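def test_verify_id_token_bad_tokens(self):
    """Reject malformed, unsigned, expired, premature and mis-addressed ID tokens.

    Each case builds a token that must fail verification and asserts, through
    ``self._check_jwt_failure``, that the expected error text is reported
    (presumably matched as a prefix/substring -- confirm against the helper).
    All time-based claims are derived from a single ``now`` so the ``iat`` /
    ``exp`` pair of every token is self-consistent.
    """
    private_key = datafile('privatekey.pem')
    signer = PyCryptoSigner.from_string(private_key)
    now = time.time()

    def signed(claims):
        # Sign a claim set with the test private key.
        return make_signed_jwt(signer, claims)

    # Wrong number of segments: a compact JWT is header.payload.signature.
    self._check_jwt_failure('foo', 'Wrong number of segments in token: foo')

    # Payload segment is not base64url-encoded JSON.
    self._check_jwt_failure('foo.bar.baz', 'Can\'t parse token')

    # Bad signature: parseable JSON payload, garbage header and signature.
    # NOTE(review): the expected error is a missing-claim message rather than
    # a signature message, so this case does not actually pin that the bad
    # signature is what gets the token rejected. Confirm the verifier checks
    # the signature before any claim, and consider asserting on the
    # signature-specific error instead.
    jwt = 'foo.%s.baz' % _urlsafe_b64encode('{"a":"b"}')
    self._check_jwt_failure(jwt, 'No iat field in token')

    # Missing expiration (exp) claim.
    jwt = signed({'aud': 'audience', 'iat': now})
    self._check_jwt_failure(jwt, 'No exp field in token')

    # Missing issued-at (iat) claim.
    jwt = signed({'aud': 'audience', 'exp': now + 400})
    self._check_jwt_failure(jwt, 'No iat field in token')

    # Issued in the future: 301 s ahead, presumably just past the verifier's
    # clock-skew allowance -- confirm against the verifier's constant.
    jwt = signed({'aud': 'audience', 'iat': now + 301, 'exp': now + 400})
    self._check_jwt_failure(jwt, 'Token used too early')

    # Expired: exp is 301 s in the past (again just past the skew allowance).
    jwt = signed({'aud': 'audience', 'iat': now - 500, 'exp': now - 301})
    self._check_jwt_failure(jwt, 'Token used too late')

    # Timing is valid but the token is addressed to a different audience.
    jwt = signed({'aud': 'somebody else', 'iat': now, 'exp': now + 300})
    self._check_jwt_failure(jwt, 'Wrong recipient')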
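def _create_signed_jwt(self):
    """Build a valid, signed test JWT for the happy-path verification tests.

    The token is signed with the test private key and carries an ``aud``
    claim, ``iat``/``exp`` claims spanning a 300 s validity window starting
    now, plus a ``user`` claim and a nested ``metadata`` claim that callers
    can check survive the round trip.

    Returns:
        The serialized JWT produced by ``make_signed_jwt``.
    """
    private_key = datafile('privatekey.pem')
    signer = PyCryptoSigner.from_string(private_key)
    audience = '*****@*****.**'
    # Whole seconds: ``int`` truncates exactly like the former ``long`` call
    # but also exists on Python 3, where ``long`` is gone.
    now = int(time.time())
    claims = {
        'aud': audience,
        'iat': now,
        'exp': now + 300,
        'user': '******',
        'metadata': {'meta': 'data'},
    }
    return make_signed_jwt(signer, claims)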