def make_id_token(self, session, loa="2", issuer="",
alg="RS256", code=None, access_token=None,
user_info=None):
"""
:param session: Session information
:param loa: Level of Assurance/Authentication context
:param issuer: My identifier
:param alg: Which signing algorithm to use for the IdToken
:param code: Access grant
:param access_token: Access Token
:param user_info: If user info are to be part of the IdToken
:return: IDToken instance
"""
#defaults
inawhile = {"days": 1}
# Handle the idtoken_claims
extra = {}
itc = self.id_token_claims(session)
if itc:
try:
inawhile = {"seconds": itc["max_age"]}
except KeyError:
inawhile = {}
if "claims" in itc:
for key, val in itc["claims"].items():
if key == "auth_time":
extra["auth_time"] = time_util.utc_time_sans_frac()
elif key == "acr":
#["2","http://id.incommon.org/assurance/bronze"]
extra["acr"] = verify_acr_level(val, loa)
if user_info is None:
_args = {}
else:
_args = user_info.to_dict()
# Make sure that there are no name clashes
for key in ["iss", "sub", "aud", "exp", "acr", "nonce",
"auth_time"]:
try:
del _args[key]
except KeyError:
pass
halg = "HS%s" % alg[-3:]
if code:
_args["c_hash"] = jws.left_hash(code, halg)
if access_token:
_args["at_hash"] = jws.left_hash(access_token, halg)
idt = IdToken(iss=issuer, sub=session["sub"],
aud = session["client_id"],
exp = time_util.epoch_in_a_while(**inawhile), acr=loa,
iat = time_util.utc_now(),
**_args)
for key, val in extra.items():
idt[key] = val
if "nonce" in session:
idt.nonce = session["nonce"]
return idt
def make_id_token(self, session, loa="2", issuer="",
keytype="rsa", code=None, access_token=None,
user_info=None):
#defaults
inawhile = {"days": 1}
# Handle the idtoken_claims
extra = {}
try:
oidreq = OpenIDRequest().deserialize(session["oidreq"], "json")
itc = oidreq["id_token"]
logger.debug("ID Token claims: %s" % itc.to_dict())
try:
inawhile = {"seconds": itc["max_age"]}
except KeyError:
inawhile = {}
if "claims" in itc:
for key, val in itc["claims"].items():
if key == "auth_time":
extra["auth_time"] = time_util.utc_time_sans_frac()
elif key == "acr":
#["2","http://id.incommon.org/assurance/bronze"]
extra["acr"] = verify_acr_level(val, loa)
except KeyError:
pass
if user_info is None:
_args = {}
else:
_args = user_info.to_dict()
# Make sure that there are no name clashes
for key in ["iss", "user_id", "aud", "exp", "acr", "nonce",
"auth_time"]:
try:
del _args[key]
except KeyError:
pass
if code:
_args["c_hash"] = jwt.left_hash(code, "HS256")
if access_token:
_args["at_hash"] = jwt.left_hash(access_token, "HS256")
idt = IdToken(iss=issuer, user_id=session["user_id"],
aud = session["client_id"],
exp = time_util.epoch_in_a_while(**inawhile), acr=loa,
**_args)
for key, val in extra.items():
idt[key] = val
if "nonce" in session:
idt.nonce = session["nonce"]
# sign with clients secret key
_keystore = self.keystore
if keytype == "hmac":
ckey = {"hmac":
_keystore.get_sign_key("hmac",
owner=session["client_id"])}
algo = "HS256"
elif keytype == "rsa": # own asymmetric key
algo = "RS256"
ckey = {"rsa": _keystore.get_sign_key("rsa")}
else:
algo = "ES256"
ckey = {"ec":_keystore.get_sign_key("ec")}
logger.debug("Sign idtoken with '%s'" % (ckey,))
return idt.to_jwt(key=ckey, algorithm=algo)
