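def verify_claims(jwt, **claims):
    """Check that every expected claim is present in *jwt* with the given value.

    Keyword names beginning with ``_`` are looked up (underscore stripped) in
    the token's private-claim namespace as returned by ``get_private_claims``;
    every other name is looked up as a top-level claim.

    Returns:
        True when all expected values match, False at the first mismatch.

    Caveats:
        * An absent claim compares as ``None``, so an expected value of
          ``None`` matches a missing claim — do not use this to assert
          that a claim is present.
        * Nothing here verifies the signature or expiry; the caller must
          already have validated the token before trusting its claims.
    """
    private_claims = get_private_claims(jwt)
    for name, expected in claims.items():
        # startswith() rather than name[0]: an empty claim name (reachable
        # only via **{'': v}) is then a plain top-level lookup instead of
        # an IndexError.
        if name.startswith('_'):
            actual = private_claims.get(name[1:])
        else:
            actual = jwt.get(name)
        if actual != expected:
            return False
    return True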
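def callback():
    """Step 3: exchange the provider's authorization code for an access token.

    The user has been redirected back from the provider to the registered
    callback URL; that redirect carries an authorization code in the query
    string.  The state JWT cookie written when the flow started is read
    back, the code is exchanged at ``token_endpoint``, ``userinfo_endpoint``
    is queried with the new token, and token plus userinfo are stored in
    the ``oauth_token`` JWT cookie.

    Returns:
        A plain redirect to ``.index`` when the state cookie lacks
        ``oauth_state_key``; otherwise a redirect to the path recorded at
        login, with the token cookie added and the state cookie removed.
    """
    logger.debug('In callback')
    jwt = get_jwt_token(request.cookies, oauth_state)
    # Log only the claim names: the decoded state JWT carries the CSRF
    # state value (and whatever else the login step stored), and that must
    # not be written to log files.
    logger.info('got state jwt with claims: %s', list(jwt))
    logger.info('looking for: %s', oauth_state_key)
    if oauth_state_key not in jwt:
        # Without the state claim the state comparison below cannot be
        # done; restart the flow rather than proceed.
        logger.warning('no state passed to openid callback')
        return redirect(url_for('.index'))

    # NOTE(review): initial_path is taken from the state cookie verbatim.
    # It is only a safe redirect target if the login step restricted it
    # to a local path (e.g. starts with a single '/') — confirm there.
    initial_path = jwt.get(oauth_initial_path_key, url_for('.index'))
    logger.debug('initial_path: %s', initial_path)

    # The state from the cookie is handed to the session so the library
    # can compare it with the state echoed back in the redirect.
    client = OAuth2Session(client_id,
                           state=jwt.get('oauth_state'),
                           redirect_uri=redirect_uri)

    token = client.fetch_token(token_endpoint,
                               client_secret=client_secret,
                               authorization_response=base_uri +
                               request.full_path)
    userinfo = client.get(userinfo_endpoint).json()

    # Persist the token and userinfo in a JWT cookie.
    cookie = JWTCookie()
    # NOTE(review): the token dict is checked for a CamelCase 'ExpiresIn'
    # key, whereas RFC 6749 names it 'expires_in'.  If the provider never
    # sends 'ExpiresIn' the cookie always gets the 4-hour default —
    # confirm against the provider's token response.
    exp_seconds = 60 * 60 * 4
    if "ExpiresIn" in token:
        exp_seconds = token['ExpiresIn']
    # userinfo keys are splatted into the JWT params; a provider claim named
    # 'exp_seconds' or 'oauth_token' would collide and raise TypeError.
    jwt_token_params = jwt_params(exp_seconds=exp_seconds,
                                  oauth_token=token,
                                  **userinfo)
    cookie.add_jwt(oauth_token, jwt_token_params)
    cookie.remove_jwt(oauth_state)
    return cookie.populate_resp(make_response(redirect(initial_path)))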
def get_username(jwt):
    """Authenticate the caller from a decoded JWT and return its username.

    Auth0 carries the username in the ``nickname`` claim; the tenant comes
    from the namespaced ``https://next-ocr.io/tenant`` claim.  Both are
    handed to ``authenticate`` exactly as found (``None`` when absent).
    No verification happens here — only pass a JWT whose signature and
    expiry have already been checked.
    """
    tenant_claim = 'https://next-ocr.io/tenant'
    nickname = jwt.get('nickname')
    authenticate(remote_user=nickname, tenant=jwt.get(tenant_claim))
    return nickname
def verify_exp(jwt):
    """Return True unless the token's ``exp`` claim lies in the past.

    ``exp`` is read as seconds since the epoch and compared against
    ``time.time()`` with no clock-skew leeway.  A token with no ``exp``
    claim (or a falsy one such as 0 or None) is accepted unconditionally —
    there is nothing to compare — so whether unexpiring tokens should be
    trusted at all is a policy the caller or issuer has to enforce.
    """
    expiry = jwt.get('exp')
    if not expiry:
        return True
    return expiry > time.time()
def get_private_claims(jwt):
    """Return the token's private-claim namespace, keyed by its audience.

    The convention here is that private claims live under a top-level
    claim whose name equals the ``aud`` value.  With no (or a falsy)
    ``aud``, or no claim of that name, an empty dict is returned.

    NOTE(review): RFC 7519 permits ``aud`` to be an array of strings; a
    list here would raise ``TypeError`` on the dict lookup.  Only string
    audiences are handled — confirm the issuer never emits a list.
    """
    audience = jwt.get('aud')
    return jwt.get(audience, {}) if audience else {}
 def get(self, parameter):
     """Return one claim from the cookie's JWT, or None when it is absent.

     The token is decoded afresh on every call; when ``has_jwt()`` is
     false the lookup runs against an empty dict, so a missing cookie
     yields None rather than an error.
     """
     claims = {}
     if self.has_jwt():
         claims = self.decode()
     return claims.get(parameter, None)
def token_to_userid(token):
    """Resolve a raw token to the local user id, or False if it does not verify.

    ``verify_token`` is expected to return the decoded claims, or something
    falsy when verification fails; the ``sub`` claim is then resolved via
    ``users.lookup``.

    NOTE(review): a token that verifies but whose subject is unknown is not
    handled here — whether ``users.lookup`` returns None (making ``.get``
    raise) or raises itself depends on ``users``; confirm and handle it
    explicitly if that case can occur.
    """
    claims = verify_token(token)
    if not claims:
        return False
    subject = claims.get('sub')
    return users.lookup(subject).get('id')