def validate_claims(self, id_token, params):
jwt = JWT()
claims = jwt.decode(id_token,
'secret',
claims_cls=HybridIDToken,
claims_params=params)
claims.validate()
def validate_claims(self, id_token, params):
jwt = JWT(['HS256'])
claims = jwt.decode(id_token,
'secret',
claims_cls=ImplicitIDToken,
claims_params=params)
claims.validate()
def test_authorize_token(self):
self.prepare_data()
rv = self.client.post('/oauth/authorize', data={
'response_type': 'code',
'client_id': 'code-client',
'state': 'bar',
'scope': 'openid profile',
'redirect_uri': 'https://a.b',
'user_id': '1'
})
self.assertIn('code=', rv.location)
params = dict(url_decode(urlparse.urlparse(rv.location).query))
self.assertEqual(params['state'], 'bar')
code = params['code']
headers = self.create_basic_header('code-client', 'code-secret')
rv = self.client.post('/oauth/token', data={
'grant_type': 'authorization_code',
'redirect_uri': 'https://a.b',
'code': code,
}, headers=headers)
resp = json.loads(rv.data)
self.assertIn('access_token', resp)
self.assertIn('id_token', resp)
jwt = JWT()
claims = jwt.decode(
resp['id_token'], 'secret',
claims_cls=CodeIDToken,
claims_options={'iss': {'value': 'Authlib'}}
)
claims.validate()
def test_init_algorithms(self):
_jwt = JWT(['RS256'])
self.assertRaises(UnsupportedAlgorithmError, _jwt.encode,
{'alg': 'HS256'}, {}, 'k')
_jwt = JWT('RS256')
self.assertRaises(UnsupportedAlgorithmError, _jwt.encode,
{'alg': 'HS256'}, {}, 'k')
def fetch_user_info(self):
options = {
'iss' : {'essential':True, 'value':self.issuer},
'aud' : {'essential':True, 'value':self.client_id},
'exp' : {'essential':True}
}
id_token = JWT().decode(self.token['id_token'], self.load_key, claims_options=options)
id_token.validate() # checking signature is not strictly necessary but let's do it anyway
sub = self.name + '/' + id_token.sub
return UserInfo(sub=sub)
def _jwt_encode(alg, payload, key):
jwt = JWT(algorithms=alg)
header = {'alg': alg}
if isinstance(key, dict):
# JWK set format
if 'keys' in key:
key = random.choice(key['keys'])
header['kid'] = key['kid']
elif 'kid' in key:
header['kid'] = key['kid']
return to_native(jwt.encode(header, payload, key))
def validate_token(response):
id_token = response.get('id_token', None)
keys = requests.get('https://id.twitch.tv/oauth2/keys').json()
jwt = JWT()
claims = jwt.decode(id_token, keys, claims_cls=CodeIDToken)
try:
claims.validate()
except errors.InvalidClaimError:
pass
except errors.InvalidTokenError:
pass
def generate_id_token(self,
token,
request,
nonce=None,
auth_time=None,
code=None):
scopes = scope_to_list(token['scope'])
if not scopes or scopes[0] != 'openid':
return None
# TODO: merge scopes and claims
user_info = self.generate_user_info(request.user, scopes)
now = int(time.time())
if auth_time is None:
auth_time = now
config = self.server.config
payload = {
'iss': config['jwt_iss'],
'aud': [request.client.client_id],
'iat': now,
'exp': now + config['jwt_exp'],
'auth_time': auth_time,
}
if nonce:
payload['nonce'] = nonce
# calculate at_hash
alg = config['jwt_alg']
access_token = token.get('access_token')
if access_token:
payload['at_hash'] = to_native(create_half_hash(access_token, alg))
# calculate c_hash
if code:
payload['c_hash'] = to_native(create_half_hash(code, alg))
payload.update(user_info)
jwt = JWT(algorithms=alg)
header = {'alg': alg}
key = config['jwt_key']
if isinstance(key, dict):
# JWK set format
if 'keys' in key:
key = random.choice(key['keys'])
header['kid'] = key['kid']
elif 'kid' in key:
header['kid'] = key['kid']
return to_native(jwt.encode(header, payload, key))
def parse_openid(client, response, nonce=None):
jwk_set = _get_google_jwk_set(client)
id_token = response['id_token']
claims_params = dict(nonce=nonce,
client_id=client.client_id,
access_token=response['access_token'])
jwt = JWT()
claims = jwt.decode(
id_token,
key=jwk_set,
claims_cls=CodeIDToken,
claims_options=GOOGLE_CLAIMS_OPTIONS,
claims_params=claims_params,
)
claims.validate(leeway=120)
return UserInfo(claims)
def generate_id_token(self,
token,
request,
nonce=None,
auth_time=None,
code=None):
scopes = scope_to_list(token['scope'])
if not scopes or scopes[0] != 'openid':
return None
# TODO: merge scopes and claims
user_info = self.generate_user_info(request.user, scopes)
now = int(time.time())
if auth_time is None:
auth_time = now
config = self.server.config
payload = {
'iss': config['jwt_iss'],
'aud': [request.client.client_id],
'iat': now,
'exp': now + token['expires_in'],
'auth_time': auth_time,
}
if nonce:
payload['nonce'] = nonce
# calculate at_hash
alg = config.get('jwt_alg', 'HS256')
access_token = token.get('access_token')
if access_token:
at_hash = to_unicode(create_half_hash(access_token, alg))
payload['at_hash'] = at_hash
# calculate c_hash
if code:
payload['c_hash'] = to_unicode(create_half_hash(code, alg))
payload.update(user_info)
jwt = JWT(algorithms=alg)
header = {'alg': alg}
key = config['jwt_key']
id_token = jwt.encode(header, payload, key)
return to_unicode(id_token)
from authlib.specs.rfc7519 import JWT
from authlib.deprecate import deprecate
from .claims import get_claim_cls_by_response_type
jwt = JWT()
def parse_id_token(id_token, key):
deprecate('"parse_id_token" is deprecated, use JWT instead.', 0.8)
claims = jwt.decode(id_token, key)
return claims, claims.header
def verify_id_token(response,
key,
response_type='code',
issuers=None,
client_id=None,
nonce=None,
max_age=None,
now=None):
deprecate('"verify_id_token" is deprecated, use JWT instead.', 0.8)
if 'id_token' not in response:
raise ValueError('Invalid OpenID response')
claims_cls = get_claim_cls_by_response_type(response_type)
claims_request = {
'access_token': response.get('access_token'),
'client_id': client_id,
'nonce': nonce,
'max_age': max_age