def get_service_jwt(service_credentials, group: str = None, email=True, email_claim=False, audience=None):
    """Mint an RS256-signed JWT asserting a service account's identity.

    Args:
        service_credentials: mapping holding ``client_email``, ``private_key_id``
            and ``private_key`` (the PEM used to sign).
        group: when truthy, placed under the configured OIDC group claim.
        email: when true, ``client_email`` is copied into the ``email`` claim.
        email_claim: when true, ``client_email`` is also copied into the
            configured OIDC email claim.
        audience: ``aud`` value; falls back to ``Config.get_audience()`` when falsy.

    Returns:
        The compact-serialized token as ``str``. Lifetime is fixed at one hour
        from issuance (``exp = iat + 3600``).
    """
    issued_at = time.time()
    subject = service_credentials["client_email"]
    claims = {
        'iss': subject,
        'sub': subject,
        'aud': audience or Config.get_audience(),
        'iat': issued_at,
        # Hard-coded one-hour validity window.
        'exp': issued_at + 3600,
        'scope': ['email', 'openid', 'offline_access'],
    }
    if group:
        claims[Config.get_OIDC_group_claim()] = group
    if email:
        claims['email'] = subject
    if email_claim:
        claims[Config.get_OIDC_email_claim()] = subject
    # 'kid' names the signing key so the verifier can pick the matching public key.
    headers = {'kid': service_credentials["private_key_id"]}
    token = jwt.encode(claims, service_credentials["private_key"], headers=headers, algorithm='RS256')
    # NOTE(review): .decode() assumes jwt.encode returns bytes (PyJWT 1.x behaviour) — confirm pinned version.
    return token.decode()
def assert_authorized_group(group: typing.List[str], token: dict) -> None:
    """Raise unless the token's group claim names one of the authorized groups.

    Args:
        group: authorized group names; membership is an exact ``in`` test.
        token: decoded JWT claims; the group is read from the key returned by
            ``Config.get_OIDC_group_claim()``. A missing claim yields ``None``,
            which only matches if ``group`` itself contains ``None``.

    Raises:
        DSSForbiddenException: when the claim value is not in ``group``.
    """
    claimed_group = token.get(Config.get_OIDC_group_claim())
    if claimed_group not in group:
        # NOTE(review): this emits the entire decoded claim set (email and other
        # identity claims included) at INFO; consider logging only the group claim.
        logger.info(f"User not in authorized group: {group}, {token}")
        raise DSSForbiddenException()