def validate_token_request(self, request): try: check_csrf_token(request, token='assertion') except BadCSRFToken: raise InvalidClientError(request=request) # An object with the confidential client_id and client_secret. request.client = LOCAL_CLIENT if request.client is None: raise InvalidClientError(request=request) request.client_id = request.client_id or request.client.client_id
def _verify(self, key, audience): if self.expiry - self.not_before > self.MAX_LIFETIME: raise InvalidGrantError('Grant token lifetime is too long.') try: jwt.decode(self._token, algorithms=['HS256'], audience=audience, key=key, leeway=self.LEEWAY) except TypeError: raise InvalidClientError('Client is invalid.') except jwt.DecodeError: raise InvalidGrantError('Invalid grant token signature.') except jwt.exceptions.InvalidAlgorithmError: raise InvalidGrantError('Invalid grant token signature algorithm.') except jwt.MissingRequiredClaimError as exc: if exc.claim == 'aud': raise errors.MissingJWTGrantTokenClaimError('aud', 'audience') else: raise errors.MissingJWTGrantTokenClaimError(exc.claim) except jwt.InvalidAudienceError: raise errors.InvalidJWTGrantTokenClaimError('aud', 'audience') except jwt.ImmatureSignatureError: raise InvalidGrantError('Grant token is not yet valid.') except jwt.ExpiredSignatureError: raise InvalidGrantError('Grant token is expired.') except jwt.InvalidIssuedAtError: raise InvalidGrantError( 'Grant token issue time (iat) is in the future.')
def _verify(self, key, audience): # pylint:disable=too-complex if self.expiry - self.not_before > self.MAX_LIFETIME: raise InvalidGrantError("Grant token lifetime is too long.") try: jwt.decode( self._token, algorithms=["HS256"], audience=audience, key=key, leeway=self.LEEWAY, ) except TypeError as err: raise InvalidClientError("Client is invalid.") from err except jwt.DecodeError as err: raise InvalidGrantError("Invalid grant token signature.") from err except jwt.exceptions.InvalidAlgorithmError as err: raise InvalidGrantError( "Invalid grant token signature algorithm.") from err except jwt.MissingRequiredClaimError as err: if err.claim == "aud": raise MissingJWTGrantTokenClaimError("aud", "audience") from err raise MissingJWTGrantTokenClaimError(err.claim) from err except jwt.InvalidAudienceError as err: raise InvalidJWTGrantTokenClaimError("aud", "audience") from err except jwt.ImmatureSignatureError as err: raise InvalidGrantError("Grant token is not yet valid.") from err except jwt.ExpiredSignatureError as err: raise InvalidGrantError("Grant token is expired.") from err except jwt.InvalidIssuedAtError as err: raise InvalidGrantError( "Grant token issue time (iat) is in the future.") from err
def authorize(self, auth): """""" # check for access token (dict) if isinstance(auth, dict): # check if access token is still valid expires_at = datetime.fromtimestamp(auth.get("expires_at")) now = datetime.now() if expires_at > now: self.access_token = auth self.session.headers[ "Authorization"] = f"Bearer {self.access_token.get('access_token')}" self.metadata = self._metadata() return "Authorized!" else: raise TokenExpiredError("Access token expired!") # check for client credentials (tuple) if isinstance(auth, tuple): client_id, client_secret = auth # fetch new access token token_url = f"{self.base_url}/oauth/access_token/" auth = HTTPBasicAuth(client_id, client_secret) client = BackendApplicationClient(client_id=client_id) session = OAuth2Session(client=client) token_dict = session.fetch_token(token_url=token_url, auth=auth) self.access_token = token_dict self.session.headers[ "Authorization"] = f"Bearer {self.access_token.get('access_token')}" self.metadata = self._metadata() return "Authorized!" else: raise InvalidClientError( "You must provide a valid access token file or client credentials." )