This repository was archived by the owner on Jun 23, 2023. It is now read-only.
Merged
42 changes: 42 additions & 0 deletions docs/source/contents/conf.rst
Expand Up @@ -119,6 +119,30 @@ code_challenge_method
The allowed code_challenge methods. The supported code challenge methods are:
``plain, S256, S384, S512``

-------------------
client_authn_method
-------------------

A dictionary with the allowed client authentication methods. The keys are the methods'
names and and the values must be either a class or a path to a python class that will
be imported and used to validate the client. The class should inherit from
`oidcop.client_authn.ClientAuthnMethod` and it must implement the methods
`is_usable` and `_verify`. You can then define which of these methods are allowed per
endpoint by defining a list with the names of the methods allowed in the endpoint's
capabilities. This can be overriden per client by defining `client_authn_method`
in the client's metadata.

Defaults to:
- none: `oidcop.client_authn.NoneAuthn`, no client authentication. Never use this in production
- public: `oidcop.client_authn.PublicAuthn`, used for public clients, requires only a valid`client_id` in the request
- client_secret_basic: `oidcop.client_authn.ClientSecretBasic`, see https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
- client_secret_post: `oidcop.client_authn.ClientSecretPost`, see https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
- bearer_header: `oidcop.client_authn.BearerHeader`, see https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
- bearer_body: `oidcop.client_authn.BearerBody`, see https://datatracker.ietf.org/doc/html/rfc6750#section-2.2
- client_secret_jwt: `oidcop.client_authn.ClientSecretJWT`, see https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
- private_key_jwt: `oidcop.client_authn.PrivateKeyJWT`, see https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
- request_param: `oidcop.client_authn.RequestParam`, see https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests

--------------
authentication
--------------
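Review bot: The "Defaults to:" list does not say whether a configured ``client_authn_method`` dictionary replaces the defaults or is merged with them; this matters because an operator who lists only ``private_key_jwt`` needs to know whether ``none`` and ``public`` stay enabled. State the merge/replace behaviour in the paragraph and, for ``none``, say explicitly that it accepts any request without verifying the client, so the "Never use this in production" warning has a concrete reason. Formatting: in RST a bullet list must be preceded by a blank line, so "Defaults to:" followed directly by ``- none: ...`` will render as one run-on paragraph; add a blank line after "Defaults to:". Also use double backticks for literals (``is_usable``, ``_verify``, ``client_authn_method``) as the surrounding file does for ``plain, S256, S384, S512``, fix "and and" and "overriden", and add the missing space in "a valid`client_id`".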
Expand Down Expand Up @@ -831,6 +855,24 @@ The usage rules for each token type. E.g.::
}
}


-------------------
client_authn_method
-------------------

A list with the client authentication methods that are allowed for this client.

This can be overriden per endpoint by adding the prefix `{endpoint_name}_`.
E.g to define `client_authn_method` for a client only for the introspection
endpoint we need to add to the client metadata::

{
"introspection_endpoint_client_authn_method": ["client_secret_basic", "client_secret_post"]
}

NOTE: The client authentication methods defined per client MUST be a subset of the
endpoint's authentication methods, else they are ignored.

--------------
pkce_essential
--------------
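Review bot: "else they are ignored" in the NOTE is ambiguous: it could mean the whole per-client list is discarded and the endpoint's full list applies, or that only the entries outside the endpoint's list are dropped. The difference is security-relevant, since in the first case a misspelled method name silently widens the set of authentication methods accepted for that client back to the endpoint default. Spell out which behaviour is implemented and whether the mismatch is logged, e.g. "Methods not allowed by the endpoint are dropped from the client's list; if nothing remains, the endpoint's methods apply and a warning is logged" (adjusted to what the code does). Minor: "overriden" should be "overridden", "E.g to" should be "E.g. to", and the literal block introduced by ``::`` must be indented to render; the JSON in the example should be indented under it.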