TMP WORK ON EXTENDING ROUTER

diracx-routers/src/diracx/routers/fastapi_classes.py

@@ -2,7 +2,7 @@
 
 import asyncio
 import contextlib
-from typing import TypeVar
+from typing import Any, Callable, TypeVar
 
 from fastapi import APIRouter, FastAPI
 
@@ -81,3 +81,21 @@ def __init__(
         super().__init__(dependencies=dependencies)
         self.diracx_require_auth = require_auth
         self.diracx_path_root = path_root
+
+    def add_api_route(self, path: str, endpoint: Callable[..., Any], **kwargs):
+
+        route_index = self._get_route_index_by_path_and_methods(
+            path, set(kwargs.get("methods", []))
+        )
+        if route_index >= 0:
+            # route_to_del = self.routes[route_index]
+
+            self.routes.pop(route_index)
+
+        return super().add_api_route(path, endpoint, **kwargs)
+
+    def _get_route_index_by_path_and_methods(self, path: str, methods: set[str]) -> int:
+        for index, route in enumerate(self.routes):
+            if route.path == path and methods == route.methods:
+                return index
+        return -1

extensions/gubbins/gubbins-routers/pyproject.toml

@@ -29,6 +29,7 @@ types = [
 
 [project.entry-points."diracx.services"]
 lollygag = "gubbins.routers.lollygag:router"
+auth = "gubbins.routers.auth:router"
 
 [tool.setuptools.packages.find]
 where = ["src"]

extensions/gubbins/gubbins-routers/src/gubbins/routers/auth.py

@@ -0,0 +1,21 @@
+from diracx.routers.auth import router as diracx_auth_router
+from diracx.routers.fastapi_classes import DiracxRouter
+from fastapi import HTTPException, status
+
+router = DiracxRouter(require_auth=False)
+router.include_router(diracx_auth_router)
+
+# Just overriding does not work: https://github.com/tiangolo/fastapi/discussions/8489
+
+
+@router.post("/device")
+async def forbid_device_flow(client_id: str, scope: str, *args, **kwargs):
+    """Initiate the device flow against DIRAC authorization Server.
+    Scope must have exactly up to one `group` (otherwise default) and
+    one or more `property` scope.
+    If no property, then get default one.
+
+    Offers the user to go with the browser to
+    `auth/<vo>/device?user_code=XYZ`
+    """
+    raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="BOOOOOM")

extensions/gubbins/gubbins-routers/tests/data/lhcb-auth.web.cern.ch/.well-known/openid-configuration

@@ -0,0 +1 @@
+{"request_parameter_supported":true,"introspection_endpoint":"https://lhcb-auth.web.cern.ch/introspect","claims_parameter_supported":false,"scopes_supported":["openid","profile","email","address","phone","offline_access","eduperson_scoped_affiliation","eduperson_entitlement","eduperson_assurance","wlcg","wlcg.groups","entitlements"],"issuer":"https://lhcb-auth.web.cern.ch/","userinfo_encryption_enc_values_supported":["XC20P","A256CBC+HS512","A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128CBC+HS256"],"id_token_encryption_enc_values_supported":["XC20P","A256CBC+HS512","A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128CBC+HS256"],"authorization_endpoint":"https://lhcb-auth.web.cern.ch/authorize","request_object_encryption_enc_values_supported":["XC20P","A256CBC+HS512","A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512","A128CBC+HS256"],"device_authorization_endpoint":"https://lhcb-auth.web.cern.ch/devicecode","userinfo_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512","PS256","PS384","PS512"],"claims_supported":["sub","name","preferred_username","given_name","family_name","middle_name","nickname","profile","picture","zoneinfo","locale","updated_at","email","email_verified","organisation_name","groups","wlcg.groups","external_authn"],"op_policy_uri":"https://lhcb-auth.web.cern.ch/about","claim_types_supported":["normal"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","client_secret_jwt","private_key_jwt","none"],"token_endpoint":"https://lhcb-auth.web.cern.ch/token","response_types_supported":["code","token"],"request_uri_parameter_supported":false,"userinfo_encryption_alg_values_supported":["RSA-OAEP-512","RSA-OAEP","RSA-OAEP-256","RSA1_5","RSA-OAEP-384"],"grant_types_supported":["authorization_code","implicit","refresh_token","client_credentials","password","urn:ietf:params:oauth:grant-type:token-exchange","urn:ietf:params:oauth:grant-type:device_code"],"revocation_endpoint":"https://lhcb-auth.web.cern.ch/revoke","userinfo_endpoint":"https://lhcb-auth.web.cern.ch/userinfo","op_tos_uri":"https://lhcb-auth.web.cern.ch/about","token_endpoint_auth_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512","PS256","PS384","PS512"],"require_request_uri_registration":false,"code_challenge_methods_supported":["plain","S256"],"id_token_encryption_alg_values_supported":["RSA-OAEP-512","RSA-OAEP","RSA-OAEP-256","RSA1_5","RSA-OAEP-384"],"jwks_uri":"https://lhcb-auth.web.cern.ch/jwk","subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512","PS256","PS384","PS512","none"],"registration_endpoint":"https://lhcb-auth.web.cern.ch/iam/api/client-registration","request_object_signing_alg_values_supported":["HS256","HS384","HS512","RS256","RS384","RS512","ES256","ES384","ES512","PS256","PS384","PS512"],"request_object_encryption_alg_values_supported":["RSA-OAEP-512","RSA-OAEP","RSA-OAEP-256","RSA1_5","RSA-OAEP-384"]}