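def _create_and_set_jwt_cookies(response, request, cookie_settings, user=None, refresh_token=None):
    """
    Create a JWT for the current session and attach it to ``response`` as cookies.

    One of ``user`` or ``refresh_token`` must be supplied.  With a
    ``refresh_token`` the existing DOT access token is refreshed; otherwise a
    new DOT access token with the ``email`` and ``profile`` scopes is created
    for ``user``.  The JWT built from that access token is split by
    ``_parse_jwt`` into header/payload and signature and written by
    ``_set_jwt_cookies`` together with the refresh token DOT returned.

    Args:
        response: Django response the cookies are set on.
        request: Current request, passed through to the DOT token helpers.
        cookie_settings: Cookie attributes (domain, max_age, secure, ...)
            forwarded unchanged to ``_set_jwt_cookies``.
        user: User to mint a new access token for; not consulted when a
            ``refresh_token`` is given.
        refresh_token: Existing refresh token to exchange for a new access
            token.

    Returns:
        None.  Cookies are added to ``response`` as a side effect; nothing is
        set when ``FEATURES['DISABLE_SET_JWT_COOKIES_FOR_TESTS']`` is on.

    Raises:
        ValueError: if neither ``user`` nor ``refresh_token`` is supplied.
    """
    # Skip setting JWT cookies for most unit tests, since it raises errors when
    # a login oauth client cannot be found in the database in ``_get_login_oauth_client``.
    # This solution is not ideal, but see https://github.com/edx/edx-platform/pull/19180#issue-226706355
    # for a discussion of alternative solutions that did not work or were halted.
    if settings.FEATURES.get('DISABLE_SET_JWT_COOKIES_FOR_TESTS', False):
        return

    # Fail fast instead of asking the DOT helpers to mint a token with no
    # subject: a cookie JWT must always be bound to an identified user, either
    # directly or through a refresh token that already belongs to one.
    if user is None and not refresh_token:
        raise ValueError('_create_and_set_jwt_cookies requires either user or refresh_token')

    # For security reasons, the JWT that is embedded inside the cookie expires
    # much sooner than the cookie itself, per the following setting.
    expires_in = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']

    oauth_application = _get_login_oauth_client()
    if refresh_token:
        access_token = refresh_dot_access_token(
            request, oauth_application.client_id, refresh_token, expires_in=expires_in,
        )
    else:
        access_token = create_dot_access_token(
            request, user, oauth_application, expires_in=expires_in, scopes=['email', 'profile'],
        )

    # The cookie JWT is always signed with the asymmetric key.
    jwt = create_jwt_from_token(access_token, DOTAdapter(), use_asymmetric_key=True)
    jwt_header_and_payload, jwt_signature = _parse_jwt(jwt)
    _set_jwt_cookies(
        response,
        cookie_settings,
        jwt_header_and_payload,
        jwt_signature,
        access_token['refresh_token'],
    )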
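def _create_and_set_jwt_cookies(response, request, cookie_settings, user=None, refresh_token=None):
    """
    Issue a JWT for the logged-in session and store it in cookies on ``response``.

    Two entry modes are supported:

    * ``refresh_token`` given -- the existing DOT token is refreshed via
      ``refresh_dot_access_token``; ``user`` is not consulted.
    * otherwise -- a new DOT access token with the ``email`` and ``profile``
      scopes is created for ``user``.

    Either way the JWT built from the access token is split by ``_parse_jwt``
    into header/payload and signature and written by ``_set_jwt_cookies``
    along with the refresh token returned by DOT.  Nothing is done when
    ``_are_jwt_cookies_disabled()`` is true.

    Args:
        response: Response object that receives the cookies.
        request: Current request, forwarded to the DOT token helpers.
        cookie_settings: Cookie attributes forwarded to ``_set_jwt_cookies``.
        user: User to create the token for (required unless a refresh token
            is supplied).
        refresh_token: Refresh token to exchange for a new access token.

    Raises:
        ValueError: when called without a ``user`` and without a
            ``refresh_token``.
    """
    if _are_jwt_cookies_disabled():
        return

    # A JWT cookie must always be bound to an identified subject; refuse to
    # hand a user-less request to the DOT helpers and let them guess.
    if user is None and not refresh_token:
        raise ValueError('_create_and_set_jwt_cookies needs either user or refresh_token')

    # For security reasons, the JWT that is embedded inside the cookie expires
    # much sooner than the cookie itself, per the following setting.
    expires_in = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']

    oauth_application = _get_login_oauth_client()
    if refresh_token:
        access_token = refresh_dot_access_token(
            request, oauth_application.client_id, refresh_token, expires_in=expires_in,
        )
    else:
        access_token = create_dot_access_token(
            request, user, oauth_application, expires_in=expires_in, scopes=['email', 'profile'],
        )

    # The cookie JWT is always signed with the asymmetric key.
    jwt = create_jwt_from_token(access_token, DOTAdapter(), use_asymmetric_key=True)
    jwt_header_and_payload, jwt_signature = _parse_jwt(jwt)
    _set_jwt_cookies(
        response,
        cookie_settings,
        jwt_header_and_payload,
        jwt_signature,
        access_token['refresh_token'],
    )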
def _build_jwt_response_from_access_token_response(self, request, response):
    """
    Rewrite a DOT access-token response body so the access token is a JWT.

    The JSON body of ``response`` is decoded, its ``access_token`` replaced by
    the JWT built from the whole token dict via ``create_jwt_from_token`` with
    the adapter chosen for this request, and ``token_type`` set to ``'JWT'``.
    Every other key of the original body is passed through untouched.

    Args:
        request: Current request, used to select the OAuth adapter.
        response: Upstream token-endpoint response whose ``.content`` is a
            JSON document.

    Returns:
        str: the re-encoded JSON body.
    """
    body = json.loads(response.content)
    adapter = self.get_adapter(request)
    # The JWT is derived from the full token dict (scope, expiry, ...), not
    # just the opaque access_token string it replaces.
    body['access_token'] = create_jwt_from_token(body, adapter)
    body['token_type'] = 'JWT'
    return json.dumps(body)
def _build_jwt_response_from_access_token_response(self, request, response):
    """
    Return the token-endpoint response body with the access token swapped for a JWT.

    Decodes ``response.content`` as JSON, asks ``create_jwt_from_token`` (with
    ``self.get_adapter(request)``) for a JWT over that token dict, and encodes
    a copy of the dict in which ``access_token`` holds the JWT and
    ``token_type`` is ``'JWT'``.

    Args:
        request: Current request; selects the OAuth adapter.
        response: Response from the underlying token endpoint.

    Returns:
        str: JSON document with the rewritten ``access_token``/``token_type``.
    """
    original = json.loads(response.content)
    encoded_jwt = create_jwt_from_token(original, self.get_adapter(request))
    rewritten = {
        **original,
        'access_token': encoded_jwt,
        'token_type': 'JWT',
    }
    return json.dumps(rewritten)
def _create_jwt(request, user, expires_in):
    """
    Mint a cookie-style JWT for ``user`` that expires after ``expires_in`` seconds.

    A DOT access token is created against the login OAuth client with the
    ``user_id``, ``email`` and ``profile`` scopes, then converted to an
    asymmetrically signed JWT.

    Args:
        request: Current request, forwarded to ``create_dot_access_token``.
        user: User the token is issued for.
        expires_in: Lifetime of the access token, in seconds.

    Returns:
        The encoded JWT string produced by ``create_jwt_from_token``.
    """
    login_client = _get_login_oauth_client()
    # Note: Scopes for JWT cookies do not require additional permissions
    cookie_scopes = ['user_id', 'email', 'profile']
    dot_token = create_dot_access_token(
        request,
        user,
        login_client,
        expires_in=expires_in,
        scopes=cookie_scopes,
    )
    return create_jwt_from_token(dot_token, DOTAdapter(), use_asymmetric_key=True)
def _create_jwt(request, user, expires_in):
    """
    Build an asymmetrically signed JWT for ``user`` with the given lifetime.

    The JWT wraps a DOT access token issued to the login OAuth client with the
    ``user_id``, ``email`` and ``profile`` scopes.

    Args:
        request: Current request (passed to ``create_dot_access_token``).
        user: Subject of the token.
        expires_in: Access-token lifetime in seconds.

    Returns:
        Encoded JWT string.
    """
    # Note: Scopes for JWT cookies do not require additional permissions
    token_kwargs = {
        'expires_in': expires_in,
        'scopes': ['user_id', 'email', 'profile'],
    }
    dot_access_token = create_dot_access_token(
        request, user, _get_login_oauth_client(), **token_kwargs
    )
    return create_jwt_from_token(
        dot_access_token, DOTAdapter(), use_asymmetric_key=True
    )
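def _create_and_set_jwt_cookies(response, request, cookie_settings, user=None, refresh_token=None):
    """
    Create a JWT for the session and attach it to ``response`` as cookies.

    The JWT wraps a DOT access token: an existing token is refreshed when
    ``refresh_token`` is given, otherwise a new one with the ``email`` and
    ``profile`` scopes is created for ``user``.  ``_parse_jwt`` splits the JWT
    into header/payload and signature, which ``_set_jwt_cookies`` writes
    together with the refresh token DOT returned.

    The function is a no-op when ``FEATURES['DISABLE_SET_JWT_COOKIES_FOR_TESTS']``
    is on, or when no private signing JWK is configured (the Ironwood
    default).

    Args:
        response: Response the cookies are added to.
        request: Current request, forwarded to the DOT token helpers.
        cookie_settings: Cookie attributes forwarded to ``_set_jwt_cookies``.
        user: User to mint a new access token for; ignored when
            ``refresh_token`` is supplied.
        refresh_token: Refresh token to exchange for a new access token.

    Raises:
        ValueError: if neither ``user`` nor ``refresh_token`` is supplied
            (only checked once the early-return conditions have passed).
    """
    # Skip setting JWT cookies for most unit tests, since it raises errors when
    # a login oauth client cannot be found in the database in ``_get_login_oauth_client``.
    # This solution is not ideal, but see https://github.com/edx/edx-platform/pull/19180#issue-226706355
    # for a discussion of alternative solutions that did not work or were halted.
    if settings.FEATURES.get('DISABLE_SET_JWT_COOKIES_FOR_TESTS', False):
        return

    # For Ironwood, we don't set JWK settings by default. Make sure we don't fail trying
    # to use empty settings. This means by default, micro-frontends won't work, but Ironwood
    # has none. Also, OAuth scopes won't work, but that is still a new and specialized feature.
    # Installations that need them can create JWKs and add them to the settings.
    # The literal string "None" is accepted as "unset" because the value may
    # arrive from a text-based settings source.
    private_signing_jwk = settings.JWT_AUTH['JWT_PRIVATE_SIGNING_JWK']
    if not private_signing_jwk or private_signing_jwk == "None":
        return

    # Never mint a cookie JWT without an identified subject: refuse here
    # rather than let the DOT helpers decide what a user-less token means.
    if user is None and not refresh_token:
        raise ValueError('_create_and_set_jwt_cookies requires either user or refresh_token')

    # For security reasons, the JWT that is embedded inside the cookie expires
    # much sooner than the cookie itself, per the following setting.
    expires_in = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']

    oauth_application = _get_login_oauth_client()
    if refresh_token:
        access_token = refresh_dot_access_token(
            request, oauth_application.client_id, refresh_token, expires_in=expires_in,
        )
    else:
        access_token = create_dot_access_token(
            request, user, oauth_application, expires_in=expires_in, scopes=['email', 'profile'],
        )

    # Always signed with the asymmetric key (the JWK checked above).
    jwt = create_jwt_from_token(access_token, DOTAdapter(), use_asymmetric_key=True)
    jwt_header_and_payload, jwt_signature = _parse_jwt(jwt)
    _set_jwt_cookies(
        response,
        cookie_settings,
        jwt_header_and_payload,
        jwt_signature,
        access_token['refresh_token'],
    )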
def _create_jwt_for_token(
    self,
    oauth_adapter,
    use_asymmetric_key,
    client_restricted=False,
):
    """
    Test helper: build a JWT via ``jwt_api.create_jwt_from_token`` for a fresh test token.

    A client is created through ``self._create_client``, a one-hour access
    token for ``self.user`` is minted with the adapter's
    ``create_access_token_for_test``, and the resulting token dict (access
    token, ``expires_in`` and a space-joined ``self.default_scopes``) is
    handed to the JWT API.

    Args:
        oauth_adapter: Adapter used to create the test client/token and the JWT.
        use_asymmetric_key: Forwarded to ``create_jwt_from_token``.
        client_restricted: Forwarded to ``self._create_client``.

    Returns:
        Whatever ``jwt_api.create_jwt_from_token`` returns for that token.
    """
    one_hour = 60 * 60
    client = self._create_client(oauth_adapter, client_restricted)
    expiry = now() + timedelta(seconds=one_hour)
    raw_access_token = oauth_adapter.create_access_token_for_test(
        'token', client, self.user, expiry
    )
    token_dict = {
        'access_token': raw_access_token,
        'expires_in': one_hour,
        'scope': ' '.join(self.default_scopes),
    }
    return jwt_api.create_jwt_from_token(
        token_dict, oauth_adapter, use_asymmetric_key=use_asymmetric_key
    )
def _create_jwt_for_token(
    self,
    oauth_adapter,
    use_asymmetric_key,
    client_restricted=False,
):
    """
    Return the JWT that ``jwt_api.create_jwt_from_token`` produces for a test token.

    Args:
        oauth_adapter: Adapter that creates the test client/token and the JWT.
        use_asymmetric_key: Passed through to ``create_jwt_from_token``.
        client_restricted: Passed through to ``self._create_client``.

    Returns:
        The value returned by ``jwt_api.create_jwt_from_token``.
    """
    lifetime_seconds = 60 * 60
    test_client = self._create_client(oauth_adapter, client_restricted)
    # Expiry is computed once, relative to now(), so the token dict and the
    # stored test token agree on it.
    expires_at = now() + timedelta(seconds=lifetime_seconds)
    token_dict = dict(
        access_token=oauth_adapter.create_access_token_for_test(
            'token', test_client, self.user, expires_at
        ),
        expires_in=lifetime_seconds,
        scope=' '.join(self.default_scopes),
    )
    return jwt_api.create_jwt_from_token(
        token_dict,
        oauth_adapter,
        use_asymmetric_key=use_asymmetric_key,
    )
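def _create_and_set_jwt_cookies(response, request, cookie_settings, user=None, refresh_token=None):
    """
    Create a JWT for the session and attach it to ``response`` as cookies.

    With ``refresh_token`` the existing DOT access token is refreshed;
    otherwise a new one is created for ``user`` with the ``user_id``,
    ``email`` and ``profile`` scopes.  The JWT built from it is split by
    ``_parse_jwt`` and written by ``_set_jwt_cookies`` together with the
    refresh token DOT returned.  Nothing happens when
    ``FEATURES['DISABLE_SET_JWT_COOKIES_FOR_TESTS']`` is on.

    Args:
        response: Response the cookies are set on.
        request: Current request, forwarded to the DOT token helpers.
        cookie_settings: Cookie attributes forwarded to ``_set_jwt_cookies``.
        user: User to mint a token for; unused when ``refresh_token`` is given.
        refresh_token: Refresh token to exchange for a new access token.

    Raises:
        ValueError: if neither ``user`` nor ``refresh_token`` is supplied.
    """
    # Skip setting JWT cookies for most unit tests, since it raises errors when
    # a login oauth client cannot be found in the database in ``_get_login_oauth_client``.
    # This solution is not ideal, but see https://github.com/edx/edx-platform/pull/19180#issue-226706355
    # for a discussion of alternative solutions that did not work or were halted.
    if settings.FEATURES.get('DISABLE_SET_JWT_COOKIES_FOR_TESTS', False):
        return

    # A cookie JWT must always have an identified subject; fail here instead
    # of passing a None user into token creation.
    if user is None and not refresh_token:
        raise ValueError('_create_and_set_jwt_cookies requires either user or refresh_token')

    # For security reasons, the JWT that is embedded inside the cookie expires
    # much sooner than the cookie itself, per the following setting.
    expires_in = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']

    oauth_application = _get_login_oauth_client()
    if refresh_token:
        access_token = refresh_dot_access_token(
            request, oauth_application.client_id, refresh_token, expires_in=expires_in,
        )
    else:
        # Note: Scopes for JWT cookies do not require additional permissions
        access_token = create_dot_access_token(
            request,
            user,
            oauth_application,
            expires_in=expires_in,
            scopes=['user_id', 'email', 'profile'],
        )

    # The cookie JWT is always signed with the asymmetric key.
    jwt = create_jwt_from_token(access_token, DOTAdapter(), use_asymmetric_key=True)
    jwt_header_and_payload, jwt_signature = _parse_jwt(jwt)
    _set_jwt_cookies(
        response,
        cookie_settings,
        jwt_header_and_payload,
        jwt_signature,
        access_token['refresh_token'],
    )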
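def _create_and_set_jwt_cookies(response, request, user=None, refresh_token=None):
    """
    Create a JWT for the session and attach it to ``response`` as cookies.

    Cookie attributes come from ``standard_cookie_settings(request)`` so the
    JWT cookies expire together with the other login cookies.  The embedded
    JWT wraps a DOT access token -- refreshed from ``refresh_token`` when one
    is given, otherwise newly created for ``user`` -- and is split by
    ``_parse_jwt`` before ``_set_jwt_cookies`` writes it along with the
    refresh token DOT returned.  Nothing happens while ``JWT_COOKIES_FLAG``
    is disabled.

    Args:
        response: Response the cookies are set on.
        request: Current request; used for cookie settings and passed to the
            DOT token helpers.
        user: User to mint a token for; unused when ``refresh_token`` is given.
        refresh_token: Refresh token to exchange for a new access token.

    Raises:
        ValueError: if neither ``user`` nor ``refresh_token`` is supplied.
    """
    if not JWT_COOKIES_FLAG.is_enabled():
        return

    # Refuse to mint a cookie JWT with no identified subject.
    if user is None and not refresh_token:
        raise ValueError('_create_and_set_jwt_cookies requires either user or refresh_token')

    # JWT cookies expire at the same time as other login-related cookies
    # so that cookie-based login determination remains consistent.
    cookie_settings = standard_cookie_settings(request)

    # For security reasons, the JWT that is embedded inside the cookie expires
    # much sooner than the cookie itself, per the following setting.
    expires_in = settings.JWT_AUTH['JWT_IN_COOKIE_EXPIRATION']

    oauth_application = _get_login_oauth_client()
    if refresh_token:
        access_token = refresh_dot_access_token(
            request, oauth_application.client_id, refresh_token, expires_in=expires_in,
        )
    else:
        # No explicit scopes here: whatever create_dot_access_token defaults to.
        access_token = create_dot_access_token(
            request, user, oauth_application, expires_in=expires_in,
        )

    # The cookie JWT is always signed with the asymmetric key.
    jwt = create_jwt_from_token(access_token, DOTAdapter(), use_asymmetric_key=True)
    jwt_header_and_payload, jwt_signature = _parse_jwt(jwt)
    _set_jwt_cookies(
        response,
        cookie_settings,
        jwt_header_and_payload,
        jwt_signature,
        access_token['refresh_token'],
    )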
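def _create_and_set_jwt_cookies(response, request, user=None, refresh_token=None):
    """
    Create a JWT for the session and attach it to ``response`` as cookies.

    Cookie attributes come from ``standard_cookie_settings(request)`` adjusted
    by ``_set_jwt_expiration``; the embedded JWT's lifetime is taken from the
    resulting ``max_age``, so token and cookie expire together.  The JWT
    wraps a DOT access token -- refreshed from ``refresh_token`` when one is
    given, otherwise newly created for ``user`` -- split by ``_parse_jwt`` and
    written by ``_set_jwt_cookies`` along with the refresh token DOT
    returned.  Nothing happens while ``JWT_COOKIES_FLAG`` is disabled.

    Args:
        response: Response the cookies are set on.
        request: Current request; used for cookie settings and passed to the
            DOT token helpers.
        user: User to mint a token for; unused when ``refresh_token`` is given.
        refresh_token: Refresh token to exchange for a new access token.

    Raises:
        ValueError: if neither ``user`` nor ``refresh_token`` is supplied.
    """
    if not JWT_COOKIES_FLAG.is_enabled():
        return

    # Refuse to mint a cookie JWT with no identified subject.
    if user is None and not refresh_token:
        raise ValueError('_create_and_set_jwt_cookies requires either user or refresh_token')

    # TODO (ARCH-246) Need to fix configuration of token expiration settings.
    cookie_settings = standard_cookie_settings(request)
    _set_jwt_expiration(cookie_settings)
    # NOTE(review): here the JWT lives exactly as long as the cookie
    # (``max_age`` as set by ``_set_jwt_expiration``), whereas other variants
    # of this function use the shorter ``JWT_IN_COOKIE_EXPIRATION`` for the
    # token and keep the cookie longer-lived.  ARCH-246 above tracks revisiting
    # this; keep the two lifetimes in mind when changing either.
    expires_in = cookie_settings['max_age']

    oauth_application = _get_login_oauth_client()
    if refresh_token:
        access_token = refresh_dot_access_token(
            request, oauth_application.client_id, refresh_token, expires_in=expires_in,
        )
    else:
        # No explicit scopes here: whatever create_dot_access_token defaults to.
        access_token = create_dot_access_token(
            request, user, oauth_application, expires_in=expires_in,
        )

    # The cookie JWT is always signed with the asymmetric key.
    jwt = create_jwt_from_token(access_token, DOTAdapter(), use_asymmetric_key=True)
    jwt_header_and_payload, jwt_signature = _parse_jwt(jwt)
    _set_jwt_cookies(
        response,
        cookie_settings,
        jwt_header_and_payload,
        jwt_signature,
        access_token['refresh_token'],
    )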