def assertion_jwt(cli, keys, audience, algorithm):
_now = utc_now()
at = AuthnToken(iss=cli.client_id, sub=cli.client_id,
aud=audience, jti=rndstr(8),
exp=_now + 600, iat=_now)
return at.to_jwt(key=keys, algorithm=algorithm)
def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
_now = utc_time_sans_frac()
at = AuthnToken(iss=cli.client_id, sub=cli.client_id,
aud=audience, jti=rndstr(32),
exp=_now + lifetime, iat=_now)
return at.to_jwt(key=keys, algorithm=algorithm)
def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
_now = utc_time_sans_frac()
at = AuthnToken(iss=cli.client_id, sub=cli.client_id,
aud=audience, jti=rndstr(16),
exp=_now + lifetime, iat=_now)
return at.to_jwt(key=keys, algorithm=algorithm)
def assertion_jwt(cli, keys, audience, algorithm):
_now = time.time()
at = AuthnToken(iss=cli.client_id, sub=cli.client_id,
aud=audience, jti=rndstr(8),
exp=_now + 600, iat=_now)
return at.to_jwt(key=keys, algorithm=algorithm)
def verify(self, areq, **kwargs):
try:
try:
argv = {'sender': areq['client_id']}
except KeyError:
argv = {}
bjwt = AuthnToken().from_jwt(areq["client_assertion"],
keyjar=self.cli.keyjar,
**argv)
except (Invalid, MissingKey) as err:
logger.info("%s" % sanitize(err))
raise AuthnFailure("Could not verify client_assertion.")
logger.debug("authntoken: %s" % sanitize(bjwt.to_dict()))
areq['parsed_client_assertion'] = bjwt
# logger.debug("known clients: %s" % sanitize(self.cli.cdb.keys()))
try:
cid = kwargs["client_id"]
except KeyError:
cid = bjwt["iss"]
try:
# There might not be a client_id in the request
assert str(cid) in self.cli.cdb # It's a client I know
except KeyError:
pass
# aud can be a string or a list
_aud = bjwt["aud"]
logger.debug("audience: %s, baseurl: %s" % (_aud, self.cli.baseurl))
# figure out authn method
if alg2keytype(bjwt.jws_header['alg']) == 'oct': # Symmetric key
authn_method = 'client_secret_jwt'
else:
authn_method = 'private_key_jwt'
try:
if isinstance(_aud, six.string_types):
assert str(_aud).startswith(self.cli.baseurl)
else:
for target in _aud:
if target.startswith(self.cli.baseurl):
return cid, authn_method
raise NotForMe("Not for me!")
except AssertionError:
raise NotForMe("Not for me!")
return cid, authn_method
def verify(self, areq, **kwargs):
try:
try:
argv = {"sender": areq["client_id"]}
except KeyError:
argv = {}
bjwt = AuthnToken().from_jwt(areq["client_assertion"], keyjar=self.cli.keyjar, **argv)
except (Invalid, MissingKey) as err:
logger.info("%s" % sanitize(err))
raise AuthnFailure("Could not verify client_assertion.")
logger.debug("authntoken: %s" % sanitize(bjwt.to_dict()))
areq["parsed_client_assertion"] = bjwt
# logger.debug("known clients: %s" % sanitize(self.cli.cdb.keys()))
try:
cid = kwargs["client_id"]
except KeyError:
cid = bjwt["iss"]
try:
# There might not be a client_id in the request
assert str(cid) in self.cli.cdb # It's a client I know
except KeyError:
pass
# aud can be a string or a list
_aud = bjwt["aud"]
logger.debug("audience: %s, baseurl: %s" % (_aud, self.cli.baseurl))
# figure out authn method
if alg2keytype(bjwt.jws_header["alg"]) == "oct": # Symmetric key
authn_method = "client_secret_jwt"
else:
authn_method = "private_key_jwt"
try:
if isinstance(_aud, six.string_types):
assert str(_aud).startswith(self.cli.baseurl)
else:
for target in _aud:
if target.startswith(self.cli.baseurl):
return cid, authn_method
raise NotForMe("Not for me!")
except AssertionError:
raise NotForMe("Not for me!")
return cid, authn_method
def verify(self, areq, **kwargs):
try:
bjwt = AuthnToken().from_jwt(areq["client_assertion"],
keyjar=self.cli.keyjar)
except (Invalid, MissingKey), err:
logger.info("%s" % err)
return False
def verify(self, areq, **kwargs):
try:
bjwt = AuthnToken().from_jwt(areq["client_assertion"],
keyjar=self.cli.keyjar)
except (Invalid, MissingKey), err:
logger.info("%s" % err)
raise AuthnFailure("Could not verify client_assertion.")
def verify(self, areq, **kwargs):
try:
bjwt = AuthnToken().from_jwt(areq["client_assertion"],
keyjar=self.cli.keyjar)
except (Invalid, MissingKey) as err:
logger.info("%s" % err)
raise AuthnFailure("Could not verify client_assertion.")
logger.debug("authntoken: %s" % bjwt.to_dict())
# logger.debug("known clients: %s" % self.cli.cdb.keys())
try:
cid = kwargs["client_id"]
except KeyError:
cid = bjwt["iss"]
try:
# There might not be a client_id in the request
assert str(cid) in self.cli.cdb # It's a client I know
except KeyError:
pass
# aud can be a string or a list
_aud = bjwt["aud"]
logger.debug("audience: %s, baseurl: %s" % (_aud, self.cli.baseurl))
try:
if isinstance(_aud, six.string_types):
assert str(_aud).startswith(self.cli.baseurl)
else:
for target in _aud:
if target.startswith(self.cli.baseurl):
return cid
raise NotForMe("Not for me!")
except AssertionError:
raise NotForMe("Not for me!")
return cid
def verify(self, areq, **kwargs):
try:
bjwt = AuthnToken().from_jwt(areq["client_assertion"],
keyjar=self.cli.keyjar)
except (Invalid, MissingKey) as err:
logger.info("%s" % err)
raise AuthnFailure("Could not verify client_assertion.")
logger.debug("authntoken: %s" % bjwt.to_dict())
# logger.debug("known clients: %s" % self.cli.cdb.keys())
try:
cid = kwargs["client_id"]
except KeyError:
cid = bjwt["iss"]
try:
# There might not be a client_id in the request
assert str(cid) in self.cli.cdb # It's a client I know
except KeyError:
pass
# aud can be a string or a list
_aud = bjwt["aud"]
logger.debug("audience: %s, baseurl: %s" % (_aud, self.cli.baseurl))
try:
if isinstance(_aud, six.string_types):
assert str(_aud).startswith(self.cli.baseurl)
else:
for target in _aud:
if target.startswith(self.cli.baseurl):
return cid
raise NotForMe("Not for me!")
except AssertionError:
raise NotForMe("Not for me!")
return cid
