diff --git a/example/satosa/pyeudiw_backend.yaml b/example/satosa/pyeudiw_backend.yaml
index e2560722..d1d9e091 100644
--- a/example/satosa/pyeudiw_backend.yaml
+++ b/example/satosa/pyeudiw_backend.yaml
@@ -61,7 +61,7 @@ config:
 unique_identifiers:
 - tax_id_code
 - unique_id
- subject_id_salt: CHANGEME!
+ subject_id_random_value: CHANGEME!
 network:
 httpc_params:
diff --git a/pyeudiw/openid4vp/direct_post_response.py b/pyeudiw/openid4vp/direct_post_response.py
index 38eae6a7..5099256e 100644
--- a/pyeudiw/openid4vp/direct_post_response.py
+++ b/pyeudiw/openid4vp/direct_post_response.py
@@ -28,7 +28,7 @@ def __init__(self, jwt: str, jwks_by_kids: dict, nonce: str = ""):
 @property
 def payload(self) -> dict:
- # TODO: detect if if it encrypted otherwise ...
+ # TODO: detect if it is encrypted otherwise ...
 # here we support only the encrypted jwt
 if not self._payload:
 self.decrypt()
diff --git a/pyeudiw/satosa/backend.py b/pyeudiw/satosa/backend.py
index 2aa3bdee..c8131646 100644
--- a/pyeudiw/satosa/backend.py
+++ b/pyeudiw/satosa/backend.py
@@ -307,11 +307,12 @@ def _translate_response(self, response: dict, issuer: str, context: Context):
 internal_resp = InternalData(auth_info=auth_info)
 sub = ""
+ pepper = self.config.get("user_attributes", {})['subject_id_random_value']
 for i in self.config.get("user_attributes", {}).get("unique_identifiers", []):
 if response.get(i):
 _sub = response[i]
 sub = hashlib.sha256(
- f"{_sub}~{self.config['user_attributes']['subject_id_salt']}".encode(
+ f"{_sub}~{pepper}".encode(
 )
 ).hexdigest()
 break
@@ -325,9 +326,8 @@ def _translate_response(self, response: dict, issuer: str, context: Context):
 "setting a random one for interop for internal frontends"
 )
 )
- # TODO - add a salt here
 sub = hashlib.sha256(
- json.dumps(response).encode()
+ f"{json.dumps(response).encode()}~{pepper}".encode()
 ).hexdigest()
 response["sub"] = [sub]
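Review bot: The new `pepper = self.config.get("user_attributes", {})['subject_id_random_value']` line raises a bare KeyError on the first authentication response whenever the key is missing — the `.get(..., {})` default buys nothing because the subscript that follows still raises — and nothing rejects the `CHANGEME!` placeholder that the example yaml and the test settings in this same commit ship, so a deployment that forgets to set it derives every subject identifier from a value anyone can read in the repository. Resolve and validate the value once at backend construction rather than on every response, e.g. `pepper = self.config.get("user_attributes", {}).get("subject_id_random_value")` followed by `if not pepper or pepper == "CHANGEME!": raise ValueError("user_attributes.subject_id_random_value must be set to a secret random value")`, and keep the checked value on `self` for `_translate_response` to use. `_translate_response` begins and continues outside the hunk.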
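Review bot: In the fallback branch the new line `f"{json.dumps(response).encode()}~{pepper}".encode()` interpolates a bytes object into the f-string, so what gets hashed is the repr `b'{...}'~pepper` rather than the JSON text; drop the inner call, `f"{json.dumps(response)}~{pepper}".encode()`. Because the whole response dict is hashed here, `json.dumps(response, sort_keys=True)` would additionally make the derived `sub` independent of the order in which the response keys were parsed, if a stable identifier is intended — the surrounding message suggests this value is only for interop, so that part is optional. The enclosing `_translate_response` continues outside the hunk.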
@@ -731,9 +731,6 @@ def handle_error(
 level="error"
 ):
- # TODO: evaluate with UX designers if Jinja2 template
- # loader and rendering is required, it seems not.
-
 _msg = f"{message}:"
 if err:
 _msg += f" {err}."
diff --git a/pyeudiw/tests/settings.py b/pyeudiw/tests/settings.py
index f572b3e3..6a940ea5 100644
--- a/pyeudiw/tests/settings.py
+++ b/pyeudiw/tests/settings.py
@@ -46,6 +46,10 @@
 "scopes": ["pid-sd-jwt:unique_id+given_name+family_name"],
 "default_acr_value": "https://www.spid.gov.it/SpidL2",
 },
+ 'user_attributes': {
+ "unique_identifiers": ["tax_id_code", "unique_id"],
+ "subject_id_random_value": "CHANGEME!"
+ },
 'network': {
 "httpc_params": httpc_params
 },