gerardishare/python-ishare-idp-client

iSHARE OIDC Testing Application

A Flask-based testing application that demonstrates OIDC authentication with the iSHARE DMI ecosystem using JWE-encrypted JWT tokens.

Overview

This application implements the iSHARE OIDC authentication flow using:

  • OIDC Authorization Code Flow with PKCE for secure authentication
  • JWE-encrypted JWT tokens instead of traditional client_id/client_secret
  • iSHARE-compliant JWT creation using the python-ishare library
  • Browser-based authentication flow for proper cookie handling

Please note that the application only implements the OIDC flow and does not implement the lookup of parties in an iSHARE Satellite (which would usually be part of an iSHARE implementation).

Features

  • ✅ iSHARE-compliant JWT token creation and JWE encryption
  • ✅ OIDC authorization code flow with PKCE
  • ✅ Browser-based authentication with proper session management
  • ✅ User profile display with token information
  • ✅ Optimized session storage (minimal cookie size)
  • ✅ Error handling and user feedback

Prerequisites

  • Python 3.8+
  • iSHARE client certificates (private key and certificate chain)
  • A registration with an iSHARE Participant Registry in an iSHARE network (UAT, PRD)
  • Registration with an iSHARE Identity Provider (IdP)
  • Optionally (check with IdP) registration for the data space

Installation

  1. Clone the repository:

    git clone <repository-url>
    cd python-ishare-idp-client
  2. Install dependencies:

    pip install -r requirements.txt
  3. Configure environment variables:

    cp env.example .env
    # Edit .env with your iSHARE configuration
  4. Place your iSHARE certificates:

    pki/
    ├── your-client-private-key.pem
    └── your-client-certificate.pem

Configuration

Modify the .env file to configure the environment variables.

Usage

  1. Start the application:

    python app.py
  2. Access the application: Open your browser and navigate to http://localhost:5000

  3. Test the authentication flow:

    • Click "Login with iSHARE" to initiate authentication
    • Complete the authentication on the iSHARE provider
    • View your profile and token information

Architecture

Core Components

  • app.py - Flask application with routes and session management
  • oidc_client.py - OIDC client handling authentication flow
  • ishare_jwt.py - iSHARE JWT creation and JWE encryption
  • config.py - Application configuration
  • templates/ - HTML templates for the web interface

Authentication Flow

  1. Authorization Request: Browser submits POST request with JWE-encrypted JWT
  2. User Authentication: User authenticates with iSHARE provider
  3. Authorization Code: Provider redirects back with authorization code
  4. Token Exchange: Application exchanges code for access/ID tokens
  5. User Info: Application retrieves user information
  6. Session Management: User data stored in optimized session

Security Features

  • PKCE (Proof Key for Code Exchange) for secure authorization
  • State parameter for CSRF protection
  • Nonce for replay attack prevention
  • JWE encryption for secure token transmission
  • Session optimization to prevent cookie size issues
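The following is an added, stand-alone illustration of the client-side checks behind the Authentication Flow and Security Features sections: PKCE code verifier/challenge generation (RFC 7636, S256), state and nonce generation, the state comparison on the callback, the issuer/audience/expiry/nonce checks on the decoded ID token, and trimming claims before they go into the session cookie. It is example code, not the project's oidc_client.py, and uses only the Python standard library; the function names, the PendingLogin record and the sample claims are assumptions made for the example. The ID token's signature is assumed to have been verified (e.g. with PyJWT) before validate_id_token_claims is called.

```python
"""Added example of the PKCE / state / nonce checks an OIDC client performs.
Example code, not the project's oidc_client.py; standard library only."""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 characters, inside the 43..128 range of RFC 7636
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class PendingLogin:
    """What the client must remember server-side between the authorization
    request and the callback (hypothetical record for this example)."""
    state: str
    nonce: str
    code_verifier: str
    created_at: float = field(default_factory=time.time)


def start_login() -> Tuple[PendingLogin, Dict[str, str]]:
    """Build the session record and the authorization request parameters."""
    pending = PendingLogin(
        state=secrets.token_urlsafe(32),
        nonce=secrets.token_urlsafe(32),
        code_verifier=make_code_verifier(),
    )
    params = {
        "response_type": "code",
        "code_challenge": make_code_challenge(pending.code_verifier),
        "code_challenge_method": "S256",
        "state": pending.state,
        "nonce": pending.nonce,
    }
    return pending, params


def check_callback_state(pending: Optional[PendingLogin], returned_state: Optional[str]) -> bool:
    """Reject a callback with a missing or unknown state (login CSRF).
    Constant-time comparison so the check does not leak the stored value."""
    if pending is None or not returned_state:
        return False
    return secrets.compare_digest(pending.state.encode(), returned_state.encode())


def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             expected_nonce: str, now: Optional[float] = None) -> List[str]:
    """Claim checks after signature verification: iss must equal the
    configured OIDC_ISSUER, aud must contain our client_id, exp must be in
    the future and nonce must match the one sent in the request.
    Returns a list of problems; an empty list means the token is accepted."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != issuer:
        errors.append("invalid issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        errors.append("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        errors.append("token expired")
    nonce = claims.get("nonce")
    if not nonce or not secrets.compare_digest(str(nonce).encode(), expected_nonce.encode()):
        errors.append("nonce mismatch")
    return errors


def minimal_session_claims(claims: dict) -> dict:
    """Keep only the claims the profile page needs, so the signed session
    cookie stays small (the 'cookie too large' problem from Troubleshooting)."""
    keep = ("sub", "name", "email", "exp")
    return {k: claims[k] for k in keep if k in claims}


if __name__ == "__main__":
    pending, params = start_login()
    print("authorization request parameters:", params)
    # Constructed sample claims standing in for a decoded ID token.
    sample = {"iss": "https://idp.example", "aud": "my-client-id",
              "exp": time.time() + 300, "nonce": pending.nonce, "sub": "user-1"}
    print("state accepted:", check_callback_state(pending, pending.state))
    print("claim problems:", validate_id_token_claims(sample, "https://idp.example",
                                                      "my-client-id", pending.nonce))
    print("session payload:", minimal_session_claims(sample))
```

The code_verifier never leaves the server-side session until the token exchange, and the callback handler should consume the PendingLogin record on first use so a replayed callback URL cannot complete a second login.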

API Endpoints

  • GET / - Home page
  • GET /login - Initiate authentication
  • GET /callback - Handle authentication callback
  • GET /profile - User profile page
  • GET /logout - Logout and redirect to provider
  • GET /api/user - API endpoint for user information
  • GET /api/refresh - Token refresh endpoint (disabled)

Development

Project Structure

python-ishare-idp-client/
├── app.py                 # Flask application
├── config.py              # Configuration settings
├── oidc_client.py         # OIDC client implementation
├── ishare_jwt.py          # iSHARE JWT/JWE handling
├── requirements.txt       # Python dependencies
├── env.example            # Environment variables template
├── pki/                   # iSHARE certificates directory
├── templates/             # HTML templates
│   ├── base.html
│   ├── index.html
│   ├── profile.html
│   └── error.html
└── README.md

Key Dependencies

  • Flask - Web framework
  • python-ishare - iSHARE JWT creation
  • jwcrypto - JWE encryption/decryption
  • PyJWT - JWT handling
  • cryptography - PKI operations
  • requests - HTTP client

Troubleshooting

Common Issues

  1. Certificate not found: Ensure your iSHARE certificates are in the pki/ directory
  2. Invalid issuer: Verify the OIDC_ISSUER matches your provider configuration
  3. Cookie too large: The application optimizes session storage automatically
  4. Authentication failed: Check your iSHARE client configuration and certificates

Debug Mode

The application runs in debug mode by default. Check the console output for detailed error information.

License

This project is for testing purposes only. Ensure compliance with iSHARE specifications and your organization's security policies.

Support

For issues related to:

To-do

  • Implement logout
