def _oauth_validation(cls):
cert_url = config.get("connect_token_cert")
if request.httprequest.method == "GET":
mode = "read"
if request.httprequest.method == "POST":
mode = "write"
# Get public certificate of issuer for token validation
try:
token_data = request.httprequest.headers.get("Authorization")
access_token = token_data.split()[1]
_logger.info("Received access token: %s", access_token)
cert = requests.get(cert_url)
key_json = cert.json()["keys"][0]
except (ValueError, AttributeError):
# If any error occurs during token and certificate retrieval,
# we put a wrong certificate, and jwt library will fail
# to decrypt the token, leading to unauthorized error.
key_json = {}
public_key = jwk.RSAJWK.from_dict(key_json)
jwt_decoded = JWT().decode(
access_token, key=public_key, algorithms=["RS256"], do_verify=True
)
# validation
# is scope read or write in scopes ?
scope = jwt_decoded.get("scope")
if scope and mode not in scope:
raise Unauthorized()
client_id = jwt_decoded.get("client_id") or jwt_decoded.get("ClientID")
_logger.info("TOKEN CLIENT IS -----------------> " + client_id)
return client_id
def _oauth_validation(cls):
cert_url = config.get("connect_token_cert")
if request.httprequest.method == "GET":
mode = "read"
elif request.httprequest.method == "POST":
mode = "write"
else:
mode = None
# We iterate over the various certificates provider
found_right_certificate = False
jwt_decoded = None
for one_cert_url in cert_url.split(','):
one_cert_url = one_cert_url.strip()
access_token = None
# Get public certificate of issuer for token validation
try:
token_data = request.httprequest.headers.get("Authorization")
access_token = token_data.split()[1]
cert = requests.get(one_cert_url)
keys_json = cert.json()["keys"]
except (ValueError, AttributeError):
# If any error occurs during token and certificate retrieval,
# we put a wrong certificate, and jwt library will fail
# to decrypt the token, leading to unauthorized error.
keys_json = []
for key_json in keys_json:
try:
public_key = jwk.RSAJWK.from_dict(key_json)
jwt_decoded = JWT().decode(
access_token, key=public_key, algorithms={"RS256"}, do_verify=True
)
except JWTDecodeError:
continue
# If we did not encounter an error before, it means the certificate allowed to correctly decode the
# access token so we hopefully found a matching certificate
if jwt_decoded:
found_right_certificate = True
break
if found_right_certificate:
break
if not found_right_certificate:
raise Unauthorized()
# validation
# is scope read or write in scopes ?
scope = jwt_decoded.get("scope")
if scope and mode not in scope:
raise Unauthorized()
client_id = jwt_decoded.get("client_id") or jwt_decoded.get("ClientID")
return client_id
