def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
    """Build and sign a client-authentication JWT (a client assertion).

    ``iss`` and ``sub`` are both the client's own id, ``aud`` is the given
    audience, ``jti`` is a fresh random id and ``iat``/``exp`` bracket a
    window of ``lifetime`` seconds starting now.

    :param cli: Client object; only ``cli.client_id`` is read.
    :param keys: Signing key(s) forwarded to ``AuthnToken.to_jwt``.
    :param audience: Value of the ``aud`` claim.
    :param algorithm: JWS algorithm name forwarded to ``to_jwt``.
    :param lifetime: Seconds until the assertion expires (default 600).
    :return: The serialized, signed JWT.
    """
    issued_at = utc_time_sans_frac()
    claims = {
        "iss": cli.client_id,
        "sub": cli.client_id,
        "aud": audience,
        # Random per-token id so the receiver can detect a replayed assertion.
        "jti": rndstr(32),
        "exp": issued_at + lifetime,
        "iat": issued_at,
    }
    token = AuthnToken(**claims)
    return token.to_jwt(key=keys, algorithm=algorithm)
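def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
    """Build and sign a client-authentication JWT (a client assertion).

    ``iss`` and ``sub`` are both the client's own id, ``aud`` is the given
    audience, ``jti`` is a fresh random id and ``iat``/``exp`` bracket a
    window of ``lifetime`` seconds starting now.

    :param cli: Client object; only ``cli.client_id`` is read.
    :param keys: Signing key(s) forwarded to ``AuthnToken.to_jwt``.
    :param audience: Value of the ``aud`` claim.
    :param algorithm: JWS algorithm name forwarded to ``to_jwt``.
    :param lifetime: Seconds until the assertion expires. Was hard-coded to
        600; the default preserves that behaviour.
    :return: The serialized, signed JWT.
    """
    _now = utc_now()
    at = AuthnToken(
        iss=cli.client_id,
        sub=cli.client_id,
        aud=audience,
        # 32 random chars (matching the other assertion_jwt variants) gives
        # the replay-detection id far more entropy than the former 8.
        jti=rndstr(32),
        exp=_now + lifetime,
        iat=_now,
    )
    return at.to_jwt(key=keys, algorithm=algorithm)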
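def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
    """Build and sign a client-authentication JWT (a client assertion).

    ``iss`` and ``sub`` are both the client's own id, ``aud`` is the given
    audience, ``jti`` is a fresh random id and ``iat``/``exp`` bracket a
    window of ``lifetime`` seconds starting now. The claim set is logged at
    DEBUG before signing.

    :param cli: Client object; only ``cli.client_id`` is read.
    :param keys: Signing key(s) forwarded to ``AuthnToken.to_jwt``.
    :param audience: Value of the ``aud`` claim.
    :param algorithm: JWS algorithm name forwarded to ``to_jwt``.
    :param lifetime: Seconds until the assertion expires (default 600).
    :return: The serialized, signed JWT.
    """
    _now = utc_time_sans_frac()
    at = AuthnToken(
        iss=cli.client_id,
        sub=cli.client_id,
        aud=audience,
        # Random per-token id so the receiver can detect a replayed assertion.
        jti=rndstr(32),
        exp=_now + lifetime,
        iat=_now,
    )
    # Lazy %-style arguments: the message is only formatted if DEBUG is on.
    logger.debug("AuthnToken: %s", at.to_dict())
    return at.to_jwt(key=keys, algorithm=algorithm)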
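def assertion_jwt(cli, keys, audience, algorithm, lifetime=600):
    """Build and sign a client-authentication JWT (a client assertion).

    ``iss`` and ``sub`` are both the client's own id, ``aud`` is the given
    audience, ``jti`` is a fresh random id and ``iat``/``exp`` bracket a
    window of ``lifetime`` seconds starting now. The claim set is logged at
    DEBUG before signing.

    :param cli: Client object; only ``cli.client_id`` is read.
    :param keys: Signing key(s) forwarded to ``AuthnToken.to_jwt``.
    :param audience: Value of the ``aud`` claim.
    :param algorithm: JWS algorithm name forwarded to ``to_jwt``.
    :param lifetime: Seconds until the assertion expires (default 600).
    :return: The serialized, signed JWT.
    """
    _now = utc_time_sans_frac()
    at = AuthnToken(
        iss=cli.client_id,
        sub=cli.client_id,
        aud=audience,
        # Random per-token id so the receiver can detect a replayed assertion.
        jti=rndstr(32),
        exp=_now + lifetime,
        iat=_now,
    )
    # Lazy %-style arguments: the message is only formatted if DEBUG is on.
    logger.debug("AuthnToken: %s", at.to_dict())
    return at.to_jwt(key=keys, algorithm=algorithm)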
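def verify(self, areq, **kwargs):
    """Authenticate a client from the ``client_assertion`` in *areq*.

    The assertion is parsed and signature-checked by ``AuthnToken.from_jwt``
    against ``self.cli.keyjar`` (scoped to ``areq['client_id']`` as the
    sender when present). The resulting client id must be registered in
    ``self.cli.cdb`` and at least one ``aud`` value must start with
    ``self.cli.baseurl``.

    :param areq: Request message; ``client_assertion`` is read, as is
        ``client_id`` when present. The parsed token is stored back under
        ``parsed_client_assertion``.
    :param kwargs: ``client_id`` overrides the id otherwise taken from the
        token's ``iss`` claim.
    :return: ``(client_id, authn_method)`` with *authn_method* being
        ``'client_secret_jwt'`` for a symmetric ('oct') signing key and
        ``'private_key_jwt'`` otherwise.
    :raises AuthnFailure: the assertion cannot be parsed/verified or the
        client id is not in ``self.cli.cdb``.
    :raises NotForMe: no audience value matches this server.
    """
    try:
        try:
            argv = {'sender': areq['client_id']}
        except KeyError:
            argv = {}
        bjwt = AuthnToken().from_jwt(areq["client_assertion"],
                                     keyjar=self.cli.keyjar, **argv)
    except (Invalid, MissingKey) as err:
        logger.info("%s", sanitize(err))
        raise AuthnFailure("Could not verify client_assertion.")

    logger.debug("authntoken: %s", sanitize(bjwt.to_dict()))
    areq['parsed_client_assertion'] = bjwt

    try:
        cid = kwargs["client_id"]
    except KeyError:
        cid = bjwt["iss"]

    # Explicit check instead of ``assert``: the assert was stripped under
    # ``python -O`` and, when it did fire, raised AssertionError rather than
    # the KeyError the old handler caught, so an unknown client escaped as an
    # unhandled exception instead of an authentication failure.
    # NOTE(review): when cid comes from kwargs it is not compared with the
    # token's iss/sub here; from_jwt's ``sender`` may cover that -- confirm.
    if str(cid) not in self.cli.cdb:
        raise AuthnFailure("Unknown client id")

    # aud can be a string or a list
    _aud = bjwt["aud"]
    logger.debug("audience: %s, baseurl: %s", _aud, self.cli.baseurl)

    # figure out authn method: an 'oct' key type means the shared client
    # secret signed the assertion
    if alg2keytype(bjwt.jws_header['alg']) == 'oct':
        authn_method = 'client_secret_jwt'
    else:
        authn_method = 'private_key_jwt'

    # NOTE(review): prefix matching accepts any audience that merely starts
    # with baseurl (e.g. a different host sharing the prefix when baseurl
    # has no trailing slash); an exact match against the expected endpoint
    # would be stricter -- confirm what callers rely on before tightening.
    if isinstance(_aud, six.string_types):
        targets = [str(_aud)]
    else:
        targets = _aud
    if not any(target.startswith(self.cli.baseurl) for target in targets):
        raise NotForMe("Not for me!")

    return cid, authn_method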
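def verify(self, areq, **kwargs):
    """Authenticate a client from the ``client_assertion`` in *areq*.

    The assertion is parsed and signature-checked by ``AuthnToken.from_jwt``
    against ``self.cli.keyjar`` (scoped to ``areq['client_id']`` as the
    sender when present). The resulting client id must be registered in
    ``self.cli.cdb`` and at least one ``aud`` value must start with
    ``self.cli.baseurl``.

    :param areq: Request message; ``client_assertion`` is read, as is
        ``client_id`` when present. The parsed token is stored back under
        ``parsed_client_assertion``.
    :param kwargs: ``client_id`` overrides the id otherwise taken from the
        token's ``iss`` claim.
    :return: ``(client_id, authn_method)`` with *authn_method* being
        ``'client_secret_jwt'`` for a symmetric ('oct') signing key and
        ``'private_key_jwt'`` otherwise.
    :raises AuthnFailure: the assertion cannot be parsed/verified or the
        client id is not in ``self.cli.cdb``.
    :raises NotForMe: no audience value matches this server.
    """
    try:
        try:
            argv = {'sender': areq['client_id']}
        except KeyError:
            argv = {}
        bjwt = AuthnToken().from_jwt(areq["client_assertion"],
                                     keyjar=self.cli.keyjar, **argv)
    except (Invalid, MissingKey) as err:
        logger.info("%s", sanitize(err))
        raise AuthnFailure("Could not verify client_assertion.")

    logger.debug("authntoken: %s", sanitize(bjwt.to_dict()))
    areq['parsed_client_assertion'] = bjwt

    try:
        cid = kwargs["client_id"]
    except KeyError:
        cid = bjwt["iss"]

    # Explicit check instead of ``assert``: the assert was stripped under
    # ``python -O`` and, when it did fire, raised AssertionError rather than
    # the KeyError the old handler caught, so an unknown client escaped as an
    # unhandled exception instead of an authentication failure.
    # NOTE(review): when cid comes from kwargs it is not compared with the
    # token's iss/sub here; from_jwt's ``sender`` may cover that -- confirm.
    if str(cid) not in self.cli.cdb:
        raise AuthnFailure("Unknown client id")

    # aud can be a string or a list
    _aud = bjwt["aud"]
    logger.debug("audience: %s, baseurl: %s", _aud, self.cli.baseurl)

    # figure out authn method: an 'oct' key type means the shared client
    # secret signed the assertion
    if alg2keytype(bjwt.jws_header['alg']) == 'oct':
        authn_method = 'client_secret_jwt'
    else:
        authn_method = 'private_key_jwt'

    # NOTE(review): prefix matching accepts any audience that merely starts
    # with baseurl (e.g. a different host sharing the prefix when baseurl
    # has no trailing slash); an exact match against the expected endpoint
    # would be stricter -- confirm what callers rely on before tightening.
    if isinstance(_aud, six.string_types):
        targets = [str(_aud)]
    else:
        targets = _aud
    if not any(target.startswith(self.cli.baseurl) for target in targets):
        raise NotForMe("Not for me!")

    return cid, authn_method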
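def verify(self, areq, **kwargs):
    """Authenticate a client from the ``client_assertion`` in *areq*.

    The assertion is parsed and signature-checked by ``AuthnToken.from_jwt``
    against ``self.cli.keyjar`` (scoped to ``areq["client_id"]`` as the
    sender when present). The resulting client id must be registered in
    ``self.cli.cdb`` and at least one ``aud`` value must start with
    ``self.cli.baseurl``.

    :param areq: Request message; ``client_assertion`` is read, as is
        ``client_id`` when present. The parsed token is stored back under
        ``parsed_client_assertion``.
    :param kwargs: ``client_id`` overrides the id otherwise taken from the
        token's ``iss`` claim.
    :return: ``(client_id, authn_method)`` with *authn_method* being
        ``"client_secret_jwt"`` for a symmetric ("oct") signing key and
        ``"private_key_jwt"`` otherwise.
    :raises AuthnFailure: the assertion cannot be parsed/verified or the
        client id is not in ``self.cli.cdb``.
    :raises NotForMe: no audience value matches this server.
    """
    try:
        try:
            argv = {"sender": areq["client_id"]}
        except KeyError:
            argv = {}
        bjwt = AuthnToken().from_jwt(areq["client_assertion"],
                                     keyjar=self.cli.keyjar, **argv)
    except (Invalid, MissingKey) as err:
        # Lazy %-style arguments instead of eager "%" formatting.
        logger.info("%s", sanitize(err))
        raise AuthnFailure("Could not verify client_assertion.")

    logger.debug("authntoken: %s", sanitize(bjwt.to_dict()))
    areq["parsed_client_assertion"] = bjwt

    try:
        cid = kwargs["client_id"]
    except KeyError:
        cid = bjwt["iss"]  # There might not be a client_id in the request

    # NOTE(review): when cid comes from kwargs it is not compared with the
    # token's iss/sub here; from_jwt's ``sender`` may cover that -- confirm.
    if cid not in self.cli.cdb:
        raise AuthnFailure("Unknown client id")

    # aud can be a string or a list
    _aud = bjwt["aud"]
    logger.debug("audience: %s, baseurl: %s", _aud, self.cli.baseurl)

    # figure out authn method: an "oct" key type means the shared client
    # secret signed the assertion
    if alg2keytype(bjwt.jws_header["alg"]) == "oct":
        authn_method = "client_secret_jwt"
    else:
        authn_method = "private_key_jwt"

    # NOTE(review): prefix matching accepts any audience that merely starts
    # with baseurl (e.g. a different host sharing the prefix when baseurl
    # has no trailing slash); an exact match against the expected endpoint
    # would be stricter -- confirm what callers rely on before tightening.
    if isinstance(_aud, str):
        targets = [str(_aud)]
    else:
        targets = _aud
    if not any(target.startswith(self.cli.baseurl) for target in targets):
        raise NotForMe("Not for me!")

    return cid, authn_method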
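def verify_client(environ, areq, cdb):
    """Check the client credentials carried in the token request *areq*.

    Two methods are recognised: ``client_secret_post`` (a ``client_secret``
    in the request, compared against the registered secret in *cdb*) and a
    JWT bearer ``client_assertion`` of type ``JWT_BEARER``, which is
    deserialized with the client's registered secret as the HMAC key.

    :param environ: WSGI environment; not read by this function.
    :param areq: Request parameters (mapping supporting ``in`` and ``[]``).
    :param cdb: Client database mapping client_id to its registration
        record; ``client_secret`` is read from the record.
    :return: ``True`` only when a posted client_secret matches the
        registered one; ``False`` for every other outcome, including an
        unknown or missing client_id. NOTE(review): the assertion branch
        deserializes the JWT but never uses the result, so that path always
        returns ``False`` -- confirm whether this is intended.
    """
    import hmac

    if "client_secret" in areq:  # client_secret_post
        try:
            expected = cdb[areq["client_id"]]["client_secret"]
        except KeyError:
            # Missing client_id, unknown client or no registered secret.
            return False
        supplied = areq["client_secret"]
        if isinstance(expected, str):
            expected = expected.encode("utf-8")
        if isinstance(supplied, str):
            supplied = supplied.encode("utf-8")
        try:
            # Constant-time comparison: a plain ``==`` returns at the first
            # differing byte and so leaks timing information about the secret.
            return hmac.compare_digest(expected, supplied)
        except TypeError:
            # Operands that are not bytes-like can never match.
            return False
    elif "client_assertion" in areq:  # client_secret_jwt or public_key_jwt
        # Explicit check instead of ``assert``, which is stripped under
        # ``python -O`` and would let any assertion type through.
        try:
            if areq["client_assertion_type"] != JWT_BEARER:
                return False
            secret = cdb[areq["client_id"]]["client_secret"]
        except KeyError:
            return False
        key_col = {"hmac": secret}
        # Result intentionally discarded, as before; kept for its side
        # effects (any parsing/verification error it raises still propagates).
        AuthnToken.deserialize(areq["client_assertion"], "jwt", key=key_col)
    return False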
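def assertion_jwt(cli, keys, audience, algorithm=OIC_DEF_SIGN_ALG,
                  lifetime_minutes=10):
    """Build and sign a client-authentication JWT (a client assertion).

    ``iss`` and ``prn`` (the draft-era claim later renamed ``sub``) are both
    the client's own id, ``aud`` is the given audience, ``jti`` is a fresh
    random id, ``iat`` is now and ``exp`` lies ``lifetime_minutes`` ahead.

    :param cli: Client object; only ``cli.client_id`` is read.
    :param keys: Signing key(s) forwarded to ``AuthnToken.to_jwt``.
    :param audience: Value of the ``aud`` claim.
    :param algorithm: JWS algorithm name; defaults to ``OIC_DEF_SIGN_ALG``.
    :param lifetime_minutes: Minutes until the assertion expires. Was
        hard-coded to 10; the default preserves that behaviour.
    :return: The serialized, signed JWT.
    """
    at = AuthnToken(
        iss=cli.client_id,
        prn=cli.client_id,
        aud=audience,
        # 32 random chars (matching the other assertion_jwt variants) gives
        # the replay-detection id far more entropy than the former 8.
        jti=rndstr(32),
        exp=int(epoch_in_a_while(minutes=lifetime_minutes)),
        iat=utc_now(),
    )
    return at.to_jwt(key=keys, algorithm=algorithm)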