OIDC_CLIENT_ALG_KEYS_HOOK specification

This update allows users of the plugin to set up custom retrieval of RSA keys used to encode/decode ID tokens.

Author: Naman Shenoy

docs/sections/settings.rst

@@ -244,4 +244,63 @@ A flag which toggles whether the scope is returned with successful response on i
 
 Must be ``True`` to include ``scope`` into the successful response
 
-Default is ``False``.
+Default is ``False``.
+
+OIDC_CLIENT_ALG_KEYS_HOOK
+=========================
+
+OPTIONAL. ``str``
+
+A string with the location of your function hook.
+Here you can customize the retrieval of the RSA keys for the ID token encoding and decoding.
+
+.. note::
+    To ensure that the RSA keys provided by the ``/jwks`` endpoint is consistent with the
+    values retrieved from this hook function, define the ``OIDC_JWKS_RESPONSE_HOOK`` response appropriately.
+
+The hook function receives following arguments:
+
+ * ``client``: Instance of the client.
+
+The hook function should return a list of `jwkest.jwk.RSAKey` of the available keys.
+
+Default is::
+
+    def default_get_client_alg_keys(client):
+        """
+        Takes a client and returns the set of keys associated with it.
+        Returns a list of keys.
+        """
+        if client.jwt_alg == 'RS256':
+            keys = []
+            for rsakey in RSAKey.objects.all():
+                keys.append(jwk_RSAKey(key=importKey(rsakey.key), kid=rsakey.kid))
+            if not keys:
+                raise Exception('You must add at least one RSA Key.')
+        elif client.jwt_alg == 'HS256':
+            keys = [SYMKey(key=client.client_secret, alg=client.jwt_alg)]
+        else:
+            raise Exception('Unsupported key algorithm.')
+
+        return keys
+
+
+OIDC_JWKS_RESPONSE_HOOK
+=======================
+
+OPTIONAL. ``str``
+
+A string with the location of your function hook.
+Here you can provide a customized list of JWKS that will be returned by the ``/jwks`` endpoint.
+
+.. note::
+    To ensure that the RSA keys provided by the ``/jwks`` endpoint is consistent with the
+    values retrieved from this hook function, define the ``OIDC_CLIENT_ALG_KEYS_HOOK`` appropriately.
+
+This hook function takes in no arguments, and should returns a list of dictionaries with the following keys:
+* 'kty' with the value 'RSA'
+* 'alg' with the value 'RS256'
+* 'use' with the value 'sig'
+* 'kid' with the kid for the key
+* 'n'   with the  base64 representation of the modulus parameter
+* 'e'   with the base64 representation of the exponent parameter

oidc_provider/lib/utils/token.py

@@ -8,6 +8,7 @@
 from jwkest.jwk import SYMKey
 from jwkest.jws import JWS
 from jwkest.jwt import JWT
+from jwkest import long_to_base64
 
 from oidc_provider.lib.utils.common import get_issuer, run_processing_hook
 from oidc_provider.lib.claims import StandardScopeClaims
@@ -147,8 +148,16 @@ def create_code(user, client, scope, nonce, is_authentication,
 
     return code
 
-
 def get_client_alg_keys(client):
+    """
+    Hook to customize RSA Key retrieval.
+    :param client:
+    :return:
+    """
+    client_alg_keys_hook = settings.get('OIDC_CLIENT_ALG_KEYS_HOOK')
+    return settings.import_from_str(client_alg_keys_hook)(client)
+
+def default_get_client_alg_keys(client):
     """
     Takes a client and returns the set of keys associated with it.
     Returns a list of keys.
@@ -165,3 +174,22 @@ def get_client_alg_keys(client):
         raise Exception('Unsupported key algorithm.')
 
     return keys
+
+def default_get_jwks():
+    """
+    Returns a list of dictionaries containing the JWKs for return by the ``jwks`` endpoint
+    """
+    dic = dict(keys=[])
+
+    for rsakey in RSAKey.objects.all():
+        public_key = importKey(rsakey.key).publickey()
+        dic['keys'].append({
+            'kty': 'RSA',
+            'alg': 'RS256',
+            'use': 'sig',
+            'kid': rsakey.kid,
+            'n': long_to_base64(public_key.n),
+            'e': long_to_base64(public_key.e),
+        })
+    
+    return dic

oidc_provider/settings.py

@@ -129,6 +129,24 @@ def OIDC_IDTOKEN_PROCESSING_HOOK(self):
         """
         return 'oidc_provider.lib.utils.common.default_idtoken_processing_hook'
 
+    @property
+    def OIDC_CLIENT_ALG_KEYS_HOOK(self):
+        """
+        OPTIONAL. A string with the location of your hook.
+        Used to specify which keys to return for a particular client and algorithm.
+        Returns jwkest.jwk.SYMKey
+        """
+        return 'oidc_provider.lib.utils.token.default_get_client_alg_keys'
+    
+    @property
+    def OIDC_JWKS_RESPONSE_HOOK(self):
+        """
+        OPTIONAL. A string with the location of your hook.
+        Used to specify the list of JWKS for your app.
+        Returns a list of dictionaries that will form the response of the ``jwks`` endpoint.
+        """
+        return 'oidc_provider.lib.utils.token.default_get_jwks'
+
     @property
     def OIDC_INTROSPECTION_PROCESSING_HOOK(self):
         """

oidc_provider/views.py

@@ -296,19 +296,8 @@ def get(self, request, *args, **kwargs):
 
 class JwksView(View):
     def get(self, request, *args, **kwargs):
-        dic = dict(keys=[])
-
-        for rsakey in RSAKey.objects.all():
-            public_key = RSA.importKey(rsakey.key).publickey()
-            dic['keys'].append({
-                'kty': 'RSA',
-                'alg': 'RS256',
-                'use': 'sig',
-                'kid': rsakey.kid,
-                'n': long_to_base64(public_key.n),
-                'e': long_to_base64(public_key.e),
-            })
-
+        jwks_hook = settings.get('OIDC_JWKS_RESPONSE_HOOK')
+        dic = settings.import_from_str(jwks_hook)()
         response = JsonResponse(dic)
         response['Access-Control-Allow-Origin'] = '*'