def verify(self, **kwargs):
"""Authorization Request parameters that are OPTIONAL in the OAuth 2.0
specification MAY be included in the OpenID Request Object without also
passing them as OAuth 2.0 Authorization Request parameters, with one
exception: The scope parameter MUST always be present in OAuth 2.0
Authorization Request parameters.
All parameter values that are present both in the OAuth 2.0
Authorization Request and in the OpenID Request Object MUST exactly
match."""
args = {}
for arg in ["key", "keyjar"]:
try:
args[arg] = kwargs[arg]
except KeyError:
pass
if "request" in self:
if isinstance(self["request"], basestring):
# Try to decode the JWT, checks the signature
oidr = OpenIDRequest().from_jwt(str(self["request"]), **args)
# verify that nothing is change in the original message
for key, val in oidr.items():
if key in self:
assert self[key] == val
# replace the JWT with the parsed and verified instance
self["request"] = oidr
if "id_token" in self:
if isinstance(self["id_token"], basestring):
idt = IdToken().from_jwt(str(self["id_token"]), **args)
self["id_token"] = idt
if "response_type" not in self:
raise MissingRequiredAttribute("response_type missing", self)
_rt = self["response_type"]
if "token" in _rt or "id_token" in _rt:
try:
assert "nonce" in self
except AssertionError:
raise MissingRequiredAttribute("Nonce missing", self)
try:
assert "openid" in self["scope"]
except AssertionError:
raise MissingRequiredValue("openid in scope", self)
if "offline_access" in self["scope"]:
try:
assert "consent" in self["prompt"]
except AssertionError:
raise MissingRequiredValue("consent in prompt", self)
if "prompt" in self:
if "none" in self["prompt"] and len(self["prompt"]) > 1:
raise InvalidRequest("prompt none combined with other value",
self)
return super(AuthorizationRequest, self).verify(**kwargs)
def verify(self, **kwargs):
if "aud" in self:
if "client_id" in kwargs:
# check that it's for me
if kwargs["client_id"] not in self["aud"]:
return False
if "id_token" in self:
# Try to decode the JWT, checks the signature
args = {}
for arg in ["key", "keyjar", "algs", "sender"]:
try:
args[arg] = kwargs[arg]
except KeyError:
pass
idt = IdToken().from_jwt(str(self["id_token"]), **args)
if not idt.verify(**kwargs):
raise VerificationError("Could not verify id_token", idt)
_alg = idt.jws_header["alg"]
# What if _alg == 'none'
hfunc = "HS" + _alg[-3:]
if "access_token" in self:
try:
assert "at_hash" in idt
except AssertionError:
raise MissingRequiredAttribute("Missing at_hash property",
idt)
try:
assert idt["at_hash"] == jws.left_hash(
self["access_token"], hfunc)
except AssertionError:
raise AtHashError(
"Failed to verify access_token hash", idt)
if "code" in self:
try:
assert "c_hash" in idt
except AssertionError:
raise MissingRequiredAttribute("Missing c_hash property",
idt)
try:
assert idt["c_hash"] == jws.left_hash(self["code"], hfunc)
except AssertionError:
raise CHashError("Failed to verify code hash", idt)
self["id_token"] = idt
return super(AuthorizationResponse, self).verify(**kwargs)
def create_registration_request(self, **kwargs):
"""
Create a registration request
:param kwargs: parameters to the registration request
:return:
"""
req = RegistrationRequest()
for prop in req.parameters():
try:
req[prop] = kwargs[prop]
except KeyError:
try:
req[prop] = self.behaviour[prop]
except KeyError:
pass
if "post_logout_redirect_uris" not in req:
try:
req["post_logout_redirect_uris"] = self.post_logout_redirect_uris
except AttributeError:
pass
if "redirect_uris" not in req:
try:
req["redirect_uris"] = self.redirect_uris
except AttributeError:
raise MissingRequiredAttribute("redirect_uris", req)
return req
def federated_client_registration_request(self, **kwargs):
req = ClientMetadataStatement()
try:
pp = kwargs['fo_pattern']
except KeyError:
pp = '.'
req['metadata_statements'] = self.pick_signed_metadata_statements(pp)
try:
req['redirect_uris'] = kwargs['redirect_uris']
except KeyError:
try:
req["redirect_uris"] = self.redirect_uris
except AttributeError:
raise MissingRequiredAttribute("redirect_uris", kwargs)
return req
def verify(self, **kwargs):
"""Authorization Request parameters that are OPTIONAL in the OAuth 2.0
specification MAY be included in the OpenID Request Object without also
passing them as OAuth 2.0 Authorization Request parameters, with one
exception: The scope parameter MUST always be present in OAuth 2.0
Authorization Request parameters.
All parameter values that are present both in the OAuth 2.0
Authorization Request and in the OpenID Request Object MUST exactly
match."""
args = {}
for arg in ["key", "keyjar"]:
try:
args[arg] = kwargs[arg]
except KeyError:
pass
if "id_token_hint" in self:
if isinstance(self["id_token_hint"], basestring):
idt = IdToken().from_jwt(str(self["id_token_hint"]), **args)
self["id_token_hint"] = idt
if "response_type" not in self:
raise MissingRequiredAttribute("response_type missing", self)
try:
assert "openid" in self["scope"]
except AssertionError:
raise MissingRequiredValue("openid in scope", self)
if "offline_access" in self["scope"]:
try:
assert "consent" in self["prompt"]
except AssertionError:
raise MissingRequiredValue("consent in prompt", self)
if "prompt" in self:
if "none" in self["prompt"] and len(self["prompt"]) > 1:
raise InvalidRequest("prompt none combined with other value",
self)
return super(AuthorizationRequest, self).verify(**kwargs)