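    def get_userinfo_access_token(self, access_token: str) -> Tuple[int, Dict]:
        """Resolve a caller-supplied access token to user info via its issuer.

        The token is only *unpacked* here, never signature-checked: the
        ``iss`` claim (or the ``x-arpoc-issuer`` request header as a fallback)
        is used solely to pick one of the configured providers. Validation of
        the token itself is delegated to that provider through token
        introspection and/or the userinfo endpoint, so an attacker-controlled
        ``iss`` can at most choose between providers already present in the
        configuration.

        Args:
            access_token: Bearer token as presented by the client (untrusted).

        Returns:
            ``(valid_until, userinfo)``. ``valid_until`` is the ``exp`` reported
            by introspection, ``now() + 30`` when the provider reports the
            token as active without an ``exp`` or when introspection is
            disabled for that provider, and ``0`` when no provider matched
            the issuer or introspection did not report the token as active.
            ``userinfo`` is empty when no provider matched.

        Raises:
            Exception: ``"400 - Bad Request"`` when the token cannot be
                unpacked (or carries no ``iss`` claim) and no issuer hint
                header is present.
        """
        # TODO: error handling (no jwt)
        # TODO: allow issuer parameter in header here
        userinfo = {}
        # Deliberately not logging the raw token or its payload: both are
        # credentials and would end up in the debug log.
        try:
            access_token_obj = jwt.JWT()
            access_token_obj.unpack(access_token)
            issuer = access_token_obj.payload()['iss']
        except (BadSyntax, KeyError):
            # Undecodable token, or one without an "iss" claim: fall back to
            # the issuer hint header, otherwise reject the request.
            LOGGING.debug("Decoding Access Token failed")
            if 'x-arpoc-issuer' in cherrypy.request.headers:
                LOGGING.debug("issuer hint found")
                issuer = cherrypy.request.headers['x-arpoc-issuer']
            else:
                raise Exception("400 - Bad Request")  # TODO

        # Only providers from the configuration are eligible; the (unverified)
        # issuer merely selects among them. Last matching provider wins, as
        # before.
        client = None
        client_name = None
        for provider_name, obj in self.__oidc_provider.items():
            # Log the provider name only; the client object may carry the
            # client secret.
            LOGGING.debug("checking provider %s", provider_name)
            if obj.issuer == issuer:
                client = obj
                client_name = provider_name

        valid_until = 0
        if client is None:
            LOGGING.info(
                "Access token received, but no suitable provider in configuration"
            )
            LOGGING.info("Access token issuer %s", issuer)
            return valid_until, dict(userinfo)

        if self.cfg.openid_providers[client_name].do_token_introspection:
            # Introspection needs the OAuth extension client: build it from the
            # OIDC client's credentials and copy over every *_endpoint it knows.
            args = ["client_id", "client_authn_method", "keyjar", "config"]
            kwargs = {x: getattr(client, x) for x in args}
            oauth_client = oic.extension.client.Client(**kwargs)
            for key, val in client.__dict__.items():
                if key.endswith("_endpoint"):
                    setattr(oauth_client, key, val)
            oauth_client.client_secret = client.client_secret
            introspection_res = oauth_client.do_token_introspection(
                request_args={
                    'token': access_token,
                    'state': rndstr()
                },
                authn_method='client_secret_basic')
            # A response without an "active" member is treated as inactive
            # rather than raising KeyError.
            if 'active' in introspection_res and introspection_res['active']:
                if 'exp' in introspection_res:
                    valid_until = introspection_res['exp']
                else:
                    valid_until = arpoc.utils.now() + 30
        else:
            valid_until = arpoc.utils.now() + 30
        # NOTE(review): the userinfo request is still issued when introspection
        # reported the token as inactive (valid_until stays 0); callers must
        # treat valid_until == 0 as "not valid" — confirm against callers.
        userinfo = client.do_user_info_request(access_token=access_token)
        return valid_until, dict(userinfo)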
        def _decode_and_verify():
            """Verify ``auth_token``'s signature and return the verification result.

            The issuer is read from the still-unverified payload only to look
            up the signing keys; the signature is then checked against those
            keys, so a forged ``iss`` cannot bypass the check.

            Raises:
                suppliers.UnauthenticatedException: wrapping the underlying
                    signature / key-selection / algorithm error.
            """
            claims = jwt.JWT().unpack(auth_token).payload()
            _verify_required_claims_exist(claims)

            signing_keys = self._jwks_supplier.supply(claims["iss"])
            try:
                verified = jws.JWS().verify_compact(auth_token, signing_keys)
            except (jwkest.BadSignature, jws.NoSuitableSigningKeys,
                    jws.SignerAlgError) as exception:
                raise suppliers.UnauthenticatedException(
                    "Signature verification failed", exception)
            return verified