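def verify_jwt(token: str) -> typing.Optional[typing.Mapping]:
    """Verify a bearer JWT and return its validated claim set.

    Args:
        token: The raw compact-serialized JWT presented by the caller. It is
            untrusted input until the second ``jwt.decode`` below succeeds.

    Returns:
        The verified claims exactly as ``jwt.decode`` returns them.

    Raises:
        DSSException: 401 when the token cannot be decoded at all, when the
            signature / issuer / audience / algorithm check fails, or when the
            token header lacks a ``kid`` (or names one that the issuer's
            published keys do not contain). ``assert_authorized_issuer`` may
            additionally raise for an issuer it does not accept.
    """
    # First pass: decode WITHOUT verification so the issuer claim can be read.
    # Nothing in ``unverified_token`` may be trusted at this point.
    try:
        unverified_token = jwt.decode(token, verify=False)
    except jwt.DecodeError:
        # NOTE(review): this writes the raw token into the log. It failed to
        # decode here, but it may still be a valid secret for another system;
        # consider logging only its length or a short prefix.
        logger.info(f"Failed to decode JWT: {token}", exc_info=True)
        raise DSSException(401, 'Unauthorized', 'Failed to decode token.')

    # Issuer gating happens before any key material is fetched for it
    # (presumably an allow-list check; see assert_authorized_issuer).
    assert_authorized_issuer(unverified_token)
    issuer = unverified_token['iss']
    public_keys = get_public_keys(issuer)

    try:
        token_header = jwt.get_unverified_header(token)
        # A token whose header has no ``kid``, or whose ``kid`` matches none of
        # the issuer's published keys, raises KeyError on this lookup. That is
        # an invalid token (401), not a server error, so KeyError is caught
        # below together with the PyJWT verification failures.
        signing_key = public_keys[token_header["kid"]]
        verified_tok = jwt.decode(
            token,
            key=signing_key,
            issuer=issuer,
            audience=Config.get_audience(),
            # Accepted algorithms come from the module allow-list, never from
            # the token's own ``alg`` header.
            algorithms=allowed_algorithms,
        )
        logger.info("""{"valid": true, "token": %s}""", json.dumps(verified_tok))
    except (jwt.PyJWTError, KeyError) as ex:  # type: ignore
        logger.info("""{"valid": false, "token": %s}""", json.dumps(unverified_token), exc_info=True)
        raise DSSException(401, 'Unauthorized', 'Authorization token is invalid') from ex
    return verified_tok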
def get_service_jwt(service_credentials, group: typing.Optional[str] = None, email=True, email_claim=False, audience=None):
    """Mint a one-hour, RS256-signed JWT for a service account.

    Args:
        service_credentials: Mapping from which ``client_email``,
            ``private_key`` and ``private_key_id`` are read.
        group: When truthy, stored under the claim name returned by
            ``Config.get_OIDC_group_claim()``.
        email: When truthy, a plain ``email`` claim is added.
        email_claim: When truthy, the client email is also stored under the
            claim name returned by ``Config.get_OIDC_email_claim()``.
        audience: Value for the ``aud`` claim; when falsy,
            ``Config.get_audience()`` is used instead.

    Returns:
        The compact-serialized JWT as ``str``.
    """
    client_email = service_credentials["client_email"]
    issued_at = time.time()
    claims = {
        'iss': client_email,
        'sub': client_email,
        'aud': audience or Config.get_audience(),
        'iat': issued_at,
        'exp': issued_at + 3600,  # valid for one hour from issue
        'scope': ['email', 'openid', 'offline_access'],
    }
    if group:
        claims[Config.get_OIDC_group_claim()] = group
    if email:
        claims['email'] = client_email
    if email_claim:
        claims[Config.get_OIDC_email_claim()] = client_email

    # ``kid`` lets the verifier pick the matching public key.
    headers = {'kid': service_credentials["private_key_id"]}
    # ``jwt.encode`` returns bytes in the PyJWT version this file targets,
    # hence the trailing decode to ``str``.
    return jwt.encode(
        claims,
        service_credentials["private_key"],
        headers=headers,
        algorithm='RS256',
    ).decode()