def construct_AccessTokenRequest(self,
request=AccessTokenRequest,
request_args=None, extra_args=None,
**kwargs):
if request_args is None:
request_args = {}
if request is not ROPCAccessTokenRequest:
grant = self.get_grant(**kwargs)
if not grant.is_valid():
raise GrantExpired("Authorization Code to old %s > %s" % (
utc_time_sans_frac(),
grant.grant_expiration_time))
request_args["code"] = grant.code
try:
request_args['state'] = kwargs['state']
except KeyError:
pass
if "grant_type" not in request_args:
request_args["grant_type"] = "authorization_code"
if "client_id" not in request_args:
request_args["client_id"] = self.client_id
elif not request_args["client_id"]:
request_args["client_id"] = self.client_id
return self.construct_request(request, request_args, extra_args)
def create_new_client(self, request, restrictions):
"""
:param request: The Client registration request
:param restrictions: Restrictions on the client
:return: The client_id
"""
_cinfo = request.to_dict()
self.match_client_request(_cinfo)
# create new id and secret
_id = rndstr(12)
while _id in self.cdb:
_id = rndstr(12)
_cinfo["client_id"] = _id
_cinfo["client_secret"] = secret(self.seed, _id)
_cinfo["client_id_issued_at"] = utc_time_sans_frac()
_cinfo["client_secret_expires_at"] = utc_time_sans_frac(
) + self.secret_lifetime
# If I support client info endpoint
if ClientInfoEndpoint in self.endp:
_cinfo["registration_access_token"] = rndstr(32)
_cinfo["registration_client_uri"] = "%s%s%s?client_id=%s" % (
self.name, self.client_info_url, ClientInfoEndpoint.etype, _id)
if "redirect_uris" in request:
_cinfo["redirect_uris"] = self._uris_to_tuples(
request["redirect_uris"])
self.load_keys(request, _id, _cinfo["client_secret"])
try:
_behav = self.behavior['client_registration']
except KeyError:
pass
else:
self.verify_correct(_cinfo, _behav)
self.set_token_policy(_id, _cinfo)
self.cdb[_id] = _cinfo
return _id
def is_expired(self, token, when=None):
"""Return if token is still valid."""
if when is None:
now = utc_time_sans_frac()
else:
now = when
eat = self.expires_at(token)
return bool(now > eat)
def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
_now = utc_time_sans_frac()
at = AuthnToken(iss=cli.client_id,
sub=cli.client_id,
aud=audience,
jti=rndstr(32),
exp=_now + lifetime,
iat=_now)
logger.debug('AuthnToken: {}'.format(at.to_dict()))
return at.to_jwt(key=keys, algorithm=algorithm)
def _init_jwt(self):
kwargs = {}
for para in ['iss', 'aud', 'sub']:
_val = getattr(self, para)
if _val:
kwargs[para] = _val
_iat = utc_time_sans_frac()
kwargs['iat'] = _iat
if self.lifetime:
kwargs['exp'] = _iat + self.lifetime
if self.in_a_while:
kwargs['nbf'] = _iat + self.in_a_while
return PJWT(**kwargs)
def do_exp(self, **kwargs):
try:
lifetime = kwargs['lifetime']
except KeyError:
try:
rt = ' '.join(kwargs['response_type'])
except KeyError:
rt = ' '.join(kwargs['grant_type'])
try:
lifetime = self.lt_pattern[rt]
except KeyError:
lifetime = self.lt_pattern['']
return utc_time_sans_frac() + lifetime
def __init__(self, resp=None):
self.scope = []
self.token_expiration_time = 0
self.access_token = None
self.refresh_token = None
self.token_type = None
self.replaced = False
if resp:
for prop, val in resp.items():
setattr(self, prop, val)
try:
_expires_in = resp["expires_in"]
except KeyError:
return
if _expires_in:
_tet = utc_time_sans_frac() + int(_expires_in)
else:
_tet = 0
self.token_expiration_time = int(_tet)
def __call__(self, sid='', ttype='', **kwargs):
"""
Return a token.
:param ttype: Type of token
:param prev: Previous token, if there is one to go from
:param sid: Session id
:return:
"""
if not ttype and self.type:
ttype = self.type
else:
ttype = 'A'
tmp = ''
rnd = ''
while rnd == tmp: # Don't use the same random value again
rnd = rndstr(32) # Ultimate length multiple of 16
issued_at = "{}".format(utc_time_sans_frac())
return base64.b64encode(
self.crypt.encrypt(lv_pack(rnd, ttype, sid,
issued_at).encode())).decode("utf-8")
def valid_client_info(cinfo):
eta = cinfo.get('client_secret_expires_at', 0)
if eta != 0 and eta < utc_time_sans_frac():
return False
return True
def verify(self, **kwargs):
super(IdToken, self).verify(**kwargs)
try:
if kwargs['iss'] != self['iss']:
raise IssuerMismatch(
'{} != {}'.format(kwargs['iss'], self['iss']))
except KeyError:
pass
if "aud" in self:
if "client_id" in kwargs:
# check that I'm among the recipients
if kwargs["client_id"] not in self["aud"]:
raise NotForMe(
"{} not in aud:{}".format(kwargs["client_id"],
self["aud"]), self)
# Then azp has to be present and be one of the aud values
if len(self["aud"]) > 1:
if "azp" not in self:
raise VerificationError("azp missing", self)
if self["azp"] not in self["aud"]:
raise VerificationError("Mismatch between azp and aud claims", self)
if "azp" in self:
if "client_id" in kwargs:
if kwargs["client_id"] != self["azp"]:
raise NotForMe(
"{} != azp:{}".format(kwargs["client_id"],
self["azp"]), self)
_now = time_util.utc_time_sans_frac()
try:
_skew = kwargs['skew']
except KeyError:
_skew = 0
try:
_exp = self['exp']
except KeyError:
raise MissingRequiredAttribute('exp')
else:
if (_now - _skew) > _exp:
raise EXPError('Invalid expiration time')
try:
_storage_time = kwargs['nonce_storage_time']
except KeyError:
_storage_time = NONCE_STORAGE_TIME
try:
_iat = self['iat']
except KeyError:
raise MissingRequiredAttribute('iat')
else:
if (_iat + _storage_time) < (_now - _skew):
raise IATError('Issued too long ago')
return True
def pack_init(self):
argv = {'iss': self.iss, 'iat': utc_time_sans_frac()}
argv['exp'] = argv['iat'] + self.lifetime
return argv
def is_valid(self, info):
if info['jti'] in self.db:
if info['exp'] >= utc_time_sans_frac():
return True
return False
def is_valid(self):
if utc_time_sans_frac() > self.grant_expiration_time:
return False
else:
return True
def add_code(self, resp):
try:
self.code = resp["code"]
self.grant_expiration_time = utc_time_sans_frac() + self.exp_in
except KeyError:
pass
def is_valid(self):
if self.token_expiration_time:
if utc_time_sans_frac() > self.token_expiration_time:
return False
return True