def parse_token(self, data, app=None): # parse token header and get relevant public key unverified_header, unverified_claims = jwt.process_jwt( data['id_token']) public_key = self.get_public_key(unverified_header.get('kid')) # verify signature, iat, exp header, claims = jwt.verify_jwt(data['id_token'], public_key, ['RS256'], timedelta(minutes=1), checks_optional=True) # Verify we are the intended audience for the token intended_audiences = [self.intended_aud] if app is not None: intended_audiences.append(app.client_id) if claims.get('aud') is not None and claims.get( 'aud') not in intended_audiences: raise OAuth2Error( "JWT aud {} does not match intended audience {}".format( claims.get('aud'), self.intended_aud)) social_token = SocialToken(token=data['id_token']) social_token.expires_at = datetime.fromtimestamp(claims['iat'], tz=timezone.utc) return social_token
def validate_token(jwkset, token, clock_skew_seconds): headers, _ = jwt.process_jwt(token) alg = headers['alg'] kid = headers['kid'] if not alg: raise Exception('No \'alg\' claim in JWT token header') if not alg in allowed_algs: raise Exception('\'%s\' is not an allowed algorithm.' % alg) if not kid: raise Exception('No \'kid\' claim in JWT token header') json_key = jwkset.get_key(kid) algorithms = [alg] # Exception raised on invalid token input will be bubble up to the caller. _, payload = jwt.verify_jwt(token, json_key, algorithms, datetime.timedelta(seconds=clock_skew_seconds)) typ = payload.get('typ', None) if typ != 'Bearer': raise Exception( 'The token is not intended for autorization (\'typ\' should be \'Bearer\', not \'%s\')' % typ) return payload
def check_token(token): try: token = token.split(' ')[1] token_processed = jwt.process_jwt(token) return token_processed[1] except Exception as err: return {'id': False}
def complete_login(self, request, app, token, **kwargs): # token has already been verified, so we can use unverified data here unverified_header, unverified_claims = jwt.process_jwt(token.token) extra_data = unverified_claims logger.debug('IdToken | IdTokenOAuth2Adapter:complete_login()' 'token claims | %s' % str(extra_data)) return self.get_provider().sociallogin_from_response( request, extra_data)
def auth_verify_apple(openid, access_token): ''' 验证苹果第三方登录(APP端) ''' global apple_public_key_pem try: header, token_info = jwt.process_jwt(access_token) # token_info = jwt.decode(access_token.encode('utf-8'), APPLE_PUBLIC_KEY_PEM, # algorithms=['RS256'], # verify=True, # options={"verify_aud": True}, audience=APPLE_GUANFAN_CLIEND_ID) # print(token_info, type(token_info)) t_sub = token_info.get('sub', False) if t_sub: if t_sub != openid: return False, "错误的sub apple id" else: return False, "没有找到subid" t_iss = token_info.get('iss', False) if t_iss: if t_iss.startswith("https://appleid.apple.com") is False: return False, "错误的iss签发单位" else: return False, "没有找到iss签发单位" t_aud = token_info.get('aud', False) if t_aud: if t_aud != APPLE_GUANFAN_CLIEND_ID: return False, "错误的aud客户端ID" else: return False, "没有找到aud客户端ID" t_exp = token_info.get('exp', False) if t_exp: # print(t_exp, int(curTimeStamp())) if t_exp < int(curTimeStamp()): return False, "已过期" else: return False, "错误的时间格式!" return True, 'ok' except jwt.exceptions.InvalidTokenError as e: log.warning("苹果:{},{},验证失败1,错误类型:{}".format(openid, access_token[:100], e.args[0])) # print(e) return False, e.args[0] except ValueError as ve: log.warning("苹果:{},{},验证失败2,错误类型:{}".format(openid, access_token[:100], ve.args[0])) return False, ve.args[0] except Exception as e: log.warning("苹果:{},{},验证失败3,错误类型:{}".format(openid, access_token[:100], e)) return False, e.args[0]
def _decode(self, token=None): """Decode JWT token using python_jwt""" # process token self.header, self.claims = python_jwt.process_jwt(token) # debug logger.debug("Decoded tocken with %s" % (self.header['alg'])) # record useful values self.issued = datetime.datetime.fromtimestamp(self.claims['iat']) self.expire = datetime.datetime.fromtimestamp(self.claims['exp'])
def validate_jwt(token, client=None): from openid_connect_op.models import OpenIDClient if client is None: client = OpenIDClient.self_instance() if client.client_auth_type == OpenIDClient.CLIENT_AUTH_TYPE_SECRET_JWT: key = jwk.JWK(kty="oct", use="sig", alg="HS256", k=base64url_encode(client.client_hashed_secret)) return jwt.verify_jwt(token, key, ['HS256'], checks_optional=True) header, __ = jwt.process_jwt(token) key = client.get_key(alg=header.get('alg', 'RS256'), kid=header.get('kid', None)) return jwt.verify_jwt(token, key, [key._params.get('alg', 'RS256')], checks_optional=True)
async def verify_remote(self, token): """Verify a JustAuthenticateMe token by calling the rest api :param token: idToken (jwt) from JustAuthenticateMe :returns headers, claims: headers and claims encoded in the user jwt :raises JAMNotVerified: if verification fails on a token """ async with aiohttp.ClientSession(json_serialize=json.dumps) as session: async with session.post(self.base_url + "verify", json={"idToken": token}) as response: if response.status == 200: return jwt.process_jwt(token) if response.status == 400: raise JustAuthenticateMeError("The request was invalid") if response.status == 401: raise JAMNotVerified() if response.status == 404: data = await response.json() raise JAMNotFound(data.get("message")) raise JustAuthenticateMeError("Unknown Error")
def decode_jwt(jwt: str) -> Tuple: """Decode JSON web token. Args: auth_token (str): The JSON web token Raises: JSONWebTokenError: Raised if the signature has expired or if the token is invalid Returns: int: The user id """ if settings.JWT_ENCRYPT: token = JWE() try: token.deserialize(jwt.replace("\\", "")) except InvalidJWEData as error: raise JWEInvalidToken from error try: token.decrypt(_encryption_key) except InvalidJWEData as error: raise JWEDecryptionError from error jwt = token.payload.decode("utf-8") if not settings.JWT_VERIFY: return process_jwt(jwt) try: return verify_jwt( jwt, _secret_key, checks_optional=settings.JWT_VERIFY_EXPIRATION, iat_skew=settings.JWT_LEEWAY, allowed_algs=[settings.JWT_ALGORITHM], ) except (InvalidJWSObject, UnicodeDecodeError) as error: raise JWTDecodeError from error except InvalidJWSSignature as error: raise JWTInvalidSignature from error except Exception as error: raise JWTExpired from error
def good(token): python_jwt.process_jwt(token) python_jwt.verify_jwt(token, "key", "HS256")
def verify_jwt_token(token): """ Verify json web token (jwt) Parameters ---------- token : str The token sent to server in the header of the request Returns ------- bool user is allowed to access system """ is_valid_user = False # Get public key id defined in token header and fetch corresponding key try: header, claims = jwt.process_jwt(token) except Exception as e: logger.debug("Not a valid token %s" % str(e)) return False # Process issuer and audience first as no point verifying jwt if # these are invalid if 'aud' not in claims or JWT_AUDIENCE != claims['aud']: logger.debug("Invalid audience") return False if 'iss' not in claims and JWT_ISSUER != claims['iss']: logger.debug("Invalid issuer") return False # Get public key and validate jwt keyid = header[u'kid'] pub_key = get_public_key(keyid) try: header, claims = jwt.verify_jwt(token, pub_key, allowed_algs=['RS256'], checks_optional=True) except Exception as e: logger.debug("Token validation failed: %s" % str(e)) return False # Verify user is allowed access to fieldprime userid = claims['serenity/aafIdent'] ident, domain = userid.split('@') # If CSIRO domain user verify on ident otherwise on email if domain == 'csiro.au': is_valid_user, user = verifyUserIdent(ident) else: is_valid_user, user = verifyUserEmail(userid) if is_valid_user: # Should not be needed if using jwt auth? # create/set new fieldprime token # g.newToken = generate_auth_token(user) # TODO: set these directly fpSetupG(g, userIdent=user) return is_valid_user
def python_jwt_process_without_verify(token): python_jwt.process_jwt(token) # Noncompliant xxx(token)
def python_jwt_process_with_verify(token): python_jwt.process_jwt(token) python_jwt.verify_jwt(token)
def unsign(self, token): token = str(token) try: header_future, payload_future = jwt.process_jwt(token) header, payload = jwt.verify_jwt( token, pub_key=self.key, allowed_algs=['HS256', 'RS256', 'ES256', 'PS256']) if not payload.has_key('data'): error_payload = { 'location': 'JSON Web Token', 'name': self.__class__.__name__, 'description': 'Payload lacks "data" attribute', 'token': token, 'jwt_header': header_future, 'jwt_payload': payload_future, } raise JwtVerifyError(error_payload) # compute metadata without payload data metadata = payload.copy() del metadata['data'] return payload['data'], metadata except (ValueError, TypeError) as ex: error_payload = { 'location': 'JSON Web Signature', 'name': ex.__class__.__name__, 'description': str(ex), 'token': token, } raise JwtVerifyError(error_payload) except jws.exceptions.SignatureError as ex: error_payload = { 'location': 'JSON Web Signature', 'name': ex.__class__.__name__, 'description': ex.message, 'token': token, 'jwt_header': header_future, 'jwt_payload': payload_future, } raise JwtVerifyError(error_payload) except jwt._JWTError as ex: if ex.message == 'expired': error_payload = { 'location': 'JSON Web Token', 'name': ex.__class__.__name__, 'description': ex.message, 'jwt_header': header_future, 'jwt_expiry': payload_future['exp'], } raise JwtExpiryError(error_payload) else: error_payload = { 'location': 'JSON Web Token', 'name': ex.__class__.__name__, 'description': ex.message, 'token': token, 'jwt_header': header_future, 'jwt_payload': payload_future, } raise JwtVerifyError(error_payload)
def extract_kid(token): token = jwt.process_jwt(token) return token[0]['kid']
def unverified_jwt_payload(token): return jwt.process_jwt(token)[1]
def bad(token): python_jwt.process_jwt(token)