diff --git a/spid_cie_oidc/onboarding/urls.py b/spid_cie_oidc/onboarding/urls.py
index 4aeb3a19..5f06769e 100644
--- a/spid_cie_oidc/onboarding/urls.py
+++ b/spid_cie_oidc/onboarding/urls.py
@@ -35,6 +35,7 @@
onboarding_schemas_token,
onboarding_schemas_jwt_client_assertion,
onboarding_validate_authn_request,
+ onboarding_validate_ec,
)
_PREF = getattr(settings, "OIDC_PREFIX", "")
@@ -130,4 +131,9 @@
onboarding_validate_authn_request,
name="oidc_onboarding_validate_authn_request_jwt",
),
+ path(
+ f"{_PREF}onboarding/tools/validate-ec",
+ onboarding_validate_ec,
+ name="oidc_onboarding_validate_ec",
+ ),
]
diff --git a/spid_cie_oidc/onboarding/views.py b/spid_cie_oidc/onboarding/views.py
index e160bded..f0b2b70d 100644
--- a/spid_cie_oidc/onboarding/views.py
+++ b/spid_cie_oidc/onboarding/views.py
@@ -21,6 +21,7 @@
from spid_cie_oidc.entity.jwtse import unpad_jwt_head, unpad_jwt_payload, verify_jws
from spid_cie_oidc.authority.views import trust_mark_status, resolve_entity_statement
+from spid_cie_oidc.authority.validators import validate_entity_configuration
from spid_cie_oidc.onboarding.schemas.authn_requests import AuthenticationRequestSpid
from spid_cie_oidc.onboarding.schemas.authn_response import AuthenticationResponse
from spid_cie_oidc.onboarding.schemas.authn_response import AuthenticationErrorResponse
@@ -190,7 +191,8 @@ def onboarding_validate_md(request):
"metadata_type": metadata_type,
"provider_profile": provider_profile,
"title": title,
- "description": description
+ "description": description,
+ "field_name":"metadata"
}
if request.POST.get('md'):
md = request.POST['md']
@@ -199,6 +201,7 @@ def onboarding_validate_md(request):
"provider_profile": provider_profile,
"title": title,
"description":description,
+ "field_name":"metadata",
"md": md
}
md_str_double_quote = md.replace("'", '"')
@@ -228,7 +231,8 @@ def onboarding_validate_authn_request(request):
context = {
"provider_profile": provider_profile,
"title": title,
- "description": description
+ "description": description,
+ "field_name":"jwt"
}
if request.POST.get('md'):
jwt_str = request.POST['md']
@@ -236,6 +240,7 @@ def onboarding_validate_authn_request(request):
"provider_profile": provider_profile,
"title": title,
"description": description,
+ "field_name":"jwt",
"md": jwt_str
}
payload = unpad_jwt_payload(jwt_str)
@@ -248,6 +253,19 @@ def onboarding_validate_authn_request(request):
return render(request, 'onboarding_validate_md.html', context)
return render(request, 'onboarding_validate_md.html', context)
+def onboarding_validate_ec(request):
+ context={}
+ if request.POST:
+ url = request.POST.get("url")
+ context = {"url": url}
+ try:
+ validate_entity_configuration(url)
+ messages.success(request, _('Validation Entity Configuration Successfully'))
+ except Exception as e :
+ messages.error(request, f"Validation Failed: {e}")
+ return render(request, 'onboarding_validate_ec.html', context)
+ return render(request, 'onboarding_validate_ec.html', context)
+
def onboarding_decode_jwt(request):
context = {
diff --git a/spid_cie_oidc/provider/migrations/0006_oidcsession_acr.py b/spid_cie_oidc/provider/migrations/0006_oidcsession_acr.py
new file mode 100644
index 00000000..93dd1e30
--- /dev/null
+++ b/spid_cie_oidc/provider/migrations/0006_oidcsession_acr.py
@@ -0,0 +1,19 @@
+# Generated by Django 4.0.2 on 2022-03-16 16:08
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('spid_cie_oidc_provider', '0005_oidcsession_sid'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='oidcsession',
+ name='acr',
+ field=models.CharField(default='https://www.spid.gov.it/SpidL2', max_length=1024),
+ preserve_default=False,
+ ),
+ ]
diff --git a/spid_cie_oidc/provider/models.py b/spid_cie_oidc/provider/models.py
index 9eeb2bcb..f532313b 100644
--- a/spid_cie_oidc/provider/models.py
+++ b/spid_cie_oidc/provider/models.py
@@ -31,6 +31,7 @@ class OidcSession(TimeStampedModel):
revoked = models.BooleanField(default=False)
auth_code = models.CharField(max_length=2048, blank=False, null=False)
+ acr = models.CharField(max_length=1024, blank=False, null=False)
def set_sid(self, request):
try:
diff --git a/spid_cie_oidc/provider/settings.py b/spid_cie_oidc/provider/settings.py
index f4c60654..a5ccd245 100644
--- a/spid_cie_oidc/provider/settings.py
+++ b/spid_cie_oidc/provider/settings.py
@@ -6,6 +6,8 @@
OPMetadataSpid
)
from spid_cie_oidc.onboarding.schemas.authn_requests import (
+ AcrValuesCie,
+ AcrValuesSpid,
AuthenticationRequestCie,
AuthenticationRequestSpid
)
@@ -103,7 +105,6 @@
)
OIDCFED_PROVIDER_SALT = getattr(settings, "OIDCFED_PROVIDER_SALT", "CHANGEME")
-
OIDCFED_DEFAULT_PROVIDER_PROFILE = getattr(settings, "OIDCFED_PROVIDER_PROFILE", "spid")
OIDCFED_PROVIDER_MAX_REFRESH = 1
@@ -114,6 +115,10 @@
"OIDCFED_PROVIDER_AUTH_CODE_MAX_AGE",
10
)
+OIDCFED_PROVIDER_PROFILES_DEFAULT_ACR = dict(
+ spid = AcrValuesSpid.l2.value,
+ cie = AcrValuesCie.l2.value
+)
OIDCFED_ATTRNAME_I18N = {
# SPID
@@ -149,4 +154,4 @@
# "document_details": ,
# "e_delivery_service": ,
"physical_phone_number": _("Phone number"),
-}
+}
\ No newline at end of file
diff --git a/spid_cie_oidc/relying_party/static/images/logo-cie.png b/spid_cie_oidc/provider/static/images/logo-cie.png
similarity index 100%
rename from spid_cie_oidc/relying_party/static/images/logo-cie.png
rename to spid_cie_oidc/provider/static/images/logo-cie.png
diff --git a/spid_cie_oidc/provider/templates/op_base.html b/spid_cie_oidc/provider/templates/op_base.html
index ba1cb574..41a6bc3b 100644
--- a/spid_cie_oidc/provider/templates/op_base.html
+++ b/spid_cie_oidc/provider/templates/op_base.html
@@ -39,7 +39,7 @@
{% block header_center_org_name %}
-{% trans "OIDC Provider" %}
+{% trans "OIDC Provider" %}
{% endblock header_center_org_name %}
{% block main_menu %}{% endblock main_menu %}
diff --git a/spid_cie_oidc/provider/tests/test_03_refresh_token.py b/spid_cie_oidc/provider/tests/test_03_refresh_token.py
index 69385645..608ba3e8 100644
--- a/spid_cie_oidc/provider/tests/test_03_refresh_token.py
+++ b/spid_cie_oidc/provider/tests/test_03_refresh_token.py
@@ -69,7 +69,7 @@ def setUp(self):
user=User.objects.create(username = "username"),
user_uid="",
nonce="",
- authz_request={"scope": "openid", "nonce": "123"},
+ authz_request={"scope": "openid", "nonce": "123", "acr_values":["https://www.spid.gov.it/SpidL2"]},
client_id="",
auth_code="code",
)
diff --git a/spid_cie_oidc/provider/tests/test_07_fetch_relying_parties.py b/spid_cie_oidc/provider/tests/test_07_fetch_relying_parties.py
index 42faba64..8827d4c5 100644
--- a/spid_cie_oidc/provider/tests/test_07_fetch_relying_parties.py
+++ b/spid_cie_oidc/provider/tests/test_07_fetch_relying_parties.py
@@ -66,7 +66,7 @@ def exec(self, cmd_name:str, *args, **kwargs):
**kwargs,
)
- @override_settings(OIDCFED_IDENTITY_PROVIDERS = {"http://127.0.0.1:8000/oidc/op/" :"http://testserver/"})
+ @override_settings(OIDCFED_IDENTITY_PROVIDERS = {"spid":{"http://127.0.0.1:8000/oidc/op/" :"http://testserver/"}, "cie":{}})
@override_settings(OIDCFED_TRUST_ANCHOR = [])
def test_fetch_rp(self):
self.patcher = patch(
diff --git a/spid_cie_oidc/provider/views/__init__.py b/spid_cie_oidc/provider/views/__init__.py
index 2ac6f8e8..19015941 100644
--- a/spid_cie_oidc/provider/views/__init__.py
+++ b/spid_cie_oidc/provider/views/__init__.py
@@ -237,7 +237,8 @@ def get_id_token(
"at_hash": left_hash(jwt_at, "HS256"),
"c_hash": left_hash(authz.auth_code, "HS256"),
"aud": [authz.client_id],
- "iss": iss_sub
+ "iss": iss_sub,
+ "acr": authz.acr
}
claims = self.get_id_token_claims(authz)
if claims:
diff --git a/spid_cie_oidc/provider/views/authz_request_view.py b/spid_cie_oidc/provider/views/authz_request_view.py
index 353dbe2d..6be4d1ad 100644
--- a/spid_cie_oidc/provider/views/authz_request_view.py
+++ b/spid_cie_oidc/provider/views/authz_request_view.py
@@ -21,6 +21,7 @@
from spid_cie_oidc.provider.models import OidcSession
from spid_cie_oidc.provider.exceptions import AuthzRequestReplay
+from spid_cie_oidc.provider.settings import OIDCFED_DEFAULT_PROVIDER_PROFILE, OIDCFED_PROVIDER_PROFILES_DEFAULT_ACR
from . import OpBase
logger = logging.getLogger(__name__)
@@ -202,6 +203,12 @@ def post(self, request, *args, **kwargs):
request.session["oidc"] = {"auth_code": auth_code}
# store the User session
+ _provider_profile = getattr(
+ settings,
+ 'OIDCFED_DEFAULT_PROVIDER_PROFILE',
+ OIDCFED_DEFAULT_PROVIDER_PROFILE
+ )
+ default_acr = OIDCFED_PROVIDER_PROFILES_DEFAULT_ACR[_provider_profile]
session = OidcSession.objects.create(
user=user,
user_uid=user.username,
@@ -209,6 +216,11 @@ def post(self, request, *args, **kwargs):
authz_request=self.payload,
client_id=self.payload["client_id"],
auth_code=auth_code,
+ acr=(
+ self.payload["acr_values"][-1]
+ if len(self.payload.get("acr_values",[])) > 0
+ else default_acr
+ )
)
session.set_sid(request)
url = reverse("oidc_provider_consent")
diff --git a/spid_cie_oidc/relying_party/management/commands/fetch_openid_providers.py b/spid_cie_oidc/relying_party/management/commands/fetch_openid_providers.py
index c7fa9482..abe91a90 100644
--- a/spid_cie_oidc/relying_party/management/commands/fetch_openid_providers.py
+++ b/spid_cie_oidc/relying_party/management/commands/fetch_openid_providers.py
@@ -41,26 +41,27 @@ def handle(self, *args, **options):
return
res = []
- for op_sub, ta in settings.OIDCFED_IDENTITY_PROVIDERS.items():
- logger.info(f"Fetching Entity Configuration for {op_sub}")
- try:
- tc = get_or_create_trust_chain(
- subject=op_sub,
- trust_anchor=ta,
- metadata_type="openid_provider",
- httpc_params=HTTPC_PARAMS,
- required_trust_marks=getattr(
- settings, "OIDCFED_REQUIRED_TRUST_MARKS", []
- ),
- force=options["force"],
- )
- if tc.is_valid:
- res.append(tc)
+ for op_profile in settings.OIDCFED_IDENTITY_PROVIDERS.keys():
+ for op_sub, ta in settings.OIDCFED_IDENTITY_PROVIDERS[op_profile].items():
+ logger.info(f"Fetching Entity Configuration for {op_sub}")
+ try:
+ tc = get_or_create_trust_chain(
+ subject=op_sub,
+ trust_anchor=ta,
+ metadata_type="openid_provider",
+ httpc_params=HTTPC_PARAMS,
+ required_trust_marks=getattr(
+ settings, "OIDCFED_REQUIRED_TRUST_MARKS", []
+ ),
+ force=options["force"],
+ )
+ if tc.is_valid:
+ res.append(tc)
- logger.info(f"Final Metadata for {tc.sub}:\n\n{tc.metadata}")
+ logger.info(f"Final Metadata for {tc.sub}:\n\n{tc.metadata}")
- except Exception as e:
- logger.error(f"Failed to download {op_sub} due to: {e}")
- continue
+ except Exception as e:
+ logger.error(f"Failed to download {op_sub} due to: {e}")
+ continue
logger.info(f"Found {res}")
diff --git a/spid_cie_oidc/relying_party/settings.py b/spid_cie_oidc/relying_party/settings.py
index 1e547526..d5bfd921 100644
--- a/spid_cie_oidc/relying_party/settings.py
+++ b/spid_cie_oidc/relying_party/settings.py
@@ -1,5 +1,5 @@
from django.conf import settings
-from spid_cie_oidc.onboarding.schemas.authn_requests import AcrValuesCie, AcrValuesSpid
+from spid_cie_oidc.onboarding.schemas.authn_requests import AcrValuesCie, AcrValuesSpid, AuthenticationRequestCie, AuthenticationRequestSpid
from spid_cie_oidc.entity.schemas.rp_metadata import RPMetadataSpid, RPMetadataCie
from spid_cie_oidc.onboarding.schemas.authn_response import AuthenticationResponse, AuthenticationResponseCie
from spid_cie_oidc.onboarding.schemas.token_response import TokenResponse
@@ -15,18 +15,27 @@
}
+OIDCFED_ACR_PROFILES = getattr(
+ settings,
+ "OIDCFED_ACR_PROFILES",
+ dict(
+ spid = AcrValuesSpid.l2.value,
+ cie = AcrValuesCie.l2.value
+ )
+)
+
RP_PROVIDER_PROFILES = getattr(
settings,
"RP_PROVIDER_PROFILES",
{
"spid": {
- "authorization_request": {"acr_values": AcrValuesSpid.l2.value},
+ "authorization_request": AuthenticationRequestSpid,
"rp_metadata": RPMetadataSpid,
"authn_response": AuthenticationResponse,
"token_response": TokenResponse
},
"cie": {
- "authorization_request": {"acr_values": AcrValuesCie.l2.value},
+ "authorization_request": AuthenticationRequestCie,
"rp_metadata": RPMetadataCie,
"authn_response": AuthenticationResponseCie,
"token_response": TokenResponse
diff --git a/spid_cie_oidc/relying_party/static/css/access-button.css b/spid_cie_oidc/relying_party/static/css/access-button.css
index d963e808..085c12df 100644
--- a/spid_cie_oidc/relying_party/static/css/access-button.css
+++ b/spid_cie_oidc/relying_party/static/css/access-button.css
@@ -289,4 +289,125 @@ svg {
overflow: hidden;
clip: rect(0, 0, 0, 0);
border: 0
-}
\ No newline at end of file
+}
+
+.cie-idp-button {
+ position: absolute;
+ z-index: 1039;
+ display: none
+}
+
+.cie-idp-button .cie-idp-button-menu,
+.cie-idp-button .cie-idp-button-panel {
+ list-style: none;
+ background: white;
+ border: solid 1px #ddd;
+ box-shadow: 0 0 5px rgba(0, 0, 0, 0.2);
+ overflow: visible;
+ padding: 0;
+ margin: 0
+}
+
+#cie-idp-button-small-get,
+#cie-idp-button-medium-get,
+#cie-idp-button-small-post,
+#cie-idp-button-medium-post {
+ width: 230px
+}
+
+#cie-idp-button-large-get,
+#cie-idp-button-large-post {
+ width: 270px
+}
+
+#cie-idp-button-xlarge-get,
+#cie-idp-button-xlarge-post {
+ width: 330px
+}
+
+.cie-idp-button .cie-idp-button-panel {
+ padding: 10px
+}
+
+.cie-idp-button.cie-idp-button-tip {
+ margin-top: 8px
+}
+
+.cie-idp-button.cie-idp-button-tip:before {
+ position: absolute;
+ top: -6px;
+ left: 9px;
+ content: "";
+ border-left: 7px solid transparent;
+ border-right: 7px solid transparent;
+ border-bottom: 7px solid #ddd;
+ display: inline-block
+}
+
+.cie-idp-button.cie-idp-button-tip:after {
+ position: absolute;
+ top: -5px;
+ left: 10px;
+ content: "";
+ border-left: 6px solid transparent;
+ border-right: 6px solid transparent;
+ border-bottom: 6px solid white;
+ display: inline-block
+}
+
+.cie-idp-button.cie-idp-button-tip.cie-idp-button-anchor-right:before {
+ left: auto;
+ right: 9px
+}
+
+.cie-idp-button.cie-idp-button-tip.cie-idp-button-anchor-right:after {
+ left: auto;
+ right: 10px
+}
+
+.cie-idp-button.cie-idp-button-scroll .cie-idp-button-menu,
+.cie-idp-button.cie-idp-button-scroll .cie-idp-button-panel {
+ max-height: 180px;
+ overflow: auto
+}
+
+.cie-idp-button .cie-idp-button-menu li {
+ list-style: none;
+ padding: 0 0;
+ margin: 0;
+ line-height: 18px
+}
+
+.cie-idp-button .cie-idp-button-menu li > a,
+.cie-idp-button .cie-idp-button-menu label {
+ display: block;
+ font-family: "Titillium Web", HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;
+ font-weight: 600;
+ font-size: .9em;
+ color: #3b61b6;
+ text-decoration: underline;
+ line-height: 18px;
+ padding-top: 5px;
+ white-space: nowrap;
+ border-bottom: 1px solid #ddd;
+}
+
+.cie-idp-button .cie-idp-button-menu li > a:hover,
+.cie-idp-button .cie-idp-button-menu label:hover {
+ color: #036;
+ cursor: pointer;
+ background-color: #F0F0F0
+}
+
+.cie-idp-button .cie-idp-button-menu li > a img {
+ height: 35px;
+ padding-bottom: 5px;
+ border: 0;
+ width: 100%;
+}
+
+
+
+
+
+
diff --git a/spid_cie_oidc/relying_party/static/js/spid-sp-access-button.js b/spid_cie_oidc/relying_party/static/js/spid-sp-access-button.js
index 1afa796f..86f95848 100644
--- a/spid_cie_oidc/relying_party/static/js/spid-sp-access-button.js
+++ b/spid_cie_oidc/relying_party/static/js/spid-sp-access-button.js
@@ -35,4 +35,44 @@ jQuery && function (t) {
}
}
}), t(document).on("click.spid-idp-button", "[spid-idp-button]", i), t(document).on("click.spid-idp-button", s), t(window).on("resize", e)
+}(jQuery)
+
+
+jQuery && function (t) {
+ function i(i, n) {
+ var d = i ? t(this) : n, o = t(d.attr("cie-idp-button")), r = d.hasClass("cie-idp-button-open")
+ if (i) {
+ if (t(i.target).hasClass("cie-idp-button-ignore")) return
+ i.preventDefault(), i.stopPropagation()
+ } else if (d !== n.target && t(n.target).hasClass("cie-idp-button-ignore")) return
+ s(), r || d.hasClass("cie-idp-button-disabled") || (d.addClass("cie-idp-button-open"), o.data("cie-idp-button-trigger", d).show(), e(), o.trigger("show", { cieIDPButton: o, trigger: d }))
+ }
+
+ function s(i) {
+ var s = i ? t(i.target).parents().addBack() : null
+ if (s && s.is(".cie-idp-button")) {
+ if (!s.is(".cie-idp-button-menu")) return
+ if (!s.is("A")) return
+ }
+ t(document).find(".cie-idp-button:visible").each(function () {
+ var i = t(this)
+ i.hide().removeData("cie-idp-button-trigger").trigger("hide", { cieIDPButton: i })
+ }), t(document).find(".cie-idp-button-open").removeClass("cie-idp-button-open")
+ }
+
+ function e() {
+ var i = t(".cie-idp-button:visible").eq(0), s = i.data("cie-idp-button-trigger"), e = s ? parseInt(s.attr("data-horizontal-offset") || 0, 10) : null, n = s ? parseInt(s.attr("data-vertical-offset") || 0, 10) : null
+ 0 !== i.length && s && (i.hasClass("cie-idp-button-relative") ? i.css({ left: i.hasClass("cie-idp-button-anchor-right") ? s.position().left - (i.outerWidth(!0) - s.outerWidth(!0)) - parseInt(s.css("margin-right"), 10) + e : s.position().left + parseInt(s.css("margin-left"), 10) + e, top: s.position().top + s.outerHeight(!0) - parseInt(s.css("margin-top"), 10) + n }) : i.css({ left: i.hasClass("cie-idp-button-anchor-right") ? s.offset().left - (i.outerWidth() - s.outerWidth()) + e : s.offset().left + e, top: s.offset().top + s.outerHeight() + n }))
+ } t.extend(t.fn, {
+ cieIDPButton: function (e, n) {
+ switch (e) {
+ case "show": return i(null, t(this)), t(this)
+ case "hide": return s(), t(this)
+ case "attach": return t(this).attr("cie-idp-button", n)
+ case "detach": return s(), t(this).removeAttr("cie-idp-button")
+ case "disable": return t(this).addClass("cie-idp-button-disabled")
+ case "enable": return s(), t(this).removeClass("cie-idp-button-disabled")
+ }
+ }
+ }), t(document).on("click.cie-idp-button", "[cie-idp-button]", i), t(document).on("click.cie-idp-button", s), t(window).on("resize", e)
}(jQuery)
\ No newline at end of file
diff --git a/spid_cie_oidc/relying_party/static/js/spid_button.js b/spid_cie_oidc/relying_party/static/js/spid_button.js
index 0cd29b76..a96c57c0 100644
--- a/spid_cie_oidc/relying_party/static/js/spid_button.js
+++ b/spid_cie_oidc/relying_party/static/js/spid_button.js
@@ -16,6 +16,15 @@ $(document).ready(function(){
}
rootList.append(lnkList);
});
+$(document).ready(function(){
+ var rootList = $("#cie-idp-list-medium-root-get");
+ var idpList = rootList.children(".cie-idp-button-link");
+ var lnkList = rootList.children(".cie-idp-support-link");
+ while (idpList.length) {
+ rootList.append(idpList.splice(Math.floor(Math.random() * idpList.length), 1)[0]);
+ }
+ rootList.append(lnkList);
+});
$(document).ready(function(){
var rootList = $("#spid-idp-list-large-root-get");
var idpList = rootList.children(".spid-idp-button-link");
diff --git a/spid_cie_oidc/relying_party/templates/rp_landing.html b/spid_cie_oidc/relying_party/templates/rp_landing.html
index d6444fea..750443b5 100644
--- a/spid_cie_oidc/relying_party/templates/rp_landing.html
+++ b/spid_cie_oidc/relying_party/templates/rp_landing.html
@@ -48,11 +48,12 @@
+
-
+
+
diff --git a/spid_cie_oidc/relying_party/tests/test_06_fetch_openid_providers.py b/spid_cie_oidc/relying_party/tests/test_06_fetch_openid_providers.py
index a83a0843..b0f07a8c 100644
--- a/spid_cie_oidc/relying_party/tests/test_06_fetch_openid_providers.py
+++ b/spid_cie_oidc/relying_party/tests/test_06_fetch_openid_providers.py
@@ -53,7 +53,7 @@ def exec(self, cmd_name:str, *args, **kwargs):
**kwargs,
)
- @override_settings(OIDCFED_IDENTITY_PROVIDERS = {"http://127.0.0.1:8000/oidc/op/" :"http://testserver/"})
+ @override_settings(OIDCFED_IDENTITY_PROVIDERS = {"spid": {"http://127.0.0.1:8000/oidc/op/" :"http://testserver/"}, "cie":{}})
def test_fetch_provider(self):
self.patcher = patch(
"spid_cie_oidc.entity.trust_chain_operations.get_or_create_trust_chain",
diff --git a/spid_cie_oidc/relying_party/views.py b/spid_cie_oidc/relying_party/views.py
index 0e3b1c1b..f10a66e4 100644
--- a/spid_cie_oidc/relying_party/views.py
+++ b/spid_cie_oidc/relying_party/views.py
@@ -27,10 +27,10 @@
from spid_cie_oidc.entity.settings import HTTPC_PARAMS
from spid_cie_oidc.entity.statements import get_http_url
from spid_cie_oidc.entity.trust_chain_operations import get_or_create_trust_chain
-from spid_cie_oidc.onboarding.schemas.authn_requests import AcrValuesSpid
from spid_cie_oidc.relying_party.settings import (
RP_DEFAULT_PROVIDER_PROFILES,
- RP_PROVIDER_PROFILES
+ RP_PROVIDER_PROFILES,
+ OIDCFED_ACR_PROFILES
)
from .models import OidcAuthentication, OidcAuthenticationToken
@@ -79,7 +79,6 @@ def get_oidc_op(self, request) -> TrustChain:
raise InvalidTrustchain(
"Missing provider url. Please try '?provider=https://provider-subject/'"
)
-
trust_anchor = request.GET.get(
"trust_anchor",
settings.OIDCFED_IDENTITY_PROVIDERS.get(
@@ -229,7 +228,8 @@ def get(self, request, *args, **kwargs):
f"Reverted to default {client_conf['redirect_uris'][0]}."
)
redirect_uri = client_conf["redirect_uris"][0]
-
+ _profile = request.GET.get("profile", "spid")
+ _acr = OIDCFED_ACR_PROFILES[_profile]
authz_data = dict(
scope= request.GET.get("scope", None) or "openid",
redirect_uri=redirect_uri,
@@ -238,10 +238,10 @@ def get(self, request, *args, **kwargs):
state=random_string(32),
client_id=client_conf["client_id"],
endpoint=authz_endpoint,
- acr_values=request.GET.get("acr_values", AcrValuesSpid.l2.value),
+ acr_values= _acr,
iat=int(timezone.localtime().timestamp()),
aud=[tc.sub, authz_endpoint],
- claims=RP_REQUEST_CLAIM_BY_PROFILE[request.GET.get("profile", "spid")],
+ claims=RP_REQUEST_CLAIM_BY_PROFILE[_profile],
)
_prompt = request.GET.get("prompt", "consent login")
@@ -588,10 +588,17 @@ def oidc_rp_landing(request):
trust_chains = TrustChain.objects.filter(
type="openid_provider", is_active=True
)
- providers = []
+ spid_providers = []
+ cie_providers = []
for tc in trust_chains:
- if tc.is_valid:
- providers.append(tc)
- random.shuffle(providers)
- content = {"providers": providers}
+ if tc.is_active:
+ if tc.sub in settings.OIDCFED_IDENTITY_PROVIDERS["spid"]:
+ spid_providers.append(tc)
+ elif tc.sub in settings.OIDCFED_IDENTITY_PROVIDERS["cie"]:
+ cie_providers.append(tc)
+ random.shuffle(spid_providers)
+ content = {
+ "spid_providers": spid_providers,
+ "cie_providers" : cie_providers
+ }
return render(request, "rp_landing.html", content)
From 0101e7fcb0cc1c3728ecab3e8ab08ecfe660e4b7 Mon Sep 17 00:00:00 2001
From: peppelinux 
+ {% endif %}
+