def test_validate_aud(self): id_token = jwt.encode({'alg': 'HS256'}, {'aud': 'foo'}, 'k') claims_options = { 'aud': { 'essential': True, 'value': 'foo' } } claims = jwt.decode(id_token, 'k', claims_options=claims_options) claims.validate() claims.options = { 'aud': {'values': ['bar']} } self.assertRaises( errors.InvalidClaimError, claims.validate ) id_token = jwt.encode({'alg': 'HS256'}, {'aud': ['foo', 'bar']}, 'k') claims = jwt.decode(id_token, 'k', claims_options=claims_options) claims.validate() # no validate claims.options = {'aud': {'values': []}} claims.validate()
def test_encode_sensitive_data(self): # check=False won't raise error jwt.encode({'alg': 'HS256'}, {'password': ''}, 'k', check=False) self.assertRaises(errors.InsecureClaimError, jwt.encode, {'alg': 'HS256'}, {'password': ''}, 'k') self.assertRaises(errors.InsecureClaimError, jwt.encode, {'alg': 'HS256'}, {'text': '4242424242424242'}, 'k')
def test_validate_exp(self): id_token = jwt.encode({'alg': 'HS256'}, {'exp': 'invalid'}, 'k') claims = jwt.decode(id_token, 'k') self.assertRaises(errors.InvalidClaimError, claims.validate) id_token = jwt.encode({'alg': 'HS256'}, {'exp': 1234}, 'k') claims = jwt.decode(id_token, 'k') self.assertRaises(errors.ExpiredTokenError, claims.validate)
def test_validate_nbf(self): id_token = jwt.encode({'alg': 'HS256'}, {'nbf': 'invalid'}, 'k') claims = jwt.decode(id_token, 'k') self.assertRaises(errors.InvalidClaimError, claims.validate) id_token = jwt.encode({'alg': 'HS256'}, {'nbf': 1234}, 'k') claims = jwt.decode(id_token, 'k') claims.validate() id_token = jwt.encode({'alg': 'HS256'}, {'nbf': 1234}, 'k') claims = jwt.decode(id_token, 'k') self.assertRaises(errors.InvalidTokenError, claims.validate, 123)
def generate_resource_token(requester, file_path, duration: int, requested_permissions): duration = int(duration) subject = file_path issuer = requester audience = "public" permissions = requested_permissions issued_at = int(time()) expires_at = issued_at + timedelta(seconds=duration).total_seconds() token_id = str(uuid4()) secret = current_app.config["JWT_KEY"] token = jwt.encode( { "alg": "HS256", "typ": "JWT" }, { "sub": subject, "iss": issuer, "aud": audience, "permissions": permissions, "iat": issued_at, "exp": expires_at, "jti": token_id, }, secret, ).decode("utf-8") return token
def no_claims_token(header, pem): """Returns a token, with no claims""" claims = {} token = jwt.encode(header, claims, pem) return token.decode("utf-8")
def auth(): site = session.get('site') location = session.get('location') if not site: abort(400) if site not in config['sites']: abort(404) token = oauth.azuread.authorize_access_token() user = oauth.azuread.parse_id_token(token) preferred_username = user["preferred_username"].lower() usergroup_set = set(user['groups'] or []) sitegroup_set = set(config['sites'][site]['groups'] or []) allowed_users = config['sites'][site]['users'] or [] if not (len(usergroup_set.intersection(sitegroup_set)) > 0 or preferred_username in allowed_users): abort(403, description= f"User {preferred_username} has no read access to space {site}.") header = {'alg': 'HS256'} payload = { 'iss': 'Gitbook Visitor Authenticator', 'exp': user['exp'], # Use AzureAD token expiry & issuing date 'iat': user['iat'] # } key = config['sites'][site]['key'] gitbooktoken = jwt.encode(header, payload, key).decode("utf-8") redirecturl = f"{config['sites'][site]['url']}{location}?jwt_token={gitbooktoken}" return redirect(redirecturl)
def generate(self, grant_type, client, user=None, scope=None, expires_in=None): """Generate a bearer token for OAuth 2.0 authorization token endpoint. :param client: the client that making the request. :param grant_type: current requested grant_type. :param user: current authorized user. :param expires_in: if provided, use this value as expires_in. :param scope: current requested scope. :return: Token dict """ token_data = self.get_token_data(grant_type, client, user, scope, expires_in) access_token = jwt.encode({'alg': self.alg}, token_data, key=self.secret_key, check=False) token = { 'token_type': 'Bearer', 'access_token': to_native(access_token), 'expires_in': expires_in } if scope: token['scope'] = scope return token
def auth_token(app) -> str: """ { "sub": "1", "name": "test", "permissions": ["read: files", "write: files"], "iat": 1516239022 } """ username = "******" permissions = [ "read: files", "write: files", "read: disk_storage", "write: disk_storage", ] token = jwt.encode( { "alg": "HS256" }, { "sub": 2, "name": username, "permissions": permissions }, app.config["JWT_KEY"], ).decode("utf-8") return token
def create_jwt_claim(priv_key, payload, alg=None): if alg is None: alg = 'RS256' header = {'alg': alg} return jwt.encode(header, payload, priv_key)
def generate_token(self, scopes=None, write=False, azp=False, add_claims=True, overrides=None): if scopes is None: scopes = [] header = {"typ": "JWT", "alg": "RS512"} payload = {"iss": "{}".format(CONFIG.AUTH_TOKEN_ISSUER), "sub": "*****@*****.**", "aud": ["https://*.{}".format(CONFIG.DNS_DOMAIN), "https://*.local"], "exp": int(time.time() + 3600), "iat": int(time.time()), "scope": " ".join(scopes)} if azp: payload["azp"] = str(uuid.uuid4()) else: payload["client_id"] = str(uuid.uuid4()) nmos_claims = {} if add_claims: for api in scopes: nmos_claims["x-nmos-{}".format(api)] = {"read": ["*"]} if write: nmos_claims["x-nmos-{}".format(api)]["write"] = ["*"] payload.update(nmos_claims) if overrides: payload.update(overrides) key = open(CONFIG.AUTH_TOKEN_PRIVKEY).read() token = jwt.encode(header, payload, key).decode() return token
def issue_jwt(filename='../keys/fit.private.key'): """ issue_jwt: create jwt based on rsa key file @input: filename @output: jwt string """ encoded_jwt = None iat_time = int(time.time()) #when was this jwt issued nbf_time = iat_time + 1 #valid in one second exp_time = nbf_time + 60 * 60 * 24 # expires in a day header = {'alg': 'RS256'} payload = { #custom fields 'name': 'John Doe', 'classes': ['BI-HWB', 'BI-PST', 'BI-SI1.2', 'BI-SSB'], #standard fields 'iss': 'FIT CVUT', 'sub': 'SSB Demo', 'aud': 'https://bi.ssb/demo', 'exp': exp_time, 'nbf': nbf_time, 'iat': iat_time, 'jti': 'JWT ID' } with open(filename, 'r') as f: key = f.read() encoded_jwt = jwt.encode(header, payload, key) return encoded_jwt
def create_auth_token(login, auth_data, private_key): header = {'alg': 'RS256'} payload = { 'login': login, 'access': auth_data['access'], } return jwt.encode(header, payload, private_key)
def gen_access_token(): header = { "alg": "RS512", "typ": "JWT" } payload = { "iss": "ap-z420-5.rd.bbc.co.uk", "sub": "demo", "nbf": 1581420052, "exp": 2581420052, # Expires in Year 2051 "aud": "*.rd.bbc.co.uk", "client_id": "my_client", "x-nmos-connection": { "read": ["*"] }, "x-nmos-registration": { "read": ["*"], "write": ["*"] }, "scope": "connection registration", "iat": 1581420052 } return jwt.encode( header, payload, TEST_PRIV_KEY ).decode('utf-8')
def _create_token( self, type_token: str, exp_time: Optional[int], *, custom_claims, ) -> str: # Data section claims = { "iat": timezone.now(), "nbf": timezone.now(), "jti": str(uuid.uuid4()), "type": type_token, **custom_claims, } if exp_time: claims["exp"] = exp_time if self.issuer: claims["iss"] = self.issuer if self.audience: claims["aud"] = self.audience key = JsonWebKey.import_key(self.private_key) headers = {"alg": "RS256", "kid": key.thumbprint()} return jwt.encode(header=headers, payload=claims, key=key)
def generate_token(self, subject): """ Return a tuple of the generated token and its expiration :param subject: :return: """ if not self.signing_key: raise OauthNotConfiguredError('SP not configured') else: header = {'alg': self.signing_alg} ts = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc) expiration_ts = ts + datetime.timedelta(seconds=self.expiration_seconds) payload = { 'iss': self.issuer, 'sub': subject, 'exp': expiration_ts, 'iat': ts, 'jti': uuid.uuid4().hex } return jwt.encode(header=header, payload=payload, key=self.signing_key), expiration_ts
async def token(req: web.Request) -> web.Response: """Auth endpoint.""" global nonce, user_eppn, user_family_name, user_given_name id_token = { "at_hash": "fSi3VUa5i2o2SgY5gPJZgg", "sub": "smth", "eduPersonAffiliation": "member;staff", "eppn": user_eppn, "displayName": f"{user_given_name} {user_family_name}", "iss": "http://*****:*****@test.what;[email protected]", "auth_time": 1606579533, "name": f"{user_given_name} {user_family_name}", "schacHomeOrganization": "test.what", "exp": 9999999999, "iat": 1561621913, "family_name": user_family_name, "email": user_eppn, } data = { "access_token": "test", "id_token": jwt.encode(header, id_token, jwk_pair[1]).decode("utf-8") } logging.info(data) return web.json_response(data)
def login(): username = request.json["username"] password = request.json["password"] user = service.find_user(username) successful_login = user is not None and service.does_password_match( password, user["password"]) if successful_login: header = {"alg": "HS256"} payload = { "sub": user["id"], "name": user["username"], "permissions": service.get_user_permissions(user["id"]), "iat": int(time()), "exp": int(time()) + timedelta(hours=1).total_seconds(), } key = current_app.config["JWT_KEY"] token = jwt.encode(header, payload, key).decode("utf-8") current_app.logger.info("User successfully logged in. " + str({"username": username})) return {"JWT": token} current_app.logger.info("User failed to log in. " + str({"username": username})) return make_response("Incorrect username or password.", 400)
def generate_id_token( token, user_info, key, iss, aud, alg='RS256', exp=3600, nonce=None, auth_time=None, code=None): now = int(time.time()) if auth_time is None: auth_time = now payload = { 'iss': iss, 'aud': aud, 'iat': now, 'exp': now + exp, 'auth_time': auth_time, } if nonce: payload['nonce'] = nonce if code: payload['c_hash'] = to_native(create_half_hash(code, alg)) access_token = token.get('access_token') if access_token: payload['at_hash'] = to_native(create_half_hash(access_token, alg)) payload.update(user_info) return to_native(jwt.encode({'alg': alg}, payload, key))
async def send_wrapper(message: Message) -> None: if message["type"] == "http.response.start": if scope["session"]: if "exp" not in scope["session"]: scope["session"]["exp"] = int( time.time()) + self.max_age data = jwt.encode(self.jwt_header, scope["session"], str(self.jwt_secret.encode)) headers = MutableHeaders(scope=message) header_value = "%s=%s; path=/; Max-Age=%d; %s" % ( self.session_cookie, data.decode("utf-8"), self.max_age, self.security_flags, ) if self.domain: # pragma: no cover header_value += f"; domain={self.domain}" headers.append("Set-Cookie", header_value) elif not initial_session_was_empty: # The session has been cleared. headers = MutableHeaders(scope=message) header_value = "%s=%s; %s" % ( self.session_cookie, "null; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT;", self.security_flags, ) if self.domain: # pragma: no cover header_value += f"; domain={self.domain}" headers.append("Set-Cookie", header_value) await send(message)
def test_getIdPClients(): """Try to load external identity provider settings""" # Try to get identity provider by name result = idps.getIdProvider("SomeIdP", jwks="my_jwks") assert result["OK"], result["Message"] assert result["Value"].jwks == "my_jwks" assert result["Value"].issuer == "https://idp.url/" assert result["Value"].client_id == "IdP_client_id" assert result["Value"].client_secret == "IdP_client_secret" assert result["Value"].get_metadata("jwks_uri") == "https://idp.url/jwk" # Try to get identity provider for token issued by it result = idps.getIdProviderForToken( jwt.encode( { "alg": "HS256" }, dict( sub="user", iss=result["Value"].issuer, iat=int(time.time()), exp=int(time.time()) + (12 * 3600), ), "secret", ).decode("utf-8")) assert result["OK"], result["Message"] assert result["Value"].issuer == "https://idp.url/"
def encode_server_token(server): """ Generates the Auth Token :return: string """ try: payload = { "sub": server["hostname"], "aud": "deployment-api", "authorization": { "roles": ["server"] }, "server_id": server["id"], "hostname": server["hostname"], "ip": server["ip"], "exp": datetime.datetime.utcnow() + datetime.timedelta(days=1000, seconds=5), "iat": datetime.datetime.utcnow(), } return jwt.encode({"alg": "HS256"}, payload, Config.SECRET_KEY) except: return None
def genereate_access_token(client, grant_type, user, scope): """Generate an access token give a JWT Bearer Grant Token. OAuth2 has no requirements about what the access token should be. Since we want the access token to be a JWT we are going to return a JWT Access Token as described in https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-10 """ provider_account = get_provider_account() provider_jwk = account_to_jwk(provider_account) header = { "typ": "at+JWT", "alg": "ES256K", } claims = { "iss": provider_account.address, "client_id": client.address, "aud": client.resource, } if client.service_agreement_id is not None: claims.update({"sub": client.service_agreement_id}) if client.did is not None: claims.update({"did": client.did}) if client.execution_id is not None: claims.update({"execution_id": client.execution_id}) return jwt.encode(header, claims, provider_jwk).decode()
def generate_refresh_token(email: str) -> str: """Generate and return a JWT refresh token. Parameters ---------- email : str The email address of the user Returns ------- str The generated token """ time = datetime.utcnow() + \ timedelta(hours=settings.REFRESH_TOKEN_EXP_TIME) header = {'alg': 'RS256'} refresh_token_payload = { "token_type": "refresh", 'email': email, 'exp': int(time.strftime('%s')), 'iat': datetime.utcnow(), 'jti': make_unique_uuid4_code(), } key = read_file(settings.PRIV_REFRESH_TOKEN_KEY) refresh_token = jwt.encode( header, refresh_token_payload, key).decode('utf-8') return refresh_token
def test_post_request_invalid_token_signature(mock_app, pem, monkeypatch, basic_query): """test receiving a POST request containing a token that triggers the InvalidTokenError""" # generate a random token not using the test public key wrong_token = jwt.encode({"alg": "HS256"}, {"aud": ["foo", "bar"]}, "k").decode( "utf-8" ) assert wrong_token # Monkeypatch Elixir JWT server public key def mock_public_server(*args, **kwargs): return pem # Elixir key is not collected from elixir server, but mocked monkeypatch.setattr(auth, "elixir_key", mock_public_server) headers = copy.deepcopy(HEADERS) headers["Authorization"] = "Bearer " + wrong_token # When a POST request with the wrong token is sent response = mock_app.test_client().post( "/apiv1.0/query?", headers=headers, data=json.dumps(basic_query) ) data = json.loads(response.data) # it should return bad signature error assert response.status_code == 403 assert "bad_signature" in data["errorMessage"]
def generate_access_token(email: str) -> str: """Generate and return a JWT access token. Example: TODO ------- >>> generate_access_token('*****@*****.**') >>> "ffer" Parameters ---------- email : str The email address of the user Returns ------- str The JWT generated token """ time = datetime.utcnow() + \ timedelta(minutes=settings.ACCESS_TOKEN_EXP_TIME) header = {'alg': 'RS256'} access_token_payload = { "token_type": "access", 'email': email, 'exp': int(time.strftime('%s')), 'iat': datetime.utcnow(), 'jti': make_unique_uuid4_code(), } key = read_file(settings.PRIV_ACCESS_TOKEN_KEY) access_token = jwt.encode( header, access_token_payload, key).decode('utf-8') return access_token
def test_validate_iat(self): id_token = jwt.encode({'alg': 'HS256'}, {'iat': 'invalid'}, 'k') claims = jwt.decode(id_token, 'k') self.assertRaises( errors.InvalidClaimError, claims.validate )
async def authenticate_user(request): data = await request.json() try: user_name, user_pass = data["user_name"], data["user_pass"] except KeyError: raise web.HTTPUnprocessableEntity(text="Not all keys provided!") users = request.app["user_pass"] if user_name in users and users[user_name] == user_pass: private_key = request.app["private_key"] current_datetime = datetime.utcnow() expiration_delta = timedelta(seconds=15) payload = { 'iss': 'Project Agora', 'exp': current_datetime + expiration_delta } header = {'alg': 'RS256'} return web.Response( text=jwt.encode(header, payload, private_key).decode()) else: raise web.HTTPUnprocessableEntity( text="Invalid username/password combination")
def generate_token(self, subject): """ Return a tuple of the generated token and its expiration :param subject: :return: """ if not self.signing_key: raise OauthNotConfiguredError("SP not configured") else: header = {"alg": self.signing_alg} ts = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc) expiration_ts = ts + datetime.timedelta(seconds=self.expiration_seconds) payload = { "iss": self.issuer, "sub": subject, "exp": expiration_ts, "iat": ts, "jti": uuid.uuid4().hex, } return ( jwt.encode(header=header, payload=payload, key=self.signing_key), expiration_ts, )
def jwtCreater(pl='', secret='xRt*YMDqyCCxYxi9a@LgcGpnmM2X8i&6', header={ "alg": "HS256", "typ": "JWT" }) -> str: return jwt.encode(header, pl, secret).decode('utf-8')