def parse_token(self, data, app=None):
# parse token header and get relevant public key
unverified_header, unverified_claims = jwt.process_jwt(
data['id_token'])
public_key = self.get_public_key(unverified_header.get('kid'))
# verify signature, iat, exp
header, claims = jwt.verify_jwt(data['id_token'],
public_key, ['RS256'],
timedelta(minutes=1),
checks_optional=True)
# Verify we are the intended audience for the token
intended_audiences = [self.intended_aud]
if app is not None:
intended_audiences.append(app.client_id)
if claims.get('aud') is not None and claims.get(
'aud') not in intended_audiences:
raise OAuth2Error(
"JWT aud {} does not match intended audience {}".format(
claims.get('aud'), self.intended_aud))
social_token = SocialToken(token=data['id_token'])
social_token.expires_at = datetime.fromtimestamp(claims['iat'],
tz=timezone.utc)
return social_token
def validate_token(jwkset, token, clock_skew_seconds):
headers, _ = jwt.process_jwt(token)
alg = headers['alg']
kid = headers['kid']
if not alg:
raise Exception('No \'alg\' claim in JWT token header')
if not alg in allowed_algs:
raise Exception('\'%s\' is not an allowed algorithm.' % alg)
if not kid:
raise Exception('No \'kid\' claim in JWT token header')
json_key = jwkset.get_key(kid)
algorithms = [alg]
# Exception raised on invalid token input will be bubble up to the caller.
_, payload = jwt.verify_jwt(token, json_key, algorithms,
datetime.timedelta(seconds=clock_skew_seconds))
typ = payload.get('typ', None)
if typ != 'Bearer':
raise Exception(
'The token is not intended for autorization (\'typ\' should be \'Bearer\', not \'%s\')'
% typ)
return payload
def check_token(token):
try:
token = token.split(' ')[1]
token_processed = jwt.process_jwt(token)
return token_processed[1]
except Exception as err:
return {'id': False}
def complete_login(self, request, app, token, **kwargs):
# token has already been verified, so we can use unverified data here
unverified_header, unverified_claims = jwt.process_jwt(token.token)
extra_data = unverified_claims
logger.debug('IdToken | IdTokenOAuth2Adapter:complete_login()'
'token claims | %s' % str(extra_data))
return self.get_provider().sociallogin_from_response(
request, extra_data)
def auth_verify_apple(openid, access_token):
''' 验证苹果第三方登录(APP端) '''
global apple_public_key_pem
try:
header, token_info = jwt.process_jwt(access_token)
# token_info = jwt.decode(access_token.encode('utf-8'), APPLE_PUBLIC_KEY_PEM,
# algorithms=['RS256'],
# verify=True,
# options={"verify_aud": True}, audience=APPLE_GUANFAN_CLIEND_ID)
# print(token_info, type(token_info))
t_sub = token_info.get('sub', False)
if t_sub:
if t_sub != openid:
return False, "错误的sub apple id"
else:
return False, "没有找到subid"
t_iss = token_info.get('iss', False)
if t_iss:
if t_iss.startswith("https://appleid.apple.com") is False:
return False, "错误的iss签发单位"
else:
return False, "没有找到iss签发单位"
t_aud = token_info.get('aud', False)
if t_aud:
if t_aud != APPLE_GUANFAN_CLIEND_ID:
return False, "错误的aud客户端ID"
else:
return False, "没有找到aud客户端ID"
t_exp = token_info.get('exp', False)
if t_exp:
# print(t_exp, int(curTimeStamp()))
if t_exp < int(curTimeStamp()):
return False, "已过期"
else:
return False, "错误的时间格式!"
return True, 'ok'
except jwt.exceptions.InvalidTokenError as e:
log.warning("苹果:{},{},验证失败1,错误类型:{}".format(openid, access_token[:100],
e.args[0]))
# print(e)
return False, e.args[0]
except ValueError as ve:
log.warning("苹果:{},{},验证失败2,错误类型:{}".format(openid, access_token[:100],
ve.args[0]))
return False, ve.args[0]
except Exception as e:
log.warning("苹果:{},{},验证失败3,错误类型:{}".format(openid, access_token[:100],
e))
return False, e.args[0]
def _decode(self, token=None):
"""Decode JWT token using python_jwt"""
# process token
self.header, self.claims = python_jwt.process_jwt(token)
# debug
logger.debug("Decoded tocken with %s" % (self.header['alg']))
# record useful values
self.issued = datetime.datetime.fromtimestamp(self.claims['iat'])
self.expire = datetime.datetime.fromtimestamp(self.claims['exp'])
def validate_jwt(token, client=None):
from openid_connect_op.models import OpenIDClient
if client is None:
client = OpenIDClient.self_instance()
if client.client_auth_type == OpenIDClient.CLIENT_AUTH_TYPE_SECRET_JWT:
key = jwk.JWK(kty="oct",
use="sig",
alg="HS256",
k=base64url_encode(client.client_hashed_secret))
return jwt.verify_jwt(token, key, ['HS256'], checks_optional=True)
header, __ = jwt.process_jwt(token)
key = client.get_key(alg=header.get('alg', 'RS256'),
kid=header.get('kid', None))
return jwt.verify_jwt(token,
key, [key._params.get('alg', 'RS256')],
checks_optional=True)
async def verify_remote(self, token):
"""Verify a JustAuthenticateMe token by calling the rest api
:param token: idToken (jwt) from JustAuthenticateMe
:returns headers, claims: headers and claims encoded in the user jwt
:raises JAMNotVerified: if verification fails on a token
"""
async with aiohttp.ClientSession(json_serialize=json.dumps) as session:
async with session.post(self.base_url + "verify",
json={"idToken": token}) as response:
if response.status == 200:
return jwt.process_jwt(token)
if response.status == 400:
raise JustAuthenticateMeError("The request was invalid")
if response.status == 401:
raise JAMNotVerified()
if response.status == 404:
data = await response.json()
raise JAMNotFound(data.get("message"))
raise JustAuthenticateMeError("Unknown Error")
def decode_jwt(jwt: str) -> Tuple:
"""Decode JSON web token.
Args:
auth_token (str): The JSON web token
Raises:
JSONWebTokenError: Raised if the signature has expired or if the token is invalid
Returns:
int: The user id
"""
if settings.JWT_ENCRYPT:
token = JWE()
try:
token.deserialize(jwt.replace("\\", ""))
except InvalidJWEData as error:
raise JWEInvalidToken from error
try:
token.decrypt(_encryption_key)
except InvalidJWEData as error:
raise JWEDecryptionError from error
jwt = token.payload.decode("utf-8")
if not settings.JWT_VERIFY:
return process_jwt(jwt)
try:
return verify_jwt(
jwt,
_secret_key,
checks_optional=settings.JWT_VERIFY_EXPIRATION,
iat_skew=settings.JWT_LEEWAY,
allowed_algs=[settings.JWT_ALGORITHM],
)
except (InvalidJWSObject, UnicodeDecodeError) as error:
raise JWTDecodeError from error
except InvalidJWSSignature as error:
raise JWTInvalidSignature from error
except Exception as error:
raise JWTExpired from error
def good(token):
python_jwt.process_jwt(token)
python_jwt.verify_jwt(token, "key", "HS256")
def verify_jwt_token(token):
"""
Verify json web token (jwt)
Parameters
----------
token : str
The token sent to server in the header of the request
Returns
-------
bool
user is allowed to access system
"""
is_valid_user = False
# Get public key id defined in token header and fetch corresponding key
try:
header, claims = jwt.process_jwt(token)
except Exception as e:
logger.debug("Not a valid token %s" % str(e))
return False
# Process issuer and audience first as no point verifying jwt if
# these are invalid
if 'aud' not in claims or JWT_AUDIENCE != claims['aud']:
logger.debug("Invalid audience")
return False
if 'iss' not in claims and JWT_ISSUER != claims['iss']:
logger.debug("Invalid issuer")
return False
# Get public key and validate jwt
keyid = header[u'kid']
pub_key = get_public_key(keyid)
try:
header, claims = jwt.verify_jwt(token,
pub_key,
allowed_algs=['RS256'],
checks_optional=True)
except Exception as e:
logger.debug("Token validation failed: %s" % str(e))
return False
# Verify user is allowed access to fieldprime
userid = claims['serenity/aafIdent']
ident, domain = userid.split('@')
# If CSIRO domain user verify on ident otherwise on email
if domain == 'csiro.au':
is_valid_user, user = verifyUserIdent(ident)
else:
is_valid_user, user = verifyUserEmail(userid)
if is_valid_user:
# Should not be needed if using jwt auth?
# create/set new fieldprime token
# g.newToken = generate_auth_token(user)
# TODO: set these directly
fpSetupG(g, userIdent=user)
return is_valid_user
def python_jwt_process_without_verify(token):
python_jwt.process_jwt(token) # Noncompliant
xxx(token)
def python_jwt_process_with_verify(token):
python_jwt.process_jwt(token)
python_jwt.verify_jwt(token)
def unsign(self, token):
token = str(token)
try:
header_future, payload_future = jwt.process_jwt(token)
header, payload = jwt.verify_jwt(
token,
pub_key=self.key,
allowed_algs=['HS256', 'RS256', 'ES256', 'PS256'])
if not payload.has_key('data'):
error_payload = {
'location': 'JSON Web Token',
'name': self.__class__.__name__,
'description': 'Payload lacks "data" attribute',
'token': token,
'jwt_header': header_future,
'jwt_payload': payload_future,
}
raise JwtVerifyError(error_payload)
# compute metadata without payload data
metadata = payload.copy()
del metadata['data']
return payload['data'], metadata
except (ValueError, TypeError) as ex:
error_payload = {
'location': 'JSON Web Signature',
'name': ex.__class__.__name__,
'description': str(ex),
'token': token,
}
raise JwtVerifyError(error_payload)
except jws.exceptions.SignatureError as ex:
error_payload = {
'location': 'JSON Web Signature',
'name': ex.__class__.__name__,
'description': ex.message,
'token': token,
'jwt_header': header_future,
'jwt_payload': payload_future,
}
raise JwtVerifyError(error_payload)
except jwt._JWTError as ex:
if ex.message == 'expired':
error_payload = {
'location': 'JSON Web Token',
'name': ex.__class__.__name__,
'description': ex.message,
'jwt_header': header_future,
'jwt_expiry': payload_future['exp'],
}
raise JwtExpiryError(error_payload)
else:
error_payload = {
'location': 'JSON Web Token',
'name': ex.__class__.__name__,
'description': ex.message,
'token': token,
'jwt_header': header_future,
'jwt_payload': payload_future,
}
raise JwtVerifyError(error_payload)
def extract_kid(token):
token = jwt.process_jwt(token)
return token[0]['kid']
def unverified_jwt_payload(token):
return jwt.process_jwt(token)[1]
def bad(token):
python_jwt.process_jwt(token)
