Beispiel #1
def decode_jwt_token(token):
    """Verify ``token`` and return its claim set.

    The token is decoded twice.  Pass one skips signature verification and is
    used for exactly one purpose: reading ``iss`` (and ``kid`` from the header)
    to pick the public key.  Pass two verifies the signature with that key and,
    as configured in ``api_settings``, the expiry, issuer and audience.  The
    issuer handed to pass two is the very value read in pass one, so a token
    cannot be signed with one issuer's key while naming another issuer.

    Args:
        token: the compact-serialized JWT exactly as received from the client
            (untrusted input).

    Returns:
        The verified payload as a dict.

    Raises:
        MissingRequiredClaimError: ``iss``, the session ID or the user ID is
            absent.
        InvalidIssuerError: ``iss`` is not in ``api_settings.ACCEPTED_ISSUERS``
            (only enforced while that setting is not ``None``).
        InvalidTokenError: the token-type claim is neither a session nor an
            authorization token.  ``jwt.decode`` raises its own errors for a
            bad signature, expiry, issuer or audience.
    """
    # --- pass one: unverified.  Trust nothing here beyond key selection. ----
    # NOTE(review): `verify=` is the PyJWT 1.x keyword; PyJWT 2+ dropped it in
    # favour of options={"verify_signature": False}.  Confirm the pinned version.
    header = jwt.get_unverified_header(token)
    raw_claims = jwt.decode(token, verify=False)

    # `kid` is attacker-controlled and is forwarded as an opaque lookup key.
    # NOTE(review): get_public_key_and_key_id must not build a path, URL or
    # query from it -- not visible from here, confirm.
    raw_kid = header.get(claims.KEY_ID)
    unverified_key_id = str(raw_kid) if raw_kid else None

    if claims.ISSUER not in raw_claims:
        raise MissingRequiredClaimError(claims.ISSUER)
    unverified_issuer = str(raw_claims[claims.ISSUER])

    # Allow-list the issuer *before* any key lookup happens for it.  With
    # ACCEPTED_ISSUERS left at None, every issuer string reaches the lookup.
    accepted_issuers = api_settings.ACCEPTED_ISSUERS
    if accepted_issuers is not None and unverified_issuer not in accepted_issuers:
        raise InvalidIssuerError("Invalid issuer")

    public_key, _key_id = get_public_key_and_key_id(
        issuer=unverified_issuer, key_id=unverified_key_id
    )

    # --- pass two: the real verification. -----------------------------------
    # VERIFY_SIGNATURE=False turns this into an unauthenticated decode, and the
    # `algorithms` allow-list is what rules out alg confusion ("none", or an
    # HMAC alg checked with the public key as the secret).  Both are settings,
    # so they must be locked down outside of tests.
    payload = jwt.decode(
        jwt=token,
        key=public_key,
        verify=api_settings.VERIFY_SIGNATURE,
        algorithms=api_settings.DECODE_ALGORITHMS or [api_settings.ENCODE_ALGORITHM],
        options={
            "verify_exp": api_settings.VERIFY_EXPIRATION,
            "verify_iss": api_settings.VERIFY_ISSUER,
            "verify_aud": api_settings.VERIFY_AUDIENCE,
        },
        leeway=api_settings.EXPIRATION_LEEWAY,
        audience=api_settings.IDENTITY,
        issuer=unverified_issuer,
    )

    # --- application-level checks on the *verified* payload. ----------------
    token_type = payload.get(claims.TOKEN)
    if token_type not in (claims.TOKEN_SESSION, claims.TOKEN_AUTHORIZATION):
        raise InvalidTokenError("Unknown token type")

    required = (
        (claims.SESSION_ID, "Session ID is missing."),
        (claims.USER_ID, "User ID is missing."),
    )
    for claim_name, message in required:
        if not payload.get(claim_name):
            raise MissingRequiredClaimError(message)

    return payload
Beispiel #2
def decode_jwt_token(token):
    """Verify ``token`` and return its claim set.

    Works in two passes: an unverified decode that only serves to read ``iss``
    (and the header ``kid``) so the right public key can be fetched, followed
    by the verified decode against that key.  Issuer and audience verification
    are always on here (``verify_iss`` / ``verify_aud`` are hard-coded True);
    only signature and expiry checking are governed by ``api_settings``.  A
    token from any issuer other than ``api_settings.IDENTITY`` is accepted only
    if it is an authorization token.

    Args:
        token: the compact-serialized JWT as received from the client
            (untrusted input).

    Returns:
        The verified payload as a dict.

    Raises:
        MissingRequiredClaimError: ``iss``, the session ID or the user ID is
            absent.
        InvalidIssuerError: ``iss`` is not in ``api_settings.ACCEPTED_ISSUERS``
            (only enforced while that setting is not ``None``).
        InvalidTokenError: unknown token type, or a non-authorization token
            from a foreign issuer.  ``jwt.decode`` raises its own errors for a
            bad signature, expiry, issuer or audience.
    """
    # Unverified pass.  Only `iss` and `kid` are read from it, and only to
    # select a key.  NOTE(review): `verify=` is the PyJWT 1.x keyword; confirm
    # the pinned PyJWT version.
    header = jwt.get_unverified_header(token)
    raw_claims = jwt.decode(token, verify=False)

    # `kid` is attacker-controlled; it is forwarded as an opaque lookup key.
    kid = header.get(claims.KEY_ID)
    unverified_key_id = six.text_type(kid) if kid else None

    if claims.ISSUER not in raw_claims:
        raise MissingRequiredClaimError(claims.ISSUER)
    unverified_issuer = six.text_type(raw_claims[claims.ISSUER])

    # Issuer allow-list runs before the key lookup; None disables it.
    accepted = api_settings.ACCEPTED_ISSUERS
    if accepted is not None and unverified_issuer not in accepted:
        raise InvalidIssuerError('Invalid issuer')

    public_key, _ = get_public_key_and_key_id(issuer=unverified_issuer, key_id=unverified_key_id)

    # Verified pass.  VERIFY_SIGNATURE=False makes this an unauthenticated
    # decode and `algorithms` is the alg allow-list -- both must be locked
    # down outside of tests.
    verify_options = {
        'verify_exp': api_settings.VERIFY_EXPIRATION,
        'verify_aud': True,
        'verify_iss': True,
    }
    payload = jwt.decode(
        jwt=token,
        key=public_key,
        verify=api_settings.VERIFY_SIGNATURE,
        algorithms=api_settings.DECODE_ALGORITHMS or [api_settings.ENCODE_ALGORITHM],
        options=verify_options,
        leeway=api_settings.EXPIRATION_LEEWAY,
        audience=api_settings.IDENTITY,
        issuer=unverified_issuer,
    )

    token_type = payload.get(claims.TOKEN)
    if token_type not in (claims.TOKEN_SESSION, claims.TOKEN_AUTHORIZATION):
        raise InvalidTokenError('Unknown token type')

    # Session tokens are only honoured from ourselves; anything foreign has to
    # be an authorization token.
    is_foreign_issuer = payload.get(claims.ISSUER) != api_settings.IDENTITY
    if is_foreign_issuer and token_type != claims.TOKEN_AUTHORIZATION:
        raise InvalidTokenError('Only authorization tokens are accepted from other issuers')

    if not payload.get(claims.SESSION_ID):
        raise MissingRequiredClaimError('Session ID is missing.')
    if not payload.get(claims.USER_ID):
        raise MissingRequiredClaimError('User ID is missing.')

    return payload
Beispiel #3
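        def wrapper(*args, **kwargs):
            """Require a verified JWT whose ``roles`` claim contains ``role_name``.

            ``verify_jwt_in_request`` runs first, so an unauthenticated request
            never reaches the role check.  ``role_name``, ``optional`` and
            ``fn`` come from the enclosing decorator, which is defined outside
            this block.

            Raises:
                MissingRequiredClaimError: the verified token carries no
                    ``roles`` claim.  Raised regardless of ``optional``.
                NoAuthorizationError: ``role_name`` is not among the roles and
                    ``optional`` is false.
            """
            verify_jwt_in_request()
            claims = get_jwt()
            # Only the claim lookup itself sits inside the try, so a KeyError
            # raised within get_jwt() is not misreported as a missing "roles".
            try:
                roles = claims["roles"]
            except KeyError:
                raise MissingRequiredClaimError("roles")
            # NOTE(review): `in` is a substring test when `roles` is a string
            # ("admin" in "superadmin" is True).  Confirm the claim is a list,
            # or normalise it before the membership test.
            if role_name not in roles and not optional:
                raise NoAuthorizationError
            return fn(*args, **kwargs)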
Beispiel #4
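def get_user_guid(decoded_token):
    """Return the ``axa_guid`` claim of an already-verified token.

    Args:
        decoded_token: claim dict produced by JWT verification.  This helper
            does no verification of its own, so never feed it an unverified
            decode.

    Returns:
        The value of the ``axa_guid`` claim, unchanged (it may be falsy).

    Raises:
        MissingRequiredClaimError: the claim is absent.
    """
    # Single lookup instead of a `.keys()` membership test plus a second index.
    try:
        return decoded_token['axa_guid']
    except KeyError:
        raise MissingRequiredClaimError('axa_guid')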
Beispiel #5
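def check_scope(decoded_token):
    """Return the scopes granted by an already-verified token as a list.

    The ``scope`` claim is treated as the OAuth 2.0 space-delimited string.
    Empty entries -- an empty claim, or doubled/trailing spaces -- are dropped,
    so a blank scope yields ``[]`` rather than ``['']`` (which would otherwise
    satisfy a check such as ``'' in scopes``).

    Args:
        decoded_token: claim dict produced by JWT verification.  No
            verification happens here.

    Returns:
        list[str]: the individual scope names, in claim order.

    Raises:
        MissingRequiredClaimError: the claim is absent.
    """
    try:
        raw_scope = decoded_token['scope']
    except KeyError:
        raise MissingRequiredClaimError('scope')
    return [scope for scope in raw_scope.split(' ') if scope]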
def test_missing_required_claim_error_has_proper_str():
    """The error message names the missing claim, wrapped in double quotes."""
    message = str(MissingRequiredClaimError('abc'))
    assert message == 'Token is missing the "abc" claim'