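    def validate(self,
                 now: float = None,
                 leeway: float = 0) -> None:  # noqa: C901
        """
        Overloaded implementation of the 'validate' method in the AuthLib default 'JWTClaims' class.

        Differences include:
        - removing the default 'JWT ID' claim validator (see class comments)
        - adding the custom 'Azure client application' claim validator (see class comments)
        - wrapping calls to validator methods to catch exceptions as API errors, which will be returned to the client

        When validating, options defined in __init__ will be used, i.e. allowed audience claim values etc.

        Validation fails closed: a failed claim check always ends in an exception. Normally that is the API error
        produced by the relevant 'auth_error_token_*' helper; should such a helper ever return instead of aborting
        the request, the original Authlib exception is re-raised here so a bad token can never fall through to a
        successful return.

        Note: linting tools flag this method as being too complex (complexity score 18, normal limit 10). In this case
        we are overriding a method from Authlib, so I don't think it's appropriate to deviate too much from their
        implementation, and therefore the complexity should be maintained.

        :type now: float
        :param now: current time, in the form of seconds past the Unix Epoch (defaults to the current system time,
            truncated to whole seconds)
        :type leeway: float
        :param leeway: a time delta in seconds to allow for clock skew between servers (i.e. a margin of error)

        :raises NotImplementedError: if the 'sub' claim fails validation (no API error is defined for this claim,
            so this surfaces as a server error rather than an authentication error)
        :raises MissingClaimError: re-raised if the missing-claim API error helper returns instead of aborting
        :raises InvalidClaimError: re-raised if the corresponding API error helper returns instead of aborting
        :raises InvalidTokenError: re-raised if the corresponding API error helper returns instead of aborting
        :raises ExpiredTokenError: re-raised if the expiry API error helper returns instead of aborting
        """
        try:
            self._validate_essential_claims()
        except MissingClaimError as e:
            auth_error_token_missing_claim(exception=e,
                                           claims=self.claim_details)
            raise  # fail closed: never continue if the API error helper returned rather than aborting

        # Match Authlib's default: whole seconds since the Unix Epoch.
        if now is None:
            now = int(time.time())

        try:
            self.validate_iss()
        except InvalidClaimError:
            auth_error_token_untrusted_claim_issuer()
            raise  # fail closed
        try:
            self.validate_aud()
        except InvalidClaimError:
            auth_error_token_invalid_claim_audience()
            raise  # fail closed
        try:
            self.validate_sub()
        except InvalidClaimError:
            # No API error exists for an invalid subject; 'from None' drops the Authlib context from the traceback.
            raise NotImplementedError() from None
        try:
            self.validate_iat(now, leeway)
        except (InvalidClaimError, InvalidTokenError):
            auth_error_token_invalid_claim_issued_at()
            raise  # fail closed
        try:
            self.validate_nbf(now, leeway)
        except (InvalidClaimError, InvalidTokenError):
            auth_error_token_invalid_claim_not_before()
            raise  # fail closed
        try:
            self.validate_exp(now, leeway)
        except (InvalidClaimError, ExpiredTokenError):
            auth_error_token_invalid_claim_expiry()
            raise  # fail closed
        try:
            self.validate_azp()
        except InvalidClaimError:
            auth_error_token_invalid_claim_client_application()
            raise  # fail closed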
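    def validate(self, now: float = None, leeway: float = 0) -> None:
        """
        Overloaded implementation of the 'validate' method in the AuthLib default 'JWTClaims' class.

        Differences include:
        - removing the default 'JWT ID' claim validator (see class comments)
        - adding the custom 'Azure client application' claim validator (see class comments)
        - wrapping calls to validator methods to catch exceptions as API errors, which will be returned to the client

        When validating, options defined in __init__ will be used, i.e. allowed audience claim values etc.

        A failed claim check must never fall through to a successful return. Each 'auth_error_token_*' helper is
        expected to abort the request with an API error; as a safeguard, if a helper returns instead, the original
        Authlib exception is re-raised so the token is still rejected.

        :type now: float
        :param now: current time, in the form of seconds past the Unix Epoch (defaults to the current system time,
            truncated to whole seconds)
        :type leeway: float
        :param leeway: a time delta in seconds to allow for clock skew between servers (i.e. a margin of error)

        :raises NotImplementedError: if the 'sub' claim fails validation (there is no API error for this claim)
        :raises MissingClaimError: re-raised if the missing-claim API error helper returns instead of aborting
        :raises InvalidClaimError: re-raised if the corresponding API error helper returns instead of aborting
        :raises InvalidTokenError: re-raised if the corresponding API error helper returns instead of aborting
        :raises ExpiredTokenError: re-raised if the expiry API error helper returns instead of aborting
        """
        try:
            self._validate_essential_claims()
        except MissingClaimError as e:
            auth_error_token_missing_claim(exception=e,
                                           claims=self.claim_details)
            raise  # fail closed: the helper should have aborted; if not, still reject the token

        # Whole seconds since the Unix Epoch, as Authlib's default implementation uses.
        if now is None:
            now = int(time.time())

        try:
            self.validate_iss()
        except InvalidClaimError:
            auth_error_token_untrusted_claim_issuer()
            raise  # fail closed
        try:
            self.validate_aud()
        except InvalidClaimError:
            auth_error_token_invalid_claim_audience()
            raise  # fail closed
        try:
            self.validate_sub()
        except InvalidClaimError:
            # No API error is defined for the subject claim; surface as a server-side error instead.
            raise NotImplementedError() from None
        try:
            self.validate_iat(now, leeway)
        except (InvalidClaimError, InvalidTokenError):
            auth_error_token_invalid_claim_issued_at()
            raise  # fail closed
        try:
            self.validate_nbf(now, leeway)
        except (InvalidClaimError, InvalidTokenError):
            auth_error_token_invalid_claim_not_before()
            raise  # fail closed
        try:
            self.validate_exp(now, leeway)
        except (InvalidClaimError, ExpiredTokenError):
            auth_error_token_invalid_claim_expiry()
            raise  # fail closed
        try:
            self.validate_azp()
        except InvalidClaimError:
            auth_error_token_invalid_claim_client_application()
            raise  # fail closed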
    def token_expired(self, token: AzureToken) -> bool:
        """
        Determines whether a token is still valid for authentication purposes

        I.e. whether the token has expired and no longer valid.

        This method overloads the default method in the 'BearerTokenValidator' class to make it compatible with our
        custom Token class, and to catch exceptions as API errors returned to the client.

        :type token: AzureToken
        :param token: JSON Web Token as an Azure Token object

        :rtype bool
        :return: True if the token has expired, False if ok
        """
        try:
            token.claims.validate_exp()
            return False
        except (InvalidClaimError, ExpiredTokenError):
            auth_error_token_invalid_claim_expiry()