Пример #1
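 def validate_claims(self, id_token, params):
     """Decode *id_token* with the fixed test secret and run claim validation.

     The accepted algorithm is pinned to HS256: ``'secret'`` is a symmetric
     HMAC key, and the sibling implicit-flow test already restricts the
     decoder the same way. With the restriction in place a token whose
     ``alg`` header names anything else is rejected by the decoder rather
     than verified under whatever algorithm the token asks for.

     :param id_token: Encoded JWT string returned by the server under test.
     :param params: Claim parameters forwarded to ``HybridIDToken``.
     :raises: Whatever ``JWT.decode`` / ``claims.validate`` raise for a bad token.
     """
     decoder = JWT(['HS256'])
     claims = decoder.decode(
         id_token,
         'secret',
         claims_cls=HybridIDToken,
         claims_params=params,
     )
     claims.validate()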
Пример #2
 def validate_claims(self, id_token, params):
     """Decode *id_token* as an implicit-flow ID token and validate its claims.

     Only HS256 is accepted, matching the shared symmetric test secret used
     as the verification key.

     :param id_token: Encoded JWT string produced by the server under test.
     :param params: Claim parameters forwarded to ``ImplicitIDToken``.
     """
     decode_kwargs = {
         'claims_cls': ImplicitIDToken,
         'claims_params': params,
     }
     token = JWT(['HS256']).decode(id_token, 'secret', **decode_kwargs)
     token.validate()
Пример #3
def _jwt_encode(alg, payload, key):
    """Sign *payload* as a compact JWT with algorithm *alg* and *key*.

    *key* may be a raw key, a single JWK dict, or a JWK set
    (``{'keys': [...]}``). For a set one member is chosen and its ``kid``
    is placed in the header so the verifier can select the same key; a
    single JWK that carries a ``kid`` is announced the same way.
    ``random.choice`` only decides which published key signs; it never
    produces key material, so a non-CSPRNG is adequate here.

    :param alg: JWS algorithm name, also used to restrict the encoder.
    :param payload: Claims dict to sign.
    :param key: Raw key, JWK dict, or JWK set dict.
    :return: The encoded token as a native ``str``.
    """
    header = {'alg': alg}
    if isinstance(key, dict):
        is_jwk_set = 'keys' in key
        if is_jwk_set:
            key = random.choice(key['keys'])
        # A set member must have a kid; a lone JWK announces one if present.
        if is_jwk_set or 'kid' in key:
            header['kid'] = key['kid']

    signer = JWT(algorithms=alg)
    return to_native(signer.encode(header, payload, key))
Пример #4
    def test_init_algorithms(self):
        """A JWT restricted to RS256 must refuse to encode an HS256 header.

        Both accepted spellings of the restriction are exercised: a list of
        algorithm names and a bare string.
        """
        for allowed in (['RS256'], 'RS256'):
            restricted = JWT(allowed)
            with self.assertRaises(UnsupportedAlgorithmError):
                restricted.encode({'alg': 'HS256'}, {}, 'k')
Пример #5
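class TestJwt:
    """
    Class to create JSON Web Tokens (JWTs) for testing purposes

    Supports generating tokens with a set of requested scopes (as either Azure 'roles' or 'scp's) using a testing
    signing key generated by the TestJwk class. Values for the `aud`, `iss` and `azp` claims in the payload come from
    the current Flask application.

    The token is signed with the private half of ``app.config["TEST_JWKS"]`` and announces that key's ``kid`` in the
    header, so it verifies only against the matching test JWKS.
    """

    _jwt = JWT()

    # Seconds added to the issue time to form the ``exp`` claim.
    _LIFETIME_SECONDS = 10000

    def __init__(self, *, app: App, roles: "list | None" = None, scps: "list | None" = None):
        """
        :param app: Flask application whose config supplies the signing key and claim values
        :type app: App
        :param roles: Optional scopes to include in the token (as a 'roles' claim) for testing authorisation
        :type roles: list
        :param scps: Optional scopes to include in the token (as a 'scp' claim) for testing authorisation
        :type scps: list
        """
        self.signing_key = app.config["TEST_JWKS"]

        self.header = {
            "alg": self.signing_key.algorithm,
            "kid": self.signing_key.kid(),
        }
        # Read the clock once so iat, nbf and exp are mutually consistent.
        now = int(time.time())
        self.payload = {
            "aud": app.config["AZURE_OAUTH_APPLICATION_ID"] or "testing",
            "exp": now + self._LIFETIME_SECONDS,
            "iat": now,
            "iss": f"https://login.microsoftonline.com/{ app.config['AZURE_OAUTH_TENANCY'] or 'testing' }/v2.0",
            "nbf": now,
            "sub": None,
            "azp": app.config["AZURE_OAUTH_CLIENT_APPLICATION_IDS"][0] or "testing",
        }
        # Union of every scope granted, regardless of which claim carries it.
        self.scopes = set()
        if roles is not None:
            self.scopes.update(roles)
            self.payload["roles"] = " ".join(roles)
        if scps is not None:
            self.scopes.update(scps)
            self.payload["scp"] = " ".join(scps)

    def dumps(self) -> str:
        """
        Returns a signed/issued JWT encoded as a string for exchange

        The compact serialisation is produced by the class-level encoder using the test key's private PEM.

        :rtype str
        :return: Signed JWT
        """
        token = self._jwt.encode(self.header, self.payload, self.signing_key.private_key_pem())
        return token.decode()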
    def test_authorize_token(self):
        """Run the authorization-code flow end to end and validate the issued ID token.

        Steps: obtain a code from /oauth/authorize, exchange it at /oauth/token
        using the client's basic-auth header, then decode the returned id_token
        with the server's verification key and validate its claims with the
        issuer pinned to 'Authlib'.
        """
        # generate refresh token
        self.prepare_data()
        authorize_form = {
            'response_type': 'code',
            'client_id': 'code-client',
            'state': 'bar',
            'scope': 'openid profile',
            'redirect_uri': 'https://a.b',
            'user_id': '1',
        }
        rv = self.client.post('/oauth/authorize', data=authorize_form)
        self.assertIn('code=', rv.location)

        redirect_query = urlparse.urlparse(rv.location).query
        params = dict(url_decode(redirect_query))
        self.assertEqual(params['state'], 'bar')

        token_form = {
            'grant_type': 'authorization_code',
            'redirect_uri': 'https://a.b',
            'code': params['code'],
        }
        rv = self.client.post(
            '/oauth/token',
            data=token_form,
            headers=self.create_basic_header('code-client', 'code-secret'),
        )
        resp = json.loads(rv.data)
        self.assertIn('access_token', resp)
        self.assertIn('id_token', resp)

        # NOTE(review): JWT() is left unrestricted here, so the accepted
        # algorithm set is whatever the library defaults to; only the issuer
        # is pinned, via claims_options. Confirm that is intended.
        claims = JWT().decode(
            resp['id_token'],
            self.get_validate_key(),
            claims_cls=CodeIDToken,
            claims_options={'iss': {'value': 'Authlib'}},
        )
        claims.validate()
Пример #7
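class TestJwt:
    """
    Class to create JSON Web Tokens (JWTs) for testing purposes

    Supports generating tokens with a set of requested scopes using a testing signing key generated by the TestJwk
    class. Values for the `aud`, `iss` and `azp` claims in the payload come from the current Flask application.

    The token is signed with the private half of ``app.config['TEST_JWKS']`` and announces that key's ``kid`` in the
    header, so it verifies only against the matching test JWKS.
    """
    _jwt = JWT()

    # Seconds added to the issue time to form the 'exp' claim.
    _LIFETIME_SECONDS = 10000

    def __init__(self, *, app: App, scopes: "list | None" = None):
        """
        :param app: Flask application whose config supplies the signing key and claim values
        :type app: App
        :param scopes: Optional scopes to include in the token (as a 'roles' claim) for testing authorisation
        :type scopes: list
        """
        self.signing_key = app.config['TEST_JWKS']

        self.header = {
            'alg': self.signing_key.algorithm,
            'kid': self.signing_key.kid(),
        }
        # Read the clock once so iat, nbf and exp are mutually consistent.
        now = int(time.time())
        self.payload = {
            'aud': app.config['AZURE_OAUTH_APPLICATION_ID'] or 'testing',
            'exp': now + self._LIFETIME_SECONDS,
            'iat': now,
            'iss': f"https://login.microsoftonline.com/{ app.config['AZURE_OAUTH_TENANCY'] or 'testing' }/v2.0",
            'nbf': now,
            'sub': None,
            'azp': app.config['AZURE_OAUTH_CLIENT_APPLICATION_IDS'][0] or 'testing',
        }
        if scopes is not None:
            self.payload['roles'] = ' '.join(scopes)

    def dumps(self) -> str:
        """
        Returns a signed/issued JWT encoded as a string for exchange

        The compact serialisation is produced by the class-level encoder using the test key's private PEM.

        :rtype str
        :return: Signed JWT
        """
        token = self._jwt.encode(self.header, self.payload, self.signing_key.private_key_pem())
        return token.decode()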