The OidcHandler gets either called from a ServiceProxy instance or from an App instance.

A ServiceProxy instance either wants subject attributes (get_userinfo) or returns with an request for specific claims (need_claims). In the get_userinfo method it is checked if the user supplied an access token via the HTTP request headers (command line usage) or if an access token is saved in the session of the user (webbrowser usage). If an access token was found, the user information from the cache are returned. If the cache does not contain information, then an empty dictionary is returned. Note that here no authentication is enforced. If the need_claims method was called, the evaluation process returned that one or more specific subject attribute was missing to evaluate a rule. These claims are then converted to a list of scopes. These scopes are then asked for in the userinfo request if an access token was was found, or the user gets redirected either to a list of OpenID connect providers where he can choose his provider, or he gets redirected to the OpenID connect provider if only one is supported.

The App instance calls the OidcHandler to setup the connection with the OpenID Connect Providers. Either the client id and client secret were already found (create_client_from_secrets) or the client (our proxy) must register at the provider (register_first_time).

!include ../classes.plantuml
remove arpoc.App
remove arpoc.ac.Policy
remove arpoc.ac.Policy_Set
remove arpoc.ac.AC_Entity
remove arpoc.ac.Rule
remove arpoc.ac.AC_Container
remove arpoc.ac.EvaluationResult
remove arpoc.ac.conflict_resolution.AnyOfAny
remove arpoc.ac.conflict_resolution.And
remove arpoc.ac.conflict_resolution.ConflictResolution
remove arpoc.ac.common.Effects
remove arpoc.ac.parser.TransformAttr
remove arpoc.ac.parser.TopLevelTransformer
remove arpoc.ac.parser.OperatorTransformer
remove arpoc.ac.parser.MiddleLevelTransformer
remove arpoc.ac.parser.ExistsTransformer
remove arpoc.ac.lark_adapter.MyTransformer
remove arpoc.ac.lark_adapter.CombinedTransformer
remove arpoc.base.ServiceProxy
remove arpoc.base.TLSOnlyDispatcher
remove arpoc.cache.Cache
remove arpoc.cache.CacheItem
remove arpoc.config.ACConfig
remove arpoc.config.Misc
remove arpoc.config.OIDCProxyConfig
remove arpoc.config.ProviderConfig
remove arpoc.config.ProxyConfig
remove arpoc.config.ServiceConfig
remove arpoc.exceptions.ACEntityMissing
remove arpoc.exceptions.AttributeMissing
remove arpoc.exceptions.BadRuleSyntax
remove arpoc.exceptions.BadSemantics
remove arpoc.exceptions.ConfigError
remove arpoc.exceptions.DuplicateKeyError
remove arpoc.exceptions.EnvironmentAttributeMissing
remove arpoc.exceptions.OIDCProxyException
remove arpoc.exceptions.ObjectAttributeMissing
remove arpoc.exceptions.SubjectAttributeMissing
remove arpoc.pap.PAPNode
remove arpoc.pap.PolicyAdministrationPoint
remove arpoc.ac.parser.BinaryNumeralOperator
remove arpoc.ac.parser.BinaryOperator
remove arpoc.ac.parser.BinaryOperatorAnd
remove arpoc.ac.parser.BinaryOperatorIn
remove arpoc.ac.parser.BinaryOperatorOr
remove arpoc.ac.parser.BinarySameTypeOperator
remove arpoc.ac.parser.BinaryStringOperator
remove arpoc.ac.parser.Equal
remove arpoc.ac.parser.Greater
remove arpoc.ac.parser.Lesser
remove arpoc.ac.parser.NotEqual
remove arpoc.ac.parser.UOP
remove arpoc.ac.parser.matches
remove arpoc.ac.parser.startswith
remove arpoc.plugins.EnvironmentDict
remove arpoc.plugins.ObjectDict
remove arpoc.plugins.ObligationsDict
remove arpoc.plugins.PrioritizedItem
remove arpoc.plugins._lib.EnvironmentAttribute
remove arpoc.plugins._lib.ObjectSetter
remove arpoc.plugins._lib.Obligation
remove arpoc.plugins.env_attr_time.EnvAttrDateTime
remove arpoc.plugins.env_attr_time.EnvAttrTime
remove arpoc.plugins.env_attr_time.EnvAttrTimeHour
remove arpoc.plugins.env_attr_time.EnvAttrTimeMinute
remove arpoc.plugins.env_attr_time.EnvAttrTimeSecond
remove arpoc.plugins.obj_json.obj_json
remove arpoc.plugins.obj_urlmap.ObjUrlmap
remove arpoc.plugins.obl_loggers.Log
remove arpoc.plugins.obl_loggers.LogFailed
remove arpoc.plugins.obl_loggers.LogSuccessful
remove arpoc.special_pages.Userinfo


All subject attributes are claims of an OpenID Connect provider. Therefore we need to communicate with OpenID Connect Provider, act as a relying party and comply with the respective standards. The library pyoidc ([pyoidc]) enables us to comply with the standard without implementing it on our own.


If the user does a request with an access token included, we need to contact the issuer of this access token to ensure that the access token is valid. Because many issuers (TODO: cite/prove) use JWTs we can parse them and contact the issuer that is stated inside the JWT. pyoidc uses for this task the library pyjwkest ([pyjwkest]) which we use as well.