def CheckToken(token): try: jwt.verify_jwt(token, key, ['PS256']) return True except: return False
def test_exported_key_doesnt_verify_invalid_token( fake_client_app, fake_email, create_fake_client_app ): fake_client_app2 = create_fake_client_app() token = security_token.generate(fake_email, fake_client_app) exported_key_dict = security_client_app.export_public_key(fake_client_app2) key = jwk.JWK(**exported_key_dict) assert fake_client_app.get_key() != fake_client_app2.get_key() with pytest.raises(InvalidJWSSignature): jwt.verify_jwt(token, key, allowed_algs=["ES256"])
def verify_access_token(access_token): try: access_token = access_token[7:] JWT._access_token_in_cache(access_token) jwt.verify_jwt(jwt=access_token, pub_key=JWT._get_private_key(), allowed_algs=['PS256']) except Exception as error: return False, error, 401 # If we get to this point. All good. # Check the token exists. Not sure it is for the user but we have to assume. That is how jwt works. I think. # Token not expired return True, "", 200
def get_token(request): token = Token() authorization = request.headers.get('Authorization') if authorization is None: return token if authorization[0:6].lower() != 'bearer': return token token.jwt = authorization[7:] # 去除前缀“Bearer ” try: jwt_decoded = python_jwt.verify_jwt( token.jwt, jwk.JWK.from_pem(g.config.public_key), ['RS256'], checks_optional=True, ignore_not_implemented=True) claims = jwt_decoded[1] token.username = claims.get('user_name') or claims.get('client_id') token.rules = claims.get('authorities') or [] token.is_valid = True except Exception as e: token.is_valid = False token.jwt = None token.username = None token.rules = [] return token
def gen_client_token(): claims = {'scope': ['web-app'], 'client_id': 'internal'} try: jwt = python_jwt.generate_jwt(claims, priv_key=jwk.JWK.from_pem( g.config.private_key), algorithm='RS256', lifetime=datetime.timedelta(seconds=300), jti_size=16) except: return None try: jwt_decoded = python_jwt.verify_jwt(jwt, pub_key=jwk.JWK.from_pem( g.config.public_key), allowed_algs=['RS256'], checks_optional=True, ignore_not_implemented=True) except: return None result = { 'access_token': jwt, 'token_type': 'bearer', 'scope': 'web-app', "iat": jwt_decoded[1].get('iat'), 'expires_in': jwt_decoded[1].get('exp') - jwt_decoded[1].get('iat') - 1, "jti": jwt_decoded[1].get('jti') } return result
def wrapper(request, *args, **kwargs): # if 'HTTP_X_FORWARDED_FOR' in request.META: # ip = request.META['HTTP_X_FORWARDED_FOR'] # 获取代理前客户端的真实IP地址 # else: # ip = request.META['REMOTE_ADDR'] # 获取客户端IP地址 token = request.headers.get('token', None) if token: try: header, payload = jwt.verify_jwt(token, key, [alg, ]) # 获取JWT中的信息 request.user = payload['user'] if not request.user: result = {'status': 402, 'message': '认证失败'} logger.error('认证失败,未知用户') return JsonResponse(result) else: token_black_list = TokenOP(request.user, token) if not token_black_list.is_valid_token(): # 验证token是否在黑名单中 result = {'status': 402, 'message': '认证失败'} logger.error('认证失败,token失效') return JsonResponse(result) except Exception as e: result = {'status': 402, 'message': '无效的token'} logger.error('认证失败,无效的token') return JsonResponse(result) else: logger.error('认证失败,无效的token') return JsonResponse({'status': 402, 'message': '无效的token'}) logger.debug('认证通过: {}'.format(request.user)) return func(request, *args, **kwargs)
def decode_token(self, token): with open(f"{os.environ['KEY_PATH']}/{os.environ['KEY_NAME']}.pub", 'r') as pb_key: return jwt.verify_jwt( token, jwk.JWK.from_json(pb_key.readline()), ['RS256'] )
def GetToken(self, username, password): try: db = NWD_DB() sub = db.authenticate_user(username, password)[0] if sub != '': key = jwk.JWK.generate(kty='RSA', size=2048) userinfo = db.get_user_info(sub) payload = { 'fname': userinfo['fname'], 'lname': userinfo['lname'], 'phone': userinfo['phone'], 'email': userinfo['email'], 'datejoined': userinfo['datejoined'], 'sub': userinfo['user_id'], } token = jwt.generate_jwt(payload, key, 'PS256', datetime.timedelta(days=1)) header, claims = jwt.verify_jwt(token, key, ['PS256']) for k in payload: assert claims[k] == payload[k] return token else: return '' except: return ''
def validate_token(jwkset, token, clock_skew_seconds): headers, _ = jwt.process_jwt(token) alg = headers['alg'] kid = headers['kid'] if not alg: raise Exception('No \'alg\' claim in JWT token header') if not alg in allowed_algs: raise Exception('\'%s\' is not an allowed algorithm.' % alg) if not kid: raise Exception('No \'kid\' claim in JWT token header') json_key = jwkset.get_key(kid) algorithms = [alg] # Exception raised on invalid token input will be bubble up to the caller. _, payload = jwt.verify_jwt(token, json_key, algorithms, datetime.timedelta(seconds=clock_skew_seconds)) typ = payload.get('typ', None) if typ != 'Bearer': raise Exception( 'The token is not intended for autorization (\'typ\' should be \'Bearer\', not \'%s\')' % typ) return payload
def parse_token(self, data, app=None): # parse token header and get relevant public key unverified_header, unverified_claims = jwt.process_jwt( data['id_token']) public_key = self.get_public_key(unverified_header.get('kid')) # verify signature, iat, exp header, claims = jwt.verify_jwt(data['id_token'], public_key, ['RS256'], timedelta(minutes=1), checks_optional=True) # Verify we are the intended audience for the token intended_audiences = [self.intended_aud] if app is not None: intended_audiences.append(app.client_id) if claims.get('aud') is not None and claims.get( 'aud') not in intended_audiences: raise OAuth2Error( "JWT aud {} does not match intended audience {}".format( claims.get('aud'), self.intended_aud)) social_token = SocialToken(token=data['id_token']) social_token.expires_at = datetime.fromtimestamp(claims['iat'], tz=timezone.utc) return social_token
def validateToken(self, token, secret=None): if not secret: secret = jwk.JWK.from_pem(config.jwt_key) try: header, claims = jwt.verify_jwt(token, secret, ['PS256']) except (jwt._JWTError, jws.InvalidJWSSignature, ValueError): return False return True
def verify(self, incoming_token): secret = self._info.get('secret') if not secret: raise sei_py.base.exception.SeiException( \ False, ['secret not found']) header, claims = jwt.verify_jwt(incoming_token, secret, ['HS256']) return bool(header and claims)
def crear_encuesta(): # Creacion de la cola connection = pika.BlockingConnection( pika.ConnectionParameters(host=os.environ['RABBITMQ_ENDPOINT'])) channel = connection.channel() logger.info('ENCUESTA ') token_type, token = request.headers['Authorization'].split() print token usr = "" try: header, claims = jwt.verify_jwt(token, public_key, ['RS256']) except jws.exceptions.SignatureError: message = "Invalid token" usr = claims['userid'] logger.info('USER : %s ', usr) logger.info('Processing create ') data = request.json cnx = None try: #variables para el request state = "En proceso" total = 0 paramHash = data['hash'] paramTime = data['time'] paramSurvey = data['surveyname'] logger.info('connect : %s', mysql_config) cnx = pymysql.connect(**mysql_config) cursor = cnx.cursor() insert_test = "INSERT INTO jobs (username, surveyname, hash, tiempo, count,state) VALUES (%s,%s,%s,%s,%s,%s)" data = (usr, paramSurvey, paramHash, paramTime, total, state ) # tupla s cursor.execute(insert_test, data) cnx.commit() cursor.close() ret = {"status": "OK"} except pymysql.Error as err: logger.info('error : %s', err) ret = {"status": "FAIL", "msg": err} finally: if cnx: cnx.close() logger.info('---------------ANTES DEL MSG---------------') msg = { "user": usr, "paramHash": paramHash, "paramTime": paramTime, "paramSurvey": paramSurvey } logger.info('SEND : %s ', msg) channel.basic_publish(exchange='', routing_key='newsurvey', body=json.dumps(msg)) connection.close() # ret = {"status": "OK"} return ret
def validate_jwt(token, client=None): from openid_connect_op.models import OpenIDClient if client is None: client = OpenIDClient.self_instance() if client.client_auth_type == OpenIDClient.CLIENT_AUTH_TYPE_SECRET_JWT: key = jwk.JWK(kty="oct", use="sig", alg="HS256", k=base64url_encode(client.client_hashed_secret)) return jwt.verify_jwt(token, key, ['HS256'], checks_optional=True) header, __ = jwt.process_jwt(token) key = client.get_key(alg=header.get('alg', 'RS256'), kid=header.get('kid', None)) return jwt.verify_jwt(token, key, [key._params.get('alg', 'RS256')], checks_optional=True)
def validate_token(token): public_key_file = os.path.join(os.path.dirname(__file__), 'keypair.pub') with open(public_key_file, 'r') as fd: public_key = RSA.importKey(fd.read()) try: header, claims = jwt.verify_jwt(token, public_key, ['RS256']) except jwt.exceptions.SignatureError: print('invalid token signature') raise SystemExit()
def validate_token(token): key = generate_key() try: header, claims = jwt.verify_jwt(token, key, ['RS256']) return dict( user_id=claims['user_id'] ) except: return False
def test_exported_key_verifies_token(fake_client_app, fake_email): token = security_token.generate(fake_email, fake_client_app) exported_key_dict = security_client_app.export_public_key(fake_client_app) key = jwk.JWK(**exported_key_dict) headers, claims = jwt.verify_jwt(token, key, allowed_algs=["ES256"]) assert headers["alg"] == "ES256" assert claims["sub"] == fake_email assert claims["iss"] == f"{config.ISSUER}/app/{fake_client_app.app_id}"
def parse_token(token): try: header, claims = jwt.verify_jwt(token, pub_key, ['RS256']) except jwt._JWTError: # 通常为过期 return "token expired!" except Exception: return "token error!" else: return claims
def test_will_raise_exception_when_typ_is_not_Bearer(): payload = {'typ': 'ID', 'foo': 'bar', 'baz': 42} other_headers = {'kid': key.key_id} token = generate_jwt(payload, key, 'RS256', datetime.timedelta(minutes=5), other_headers=other_headers) assert_raises(Exception, verify_jwt(token, key, ['RS256']))
def run(): token = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODY4MTYzMTIsImZvbyI6ImJhciIsImlhdCI6MTU4NjgxNjI1MiwianRpIjoiV1VJbkhrT01RSFMzSC1LUURIYUpZdyIsIm5iZiI6MTU4NjgxNjI1Miwid3VwIjo5MH0.Ep0hCSDh5FBTxwbPadjh-9P42ePrcTmWgWNv46oyQrSB6jgA9z3kPlZ9NKK7v_MmrfV_Pj1MlUhs1-Umvyk8Cr6gDVb7Mm9mcqDxf3e-sgmYCMxmPPofTPX_b0-faDzL7K_zjdjHmoVFUpsIBONZ8jU8YBXHxu4sKJXIyPNPiYp2kzffnMj8TClUXmCMRK7mrHYgD0RHXwdo9aJT3glmtnxGYdHqkV6ygiasOC5jGSdYKf3jBKzY10vYocOvsMniT25a8Z-CbeFNWriCCDcBOB3Z74speoGreqxBrqVu5h8AJ0EPQ6GJvrRSToNMQMCddEsqNGanU-Rt0wibTZ7hbg' key_uri = os.path.join(BASE_DIR, 'afinidata.key') key_file = pem.parse_file(key_uri) key_string = str(key_file[0]).encode() key = jwk.JWK.from_pem(key_string) try: header, claims = jwt.verify_jwt(token, key, ['RS256']) print(header, claims) except: print('expired')
def post(self, request): try: token = request.headers.get('token') header, payload = jwt.verify_jwt(token, key, [alg, ]) token_black_list = TokenOP(payload['user'], token) token_black_list.append_to_black_list() except Exception as e: pass finally: logger.warning('退出登录: {}'.format(payload['user'])) return JsonResponse({'status': 200, 'message': '退出登录'})
def test_generate(fake_email, fake_client_app): token = security_token.generate(fake_email, fake_client_app) assert token is not None headers, claims = jwt.verify_jwt(token, fake_client_app.get_key(), allowed_algs=["ES256"]) assert headers["alg"] == "ES256" assert claims["sub"] == fake_email assert claims["iss"] == f"{config.ISSUER}/app/{fake_client_app.app_id}"
def run(): key_uri = os.path.join(BASE_DIR, 'afinidata.key') key_file = pem.parse_file(key_uri) key_string = str(key_file[0]).encode() payload = {'foo': 'bar', 'wup': 90} priv_key = jwk.JWK.from_pem(key_string) token = jwt.generate_jwt(payload, priv_key, 'RS256', datetime.timedelta(minutes=1)) print('token: ', token) header, claims = jwt.verify_jwt(token, priv_key, ['RS256']) print(header, claims) for k in payload: assert claims[k] == payload[k]
def gen_user_token(user): claims = { 'user_name': user.login, 'authorities': user.authorities, 'scope': ['openid'], 'client_id': 'web_app' } try: access_token = python_jwt.generate_jwt( claims, priv_key=jwk.JWK.from_pem(g.config.private_key), algorithm='RS256', lifetime=datetime.timedelta(seconds=300), # 5 min jti_size=16) except: return None try: jwt_decoded = python_jwt.verify_jwt(access_token, pub_key=jwk.JWK.from_pem( g.config.public_key), allowed_algs=['RS256'], checks_optional=True, ignore_not_implemented=True) except: return None try: refresh_token = python_jwt.generate_jwt( claims, priv_key=jwk.JWK.from_pem(g.config.private_key), algorithm='RS256', lifetime=datetime.timedelta(seconds=604800), # 7 days jti_size=16) except: return None result = { 'access_token': access_token, 'refresh_token': refresh_token, 'token_type': 'bearer', 'scope': 'web-app', 'iat': jwt_decoded[1].get('iat'), 'exp': jwt_decoded[1].get('exp'), 'expires_in': jwt_decoded[1].get('exp') - jwt_decoded[1].get('iat') - 1, 'jti': jwt_decoded[1].get('jti') } return result
def decode_auth_token(auth_token): """ 验证token :param auth_token: string 待校验的token :return: (tuple)|none 如果校验成功则返回usrid和logintime的元组 """ try: _, playload = jwt.verify_jwt(auth_token, key, ['HS256']) if 'usr_id' in playload and 'login_time' in playload: return playload['usr_id'], playload['login_time'] else: return None except Exception as e: return None
def _check_token(token, key, app_id) -> (dict, dict): try: headers, claims = jwt.verify_jwt(token, key, allowed_algs=["ES256"]) except ( jwt._JWTError, UnicodeDecodeError, InvalidJWSObject, InvalidJWSSignature, ValueError, ): raise TokenVerificationError if claims["iss"] != f"{config.ISSUER}/app/{app_id}": raise TokenVerificationError return headers, claims
async def verify_token(self, token): """Verify a JustAuthenticateMe token against jwks. :param token: idToken (jwt) from JustAuthenticateMe :returns headers, claims: headers and claims encoded in the user jwt :raises JAMNotVerified: if verification fails on a token """ try: return jwt.verify_jwt(token, await self.jwk(), ["ES512"]) except InvalidJWSSignature: raise JAMNotVerified() except jwt._JWTError as e: raise JAMNotVerified(str(e)) except Exception: raise JustAuthenticateMeError("Unknown Error")
def verify_jwt(self, token): """ verification token, if pass return claims """ try: _, claims = jwt.verify_jwt(token, self.settings['cookie_secret'], "HS256") except: return is_blacked = self.redis.get("jwt_blacked:%s" % claims["id"]) if is_blacked: return return claims
def test_validate_token(): payload = {'typ': 'Bearer', 'foo': 'bar', 'baz': 42} other_headers = {'kid': key.key_id} token = generate_jwt(payload, key, 'RS256', datetime.timedelta(minutes=5), other_headers=other_headers) header, claims = verify_jwt(token, key, ['RS256']) assert header is not None assert claims is not None keyset = JWKSet() keyset.add(key) assert validate_token(keyset, token, clock_skew_seconds=60)
def verify_token(request): f2 = open('apps/login/pem/PUB.pem', 'rb') PUB_PEM = f2.read() PUB_KEY = jwk.JWK.from_pem(PUB_PEM) # 公共秘钥 f2.close() token = get_token(request) try: header, claims = jwt.verify_jwt(token, pub_key=PUB_KEY, allowed_algs=['RS256']) except: return None else: uid = claims['uid'] return int(uid)
JWT_TOKEN_NOT_BEFORE_TIMEDELTA = 10 print '##### Generating token' private_key_file = os.path.join(os.path.dirname(__file__), 'keypair.priv') #private_key_file = os.path.join(os.path.dirname(__file__), 'otra.priv') with open(private_key_file, 'r') as fd: private_key = RSA.importKey(fd.read()) payload = {'userId': '1234', 'role': 'admin'}; print 'payload =', json.dumps(payload) token = jwt.generate_jwt(payload, private_key, 'RS256', datetime.timedelta(minutes=5)) print 'token:', token print '##### Validating token' public_key_file = os.path.join(os.path.dirname(__file__), 'keypair.pub') with open(public_key_file, 'r') as fd: public_key = RSA.importKey(fd.read()) try: header, claims = jwt.verify_jwt(token, public_key, ['RS256']) except jws.exceptions.SignatureError: print 'invalid token signature!' raise SystemExit() print 'token OK' print 'header:', json.dumps(header) print 'claims:', json.dumps(claims) for k in payload: assert claims[k] == payload[k]