def test_jwt_pack_and_unpack(): srv = JWT(keyjar, iss=issuer) payload = {'sub': 'sub'} _jwt = srv.pack(payload=payload) info = srv.unpack(_jwt) assert set(info.keys()) == {'jti', 'iat', 'iss', 'sub', 'kid'}
def test_jwt_pack_and_unpack_with_lifetime(): srv = JWT(keyjar, iss=issuer, lifetime=600) payload = {'sub': 'sub'} _jwt = srv.pack(payload=payload) info = srv.unpack(_jwt) assert set(info.keys()) == {'jti', 'iat', 'iss', 'sub', 'kid', 'exp'}
def test_jwt_pack_unpack_sym(): kj = KeyJar() kj.add_symmetric(owner='', key='client_secret', usage=['sig']) kj['https://fedop.example.org'] = kj[''] srv = JWT(kj, iss=issuer, sign_alg="HS256") payload = {'sub': 'sub2'} _jwt = srv.pack(payload=payload) info = srv.unpack(_jwt) assert info
def test_jwt_pack_encrypt(): srv = JWT(keyjar, iss=issuer) payload = {'sub': 'sub', 'aud': receiver} _jwt = srv.pack(payload=payload, encrypt=True) info = srv.unpack(_jwt) assert isinstance(info, JsonWebToken) assert set(info.keys()) == {'jti', 'iat', 'iss', 'sub', 'kid', 'aud'}
def verify_signed_bundle(signed_bundle, ver_keys): """ Verify the signature of a signed JWT. :param signed_bundle: A signed JWT where the body is a JWKS bundle :param ver_keys: Keys that can be used to verify signatures of the signed_bundle. :type ver_keys: oic.utils.KeyJar instance :return: The bundle or None """ _jwt = JWT(ver_keys) return _jwt.unpack(signed_bundle)
def create_signed_bundle(self, sign_alg='RS256', iss_list=None): """ Create a signed JWT containing a dictionary with Issuer IDs as keys and JWKSs as values. If iss_list is empty all then all issuers are included. :param sign_alg: Which algorithm to use when signing the JWT :param iss_list: A list of issuer IDs who's keys should be included in the signed bundle. :return: A signed JWT """ data = self.dict(iss_list) _jwt = JWT(self.sign_keys, iss=self.iss, sign_alg=sign_alg) return _jwt.pack({'bundle': data})
def self_sign_jwks(keyjar, iss, kid='', lifetime=3600): """ Create a signed JWT containing a JWKS. The JWT is signed by one of the keys in the JWKS. :param keyjar: A KeyJar instance with at least one private signing key :param iss: issuer of the JWT, should be the owner of the keys :param kid: A key ID if a special key should be used otherwise one is picked at random. :param lifetime: The lifetime of the signed JWT :return: A signed JWT """ # _json = json.dumps(jwks) _jwt = JWT(keyjar, iss=iss, lifetime=lifetime) jwks = keyjar.export_jwks(issuer=iss) return _jwt.pack(payload={'jwks': jwks}, owner=iss, kid=kid)
def pack_metadata_statement(self, metadata, keyjar=None, iss=None, alg='', jwt_args=None, lifetime=-1, **kwargs): """ Given a MetadataStatement instance create a signed JWT. :param metadata: Original metadata statement as a MetadataStatement instance :param keyjar: KeyJar in which the necessary signing keys should reside :param iss: Issuer ID :param alg: Which signing algorithm to use :param jwt_args: Additional JWT attribute values :param lifetime: Lifetime of the signed JWT :param kwargs: Additional metadata statement attribute values :return: A JWT """ if iss is None: iss = self.iss if keyjar is None: keyjar = self.keyjar if lifetime == -1: lifetime = self.lifetime # Own copy _metadata = copy.deepcopy(metadata) _metadata.update(kwargs) _jwt = JWT(keyjar, iss=iss, msg_cls=_metadata.__class__, lifetime=lifetime) if alg: _jwt.sign_alg = alg if iss in keyjar.owners(): owner = iss else: owner = '' if jwt_args: return _jwt.pack(payload=_metadata.to_dict(), owner=owner, **jwt_args) else: return _jwt.pack(payload=_metadata.to_dict(), owner=owner)
def request_signed_by_signing_keys(keyjar, msreq, iss, lifetime, kid=''): """ A metadata statement signing request with 'signing_keys' signed by one of the keys in 'signing_keys'. :param keyjar: A KeyJar instance with the private signing key :param msreq: Metadata statement signing request. A MetadataStatement instance. :param iss: Issuer of the signing request also the owner of the signing keys. :return: Signed JWT where the body is the metadata statement """ try: jwks_to_keyjar(msreq['signing_keys'], iss) except KeyError: jwks = keyjar.export_jwks(issuer=iss) msreq['signing_keys'] = jwks _jwt = JWT(keyjar, iss=iss, lifetime=lifetime) return _jwt.pack(owner=iss, kid=kid, payload=msreq.to_dict())
def create(self, req, **kwargs): """ :param req: Original metadata statement as a :py:class:`MetadataStatement` instance :param keyjar: KeyJar in which the necessary keys should reside :param iss: Issuer ID :param alg: Which signing algorithm to use :param kwargs: Additional metadata statement attribute values :return: A dictionary with a signed JWT as value with the key 'sms' """ iss = self.iss keyjar = self.signing_keys # Own copy _metadata = copy.deepcopy(req) if self.add_ons: _metadata.update(self.add_ons) _jwt = JWT(keyjar, iss=iss, msg_cls=_metadata.__class__, lifetime=self.lifetime) _jwt.sign_alg = self.alg if iss in keyjar.issuer_keys: owner = iss else: owner = '' if kwargs: sms = _jwt.pack(payload=_metadata.to_dict(), owner=owner, **kwargs) else: sms = _jwt.pack(payload=_metadata.to_dict(), owner=owner) return {'sms': sms}
def test_unpack_aggregated_response(self): claims = { "address": { "street_address": "1234 Hollywood Blvd.", "locality": "Los Angeles", "region": "CA", "postal_code": "90210", "country": "US" }, "phone_number": "+1 (555) 123-4567" } _keyjar = build_keyjar(KEYSPEC)[1] srv = JWT(_keyjar, iss='https://example.org/op/', sign_alg='ES256') _jwt = srv.pack(payload=claims) resp = OpenIDSchema(sub='diana', given_name='Diana', family_name='krall', _claim_names={ 'address': 'src1', 'phone_number': 'src1' }, _claim_sources={'src1': { 'JWT': _jwt }}) public_keys_keyjar(_keyjar, '', self.cli_info.keyjar, 'https://example.org/op/') _resp = self.req.parse_response(resp.to_json(), self.cli_info) assert set(_resp.keys()) == { 'sub', 'given_name', 'family_name', '_claim_names', '_claim_sources', 'address', 'phone_number' }
def test_jwt_pack(): _jwt = JWT(keyjar, lifetime=3600, iss=issuer).pack() assert _jwt assert len(_jwt.split('.')) == 3