Customize RSA key import and JWKs endpoint response via hooks

docs/sections/settings.rst

@@ -244,4 +244,85 @@ A flag which toggles whether the scope is returned with successful response on i
 
 Must be ``True`` to include ``scope`` into the successful response
 
-Default is ``False``.
+Default is ``False``.
+
+OIDC_CLIENT_ALG_KEYS_HOOK
+=========================
+
+OPTIONAL. ``str``
+
+A string with the location of your function hook.
+Here you can customize the retrieval of the RSA keys for the ID token encoding and decoding.
+
+.. note::
+    To ensure that the RSA keys provided by the ``/jwks`` endpoint is consistent with the
+    values retrieved from this hook function, define the ``OIDC_JWKS_RESPONSE_HOOK`` response appropriately.
+
+The hook function receives following arguments:
+
+ * ``client``: Instance of the client.
+
+The hook function should return a `List[jwkest.jwk.RSAKey]` of the available keys.
+
+Default is::
+
+    def default_get_client_alg_keys(client):
+        """
+        Takes a client and returns the set of keys associated with it.
+        Returns a list of keys.
+        """
+        if client.jwt_alg == 'RS256':
+            keys = []
+            for rsakey in RSAKey.objects.all():
+                keys.append(jwk_RSAKey(key=importKey(rsakey.key), kid=rsakey.kid))
+            if not keys:
+                raise Exception('You must add at least one RSA Key.')
+        elif client.jwt_alg == 'HS256':
+            keys = [SYMKey(key=client.client_secret, alg=client.jwt_alg)]
+        else:
+            raise Exception('Unsupported key algorithm.')
+
+        return keys
+
+
+OIDC_JWKS_RESPONSE_HOOK
+=======================
+
+OPTIONAL. ``str``
+
+A string with the location of your function hook.
+Here you can provide a customized list of JWKS that will be returned by the ``/jwks`` endpoint.
+
+.. note::
+    To ensure that the RSA keys provided by the ``/jwks`` endpoint is consistent with the
+    values retrieved from this hook function, define the ``OIDC_CLIENT_ALG_KEYS_HOOK`` appropriately.
+
+This hook function takes in no arguments, and should returns a list of dictionaries with the following keys:
+* 'kty' with the value 'RSA'
+* 'alg' with the value 'RS256'
+* 'use' with the value 'sig'
+* 'kid' with the kid for the key
+* 'n'   with the  base64 representation of the modulus parameter
+* 'e'   with the base64 representation of the exponent parameter
+
+Default is::
+
+    def default_get_jwks():
+    """
+    Returns a list of dictionaries containing the JWKs for return by the ``jwks`` endpoint
+    """
+
+        dic = dict(keys=[])
+
+        for rsakey in RSAKey.objects.all():
+            public_key = importKey(rsakey.key).publickey()
+            dic['keys'].append({
+                'kty': 'RSA',
+                'alg': 'RS256',
+                'use': 'sig',
+                'kid': rsakey.kid,
+                'n': long_to_base64(public_key.n),
+                'e': long_to_base64(public_key.e),
+            })
+
+        return dic

example/app/urls.py

@@ -9,7 +9,9 @@
 
 urlpatterns = [
     url(r'^$', TemplateView.as_view(template_name='home.html'), name='home'),
-    url(r'^accounts/login/$', auth_views.LoginView.as_view(template_name='login.html'), name='login'),
+    url(r'^accounts/login/$', auth_views.LoginView.as_view(
+        template_name='login.html'
+    ), name='login'),
     url(r'^accounts/logout/$', auth_views.LogoutView.as_view(next_page='/'), name='logout'),
     url(r'^', include('oidc_provider.urls', namespace='oidc_provider')),
     url(r'^admin/', admin.site.urls),

oidc_provider/lib/utils/token.py

@@ -8,6 +8,7 @@
 from jwkest.jwk import SYMKey
 from jwkest.jws import JWS
 from jwkest.jwt import JWT
+from jwkest import long_to_base64
 
 from oidc_provider.lib.utils.common import get_issuer, run_processing_hook
 from oidc_provider.lib.claims import StandardScopeClaims
@@ -149,6 +150,16 @@ def create_code(user, client, scope, nonce, is_authentication,
 
 
 def get_client_alg_keys(client):
+    """
+    Hook to customize RSA Key retrieval.
+    :param client:
+    :return:
+    """
+    client_alg_keys_hook = settings.get('OIDC_CLIENT_ALG_KEYS_HOOK')
+    return settings.import_from_str(client_alg_keys_hook)(client)
+
+
+def default_get_client_alg_keys(client):
     """
     Takes a client and returns the set of keys associated with it.
     Returns a list of keys.
@@ -165,3 +176,23 @@ def get_client_alg_keys(client):
         raise Exception('Unsupported key algorithm.')
 
     return keys
+
+
+def default_get_jwks():
+    """
+    Returns a list of dictionaries containing the JWKs for return by the ``jwks`` endpoint
+    """
+    dic = dict(keys=[])
+
+    for rsakey in RSAKey.objects.all():
+        public_key = importKey(rsakey.key).publickey()
+        dic['keys'].append({
+            'kty': 'RSA',
+            'alg': 'RS256',
+            'use': 'sig',
+            'kid': rsakey.kid,
+            'n': long_to_base64(public_key.n),
+            'e': long_to_base64(public_key.e),
+        })
+
+    return dic

oidc_provider/settings.py

@@ -129,6 +129,24 @@ def OIDC_IDTOKEN_PROCESSING_HOOK(self):
         """
         return 'oidc_provider.lib.utils.common.default_idtoken_processing_hook'
 
+    @property
+    def OIDC_CLIENT_ALG_KEYS_HOOK(self):
+        """
+        OPTIONAL. A string with the location of your hook.
+        Used to specify which keys to return for a particular client and algorithm.
+        Returns jwkest.jwk.SYMKey
+        """
+        return 'oidc_provider.lib.utils.token.default_get_client_alg_keys'
+
+    @property
+    def OIDC_JWKS_RESPONSE_HOOK(self):
+        """
+        OPTIONAL. A string with the location of your hook.
+        Used to specify the list of JWKS for your app.
+        Returns a list of dictionaries that will form the response of the ``jwks`` endpoint.
+        """
+        return 'oidc_provider.lib.utils.token.default_get_jwks'
+
     @property
     def OIDC_INTROSPECTION_PROCESSING_HOOK(self):
         """

oidc_provider/version.py

@@ -1 +1 @@
-__version__ = '0.8.0'
+__version__ = '0.9.0'

oidc_provider/views.py

@@ -9,7 +9,6 @@
 except ImportError:
     from urllib.parse import urlsplit, parse_qs, urlunsplit, urlencode
 
-from Cryptodome.PublicKey import RSA
 from django.contrib.auth.views import (
     redirect_to_login,
     LogoutView,
@@ -26,7 +25,6 @@
 from django.views.decorators.clickjacking import xframe_options_exempt
 from django.views.decorators.http import require_http_methods
 from django.views.generic import View
-from jwkest import long_to_base64
 
 from oidc_provider.compat import get_attr_or_callable
 from oidc_provider.lib.claims import StandardScopeClaims
@@ -50,7 +48,6 @@
 from oidc_provider.lib.utils.token import client_id_from_id_token
 from oidc_provider.models import (
     Client,
-    RSAKey,
     ResponseType)
 from oidc_provider import settings
 from oidc_provider import signals
@@ -291,19 +288,8 @@ def get(self, request, *args, **kwargs):
 
 class JwksView(View):
     def get(self, request, *args, **kwargs):
-        dic = dict(keys=[])
-
-        for rsakey in RSAKey.objects.all():
-            public_key = RSA.importKey(rsakey.key).publickey()
-            dic['keys'].append({
-                'kty': 'RSA',
-                'alg': 'RS256',
-                'use': 'sig',
-                'kid': rsakey.kid,
-                'n': long_to_base64(public_key.n),
-                'e': long_to_base64(public_key.e),
-            })
-
+        jwks_hook = settings.get('OIDC_JWKS_RESPONSE_HOOK')
+        dic = settings.import_from_str(jwks_hook)()
         response = JsonResponse(dic)
         response['Access-Control-Allow-Origin'] = '*'