def verify(self, **kwargs):
"""
Verifies that an instance of this class adhers to the given
restrictions.
"""
super(MetadataStatement, self).verify(**kwargs)
if "signing_keys" in self:
if 'signing_keys_uri' in self:
raise VerificationError(
'You can only have one of "signing_keys" and '
'"signing_keys_uri" in a metadata statement')
else:
# signing_keys MUST be a JWKS
kj = KeyJar()
try:
kj.import_jwks(self['signing_keys'], '')
except Exception:
raise VerificationError('"signing_keys" not a proper JWKS')
if "metadata_statements" in self and "metadata_statement_uris" in self:
s = set(self['metadata_statements'].keys())
t = set(self['metadata_statement_uris'].keys())
if s.intersection(t):
raise VerificationError(
'You should not have the same key in "metadata_statements" '
'and in "metadata_statement_uris"')
return True
def verify(self, **kwargs):
super(IdToken, self).verify(**kwargs)
if "aud" in self:
if "client_id" in kwargs:
# check that I'm among the recipients
if kwargs["client_id"] not in self["aud"]:
raise NotForMe(
"{} not in aud:{}".format(kwargs["client_id"],
self["aud"]), self)
# Then azp has to be present and be one of the aud values
if len(self["aud"]) > 1:
try:
assert "azp" in self
except AssertionError:
raise VerificationError("azp missing", self)
else:
try:
assert self["azp"] in self["aud"]
except AssertionError:
raise VerificationError(
"Mismatch between azp and aud claims", self)
if "azp" in self:
if "client_id" in kwargs:
if kwargs["client_id"] != self["azp"]:
raise NotForMe(
"{} != azp:{}".format(kwargs["client_id"],
self["azp"]), self)
_now = time_util.utc_time_sans_frac()
try:
_skew = kwargs['skew']
except KeyError:
_skew = 0
try:
_exp = self['exp']
except KeyError:
raise MissingRequiredAttribute('exp')
else:
if (_now - _skew) > _exp:
raise EXPError('Invalid expiration time')
try:
_storage_time = kwargs['nonce_storage_time']
except KeyError:
_storage_time = NONCE_STORAGE_TIME
try:
_iat = self['iat']
except KeyError:
raise MissingRequiredAttribute('iat')
else:
if (_iat + _storage_time) < (_now - _skew):
raise IATError('Issued too long ago')
return True
def verify(self, **kwargs):
if "aud" in self:
if "client_id" in kwargs:
# check that I'm among the recipients
if kwargs["client_id"] not in self["aud"]:
raise NotForMe("", self)
# Then azp has to be present and be one of the aud values
if len(self["aud"]) > 1:
try:
assert "azp" in self
except AssertionError:
raise VerificationError("azp missing", self)
else:
try:
assert self["azp"] in self["aud"]
except AssertionError:
raise VerificationError(
"Mismatch between azp and aud claims", self)
if "azp" in self:
if "client_id" in kwargs:
if kwargs["client_id"] != self["azp"]:
raise NotForMe("", self)
return super(IdToken, self).verify(**kwargs)
def verify_id_token(instance, check_hash=False, **kwargs):
# Try to decode the JWT, checks the signature
args = {}
for arg in TOKEN_VERIFY_ARGS:
try:
args[arg] = kwargs[arg]
except KeyError:
pass
_jws = str(instance["id_token"])
# It can be encrypted, so try to decrypt first
_jwe = JWE_factory(_jws)
if _jwe is not None:
try:
_jws = _jwe.decrypt(keys=kwargs["keyjar"].get_decrypt_key())
except JWEException as err:
raise VerificationError("Could not decrypt id_token", err)
_packer = JWT()
_body = _packer.unpack(_jws).payload()
if "keyjar" in kwargs:
try:
if _body["iss"] not in kwargs["keyjar"]:
raise ValueError("Unknown issuer")
except KeyError:
raise MissingRequiredAttribute("iss")
if _jwe is not None:
# Use the original encrypted token to set correct headers
idt = IdToken().from_jwt(str(instance["id_token"]), **args)
else:
idt = IdToken().from_jwt(_jws, **args)
if not idt.verify(**kwargs):
raise VerificationError("Could not verify id_token", idt)
if check_hash:
_alg = idt.jws_header["alg"]
if _alg != "none":
hfunc = "HS" + _alg[-3:]
else:
# This is allowed only for `code` and it needs to be checked by a Client
hfunc = None
if "access_token" in instance and hfunc is not None:
if "at_hash" not in idt:
raise MissingRequiredAttribute("Missing at_hash property", idt)
if idt["at_hash"] != jws.left_hash(instance["access_token"],
hfunc):
raise AtHashError("Failed to verify access_token hash", idt)
if "code" in instance and hfunc is not None:
if "c_hash" not in idt:
raise MissingRequiredAttribute("Missing c_hash property", idt)
if idt["c_hash"] != jws.left_hash(instance["code"], hfunc):
raise CHashError("Failed to verify code hash", idt)
return idt
def verify_id_token(instance, check_hash=False, **kwargs):
# Try to decode the JWT, checks the signature
args = {}
for arg in ["key", "keyjar", "algs", "sender"]:
try:
args[arg] = kwargs[arg]
except KeyError:
pass
_jws = str(instance["id_token"])
# It can be encrypted, so try to decrypt first
_jwe = JWE_factory(_jws)
if _jwe is not None:
try:
_jws = _jwe.decrypt(keys=kwargs['keyjar'].get_decrypt_key())
except JWEException as err:
raise VerificationError("Could not decrypt id_token", err)
_packer = JWT()
_body = _packer.unpack(_jws).payload()
if 'keyjar' in kwargs:
try:
if _body['iss'] not in kwargs['keyjar']:
raise ValueError('Unknown issuer')
except KeyError:
raise MissingRequiredAttribute('iss')
if _jwe is not None:
# Use the original encrypted token to set correct headers
idt = IdToken().from_jwt(str(instance['id_token']), **args)
else:
idt = IdToken().from_jwt(_jws, **args)
if not idt.verify(**kwargs):
raise VerificationError("Could not verify id_token", idt)
if check_hash:
_alg = idt.jws_header["alg"]
# What if _alg == 'none'
hfunc = "HS" + _alg[-3:]
if "access_token" in instance:
if "at_hash" not in idt:
raise MissingRequiredAttribute("Missing at_hash property", idt)
if idt["at_hash"] != jws.left_hash(instance["access_token"],
hfunc):
raise AtHashError("Failed to verify access_token hash", idt)
if "code" in instance:
if "c_hash" not in idt:
raise MissingRequiredAttribute("Missing c_hash property", idt)
if idt["c_hash"] != jws.left_hash(instance["code"], hfunc):
raise CHashError("Failed to verify code hash", idt)
return idt
def verify(self, **kwargs):
super(AuthorizationResponse, self).verify(**kwargs)
if 'client_id' in self:
if self['client_id'] != kwargs['client_id']:
raise VerificationError('client_id mismatch')
if 'iss' in self:
try:
# Issuer URL for the authorization server issuing the response.
if self['iss'] != kwargs['iss']:
raise VerificationError('Issuer mismatch')
except KeyError:
logger.info('No issuer set in the Client config')
pass
return True
def verify(self, **kwargs):
"""
Implementations MUST either return both a Client Configuration Endpoint
and a Registration Access Token or neither of them.
:param kwargs:
:return: True if the message is OK otherwise False
"""
if "registration_client_uri" in self:
if not "registration_access_token":
raise VerificationError((
"Only one of registration_client_uri"
" and registration_access_token present"), self)
elif "registration_access_token" in self:
raise VerificationError((
"Only one of registration_client_uri"
" and registration_access_token present"), self)
return super(RegistrationResponse, self).verify(**kwargs)
def verify(self, **kwargs):
super(AuthorizationResponse, self).verify(**kwargs)
if "client_id" in self:
try:
if self["client_id"] != kwargs["client_id"]:
raise VerificationError("client_id mismatch")
except KeyError:
logger.info("No client_id to verify against")
pass
if "iss" in self:
try:
# Issuer URL for the authorization server issuing the response.
if self["iss"] != kwargs["iss"]:
raise VerificationError("Issuer mismatch")
except KeyError:
logger.info("No issuer set in the Client config")
pass
return True
def verify(self, **kwargs):
super(AuthorizationResponse, self).verify(**kwargs)
if "aud" in self:
if "client_id" in kwargs:
# check that it's for me
if kwargs["client_id"] not in self["aud"]:
return False
if "id_token" in self:
# Try to decode the JWT, checks the signature
args = {}
for arg in ["key", "keyjar", "algs", "sender"]:
try:
args[arg] = kwargs[arg]
except KeyError:
pass
idt = IdToken().from_jwt(str(self["id_token"]), **args)
if not idt.verify(**kwargs):
raise VerificationError("Could not verify id_token", idt)
_alg = idt.jws_header["alg"]
# What if _alg == 'none'
hfunc = "HS" + _alg[-3:]
if "access_token" in self:
try:
assert "at_hash" in idt
except AssertionError:
raise MissingRequiredAttribute("Missing at_hash property",
idt)
try:
assert idt["at_hash"] == jws.left_hash(
self["access_token"], hfunc)
except AssertionError:
raise AtHashError("Failed to verify access_token hash",
idt)
if "code" in self:
try:
assert "c_hash" in idt
except AssertionError:
raise MissingRequiredAttribute("Missing c_hash property",
idt)
try:
assert idt["c_hash"] == jws.left_hash(self["code"], hfunc)
except AssertionError:
raise CHashError("Failed to verify code hash", idt)
self["id_token"] = idt
return True
def verify(self, **kwargs):
if "birthdate" in self:
# Either YYYY-MM-DD or just YYYY or 0000-MM-DD
try:
_ = time.strptime(self["birthdate"], "%Y-%m-%d")
except ValueError:
try:
_ = time.strptime(self["birthdate"], "%Y")
except ValueError:
try:
_ = time.strptime(self["birthdate"], "0000-%m-%d")
except ValueError:
raise VerificationError("Birthdate format error", self)
return super(OpenIDSchema, self).verify(**kwargs)
def verify(self, **kwargs):
"""
Verify that the response is valid.
Implementations MUST either return both a Client Configuration Endpoint
and a Registration Access Token or neither of them.
:param kwargs:
:return: True if the message is OK otherwise False
"""
super(RegistrationResponse, self).verify(**kwargs)
has_reg_uri = "registration_client_uri" in self
has_reg_at = "registration_access_token" in self
if has_reg_uri != has_reg_at:
raise VerificationError(("Only one of registration_client_uri"
" and registration_access_token present"),
self)
return True
def verify(self, **kwargs):
super(OpenIDSchema, self).verify(**kwargs)
if "birthdate" in self:
# Either YYYY-MM-DD or just YYYY or 0000-MM-DD
try:
time.strptime(self["birthdate"], "%Y-%m-%d")
except ValueError:
try:
time.strptime(self["birthdate"], "%Y")
except ValueError:
try:
time.strptime(self["birthdate"], "0000-%m-%d")
except ValueError:
raise VerificationError("Birthdate format error", self)
if any(val is None for val in self.values()):
return False
return True
def verify(self, **kwargs):
super(IdToken, self).verify(**kwargs)
try:
if kwargs["iss"] != self["iss"]:
raise IssuerMismatch("{} != {}".format(kwargs["iss"],
self["iss"]))
except KeyError:
pass
if "aud" in self:
if "client_id" in kwargs:
# check that I'm among the recipients
if kwargs["client_id"] not in self["aud"]:
raise NotForMe(
"{} not in aud:{}".format(kwargs["client_id"],
self["aud"]),
self,
)
# Then azp has to be present and be one of the aud values
if len(self["aud"]) > 1:
if "azp" not in self:
raise VerificationError("azp missing", self)
if self["azp"] not in self["aud"]:
raise VerificationError(
"Mismatch between azp and aud claims", self)
if "azp" in self:
if "client_id" in kwargs:
if kwargs["client_id"] != self["azp"]:
raise NotForMe(
"{} != azp:{}".format(kwargs["client_id"],
self["azp"]), self)
_now = time_util.utc_time_sans_frac()
try:
_skew = kwargs["skew"]
except KeyError:
_skew = 0
try:
_exp = self["exp"]
except KeyError:
raise MissingRequiredAttribute("exp")
else:
if (_now - _skew) > _exp:
raise EXPError("Invalid expiration time")
try:
_storage_time = kwargs["nonce_storage_time"]
except KeyError:
_storage_time = NONCE_STORAGE_TIME
try:
_iat = self["iat"]
except KeyError:
raise MissingRequiredAttribute("iat")
else:
if (_iat + _storage_time) < (_now - _skew):
raise IATError("Issued too long ago")
if _now < (_iat - _skew):
raise IATError("Issued in the future")
if _exp < _iat:
raise EXPError("Invalid expiration time")
return True
