def get_jwks_keys(self):
keys = KEYS()
keys.load_from_url(self.jwks_uri())
# Add client secret as oct key so it can be used for HMAC signatures
client_id, client_secret = self.get_key_and_secret()
keys.add({'key': client_secret, 'kty': 'oct'})
return keys
def _get_jwks_keys(shared_key):
""" Returns JWKS keys used to decrypt id_token values. """
# The OpenID Connect Provider (OP) uses RSA keys to sign/enrypt ID tokens and generate public
# keys allowing to decrypt them. These public keys are exposed through the 'jwks_uri' and should
# be used to decrypt the JWS - JSON Web Signature.
jwks_keys = KEYS()
jwks_keys.load_from_url(oidc_rp_settings.PROVIDER_JWKS_ENDPOINT)
# Adds the shared key (which can correspond to the client_secret) as an oct key so it can be
# used for HMAC signatures.
jwks_keys.add({'key': smart_bytes(shared_key), 'kty': 'oct'})
return jwks_keys
def setUp(self):
self.user = User.objects.create(username='******')
mock_get = self.patch('requests.get')
mock_get.return_value.json.return_value = {"jwks_uri": "http://example.com/jwks",
"issuer": "http://example.com"}
keys = KEYS()
keys.add({'key': key, 'kty': 'RSA'})
self.patch('jwkest.jwk.request', return_value=Mock(status_code=200,
text=keys.dump_jwks()))
api_settings.OIDC_ENDPOINT = 'http://example.com'
api_settings.OIDC_AUDIENCE = 'you'
def setUp(self):
self.user = User.objects.create(username='******')
self.responder = FakeRequests()
self.responder.set_response("http://example.com/.well-known/openid-configuration",
{"jwks_uri": "http://example.com/jwks",
"issuer": "http://example.com",
"userinfo_endpoint": "http://example.com/userinfo"})
self.mock_get = self.patch('requests.get')
self.mock_get.side_effect = self.responder.get
keys = KEYS()
keys.add({'key': key, 'kty': 'RSA', 'kid': key.kid})
self.patch('oidc_auth.authentication.request', return_value=Mock(status_code=200,
text=keys.dump_jwks()))
def setUp(self):
self.user = User.objects.create(username='******')
self.responder = FakeRequests()
self.responder.set_response("http://example.com/.well-known/openid-configuration",
{"jwks_uri": "http://example.com/jwks",
"issuer": "http://example.com",
"userinfo_endpoint": "http://example.com/userinfo"})
self.mock_get = self.patch('requests.get')
self.mock_get.side_effect = self.responder.get
keys = KEYS()
keys.add({'key': key, 'kty': 'RSA', 'kid': key.kid})
self.patch('jwkest.jwk.request', return_value=Mock(status_code=200,
text=keys.dump_jwks()))
def get_jwks_keys(self):
""" Returns the keys used to decode the ID token.
Note:
edX uses symmetric keys, so bypass the parent class's calls to an external
server and return the key from settings.
"""
keys = KEYS()
keys.add({
'key': self.setting('ID_TOKEN_DECRYPTION_KEY'),
'kty': 'oct'
})
return keys
def get_jwks_keys(self):
"""
Returns the keys used by the IdP.
Merges client secret into JWK set from server
Response is cached for 24 hours.
"""
keys = KEYS()
keys.load_from_url(self.JWKS_URI)
# Add client secret as oct key so it can be used for HMAC signatures
_client_id, client_secret = self.get_key_and_secret()
keys.add({'key': client_secret, 'kty': 'oct'})
return keys
def get_jwks_keys(self):
"""
Returns the keys used by the IdP.
Merges client secret into JWK set from server
Response is cached for 24 hours.
"""
keys = KEYS()
keys.load_from_url(self.JWKS_URI)
# Add client secret as oct key so it can be used for HMAC signatures
_client_id, client_secret = self.get_key_and_secret()
keys.add({'key': client_secret, 'kty': 'oct'})
return keys
def encode(self, payload):
"""Encode the provided payload."""
keys = KEYS()
if self.asymmetric:
keys.add(RSAKey(key=RSA.importKey(settings.JWT_PRIVATE_SIGNING_KEY)))
algorithm = 'RS512'
else:
key = self.secret if self.secret else self.jwt_auth['JWT_SECRET_KEY']
keys.add({'key': key, 'kty': 'oct'})
algorithm = self.jwt_auth['JWT_ALGORITHM']
data = json.dumps(payload)
jws = JWS(data, alg=algorithm)
return jws.sign_compact(keys=keys)
def _get_signing_jwk_key_set(jwt_issuer):
"""
Returns a JWK Keyset containing all active keys that are configured
for verifying signatures.
"""
key_set = KEYS()
# asymmetric keys
signing_jwk_set = settings.JWT_AUTH.get('JWT_PUBLIC_SIGNING_JWK_SET')
if signing_jwk_set:
key_set.load_jwks(signing_jwk_set)
# symmetric key
key_set.add({'key': jwt_issuer['SECRET_KEY'], 'kty': 'oct'})
return key_set
def _get_jwks_keys(shared_key):
""" Returns JWKS keys used to decrypt id_token values. """
# The OpenID Connect Provider (OP) uses RSA keys to sign/enrypt ID tokens and generate public
# keys allowing to decrypt them. These public keys are exposed through the 'jwks_uri' and should
# be used to decrypt the JWS - JSON Web Signature.
log_prompt = "Get jwks keys: {}"
logger.debug(log_prompt.format('Start'))
jwks_keys = KEYS()
logger.debug(log_prompt.format('Load from provider jwks endpoint'))
jwks_keys.load_from_url(settings.AUTH_OPENID_PROVIDER_JWKS_ENDPOINT)
# Adds the shared key (which can correspond to the client_secret) as an oct key so it can be
# used for HMAC signatures.
logger.debug(log_prompt.format('Add key'))
jwks_keys.add({'key': smart_bytes(shared_key), 'kty': 'oct'})
logger.debug(log_prompt.format('End'))
return jwks_keys
def _get_signing_jwk_key_set(jwt_issuer):
"""
Returns a JWK Keyset containing all active keys that are configured
for verifying signatures.
"""
key_set = KEYS()
# asymmetric keys
signing_jwk_set = settings.JWT_AUTH.get('JWT_PUBLIC_SIGNING_JWK_SET')
if signing_jwk_set:
key_set.load_jwks(signing_jwk_set)
# symmetric key
key_set.add({'key': jwt_issuer['SECRET_KEY'], 'kty': 'oct'})
return key_set
def encode(self, payload):
"""Encode the provided payload."""
keys = KEYS()
if self.asymmetric:
keys.add(
RSAKey(key=RSA.importKey(settings.JWT_PRIVATE_SIGNING_KEY)))
algorithm = 'RS512'
else:
key = self.secret if self.secret else self.jwt_auth[
'JWT_SECRET_KEY']
keys.add({'key': key, 'kty': 'oct'})
algorithm = self.jwt_auth['JWT_ALGORITHM']
data = json.dumps(payload)
jws = JWS(data, alg=algorithm)
return jws.sign_compact(keys=keys)
def _decode_jwt(verify_expiration):
"""
Helper method to decode a JWT with the ability to
verify the expiration of said token
"""
keys = KEYS()
if should_be_asymmetric_key:
keys.load_jwks(settings.JWT_AUTH['JWT_PUBLIC_SIGNING_JWK_SET'])
else:
keys.add({'key': secret_key, 'kty': 'oct'})
_ = JWS().verify_compact(access_token.encode('utf-8'), keys)
return jwt.decode(
access_token,
secret_key,
algorithms=[settings.JWT_AUTH['JWT_ALGORITHM']],
audience=audience,
issuer=issuer,
verify_expiration=verify_expiration,
options={'verify_signature': False},
)
def _decode_jwt(verify_expiration):
"""
Helper method to decode a JWT with the ability to
verify the expiration of said token
"""
keys = KEYS()
if should_be_asymmetric_key:
keys.load_jwks(settings.JWT_AUTH['JWT_PUBLIC_SIGNING_JWK_SET'])
else:
keys.add({'key': secret_key, 'kty': 'oct'})
_ = JWS().verify_compact(access_token.encode('utf-8'), keys)
return jwt.decode(
access_token,
secret_key,
algorithms=[settings.JWT_AUTH['JWT_ALGORITHM']],
audience=audience,
issuer=issuer,
verify_expiration=verify_expiration,
options={'verify_signature': False},
)
def jwks(_request, _uri, headers): # noqa: E306
ks = KEYS()
ks.add(self.key.serialize())
return 200, headers, ks.dump_jwks()
def jwks(_request, _uri, headers):
ks = KEYS()
ks.add(self.key.serialize())
return 200, headers, ks.dump_jwks()
