def verify(self, **kwargs):
"""
Verifies that an instance of this class adheres to the given
restrictions.
:param kwargs: A set of keyword arguments
:return: True if it verifies OK otherwise False.
"""
super(MetadataStatement, self).verify(**kwargs)
if "signing_keys" in self:
if 'signing_keys_uri' in self:
raise VerificationError(
'You can only have one of "signing_keys" and '
'"signing_keys_uri" in a metadata statement')
else:
# signing_keys MUST be a JWKS
kj = KeyJar()
try:
kj.import_jwks(self['signing_keys'], '')
except Exception:
raise VerificationError('"signing_keys" not a proper JWKS')
if "metadata_statements" in self and "metadata_statement_uris" in self:
s = set(self['metadata_statements'].keys())
t = set(self['metadata_statement_uris'].keys())
if s.intersection(t):
raise VerificationError(
'You should not have the same key in "metadata_statements" '
'and in "metadata_statement_uris"')
return True
def verify(self, **kwargs):
super(AuthorizationResponse, self).verify(**kwargs)
if 'client_id' in self:
try:
if self['client_id'] != kwargs['client_id']:
raise VerificationError('client_id mismatch')
except KeyError:
logger.info('No client_id to verify against')
pass
if 'iss' in self:
try:
# Issuer URL for the authorization server issuing the response.
if self['iss'] != kwargs['iss']:
raise VerificationError('Issuer mismatch')
except KeyError:
logger.info('No issuer set in the Client config')
pass
return True
def verify(self, **kwargs):
super(AuthorizationResponse, self).verify(**kwargs)
if "client_id" in self:
try:
if self["client_id"] != kwargs["client_id"]:
raise VerificationError("client_id mismatch")
except KeyError:
logger.info("No client_id to verify against")
pass
if "iss" in self:
try:
# Issuer URL for the authorization server issuing the response.
if self["iss"] != kwargs["iss"]:
raise VerificationError("Issuer mismatch")
except KeyError:
logger.info("No issuer set in the Client config")
pass
return True
def verify(self, **kwargs):
"""
Implementations MUST either return both a Client Configuration Endpoint
and a Registration Access Token or neither of them.
:param kwargs:
:return: True if the message is OK otherwise False
"""
super(RegistrationResponse, self).verify(**kwargs)
has_reg_uri = "registration_client_uri" in self
has_reg_at = "registration_access_token" in self
if has_reg_uri != has_reg_at:
raise VerificationError(("Only one of registration_client_uri"
" and registration_access_token present"),
self)
return True
def verify(self, **kwargs):
super(OpenIDSchema, self).verify(**kwargs)
if "birthdate" in self:
# Either YYYY-MM-DD or just YYYY or 0000-MM-DD
try:
time.strptime(self["birthdate"], "%Y-%m-%d")
except ValueError:
try:
time.strptime(self["birthdate"], "%Y")
except ValueError:
try:
time.strptime(self["birthdate"], "0000-%m-%d")
except ValueError:
raise VerificationError("Birthdate format error", self)
if any(val is None for val in self.values()):
return False
return True
def verify(self, **kwargs):
super(IdToken, self).verify(**kwargs)
try:
if kwargs["iss"] != self["iss"]:
raise IssuerMismatch("{} != {}".format(kwargs["iss"], self["iss"]))
except KeyError:
pass
if "aud" in self:
if "client_id" in kwargs:
# check that I'm among the recipients
if kwargs["client_id"] not in self["aud"]:
raise NotForMe(
'"{}" not in {}'.format(kwargs["client_id"], self["aud"]), self
)
# Then azp has to be present and be one of the aud values
if len(self["aud"]) > 1:
if "azp" in self:
if self["azp"] not in self["aud"]:
raise VerificationError("Mismatch between azp and aud claims", self)
else:
raise VerificationError("azp missing", self)
if "azp" in self:
if "client_id" in kwargs:
if kwargs["client_id"] != self["azp"]:
raise NotForMe("{} != azp:{}".format(kwargs["client_id"], self["azp"]), self)
_now = time_util.utc_time_sans_frac()
try:
_skew = kwargs["skew"]
except KeyError:
_skew = 0
try:
_exp = self["exp"]
except KeyError:
raise MissingRequiredAttribute("exp")
else:
if (_now - _skew) > _exp:
raise EXPError("Invalid expiration time")
try:
_storage_time = kwargs["nonce_storage_time"]
except KeyError:
_storage_time = NONCE_STORAGE_TIME
try:
_iat = self["iat"]
except KeyError:
raise MissingRequiredAttribute("iat")
else:
if (_iat + _storage_time) < (_now - _skew):
raise IATError("Issued too long ago")
elif _iat > _now + _skew:
raise IATError("Issued sometime in the future")
if _exp < _iat:
raise IATError("Expiration time can not be earlier the issued at")
if "nonce" in kwargs and "nonce" in self:
if kwargs["nonce"] != self["nonce"]:
raise ValueError("Not the same nonce")
return True
def verify(self, **kwargs):
super(IdToken, self).verify(**kwargs)
try:
if kwargs['iss'] != self['iss']:
raise IssuerMismatch('{} != {}'.format(kwargs['iss'],
self['iss']))
except KeyError:
pass
if "aud" in self:
if "client_id" in kwargs:
# check that I'm among the recipients
if kwargs["client_id"] not in self["aud"]:
raise NotForMe(
"{} not in aud:{}".format(kwargs["client_id"],
self["aud"]), self)
# Then azp has to be present and be one of the aud values
if len(self["aud"]) > 1:
if "azp" in self:
if self["azp"] not in self["aud"]:
raise VerificationError(
"Mismatch between azp and aud claims", self)
else:
raise VerificationError("azp missing", self)
if "azp" in self:
if "client_id" in kwargs:
if kwargs["client_id"] != self["azp"]:
raise NotForMe(
"{} != azp:{}".format(kwargs["client_id"],
self["azp"]), self)
_now = time_util.utc_time_sans_frac()
try:
_skew = kwargs['skew']
except KeyError:
_skew = 0
try:
_exp = self['exp']
except KeyError:
raise MissingRequiredAttribute('exp')
else:
if (_now - _skew) > _exp:
raise EXPError('Invalid expiration time')
try:
_storage_time = kwargs['nonce_storage_time']
except KeyError:
_storage_time = NONCE_STORAGE_TIME
try:
_iat = self['iat']
except KeyError:
raise MissingRequiredAttribute('iat')
else:
if (_iat + _storage_time) < (_now - _skew):
raise IATError('Issued too long ago')
if 'nonce' in kwargs and 'nonce' in self:
if kwargs['nonce'] != self['nonce']:
raise ValueError('Not the same nonce')
return True