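def verify(self, **kwargs):
    """Check the ``aud``/``azp`` claims against the caller's ``client_id``.

    :param kwargs: Forwarded to the base-class ``verify``; ``client_id``,
        when present, is the identity this token must be addressed to.
    :return: Whatever the base-class ``verify`` returns.
    :raises NotForMe: ``client_id`` is not among ``aud``, or differs from
        ``azp``.
    :raises VerificationError: ``aud`` lists several recipients but ``azp``
        is absent or is not one of them.
    """
    # These checks were ``assert`` statements. ``python -O`` strips asserts,
    # which would silently disable token validation, so they are plain
    # conditionals here.
    if "aud" in self:
        if "client_id" in kwargs:
            # check that I'm among the recipients
            if kwargs["client_id"] not in self["aud"]:
                raise NotForMe("", self)
        if len(self["aud"]) > 1:
            # Then azp has to be present and be one of the aud values
            if "azp" not in self:
                raise VerificationError("azp missing", self)
            if self["azp"] not in self["aud"]:
                raise VerificationError(
                    "Mismatch between azp and aud claims", self)
    if "azp" in self:
        if "client_id" in kwargs:
            # azp names the party the token was issued to; it must be us.
            if kwargs["client_id"] != self["azp"]:
                raise NotForMe("", self)
    return super(IdToken, self).verify(**kwargs)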
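def verify(self, **kwargs):
    """Verify the response, including the embedded ``id_token`` when present.

    When ``aud`` is present and ``client_id`` is given, the response must be
    addressed to that client (returns False otherwise -- note this differs
    from ``IdToken.verify``, which raises). When ``id_token`` is present it is
    parsed with ``IdToken().from_jwt`` (``key``/``keyjar`` from *kwargs* are
    forwarded), verified, and its ``at_hash``/``c_hash`` claims are compared
    with the ``access_token``/``code`` members of this response; the parsed
    ``IdToken`` then replaces the raw string in ``self["id_token"]``.

    :param kwargs: ``client_id``, ``key`` and ``keyjar`` are used here; all
        of *kwargs* is forwarded to ``IdToken.verify`` and to the base-class
        ``verify``.
    :return: False if ``client_id`` is not in ``aud``; otherwise whatever the
        base-class ``verify`` returns.
    :raises VerificationError: the id_token does not verify, or a hash claim
        does not match the corresponding member.
    :raises MissingRequiredAttribute: ``at_hash``/``c_hash`` is absent while
        the matching ``access_token``/``code`` member is present.
    """
    if "aud" in self:
        if "client_id" in kwargs:
            # check that it's for me
            if kwargs["client_id"] not in self["aud"]:
                return False
    if "id_token" in self:
        # Try to decode the JWT, checks the signature
        args = {arg: kwargs[arg] for arg in ("key", "keyjar") if arg in kwargs}
        idt = IdToken().from_jwt(str(self["id_token"]), **args)
        if not idt.verify(**kwargs):
            raise VerificationError("Could not verify id_token", idt)
        # The hash function is derived from the token's ``alg`` header
        # (e.g. RS256 -> HS256). That header is only worth trusting because
        # the token was verified just above; keep the two steps in this order.
        hfunc = "HS" + jwkest.unpack(self["id_token"])[0]["alg"][-3:]
        # The hash checks below were ``assert`` statements. ``python -O``
        # strips asserts, which would silently disable the binding of the
        # access token / code to this id_token, so they are plain conditionals.
        if "access_token" in self:
            if "at_hash" not in idt:
                raise MissingRequiredAttribute("Missing at_hash property", idt)
            if idt["at_hash"] != jws.left_hash(self["access_token"], hfunc):
                raise VerificationError(
                    "Failed to verify access_token hash", idt)
        if "code" in self:
            if "c_hash" not in idt:
                raise MissingRequiredAttribute("Missing c_hash property", idt)
            if idt["c_hash"] != jws.left_hash(self["code"], hfunc):
                raise VerificationError("Failed to verify code hash", idt)
        self["id_token"] = idt
    return super(AuthorizationResponse, self).verify(**kwargs)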
def verify(self, **kwargs): """ Implementations MUST either return both a Client Configuration Endpoint and a Registration Access Token or neither of them. :param kwargs: :return: True if the message is OK otherwise False """ if "registration_client_uri" in self: if not "registration_access_token": raise VerificationError( ("Only one of registration_client_uri" " and registration_access_token present")) elif "registration_access_token" in self: raise VerificationError(("Only one of registration_client_uri" " and registration_access_token present")) return super(RegistrationResponse, self).verify(**kwargs)
def verify(self, **kwargs):
    """Validate the ``birthdate`` claim, then defer to the base-class check.

    ``birthdate`` is accepted as a full ``YYYY-MM-DD`` date or as a bare
    ``YYYY`` year; anything ``time.strptime`` rejects in both shapes fails.

    :param kwargs: Forwarded unchanged to the base-class ``verify``.
    :return: Whatever the base-class ``verify`` returns.
    :raises VerificationError: ``birthdate`` is present but matches neither
        accepted format.
    """
    if "birthdate" in self:
        claimed = self["birthdate"]
        # Either YYYY-MM-DD or just YYYY -- first format that parses wins.
        for layout in ("%Y-%m-%d", "%Y"):
            try:
                time.strptime(claimed, layout)
            except ValueError:
                continue
            break
        else:
            raise VerificationError("Birthdate format error")
    return super(OpenIDSchema, self).verify(**kwargs)
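def verify(self, **kwargs):
    """Check the mutually exclusive members of a metadata statement.

    Exactly one of ``signing_keys`` and ``signing_keys_uri`` must be present,
    and ``signing_keys`` must be importable as a JWKS. ``metadata_statements``
    and ``metadata_statement_uris`` must not both be present.

    :param kwargs: Accepted for interface compatibility; not used here.
    :return: True when all checks pass.
    :raises VerificationError: on any violation of the rules above.
    """
    # NOTE(review): unlike the other ``verify`` methods in this file, this
    # one returns True without delegating to the base-class ``verify``, so
    # whatever required-member/type checks the base class performs are not
    # run for metadata statements -- confirm that is intended.
    if "signing_keys" in self:
        if 'signing_keys_uri' in self:
            raise VerificationError(
                'You can only have one of "signing_keys" and '
                '"signing_keys_uri" in a metadata statement')
        # signing_keys MUST be a JWKS
        kj = KeyJar()
        try:
            kj.import_jwks(self['signing_keys'], '')
        except Exception:
            # KeyJar.import_jwks is opaque from here, so the catch stays
            # broad; any failure means the value is not a usable JWKS.
            raise VerificationError('"signing_keys" not a proper JWKS')
    elif 'signing_keys_uri' not in self:
        raise VerificationError(
            ' You must have one of "signing_keys" or '
            '"signing_keys_uri" in a metadata statement')
    if "metadata_statements" in self and "metadata_statement_uris" in self:
        raise VerificationError(
            'You can only have one of "metadata_statements" and '
            '"metadata_statement_uris" in a metadata statement')
    return True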