def validate_at_hash(self):
"""If the ID Token is issued from the Authorization Endpoint with an
access_token value, which is the case for the response_type value
id_token token, this is REQUIRED; it MAY NOT be used when no Access
Token is issued, which is the case for the response_type value
id_token.
"""
access_token = self.params.get('access_token')
if access_token and 'at_hash' not in self:
raise MissingClaimError('at_hash')
super(ImplicitIDToken, self).validate_at_hash()
def validate_auth_time(self):
"""Time when the End-User authentication occurred. Its value is a JSON
number representing the number of seconds from 1970-01-01T0:0:0Z as
measured in UTC until the date/time. When a max_age request is made or
when auth_time is requested as an Essential Claim, then this Claim is
REQUIRED; otherwise, its inclusion is OPTIONAL.
"""
auth_time = self.get('auth_time')
if self.params.get('max_age') and not auth_time:
raise MissingClaimError('auth_time')
if auth_time and not isinstance(auth_time, (int, float)):
raise InvalidClaimError('auth_time')
def validate_nonce(self):
"""String value used to associate a Client session with an ID Token,
and to mitigate replay attacks. The value is passed through unmodified
from the Authentication Request to the ID Token. If present in the ID
Token, Clients MUST verify that the nonce Claim Value is equal to the
value of the nonce parameter sent in the Authentication Request. If
present in the Authentication Request, Authorization Servers MUST
include a nonce Claim in the ID Token with the Claim Value being the
nonce value sent in the Authentication Request. Authorization Servers
SHOULD perform no other processing on nonce values used. The nonce
value is a case sensitive string.
"""
nonce_value = self.params.get('nonce')
if nonce_value:
if 'nonce' not in self:
raise MissingClaimError('nonce')
if nonce_value != self['nonce']:
raise InvalidClaimError('nonce')
def validate_c_hash(self):
"""Code hash value. Its value is the base64url encoding of the
left-most half of the hash of the octets of the ASCII representation
of the code value, where the hash algorithm used is the hash algorithm
used in the alg Header Parameter of the ID Token's JOSE Header. For
instance, if the alg is HS512, hash the code value with SHA-512, then
take the left-most 256 bits and base64url encode them. The c_hash
value is a case sensitive string.
If the ID Token is issued from the Authorization Endpoint with a code,
which is the case for the response_type values code id_token and code
id_token token, this is REQUIRED; otherwise, its inclusion is OPTIONAL.
"""
code = self.params.get('code')
c_hash = self.get('c_hash')
if code:
if not c_hash:
raise MissingClaimError('c_hash')
if not _verify_hash(c_hash, code, self.header['alg']):
raise InvalidClaimError('c_hash')
def validate(self, now=None, leeway=0):
for k in self.ESSENTIAL_CLAIMS:
if k not in self:
raise MissingClaimError(k)
self._validate_essential_claims()
if now is None:
now = int(time.time())
self.validate_iss()
self.validate_sub()
self.validate_aud()
self.validate_exp(now, leeway)
self.validate_nbf(now, leeway)
self.validate_iat(now, leeway)
self.validate_auth_time()
self.validate_nonce()
self.validate_acr()
self.validate_amr()
self.validate_azp()
self.validate_at_hash()
def validate_azp(self):
"""OPTIONAL. Authorized party - the party to which the ID Token was
issued. If present, it MUST contain the OAuth 2.0 Client ID of this
party. This Claim is only needed when the ID Token has a single
audience value and that audience is different than the authorized
party. It MAY be included even when the authorized party is the same
as the sole audience. The azp value is a case sensitive string
containing a StringOrURI value.
"""
aud = self.get('aud')
client_id = self.params.get('client_id')
required = False
if aud and client_id:
if isinstance(aud, list) and len(aud) == 1:
aud = aud[0]
if aud != client_id:
required = True
azp = self.get('azp')
if required and not azp:
raise MissingClaimError('azp')
if azp and client_id and azp != client_id:
raise InvalidClaimError('azp')
def validate_nmos(self, request=None):
if not request:
request = flask_request
# actual 'x-nmos-*' claims in JWT
nmos_token_claims = {
key: val
for key, val in self.items() if key.startswith("x-nmos")
}
# set of valid claims generated by generate_claims_options()
valid_claim_option = {
key: val
for key, val in self.options.items() if key.startswith("x-nmos")
}
if not valid_claim_option: # No options given for validation
logger.writeWarning(
"No x-nmos claim value given for validation in claims options")
return
def _validate_permissions_object(claim_name):
access_permission_object = nmos_token_claims.get(claim_name)
if not access_permission_object:
raise InvalidClaimError(
"{}. Missing from token claims: '{}'.".format(
claim_name, list(nmos_token_claims.keys())))
if request.method in ["GET", "OPTIONS", "HEAD"]:
access_right = "read"
elif request.method in ["PUT", "POST", "PATCH", "DELETE"]:
access_right = "write"
else:
abort(405)
url_access_list = access_permission_object.get(access_right)
if not url_access_list:
raise InvalidClaimError(
"{}. No entry in permissions object for '{}'".format(
claim_name, access_right))
pattern = re.compile(r'/x-nmos/[a-z]+/v[0-9]+\.[0-9]+/(.*)'
) # Capture path after namespace
sub_path = pattern.match(request.path).group(1)
for wildcard_url in url_access_list:
if fnmatch(sub_path, wildcard_url):
return
raise InvalidClaimError(
"{}. No matching paths in token claim: {} for URL path: '{}'".
format(claim_name, url_access_list, sub_path))
# base resources do not require authorization
if request.path in ['/', '/x-nmos', '/x-nmos/']:
return
# if request path is /x-nmos/api_name[/version/], then permit access, providing claim or scope is present
path_regex = re.search(r'^/x-nmos/([a-z]+)/?(v[0-9]+\.[0-9]+)?/?$',
request.path)
if path_regex:
# api_name = path_regex.group(1) # e.g. query, registration, etc.
scope_option = self.options.get("scope").get("value")
# scope in claim_options must be in token or x-nmos-<api_name> claim must exist
if scope_option not in self.get("scope") and \
"x-nmos-{}".format(scope_option) not in list(nmos_token_claims.keys()):
raise MissingClaimError(
"Missing {} from scope claim or 'x-nmos-{}' claim from token"
.format(scope_option, scope_option))
else:
return
# Check that all x-nmos claims in "actual_claims" are in "valid_claims"
if not all(claim_name in nmos_token_claims.keys()
for claim_name in valid_claim_option.keys()):
raise MissingClaimError(
"One of: {} is missing from 'x-nmos' token claims: '{}'".
format(list(valid_claim_option.keys()),
list(nmos_token_claims.keys())))
for claim_name in valid_claim_option.keys():
_validate_permissions_object(claim_name)
def _validate_essential_claims(self):
for k in self.options:
if self.options[k].get('essential') and k not in self:
raise MissingClaimError(k)
def _validate_essential_claims(self):
super(IDToken, self)._validate_essential_claims()
for k in self.ESSENTIAL_CLAIMS:
if k not in self:
raise MissingClaimError(k)
