def verify(self, **kwargs): """Authorization Request parameters that are OPTIONAL in the OAuth 2.0 specification MAY be included in the OpenID Request Object without also passing them as OAuth 2.0 Authorization Request parameters, with one exception: The scope parameter MUST always be present in OAuth 2.0 Authorization Request parameters. All parameter values that are present both in the OAuth 2.0 Authorization Request and in the OpenID Request Object MUST exactly match.""" args = {} for arg in ["key", "keyjar"]: try: args[arg] = kwargs[arg] except KeyError: pass if "request" in self: if isinstance(self["request"], basestring): # Try to decode the JWT, checks the signature oidr = OpenIDRequest().from_jwt(str(self["request"]), **args) # verify that nothing is change in the original message for key, val in oidr.items(): if key in self: assert self[key] == val # replace the JWT with the parsed and verified instance self["request"] = oidr if "id_token" in self: if isinstance(self["id_token"], basestring): idt = IdToken().from_jwt(str(self["id_token"]), **args) self["id_token"] = idt if "response_type" not in self: raise MissingRequiredAttribute("response_type missing", self) _rt = self["response_type"] if "token" in _rt or "id_token" in _rt: try: assert "nonce" in self except AssertionError: raise MissingRequiredAttribute("Nonce missing", self) try: assert "openid" in self["scope"] except AssertionError: raise MissingRequiredValue("openid in scope", self) if "offline_access" in self["scope"]: try: assert "consent" in self["prompt"] except AssertionError: raise MissingRequiredValue("consent in prompt", self) if "prompt" in self: if "none" in self["prompt"] and len(self["prompt"]) > 1: raise InvalidRequest("prompt none combined with other value", self) return super(AuthorizationRequest, self).verify(**kwargs)
def verify(self, **kwargs): if "aud" in self: if "client_id" in kwargs: # check that it's for me if kwargs["client_id"] not in self["aud"]: return False if "id_token" in self: # Try to decode the JWT, checks the signature args = {} for arg in ["key", "keyjar", "algs", "sender"]: try: args[arg] = kwargs[arg] except KeyError: pass idt = IdToken().from_jwt(str(self["id_token"]), **args) if not idt.verify(**kwargs): raise VerificationError("Could not verify id_token", idt) _alg = idt.jws_header["alg"] # What if _alg == 'none' hfunc = "HS" + _alg[-3:] if "access_token" in self: try: assert "at_hash" in idt except AssertionError: raise MissingRequiredAttribute("Missing at_hash property", idt) try: assert idt["at_hash"] == jws.left_hash( self["access_token"], hfunc) except AssertionError: raise AtHashError( "Failed to verify access_token hash", idt) if "code" in self: try: assert "c_hash" in idt except AssertionError: raise MissingRequiredAttribute("Missing c_hash property", idt) try: assert idt["c_hash"] == jws.left_hash(self["code"], hfunc) except AssertionError: raise CHashError("Failed to verify code hash", idt) self["id_token"] = idt return super(AuthorizationResponse, self).verify(**kwargs)
def create_registration_request(self, **kwargs): """ Create a registration request :param kwargs: parameters to the registration request :return: """ req = RegistrationRequest() for prop in req.parameters(): try: req[prop] = kwargs[prop] except KeyError: try: req[prop] = self.behaviour[prop] except KeyError: pass if "post_logout_redirect_uris" not in req: try: req["post_logout_redirect_uris"] = self.post_logout_redirect_uris except AttributeError: pass if "redirect_uris" not in req: try: req["redirect_uris"] = self.redirect_uris except AttributeError: raise MissingRequiredAttribute("redirect_uris", req) return req
def federated_client_registration_request(self, **kwargs): req = ClientMetadataStatement() try: pp = kwargs['fo_pattern'] except KeyError: pp = '.' req['metadata_statements'] = self.pick_signed_metadata_statements(pp) try: req['redirect_uris'] = kwargs['redirect_uris'] except KeyError: try: req["redirect_uris"] = self.redirect_uris except AttributeError: raise MissingRequiredAttribute("redirect_uris", kwargs) return req
def verify(self, **kwargs): """Authorization Request parameters that are OPTIONAL in the OAuth 2.0 specification MAY be included in the OpenID Request Object without also passing them as OAuth 2.0 Authorization Request parameters, with one exception: The scope parameter MUST always be present in OAuth 2.0 Authorization Request parameters. All parameter values that are present both in the OAuth 2.0 Authorization Request and in the OpenID Request Object MUST exactly match.""" args = {} for arg in ["key", "keyjar"]: try: args[arg] = kwargs[arg] except KeyError: pass if "id_token_hint" in self: if isinstance(self["id_token_hint"], basestring): idt = IdToken().from_jwt(str(self["id_token_hint"]), **args) self["id_token_hint"] = idt if "response_type" not in self: raise MissingRequiredAttribute("response_type missing", self) try: assert "openid" in self["scope"] except AssertionError: raise MissingRequiredValue("openid in scope", self) if "offline_access" in self["scope"]: try: assert "consent" in self["prompt"] except AssertionError: raise MissingRequiredValue("consent in prompt", self) if "prompt" in self: if "none" in self["prompt"] and len(self["prompt"]) > 1: raise InvalidRequest("prompt none combined with other value", self) return super(AuthorizationRequest, self).verify(**kwargs)