Skip to content

Latest commit

 

History

History
197 lines (145 loc) · 6.9 KB

PROVIDER.md

File metadata and controls

197 lines (145 loc) · 6.9 KB
Raw

Openid Connect Provider Identity Provider.

A SPID/CIE implementation of a OpenID Connect Provider fully compliant to AgID SPID guidelines and CIE id guidelines.

General settings

All the Provider settings paramenter are available at spid_cie_oidc.provider.settings and can be inherited in the general settings file of your project.

These are the following:

  • OIDCFED_DEFAULT_PROVIDER_PROFILE, default profile of the service, if the OP is Spid or CIE.

Example

OIDCFED_DEFAULT_PROVIDER_PROFILE = getattr(
    settings,
    "OIDCFED_PROVIDER_PROFILE",
    "Spid"
)
  • OIDCFED_PROVIDER_PROFILES_MEDIA, Logo of the service, for each profile.

Example

OIDCFED_PROVIDER_PROFILES_MEDIA = getattr(
    settings,
    "OIDCFED_PROVIDER_PROFILES_MEDIA",
    {
        "spid": {
            "logo": "svg/spid-logo-c-lb.svg"
        },
        "cie": {
            "logo": "images/logo-cie.png"
        },
    },
)
  • OIDCFED_PROVIDER_PROFILES, json validation schemas for each profile.

Example

OIDCFED_PROVIDER_PROFILES = getattr(
    settings,
    "OIDCFED_PROVIDER_PROFILES",
    {
        "spid": {
            "authorization_request": AuthenticationRequestSpid,
            "op_metadata": OPMetadataSpid,
            "authorization_code": TokenAuthnCodeRequest,
            "refresh_token": TokenRefreshRequest,
            "revocation_request": RevocationRequest,
            "introspection_request" : IntrospectionRequest,
        },
        "cie": {
            "authorization_request": AuthenticationRequestCie,
            "op_metadata": OPMetadataCie,
            "authorization_code": TokenAuthnCodeRequest,
            "refresh_token": TokenRefreshRequest,
            "revocation_request": RevocationRequest,
            "introspection_request" : IntrospectionRequest,
        },
    },
)
  • OIDCFED_PROVIDER_MAX_REFRESH How many times a token can be refreshed.

Example

OIDCFED_PROVIDER_MAX_REFRESH = 1
  • OIDCFED_PROVIDER_ATTRIBUTES_SPID_MAP map of attributes for a spid provider, an example here
  • OIDCFED_PROVIDER_ATTRIBUTES_CIE_MAP map of attributes for a cie provider, an example here
  • OIDCFED_PROVIDER_ATTRIBUTES_MAP map of all provider attributes, an example here
  • OIDCFED_PROVIDER_PROFILES_ID_TOKEN_CLAIMS claims that can be requested to token endpoint.

Example

OIDCFED_PROVIDER_PROFILES_ID_TOKEN_CLAIMS = dict(
    spid = dict(), # means that SPID doesn't support user claims in the id_token
    cie = OIDCFED_PROVIDER_ATTRIBUTES_CIE_MAP
)

-OIDCFED_PROVIDER_SALT, salt used in the hash function used to create the subject identifier of the resource owner (the user).

Example

OIDCFED_PROVIDER_SALT = getattr(settings, "OIDCFED_PROVIDER_SALT", "CHANGEME")
  • OIDCFED_PROVIDER_HISTORY_PER_PAGE, max entries per page to show in the page of access history.

Example

OIDCFED_PROVIDER_HISTORY_PER_PAGE = getattr(settings, "OIDCFED_PROVIDER_HISTORY_PER_PAGE", 50)
  • OIDCFED_PROVIDER_AUTH_CODE_MAX_AGE lifetime of validity of an auth code.

Example

OIDCFED_PROVIDER_AUTH_CODE_MAX_AGE = getattr(
    settings,
    "OIDCFED_PROVIDER_AUTH_CODE_MAX_AGE",
    10
)
  • OIDCFED_PROVIDER_PROFILES_DEFAULT_ACR default acr value in the Authentication Request if not sumbmitted by RP.

Example

OIDCFED_PROVIDER_PROFILES_DEFAULT_ACR = dict(
    spid = AcrValues.l2.value,
    cie = AcrValues.l2.value
)
  • OIDCFED_ATTRNAME_I18N, attributes internationalization, an example an example here.

Endpoints

The webpath where the provider serve its features are the following.

entity configuration (.well-known/openid-federation)

As inherited from spid_cie_oidc.entity.

authorization

The webpath is customizable in the urls.py file and by default it's configured here and correspond to spid_cie_oidc.provider.views.AuthzRequestView.

The Authorization Endpoint support the use of the HTTP GET and POST methods.

An exemple of accepted request is here

In the case of successful user authentication, the response contains the following parameters:

  • code, REQUIRED. Authorization code.
  • state, REQUIRED. State value enclosed in the authentication requests.
  • iss, REQUIRED for CIE, OPTIONAL for Spid. Issuer identifier of the OP.
  • scope, REQUIRED if the scopes are different from those required by RP.

token

The webpath is customizable in the urls.py file and by default it's configured here and correspond to spid_cie_oidc.provider.views.TokenEndpoint.

Token endpoint support the use only of the HTTP POST method and accepts as grant_type both 'authorization_code' and 'refresh_token'.

token introspection

The webpath is customizable in the urls.py file and by default it's configured here and correspond to spid_cie_oidc.provider.views.IntrospectionEndpoint.

Introspection endpoint support the use only of the HTTP POST method, an example of acceptet request is here

In the response the only REQUIRED attribute is active, boolean indicator of whether the presented token is currently active.

token revocation

The webpath is customizable in the urls.py file and by default it's configured here and correspond to spid_cie_oidc.provider.views.RevocationEndpoint.

Revocation endpoint support the use only of the HTTP POST method.

In case of successful token invalidation, responds with an HTTP 200 code.

userinfo

The webpath is customizable in the urls.py file and by default it's configured here and correspond to spid_cie_oidc.provider.views.UserInfoEndpoint.

The UserInfo Endpoint returns an encrypthed jwt of the user claims.

Login history page

OIDC Provider login history The user can consult the history of his accesses and also can revoke the access tokens for selected RPs.

SPID/CIE QAD and compliances tests

WiP