def validate_token_request(self, request):
try:
check_csrf_token(request, token='assertion')
except BadCSRFToken:
raise InvalidClientError(request=request)
# An object with the confidential client_id and client_secret.
request.client = LOCAL_CLIENT
if request.client is None:
raise InvalidClientError(request=request)
request.client_id = request.client_id or request.client.client_id
def _verify(self, key, audience):
if self.expiry - self.not_before > self.MAX_LIFETIME:
raise InvalidGrantError('Grant token lifetime is too long.')
try:
jwt.decode(self._token,
algorithms=['HS256'],
audience=audience,
key=key,
leeway=self.LEEWAY)
except TypeError:
raise InvalidClientError('Client is invalid.')
except jwt.DecodeError:
raise InvalidGrantError('Invalid grant token signature.')
except jwt.exceptions.InvalidAlgorithmError:
raise InvalidGrantError('Invalid grant token signature algorithm.')
except jwt.MissingRequiredClaimError as exc:
if exc.claim == 'aud':
raise errors.MissingJWTGrantTokenClaimError('aud', 'audience')
else:
raise errors.MissingJWTGrantTokenClaimError(exc.claim)
except jwt.InvalidAudienceError:
raise errors.InvalidJWTGrantTokenClaimError('aud', 'audience')
except jwt.ImmatureSignatureError:
raise InvalidGrantError('Grant token is not yet valid.')
except jwt.ExpiredSignatureError:
raise InvalidGrantError('Grant token is expired.')
except jwt.InvalidIssuedAtError:
raise InvalidGrantError(
'Grant token issue time (iat) is in the future.')
def _verify(self, key, audience): # pylint:disable=too-complex
if self.expiry - self.not_before > self.MAX_LIFETIME:
raise InvalidGrantError("Grant token lifetime is too long.")
try:
jwt.decode(
self._token,
algorithms=["HS256"],
audience=audience,
key=key,
leeway=self.LEEWAY,
)
except TypeError as err:
raise InvalidClientError("Client is invalid.") from err
except jwt.DecodeError as err:
raise InvalidGrantError("Invalid grant token signature.") from err
except jwt.exceptions.InvalidAlgorithmError as err:
raise InvalidGrantError(
"Invalid grant token signature algorithm.") from err
except jwt.MissingRequiredClaimError as err:
if err.claim == "aud":
raise MissingJWTGrantTokenClaimError("aud",
"audience") from err
raise MissingJWTGrantTokenClaimError(err.claim) from err
except jwt.InvalidAudienceError as err:
raise InvalidJWTGrantTokenClaimError("aud", "audience") from err
except jwt.ImmatureSignatureError as err:
raise InvalidGrantError("Grant token is not yet valid.") from err
except jwt.ExpiredSignatureError as err:
raise InvalidGrantError("Grant token is expired.") from err
except jwt.InvalidIssuedAtError as err:
raise InvalidGrantError(
"Grant token issue time (iat) is in the future.") from err
def authorize(self, auth):
""""""
# check for access token (dict)
if isinstance(auth, dict):
# check if access token is still valid
expires_at = datetime.fromtimestamp(auth.get("expires_at"))
now = datetime.now()
if expires_at > now:
self.access_token = auth
self.session.headers[
"Authorization"] = f"Bearer {self.access_token.get('access_token')}"
self.metadata = self._metadata()
return "Authorized!"
else:
raise TokenExpiredError("Access token expired!")
# check for client credentials (tuple)
if isinstance(auth, tuple):
client_id, client_secret = auth
# fetch new access token
token_url = f"{self.base_url}/oauth/access_token/"
auth = HTTPBasicAuth(client_id, client_secret)
client = BackendApplicationClient(client_id=client_id)
session = OAuth2Session(client=client)
token_dict = session.fetch_token(token_url=token_url, auth=auth)
self.access_token = token_dict
self.session.headers[
"Authorization"] = f"Bearer {self.access_token.get('access_token')}"
self.metadata = self._metadata()
return "Authorized!"
else:
raise InvalidClientError(
"You must provide a valid access token file or client credentials."
)