def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
_now = utc_time_sans_frac()
at = AuthnToken(iss=cli.client_id, sub=cli.client_id,
aud=audience, jti=rndstr(32),
exp=_now + lifetime, iat=_now)
return at.to_jwt(key=keys, algorithm=algorithm)
def assertion_jwt(cli, keys, audience, algorithm):
_now = utc_now()
at = AuthnToken(iss = cli.client_id, sub = cli.client_id,
aud = audience, jti = rndstr(8),
exp = _now+600, iat = _now)
return at.to_jwt(key=keys, algorithm=algorithm)
def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
_now = utc_time_sans_frac()
at = AuthnToken(iss=cli.client_id, sub=cli.client_id,
aud=audience, jti=rndstr(32),
exp=_now + lifetime, iat=_now)
logger.debug('AuthnToken: {}'.format(at.to_dict()))
return at.to_jwt(key=keys, algorithm=algorithm)
def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
_now = utc_time_sans_frac()
at = AuthnToken(
iss=cli.client_id,
sub=cli.client_id,
aud=audience,
jti=rndstr(32),
exp=_now + lifetime,
iat=_now,
)
logger.debug("AuthnToken: {}".format(at.to_dict()))
return at.to_jwt(key=keys, algorithm=algorithm)
def verify(self, areq, **kwargs):
try:
try:
argv = {'sender': areq['client_id']}
except KeyError:
argv = {}
bjwt = AuthnToken().from_jwt(areq["client_assertion"],
keyjar=self.cli.keyjar,
**argv)
except (Invalid, MissingKey) as err:
logger.info("%s" % sanitize(err))
raise AuthnFailure("Could not verify client_assertion.")
logger.debug("authntoken: %s" % sanitize(bjwt.to_dict()))
areq['parsed_client_assertion'] = bjwt
# logger.debug("known clients: %s" % sanitize(self.cli.cdb.keys()))
try:
cid = kwargs["client_id"]
except KeyError:
cid = bjwt["iss"]
try:
# There might not be a client_id in the request
assert str(cid) in self.cli.cdb # It's a client I know
except KeyError:
pass
# aud can be a string or a list
_aud = bjwt["aud"]
logger.debug("audience: %s, baseurl: %s" % (_aud, self.cli.baseurl))
# figure out authn method
if alg2keytype(bjwt.jws_header['alg']) == 'oct': # Symmetric key
authn_method = 'client_secret_jwt'
else:
authn_method = 'private_key_jwt'
try:
if isinstance(_aud, six.string_types):
assert str(_aud).startswith(self.cli.baseurl)
else:
for target in _aud:
if target.startswith(self.cli.baseurl):
return cid, authn_method
raise NotForMe("Not for me!")
except AssertionError:
raise NotForMe("Not for me!")
return cid, authn_method
def verify(self, areq, **kwargs):
try:
try:
argv = {'sender': areq['client_id']}
except KeyError:
argv = {}
bjwt = AuthnToken().from_jwt(areq["client_assertion"],
keyjar=self.cli.keyjar,
**argv)
except (Invalid, MissingKey) as err:
logger.info("%s" % sanitize(err))
raise AuthnFailure("Could not verify client_assertion.")
logger.debug("authntoken: %s" % sanitize(bjwt.to_dict()))
areq['parsed_client_assertion'] = bjwt
# logger.debug("known clients: %s" % sanitize(self.cli.cdb.keys()))
try:
cid = kwargs["client_id"]
except KeyError:
cid = bjwt["iss"]
try:
# There might not be a client_id in the request
assert str(cid) in self.cli.cdb # It's a client I know
except KeyError:
pass
# aud can be a string or a list
_aud = bjwt["aud"]
logger.debug("audience: %s, baseurl: %s" % (_aud, self.cli.baseurl))
# figure out authn method
if alg2keytype(bjwt.jws_header['alg']) == 'oct': # Symmetric key
authn_method = 'client_secret_jwt'
else:
authn_method = 'private_key_jwt'
if isinstance(_aud, six.string_types):
if not str(_aud).startswith(self.cli.baseurl):
raise NotForMe("Not for me!")
else:
for target in _aud:
if target.startswith(self.cli.baseurl):
return cid, authn_method
raise NotForMe("Not for me!")
return cid, authn_method
def verify(self, areq, **kwargs):
try:
try:
argv = {"sender": areq["client_id"]}
except KeyError:
argv = {}
bjwt = AuthnToken().from_jwt(areq["client_assertion"],
keyjar=self.cli.keyjar,
**argv)
except (Invalid, MissingKey) as err:
logger.info("%s" % sanitize(err))
raise AuthnFailure("Could not verify client_assertion.")
logger.debug("authntoken: %s" % sanitize(bjwt.to_dict()))
areq["parsed_client_assertion"] = bjwt
try:
cid = kwargs["client_id"]
except KeyError:
cid = bjwt["iss"]
# There might not be a client_id in the request
if cid not in self.cli.cdb:
raise AuthnFailure("Unknown client id")
# aud can be a string or a list
_aud = bjwt["aud"]
logger.debug("audience: %s, baseurl: %s" % (_aud, self.cli.baseurl))
# figure out authn method
if alg2keytype(bjwt.jws_header["alg"]) == "oct": # Symmetric key
authn_method = "client_secret_jwt"
else:
authn_method = "private_key_jwt"
if isinstance(_aud, str):
if not str(_aud).startswith(self.cli.baseurl):
raise NotForMe("Not for me!")
else:
for target in _aud:
if target.startswith(self.cli.baseurl):
return cid, authn_method
raise NotForMe("Not for me!")
return cid, authn_method
def verify_client(environ, areq, cdb):
if "client_secret" in areq: # client_secret_post
identity = areq["client_id"]
if identity in cdb:
if cdb[identity]["client_secret"] == areq["client_secret"]:
return True
elif "client_assertion" in areq: # client_secret_jwt or public_key_jwt
assert areq["client_assertion_type"] == JWT_BEARER
secret = cdb[areq["client_id"]]["client_secret"]
key_col = {"hmac": secret}
bjwt = AuthnToken.deserialize(areq["client_assertion"], "jwt", key=key_col)
return False
def assertion_jwt(cli, keys, audience, algorithm=OIC_DEF_SIGN_ALG):
at = AuthnToken(iss = cli.client_id, prn = cli.client_id,
aud = audience, jti = rndstr(8),
exp = int(epoch_in_a_while(minutes=10)), iat = utc_now())
return at.to_jwt(key=keys, algorithm=algorithm)
