response_header (resp, "Content-Type", "application/json");
+ handle->proc (handle->proc_cls, resp, MHD_HTTP_OK);
+ GNUNET_SCHEDULER_add_now (&cleanup_handle_delayed, handle);
+ //necessary? should be
+// handle->idp_op =
GNUNET_IDENTITY_PROVIDER_ticket_consume(handle->idp,GNUNET_IDENTITY_ego_get_private_key(handle->ego_entry->ego),ticket,consume_cont,
handle);
+ GNUNET_IDENTITY_ATTRIBUTE_list_destroy(cl);
+ //TODO write method
+ handle->idp_op =
GNUNET_IDENTITY_PROVIDER_ticket_consume(handle->idp,GNUNET_IDENTITY_ego_get_private_key(ego_entry->ego),ticket,consume_cont,handle);
+ GNUNET_free(access_token_number);
+ GNUNET_free(credentials);
+ GNUNET_free(access_token);
GNUNET_free(user_psw);
- json_decref(handle->oidc->post_object);
+ GNUNET_free(code);
+ GNUNET_free(id_token);
+ json_decref(root);
}
/**
@@ -2297,8 +2222,8 @@ init_cont (struct RequestHandle *handle)
{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES,
&list_attribute_cont},
{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES,
&add_attribute_cont},
{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS,
&list_tickets_cont},
- {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_GET_cont},
- {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_AUTHORIZE, &authorize_GET_cont},
+ {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont},
+ {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont},
//url-encoded
{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_LOGIN, &login_cont},
{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_TOKEN, &token_cont},
{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE,
&revoke_ticket_cont},
diff --git a/src/identity-provider/test_idp.conf
b/src/identity-provider/test_idp.conf
index b4bb448df..b11b43ae2 100644
--- a/src/identity-provider/test_idp.conf
+++ b/src/identity-provider/test_idp.conf
@@ -28,5 +28,6 @@ ZONE_PUBLISH_TIME_WINDOW = 1 h
DNS_ROOT=PD67SGHF3E0447TU9HADIVU9OM7V4QHTOG0EBU69TFRI2LG63DR0
[identity-rest-plugin]
-address = http://localhost:8000/#/identities
-psw = mysupersecretpassword
\ No newline at end of file
+address = http://localhost:8000/#/login
+psw = mysupersecretpassword
+expiration_time = 3600
\ No newline at end of file
diff --git a/src/include/gnunet_identity_attribute_lib.h
b/src/include/gnunet_identity_attribute_lib.h
index 316b0bf95..8879ba925 100644
--- a/src/include/gnunet_identity_attribute_lib.h
+++ b/src/include/gnunet_identity_attribute_lib.h
@@ -148,6 +148,12 @@ GNUNET_IDENTITY_ATTRIBUTE_list_serialize_get_size (const
struct GNUNET_IDENTITY_
void
GNUNET_IDENTITY_ATTRIBUTE_list_destroy (struct
GNUNET_IDENTITY_ATTRIBUTE_ClaimList *attrs);
+void
+GNUNET_IDENTITY_ATTRIBUTE_list_add (struct GNUNET_IDENTITY_ATTRIBUTE_ClaimList
*attrs,
+ const char* attr_name,
+ uint32_t type,
+ const void* data,
+ size_t data_size);
/**
* Serialize an attribute list
--
To stop receiving notification emails like this one, please contact
address@hidden
- [GNUnet-SVN] [gnunet] 45/45: -fix, (continued)
- [GNUnet-SVN] [gnunet] 45/45: -fix, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 23/45: -fix login time, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 30/45: -fix get request without authorization code, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 26/45: -wip post request testing required and namestore handle fix required, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 42/45: -wip token endpoint fix, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 36/45: -wip token request, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 43/45: -wip token endpoint refactor, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 34/45: -wip token request, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 25/45: -wip post authentication, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 29/45: -wip attribute collection, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 41/45: -changes for using token endpoint & added token endpoint,
gnunet <=
- [GNUnet-SVN] [gnunet] 32/45: -fix GET request, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 40/45: -wip token endpoint, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 44/45: -wip UserInfo Endpoint, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 33/45: -fix get and post authorization request, gnunet, 2018/02/25
- [GNUnet-SVN] [gnunet] 31/45: -fix GET login finished, gnunet, 2018/02/25