def _jwt_encode(alg, payload, key):
jwt = JWT(algorithms=alg)
header = {'alg': alg}
if isinstance(key, dict):
# JWK set format
if 'keys' in key:
key = random.choice(key['keys'])
header['kid'] = key['kid']
elif 'kid' in key:
header['kid'] = key['kid']
return to_native(jwt.encode(header, payload, key))
def generate_id_token(self,
token,
request,
nonce=None,
auth_time=None,
code=None):
scopes = scope_to_list(token['scope'])
if not scopes or scopes[0] != 'openid':
return None
# TODO: merge scopes and claims
user_info = self.generate_user_info(request.user, scopes)
now = int(time.time())
if auth_time is None:
auth_time = now
config = self.server.config
payload = {
'iss': config['jwt_iss'],
'aud': [request.client.client_id],
'iat': now,
'exp': now + config['jwt_exp'],
'auth_time': auth_time,
}
if nonce:
payload['nonce'] = nonce
# calculate at_hash
alg = config['jwt_alg']
access_token = token.get('access_token')
if access_token:
payload['at_hash'] = to_native(create_half_hash(access_token, alg))
# calculate c_hash
if code:
payload['c_hash'] = to_native(create_half_hash(code, alg))
payload.update(user_info)
jwt = JWT(algorithms=alg)
header = {'alg': alg}
key = config['jwt_key']
if isinstance(key, dict):
# JWK set format
if 'keys' in key:
key = random.choice(key['keys'])
header['kid'] = key['kid']
elif 'kid' in key:
header['kid'] = key['kid']
return to_native(jwt.encode(header, payload, key))
def generate_id_token(self,
token,
request,
nonce=None,
auth_time=None,
code=None):
scopes = scope_to_list(token['scope'])
if not scopes or scopes[0] != 'openid':
return None
# TODO: merge scopes and claims
user_info = self.generate_user_info(request.user, scopes)
now = int(time.time())
if auth_time is None:
auth_time = now
config = self.server.config
payload = {
'iss': config['jwt_iss'],
'aud': [request.client.client_id],
'iat': now,
'exp': now + token['expires_in'],
'auth_time': auth_time,
}
if nonce:
payload['nonce'] = nonce
# calculate at_hash
alg = config.get('jwt_alg', 'HS256')
access_token = token.get('access_token')
if access_token:
at_hash = to_unicode(create_half_hash(access_token, alg))
payload['at_hash'] = at_hash
# calculate c_hash
if code:
payload['c_hash'] = to_unicode(create_half_hash(code, alg))
payload.update(user_info)
jwt = JWT(algorithms=alg)
header = {'alg': alg}
key = config['jwt_key']
id_token = jwt.encode(header, payload, key)
return to_unicode(id_token)