owner_authenticate_softcert.py fails against fhir-directory-test.vzd.ti-dienste.de
Closed this issue · 2 comments
awesome-manuel commented
samples/directory-samples-python/directory_samples/owner_authenticate_softcert.py fails against the current deployment of fhir-directory-test.vzd.ti-dienste.de
$ poetry run owner_authenticate_softcert
Request openid-configuration manifest
curl -X GET "https://idp-ref.app.ti-dienste.de/.well-known/openid-configuration"
{
'iat': 1689675216,
'exp': 1689761616,
'issuer': 'https://idp-ref.app.ti-dienste.de',
'jwks_uri': 'https://idp-ref.app.ti-dienste.de/certs',
'uri_disc': 'https://idp-ref.app.ti-dienste.de/.well-known/openid-configuration',
'authorization_endpoint': 'https://idp-ref.app.ti-dienste.de/auth',
'sso_endpoint': 'https://idp-ref.app.ti-dienste.de/auth/sso_response',
'token_endpoint': 'https://idp-ref.app.ti-dienste.de/token',
'auth_pair_endpoint': 'https://idp-ref.app.ti-dienste.de/auth/alternative',
'uri_pair': 'https://idp-pairing-ref.zentral.idp.splitdns.ti-dienste.de/pairings',
'kk_app_list_uri': 'https://idp-ref.app.ti-dienste.de/directory/kk_apps',
'third_party_authorization_endpoint': 'https://idp-ref.app.ti-dienste.de/extauth',
'uri_puk_idp_enc': 'https://idp-ref.app.ti-dienste.de/certs/puk_idp_enc',
'uri_puk_idp_sig': 'https://idp-ref.app.ti-dienste.de/certs/puk_idp_sig',
'code_challenge_methods_supported': ['S256'],
'response_types_supported': ['code'],
'grant_types_supported': ['authorization_code'],
'id_token_signing_alg_values_supported': ['BP256R1'],
'acr_values_supported': ['gematik-ehealth-loa-high'],
'response_modes_supported': ['query'],
'token_endpoint_auth_methods_supported': ['none'],
'scopes_supported': [
'openid',
'e-rezept',
'e-rezept-dev',
'ebtm-bdr',
'ebtm-bdr2',
'fh-fokus-demis',
'fhir-vzd',
'gem-auth',
'gmtik-demis',
'ird-bmg',
'ogr-nexenio-demo',
'ogr-nexenio-dev',
'ogr-nexenio-preprod',
'ogr-nexenio-test',
'organspende-register',
'pairing',
'rpdoc-emma',
'rpdoc-emma-phab',
'ti-messenger',
'ti-score',
'ti-score2',
'zvr-bnotk'
],
'subject_types_supported': ['pairwise']
}
puk_idp_sig
{"kid":"puk_idp_sig","thumbprint":"uRVsMEFmGpiL33r-fIcnSZ17g5BeiMIq7ftrmoz6Idg"}
Begin /owner-authenticate
curl -X GET "https://fhir-directory-test.vzd.ti-dienste.de/owner-authenticate"
{'Date': 'Tue, 18 Jul 2023 14:31:37 GMT', 'Server': 'Apache', 'X-Frame-Options': 'SAMEORIGIN, DENY', 'Strict-Transport-Security': 'max-age=63072000;includeSubDomains', 'Vary': 'Origin,Access-Control-Request-Method,Access-Control-Request-Headers', 'Location': 'https://idp-test.app.ti-dienste.de/auth?response_type=code&client_id=GEMgematFHI1KPraWvqT&scope=fhir-vzd+openid&redirect_uri=https%3A%2F%2Ffhir-directory-test.vzd.ti-dienste.de%2Fsignin-gematik-idp-dienst&state=D7XWAvXwEDTw5AV-TiCXJQ&code_challenge=oOLFpPcl5uyvC7bYtYmHpUiMGsWEgfI3DsrmMwhitvo&code_challenge_method=S256', 'X-Content-Type-Options': 'nosniff', 'X-XSS-Protection': '1; mode=block', 'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate', 'Pragma': 'no-cache', 'Expires': '0', 'Content-Length': '0', 'Content-Security-Policy': "default-src 'self' fhir-directory-test.vzd.ti-dienste.de;", 'Keep-Alive': 'timeout=15, max=100', 'Connection': 'Keep-Alive'}
curl -X GET "https://idp-test.app.ti-dienste.de/auth?response_type=code&client_id=GEMgematFHI1KPraWvqT&scope=fhir-vzd+openid&redirect_uri=https%3A%2F%2Ffhir-directory-test.vzd.ti-dienste.de%2Fsignin-gematik-idp-dienst&state=D7XWAvXwEDTw5AV-TiCXJQ&code_challenge=oOLFpPcl5uyvC7bYtYmHpUiMGsWEgfI3DsrmMwhitvo&code_challenge_method=S256"
200
{
"challenge": "eyJhbGciOiJCUDI1NlIxIiwia2lkIjoicHVrX2lkcF9zaWciLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2lkcC10ZXN0LmFwcC50aS1kaWVuc3RlLmRlIiwiaWF0IjoxNjg5NjkwNjk3LCJleHAiOjE2ODk2OTA4NzcsInRva2VuX3R5cGUiOiJjaGFsbGVuZ2UiLCJqdGkiOiJkZmYzNTRhOC0zM2JlLTRiOGEtODQ3Zi0yMjliMzEyYTZkNDAiLCJzbmMiOiI3ODA3MjhmMDFkMzU0NmYwYjU4NzA2YWY0Mzc4ZGE4YiIsInNjb3BlIjoiZmhpci12emQgb3BlbmlkIiwiY29kZV9jaGFsbGVuZ2UiOiJvT0xGcFBjbDV1eXZDN2JZdFltSHBVaU1Hc1dFZ2ZJM0Rzcm1Nd2hpdHZvIiwiY29kZV9jaGFsbGVuZ2VfbWV0aG9kIjoiUzI1NiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly9maGlyLWRpcmVjdG9yeS10ZXN0LnZ6ZC50aS1kaWVuc3RlLmRlL3NpZ25pbi1nZW1hdGlrLWlkcC1kaWVuc3QiLCJjbGllbnRfaWQiOiJHRU1nZW1hdEZISTFLUHJhV3ZxVCIsInN0YXRlIjoiRDdYV0F2WHdFRFR3NUFWLVRpQ1hKUSJ9.BGb_9oyjvMrB71l47ixVIO891L20r3XWH7Wr41uRtxUxxYZM_OuMh3mB5aznMCua3xD1LrSYcTKE_bWkp-vxGA",
"user_consent": {
"requested_scopes": {
"openid": "Der Zugriff auf den ID-Token",
"fhir-vzd": "Zugriff auf die FHIR-VZD-Funktionalitaet zur Anmeldung am VZD."
},
"requested_claims": {
"professionOID": "Zustimmung zur Verarbeitung der Rolle",
"idNummer": "Zustimmung zur Verarbeitung der Id (z.B. Krankenversichertennummer, Telematik-Id)"
}
}
}
Extract challenge
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "api-vzd/samples/directory-samples-python/directory_samples/owner_authenticate_softcert.py", line 69, in main
challenge_jws.verify(puk_idp_sig)
File "api-vzd/samples/directory-samples-python/.venv/lib/python3.10/site-packages/jwcrypto/jws.py", line 386, in verify
raise InvalidJWSSignature('Verification failed for all '
jwcrypto.jws.InvalidJWSSignature: Verification failed for all signatures["Failed: [InvalidJWSSignature('Verification failed')]"]
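The log above shows the sample fetching the openid-configuration and puk_idp_sig from idp-ref.app.ti-dienste.de while /owner-authenticate redirects to idp-test.app.ti-dienste.de; decoding the challenge's claims shows its iss is idp-test, so verifying it with idp-ref's key necessarily fails. The following is an added example, not code from the api-vzd samples or jwcrypto: a stdlib-only pre-check that names such a key/issuer mismatch before the verify call, using the challenge token from the log verbatim and a constructed fragment (DISCOVERY_REF) of the printed discovery document.

```python
"""Pre-verification check for a gematik IDP challenge JWS (added example, not
the api-vzd sample's own code): does the token belong to the IDP whose
discovery document and puk_idp_sig key the client fetched?"""
import base64
import json

# Constructed fragment of the discovery document the failing run fetched (idp-ref).
DISCOVERY_REF = {
    "issuer": "https://idp-ref.app.ti-dienste.de",
    "id_token_signing_alg_values_supported": ["BP256R1"],
}
# The challenge returned by idp-test in the same run, split into adjacent literals.
CHALLENGE = (
    "eyJhbGciOiJCUDI1NlIxIiwia2lkIjoicHVrX2lkcF9zaWciLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2lkcC10ZXN0LmFwcC50aS1kaWVuc3RlLmRlIiwiaWF0IjoxNjg5Nj"
    "kwNjk3LCJleHAiOjE2ODk2OTA4NzcsInRva2VuX3R5cGUiOiJjaGFsbGVuZ2UiLCJqdGkiOiJkZmYzNTRhOC0zM2JlLTRiOGEtODQ3Zi0yMjliMzEyYTZkNDAiLCJzbmMiOiI3ODA3Mjhm"
    "MDFkMzU0NmYwYjU4NzA2YWY0Mzc4ZGE4YiIsInNjb3BlIjoiZmhpci12emQgb3BlbmlkIiwiY29kZV9jaGFsbGVuZ2UiOiJvT0xGcFBjbDV1eXZDN2JZdFltSHBVaU1Hc1dFZ2ZJM0Rzcm"
    "1Nd2hpdHZvIiwiY29kZV9jaGFsbGVuZ2VfbWV0aG9kIjoiUzI1NiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly9maGlyLWRpcmVjdG9yeS10ZXN0"
    "LnZ6ZC50aS1kaWVuc3RlLmRlL3NpZ25pbi1nZW1hdGlrLWlkcC1kaWVuc3QiLCJjbGllbnRfaWQiOiJHRU1nZW1hdEZISTFLUHJhV3ZxVCIsInN0YXRlIjoiRDdYV0F2WHdFRFR3NUFWLV"
    "RpQ1hKUSJ9.BGb_9oyjvMrB71l47ixVIO891L20r3XWH7Wr41uRtxUxxYZM_OuMh3mB5aznMCua3xD1LrSYcTKE_bWkp-vxGA"
)


def b64url_decode(segment: str) -> bytes:
    """JWS segments carry no '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jws(token: str):
    """Return (header, claims, raw signature) without verifying anything."""
    header, payload, signature = token.split(".")
    return (json.loads(b64url_decode(header)),
            json.loads(b64url_decode(payload)),
            b64url_decode(signature))


def check_challenge_binding(token: str, discovery: dict, key_kid: str = "puk_idp_sig") -> list:
    """Reasons why the key fetched via `discovery` cannot verify `token`; [] if consistent."""
    header, claims, signature = split_jws(token)
    problems = []
    if claims.get("iss") != discovery["issuer"]:
        problems.append(f"issuer mismatch: challenge from {claims.get('iss')}, "
                        f"key fetched from {discovery['issuer']}")
    if header.get("alg") not in discovery["id_token_signing_alg_values_supported"]:
        problems.append(f"alg {header.get('alg')!r} not offered by the IDP")
    if header.get("kid") != key_kid:
        problems.append(f"kid {header.get('kid')!r} is not the fetched key {key_kid!r}")
    if len(signature) != 64:  # BP256R1 (brainpoolP256r1): raw r||s, 2 * 32 bytes
        problems.append(f"signature is {len(signature)} bytes, expected 64")
    return problems
```

Run against the log's own token, the check reports exactly the issuer mismatch; with a discovery document whose issuer is idp-test it reports nothing, and the remaining question is then the signature itself.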
spilikin commented
Hi Manuel,
thanks for pointing this out. There was a bug with default values:
I fixed it; please try again. I also updated the README in the Python samples to reflect all possible ENV variables.
Cheers,
Serg
awesome-manuel commented
Thanks for the quick fix