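def get_jwks():
    """Return the Auth0 JWKS (JSON Web Key Set) used to verify tokens.

    The key set is looked up in ``cache`` first; cache failures are
    suppressed so an unavailable cache degrades to a fresh fetch rather
    than an authentication error.  On a miss it is fetched from
    ``https://<OIDC_DOMAIN>/.well-known/jwks.json`` (``OIDC_DOMAIN`` is read
    from ``current_app.config``) and cached for 60 seconds.

    Returns:
        dict: the decoded JWKS document; it always carries a ``keys`` list.

    Raises:
        ProblemException: status 500 when Auth0 times out, cannot be
            reached, answers with an error status, or returns a body that
            is not a JSON object with a ``keys`` list.
    """
    jwks_url = "https://{oidc_domain}/.well-known/jwks.json".format(
        oidc_domain=current_app.config["OIDC_DOMAIN"])
    cache_key = jwks_cache_key(jwks_url)

    jwks = None
    with cache.suppress_failure():
        jwks = cache.get(cache_key)

    if jwks is not None:
        return jwks

    try:
        # requests has no default timeout: without one the Timeout branch
        # below can never fire and a stalled connection to Auth0 pins this
        # worker indefinitely.  10s is generous for a small static document.
        jwks_response = requests.get(jwks_url, timeout=10)
        # requests.get() does not raise on 4xx/5xx by itself, so without this
        # an Auth0 error page would reach the JSON parse below and, if it
        # happened to be JSON, be cached as the key set for 60s.  This is
        # also what makes the HTTPError branch reachable.
        jwks_response.raise_for_status()
    except requests.exceptions.Timeout:
        raise ProblemException(
            500,
            "Auth0 Timeout",
            "Authentication server timed out, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )
    except requests.exceptions.ConnectionError:
        raise ProblemException(
            500,
            "Auth0 Connection Problem",
            "Can't connect to authentication server, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )
    except requests.exceptions.HTTPError:
        raise ProblemException(
            500,
            "Auth0 Response Error",
            "Authentication server response was invalid, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )
    except requests.exceptions.RequestException:
        # Catch-all for any other transport-level failure (must stay last:
        # the classes above are subclasses of RequestException).
        raise ProblemException(
            500,
            "Auth0 Error",
            "Problem communicating with Auth0, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )

    try:
        jwks = jwks_response.json()
    except ValueError:
        logger.error("Auth0 jwks response was not valid json")
        raise ProblemException(
            500,
            "Auth0 Response Error",
            "Authentication server response was invalid, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )

    # RFC 7517 defines a JWKS as a JSON object with a "keys" array.  Refuse
    # to cache (and later hand to the token verifier) anything else, so a
    # malformed or unexpected body is never served as the key set.
    if not isinstance(jwks, dict) or not isinstance(jwks.get("keys"), list):
        logger.error("Auth0 jwks response did not contain a 'keys' list")
        raise ProblemException(
            500,
            "Auth0 Response Error",
            "Authentication server response was invalid, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )

    # Short TTL: Auth0 may rotate signing keys, and a stale set would make
    # freshly issued tokens unverifiable until it expires.
    with cache.suppress_failure():
        cache.set(cache_key, jwks, timeout=60)

    return jwks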
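def get_jwks():
    """Return the Auth0 JWKS (JSON Web Key Set) used to verify tokens.

    The key set is looked up in ``cache`` first; cache failures are
    suppressed so an unavailable cache degrades to a fresh fetch rather
    than an authentication error.  On a miss it is fetched from the URL in
    ``current_app.config['OIDC_JWKS_URL']`` and cached for 60 seconds.

    Returns:
        dict: the decoded JWKS document; it always carries a ``keys`` list.

    Raises:
        ProblemException: status 500 when Auth0 times out, cannot be
            reached, answers with an error status, or returns a body that
            is not a JSON object with a ``keys`` list.
    """
    jwks_url = current_app.config['OIDC_JWKS_URL']
    cache_key = jwks_cache_key(jwks_url)

    jwks = None
    with cache.suppress_failure():
        jwks = cache.get(cache_key)

    if jwks is not None:
        return jwks

    try:
        # requests has no default timeout: without one the Timeout branch
        # below can never fire and a stalled connection to Auth0 pins this
        # worker indefinitely.  10s is generous for a small static document.
        jwks_response = requests.get(jwks_url, timeout=10)
        # requests.get() does not raise on 4xx/5xx by itself, so without this
        # an Auth0 error page would reach the JSON parse below and, if it
        # happened to be JSON, be cached as the key set for 60s.  This is
        # also what makes the HTTPError branch reachable.
        jwks_response.raise_for_status()
    except requests.exceptions.Timeout:
        raise ProblemException(
            500,
            'Auth0 Timeout',
            'Authentication server timed out, try again later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable
    except requests.exceptions.ConnectionError:
        raise ProblemException(
            500,
            'Auth0 Connection Problem',
            'Can\'t connect to authentication server, try again later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable
    except requests.exceptions.HTTPError:
        raise ProblemException(
            500,
            'Auth0 Response Error',
            'Authentication server response was invalid, try again '
            'later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable
    except requests.exceptions.RequestException:
        # Catch-all for any other transport-level failure (must stay last:
        # the classes above are subclasses of RequestException).
        raise ProblemException(
            500,
            'Auth0 Error',
            'Problem communicating with Auth0, try again later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable

    try:
        jwks = jwks_response.json()
    except ValueError:
        logger.error('Auth0 jwks response was not valid json')
        raise ProblemException(
            500,
            'Auth0 Response Error',
            'Authentication server response was invalid, try again later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable

    # RFC 7517 defines a JWKS as a JSON object with a "keys" array.  Refuse
    # to cache (and later hand to the token verifier) anything else, so a
    # malformed or unexpected body is never served as the key set.
    if not isinstance(jwks, dict) or not isinstance(jwks.get('keys'), list):
        logger.error("Auth0 jwks response did not contain a 'keys' list")
        raise ProblemException(
            500,
            'Auth0 Response Error',
            'Authentication server response was invalid, try again later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable

    # Short TTL: Auth0 may rotate signing keys, and a stale set would make
    # freshly issued tokens unverifiable until it expires.
    with cache.suppress_failure():
        cache.set(cache_key, jwks, timeout=60)

    return jwks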
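def get_auth0_userinfo(access_token, user_sub):
    """Return the Auth0 userinfo document for ``access_token``.

    The document is looked up in ``cache`` first (keyed through
    ``userinfo_cache_key`` on the token and subject; cache failures are
    suppressed so an unavailable cache degrades to a fresh fetch).  On a
    miss it is fetched with ``fetch_auth0_userinfo`` and cached for 60
    seconds.

    Args:
        access_token: bearer token presented to the Auth0 userinfo endpoint.
        user_sub: the OIDC ``sub`` the caller already attributes to this
            token.  The fetched document must carry the same ``sub`` to be
            accepted (OIDC Core 5.3.2).

    Returns:
        dict: the decoded userinfo response.

    Raises:
        ProblemException: 500 for transport failures or an invalid body,
            429 when Auth0 rate-limits the request, 401 when Auth0 rejects
            the token for userinfo, and 403 for any other non-200 status.
    """
    cache_key = userinfo_cache_key(access_token, user_sub)

    userinfo = None
    with cache.suppress_failure():
        userinfo = cache.get(cache_key)

    if userinfo is not None:
        return userinfo

    # NOTE(review): the request timeout lives in fetch_auth0_userinfo (not
    # visible here) -- confirm it passes one, or the Timeout branch is dead.
    try:
        resp = fetch_auth0_userinfo(access_token)
    except requests.exceptions.Timeout:
        raise ProblemException(
            500,
            "Auth0 Timeout",
            "Authentication server timed out, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )
    except requests.exceptions.ConnectionError:
        raise ProblemException(
            500,
            "Auth0 Connection Problem",
            "Can't connect to authentication server, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )
    except requests.exceptions.HTTPError:
        raise ProblemException(
            500,
            "Auth0 Response Error",
            "Authentication server response was invalid, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )
    except requests.exceptions.RequestException:
        # Catch-all for any other transport-level failure (must stay last:
        # the classes above are subclasses of RequestException).
        raise ProblemException(
            500,
            "Auth0 Error",
            "Problem communicating with Auth0, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )

    if resp.status_code == 429:
        # We should hopefully never hit this in production, so log an error
        # to make sure we investigate.
        logger.error("Auth0 Rate limit hit when requesting userinfo")
        raise ProblemException(
            429,
            "Auth0 Rate Limit",
            "Authentication rate limit hit, please wait before retrying",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429",
        )

    if resp.status_code == 401:
        raise ProblemException(
            401,
            "Auth0 Userinfo Unauthorized",
            "Unauthorized to access userinfo, check openid scope",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401",
        )

    if resp.status_code != 200:
        # NOTE(review): this also maps Auth0 5xx responses to a 403, so an
        # Auth0 outage is reported to the client as a permission failure.
        raise ProblemException(
            403,
            "Authorization Failure",
            "You do not have permission to access this resource",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403",
        )

    try:
        userinfo = resp.json()
    except ValueError:
        logger.error("Auth0 userinfo response was not valid json")
        raise ProblemException(
            500,
            "Auth0 Response Error",
            "Authentication server response was invalid, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )

    # OIDC Core 5.3.2: the client MUST verify that the userinfo "sub" matches
    # the subject it already holds for this token.  Without this a document
    # for a different identity would be cached under this token/subject and
    # acted on by the caller.
    if not isinstance(userinfo, dict) or userinfo.get("sub") != user_sub:
        logger.error("Auth0 userinfo response subject did not match token subject")
        raise ProblemException(
            500,
            "Auth0 Response Error",
            "Authentication server response was invalid, try again later",
            type="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500",
        )

    with cache.suppress_failure():
        cache.set(cache_key, userinfo, timeout=60)

    return userinfo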
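def get_auth0_userinfo(access_token, user_sub):
    """Return the Auth0 userinfo document for ``access_token``.

    The document is looked up in ``cache`` first (keyed through
    ``userinfo_cache_key`` on the token and subject).  Cache failures are
    suppressed -- as the sibling ``get_jwks`` does -- so an unavailable
    cache degrades to a fresh fetch instead of failing every authenticated
    request.  On a miss it is fetched with ``fetch_auth0_userinfo`` and
    cached for 60 seconds.

    Args:
        access_token: bearer token presented to the Auth0 userinfo endpoint.
        user_sub: the OIDC ``sub`` the caller already attributes to this
            token.  The fetched document must carry the same ``sub`` to be
            accepted (OIDC Core 5.3.2).

    Returns:
        dict: the decoded userinfo response.

    Raises:
        ProblemException: 500 for transport failures or an invalid body,
            429 when Auth0 rate-limits the request, 401 when Auth0 rejects
            the token for userinfo, and 403 for any other non-200 status.
    """
    cache_key = userinfo_cache_key(access_token, user_sub)

    userinfo = None
    with cache.suppress_failure():
        userinfo = cache.get(cache_key)

    if userinfo is not None:
        return userinfo

    # NOTE(review): the request timeout lives in fetch_auth0_userinfo (not
    # visible here) -- confirm it passes one, or the Timeout branch is dead.
    try:
        resp = fetch_auth0_userinfo(access_token)
    except requests.exceptions.Timeout:
        raise ProblemException(
            500,
            'Auth0 Timeout',
            'Authentication server timed out, try again later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable
    except requests.exceptions.ConnectionError:
        raise ProblemException(
            500,
            'Auth0 Connection Problem',
            'Can\'t connect to authentication server, try again later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable
    except requests.exceptions.HTTPError:
        raise ProblemException(
            500,
            'Auth0 Response Error',
            'Authentication server response was invalid, try again '
            'later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable
    except requests.exceptions.RequestException:
        # Catch-all for any other transport-level failure (must stay last:
        # the classes above are subclasses of RequestException).
        raise ProblemException(
            500,
            'Auth0 Error',
            'Problem communicating with Auth0, try again later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable

    if resp.status_code == 429:
        # We should hopefully never hit this in production, so log an error
        # to make sure we investigate.
        logger.error({'msg': 'Auth0 Rate limit hit when requesting userinfo'},
                     'auth0.rate_limited')
        raise ProblemException(
            429,
            'Auth0 Rate Limit',
            'Authentication rate limit hit, please wait before '
            'retrying',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429'
        )  # yapf: disable

    if resp.status_code == 401:
        raise ProblemException(
            401,
            'Auth0 Userinfo Unauthorized',
            'Unauthorized to access userinfo, check openid scope',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401'
        )  # yapf: disable

    if resp.status_code != 200:
        # NOTE(review): this also maps Auth0 5xx responses to a 403, so an
        # Auth0 outage is reported to the client as a permission failure.
        raise ProblemException(
            403,
            'Authorization Failure',
            'You do not have permission to access this resource',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403'
        )  # yapf: disable

    try:
        userinfo = resp.json()
    except ValueError:
        logger.error({'msg': 'Auth0 userinfo response was not valid json.'},
                     'auth0.error')
        raise ProblemException(
            500,
            'Auth0 Response Error',
            'Authentication server response was invalid, try again later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable

    # OIDC Core 5.3.2: the client MUST verify that the userinfo "sub" matches
    # the subject it already holds for this token.  Without this a document
    # for a different identity would be cached under this token/subject and
    # acted on by the caller.
    if not isinstance(userinfo, dict) or userinfo.get('sub') != user_sub:
        logger.error({'msg': 'Auth0 userinfo response subject did not match '
                             'token subject.'},
                     'auth0.error')
        raise ProblemException(
            500,
            'Auth0 Response Error',
            'Authentication server response was invalid, try again later',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
        )  # yapf: disable

    # Best-effort cache write, consistent with the read above and with
    # get_jwks: a cache outage must not turn into an auth failure.
    with cache.suppress_failure():
        cache.set(cache_key, userinfo, timeout=60)

    return userinfo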