In [1]:
# Install a pip package in the current Jupyter kernel
import sys
!{sys.executable} -m pip install python-jose

Collecting python-jose
  Using cached python_jose-3.1.0-py2.py3-none-any.whl (26 kB)
Collecting pyasn1
  Using cached pyasn1-0.4.8-py2.py3-none-any.whl (77 kB)
Collecting ecdsa<1.0
  Using cached ecdsa-0.15-py2.py3-none-any.whl (100 kB)
Collecting rsa
  Using cached rsa-4.6-py3-none-any.whl (47 kB)
Installing collected packages: pyasn1, ecdsa, rsa, python-jose
Successfully installed ecdsa-0.15 pyasn1-0.4.8 python-jose-3.1.0 rsa-4.6


In [3]:
import json
from jose import jwt
from urllib.request import urlopen

In [15]:
# Configuration
AUTH0_DOMAIN = 'dev-ouhaic19.us.auth0.com'
ALGORITHMS = ['RS256']
API_AUDIENCE = 'image'

In [16]:
'''
AuthError Exception
A standardized way to communicate auth failure modes
'''
class AuthError(Exception):
    def __init__(self, error, status_code):
        self.error = error
        self.status_code = status_code

In [17]:
## Auth Header
def verify_decode_jwt(token):
    # GET THE PUBLIC KEY FROM AUTH0
    jsonurl = urlopen(f'https://{AUTH0_DOMAIN}/.well-known/jwks.json')
    jwks = json.loads(jsonurl.read())
    
    # GET THE DATA IN THE HEADER
    unverified_header = jwt.get_unverified_header(token)
    
    # CHOOSE OUR KEY
    rsa_key = {}
    if 'kid' not in unverified_header:
        raise AuthError({
            'code': 'invalid_header',
            'description': 'Authorization malformed.'
        }, 401)

    for key in jwks['keys']:
        if key['kid'] == unverified_header['kid']:
            rsa_key = {
                'kty': key['kty'],
                'kid': key['kid'],
                'use': key['use'],
                'n': key['n'],
                'e': key['e']
            }
    
    # Finally, verify!!!
    if rsa_key:
        try:
            # USE THE KEY TO VALIDATE THE JWT
            payload = jwt.decode(
                token,
                rsa_key,
                algorithms=ALGORITHMS,
                audience=API_AUDIENCE,
                issuer='https://' + AUTH0_DOMAIN + '/'
            )

            return payload

        except jwt.ExpiredSignatureError:
            raise AuthError({
                'code': 'token_expired',
                'description': 'Token expired.'
            }, 401)

        except jwt.JWTClaimsError:
            raise AuthError({
                'code': 'invalid_claims',
                'description': 'Incorrect claims. Please, check the audience and issuer.'
            }, 401)
        except Exception:
            raise AuthError({
                'code': 'invalid_header',
                'description': 'Unable to parse authentication token.'
            }, 400)
    raise AuthError({
                'code': 'invalid_header',
                'description': 'Unable to find the appropriate key.'
            }, 400)

In [20]:
token = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik93TGh1cE1sUEIweE1BdVRZeXNiSiJ9.eyJpc3MiOiJodHRwczovL2Rldi1vdWhhaWMxOS51cy5hdXRoMC5jb20vIiwic3ViIjoiZ29vZ2xlLW9hdXRoMnwxMTAwNjcxNzAyOTQ2NjcyNzk4MTUiLCJhdWQiOlsiaW1hZ2UiLCJodHRwczovL2Rldi1vdWhhaWMxOS51cy5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNTk0MzA1NzcwLCJleHAiOjE1OTQzMTI5NzAsImF6cCI6IjZmaHFtVm1vWW12alUxOTVLSEt5aTVuR0JTRUYzSHRQIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCJ9.DUVCPctoYnU0eqnjX1f12VZuE0fkJwWLDcrRk651oE-kYnlCnZcJ3C1tchXWFHjzWFPS5YxRf9lerlj_Uap1wPOjimyXOkG70SPHs_WvXP3Z_2CvxmFNKCEGS64-4tfg469EJhzp3Rd_eCAvFY016m1RU7OSHgSnudRQzCzeri8Vdeh7qer1DHB9ZNJdloDdMFHSuaf8EKLKtg-SzpjrROuAZa-fgwSjd3czs_g5iQnZ9fh2gWEyAl9mLFh3XKKUlc1IC5d7Gux020nBIB_sZ37LHcaBU7uF-MSklSkg38-bn_4hc0qLuVkU2JqQ8az6qQ-sSuGZBWJJy3038lNdBQ'
verify_decode_jwt(token)

{'iss': 'https://dev-ouhaic19.us.auth0.com/',
 'sub': 'google-oauth2|110067170294667279815',
 'aud': ['image', 'https://dev-ouhaic19.us.auth0.com/userinfo'],
 'iat': 1594305770,
 'exp': 1594312970,
 'azp': '6fhqmVmoYmvjU195KHKyi5nGBSEF3HtP',
 'scope': 'openid profile email'}