def test_decode_id_token(monkeypatch, bearer_auth): """Test that id_token-decoding logic works""" error_msg = "test error text" monkeypatch.setattr( "jose.jwt.decode", make_raiser(jwt.ExpiredSignatureError(error_msg)) ) with pytest.raises(Unauthorized, match=error_msg) as e: bearer_auth.decode_id_token(TOKEN, PUBLIC_KEY) monkeypatch.setattr("jose.jwt.decode", make_raiser(jwt.JWTClaimsError(error_msg))) with pytest.raises(Unauthorized, match=error_msg): bearer_auth.decode_id_token(TOKEN, PUBLIC_KEY) monkeypatch.setattr("jose.jwt.decode", make_raiser(jwt.JWTError(error_msg))) with pytest.raises(Unauthorized, match=error_msg): bearer_auth.decode_id_token(TOKEN, PUBLIC_KEY) def no_email(*args, **kwargs): return {} monkeypatch.setattr("jose.jwt.decode", no_email) with pytest.raises(Unauthorized): bearer_auth.decode_id_token(TOKEN, PUBLIC_KEY) def correct_email(*args, **kwargs): return PAYLOAD monkeypatch.setattr("jose.jwt.decode", correct_email) assert bearer_auth.decode_id_token(TOKEN, PUBLIC_KEY) == PAYLOAD
def decorated(*args, **kwargs): token = get_bearer_token() if not token: return jsonify({'message': 'Token is missing!'}), 401 try: data = jwt.decode(token, current_app.config['SECRET_KEY']) current_user = User.objects(public_id=data['public_id']).first() if current_user is None: raise jwt.JWTError() except jwt.JWTError as e: return jsonify({ 'message': 'Token is invalid!', 'error': str(e) }), 401 return f(current_user, *args, **kwargs)
def process_response(self, response, *args, **kwargs): jwttoken = request.cookies.get('jwt', None) if jwttoken is not None: try: public_key = get_jwt_public_key() jwt_decoded = jwt.get_unverified_claims( jwttoken) if public_key is '' else jwt.decode( jwttoken, public_key) iat = jwt_decoded['iat'] exp = jwt_decoded['exp'] now = time.time() if iat + 1200 < now <= exp: email = jwt_decoded.get('email', None) resp = requests.post( settings.REMOTE_JWT_REFRESH_PROVIDER, headers={ 'Authorization': 'Bearer ' + jwttoken }, data={'email': email}) if resp.status_code < 300 and resp.data.get( 'jwt', None) is not None: response.set_cookie('jwt', resp.data['jwt'], secure=True, httponly=True) elif resp.status_code == 401: raise jwt.JWTError( 'The authentication refresh service has denied a refresh, a login is likely in order.' ) elif now > exp: raise jwt.JWTClaimsError( 'The asserted expiration claim has passed.') except (jwt.ExpiredSignatureError, jwt.JWTClaimsError, jwt.JWTError) as e: return redirect( settings.REMOTE_JWT_EXPIRED_ENDPOINT + urllib.quote_plus(request.referrer or settings.ROOT_UI_URL)) return super(JwtFlask, self).process_response(response, *args, **kwargs)
def decode_token(self, token): url = f'https://{self.domain}/.well-known/jwks.json' resp = requests.get(url) jwks = resp.json() try: unverified_header = jwt.get_unverified_header(token) if unverified_header['alg'] == 'HS256': raise jwt.JWTError() except jwt.JWTError: return custom_response(401, 'Use an RS256 signed JWT Access Token.') rsa_key = {} for key in jwks['keys']: if key['kid'] == unverified_header['kid']: rsa_key = { 'kty': key['kty'], 'kid': key['kid'], 'use': key['use'], 'n': key['n'], 'e': key['e'] } try: payload = jwt.decode(token, rsa_key, algorithms=algorithms, audience=client_id, issuer=f'https://{self.domain}/') except jwt.ExpiredSignatureError: return custom_response(401, 'Token expired.') except jwt.JWTClaimsError: return custom_response(401, 'Invalid Claims') else: return payload
def decorated(*args, **kwargs): token = get_token_auth_header() jsonurl = urlopen('https://' + AUTH0_DOMAIN + '/.well-known/jwks.json') jwks = json.loads(jsonurl.read()) try: unverified_header = jwt.get_unverified_header(token) if unverified_header['alg'] == 'HS256': raise jwt.JWTError() except jwt.JWTError: raise AuthError( { 'code': 'invalid_header', 'description': 'Invalid header. Use an RS256 signed JWT Access Token' }, 401) rsa_key = {} for key in jwks['keys']: if key['kid'] == unverified_header['kid']: rsa_key = { 'kty': key['kty'], 'kid': key['kid'], 'use': key['use'], 'n': key['n'], 'e': key['e'] } if rsa_key: try: payload = jwt.decode(token, rsa_key, algorithms=ALGORITHMS, audience=AUTH0_AUDIENCE, issuer='https://' + AUTH0_DOMAIN + '/') except jwt.ExpiredSignatureError: raise AuthError( { 'code': 'token_expired', 'description': 'token is expired' }, 401) except jwt.JWTClaimsError: raise AuthError( { 'code': 'invalid_claims', 'description': ('incorrect claims, please check the ' 'audience and issuer') }, 401) except Exception: raise AuthError( { 'code': 'invalid_header', 'description': 'Unable to parse authentication token.' }, 401) _request_ctx_stack.top.current_user = payload return f(*args, **kwargs) raise AuthError( { 'code': 'invalid_header', 'description': 'UNable to find appropriate key' }, 401)
def get_unverified_header_error(token): raise jwt.JWTError(error_str)