Files
wehub-resource-sync 49b9bb6724
Deploy Docs / deploy-docs (push) Failing after 1s
Conformance Tests / client-conformance (push) Failing after 3s
Conformance Tests / server-conformance (push) Failing after 1s
GitHub Actions Security Analysis / zizmor (push) Failing after 1s
CI / checks (push) Failing after 59m20s
CI / all-green (push) Waiting to run
chore: import upstream snapshot with attribution
2026-07-13 12:10:27 +08:00

44 lines
1.7 KiB
Python

"""A stand-in enterprise identity provider: it signs the ID-JAGs the demo authorization server trusts.
In production the IdP is a separate service (Okta, Microsoft Entra ID, ...) and the client obtains
the ID-JAG from it with an RFC 8693 token-exchange request, presenting the signed-in user's ID
token. `issue_id_jag` collapses that whole step into one in-process signing call so the story runs
unattended; the README's caveats spell out what a real deployment changes.
"""
import time
import uuid
import jwt
IDP_ISSUER = "https://idp.example.com"
# Demo only: a real IdP signs with its private key and the authorization server verifies the
# signature against the IdP's published JWKS. A shared HMAC secret keeps this story self-contained.
IDP_SIGNING_KEY = "demo-idp-signing-key"
def issue_id_jag(*, subject: str, client_id: str, audience: str, resource: str, scope: str) -> str:
"""The IdP's short-lived, signed statement that `subject`, via `client_id`, may reach `resource`.
This is where the enterprise enforces policy: an IdP that does not authorize the combination
simply never issues the ID-JAG, and there is nothing for the client to present. The `typ`
header and the claim set are fixed by the Identity Assertion JWT Authorization Grant profile.
"""
now = int(time.time())
return jwt.encode(
{
"iss": IDP_ISSUER,
"sub": subject,
"aud": audience,
"client_id": client_id,
"resource": resource,
"scope": scope,
"jti": str(uuid.uuid4()),
"iat": now,
"exp": now + 300,
},
IDP_SIGNING_KEY,
algorithm="HS256",
headers={"typ": "oauth-id-jag+jwt"},
)