def deser_id_token(inst, str=""):
if not str:
return None
jso = json.loads(jwt.unpack(str)[1])
# gather all the necessary keys
# my own first
collection = inst.keystore.get_verify_key()
if "iss" in jso:
for key, val in inst.keystore.collect_keys(jso["iss"]).items():
try:
collection[key].extend(val)
except KeyError:
collection[key] = val
if "aud" in jso:
for key, val in inst.keystore.collect_keys(jso["aud"]).items():
try:
collection[key].extend(val)
except KeyError:
collection[key] = val
jwt.verify(str, collection)
return IdToken().from_dict(jso)
def __call__(self, environ, trace, location, response, content, features):
_id_token = environ["response_message"]["id_token"]
jso = json.loads(jwt.unpack(_id_token)[1])
user_id = jso["user_id"]
self.request_args["idtoken_claims"] = {"user_id": {"value": user_id}}
return OpenIDRequestCode.__call__(self, environ, trace, location,
response, content, features)
def test_assertion_jwt():
cli = Client("Foo")
cli.client_secret = "secert"
at = oic.assertion_jwt(cli, {}, audience="audience", algorithm="none")
print at
header, claim, crypto, header_b64, claim_b64 = unpack(at)
jso = json.loads(claim)
assert _eq(jso.keys(), ["aud", "iss", "prn", "jti", "exp", "iat"])
def _id_token(self, session, loa="2", keytype="rsa",
code=None, access_token=None, user_info=None):
_idtoken = self.server.make_id_token(session, loa,
self.name, keytype, code,
access_token, user_info)
logger.debug("id_token: %s" % unpack(_idtoken)[1])
return _idtoken
def test_1():
claimset = {"iss":"joe",
"exp":1300819380,
"http://example.com/is_root": True}
_jwt = jwt.pack(claimset)
part = jwt.unpack(_jwt)
print part
assert part[0] == {u'alg': u'none'}
assert part[1] == \
'{"iss":"joe","exp":1300819380,"http://example.com/is_root":true}'
def test_private_key_jwt():
cli = Client("FOO")
cli.token_endpoint = "https://example.com/token"
cli.keystore.set_sign_key(rsapub, "rsa")
cli.keystore.set_verify_key(rsapub, "rsa")
cis = AccessTokenRequest()
at = oic.private_key_jwt(cli, cis)
assert at == {}
cas = cis["client_assertion"]
header, claim, crypto, header_b64, claim_b64 = unpack(cas)
jso = json.loads(claim)
assert _eq(jso.keys(), ["aud", "iss", "prn", "jti", "exp", "iat"])
print header
assert header == {"alg": "RS256"}
def test_client_secret_jwt():
cli = Client("Foo")
cli.token_endpoint = "https://example.com/token"
cli.client_secret = "foobar"
cis = AccessTokenRequest()
at = oic.client_secret_jwt(cli, cis)
assert at == {}
assert cis["client_assertion_type"] == JWT_BEARER
assert "client_assertion" in cis
cas = cis["client_assertion"]
header, claim, crypto, header_b64, claim_b64 = unpack(cas)
jso = json.loads(claim)
assert _eq(jso.keys(), ["aud", "iss", "prn", "jti", "exp", "iat"])
print header
assert header == {"alg": "HS256"}
def test_make_id_token():
srv = Server(KEYS)
session = {"user_id": "user0", "client_id": "http://oic.example/rp"}
issuer = "http://oic.example/idp"
code = "abcdefghijklmnop"
idt_jwt = srv.make_id_token(session, loa="2", issuer=issuer, code=code, access_token="access_token")
jwt_keys = srv.keystore.get_keys("ver", owner=None)
idt = IdToken().from_jwt(idt_jwt, key=jwt_keys)
print idt
header = unpack(idt_jwt)
lha = left_hash(code, func="HS" + header[0]["alg"][-3:])
assert lha == idt["c_hash"]
atr = AccessTokenResponse(id_token=idt_jwt, access_token="access_token", token_type="Bearer")
atr["code"] = code
assert atr.verify(key=jwt_keys)
def from_jwt(self, txt, key, verify=True):
"""
Given a signed JWT, verify its correctness and then create a class
instance from the content.
:param txt: The JWT
:param key: keys that might be used to verify the signature of the JWT
:param verify: Whether the signature should be verified or not
:return: A class instance
"""
try:
jso = jwt.unpack(txt)[1]
if isinstance(jso, basestring):
jso = json.loads(jso)
if verify:
if key is None:
key = {}
try:
_keys = key['.']
except KeyError:
_keys = {}
for ent in ["iss", "aud", "client_id"]:
_keys = gather_keys(_keys, key, jso, ent)
if "iss" not in jso and "aud" not in jso:
for owner, _spec in key.items():
if owner == ".":
continue
for typ, keys in _spec.items():
try:
_keys[typ].extend(keys)
except KeyError:
_keys[typ] = keys
jwt.verify(txt, _keys)
except Exception:
raise
return self.from_dict(jso)
def verify(self, **kwargs):
if "aud" in self:
if "client_id" in kwargs:
# check that it's for me
if self["aud"] != kwargs["client_id"]:
return False
if "id_token" in self:
# Try to decode the JWT, checks the signature
idt = IdToken().from_jwt(str(self["id_token"]), kwargs["key"])
if not idt.verify(**kwargs):
return False
hfunc = "HS"+ jwt.unpack(self["id_token"])[0]["alg"][-3:]
if "access_token" in self:
try:
assert "at_hash" in idt
except AssertionError:
raise Exception("Missing at_hash property")
try:
assert idt["at_hash"] == jwt.left_hash(
self["access_token"], hfunc )
except AssertionError:
raise Exception("Failed to verify access_token hash")
if "code" in self:
try:
assert "c_hash" in idt
except AssertionError:
raise Exception("Missing c_hash property")
try:
assert idt["c_hash"] == jwt.left_hash(self["code"], hfunc)
except AssertionError:
raise Exception("Failed to verify code hash")
self["id_token"] = idt
return super(self.__class__, self).verify(**kwargs)
