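async def get_subject_by_provider(request: Request, provider_name: str,
                                  token_str: str) -> str:
    """Validate an OIDC identity token for *provider_name* and return its ``sub``.

    Only Cognito user-pool providers in the app's configured region
    (``cognito-idp.<region>.amazonaws.com/<pool_id>``) are handled; any other
    provider raises ``NotImplementedError``.

    Args:
        request: incoming request; ``request.app.state.region`` selects the
            accepted Cognito endpoint and ``request.scope[NOW_KEY]`` is the
            clock used for the ``exp`` check (with ``LEEWAY`` seconds slack).
        provider_name: OIDC provider identifier (host plus user-pool path).
        token_str: compact-serialised JWT presented by the client.

    Returns:
        The token's ``sub`` claim.

    Raises:
        NotAuthorizedException: the JWKS could not be fetched, the token failed
            signature/claim validation, or it carries no ``sub`` claim.
        NotImplementedError: *provider_name* is not a supported provider.
    """
    cognito_prefix = f"cognito-idp.{request.app.state.region}.amazonaws.com/"
    if not provider_name.startswith(cognito_prefix):
        raise NotImplementedError()

    invalid_token = "Invalid login token. Not a valid OpenId Connect identity token."
    try:
        # The URL literal was missing its ``f`` prefix, so the JWKS was fetched
        # from the literal host "{provider_name}" and validation always failed.
        jwks = await get_jwks(f"https://{provider_name}/.well-known/jwks.json")
        # Pin the signature algorithm allow-list rather than letting the token's
        # own ``alg`` header choose; Cognito user-pool tokens are RS256-signed.
        token = JsonWebToken(["RS256"]).decode(token_str, key=jwks)
        # NOTE(review): decode() is given no claims_options, so validate_iss()
        # has no expected issuer to compare against; pin ``iss`` to the provider
        # (presumably ``https://{provider_name}`` for Cognito — confirm) so a
        # token minted by a different user pool is rejected.
        token.validate_iss()
        token.validate_sub()
        token.validate_exp(request.scope[NOW_KEY].timestamp(), LEEWAY)
    except (httpx.HTTPError, JoseError) as exc:
        logger.error("failed to validate token", exc_info=True)
        raise NotAuthorizedException(invalid_token) from exc

    # The success path previously fell off the end and returned None despite
    # the ``-> str`` annotation. A token without ``sub`` is rejected as
    # unauthorized instead of surfacing as an unhandled KeyError.
    try:
        return token["sub"]
    except KeyError:
        logger.error("validated token carries no sub claim")
        raise NotAuthorizedException(invalid_token) from None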
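async def get_subject_by_provider(request: Request, provider_name: str,
                                  token_str: str) -> str:
    """Validate an OIDC identity token against the user-pool emulator and return ``sub``.

    *provider_name* must match ``COGNITO_IDP_ENDPOINT_URL_RE``; the captured
    ``pool_id`` selects the pool under
    ``request.app.state.user_pool_emulator_url_base``, whose JWKS is used to
    check the token signature. Any other provider raises ``NotImplementedError``.

    Args:
        request: incoming request; provides the emulator base URL and, via
            ``request.scope[NOW_KEY]``, the clock for the ``exp`` check
            (with ``LEEWAY`` seconds slack).
        provider_name: OIDC provider identifier (host plus user-pool path).
        token_str: compact-serialised JWT presented by the client.

    Returns:
        The token's ``sub`` claim.

    Raises:
        NotAuthorizedException: the JWKS could not be fetched, the token failed
            signature/claim validation, or it carries no ``sub`` claim.
        NotImplementedError: *provider_name* is not a supported provider.
    """
    match = COGNITO_IDP_ENDPOINT_URL_RE.match(provider_name)
    if match is None:
        raise NotImplementedError()

    emulator_root = request.app.state.user_pool_emulator_url_base.rstrip("/")
    pool_url = f"{emulator_root}/{match.group('pool_id')}"
    invalid_token = "Invalid login token. Not a valid OpenId Connect identity token."
    try:
        jwks = await get_jwks(f"{pool_url}/.well-known/jwks.json")
        # NOTE(review): no algorithm allow-list is passed, so the token's own
        # ``alg`` header picks the verification algorithm; pass the algorithm
        # the emulator signs with (e.g. JsonWebToken(["RS256"])) once confirmed.
        token = JsonWebToken().decode(token_str, key=jwks)
        # NOTE(review): decode() is given no claims_options, so validate_iss()
        # has no expected issuer to compare against — confirm what the emulator
        # puts in ``iss`` and pin it so tokens from another pool are rejected.
        token.validate_iss()
        token.validate_sub()
        token.validate_exp(request.scope[NOW_KEY].timestamp(), LEEWAY)
    except (httpx.HTTPError, JoseError) as exc:
        logger.error("failed to validate token", exc_info=True)
        raise NotAuthorizedException(invalid_token) from exc

    # A token without ``sub`` is rejected as unauthorized instead of surfacing
    # as an unhandled KeyError (validate_sub() is not shown to enforce presence).
    try:
        return token["sub"]
    except KeyError:
        logger.error("validated token carries no sub claim")
        raise NotAuthorizedException(invalid_token) from None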