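def get_service_jwt(service_credentials, group: typing.Optional[str] = None, email=True, email_claim=False, audience=None):
    """Mint a short-lived (1 hour) RS256 JWT signed with a service account's private key.

    Args:
        service_credentials: mapping providing ``client_email``, ``private_key`` and
            ``private_key_id`` (looks like a service-account JSON; only those three
            keys are read here).
        group: optional value written under the claim name returned by
            ``Config.get_OIDC_group_claim()``. Nothing here validates it -- the caller
            is asserting group membership on the service's behalf, so only trusted
            code paths should set it.
        email: when true, also place ``client_email`` in the standard ``email`` claim.
        email_claim: when true, also place ``client_email`` under the claim name
            returned by ``Config.get_OIDC_email_claim()``.
        audience: ``aud`` claim; falls back to ``Config.get_audience()`` when falsy.

    Returns:
        The compact-serialized JWT as ``str``.

    Raises:
        KeyError: if one of the required keys is missing from ``service_credentials``.
    """
    # Integer NumericDate values: some verifiers reject fractional iat/exp.
    issued_at = int(time.time())
    expires_at = issued_at + 3600
    subject = service_credentials["client_email"]
    payload = {
        'iss': subject,
        'sub': subject,
        'aud': audience or Config.get_audience(),
        'iat': issued_at,
        'exp': expires_at,
        'scope': ['email', 'openid', 'offline_access'],
    }
    if group:
        payload[Config.get_OIDC_group_claim()] = group
    if email:
        payload['email'] = subject
    if email_claim:
        payload[Config.get_OIDC_email_claim()] = subject
    # 'kid' lets the verifier select the matching public key for this private key.
    headers = {'kid': service_credentials["private_key_id"]}
    signed_jwt = jwt.encode(payload, service_credentials["private_key"], headers=headers, algorithm='RS256')
    # PyJWT < 2 returns bytes, >= 2 returns str; an unconditional .decode() breaks on
    # the newer library, so normalise instead.
    if isinstance(signed_jwt, bytes):
        signed_jwt = signed_jwt.decode()
    return signed_jwt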
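def assert_authorized_group(group: typing.List[str], token: dict) -> None:
    """Require that the decoded *token* carries one of the authorized group values.

    Args:
        group: the collection of allowed group names. Despite the singular name this
            is a list; a bare ``str`` is wrapped into a one-element list so that
            ``in`` performs exact membership rather than substring matching.
        token: decoded JWT claims as a dict (signature verification is assumed to
            have happened before this point -- nothing here checks it).

    Raises:
        DSSForbiddenException: if the claim named by ``Config.get_OIDC_group_claim()``
            is absent from *token* or its value is not one of *group*.
    """
    if isinstance(group, str):
        # With a str, 'admin' in 'superadmins' would be True and a missing claim
        # (None) would raise TypeError instead of being denied.
        group = [group]
    claim_name = Config.get_OIDC_group_claim()
    claim_value = token.get(claim_name)
    if claim_value in group:
        return
    # Log only the decision inputs; the full claim set carries identity data (e.g. email).
    logger.info("User not in authorized group: allowed=%s, %s=%s, sub=%s",
                group, claim_name, claim_value, token.get('sub'))
    raise DSSForbiddenException()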