def get_keycloak_certificates(**kwargs) -> tuple: try: jwks_client = jwt.PyJWKClient(Config.KEYCLOAK_CERTS_URL) kwargs['signing_key'] = jwks_client.get_signing_key_from_jwt( kwargs.get('access_token')).key except Exception as e: kwargs['error'] = str(e) return False, kwargs return True, kwargs
def __init__(self, user_pool_id, client_id): self.user_pool_id = user_pool_id self.user_pool_region = self.user_pool_id.split("_")[0] self.client_id = client_id self.cognito = boto3.client("cognito-idp", region_name=self.user_pool_region) self.jwks = jwt.PyJWKClient(self.jwks_url) self._tokens = {} self._claims = {}
# Usage: provide access token as first command line argument, e.g. # $ python sandbox.py <token> from pprint import pprint import sys import jwt import cryptography.hazmat.primitives.serialization JWKS_URI = 'http://localhost:8081/auth/realms/mo/protocol' \ '/openid-connect/certs' access_token = sys.argv[1] client = jwt.PyJWKClient(JWKS_URI) signing = client.get_signing_key_from_jwt(access_token) data = jwt.decode( access_token, signing.key, algorithms=['RS256'] ) pprint(data) # Encoding with own key # Create key pair with # ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key # openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub # (see https://gist.github.com/ygotthilf/baa58da5c3dd1f69fae9)
import flask, os, requests, jwt from flask import json from covid_form import app from .config import conf_json oauth_conf = conf_json['oauth'] org_guid = oauth_conf['org_guid'] client_id = oauth_conf['client_id'] redirect_uri = oauth_conf['redirect_uri'] oauth_domain = oauth_conf['oauth_domain'] cached_config = requests.get(f"https://login.microsoftonline.com/{org_guid}/v2.0/.well-known/openid-configuration").json() jwk_client = jwt.PyJWKClient(cached_config['jwks_uri']) def get_name_from_jwt(tk): return decode_jwt(tk)['name'] def get_oauth_uri(): nonce = get_nonce() flask.session['nonce'] = nonce return f'https://login.microsoftonline.com/{org_guid}/oauth2/v2.0/authorize?' + urlencode(dict( client_id = client_id, response_type = "id_token", redirect_uri = redirect_uri, scope = "openid profile", nonce = nonce,
payload_str = '{"user":"******"}' payload_data = json.loads(payload_str) print(payload_data) payload_b = payload_str.encode() payload_b64 = base64.urlsafe_b64encode(payload_b).rstrip(b"=") # JWS Signing Input == ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload)) sig_b = private_key.sign( header_b64 + b'.' + payload_b64, padding.PKCS1v15( ), # PKCS1v15 aka PKCS1 is equivalent to RS256 (RSA_PKCS1_PADDING) hashes.SHA256()) sig = base64.urlsafe_b64encode(sig_b).rstrip(b"=") # print the json token encoded = '{}.{}.{}'.format(header_b64.decode(), payload_b64.decode(), sig.decode()) print(encoded) print("----- VERIFY -----") header = jwt.get_unverified_header(encoded) print(header) payload = jwt.decode(encoded, options={"verify_signature": False}) print(payload) jwks_client = jwt.PyJWKClient(jku_url) signing_key = jwks_client.get_signing_key_from_jwt(encoded) payload = jwt.decode(encoded, signing_key.key, algorithms=["RS256"]) print(payload)
os.environ.get('AUTH0_API_AUDIENCE', 'https://{$project_name}.us.auth0.com/api/v2/'), 'AUTH0_API_BASE_URL': os.environ.get('AUTH0_API_BASE_URL', 'https://{$project_name}.us.auth0.com/api/v2'), 'AUTH0_CLAIMS_NAMESPACE': os.environ.get('AUTH0_CLAIMS_NAMESPACE', 'https://cri.com/{$project_name}'), 'AUTH0_TOKEN_ENDPOINT': os.environ.get('AUTH0_TOKEN_ENDPOINT', 'https://{$project_name}.us.auth0.com/oauth/token'), 'AUTH0_CLIENT_ID': os.environ.get('AUTH0_CLIENT_ID', '--your-client-id--'), 'AUTH0_CLIENT_SECRET': os.environ.get('AUTH0_CLIENT_SECRET', '--your-client-secret--') } JWK_CLIENT = jwt.PyJWKClient( f'https://{SETTINGS["ES_AUTH_JWT_DOMAIN"]}/.well-known/jwks.json') _jwks = JWK_CLIENT.get_signing_keys() SIGNING_KEYS = {jwk.key_id: jwk.key for jwk in _jwks} # cancellable if SETTINGS['ES_AUTH_JWT_AUDIENCE'] == '': del SETTINGS['ES_AUTH_JWT_AUDIENCE'] for setting in SETTINGS: key = setting.upper() if ('PASSWORD' not in key) and ('SECRET' not in key): LOG.info('%s: %s', setting, SETTINGS[setting])
import logging import functools import flask import jwt from bot import config logger = logging.getLogger(__name__) jwks_client = jwt.PyJWKClient(config.JWKS_URL) def verify(token): signing_key = jwks_client.get_signing_key_from_jwt(token) data = jwt.decode( token, signing_key.key, algorithms=["RS256"], audience=config.JWT_AUDIENCE ) return data def check_team(data): sub = data['sub'] uid_tid = sub.split('|')[-1] tid = uid_tid.split('-')[0] return tid == config.ALLOWED_TEAM def authorize(f):