def test_picks_last_valid_key_id(self):
signer = self.create_signer_for_issuer('issuer-with-many-keys')
token = signer.generate_jwt('audience')
key_identifier = key._get_key_id_from_jwt_header(token)
expected_key_id = 'issuer-with-many-keys/key3.pem'
self.assertEqual(key_identifier.key_id, expected_key_id)
def test_picks_last_valid_key_id(self):
signer = self.create_signer_for_issuer('issuer-with-many-keys')
token = signer.generate_jwt('audience')
key_identifier = key._get_key_id_from_jwt_header(token)
expected_key_id = 'issuer-with-many-keys/key3.pem'
self.assertEqual(key_identifier.key_id, expected_key_id)
def verify_jwt(self, a_jwt, audience, leeway=0, **requests_kwargs):
"""Verify if the token is correct
Returns:
dict: the claims of the given jwt if verification is successful.
Raises:
ValueError: if verification failed.
"""
key_identifier = key._get_key_id_from_jwt_header(a_jwt)
public_key = self._retrieve_pub_key(key_identifier, requests_kwargs)
return self._decode_jwt(a_jwt,
key_identifier,
public_key,
audience=audience,
leeway=leeway)
def verify_jwt(self, a_jwt, audience, leeway=0, **requests_kwargs):
""" returns the claims of the given jwt iff verification
is successful.
"""
options = {
'verify_signature': True,
'require_exp': True,
'require_iat': True,
}
key_identifier = key._get_key_id_from_jwt_header(a_jwt)
public_key = self.public_key_retriever.retrieve(
key_identifier, **requests_kwargs)
claims = jwt.decode(a_jwt,
key=public_key,
algorithms=self.algorithms,
options=options,
audience=audience,
leeway=leeway)
if not (key_identifier.key_id.startswith('%s/' % claims['iss'])
or key_identifier.key_id == claims['iss']):
raise ValueError('Issuer does not own the supplied public key')
if self._subject_should_match_issuer and (
claims.get('sub') and claims['iss'] != claims['sub']):
raise ValueError('Issuer does not match the subject.')
_aud = claims['aud']
_exp = int(claims['exp'])
_iat = int(claims['iat'])
if _exp - _iat > 3600:
_msg = ("Claims validity, '%s', exceeds the maximum 1 hour." %
(_exp - _iat))
raise ValueError(_msg)
_jti = claims['jti']
if _jti in self._seen_jti:
raise ValueError("The jti, '%s', has already been used." % _jti)
else:
if len(self._seen_jti) > 100:
self._seen_jti = set()
self._seen_jti.add(_jti)
return claims
def verify_jwt(self, a_jwt, audience, leeway=0, **requests_kwargs):
""" returns the claims of the given jwt iff verification
is successful.
"""
options = {
'verify_signature': True,
'require_exp': True,
'require_iat': True,
}
key_identifier = key._get_key_id_from_jwt_header(a_jwt)
public_key = self.public_key_retriever.retrieve(
key_identifier, **requests_kwargs)
claims = jwt.decode(
a_jwt, key=public_key,
algorithms=self.algorithms,
options=options,
audience=audience,
leeway=leeway)
if not (key_identifier.key_id.startswith('%s/' % claims['iss']) or
key_identifier.key_id == claims['iss']):
raise ValueError('Issuer does not own the supplied public key')
if self._subject_should_match_issuer and (
claims.get('sub') and claims['iss'] != claims['sub']):
raise ValueError('Issuer does not match the subject.')
_aud = claims['aud']
_exp = int(claims['exp'])
_iat = int(claims['iat'])
if _exp - _iat > 3600:
_msg = ("Claims validity, '%s', exceeds the maximum 1 hour." %
(_exp - _iat))
raise ValueError(_msg)
_jti = claims['jti']
if _jti in self._seen_jti:
raise ValueError("The jti, '%s', has already been used." % _jti)
else:
if len(self._seen_jti) > 100:
self._seen_jti = set()
self._seen_jti.add(_jti)
return claims
