예제 #1
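def verify_jwt(token: str) -> typing.Optional[typing.Mapping]:
    """Validate a bearer JWT and return its verified claims.

    The token is decoded twice. The first decode skips signature verification
    and exists only to read the ``iss`` claim, which selects the key set used
    for the real verification. Nothing read from that unverified decode is
    trusted on its own: the issuer is checked against the allowlist by
    ``assert_authorized_issuer`` and then pinned via ``issuer=`` in the second,
    fully verified decode, so a forged ``iss`` cannot pass unless the attacker
    also holds a signing key published by an authorized issuer.

    Args:
        token: The raw compact-serialised JWT taken from the request.

    Returns:
        The verified claim set (issuer, audience, expiry and signature checked).

    Raises:
        DSSException: 401 when the token cannot be decoded, names an unknown
            or missing ``kid``, or fails signature/claim verification.
    """
    try:
        # Signature deliberately not verified here; we only need ``iss`` to pick
        # the key set. PyJWT 2.x replaced ``verify=False`` with
        # ``options={"verify_signature": False}`` -- confirm against the pinned
        # PyJWT version before upgrading.
        unverified_token = jwt.decode(token, verify=False)
    except jwt.DecodeError:
        # Do not include the token in the log line: it is a bearer credential
        # and log storage is rarely protected as strongly as the token itself.
        logger.info("Failed to decode JWT", exc_info=True)
        raise DSSException(401, 'Unauthorized', 'Failed to decode token.')

    assert_authorized_issuer(unverified_token)
    issuer = unverified_token['iss']
    public_keys = get_public_keys(issuer)

    # ``kid`` comes from the unverified header. A missing or unknown key id is
    # an untrusted-input condition and must surface as 401, not as an unhandled
    # KeyError (which would turn into a server error for the caller).
    try:
        token_header = jwt.get_unverified_header(token)
        verification_key = public_keys[token_header["kid"]]
    except (KeyError, jwt.PyJWTError) as ex:
        logger.info("""{"valid": false, "token": %s}""",
                    json.dumps(unverified_token),
                    exc_info=True)
        raise DSSException(401, 'Unauthorized',
                           'Authorization token is invalid') from ex

    try:
        # ``algorithms`` is an explicit allowlist so the token cannot choose its
        # own algorithm (e.g. "none" or an HMAC downgrade against a public key).
        verified_tok = jwt.decode(
            token,
            key=verification_key,
            issuer=issuer,
            audience=Config.get_audience(),
            algorithms=allowed_algorithms,
        )
        logger.info("""{"valid": true, "token": %s}""",
                    json.dumps(verified_tok))
    except jwt.PyJWTError as ex:  # type: ignore
        logger.info("""{"valid": false, "token": %s}""",
                    json.dumps(unverified_token),
                    exc_info=True)
        raise DSSException(401, 'Unauthorized',
                           'Authorization token is invalid') from ex
    return verified_tok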
예제 #2
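def get_service_jwt(service_credentials, group: typing.Optional[str] = None, email=True, email_claim=False,
                    audience=None, lifetime_seconds: int = 3600):
    """Mint a short-lived RS256-signed JWT for a service account.

    Args:
        service_credentials: Mapping holding at least ``client_email``,
            ``private_key`` and ``private_key_id`` (the shape of a Google-style
            service-account JSON; only these three keys are read here).
        group: When given, added under the configured OIDC group claim.
        email: When true, the client email is added as the ``email`` claim.
        email_claim: When true, the client email is also added under the
            configured OIDC email claim name.
        audience: Explicit ``aud`` value; falls back to ``Config.get_audience()``.
        lifetime_seconds: Validity window for ``exp`` relative to ``iat``.
            Defaults to one hour, the value previously hard-coded.

    Returns:
        The signed compact JWT as ``str``.
    """
    iat = time.time()
    exp = iat + lifetime_seconds
    # NOTE(review): ``iat``/``exp`` are floats from time.time(); some verifiers
    # expect integer NumericDate values -- confirm against the consumers.
    payload = {'iss': service_credentials["client_email"],
               'sub': service_credentials["client_email"],
               'aud': audience or Config.get_audience(),
               'iat': iat,
               'exp': exp,
               'scope': ['email', 'openid', 'offline_access']
               }
    if group:
        payload[Config.get_OIDC_group_claim()] = group
    if email:
        payload['email'] = service_credentials["client_email"]
    if email_claim:
        payload[Config.get_OIDC_email_claim()] = service_credentials["client_email"]
    # ``kid`` lets the verifier select the matching public key without trial
    # verification against every published key.
    additional_headers = {'kid': service_credentials["private_key_id"]}
    signed_jwt = jwt.encode(payload, service_credentials["private_key"], headers=additional_headers,
                            algorithm='RS256')
    # PyJWT < 2.0 returns bytes, >= 2.0 returns str; normalise so callers
    # always receive str regardless of the installed version.
    if isinstance(signed_jwt, bytes):
        signed_jwt = signed_jwt.decode()
    return signed_jwt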