def verify_client(inst, areq, authn, type_method=TYPE_METHOD):
"""
Guess authentication method and get client from that.
:param inst: Entity instance
:param areq: The request
:param authn: client authentication information
:return: tuple containing client id and client authentication method
"""
if authn: # HTTP Basic auth (client_secret_basic)
cid = get_client_id(inst.cdb, areq, authn)
auth_method = "client_secret_basic"
elif "client_secret" in areq: # client_secret_post
client_id = get_client_id(inst.cdb, areq, authn)
logger.debug("Verified Client ID: %s" % client_id)
cid = ClientSecretBasic(inst).verify(areq, client_id)
auth_method = "client_secret_post"
elif "client_assertion" in areq: # client_secret_jwt or private_key_jwt
check_key_availability(inst, areq["client_assertion"])
for typ, method in type_method:
if areq["client_assertion_type"] == typ:
cid, auth_method = method(inst).verify(areq)
break
else:
logger.error(
"UnknownAssertionType: {}".format(areq["client_assertion_type"])
)
raise UnknownAssertionType(areq["client_assertion_type"], areq)
else:
logger.error("Missing client authentication.")
raise FailedAuthentication("Missing client authentication.")
if isinstance(areq, AccessTokenRequest):
try:
_method = inst.cdb[cid]["token_endpoint_auth_method"]
except KeyError:
_method = "client_secret_basic"
if _method != auth_method:
logger.error(
"Wrong authentication method used: {} != {}".format(
auth_method, _method
)
)
raise FailedAuthentication("Wrong authentication method used")
# store which authn method was used where
try:
inst.cdb[cid]["auth_method"][areq.__class__.__name__] = auth_method
except KeyError:
try:
inst.cdb[cid]["auth_method"] = {areq.__class__.__name__: auth_method}
except KeyError:
pass
return cid
def verify_client(inst, areq, authn, type_method=TYPE_METHOD):
"""
Initiated Guessing !
:param areq: The request
:param authn: client authentication information
:return: tuple containing client id and client authentication method
"""
if authn: # HTTP Basic auth (client_secret_basic)
cid = get_client_id(inst.cdb, areq, authn)
auth_method = 'client_secret_basic'
elif "client_secret" in areq: # client_secret_post
client_id = get_client_id(inst.cdb, areq, authn)
logger.debug("Verified Client ID: %s" % client_id)
cid = ClientSecretBasic(inst).verify(areq, client_id)
auth_method = 'client_secret_post'
elif "client_assertion" in areq: # client_secret_jwt or private_key_jwt
for typ, method in type_method:
if areq["client_assertion_type"] == typ:
cid, auth_method = method(inst).verify(areq)
break
else:
raise UnknownAssertionType(areq["client_assertion_type"], areq)
else:
raise FailedAuthentication("Missing client authentication.")
if isinstance(areq, AccessTokenRequest):
try:
_method = inst.cdb[cid]['token_endpoint_auth_method']
except KeyError:
_method = 'client_secret_basic'
if _method != auth_method:
raise FailedAuthentication("Wrong authentication method used")
# store which authn method was used where
try:
inst.cdb[cid]['auth_method'][areq.__class__.__name__] = auth_method
except KeyError:
try:
inst.cdb[cid]['auth_method'] = {
areq.__class__.__name__: auth_method
}
except KeyError:
pass
return cid
def get_client_id(cdb, req, authn):
"""
Verify the client and return the client id
:param req: The request
:param authn: Authentication information from the HTTP header
:return:
"""
logger.debug("REQ: %s" % req.to_dict())
if authn:
if authn.startswith("Basic "):
logger.debug("Basic auth")
(_id, _secret) = base64.b64decode(
authn[6:].encode("utf-8")).decode("utf-8").split(":")
_id = as_unicode(_id)
if _id not in cdb:
logger.debug("Unknown client_id")
raise FailedAuthentication("Unknown client_id")
else:
if not valid_client_info(cdb[_id]):
logger.debug("Invalid Client info")
raise FailedAuthentication("Invalid Client")
if _secret != cdb[_id]["client_secret"]:
logger.debug("Incorrect secret")
raise FailedAuthentication("Incorrect secret")
else:
if authn[:6].lower() == "bearer":
logger.debug("Bearer auth")
_token = authn[7:]
else:
raise FailedAuthentication("AuthZ type I don't know")
try:
_id = cdb[_token]
except KeyError:
logger.debug("Unknown access token")
raise FailedAuthentication("Unknown access token")
else:
try:
_id = str(req["client_id"])
if _id not in cdb:
logger.debug("Unknown client_id")
raise FailedAuthentication("Unknown client_id")
if not valid_client_info(cdb[_id]):
raise FailedAuthentication("Invalid client_id")
except KeyError:
raise FailedAuthentication("Missing client_id")
return _id
def get_client_id(cdb, req, authn):
"""
Verify the client and return the client id.
:param req: The request
:param authn: Authentication information from the HTTP header
:return:
"""
logger.debug("REQ: %s" % sanitize(req.to_dict()))
_secret = None
if not authn:
try:
_id = str(req["client_id"])
except KeyError:
raise FailedAuthentication("Missing client_id")
elif authn.startswith("Basic "):
logger.debug("Basic auth")
(_id, _secret) = (
base64.b64decode(authn[6:].encode("utf-8")).decode("utf-8").split(":")
)
# Either as string or encoded
if _id not in cdb:
_bid = as_bytes(_id)
_id = _bid
elif authn[:6].lower() == "bearer":
logger.debug("Bearer auth")
_token = authn[7:]
try:
_id = cdb[_token]
except KeyError:
logger.debug("Unknown access token")
raise FailedAuthentication("Unknown access token")
else:
raise FailedAuthentication("AuthZ type I don't know")
# We have the client_id by now, so let's verify it
_cinfo = cdb.get(_id)
if _cinfo is None:
raise FailedAuthentication("Unknown client")
if not valid_client_info(_cinfo):
logger.debug("Invalid Client info")
raise FailedAuthentication("Invalid Client")
if _secret is not None:
if _secret != _cinfo["client_secret"]:
logger.debug("Incorrect secret")
raise FailedAuthentication("Incorrect secret")
# All should be good, so return it
return _id
def get_client_id(self, req, authn):
"""
Verify the client and return the client id
:param req: The request
:param authn: Authentication information from the HTTP header
:return:
"""
logger.debug("REQ: %s" % req.to_dict())
if authn:
if authn.startswith("Basic "):
logger.debug("Basic auth")
(_id, _secret) = base64.b64decode(authn[6:]).split(":")
if _id not in self.cdb:
logger.debug("Unknown client_id")
raise FailedAuthentication("Unknown client_id")
else:
try:
assert _secret == self.cdb[_id]["client_secret"]
except AssertionError:
logger.debug("Incorrect secret")
raise FailedAuthentication("Incorrect secret")
else:
try:
assert authn[:6].lower() == "bearer"
logger.debug("Bearer auth")
_token = authn[7:]
except AssertionError:
raise FailedAuthentication("AuthZ type I don't know")
try:
_id = self.cdb[_token]
except KeyError:
logger.debug("Unknown access token")
raise FailedAuthentication("Unknown access token")
else:
try:
_id = req["client_id"]
if _id not in self.cdb:
logger.debug("Unknown client_id")
raise FailedAuthentication("Unknown client_id")
except KeyError:
raise FailedAuthentication("Missing client_id")
return _id
def verify_client(inst, areq, authn, type_method=TYPE_METHOD):
"""
Initiated Guessing !
:param areq: The request
:param authn: client authentication information
:return:
"""
if authn: # HTTP Basic auth (client_secret_basic)
return get_client_id(inst.cdb, areq, authn)
elif "client_secret" in areq: # client_secret_post
client_id = get_client_id(inst.cdb, areq, authn)
logger.debug("Verified Client ID: %s" % client_id)
return ClientSecretBasic(inst).verify(areq, client_id)
elif "client_assertion" in areq: # client_secret_jwt or private_key_jwt
for typ, method in type_method:
if areq["client_assertion_type"] == typ:
return method(inst).verify(areq)
else:
raise UnknownAssertionType(areq["client_assertion_type"], areq)
else:
raise FailedAuthentication("Missing client authentication.")