49b9bb6724
Deploy Docs / deploy-docs (push) Failing after 1s
Conformance Tests / client-conformance (push) Failing after 3s
Conformance Tests / server-conformance (push) Failing after 1s
GitHub Actions Security Analysis / zizmor (push) Failing after 1s
CI / checks (push) Failing after 59m20s
CI / all-green (push) Waiting to run
44 lines
1.7 KiB
Python
44 lines
1.7 KiB
Python
"""A stand-in enterprise identity provider: it signs the ID-JAGs the demo authorization server trusts.
|
|
|
|
In production the IdP is a separate service (Okta, Microsoft Entra ID, ...) and the client obtains
|
|
the ID-JAG from it with an RFC 8693 token-exchange request, presenting the signed-in user's ID
|
|
token. `issue_id_jag` collapses that whole step into one in-process signing call so the story runs
|
|
unattended; the README's caveats spell out what a real deployment changes.
|
|
"""
|
|
|
|
import time
|
|
import uuid
|
|
|
|
import jwt
|
|
|
|
IDP_ISSUER = "https://idp.example.com"
|
|
# Demo only: a real IdP signs with its private key and the authorization server verifies the
|
|
# signature against the IdP's published JWKS. A shared HMAC secret keeps this story self-contained.
|
|
IDP_SIGNING_KEY = "demo-idp-signing-key"
|
|
|
|
|
|
def issue_id_jag(*, subject: str, client_id: str, audience: str, resource: str, scope: str) -> str:
|
|
"""The IdP's short-lived, signed statement that `subject`, via `client_id`, may reach `resource`.
|
|
|
|
This is where the enterprise enforces policy: an IdP that does not authorize the combination
|
|
simply never issues the ID-JAG, and there is nothing for the client to present. The `typ`
|
|
header and the claim set are fixed by the Identity Assertion JWT Authorization Grant profile.
|
|
"""
|
|
now = int(time.time())
|
|
return jwt.encode(
|
|
{
|
|
"iss": IDP_ISSUER,
|
|
"sub": subject,
|
|
"aud": audience,
|
|
"client_id": client_id,
|
|
"resource": resource,
|
|
"scope": scope,
|
|
"jti": str(uuid.uuid4()),
|
|
"iat": now,
|
|
"exp": now + 300,
|
|
},
|
|
IDP_SIGNING_KEY,
|
|
algorithm="HS256",
|
|
headers={"typ": "oauth-id-jag+jwt"},
|
|
)
|