def make_id_token(self, session, loa="2", issuer="", alg="RS256", code=None, access_token=None, user_info=None):
    """
    Assemble an (unsigned) IdToken for *session*.

    :param session: Session information; "sub" and "client_id" are read, "nonce" is optional
    :param loa: Level of Assurance/Authentication context
    :param issuer: My identifier
    :param alg: Which signing algorithm to use for the IdToken; its last three
        characters pick the hash size used for c_hash/at_hash
    :param code: Access grant
    :param access_token: Access Token
    :param user_info: If user info are to be part of the IdToken
    :return: IDToken instance
    """
    # Claims that the session itself owns; anything with the same name
    # coming from user_info is dropped so it cannot override them.
    reserved = ("iss", "sub", "aud", "exp", "acr", "nonce", "auth_time")

    lifetime = {"days": 1}      # default expiry when no max_age was requested
    requested = {}              # claims derived from the idtoken_claims request

    claims_req = self.id_token_claims(session)
    if claims_req:
        # A present id_token request without max_age means "no explicit lifetime".
        lifetime = {"seconds": claims_req["max_age"]} if "max_age" in claims_req else {}
        if "claims" in claims_req:
            for name, spec in claims_req["claims"].items():
                if name == "auth_time":
                    requested["auth_time"] = time_util.utc_time_sans_frac()
                elif name == "acr":
                    # spec may be e.g. ["2","http://id.incommon.org/assurance/bronze"]
                    requested["acr"] = verify_acr_level(spec, loa)

    if user_info is None:
        payload = {}
    else:
        payload = {k: v for k, v in user_info.to_dict().items() if k not in reserved}

    # Hash size for the left-hash claims follows the signing algorithm (RS256 -> HS256).
    hash_alg = "HS%s" % alg[-3:]
    if code:
        payload["c_hash"] = jws.left_hash(code, hash_alg)
    if access_token:
        payload["at_hash"] = jws.left_hash(access_token, hash_alg)

    token = IdToken(iss=issuer,
                    sub=session["sub"],
                    aud=session["client_id"],
                    exp=time_util.epoch_in_a_while(**lifetime),
                    acr=loa,
                    iat=time_util.utc_now(),
                    **payload)

    # Requested claims win over the defaults set above (notably acr).
    for name, value in requested.items():
        token[name] = value

    if "nonce" in session:
        token.nonce = session["nonce"]

    return token
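def make_id_token(self, session, loa="2", issuer="", keytype="rsa", code=None, access_token=None, user_info=None):
    """
    Assemble and sign an IdToken for *session*.

    :param session: Session information; "user_id" and "client_id" are read,
        "oidreq" (serialized OpenIDRequest, JSON) and "nonce" are optional
    :param loa: Level of Assurance/Authentication context
    :param issuer: My identifier
    :param keytype: Which key signs the token: "hmac" (the client's secret key),
        "rsa" (own RSA key); any other value falls through to the own EC key
    :param code: Access grant
    :param access_token: Access Token
    :param user_info: If user info are to be part of the IdToken
    :return: The signed IdToken serialized as a JWT
    """
    #defaults
    inawhile = {"days": 1}

    # Handle the idtoken_claims
    extra = {}
    # Only the two lookups that may legitimately be absent are guarded.
    # Keeping the claims processing outside the try means a KeyError raised
    # while evaluating a requested claim is no longer swallowed silently.
    try:
        oidreq = OpenIDRequest().deserialize(session["oidreq"], "json")
        itc = oidreq["id_token"]
    except KeyError:
        itc = None

    if itc is not None:
        logger.debug("ID Token claims: %s", itc.to_dict())
        # An id_token request without max_age means "no explicit lifetime".
        try:
            inawhile = {"seconds": itc["max_age"]}
        except KeyError:
            inawhile = {}
        if "claims" in itc:
            for key, val in itc["claims"].items():
                if key == "auth_time":
                    extra["auth_time"] = time_util.utc_time_sans_frac()
                elif key == "acr":
                    #["2","http://id.incommon.org/assurance/bronze"]
                    extra["acr"] = verify_acr_level(val, loa)

    if user_info is None:
        _args = {}
    else:
        _args = user_info.to_dict()

    # Make sure that there are no name clashes: claims owned by the session
    # must not be overridable through user_info.
    for key in ["iss", "user_id", "aud", "exp", "acr", "nonce", "auth_time"]:
        _args.pop(key, None)

    if code:
        _args["c_hash"] = jwt.left_hash(code, "HS256")
    if access_token:
        _args["at_hash"] = jwt.left_hash(access_token, "HS256")

    idt = IdToken(iss=issuer,
                  user_id=session["user_id"],
                  aud=session["client_id"],
                  exp=time_util.epoch_in_a_while(**inawhile),
                  acr=loa,
                  **_args)

    # Requested claims win over the defaults set above (notably acr).
    for key, val in extra.items():
        idt[key] = val

    if "nonce" in session:
        idt.nonce = session["nonce"]

    # sign with clients secret key
    _keystore = self.keystore
    if keytype == "hmac":
        ckey = {"hmac": _keystore.get_sign_key("hmac", owner=session["client_id"])}
        algo = "HS256"
    elif keytype == "rsa":
        # own asymmetric key
        algo = "RS256"
        ckey = {"rsa": _keystore.get_sign_key("rsa")}
    else:
        # NOTE(review): every other keytype value ends up here; consider
        # rejecting unknown values explicitly instead of defaulting to EC.
        algo = "ES256"
        ckey = {"ec": _keystore.get_sign_key("ec")}

    # Log only the key family and algorithm, never the key material itself
    # (the HMAC key is the client secret, the others are private keys).
    logger.debug("Sign idtoken with %s key, alg=%s", list(ckey), algo)
    return idt.to_jwt(key=ckey, algorithm=algo)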