def verify(self, **kwargs): """Authorization Request parameters that are OPTIONAL in the OAuth 2.0 specification MAY be included in the OpenID Request Object without also passing them as OAuth 2.0 Authorization Request parameters, with one exception: The scope parameter MUST always be present in OAuth 2.0 Authorization Request parameters. All parameter values that are present both in the OAuth 2.0 Authorization Request and in the OpenID Request Object MUST exactly match.""" super(AuthorizationRequest, self).verify(**kwargs) args = {} for arg in ["key", "keyjar", "opponent_id", "sender"]: try: args[arg] = kwargs[arg] except KeyError: pass if "opponent_id" not in kwargs: args["opponent_id"] = self["client_id"] if "request" in self: if isinstance(self["request"], six.string_types): # Try to decode the JWT, checks the signature oidr = OpenIDRequest().from_jwt(str(self["request"]), **args) # verify that nothing is change in the original message for key, val in oidr.items(): if key in self: assert self[key] == val # replace the JWT with the parsed and verified instance self["request"] = oidr if "id_token_hint" in self: if isinstance(self["id_token_hint"], six.string_types): idt = IdToken().from_jwt(str(self["id_token_hint"]), **args) self["id_token_hint"] = idt if "response_type" not in self: raise MissingRequiredAttribute("response_type missing", self) _rt = self["response_type"] if "token" in _rt or "id_token" in _rt: if "nonce" not in self: raise MissingRequiredAttribute("Nonce missing", self) if "openid" not in self.get("scope", []): raise MissingRequiredValue("openid not in scope", self) if "offline_access" in self.get("scope", []): if "prompt" not in self or "consent" not in self["prompt"]: raise MissingRequiredValue("consent in prompt", self) if "prompt" in self: if "none" in self["prompt"] and len(self["prompt"]) > 1: raise InvalidRequest("prompt none combined with other value", self) return True
def verify(self, **kwargs): super(IdToken, self).verify(**kwargs) if "aud" in self: if "client_id" in kwargs: # check that I'm among the recipients if kwargs["client_id"] not in self["aud"]: raise NotForMe( "{} not in aud:{}".format(kwargs["client_id"], self["aud"]), self) # Then azp has to be present and be one of the aud values if len(self["aud"]) > 1: try: assert "azp" in self except AssertionError: raise VerificationError("azp missing", self) else: try: assert self["azp"] in self["aud"] except AssertionError: raise VerificationError( "Mismatch between azp and aud claims", self) if "azp" in self: if "client_id" in kwargs: if kwargs["client_id"] != self["azp"]: raise NotForMe( "{} != azp:{}".format(kwargs["client_id"], self["azp"]), self) _now = time_util.utc_time_sans_frac() try: _skew = kwargs['skew'] except KeyError: _skew = 0 try: _exp = self['exp'] except KeyError: raise MissingRequiredAttribute('exp') else: if (_now - _skew) > _exp: raise EXPError('Invalid expiration time') try: _storage_time = kwargs['nonce_storage_time'] except KeyError: _storage_time = NONCE_STORAGE_TIME try: _iat = self['iat'] except KeyError: raise MissingRequiredAttribute('iat') else: if (_iat + _storage_time) < (_now - _skew): raise IATError('Issued too long ago') return True
def verify_id_token(instance, check_hash=False, **kwargs): # Try to decode the JWT, checks the signature args = {} for arg in TOKEN_VERIFY_ARGS: try: args[arg] = kwargs[arg] except KeyError: pass _jws = str(instance["id_token"]) # It can be encrypted, so try to decrypt first _jwe = JWE_factory(_jws) if _jwe is not None: try: _jws = _jwe.decrypt(keys=kwargs["keyjar"].get_decrypt_key()) except JWEException as err: raise VerificationError("Could not decrypt id_token", err) _packer = JWT() _body = _packer.unpack(_jws).payload() if "keyjar" in kwargs: try: if _body["iss"] not in kwargs["keyjar"]: raise ValueError("Unknown issuer") except KeyError: raise MissingRequiredAttribute("iss") if _jwe is not None: # Use the original encrypted token to set correct headers idt = IdToken().from_jwt(str(instance["id_token"]), **args) else: idt = IdToken().from_jwt(_jws, **args) if not idt.verify(**kwargs): raise VerificationError("Could not verify id_token", idt) if check_hash: _alg = idt.jws_header["alg"] if _alg != "none": hfunc = "HS" + _alg[-3:] else: # This is allowed only for `code` and it needs to be checked by a Client hfunc = None if "access_token" in instance and hfunc is not None: if "at_hash" not in idt: raise MissingRequiredAttribute("Missing at_hash property", idt) if idt["at_hash"] != jws.left_hash(instance["access_token"], hfunc): raise AtHashError("Failed to verify access_token hash", idt) if "code" in instance and hfunc is not None: if "c_hash" not in idt: raise MissingRequiredAttribute("Missing c_hash property", idt) if idt["c_hash"] != jws.left_hash(instance["code"], hfunc): raise CHashError("Failed to verify code hash", idt) return idt
def verify_id_token(instance, check_hash=False, **kwargs): # Try to decode the JWT, checks the signature args = {} for arg in ["key", "keyjar", "algs", "sender"]: try: args[arg] = kwargs[arg] except KeyError: pass _jws = str(instance["id_token"]) # It can be encrypted, so try to decrypt first _jwe = JWE_factory(_jws) if _jwe is not None: try: _jws = _jwe.decrypt(keys=kwargs['keyjar'].get_decrypt_key()) except JWEException as err: raise VerificationError("Could not decrypt id_token", err) _packer = JWT() _body = _packer.unpack(_jws).payload() if 'keyjar' in kwargs: try: if _body['iss'] not in kwargs['keyjar']: raise ValueError('Unknown issuer') except KeyError: raise MissingRequiredAttribute('iss') if _jwe is not None: # Use the original encrypted token to set correct headers idt = IdToken().from_jwt(str(instance['id_token']), **args) else: idt = IdToken().from_jwt(_jws, **args) if not idt.verify(**kwargs): raise VerificationError("Could not verify id_token", idt) if check_hash: _alg = idt.jws_header["alg"] # What if _alg == 'none' hfunc = "HS" + _alg[-3:] if "access_token" in instance: if "at_hash" not in idt: raise MissingRequiredAttribute("Missing at_hash property", idt) if idt["at_hash"] != jws.left_hash(instance["access_token"], hfunc): raise AtHashError("Failed to verify access_token hash", idt) if "code" in instance: if "c_hash" not in idt: raise MissingRequiredAttribute("Missing c_hash property", idt) if idt["c_hash"] != jws.left_hash(instance["code"], hfunc): raise CHashError("Failed to verify code hash", idt) return idt
def verify(self, **kwargs): super(AuthorizationResponse, self).verify(**kwargs) if "aud" in self: if "client_id" in kwargs: # check that it's for me if kwargs["client_id"] not in self["aud"]: return False if "id_token" in self: # Try to decode the JWT, checks the signature args = {} for arg in ["key", "keyjar", "algs", "sender"]: try: args[arg] = kwargs[arg] except KeyError: pass idt = IdToken().from_jwt(str(self["id_token"]), **args) if not idt.verify(**kwargs): raise VerificationError("Could not verify id_token", idt) _alg = idt.jws_header["alg"] # What if _alg == 'none' hfunc = "HS" + _alg[-3:] if "access_token" in self: try: assert "at_hash" in idt except AssertionError: raise MissingRequiredAttribute("Missing at_hash property", idt) try: assert idt["at_hash"] == jws.left_hash( self["access_token"], hfunc) except AssertionError: raise AtHashError("Failed to verify access_token hash", idt) if "code" in self: try: assert "c_hash" in idt except AssertionError: raise MissingRequiredAttribute("Missing c_hash property", idt) try: assert idt["c_hash"] == jws.left_hash(self["code"], hfunc) except AssertionError: raise CHashError("Failed to verify code hash", idt) self["id_token"] = idt return True
def federated_client_registration_request(self, **kwargs): """ Constructs a client registration request to be used by a client in a federation. :param kwargs: A set of claims that should be part of the registration. :return: A :py:class:`ClientMetadataStatement` """ req = ClientMetadataStatement() try: req['redirect_uris'] = kwargs['redirect_uris'] except KeyError: try: req["redirect_uris"] = self.redirect_uris except AttributeError: raise MissingRequiredAttribute("redirect_uris", kwargs) else: del kwargs['redirect_uris'] req.update(kwargs) if self.federation: return self.federation_entity.update_request( req, federation=self.federation) elif self.provider_federations: return self.federation_entity.update_request( req, loes=self.provider_federations)
def verify(self, **kwargs): super(ProviderConfigurationResponse, self).verify(**kwargs) if "scopes_supported" in self: assert "openid" in self["scopes_supported"] for scope in self["scopes_supported"]: check_char_set(scope, SCOPE_CHARSET) parts = urlparse(self["issuer"]) if parts.scheme != "https": raise SchemeError("Not HTTPS") assert not parts.query and not parts.fragment if any("code" in rt for rt in self["response_types_supported"] ) and "token_endpoint" not in self: raise MissingRequiredAttribute("token_endpoint") return True
def verify(self, **kwargs): super().verify(**kwargs) if "scopes_supported" in self: if "openid" not in self["scopes_supported"]: raise AssertionError() for scope in self["scopes_supported"]: check_char_set(scope, SCOPE_CHARSET) parts = urlparse(self["issuer"]) if parts.scheme != "https": raise SchemeError("Not HTTPS") if parts.query or parts.fragment: raise AssertionError() if (any("code" in rt for rt in self["response_types_supported"]) and "token_endpoint" not in self): raise MissingRequiredAttribute("token_endpoint") return True
def verify(self, **kwargs): super(IdToken, self).verify(**kwargs) try: if kwargs["iss"] != self["iss"]: raise IssuerMismatch("{} != {}".format(kwargs["iss"], self["iss"])) except KeyError: pass if "aud" in self: if "client_id" in kwargs: # check that I'm among the recipients if kwargs["client_id"] not in self["aud"]: raise NotForMe( "{} not in aud:{}".format(kwargs["client_id"], self["aud"]), self, ) # Then azp has to be present and be one of the aud values if len(self["aud"]) > 1: if "azp" not in self: raise VerificationError("azp missing", self) if self["azp"] not in self["aud"]: raise VerificationError( "Mismatch between azp and aud claims", self) if "azp" in self: if "client_id" in kwargs: if kwargs["client_id"] != self["azp"]: raise NotForMe( "{} != azp:{}".format(kwargs["client_id"], self["azp"]), self) _now = time_util.utc_time_sans_frac() try: _skew = kwargs["skew"] except KeyError: _skew = 0 try: _exp = self["exp"] except KeyError: raise MissingRequiredAttribute("exp") else: if (_now - _skew) > _exp: raise EXPError("Invalid expiration time") try: _storage_time = kwargs["nonce_storage_time"] except KeyError: _storage_time = NONCE_STORAGE_TIME try: _iat = self["iat"] except KeyError: raise MissingRequiredAttribute("iat") else: if (_iat + _storage_time) < (_now - _skew): raise IATError("Issued too long ago") if _now < (_iat - _skew): raise IATError("Issued in the future") if _exp < _iat: raise EXPError("Invalid expiration time") return True