A request/response example

this feature MAY be implemented in spid_cie_oidc.authority.

GET /federation_adv_list HTTP/1.1
Host: registry.spid.gov.it

200 OK
Last-Modified: Mon, 17 Dec 2018 11:15:56 GMT
Content-Type: application/json



{
 "iss": "https://registry.spid.gov.it/",
 "iat": 1620050972,
 "entities": [
   {
    "https://rp.example.it/spid/": {
       "iat": 1588455866,
   },
   {
    "https://rp.another.it/spid/": {
       "iat": 1588455856,
   },
   {
    "https://rp.it/spid/": {
       "iat": 1588355866,
   },
   ... # many other entries
 ],
"page": 1,
"total_pages": 2,
"total_entries": 189,
"next_page_path": "/federation_adv_list/?page=2",
"prev_page_path": ""
}

at this stage

following error occurs

django.db.utils.IntegrityError: Problem installing fixtures: The row in table 'spid_cie_oidc_provider_oidcsession' with primary key '1' has an invalid foreign key: spid_cie_oidc_provider_oidcsession.user_id contains a value '1' that does not have a corresponding value in spid_cie_oidc_accounts_user.id.

A Metadata discovery won't be executed if there wan't at least a valid and verified trust mark in the entity configuration of the requestor

We need that all the trust chains and statements validations/operations must be independent from django framework.

This way the code can be used/imported as it is even in a different python framework.

at the same time we MAY support the resuse of already cached statements, instead of download them each time.

this can be done in two different way:

1. pass all the cached entries as argument -> bad
2. create and dynamically import a proxy function that queries the django ORM. This function can be configured as a string in a general setting and imported dynamicall runtime -> good

with the second choice we'll get all the statements on each occurence

User claims in idToken as CIE specifications

We're considering the requirement to improve the mechanism to mint new trust marks with more dynamic claim then these:
https://github.com/peppelinux/spid-cie-oidc-django/blob/49649c2117ecd8fab2dda0bc7a9397030a996795/spid_cie_oidc/onboarding/models.py#L231

we must consider also to have exp claim dynamically defined (this is an easy win)

https://bitbucket.org/openid/connect/issues/1456/scopes-metadata-parameter-needs-to-be

We have trust chain builder with an inmemory cache

we need a storage mechanism to entity.models.TrustChain

we may serialize the TrustChain().trust_path and also sto the TrustChain().finale_metadata in the model

both RP and OP will query the TrustChain model and only if it were expired they will execute the TrustchainBuilder

The endpoint is protected by private key jwt so unattacher can't brute force or predict a refresh token.
Having said this we propose to answer even with other http status code different from 200

We need a pydatic schema to validate every objects involved in a authn code flow.
We start this task with the validation of authn requests.

The goal is to have an exportable json schema, that can be used by other developers, for other languages/SDK, to reuse our validation approach.

in entity.settings we defined the allowd algs

but in federation entity configuration we don't check if in the submitted metadata we have some values not supported.

TODO: log a warning message to the user or raise a ValidationError

This is to allow an entity to check whether a trust mark is still active or not. The query MUST be sent to the trust mark issuer.

The request MUST be an HTTP request using the GET method and the https scheme to a resolved status endpoint with the following query string parameters:

sub
OPTIONAL. The entity_id for the entity to which the trust mark was issued.

id
OPTIONAL. Identifier of the trust mark.

iat
OPTIONAL. When the trust mark was issued. If iat is not specified and the trust issuer have issued several trust marks with the id specified in the request to the entity identified by sub. Then the last last one is assumed.

trust_mark
OPTIONAL. The whole trust mark

If a user declined his consent, he must be redirected to the RP (with an error page)

@dezhizhang1985 this is the README where we illustrate to a new user how to run the example project
https://github.com/peppelinux/spid-cie-oidc-django/blob/dev/docs/technical_specifications/ONBOARDING.md

we need also to put a screenshot of all the pages related to the onboarding service
this will be done when we'll release v0.3.0

How to create a SPID/CIE Button

1. configure idps OIDCFED_IDENTITY_PROVIDERS = ["http://127.0.0.1:8000/oidc/op/"] in settings.py
2. fetch manage.py fetch_openid_providers --start
3. open the landing page of the RP in the browser

required!

possible solution ?

        'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),

on the track here:
#21

spid_cie_oidc.onboarding comes with an admin backend that allows operators to register new entities as descendants of their trust anchor or intermediate entity.

It would be useful to have a frontend accessible by means of SPID/CIE authentication that allows to verify the ownership of a user to start an administrative practice of onboarding and the registration of a new entity.

the Trust Chain must have a global expiration attribute and a method that tells if it's expired or not

if a user gets logged in and he is a staff (user.is_staff == True) we MUST redirect the user to the testing page instead of the consent one.

In the testing page the user (staff) can select one of the several test we'll have to check the compliances of a RP to SPID and/or CIE id.

the user can also be able to change the attributes, remove or add, to be released to the RPs.

Add this attributes to authn request schema validator both for spid and cie:

• sub
• iss
• iat
• exp
• jti
• aud

jti can be produced like this:

import uuid

jti: str(uuid.uuid4())

during the build of the trust chain a loop may occour due to a bad configurations on entities in a federation.
In this case the trust chain builder have to break that short circuit :)

We must be able to load in our project only the authority features to create a trust anchor or an intermediary, without taking also the onboarding demo.

Having said this we'll have another app called authority that loads the models we have in the actual onboarding
The onboarding app will only have the demo frontend and models for an authority/intermediary

here
https://github.com/peppelinux/spid-cie-oidc-django/blob/673fb962cdaf36b39832ca55f5b8a91f6e65087b/spid_cie_oidc/onboarding/schemas/authn_requests.py#L51

we have CIE user claims
we need also the spid user claims

Hi @francescatronconi

I have just adjusted the sample data and made some bugfix in trust chain evaluation here:
1e3ab6a

What I realized is that we need metadata validators for openid_provider and openid_relying_party to be developed as standalone schemas and also included in models validators

in entity.models.FederationEntityConfiguration and in authority.models.FederationEntityDescendants

I had jwks out of rp metadata and lost a few minutes due to this.

That said I think if it’s okay with you we should continue on pydantic and the metadata of OP and RP
Metadata is on OIDC CIE, section 3, page 8

I'll start over this
#43

here

https://github.com/peppelinux/spid-cie-oidc-django/blob/f1694c6ae5f26d3e249f05f23e0e15cc8f8da2e7/spid_cie_oidc/authority/tests/test_02_trust_anchor_intermediary.py#L171

we need more coverage with faulty use cases

in provider.settings

OIDCFED_PROVIDER_MAX_REFRESH = 1

in provider.views.TokenEndpoint.grant_refresh_token we have to count how many token have been issued and check if the threshold have been exceeded

this issue is also linked to this other
#76

I get authz request to work, and that's the initialization url
http://localhost:8001/oidc/spid/begin?provider=http://127.0.0.1:8000/oidc/op

@dezhizhang1985 that's what the SPID/CIE button MUST trigger

anyway the kind of auth request not use the request object.

in the /docs folder

here
https://github.com/peppelinux/spid-cie-oidc-django/pull/75/files#diff-d623506a77bf9eb93df08f99f22fe7580d3f2cf12dc3bd3111a8a18baa945245R583

Windows 11
Pytrhon 3.10.2
pip 22.0.4

some text decoding problem seems to be on this line

We need to document how to get a working oidc provider

TODO:

• spid_cie_oidc/relying_party/management/commands/fetch_openid_providers.py
• spid_cie_oidc/provider/management/commands/fetch_openid_relying_parties.py

in the onboarding tools we need a tool where the user submits a metadata and a metadata policy, so a form with two textfield

the result is a final metadata with the applied policy.

the view that handle this feature will implement what's already done and documented here:
https://github.com/italia/spid-cie-oidc-django/blob/main/docs/FEDERATION_METADATA_POLICY.md

Add a url and a view that renders a landing page with spid button

• a CIE and a SPID button in a bootstrap italia template, raw example here look at the JS code
• The SPID button MUST be built using all the valid trust chains related to OPs
• Authn request trigger that calls this webpath

this method MUST be implemented

https://github.com/peppelinux/spid-cie-oidc-django/blob/5e5032eb64eb8172c3e974d96f8484d8f87f9251/spid_cie_oidc/provider/views.py#L522

We have a form to submit a new registration

we need that a is_staff user can enable a descendant, without assigning any profiles (any active trust marks) to test it in the federation

As made up by @selfissued here
https://bitbucket.org/openid/connect/pull-requests/129

in the onboarding frontend we need some tools to

• create a jwk
• convert a PEM certificate/key to private/public jwk
• create a trust chain by submitting only a sub
• validating a trust mark
• decode a jwt and verify if a jwk is also submitted

@dezhizhang1985 we need different logo for different Provider profiles, as defined here for example:
https://github.com/italia/spid-cie-oidc-django/blob/main/spid_cie_oidc/provider/settings.py

We need to implement this endpoint for Provider and also handle this http request in the rp initiated logout endpoint of the RP

we need to:

• create a view for this

  • in the POST method we need to calidate the client_assertion, as here f233568
  • check if the issuedtoken is still valid and not expired, anyway.
  • revoke the issued token and all the tokens linked to the parent oidc session
  • destroy the user session, see: 17530d0#diff-95680d9a64d71e280f1266c1cbf174154db4ae2d114ed044aacabb2a8706cf1cR44

• add it in the provider's urls.py file

• create functions for convert a PEM certificate/key to private/public jwk

Done here:
3db5e85

here:
https://github.com/italia/spid-cie-oidc-django/blob/main/spid_cie_oidc/relying_party/views.py#L588

we just need to implement a shuffle method to randomize the elements ordering inside of a list

@mauro ^

Here
https://github.com/peppelinux/spid-cie-oidc-django/blob/provider/spid_cie_oidc/provider/views.py#L779

We need a fancy page for the RP's resource echo attributes

here
#10