def test_custom_email_claims(self):
    """get_token_email prefers the configured custom claim over ``email``.

    The same table of tokens is checked twice, once with OIDC_EMAIL_CLAIM
    unset and once with it set, and a token carrying neither claim must be
    rejected with a 401.
    """
    # Pop first so the previous value (or 'EMPTY' when unset) is what the
    # cleanup restores.
    previous = os.environ.pop('OIDC_EMAIL_CLAIM', 'EMPTY')
    self.addCleanup(self.restore_email_claims, previous)

    email = '*****@*****.**'
    email_claim = '*****@*****.**'
    # NOTE(review): the custom claim key is resolved here, before the
    # environment is changed below — confirm Config.get_OIDC_email_claim()
    # still returns the same key once OIDC_EMAIL_CLAIM is set to TEST_CLAIM,
    # otherwise the second pass exercises a different lookup than intended.
    cases = [
        ({'email': email, Config.get_OIDC_email_claim(): email_claim}, email_claim),
        ({Config.get_OIDC_email_claim(): email_claim}, email_claim),
        ({'email': email}, email),
    ]

    def check_table(label):
        for token, expected in cases:
            with self.subTest(f"{label} {token}"):
                self.assertEqual(security.get_token_email(token), expected)

    check_table("no custom claim")
    os.environ['OIDC_EMAIL_CLAIM'] = 'TEST_CLAIM'
    check_table("custom claim")

    with self.subTest("missing claim"):
        with self.assertRaises(DSSException) as ex:
            security.get_token_email({})
        self.assertEqual(ex.exception.status, 401)
        self.assertEqual(ex.exception.message, 'Authorization token is missing email claims.')
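def get_token_email(token_info: typing.Mapping[str, typing.Any]) -> str:
    """Return the email address asserted by a decoded OIDC token.

    The configured custom email claim (``Config.get_OIDC_email_claim()``)
    takes precedence; the standard ``email`` claim is the fallback.

    Args:
        token_info: decoded claims of a token (verification is the caller's
            responsibility — nothing here checks a signature).

    Returns:
        The non-empty email string from the preferred claim.

    Raises:
        DSSException: 401 ``Unauthorized`` when neither claim carries a
            non-empty value.
    """
    email_claim = Config.get_OIDC_email_claim()
    # An empty or null claim value is treated as absent rather than handed
    # back as an identity: only a non-empty string can name a principal.
    email = token_info.get(email_claim) or token_info.get('email')
    if not email:
        raise DSSException(401, 'Unauthorized', 'Authorization token is missing email claims.')
    return email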
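def get_service_jwt(service_credentials, group: typing.Optional[str] = None, email=True, email_claim=False, audience=None, *, ttl_seconds: float = 3600):
    """Mint an RS256-signed service JWT from a service-account credential mapping.

    Args:
        service_credentials: mapping providing ``client_email``,
            ``private_key`` and ``private_key_id``.
        group: value for the configured OIDC group claim; omitted when falsy.
        email: also place the client email in the standard ``email`` claim.
        email_claim: also place it in the configured custom email claim.
        audience: ``aud`` value; falls back to ``Config.get_audience()``.
        ttl_seconds: token lifetime; ``exp`` is ``iat + ttl_seconds``
            (default 3600, the previously hard-coded value).

    Returns:
        The compact-serialized signed token as ``str``.
    """
    iat = time.time()
    payload = {
        'iss': service_credentials["client_email"],
        'sub': service_credentials["client_email"],
        'aud': audience or Config.get_audience(),
        'iat': iat,
        'exp': iat + ttl_seconds,
        'scope': ['email', 'openid', 'offline_access'],
    }
    if group:
        payload[Config.get_OIDC_group_claim()] = group
    if email:
        payload['email'] = service_credentials["client_email"]
    if email_claim:
        payload[Config.get_OIDC_email_claim()] = service_credentials["client_email"]
    # 'kid' lets a verifier select the matching public key for this signer.
    additional_headers = {'kid': service_credentials["private_key_id"]}
    # NOTE(review): the trailing .decode() assumes jwt.encode returns bytes —
    # TODO confirm against the pinned PyJWT version.
    signed_jwt = jwt.encode(payload, service_credentials["private_key"], headers=additional_headers, algorithm='RS256').decode()
    return signed_jwt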