gematik/api-vzd

owner_authenticate_softcert.py fails against fhir-directory-test.vzd.ti-dienste.de

Closed this issue · 2 comments

samples/directory-samples-python/directory_samples/owner_authenticate_softcert.py fails against the current deployment of fhir-directory-test.vzd.ti-dienste.de

$ poetry run owner_authenticate_softcert
Request openid-configuration manifest
curl -X GET "https://idp-ref.app.ti-dienste.de/.well-known/openid-configuration"
{
    'iat': 1689675216,
    'exp': 1689761616,
    'issuer': 'https://idp-ref.app.ti-dienste.de',
    'jwks_uri': 'https://idp-ref.app.ti-dienste.de/certs',
    'uri_disc': 'https://idp-ref.app.ti-dienste.de/.well-known/openid-configuration',
    'authorization_endpoint': 'https://idp-ref.app.ti-dienste.de/auth',
    'sso_endpoint': 'https://idp-ref.app.ti-dienste.de/auth/sso_response',
    'token_endpoint': 'https://idp-ref.app.ti-dienste.de/token',
    'auth_pair_endpoint': 'https://idp-ref.app.ti-dienste.de/auth/alternative',
    'uri_pair': 'https://idp-pairing-ref.zentral.idp.splitdns.ti-dienste.de/pairings',
    'kk_app_list_uri': 'https://idp-ref.app.ti-dienste.de/directory/kk_apps',
    'third_party_authorization_endpoint': 'https://idp-ref.app.ti-dienste.de/extauth',
    'uri_puk_idp_enc': 'https://idp-ref.app.ti-dienste.de/certs/puk_idp_enc',
    'uri_puk_idp_sig': 'https://idp-ref.app.ti-dienste.de/certs/puk_idp_sig',
    'code_challenge_methods_supported': ['S256'],
    'response_types_supported': ['code'],
    'grant_types_supported': ['authorization_code'],
    'id_token_signing_alg_values_supported': ['BP256R1'],
    'acr_values_supported': ['gematik-ehealth-loa-high'],
    'response_modes_supported': ['query'],
    'token_endpoint_auth_methods_supported': ['none'],
    'scopes_supported': [
        'openid',
        'e-rezept',
        'e-rezept-dev',
        'ebtm-bdr',
        'ebtm-bdr2',
        'fh-fokus-demis',
        'fhir-vzd',
        'gem-auth',
        'gmtik-demis',
        'ird-bmg',
        'ogr-nexenio-demo',
        'ogr-nexenio-dev',
        'ogr-nexenio-preprod',
        'ogr-nexenio-test',
        'organspende-register',
        'pairing',
        'rpdoc-emma',
        'rpdoc-emma-phab',
        'ti-messenger',
        'ti-score',
        'ti-score2',
        'zvr-bnotk'
    ],
    'subject_types_supported': ['pairwise']
}
puk_idp_sig
{"kid":"puk_idp_sig","thumbprint":"uRVsMEFmGpiL33r-fIcnSZ17g5BeiMIq7ftrmoz6Idg"}
Begin /owner-authenticate
curl -X GET "https://fhir-directory-test.vzd.ti-dienste.de/owner-authenticate"
{
    'Date': 'Tue, 18 Jul 2023 14:31:37 GMT',
    'Server': 'Apache',
    'X-Frame-Options': 'SAMEORIGIN, DENY',
    'Strict-Transport-Security': 'max-age=63072000;includeSubDomains',
    'Vary': 'Origin,Access-Control-Request-Method,Access-Control-Request-Headers',
    'Location': 'https://idp-test.app.ti-dienste.de/auth?response_type=code&client_id=GEMgematFHI1KPraWvqT&scope=fhir-vzd+openid&redirect_uri=https%3A%2F%2Ffhir-directory-test.vzd.ti-dienste.de%2Fsignin-gematik-idp-dienst&state=D7XWAvXwEDTw5AV-TiCXJQ&code_challenge=oOLFpPcl5uyvC7bYtYmHpUiMGsWEgfI3DsrmMwhitvo&code_challenge_method=S256',
    'X-Content-Type-Options': 'nosniff',
    'X-XSS-Protection': '1; mode=block',
    'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
    'Pragma': 'no-cache',
    'Expires': '0',
    'Content-Length': '0',
    'Content-Security-Policy': "default-src 'self' fhir-directory-test.vzd.ti-dienste.de;",
    'Keep-Alive': 'timeout=15, max=100',
    'Connection': 'Keep-Alive'
}
curl -X GET "https://idp-test.app.ti-dienste.de/auth?response_type=code&client_id=GEMgematFHI1KPraWvqT&scope=fhir-vzd+openid&redirect_uri=https%3A%2F%2Ffhir-directory-test.vzd.ti-dienste.de%2Fsignin-gematik-idp-dienst&state=D7XWAvXwEDTw5AV-TiCXJQ&code_challenge=oOLFpPcl5uyvC7bYtYmHpUiMGsWEgfI3DsrmMwhitvo&code_challenge_method=S256"
200
{
  "challenge": "eyJhbGciOiJCUDI1NlIxIiwia2lkIjoicHVrX2lkcF9zaWciLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2lkcC10ZXN0LmFwcC50aS1kaWVuc3RlLmRlIiwiaWF0IjoxNjg5NjkwNjk3LCJleHAiOjE2ODk2OTA4NzcsInRva2VuX3R5cGUiOiJjaGFsbGVuZ2UiLCJqdGkiOiJkZmYzNTRhOC0zM2JlLTRiOGEtODQ3Zi0yMjliMzEyYTZkNDAiLCJzbmMiOiI3ODA3MjhmMDFkMzU0NmYwYjU4NzA2YWY0Mzc4ZGE4YiIsInNjb3BlIjoiZmhpci12emQgb3BlbmlkIiwiY29kZV9jaGFsbGVuZ2UiOiJvT0xGcFBjbDV1eXZDN2JZdFltSHBVaU1Hc1dFZ2ZJM0Rzcm1Nd2hpdHZvIiwiY29kZV9jaGFsbGVuZ2VfbWV0aG9kIjoiUzI1NiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly9maGlyLWRpcmVjdG9yeS10ZXN0LnZ6ZC50aS1kaWVuc3RlLmRlL3NpZ25pbi1nZW1hdGlrLWlkcC1kaWVuc3QiLCJjbGllbnRfaWQiOiJHRU1nZW1hdEZISTFLUHJhV3ZxVCIsInN0YXRlIjoiRDdYV0F2WHdFRFR3NUFWLVRpQ1hKUSJ9.BGb_9oyjvMrB71l47ixVIO891L20r3XWH7Wr41uRtxUxxYZM_OuMh3mB5aznMCua3xD1LrSYcTKE_bWkp-vxGA",
  "user_consent": {
    "requested_scopes": {
      "openid": "Der Zugriff auf den ID-Token",
      "fhir-vzd": "Zugriff auf die FHIR-VZD-Funktionalitaet zur Anmeldung am VZD."
    },
    "requested_claims": {
      "professionOID": "Zustimmung zur Verarbeitung der Rolle",
      "idNummer": "Zustimmung zur Verarbeitung der Id (z.B. Krankenversichertennummer, Telematik-Id)"
    }
  }
}
Extract challenge
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "api-vzd/samples/directory-samples-python/directory_samples/owner_authenticate_softcert.py", line 69, in main
    challenge_jws.verify(puk_idp_sig)
  File "api-vzd/samples/directory-samples-python/.venv/lib/python3.10/site-packages/jwcrypto/jws.py", line 386, in verify
    raise InvalidJWSSignature('Verification failed for all '
jwcrypto.jws.InvalidJWSSignature: Verification failed for all signatures["Failed: [InvalidJWSSignature('Verification failed')]"]

Hi Manuel,

thanks for pointing this out. There was a bug with default values:

gematik_idp_base_url = os.getenv("GEMATIK_IDP_BASE_URL") or "https://idp-ref.app.ti-dienste.de/"

I fixed it, please try again. I also updated the README in the Python samples to reflect all possible ENV variables.

Cheers,
Serg
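The log above shows the mechanism behind the bare "Verification failed for all signatures": the openid-configuration and `puk_idp_sig` were fetched from idp-ref (the old default of `GEMATIK_IDP_BASE_URL`), while the directory redirected to idp-test, whose challenge is signed by a key the client never fetched. The following is an added example for this thread, not code from the gematik/api-vzd samples or from either commenter. Using only the standard library, it reads the unauthenticated header and payload of a challenge JWS and checks that the `kid` and `iss` match the key source before handing the token to a real signature verifier, so a wrong base URL produces an actionable message instead of an opaque failure. The helper names, the constructed challenge and its dummy signature are assumptions for the demonstration; the real verification with jwcrypto and the BP256R1 key is unchanged and still required.

```python
"""Pre-flight checks for a gematik IDP challenge JWS before signature verification.

Added example for this issue thread, not code from the gematik/api-vzd samples.
It only inspects unauthenticated claims to explain a key/issuer mismatch; the
signature itself must still be verified with the fetched IDP public key.
"""
import base64
import json
import time
from urllib.parse import urlparse


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWS compact serialization."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_jws(compact: str):
    """Return (protected header, payload) of a compact JWS without verifying it.

    Nothing returned here may be trusted; it is used only to diagnose which
    IDP instance and key the challenge claims to belong to.
    """
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 JWS segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def challenge_preflight(compact: str, key_kid: str, idp_base_url: str, now=None):
    """List the reasons a signature check with the fetched key cannot succeed.

    key_kid is the kid of the key fetched from idp_base_url (the value of
    GEMATIK_IDP_BASE_URL). An empty list means the challenge at least names
    that key and claims that issuer; a non-empty list explains the mismatch.
    """
    now = time.time() if now is None else now
    header, payload = split_jws(compact)
    problems = []

    if header.get("alg") != "BP256R1":
        problems.append(f"unexpected alg {header.get('alg')!r}; the IDP advertises BP256R1")
    if header.get("kid") != key_kid:
        problems.append(f"challenge kid {header.get('kid')!r} != fetched key kid {key_kid!r}")

    # Compare hostnames so a trailing slash in GEMATIK_IDP_BASE_URL does not matter.
    iss_host = urlparse(payload.get("iss", "")).hostname
    key_host = urlparse(idp_base_url).hostname
    if iss_host != key_host:
        problems.append(f"challenge issuer {iss_host!r} != key source {key_host!r}; "
                        "set GEMATIK_IDP_BASE_URL to the IDP the directory redirects to")

    if payload.get("token_type") != "challenge":
        problems.append(f"token_type {payload.get('token_type')!r} is not 'challenge'")
    if "exp" in payload and payload["exp"] < now:
        problems.append("challenge already expired; request a fresh one")
    return problems


def build_unsigned_challenge(issuer: str, kid: str, iat: int) -> str:
    """Construct a challenge-shaped JWS with a dummy signature (constructed test data)."""
    header = {"alg": "BP256R1", "kid": kid, "typ": "JWT"}
    payload = {"iss": issuer, "iat": iat, "exp": iat + 180, "token_type": "challenge",
               "scope": "fhir-vzd openid", "response_type": "code"}
    signature = b64url_encode(b"\x00" * 64)  # placeholder bytes, never verified here
    segments = [b64url_encode(json.dumps(part).encode()) for part in (header, payload)]
    return ".".join(segments + [signature])


if __name__ == "__main__":
    issued = 1689690697  # constructed timestamp
    challenge = build_unsigned_challenge("https://idp-test.app.ti-dienste.de", "puk_idp_sig", issued)
    # Key fetched from the wrong IDP (the sample's old default): a clear diagnosis.
    for problem in challenge_preflight(challenge, "puk_idp_sig",
                                       "https://idp-ref.app.ti-dienste.de/", now=issued + 10):
        print("preflight:", problem)
    # Key fetched from the issuing IDP: nothing blocks the real signature check.
    print(challenge_preflight(challenge, "puk_idp_sig",
                              "https://idp-test.app.ti-dienste.de/", now=issued + 10))
```

Run the preflight right after "Extract challenge" and before `challenge_jws.verify(puk_idp_sig)`; it is a diagnostic, not a replacement for the signature check, and a passing preflight still leaves all trust decisions to the verified signature.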

Thanks for the quick fix