IdentityPython · bajnokk · Jul 14, 2022 · Mar 13, 2023 · Mar 13, 2023 · Mar 16, 2023
diff --git a/example/plugins/frontends/openid_connect_frontend.yaml.example b/example/plugins/frontends/openid_connect_frontend.yaml.example
@@ -33,6 +33,11 @@ config:
   sub_hash_salt: randomSALTvalue
 
   provider:
+    # If you do not specify the issuer here, then BASE will be used as Issuer.
+    # Note that even though this setting must be specified as a full URL,
+    # provider discovery will only work, if the request can be routed back to
+    # SATOSA.
+    issuer: https://op.example.com/satosa/OIDC
     client_registration_supported: Yes
     response_types_supported: ["code", "id_token token"]
     subject_types_supported: ["pairwise"]

diff --git a/src/satosa/backends/base.py b/src/satosa/backends/base.py
@@ -29,7 +29,7 @@ def __init__(self, auth_callback_func, internal_attributes, base_url, name):
         self.auth_callback_func = auth_callback_func
         self.internal_attributes = internal_attributes
         self.converter = AttributeMapper(internal_attributes)
-        self.base_url = base_url
+        self.base_url = base_url.rstrip("/") if base_url else ""
         self.name = name
 
     def start_auth(self, context, internal_request):

diff --git a/src/satosa/base.py b/src/satosa/base.py
@@ -6,6 +6,7 @@
 import uuid
 
 from saml2.s_utils import UnknownSystemEntity
+from urllib.parse import urlparse
 
 from satosa import util
 from .context import Context
@@ -38,6 +39,8 @@ def __init__(self, config):
         """
         self.config = config
 
+        base_path = urlparse(self.config["BASE"]).path.lstrip("/")
+
         logger.info("Loading backend modules...")
         backends = load_backends(self.config, self._auth_resp_callback_func,
                                  self.config["INTERNAL_ATTRIBUTES"])
@@ -63,8 +66,10 @@ def __init__(self, config):
                                             self.config["BASE"]))
             self._link_micro_services(self.response_micro_services, self._auth_resp_finish)
 
-        self.module_router = ModuleRouter(frontends, backends,
-                                          self.request_micro_services + self.response_micro_services)
+        self.module_router = ModuleRouter(frontends,
+                                          backends,
+                                          self.request_micro_services + self.response_micro_services,
+                                          base_path)
 
     def _link_micro_services(self, micro_services, finisher):
         if not micro_services:

diff --git a/src/satosa/context.py b/src/satosa/context.py
@@ -76,10 +76,6 @@ def path(self, p):
             raise ValueError("path can't start with '/'")
         self._path = p
 
-    def target_entity_id_from_path(self):
-        target_entity_id = self.path.split("/")[1]
-        return target_entity_id
-
     def decorate(self, key, value):
         """
         Add information to the context

diff --git a/src/satosa/frontends/base.py b/src/satosa/frontends/base.py
@@ -2,6 +2,9 @@
 Holds a base class for frontend modules used in the SATOSA proxy.
 """
 from ..attribute_mapping import AttributeMapper
+from ..util import join_paths
+
+from urllib.parse import urlparse
 
 
 class FrontendModule(object):
@@ -14,17 +17,22 @@ def __init__(self, auth_req_callback_func, internal_attributes, base_url, name):
         :type auth_req_callback_func:
         (satosa.context.Context, satosa.internal.InternalData) -> satosa.response.Response
         :type internal_attributes: dict[str, dict[str, str | list[str]]]
+        :type base_url: str
         :type name: str
 
         :param auth_req_callback_func: Callback should be called by the module after the
         authorization response has been processed.
+        :param internal_attributes: attribute mapping
+        :param base_url: base url of the proxy
         :param name: name of the plugin
         """
         self.auth_req_callback_func = auth_req_callback_func
         self.internal_attributes = internal_attributes
         self.converter = AttributeMapper(internal_attributes)
-        self.base_url = base_url
+        self.base_url = base_url or ""
         self.name = name
+        self.endpoint_baseurl = join_paths(self.base_url, self.name)
+        self.endpoint_basepath = urlparse(self.endpoint_baseurl).path.lstrip("/")
 
     def handle_authn_response(self, context, internal_resp):
         """

diff --git a/src/satosa/frontends/openid_connect.py b/src/satosa/frontends/openid_connect.py
@@ -37,7 +37,7 @@
 from ..response import BadRequest, Created
 from ..response import SeeOther, Response
 from ..response import Unauthorized
-from ..util import rndstr
+from ..util import join_paths, rndstr
 
 import satosa.logging_util as lu
 from satosa.internal import InternalData
@@ -62,7 +62,8 @@ def __init__(self, auth_req_callback_func, internal_attributes, conf, base_url,
 
         self.config = conf
         provider_config = self.config["provider"]
-        provider_config["issuer"] = base_url
+        if not provider_config.get("issuer"):
+            provider_config["issuer"] = base_url
 
         self.signing_key = RSAKey(
             key=rsa_load(self.config["signing_key_path"]),
@@ -97,7 +98,6 @@ def __init__(self, auth_req_callback_func, internal_attributes, conf, base_url,
         else:
             cdb = {}
 
-        self.endpoint_baseurl = "{}/{}".format(self.base_url, self.name)
         self.provider = _create_provider(
             provider_config,
             self.endpoint_baseurl,
@@ -173,6 +173,19 @@ def register_endpoints(self, backend_names):
         :rtype: list[(str, ((satosa.context.Context, Any) -> satosa.response.Response, Any))]
         :raise ValueError: if more than one backend is configured
         """
+        # See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
+        #
+        # We skip the scheme + host + port of the issuer URL, because we can only map the
+        # path for the provider config endpoint. We are safe to use urlparse().path here,
+        # because for issuer OIDC allows only https URLs without query and fragment parts.
+        issuer = self.provider.configuration_information["issuer"]
+        autoconf_path = ".well-known/openid-configuration"
+        provider_config = (
+            "^{}$".format(join_paths(urlparse(issuer).path.lstrip("/"), autoconf_path)),
+            self.provider_config,
+        )
+        jwks_uri = ("^{}/jwks$".format(self.endpoint_basepath), self.jwks)
-        jwks_uri = ("^{}/jwks$".format(self.endpoint_basepath), self.jwks)
+        jwks_uri = ("^{}$".format(join_paths(self.endpoint_basepath, "jwks")), self.jwks)
-        jwks_uri = ("^{}/jwks$".format(self.endpoint_basepath), self.jwks)
+        jwks_uri = ("^{}$".format(join_paths(self.endpoint_basepath, "jwks")), self.jwks)
+
         backend_name = None
         if len(backend_names) != 1:
             # only supports one backend since there currently is no way to publish multiple authorization endpoints
@@ -189,40 +202,49 @@ def register_endpoints(self, backend_names):
         else:
             backend_name = backend_names[0]
 
-        provider_config = ("^.well-known/openid-configuration$", self.provider_config)
-        jwks_uri = ("^{}/jwks$".format(self.name), self.jwks)
-
         if backend_name:
             # if there is only one backend, include its name in the path so the default routing can work
-            auth_endpoint = "{}/{}/{}/{}".format(self.base_url, backend_name, self.name, AuthorizationEndpoint.url)
+            auth_endpoint = join_paths(
+                self.base_url,
+                backend_name,
+                self.name,
+                AuthorizationEndpoint.url,
+            )
             self.provider.configuration_information["authorization_endpoint"] = auth_endpoint
             auth_path = urlparse(auth_endpoint).path.lstrip("/")
         else:
-            auth_path = "{}/{}".format(self.name, AuthorizationEndpoint.url)
+            auth_path = join_paths(self.endpoint_basepath, AuthorizationRequest.url)
 
         authentication = ("^{}$".format(auth_path), self.handle_authn_request)
         url_map = [provider_config, jwks_uri, authentication]
 
         if any("code" in v for v in self.provider.configuration_information["response_types_supported"]):
-            self.provider.configuration_information["token_endpoint"] = "{}/{}".format(
-                self.endpoint_baseurl, TokenEndpoint.url
+            self.provider.configuration_information["token_endpoint"] = join_paths(
+                self.endpoint_baseurl,
+                TokenEndpoint.url,
             )
             token_endpoint = (
-                "^{}/{}".format(self.name, TokenEndpoint.url), self.token_endpoint
+                "^{}".format(join_paths(self.endpoint_basepath, TokenEndpoint.url)),
+                self.token_endpoint,
             )
             url_map.append(token_endpoint)
 
             self.provider.configuration_information["userinfo_endpoint"] = (
-                "{}/{}".format(self.endpoint_baseurl, UserinfoEndpoint.url)
+                join_paths(self.endpoint_baseurl, UserinfoEndpoint.url)
             )
             userinfo_endpoint = (
-                "^{}/{}".format(self.name, UserinfoEndpoint.url), self.userinfo_endpoint
+                "^{}".format(
+                    join_paths(self.endpoint_basepath, UserinfoEndpoint.url)
+                ),
+                self.userinfo_endpoint,
             )
             url_map.append(userinfo_endpoint)
 
         if "registration_endpoint" in self.provider.configuration_information:
             client_registration = (
-                "^{}/{}".format(self.name, RegistrationEndpoint.url),
+                "^{}".format(
+                    join_paths(self.endpoint_basepath, RegistrationEndpoint.url)
+                ),
                 self.client_registration,
             )
             url_map.append(client_registration)

diff --git a/src/satosa/frontends/ping.py b/src/satosa/frontends/ping.py
@@ -3,6 +3,7 @@
 import satosa.logging_util as lu
 from satosa.frontends.base import FrontendModule
 from satosa.response import Response
+from satosa.util import join_paths
 
 
 logger = logging.getLogger(__name__)
@@ -43,7 +44,7 @@ def register_endpoints(self, backend_names):
         :rtype: list[(str, ((satosa.context.Context, Any) -> satosa.response.Response, Any))]
         :raise ValueError: if more than one backend is configured
         """
-        url_map = [("^{}".format(self.name), self.ping_endpoint)]
+        url_map = [("^{}".format(join_paths(self.endpoint_basepath, self.name)), self.ping_endpoint)]
 
         return url_map
 

diff --git a/src/satosa/frontends/saml2.py b/src/satosa/frontends/saml2.py
@@ -117,7 +117,7 @@ def register_endpoints(self, backend_names):
 
         if self.enable_metadata_reload():
             url_map.append(
-                ("^%s/%s$" % (self.name, "reload-metadata"), self._reload_metadata))
+                ("^%s/%s$" % (self.endpoint_basepath, "reload-metadata"), self._reload_metadata))
 
         self.idp_config = self._build_idp_config_endpoints(
             self.config[self.KEY_IDP_CONFIG], backend_names)
@@ -511,15 +511,19 @@ def _register_endpoints(self, providers):
         """
         url_map = []
 
+        backend_providers = "|".join(providers)
+        base_path = urlparse(self.base_url).path.lstrip("/")
+        if base_path:
+            base_path = base_path + "/"
         for endp_category in self.endpoints:
             for binding, endp in self.endpoints[endp_category].items():
-                valid_providers = ""
-                for provider in providers:
-                    valid_providers = "{}|^{}".format(valid_providers, provider)
-                valid_providers = valid_providers.lstrip("|")
-                parsed_endp = urlparse(endp)
-                url_map.append(("(%s)/%s$" % (valid_providers, parsed_endp.path),
-                                functools.partial(self.handle_authn_request, binding_in=binding)))
+                endp_path = urlparse(endp).path
+                url_map.append(
+                    (
+                        "^{}({})/{}$".format(base_path, backend_providers, endp_path),
+                        functools.partial(self.handle_authn_request, binding_in=binding)
+                    )
+                )
 
         if self.expose_entityid_endpoint():
             logger.debug("Exposing frontend entity endpoint = {}".format(self.idp.config.entityid))
@@ -675,11 +679,18 @@ def _load_idp_dynamic_endpoints(self, context):
         :param context:
         :return: An idp server
         """
-        target_entity_id = context.target_entity_id_from_path()
+        target_entity_id = self._target_entity_id_from_path(context.path)
         idp_conf_file = self._load_endpoints_to_config(context.target_backend, target_entity_id)
         idp_config = IdPConfig().load(idp_conf_file)
         return Server(config=idp_config)
 
+    def _target_entity_id_from_path(self, request_path):
+        path = request_path.lstrip("/")
+        base_path = urlparse(self.base_url).path.lstrip("/")
+        if base_path and path.startswith(base_path):
+            path = path[len(base_path):].lstrip("/")
+        return path.split("/")[1]
+
     def _load_idp_dynamic_entity_id(self, state):
         """
         Loads an idp server with the entity id saved in state
@@ -705,7 +716,7 @@ def handle_authn_request(self, context, binding_in):
         :type binding_in: str
         :rtype: satosa.response.Response
         """
-        target_entity_id = context.target_entity_id_from_path()
+        target_entity_id = self._target_entity_id_from_path(context.path)
         target_entity_id = urlsafe_b64decode(target_entity_id).decode()
         context.decorate(Context.KEY_TARGET_ENTITYID, target_entity_id)
 
@@ -723,7 +734,7 @@ def _create_state_data(self, context, resp_args, relay_state):
         :rtype: dict[str, dict[str, str] | str]
         """
         state = super()._create_state_data(context, resp_args, relay_state)
-        state["target_entity_id"] = context.target_entity_id_from_path()
+        state["target_entity_id"] = self._target_entity_id_from_path(context.path)
         return state
 
     def handle_backend_error(self, exception):
@@ -758,13 +769,16 @@ def _register_endpoints(self, providers):
         """
         url_map = []
 
+        backend_providers = "|".join(providers)
+        base_path = urlparse(self.base_url).path.lstrip("/")
+        if base_path:
+            base_path = base_path + "/"
         for endp_category in self.endpoints:
             for binding, endp in self.endpoints[endp_category].items():
-                valid_providers = "|^".join(providers)
-                parsed_endp = urlparse(endp)
+                endp_path = urlparse(endp).path
                 url_map.append(
                     (
-                        r"(^{})/\S+/{}".format(valid_providers, parsed_endp.path),
+                        "^{}({})/\S+/{}$".format(base_path, backend_providers, endp_path),
                         functools.partial(self.handle_authn_request, binding_in=binding)
                     )
                 )

diff --git a/src/satosa/micro_services/account_linking.py b/src/satosa/micro_services/account_linking.py
@@ -12,6 +12,7 @@
 from ..exception import SATOSAAuthenticationError
 from ..micro_services.base import ResponseMicroService
 from ..response import Redirect
+from ..util import join_paths
 
 import satosa.logging_util as lu
 logger = logging.getLogger(__name__)
@@ -161,4 +162,13 @@ def register_endpoints(self):
 
         :return: A list of endpoints bound to a function
         """
-        return [("^account_linking%s$" % self.endpoint, self._handle_al_response)]
+        return [
+            (
+                "^{}$".format(
+                    join_paths(
+                        self.base_path, "account_linking", self.endpoint
+                    )
-                    join_paths(
-                        self.base_path, "account_linking", self.endpoint
-                    )
+                    join_paths(self.endpoint_basepath, self.endpoint)
-                    join_paths(
-                        self.base_path, "account_linking", self.endpoint
-                    )
+                    join_paths(self.endpoint_basepath, self.endpoint)
+                ),
+                self._handle_al_response,
+            )
+        ]
diff --git a/src/satosa/micro_services/base.py b/src/satosa/micro_services/base.py
@@ -2,6 +2,7 @@
 Micro service for SATOSA
 """
 import logging
+from urllib.parse import urlparse
 
 logger = logging.getLogger(__name__)
 
@@ -14,6 +15,7 @@ class MicroService(object):
     def __init__(self, name, base_url, **kwargs):
         self.name = name
         self.base_url = base_url
+        self.base_path = urlparse(base_url).path.lstrip("/")
         self.next = None
 
     def process(self, context, data):

diff --git a/src/satosa/micro_services/consent.py b/src/satosa/micro_services/consent.py
@@ -16,6 +16,7 @@
 from satosa.internal import InternalData
 from satosa.micro_services.base import ResponseMicroService
 from satosa.response import Redirect
+from satosa.util import join_paths
 
 
 logger = logging.getLogger(__name__)
@@ -238,4 +239,13 @@ def register_endpoints(self):
 
         :return: A list of endpoints bound to a function
         """
-        return [("^consent%s$" % self.endpoint, self._handle_consent_response)]
+        return [
+            (
+                "^{}$".format(
+                    join_paths(
+                        self.base_path, "consent", self.endpoint
+                    )
-                    join_paths(
-                        self.base_path, "consent", self.endpoint
-                    )
+                    join_paths(self.endpoint_basepath, self.endpoint)
-                    join_paths(
-                        self.base_path, "consent", self.endpoint
-                    )
+                    join_paths(self.endpoint_basepath, self.endpoint)
+                ),
+                self._handle_consent_response,
+            )
+        ]