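def get_jwks(*, request_timeout=10.0):
    """Return the auth0 jwks.

    The key set is fetched from ``https://<OIDC_DOMAIN>/.well-known/jwks.json``
    (``OIDC_DOMAIN`` is read from ``current_app.config``) and stored in
    ``cache`` for 60 seconds under ``jwks_cache_key(jwks_url)``.  Both cache
    operations run inside ``cache.suppress_failure()``, so a cache outage
    degrades to a fresh fetch instead of breaking token verification.

    Args:
        request_timeout: Value passed as ``timeout=`` to ``requests.get`` (a
            float in seconds, or a ``(connect, read)`` tuple).  Keyword-only,
            so existing ``get_jwks()`` callers are unaffected.  ``requests``
            has no default timeout; without one the ``Timeout`` handler below
            could never fire and a stalled Auth0 would hang the request.

    Returns:
        The decoded JWKS document exactly as Auth0 returned it.

    Raises:
        ProblemException: status 500 when Auth0 times out, cannot be reached,
            answers with a 4xx/5xx status, fails in any other transport way,
            or returns a body that is not valid JSON.
    """
    jwks_url = "https://{oidc_domain}/.well-known/jwks.json".format(
        oidc_domain=current_app.config["OIDC_DOMAIN"]
    )
    cache_key = jwks_cache_key(jwks_url)

    # Initialised before the suppressed block: if cache.get raises, jwks must
    # still be defined (as None) so we fall through to the network fetch.
    jwks = None
    with cache.suppress_failure():
        jwks = cache.get(cache_key)
    if jwks is not None:
        return jwks

    problem_type = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500"
    try:
        jwks_response = requests.get(jwks_url, timeout=request_timeout)
        # Without this, any 4xx/5xx body that happens to be JSON would be
        # parsed and cached as the key set for 60 s.  raise_for_status()
        # routes such responses to the HTTPError handler below.
        jwks_response.raise_for_status()
    # Order matters: ConnectTimeout is both a Timeout and a ConnectionError,
    # and every class here is a RequestException -- most specific first.
    except requests.exceptions.Timeout as exc:
        raise ProblemException(
            500,
            "Auth0 Timeout",
            "Authentication server timed out, try again later",
            type=problem_type,
        ) from exc
    except requests.exceptions.ConnectionError as exc:
        raise ProblemException(
            500,
            "Auth0 Connection Problem",
            "Can't connect to authentication server, try again later",
            type=problem_type,
        ) from exc
    except requests.exceptions.HTTPError as exc:
        raise ProblemException(
            500,
            "Auth0 Response Error",
            "Authentication server response was invalid, try again later",
            type=problem_type,
        ) from exc
    except requests.exceptions.RequestException as exc:
        raise ProblemException(
            500,
            "Auth0 Error",
            "Problem communicating with Auth0, try again later",
            type=problem_type,
        ) from exc

    try:
        jwks = jwks_response.json()
    except ValueError as exc:
        # Logged because a non-JSON body from the IdP is worth investigating,
        # not just surfacing to the caller.
        logger.error("Auth0 jwks response was not valid json")
        raise ProblemException(
            500,
            "Auth0 Response Error",
            "Authentication server response was invalid, try again later",
            type=problem_type,
        ) from exc

    # 60 s TTL bounds how long a rotated key takes to be picked up.
    with cache.suppress_failure():
        cache.set(cache_key, jwks, timeout=60)
    return jwks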
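def get_jwks(*, request_timeout=10.0):
    """Return the auth0 jwks.

    The key set is fetched from ``current_app.config['OIDC_JWKS_URL']`` and
    stored in ``cache`` for 60 seconds under ``jwks_cache_key(jwks_url)``.
    Both cache operations run inside ``cache.suppress_failure()``, so a cache
    outage degrades to a fresh fetch instead of breaking token verification.

    Args:
        request_timeout: Value passed as ``timeout=`` to ``requests.get`` (a
            float in seconds, or a ``(connect, read)`` tuple).  Keyword-only,
            so existing ``get_jwks()`` callers are unaffected.  ``requests``
            has no default timeout; without one the ``Timeout`` handler below
            could never fire and a stalled Auth0 would hang the request.

    Returns:
        The decoded JWKS document exactly as Auth0 returned it.

    Raises:
        ProblemException: status 500 when Auth0 times out, cannot be reached,
            answers with a 4xx/5xx status, fails in any other transport way,
            or returns a body that is not valid JSON.
    """
    jwks_url = current_app.config['OIDC_JWKS_URL']
    cache_key = jwks_cache_key(jwks_url)

    # Initialised before the suppressed block: if cache.get raises, jwks must
    # still be defined (as None) so we fall through to the network fetch.
    jwks = None
    with cache.suppress_failure():
        jwks = cache.get(cache_key)
    if jwks is not None:
        return jwks

    problem_type = 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
    try:
        jwks_response = requests.get(jwks_url, timeout=request_timeout)
        # Without this, any 4xx/5xx body that happens to be JSON would be
        # parsed and cached as the key set for 60 s.  raise_for_status()
        # routes such responses to the HTTPError handler below.
        jwks_response.raise_for_status()
    # Order matters: ConnectTimeout is both a Timeout and a ConnectionError,
    # and every class here is a RequestException -- most specific first.
    except requests.exceptions.Timeout as exc:
        raise ProblemException(
            500, 'Auth0 Timeout',
            'Authentication server timed out, try again later',
            type=problem_type
        ) from exc  # yapf: disable
    except requests.exceptions.ConnectionError as exc:
        raise ProblemException(
            500, 'Auth0 Connection Problem',
            'Can\'t connect to authentication server, try again later',
            type=problem_type
        ) from exc  # yapf: disable
    except requests.exceptions.HTTPError as exc:
        raise ProblemException(
            500, 'Auth0 Response Error',
            'Authentication server response was invalid, try again later',
            type=problem_type
        ) from exc  # yapf: disable
    except requests.exceptions.RequestException as exc:
        raise ProblemException(
            500, 'Auth0 Error',
            'Problem communicating with Auth0, try again later',
            type=problem_type
        ) from exc  # yapf: disable

    try:
        jwks = jwks_response.json()
    except ValueError as exc:
        # Logged because a non-JSON body from the IdP is worth investigating,
        # not just surfacing to the caller.
        logger.error('Auth0 jwks response was not valid json')
        raise ProblemException(
            500, 'Auth0 Response Error',
            'Authentication server response was invalid, try again later',
            type=problem_type
        ) from exc  # yapf: disable

    # 60 s TTL bounds how long a rotated key takes to be picked up.
    with cache.suppress_failure():
        cache.set(cache_key, jwks, timeout=60)
    return jwks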
def get_auth0_userinfo(access_token, user_sub):
    """Return userinfo data from auth0.

    The result is looked up in ``cache`` first, keyed by
    ``userinfo_cache_key(access_token, user_sub)``.  On a miss the function
    calls ``fetch_auth0_userinfo(access_token)``, checks the HTTP status,
    decodes the JSON body and caches it for 60 seconds.  Both cache
    operations run inside ``cache.suppress_failure()``.

    A cache hit returns without contacting Auth0, so anything that changes
    there (including the token no longer being accepted) is not observed for
    up to 60 s.

    Args:
        access_token: Bearer token handed to ``fetch_auth0_userinfo``.
        user_sub: Subject identifier; only used here to build the cache key.

    Returns:
        The decoded userinfo JSON document.

    Raises:
        ProblemException: 500 for transport errors or a non-JSON body; 429
            when Auth0 rate-limits us (also logged); 401 when Auth0 answers
            401; 403 for any other non-200 status.
    """
    status_url = "https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/{}"

    def problem(status, title, detail):
        # Every branch below uses the MDN page for its own status code as the
        # problem ``type``, so derive the URL from the status.
        return ProblemException(status, title, detail, type=status_url.format(status))

    cache_key = userinfo_cache_key(access_token, user_sub)
    cached = None
    with cache.suppress_failure():
        cached = cache.get(cache_key)
    if cached is not None:
        return cached

    # (exception class, title, detail) -- most specific first, in the order
    # the handlers are meant to match (ConnectTimeout is both a Timeout and a
    # ConnectionError; everything here is a RequestException).
    transport_failures = (
        (requests.exceptions.Timeout, "Auth0 Timeout",
         "Authentication server timed out, try again later"),
        (requests.exceptions.ConnectionError, "Auth0 Connection Problem",
         "Can't connect to authentication server, try again later"),
        (requests.exceptions.HTTPError, "Auth0 Response Error",
         "Authentication server response was invalid, try again later"),
        (requests.exceptions.RequestException, "Auth0 Error",
         "Problem communicating with Auth0, try again later"),
    )
    try:
        resp = fetch_auth0_userinfo(access_token)
    except requests.exceptions.RequestException as exc:
        for exc_type, title, detail in transport_failures:
            if isinstance(exc, exc_type):
                raise problem(500, title, detail)
        raise  # unreachable: RequestException is the last entry above

    # Whether fetch_auth0_userinfo raises HTTPError itself is not visible
    # here; the explicit status checks suggest it does not.
    if resp.status_code == 429:
        # We should hopefully never hit this in production, so log an error
        # to make sure we investigate.
        logger.error("Auth0 Rate limit hit when requesting userinfo")
        raise problem(
            429, "Auth0 Rate Limit",
            "Authentication rate limit hit, please wait before retrying",
        )
    if resp.status_code == 401:
        raise problem(
            401, "Auth0 Userinfo Unauthorized",
            "Unauthorized to access userinfo, check openid scope",
        )
    if resp.status_code != 200:
        raise problem(
            403, "Authorization Failure",
            "You do not have permission to access this resource",
        )

    try:
        userinfo = resp.json()
    except ValueError:
        logger.error("Auth0 userinfo response was not valid json")
        raise problem(
            500, "Auth0 Response Error",
            "Authentication server response was invalid, try again later",
        )

    with cache.suppress_failure():
        cache.set(cache_key, userinfo, timeout=60)
    return userinfo
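def get_auth0_userinfo(access_token, user_sub):
    """Return userinfo data from auth0.

    The result is looked up in ``cache`` first, keyed by
    ``userinfo_cache_key(access_token, user_sub)``.  On a miss the function
    calls ``fetch_auth0_userinfo(access_token)``, checks the HTTP status,
    decodes the JSON body and caches it for 60 seconds.  Both cache
    operations run inside ``cache.suppress_failure()`` so that, as in
    ``get_jwks``, a cache backend failure degrades to an uncached fetch
    instead of surfacing as an unhandled error on every authenticated request.

    A cache hit returns without contacting Auth0, so anything that changes
    there (including the token no longer being accepted) is not observed for
    up to 60 s.

    Args:
        access_token: Bearer token handed to ``fetch_auth0_userinfo``.
        user_sub: Subject identifier; only used here to build the cache key.

    Returns:
        The decoded userinfo JSON document.

    Raises:
        ProblemException: 500 for transport errors or a non-JSON body; 429
            when Auth0 rate-limits us (also logged); 401 when Auth0 answers
            401; 403 for any other non-200 status.
    """
    cache_key = userinfo_cache_key(access_token, user_sub)

    # Initialised before the suppressed block: if cache.get raises, userinfo
    # must still be defined (as None) so we fall through to the fetch.
    userinfo = None
    with cache.suppress_failure():
        userinfo = cache.get(cache_key)
    if userinfo is not None:
        return userinfo

    problem_type_500 = 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500'
    try:
        resp = fetch_auth0_userinfo(access_token)
    # Order matters: ConnectTimeout is both a Timeout and a ConnectionError,
    # and every class here is a RequestException -- most specific first.
    except requests.exceptions.Timeout as exc:
        raise ProblemException(
            500, 'Auth0 Timeout',
            'Authentication server timed out, try again later',
            type=problem_type_500
        ) from exc  # yapf: disable
    except requests.exceptions.ConnectionError as exc:
        raise ProblemException(
            500, 'Auth0 Connection Problem',
            'Can\'t connect to authentication server, try again later',
            type=problem_type_500
        ) from exc  # yapf: disable
    except requests.exceptions.HTTPError as exc:
        raise ProblemException(
            500, 'Auth0 Response Error',
            'Authentication server response was invalid, try again later',
            type=problem_type_500
        ) from exc  # yapf: disable
    except requests.exceptions.RequestException as exc:
        raise ProblemException(
            500, 'Auth0 Error',
            'Problem communicating with Auth0, try again later',
            type=problem_type_500
        ) from exc  # yapf: disable

    # Whether fetch_auth0_userinfo raises HTTPError itself is not visible
    # here; the explicit status checks suggest it does not.
    if resp.status_code == 429:
        # We should hopefully never hit this in production, so log an error
        # to make sure we investigate.
        logger.error({'msg': 'Auth0 Rate limit hit when requesting userinfo'}, 'auth0.rate_limited')
        raise ProblemException(
            429, 'Auth0 Rate Limit',
            'Authentication rate limit hit, please wait before retrying',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429'
        )  # yapf: disable
    if resp.status_code == 401:
        raise ProblemException(
            401, 'Auth0 Userinfo Unauthorized',
            'Unauthorized to access userinfo, check openid scope',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401'
        )  # yapf: disable
    if resp.status_code != 200:
        raise ProblemException(
            403, 'Authorization Failure',
            'You do not have permission to access this resource',
            type='https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403'
        )  # yapf: disable

    try:
        userinfo = resp.json()
    except ValueError as exc:
        logger.error({'msg': 'Auth0 userinfo response was not valid json.'}, 'auth0.error')
        raise ProblemException(
            500, 'Auth0 Response Error',
            'Authentication server response was invalid, try again later',
            type=problem_type_500
        ) from exc  # yapf: disable

    with cache.suppress_failure():
        cache.set(cache_key, userinfo, timeout=60)
    return userinfo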