def get_jwt_token(self, user):
now = int(time())
rand = ''.join([choice(string.ascii_letters) for _ in range(10)])
rands = f'{rand}.{now}'
jws = JsonWebSignature(algorithms=JWS_ALGORITHMS)
headers = {'alg': 'HS256'}
payload = json.dumps({'email': user.email})
secret = bytes(self.app.config['SECRET_KEY'], 'utf-8')
return jws.serialize_compact(headers, payload, secret)
def json_sign(msg: Union[dict, str], privKey: str) -> dict:
msg: dict = json.loads(msg) if isinstance(msg, str) else msg
if not privKey:
raise ValueError("privKey was not passed as a param")
header = {
"alg": "ES256",
"kid": msg.get("headers", {}).get("from", "ORIGIN")
}
sig_payload = b".".join([
base64.b64encode(canonicaljson.encode_canonical_json(header)),
base64.b64encode(canonicaljson.encode_canonical_json(msg))
])
jws = JsonWebSignature()
key = Path(privKey).read_bytes()
sig = jws.serialize_compact(header, sig_payload,
key).decode("utf-8").split('.')
msg["signature"] = f"{sig[0]}..{sig[2]}"
return msg
def sign_credential(credential, key):
"""
Sign credential with RSA key of the did, add the signature as linked data JSONLD
@parma credential as a dict
#param key a string PEM private RSA key
return signed credential as a dict
"""
payload = json.dumps(credential)
credential_jws = JsonWebSignature(algorithms=['RS256'])
protected = {'alg': 'RS256'}
signature = credential_jws.serialize_compact(protected, payload,
key.encode()).decode()
credential["proof"] = {
"type": "RsaSignature2018",
"created": datetime.now().strftime("%m/%d/%Y, %H:%M:%S"),
"proofPurpose": "assertionMethod",
"verificationMethod": "https://talao.readthedocs.io/en/latest/",
"jws": signature
}
return credential
def get_token(self):
"""Return a JWT token and expiration time for making API calls to Small World Community
Arguments to this function will, by default, use environmental variables if they are present (noted below)
:param community_domain: the FQDN of the community instance (SWC_AUDIENCE)
:param app_id: the the Oauth Application ID being used to connect to the community API (SWC_APP_ID)
:param user_id: The SWC User ID of the authorized user attached to this Oauth Application (SWC_USER_ID)
:return: A tuple with token to use with request calls and the time (in seconds) when the token will expire
"""
exp = int(time.time()) + TOKEN_DURATION
payload = {
"iss": self.app_id,
"iat": int(time.time()),
"aud": self.community_domain,
"exp": exp,
"sub": self.user_id,
"scope": SWC_SCOPE,
}
jws = JsonWebSignature(["HS256"])
auth_token = jws.serialize_compact(
JWT_TOKEN_HEADER,
bytearray(json.dumps(payload), "utf-8"),
bytearray(self.app_secret, "utf-8"),
)
swc_token_url = f"https://{self.community_domain}/services/4.0/token"
token_request = requests.post(
swc_token_url,
data={
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"assertion": auth_token.decode("utf-8"),
"content_type": "application/x-www-form-urlencoded",
},
)
token_request.raise_for_status()
token = token_request.json().get("access_token")
return token, exp
def test_keys():
"""Try to store/get/remove keys"""
# JWS
jws = JsonWebSignature(algorithms=["RS256"])
code_payload = {
"user_id": "user",
"scope": "scope",
"client_id": "client",
"redirect_uri": "redirect_uri",
"code_challenge": "code_challenge",
}
# Token metadata
header = {"alg": "RS256"}
payload = {
"sub": "user",
"iss": "issuer",
"scope": "scope",
"setup": "setup",
"group": "my_group"
}
# Remove all keys
result = db.removeKeys()
assert result["OK"], result["Message"]
# Check active keys
result = db.getActiveKeys()
assert result["OK"], result["Message"]
assert result["Value"] == []
# Create new one
result = db.getPrivateKey()
assert result["OK"], result["Message"]
private_key = result["Value"]
assert isinstance(private_key, RSAKey)
# Sign token
header["kid"] = private_key.thumbprint()
# Find key by KID
result = db.getPrivateKey(header["kid"])
assert result["OK"], result["Message"]
# as_dict has no arguments for authlib < 1.0.0
# for authlib >= 1.0.0:
assert result["Value"].as_dict(True) == private_key.as_dict(True)
# Sign token
token = jwt.encode(header, payload, private_key)
# Sign auth code
code = jws.serialize_compact(header, json_b64encode(code_payload),
private_key)
# Get public key set
result = db.getKeySet()
keyset = result["Value"]
assert result["OK"], result["Message"]
# as_dict has no arguments for authlib < 1.0.0
# for authlib >= 1.0.0:
assert bool([
key for key in keyset.as_dict(True)["keys"]
if key["kid"] == header["kid"]
])
# Read token
_payload = jwt.decode(token, JsonWebKey.import_key_set(keyset.as_dict()))
assert _payload == payload
# Read auth code
data = jws.deserialize_compact(code, keyset.keys[0])
_code_payload = json_loads(urlsafe_b64decode(data["payload"]))
assert _code_payload == code_payload