Update the app to Python 3

Author: mtrojanowski

.gitignore

@@ -33,6 +33,7 @@ var/
 .installed.cfg
 *.egg
 
+
 # PyInstaller
 #  Usually these files are written by a python script from a template
 #  before PyInstaller builds the exe, so as to inject date/other infos into it.
@@ -91,6 +92,8 @@ celerybeat-schedule
 .venv/
 venv/
 ENV/
+bin/
+pyvenv.cfg
 
 # Spyder project settings
 .spyderproject

Dockerfile

@@ -9,7 +9,7 @@
 # For further information, please contact Curity AB.
 #
 
-FROM python:2.7
+FROM python:3.9
 MAINTAINER Curity AB
 
 ADD requirements.txt /usr/src/

Pipfile

@@ -6,8 +6,8 @@ name = "pypi"
 [dev-packages]
 
 [packages]
-pyjwkest = "==1.3.1"
-Flask = "==0.12.3"
+pyjwkest = "1.4.2"
+Flask = "1.1.2"
 
 [requires]
-python_version = "2.7"
+python_version = "3.9"

Pipfile.lock

@@ -16,7 +16,7 @@ Browse to https://localhost:5443 to see the app.
 
 ## Dependencies
 
-**python 2.x** (tested with python 2.7.10)
+**python 3.x** (tested with python 3.9.1)
 
 **OpenSSL 1.0** to be able to do modern TLS versions. Python together with 0.9.x has a bug that makes it impossible to select protocol in the handshake, so it cannot connect to servers that have disabled SSLv2.
 
@@ -53,7 +53,7 @@ Name                     | Type |  Description
 To run the example in a Docker container, build an image and run a container like this.:
 
 ```bash
-$ docker build -t curityio/openid-python-example
+$ docker build -t curityio/openid-python-example .
 $ docker run -ti curityio/openid-python-example
 
 ```

README.md

@@ -17,8 +17,8 @@
 ##########################################################################
 
 import sys
-import urllib2
-from urlparse import urlparse
+from urllib.request import Request, urlopen
+from urllib.error import URLError, HTTPError
 
 from flask import redirect, request, render_template, session, abort, Flask
 from jwkest import BadSignature
@@ -63,7 +63,7 @@ def index():
     if 'redirect_uri' not in _config:
         _config['redirect_uri'] = _config['base_url'].rstrip('/') + '/callback'
 
-    if isinstance(user, (str, unicode)):
+    if isinstance(user, (bytes, str)):
         # User is a string! Probably a bunch of HTML from a previous error. Just bail and hope for the best.
         return user
 
@@ -131,7 +131,7 @@ def logout():
         del _session_store[session['session_id']]
     session.clear()
 
-    print "Logging out at ", _config['end_session_endpoint']
+    print("Logging out at ", _config['end_session_endpoint'])
     logout_request = _config['end_session_endpoint'] + '?client_id=' + _config['client_id'] + '&post_logout_redirect_uri=' + _config['base_url']
     return redirect(logout_request)
 
@@ -196,7 +196,7 @@ def revoke():
 
         try:
             _client.revoke(token, token_type_hint)
-        except urllib2.URLError as e:
+        except URLError as e:
             return create_error(error_message, e)
 
     return redirect_with_baseurl('/')
@@ -247,12 +247,12 @@ def call_api():
                 access_token = user.access_token
             else:
                 user.api_response = None
-                print 'No access token in session'
+                print('No access token in session')
 
                 return redirect_with_baseurl("/")
 
             try:
-                req = urllib2.Request(_config['api_endpoint'])
+                req = Request(_config['api_endpoint'])
                 req.add_header('User-Agent', 'CurityExample/1.0')
                 req.add_header("Authorization", "Bearer %s" % access_token)
                 req.add_header("Accept", 'application/json')
@@ -261,16 +261,16 @@ def call_api():
                     req.add_header('Ocp-Apim-Subscription-Key', _config['subscription_key'])
                     req.add_header('Ocp-Apim-Trace', 'true')
 
-                response = urllib2.urlopen(req, context=tools.get_ssl_context(_config))
+                response = urlopen(req, context=tools.get_ssl_context(_config))
                 user.api_response = {'code': response.code, 'data': response.read()}
-            except urllib2.HTTPError as e:
+            except HTTPError as e:
                 user.api_response = {'code': e.code, 'data': e.read()}
             except Exception as e:
                 message = e.message if len(e.message) > 0 else "unknown error"
                 user.api_response = {"code": "unknown error", "data": message}
         else:
             user.api_response = None
-            print 'No API endpoint configured'
+            print('No API endpoint configured')
 
     return redirect_with_baseurl('/')
 
@@ -311,7 +311,7 @@ def oauth_callback():
         # This is the callback for a hybrid or implicit flow
         return render_template('index.html')
 
-    if 'state' not in session or session['state'] != request.args['state']:
+    if 'state' not in session or session['state'].decode() != request.args['state']:
         return create_error('Missing or invalid state')
 
     if "code_verifier" not in session:
@@ -332,7 +332,7 @@ def callback(params):
     session.pop('state', None)
 
     try:
-        token_data = _client.get_token(params['code'], session["code_verifier"])
+        token_data = _client.get_token(params['code'], session["code_verifier"].decode())
     except Exception as e:
         return create_error('Could not fetch token(s)', e)
 
@@ -377,8 +377,8 @@ def create_error(message, exception=None):
     :param message:
     :return: redirects to index.html with the error message
     """
-    print 'Caught error!'
-    print message, exception
+    print('Caught error!')
+    print(message, exception)
     if _app:
         user = UserSession()
         if 'session_id' in session:
@@ -396,7 +396,7 @@ def load_config():
     :return:
     """
     if len(sys.argv) > 1:
-        print "Using an alternative config file: %s" % sys.argv[1]
+        print("Using an alternative config file: %s" % sys.argv[1])
         filename = sys.argv[1]
     else:
         filename = 'settings.json'
@@ -419,7 +419,7 @@ def redirect_with_baseurl(path):
     if 'jwks_uri' in _config:
         _jwt_validator = JwtValidator(_config)
     else:
-        print 'Found no url to JWK set, will not be able to validate JWT signature.'
+        print('Found no url to JWK set, will not be able to validate JWT signature.')
         _jwt_validator = None
 
     # create a session store
@@ -442,7 +442,7 @@ def redirect_with_baseurl(path):
     debug = _config['debug'] = 'debug' in _config and _config['debug']
 
     if debug:
-        print 'Running conf:'
+        print('Running conf:')
         print_json(_config)
 
     if _disable_https:

app.py

@@ -17,8 +17,10 @@
 import json
 import os
 import time
-import urllib
-import urllib2
+from urllib.parse import urlencode
+from urllib.request import urlopen
+from urllib.error import URLError
+from urllib.request import Request
 
 from jwkest.jwk import KEYS
 from jwkest.jws import JWS
@@ -42,7 +44,7 @@ class Client:
     def __init__(self, config):
         self.config = config
 
-        print 'Getting ssl context for oauth server'
+        print('Getting ssl context for oauth server')
         self.ctx = tools.get_ssl_context(self.config)
         self.__init_config()
         self.client_data = None
@@ -51,14 +53,14 @@ def __init_config(self):
 
         if 'issuer' in self.config:
             meta_data_url = self.config['issuer'] + '/.well-known/openid-configuration'
-            print 'Fetching config from: %s' % meta_data_url
-            meta_data = urllib2.urlopen(meta_data_url, context=self.ctx)
+            print('Fetching config from: %s' % meta_data_url)
+            meta_data = urlopen(meta_data_url, context=self.ctx)
             if meta_data:
                 self.config.update(json.load(meta_data))
             else:
-                print 'Unexpected response on discovery document: %s' % meta_data
+                print('Unexpected response on discovery document: %s' % meta_data)
         else:
-            print 'Found no issuer in config, can not perform discovery. All endpoint config needs to be set manually'
+            print('Found no issuer in config, can not perform discovery. All endpoint config needs to be set manually')
 
         # Mandatory settings
         if 'authorization_endpoint' not in self.config:
@@ -68,20 +70,20 @@ def __init_config(self):
 
         self.read_credentials_from_file()
         if 'client_id' not in self.config:
-            print 'Client is not registered.'
+            print('Client is not registered.')
 
         if 'scope' not in self.config:
             self.config['scope'] = 'openid'
 
     def read_credentials_from_file(self):
         if not os.path.isfile(REGISTERED_CLIENT_FILENAME):
-            print 'Client is not dynamically registered'
+            print('Client is not dynamically registered')
             return
 
         try:
             registered_client = json.loads(open(REGISTERED_CLIENT_FILENAME).read())
         except Exception as e:
-            print 'Could not read credentials from file', e
+            print('Could not read credentials from file', e)
             return
         self.config['client_id'] = registered_client['client_id']
         self.config['client_secret'] = registered_client['client_secret']
@@ -94,8 +96,8 @@ def register(self):
         :raises: raises error when http call fails
         """
         if 'registration_endpoint' not in self.config:
-            print 'Authorization server does not support Dynamic Client Registration. Please configure client ' \
-                  'credentials manually '
+            print('Authorization server does not support Dynamic Client Registration. Please configure client ' \
+                  'credentials manually ')
             return
 
         if 'client_id' in self.config:
@@ -108,7 +110,7 @@ def register(self):
             dcr_access_token = self.get_registration_token()
 
         if 'template_client' in self.config:
-            print 'Registering client using template_client: %s' % self.config['template_client']
+            print('Registering client using template_client: %s' % self.config['template_client'])
             data = {
                 'software_id': self.config['template_client']
             }
@@ -120,7 +122,7 @@ def register(self):
             }
 
             if self.config['debug']:
-                print 'Registering client with data:\n %s' % json.dumps(data)
+                print('Registering client with data:\n %s' % json.dumps(data))
 
         register_response = self.__urlopen(self.config['registration_endpoint'], data=json.dumps(data),
                                            context=self.ctx, token=dcr_access_token)
@@ -153,7 +155,7 @@ def revoke(self, token, token_type_hint="access_token"):
         :raises: raises error when http call fails
         """
         if 'revocation_endpoint' not in self.config:
-            print 'No revocation endpoint set'
+            print('No revocation endpoint set')
             return
 
         data = {
@@ -163,7 +165,7 @@ def revoke(self, token, token_type_hint="access_token"):
             'client_secret': self.config['client_secret']
         }
 
-        self.__urlopen(self.config['revocation_endpoint'], urllib.urlencode(data), context=self.ctx)
+        self.__urlopen(self.config['revocation_endpoint'], urlencode(data), context=self.ctx)
 
     def refresh(self, refresh_token):
         """
@@ -177,7 +179,7 @@ def refresh(self, refresh_token):
             'client_id': self.config['client_id'],
             'client_secret': self.config['client_secret']
         }
-        token_response = self.__urlopen(self.config['token_endpoint'], urllib.urlencode(data), context=self.ctx)
+        token_response = self.__urlopen(self.config['token_endpoint'], urlencode(data), context=self.ctx)
         return json.loads(token_response.read())
 
     def get_authn_req_url(self, session, acr, forceAuthN, scope, forceConsent, allowConsentOptionDeselection,
@@ -247,15 +249,16 @@ def get_authn_req_url(self, session, acr, forceAuthN, scope, forceConsent, allow
         elif send_parameters_via == "request_uri":
             request_args = None  # TODO: Implement request URI support
 
-        login_url = "%s%s%s" % (self.config['authorization_endpoint'], delimiter, urllib.urlencode(request_args))
+        login_url = "%s%s%s" % (self.config['authorization_endpoint'], delimiter, urlencode(request_args))
 
-        print "Redirect to %s" % login_url
+        print("Redirect to %s" % login_url)
 
         return login_url
 
     def get_token(self, code, code_verifier):
         """
         :param code: The authorization code to use when getting tokens
+        :param code_verifier: The original code verifier sent with the authorization request
         :return the json response containing the tokens
         """
         data = {'client_id': self.config['client_id'], "client_secret": self.config['client_secret'],
@@ -266,9 +269,9 @@ def get_token(self, code, code_verifier):
 
         # Exchange code for tokens
         try:
-            token_response = self.__urlopen(self.config['token_endpoint'], urllib.urlencode(data), context=self.ctx)
-        except urllib2.URLError as te:
-            print "Could not exchange code for tokens"
+            token_response = self.__urlopen(self.config['token_endpoint'], urlencode(data), context=self.ctx)
+        except URLError as te:
+            print("Could not exchange code for tokens")
             raise te
         return json.loads(token_response.read())
 
@@ -294,14 +297,14 @@ def get_registration_token(self):
         }
 
         try:
-            token_response = self.__urlopen(self.config['token_endpoint'], urllib.urlencode(data), context=self.ctx)
-        except urllib2.URLError as te:
-            print "Could not get DCR access token"
+            token_response = self.__urlopen(self.config['token_endpoint'], urlencode(data), context=self.ctx)
+        except URLError as te:
+            print("Could not get DCR access token")
             raise te
 
         json_response = json.loads(token_response.read())
         if self.config['debug']:
-            print 'Got DCR token response: %s ' % json_response
+            print('Got DCR token response: %s ' % json_response)
 
         return json_response['access_token']
 
@@ -322,14 +325,17 @@ def __urlopen(self, url, data=None, context=None, token=None):
         if token:
             headers['Authorization'] = 'Bearer %s' % token
 
-        request = urllib2.Request(url, data, headers)
+        if data is not None:
+            data = data.encode('utf-8')
+
+        request = Request(url, data, headers)
 
         if self.config['debug']:
-            print 'Request url: ' + url
-            print 'Request headers:\n' + json.dumps(headers)
-            print 'Request data:\n' + json.dumps(data)
+            print('Request url: ' + url)
+            print('Request headers:\n' + json.dumps(headers))
+            print('Request data:\n' + json.dumps(data.decode() if data is not None else None))
 
-        return urllib2.urlopen(request, context=context)
+        return urlopen(request, context=context)
 
     def __authn_req_args(self, state, scope, code_challenge, code_challenge_method="plain"):
         """

client.py

@@ -54,7 +54,7 @@ def load_config(self):
         return self.store
 
     def _load_from_file(self, filename):
-        print 'Loading settings from %s' % filename
+        print('Loading settings from %s' % filename)
         self.store = json.loads(open(filename).read())
 
     def _update_config_from_environment(self):

config.py

@@ -1,7 +1,7 @@
 version: '2'
 services:
   oidc-example:
-    image: curity/oidc-python-demo:0.1
+    image: curity/oidc-python-demo:latest
     ports:
       - 5443:5443
     environment: