def test_jwt_pack_and_unpack():
srv = JWT(keyjar, iss=issuer)
payload = {'sub': 'sub'}
_jwt = srv.pack(payload=payload)
info = srv.unpack(_jwt)
assert set(info.keys()) == {'jti', 'iat', 'iss', 'sub', 'kid'}
def test_jwt_pack_and_unpack_with_lifetime():
srv = JWT(keyjar, iss=issuer, lifetime=600)
payload = {'sub': 'sub'}
_jwt = srv.pack(payload=payload)
info = srv.unpack(_jwt)
assert set(info.keys()) == {'jti', 'iat', 'iss', 'sub', 'kid', 'exp'}
def test_jwt_pack_unpack_sym():
kj = KeyJar()
kj.add_symmetric(owner='', key='client_secret', usage=['sig'])
kj['https://fedop.example.org'] = kj['']
srv = JWT(kj, iss=issuer, sign_alg="HS256")
payload = {'sub': 'sub2'}
_jwt = srv.pack(payload=payload)
info = srv.unpack(_jwt)
assert info
def test_jwt_pack_encrypt():
srv = JWT(keyjar, iss=issuer)
payload = {'sub': 'sub', 'aud': receiver}
_jwt = srv.pack(payload=payload, encrypt=True)
info = srv.unpack(_jwt)
assert isinstance(info, JsonWebToken)
assert set(info.keys()) == {'jti', 'iat', 'iss', 'sub', 'kid', 'aud'}
def verify_signed_bundle(signed_bundle, ver_keys):
"""
Verify the signature of a signed JWT.
:param signed_bundle: A signed JWT where the body is a JWKS bundle
:param ver_keys: Keys that can be used to verify signatures of the
signed_bundle.
:type ver_keys: oic.utils.KeyJar instance
:return: The bundle or None
"""
_jwt = JWT(ver_keys)
return _jwt.unpack(signed_bundle)
def create_signed_bundle(self, sign_alg='RS256', iss_list=None):
"""
Create a signed JWT containing a dictionary with Issuer IDs as keys
and JWKSs as values. If iss_list is empty all then all issuers are
included.
:param sign_alg: Which algorithm to use when signing the JWT
:param iss_list: A list of issuer IDs who's keys should be included in
the signed bundle.
:return: A signed JWT
"""
data = self.dict(iss_list)
_jwt = JWT(self.sign_keys, iss=self.iss, sign_alg=sign_alg)
return _jwt.pack({'bundle': data})
def self_sign_jwks(keyjar, iss, kid='', lifetime=3600):
"""
Create a signed JWT containing a JWKS. The JWT is signed by one of the
keys in the JWKS.
:param keyjar: A KeyJar instance with at least one private signing key
:param iss: issuer of the JWT, should be the owner of the keys
:param kid: A key ID if a special key should be used otherwise one
is picked at random.
:param lifetime: The lifetime of the signed JWT
:return: A signed JWT
"""
# _json = json.dumps(jwks)
_jwt = JWT(keyjar, iss=iss, lifetime=lifetime)
jwks = keyjar.export_jwks(issuer=iss)
return _jwt.pack(payload={'jwks': jwks}, owner=iss, kid=kid)
def pack_metadata_statement(self, metadata, keyjar=None, iss=None, alg='',
jwt_args=None, lifetime=-1, **kwargs):
"""
Given a MetadataStatement instance create a signed JWT.
:param metadata: Original metadata statement as a MetadataStatement
instance
:param keyjar: KeyJar in which the necessary signing keys should reside
:param iss: Issuer ID
:param alg: Which signing algorithm to use
:param jwt_args: Additional JWT attribute values
:param lifetime: Lifetime of the signed JWT
:param kwargs: Additional metadata statement attribute values
:return: A JWT
"""
if iss is None:
iss = self.iss
if keyjar is None:
keyjar = self.keyjar
if lifetime == -1:
lifetime = self.lifetime
# Own copy
_metadata = copy.deepcopy(metadata)
_metadata.update(kwargs)
_jwt = JWT(keyjar, iss=iss, msg_cls=_metadata.__class__,
lifetime=lifetime)
if alg:
_jwt.sign_alg = alg
if iss in keyjar.owners():
owner = iss
else:
owner = ''
if jwt_args:
return _jwt.pack(payload=_metadata.to_dict(), owner=owner, **jwt_args)
else:
return _jwt.pack(payload=_metadata.to_dict(), owner=owner)
def request_signed_by_signing_keys(keyjar, msreq, iss, lifetime, kid=''):
"""
A metadata statement signing request with 'signing_keys' signed by one
of the keys in 'signing_keys'.
:param keyjar: A KeyJar instance with the private signing key
:param msreq: Metadata statement signing request. A MetadataStatement
instance.
:param iss: Issuer of the signing request also the owner of the signing
keys.
:return: Signed JWT where the body is the metadata statement
"""
try:
jwks_to_keyjar(msreq['signing_keys'], iss)
except KeyError:
jwks = keyjar.export_jwks(issuer=iss)
msreq['signing_keys'] = jwks
_jwt = JWT(keyjar, iss=iss, lifetime=lifetime)
return _jwt.pack(owner=iss, kid=kid, payload=msreq.to_dict())
def create(self, req, **kwargs):
"""
:param req: Original metadata statement as a
:py:class:`MetadataStatement` instance
:param keyjar: KeyJar in which the necessary keys should reside
:param iss: Issuer ID
:param alg: Which signing algorithm to use
:param kwargs: Additional metadata statement attribute values
:return: A dictionary with a signed JWT as value with the key 'sms'
"""
iss = self.iss
keyjar = self.signing_keys
# Own copy
_metadata = copy.deepcopy(req)
if self.add_ons:
_metadata.update(self.add_ons)
_jwt = JWT(keyjar,
iss=iss,
msg_cls=_metadata.__class__,
lifetime=self.lifetime)
_jwt.sign_alg = self.alg
if iss in keyjar.issuer_keys:
owner = iss
else:
owner = ''
if kwargs:
sms = _jwt.pack(payload=_metadata.to_dict(), owner=owner, **kwargs)
else:
sms = _jwt.pack(payload=_metadata.to_dict(), owner=owner)
return {'sms': sms}
def test_unpack_aggregated_response(self):
claims = {
"address": {
"street_address": "1234 Hollywood Blvd.",
"locality": "Los Angeles",
"region": "CA",
"postal_code": "90210",
"country": "US"
},
"phone_number": "+1 (555) 123-4567"
}
_keyjar = build_keyjar(KEYSPEC)[1]
srv = JWT(_keyjar, iss='https://example.org/op/', sign_alg='ES256')
_jwt = srv.pack(payload=claims)
resp = OpenIDSchema(sub='diana',
given_name='Diana',
family_name='krall',
_claim_names={
'address': 'src1',
'phone_number': 'src1'
},
_claim_sources={'src1': {
'JWT': _jwt
}})
public_keys_keyjar(_keyjar, '', self.cli_info.keyjar,
'https://example.org/op/')
_resp = self.req.parse_response(resp.to_json(), self.cli_info)
assert set(_resp.keys()) == {
'sub', 'given_name', 'family_name', '_claim_names',
'_claim_sources', 'address', 'phone_number'
}
def test_jwt_pack():
_jwt = JWT(keyjar, lifetime=3600, iss=issuer).pack()
assert _jwt
assert len(_jwt.split('.')) == 3