Improved OIDC compliance #213
Conversation
class SignatureVerifier():
    DISABLE_JWT_CHECKS = {
These need to be disabled here in order to only validate the signature of the token.
    def __init__(self, algorithm):
        if not algorithm or type(algorithm) != str:
            raise ValueError("algorithm must be specified.")
a small safety check for this instance to have an "expected algorithm" defined
        self._algorithm = algorithm

    def _fetch_key(self, key_id=None):
        raise NotImplementedError
will be implemented by the subclasses, providing "keys" AKA shared secrets or public certificates
class SymmetricSignatureVerifier(SignatureVerifier):

    def __init__(self, shared_secret, algorithm="HS256"):
I'm not sure if the algorithm should be exposed here or kept hardcoded in the internals. I don't see any use case for auth0. Applies to the AsymmetricSignatureVerifier as well.
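The behaviour discussed in the comments above (signature-only verification, the expected algorithm pinned at construction, key lookup deferred to a subclass, and decode failures re-raised as the SDK's own exception type) as one added example. This is not the auth0-python code under review: it re-implements the HS256 check with the standard library instead of PyJWT, and apart from the class names and the `algorithm must be specified.` message taken from the snippets above, the exception name `TokenValidationError`, the `_check_signature` hook, `build_token` and `failure_reason` are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json


class TokenValidationError(Exception):
    """One exception type for every verification failure (name assumed)."""


def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class SignatureVerifier:
    """Checks only the algorithm and the signature; claim checks are a separate step."""

    def __init__(self, algorithm):
        # The expected algorithm is fixed per instance; the token header never chooses it.
        if not algorithm or not isinstance(algorithm, str):
            raise ValueError("algorithm must be specified.")
        self._algorithm = algorithm

    def _fetch_key(self, key_id=None):
        # Subclasses return the shared secret or the public key for key_id.
        raise NotImplementedError

    def _check_signature(self, signing_input, signature, key):
        # Subclasses verify `signature` over `signing_input` with `key`.
        raise NotImplementedError

    def verify_signature(self, token):
        """Return the decoded payload dict if the signature is valid, else raise."""
        try:
            header_b64, payload_b64, signature_b64 = token.split(".")
            header = json.loads(b64url_decode(header_b64))
            payload = json.loads(b64url_decode(payload_b64))
            signature = b64url_decode(signature_b64)
        except (ValueError, UnicodeDecodeError):
            # binascii.Error and JSONDecodeError are ValueErrors; surface our own type.
            raise TokenValidationError("ID token could not be decoded.")
        alg = header.get("alg") if isinstance(header, dict) else None
        if alg != self._algorithm:
            # Comparing against the pinned value rejects alg=none and HS/RS confusion.
            raise TokenValidationError(
                'Signature algorithm of "{}" is not supported. Expected the ID token '
                'to be signed with "{}"'.format(alg, self._algorithm))
        key = self._fetch_key(header.get("kid"))
        signing_input = "{}.{}".format(header_b64, payload_b64).encode("ascii")
        if not self._check_signature(signing_input, signature, key):
            raise TokenValidationError("Invalid token signature.")
        return payload


class SymmetricSignatureVerifier(SignatureVerifier):
    """HS256 with the client secret; the algorithm is hardcoded rather than exposed."""

    def __init__(self, shared_secret):
        super().__init__("HS256")
        if isinstance(shared_secret, str):
            shared_secret = shared_secret.encode("utf-8")
        self._shared_secret = shared_secret

    def _fetch_key(self, key_id=None):
        # A shared secret has no key id; the same key is used whatever kid says.
        return self._shared_secret

    def _check_signature(self, signing_input, signature, key):
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)  # constant-time compare


def build_token(payload, secret, alg="HS256"):
    """Constructed sample token; `alg` is overridable only so a forged header can be tested."""
    header_b64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode("utf-8"))
    payload_b64 = b64url_encode(json.dumps(payload).encode("utf-8"))
    signing_input = "{}.{}".format(header_b64, payload_b64).encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return "{}.{}.{}".format(header_b64, payload_b64, b64url_encode(sig))


def failure_reason(verifier, token):
    """Return the TokenValidationError message for a rejected token, or None if accepted."""
    try:
        verifier.verify_signature(token)
    except TokenValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    verifier = SymmetricSignatureVerifier("client-secret")
    print(verifier.verify_signature(build_token({"sub": "auth0|123"}, "client-secret")))
    print(failure_reason(verifier, build_token({"sub": "x"}, "client-secret", alg="none")))
```

The symmetric subclass takes no `algorithm` parameter on purpose: letting a caller pass one would be the only way to end up with a verifier whose pinned algorithm does not match the key type it holds, which is exactly the mismatch the pinning is meant to rule out. A header that says `none`, `RS256` or anything other than the instance's algorithm is rejected before the key is even fetched.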
        # Verify claims
        # Issuer

        if 'iss' not in payload or type(payload['iss']) != str:
check 4, claims presence/value
            raise TokenValidationError('Audience (aud) claim mismatch in the ID token; expected "{}" but found "{}"'.format(opt['aud'], payload['aud']))

        # --Time validation (epoch)--
        now = opt['_clock'] or time.time()
I'm not assigning this default value at construction time since I don't want to "fix" the value of the clock to whatever returns time.time()
    def verify_signature(self, token):
        try:
            header = jwt.get_unverified_header(token)
        except jwt.exceptions.DecodeError:
all these try/catches are required to launch our custom exception messages
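The claim checks and the clock handling from the comments above (presence and type of `iss`, the `aud` mismatch message, a clock that is resolved at verification time rather than at construction, and failures surfaced as the SDK's own exception) as one added example that is not the project's code. It assumes the signature has already been verified and a payload dict is in hand; the option keys `iss`, `aud`, `_clock` and `leeway`, the `nbf` handling, the exception name and the sample payload are assumptions chosen to match the snippets.

```python
import time


class TokenValidationError(Exception):
    """Raised for every claim-validation failure (name assumed)."""


def _now(opt):
    # Resolve the clock when verifying, not when the options are built: '_clock'
    # is an optional epoch override for tests, and time.time() is consulted only
    # when no override is given. `is None` is used so that epoch 0 is still valid.
    override = opt.get('_clock')
    return int(time.time() if override is None else override)


def verify_claims(payload, opt):
    """Validate iss, aud, exp, iat and nbf on a payload whose signature was already checked.

    opt keys (assumed): 'iss', 'aud' (the client id), optional '_clock' and 'leeway'.
    """
    leeway = opt.get('leeway', 0)

    # Issuer: must be present, be a string, and equal the expected issuer exactly.
    if 'iss' not in payload or not isinstance(payload['iss'], str):
        raise TokenValidationError('Issuer (iss) claim must be a string present in the ID token')
    if payload['iss'] != opt['iss']:
        raise TokenValidationError(
            'Issuer (iss) claim mismatch in the ID token; expected "{}", found "{}"'
            .format(opt['iss'], payload['iss']))

    # Audience: a string or a list of strings; the client id must be among them.
    aud = payload.get('aud')
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        raise TokenValidationError(
            'Audience (aud) claim must be a string or array of strings present in the ID token')
    if opt['aud'] not in audiences:
        raise TokenValidationError(
            'Audience (aud) claim mismatch in the ID token; expected "{}" but found "{}"'
            .format(opt['aud'], aud))

    # Time validation (epoch).
    now = _now(opt)
    for claim in ('exp', 'iat'):
        if not isinstance(payload.get(claim), int):
            raise TokenValidationError(
                '{} claim must be a number present in the ID token'.format(claim))
    if now > payload['exp'] + leeway:
        raise TokenValidationError(
            'Expiration Time (exp) claim error in the ID token; current time ({}) is after '
            'expiration time ({})'.format(now, payload['exp'] + leeway))
    # nbf is optional; when present the token is not valid before it.
    if 'nbf' in payload:
        if not isinstance(payload['nbf'], int):
            raise TokenValidationError('Not Before (nbf) claim must be a number in the ID token')
        if now < payload['nbf'] - leeway:
            raise TokenValidationError(
                'Not Before (nbf) claim error in the ID token; current time ({}) is before '
                'not before time ({})'.format(now, payload['nbf'] - leeway))
    return payload


def claim_failure(payload, opt):
    """Return the TokenValidationError message for a rejected payload, or None if accepted."""
    try:
        verify_claims(payload, opt)
    except TokenValidationError as exc:
        return str(exc)
    return None


# Constructed sample payload and options (not taken from a real tenant).
SAMPLE_PAYLOAD = {
    "iss": "https://tenant.example.auth0.com/",
    "sub": "auth0|123",
    "aud": "client-id-123",
    "iat": 1600000000,
    "exp": 1600000600,
}
SAMPLE_OPT = {"iss": "https://tenant.example.auth0.com/", "aud": "client-id-123",
              "_clock": 1600000300, "leeway": 0}

if __name__ == "__main__":
    print(claim_failure(SAMPLE_PAYLOAD, SAMPLE_OPT))
    print(claim_failure(SAMPLE_PAYLOAD, dict(SAMPLE_OPT, _clock=1600000700)))
```

Keeping the clock out of the constructor is what makes the expiry cases testable: the same options dict is reused with `_clock` moved past `exp`, and the only thing that changes is the verdict. The `leeway` is applied in both directions so a small skew between the token issuer and the verifying host does not reject otherwise valid tokens.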
@@ -1,3 +1,4 @@ | |||
requests>=2.14.0 | |||
mock==1.3.0 | |||
pre-commit | |||
pyjwt[crypto]>=1.7.1 |
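Review bot: the new `pyjwt[crypto]>=1.7.1` line has no upper bound while `mock==1.3.0` two lines above is pinned exactly, and the verifier calls `jwt.get_unverified_header` and the decode options directly, so a future major release of PyJWT can break those call sites under a plain `pip install`; suggest `pyjwt[crypto]>=1.7.1,<2` and bumping the bound deliberately when the next major is tested. Also, `mock` and `pre-commit` suggest this is the development requirements file; the same `pyjwt[crypto]` dependency then also has to be declared as a runtime requirement (setup.py `install_requires`), or the `jwt` import fails for SDK users who install from PyPI.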
the recommended way of requiring this dependency, since it includes "crypto" and is easier to tell both are used "together"
good stuff 👏
Co-authored-by: José Padilla <jpadilla@webapplicate.com>
Changes
This update improves the SDK support for OpenID Connect. In particular, it modifies the sign-in verification phase by adding, on top of the backchannel checks, the option to perform id_token validation.
TODO
Testing
Checklist