In [1]:
%load_ext autoreload
%autoreload 2

In [2]:
import requests
import time

In [3]:
from package.keypair_management import KeyPairManagement
from package.jwt_management import ClientJWTManagement, ServerJWTManagement

In [4]:
BASE_URL = "http://localhost:8000"

In [5]:
km = KeyPairManagement(directory='./client_keypair')
km.generate_keypairs()

Directory './client_keypair' already exists.


# Scenarios

In [6]:
def sing_signature(dpop_life_time, method, url, data):
    client = ClientJWTManagement(dpop_lifetime=dpop_life_time)
    headers = client.create_headers(public_key=km.load_public_key_from_pem())
    # data = {
    #     "client_id": "5555"
    # }
    payload = client.create_payload(method=method, uri=url, data=data)
    client_signature = client.sign_by_client(headers=headers, payload=payload, private_key=km.load_private_key_from_pem())
    return client_signature

def pack_headers(client_signature, access_token=None):
    headers = {
        "DPoP": client_signature
    }
    if access_token is not None:
        headers.update({"Authorization": f"DPoP {access_token}"})
    return headers

def test_get_endpoint(url, client_signature, access_token=None):
    headers = pack_headers(client_signature, access_token)
    response = requests.get(url, headers=headers)
    response = response.json()
    return response

def test_post_endpoint(url, payload, client_signature, access_token=None):
    headers = pack_headers(client_signature, access_token)
    response = requests.post(url, headers=headers, json=payload)
    response = response.json()
    return response

## Happy Path

In [7]:
signature = sing_signature(dpop_life_time=60*5, method="GET", url=f"{BASE_URL}/authorizer/token", data={"client_id": "5555"})
response = test_get_endpoint(url=f"{BASE_URL}/authorizer/token", client_signature=signature, access_token=None)
access_token = response['access_token']
refresh_token = response['refresh_token']
response

{'access_token': 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzIzODgxOTUsImV4cCI6MTczMjM4ODc5NSwiY2xpZW50X2lkIjoiNTU1NSIsImNuZiI6eyJqa3QiOiJIWEMwS1FtTkx4T2ZsdEhSU3k3Y25NRVVwbGpfUC1XdEJ2RjBDaEdJVmNRIn19.WsvAWOlyY1BbK4U4hsa3J-L8o1Fc3-wnVpwSHG91efCZ7nIenGYDvvYl8mSSAAX9qfVzcWOIMnMHQ7yyCw2xfKKsCW5uhTCKszvKeidn2QbTl-uLAgCt67Tky_WM7JyFkn4I3hGvTUZTgMzSTVUgQ2Y1X6FTGgxrVpv4DVEGFD9bpex2c7JU1SCZUq39HFUcYQslbMJ96LnrEg6mXBPufMOhrHEJjtaDNj53nnLJwq714zutKcZFJ-SFDBy3JrontMddHH1XS6WoZ29DacG63TJ0arknce5RwbaZC4FEypQGf0Wu2IGtG9e3lwEoF7e1FZYj0TF-YWKchCvpRIP7EA',
 'token_type': 'DPoP',
 'expires_in': 600,
 'refresh_token': 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzIzODgxOTUsImV4cCI6MTczMjQ3NDU5NSwiY2xpZW50X2lkIjoiNTU1NSJ9.Vzvck7hazCLWd1OzbgXPMcM6C3XR1wx6mXAL32-in-hIGZN0fFN3ErvhslajA5PyJcdQO0vbPxBJAidWwt_ZSB67E_Iq_lJ_J0lDKtG_SRASDiGtgcdhbl4QAKGtFzVQN2qgDXa1xYMt9UeWzjTscJq66tb9An3lxi2ohTNzZe5LfGIusLgwPDiMUOoDZr2fjeWdEt-7P_fwK-bQa-xA5A9uz4zBbwevq2CvOD9hbiLlDgsYpy7mXD7PFrAzNYxIrI8J9KsIdTZP-CE1HVn

In [8]:
signature = sing_signature(dpop_life_time=60*5, method="GET", url=f"{BASE_URL}/resource/history", data={"client_id": "5555"})
response = test_get_endpoint(url=f"{BASE_URL}/resource/history", client_signature=signature, access_token=access_token)
response

{'response': 'you now get history'}

## DPoP expire

In [9]:
signature = sing_signature(dpop_life_time=1, method="GET", url=f"{BASE_URL}/authorizer/token", data={"client_id": "5555"})
time.sleep(2)
response = test_get_endpoint(url=f"{BASE_URL}/authorizer/token", client_signature=signature, access_token=None)
response

{'detail': 'Error: The JWT has expired. Signature has expired.'}

## DPoP tampered

In [10]:
signature = sing_signature(dpop_life_time=60*5, method="GET", url=f"{BASE_URL}/authorizer/token", data={"client_id": "5555"})

In [11]:
tampered_signature = sing_signature(dpop_life_time=60*5, method="GET", url=f"{BASE_URL}/authorizer/token", data={"client_id": "6666"})

In [12]:
headers, payload, signature = signature.split(".")
_, tampered_payload, _ = tampered_signature.split(".")

In [13]:
response = test_get_endpoint(url=f"{BASE_URL}/authorizer/token", client_signature=".".join([headers, tampered_payload, signature]), access_token=None)
response

{'detail': 'Error: General JWT verification issue. Signature verification failed.'}

## Invalid claims: method and url

In [14]:
signature = sing_signature(dpop_life_time=60*5, method="GET", url=f"{BASE_URL}/authorizer/token", data={"client_id": "5555"})
response = test_get_endpoint(url=f"{BASE_URL}/authorizer/token", client_signature=signature, access_token=None)
access_token = response['access_token']
refresh_token = response['refresh_token']
response

{'access_token': 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzIzODgyMDgsImV4cCI6MTczMjM4ODgwOCwiY2xpZW50X2lkIjoiNTU1NSIsImNuZiI6eyJqa3QiOiJIWEMwS1FtTkx4T2ZsdEhSU3k3Y25NRVVwbGpfUC1XdEJ2RjBDaEdJVmNRIn19.rswsRKh2eKm0i-1IE0Tiq2HVdox7TWeIat370RYNAX7RC6xkkEKcXmpZNyFgeWLbT0bP61d2fLGJLqk48MC8LadodfAutBZFEDBHYQuewksT0IbPTdiBEmNGhGMDX2h0EHgpijF6SUZKdO2kvfY7j4LO8SN4-TLN6SMarw5oxwPKLiluMiauHNr-F9RjbifT9NG0dyx9Yg0T-ItsetR0msIvAmK6R0Nwjm5xlENFTORMxo4ChRhGdyA5MQzRuwXTDe0zBnv3duN5L0M7Q_8LK2uXUx7d6JWCORSEqbbg1qrNOg3B89WSai6pICwo2e6Bt51c2yL0WCV9NdloY_gN4A',
 'token_type': 'DPoP',
 'expires_in': 600,
 'refresh_token': 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzIzODgyMDgsImV4cCI6MTczMjQ3NDYwOCwiY2xpZW50X2lkIjoiNTU1NSJ9.kavecGChY-ctZAni-Ieiu2r3kTNa5PI_IzEvE4gCULXzf--KKlGOAMRuhYn4jbPmIRCxk4p0a1u5vYRZNEckciK_OUom2NkHPwEjkZCn5-4tbqVtPKGAOPkcgPd43sVbV7XD_ZmBNgtccbczwuLCDGv2Pj8evgkKmNv9EQI8AFTZMNewla5VUfaD9EAf408RjaIhP89wL8XClParGTzJ2dW69E77D8v-b5npicfFFvF_J4-H-si9viyLsLrhr7f0A0Mg4s1GX0qmuSr8bOI

In [15]:
signature = sing_signature(dpop_life_time=60*5, method="POST", url=f"{BASE_URL}/resource/history1", data={"client_id": "5555"})
response = test_get_endpoint(url=f"{BASE_URL}/resource/history", client_signature=signature, access_token=access_token)
response

{'detail': 'Invalid claim'}

## Invalid claims: method

In [16]:
signature = sing_signature(dpop_life_time=60*5, method="GET", url=f"{BASE_URL}/authorizer/token", data={"client_id": "5555"})
response = test_get_endpoint(url=f"{BASE_URL}/authorizer/token", client_signature=signature, access_token=None)
access_token = response['access_token']
refresh_token = response['refresh_token']
response

{'access_token': 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzIzODgyMTUsImV4cCI6MTczMjM4ODgxNSwiY2xpZW50X2lkIjoiNTU1NSIsImNuZiI6eyJqa3QiOiJIWEMwS1FtTkx4T2ZsdEhSU3k3Y25NRVVwbGpfUC1XdEJ2RjBDaEdJVmNRIn19.NcNtyW0hkVbX8RhS-2zX39D0gnU114MZ15pLkhu1qAm-lyJ_eXwvrP98oUDV9JEzdlj0jm-UG_-iqFKglZ7thySiHvCB4sOaIMwhg-matLM54rpLbuhD4Tf6NmII6cmFvdJIaeWsbf5qLRqOGSAOkbpGmULg7EsuSzoDjA5EcZA7Cfr4FvtdmtdCHEFN6oUjqBOTlpzETo8xOtKN1i6dy3RvrsSkB6GtSpc5yX4uXIkjTemlRjO095dHF-PCppCCDxokZVZlkgHlk8qcolqWBI-6yDPcjEIQyxHcYZNqf4uFChXIc2hPYSGxxfMO7xWVNGyk1bLafChYZGwd93z-hA',
 'token_type': 'DPoP',
 'expires_in': 600,
 'refresh_token': 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzIzODgyMTUsImV4cCI6MTczMjQ3NDYxNSwiY2xpZW50X2lkIjoiNTU1NSJ9.MJZy-fBMqDPe-Nx21pqF-_a3Rg0hUoAGL08jGHuVaUbtRO4liXwkJ-AtKayB8HJWIXMjQPG0fR6W6CbkhsVvpNnukzIJG2q6qO2i16skDVpddrjbAKdI-GAZoZhLWqJFkUVo-vWpfmDIwmS_k_Qzxz--CFVqg32uapDIePStuVJ2Yar4ra55mCjQKqBJsVhXjDIMEBB3IPSAj8H18FXXmMR0DilTU0wN4NNTCR_JoytB2YdWwCU1bZ-iXpl4VqAXCWGsKmV_C3is96oTnEu

In [17]:
signature = sing_signature(dpop_life_time=60*5, method="POST", url=f"{BASE_URL}/resource/history", data={"client_id": "5555"})
response = test_get_endpoint(url=f"{BASE_URL}/resource/history", client_signature=signature, access_token=access_token)
response

{'detail': 'Invalid claim: method mismatched.'}

## Invalid claims: url

In [18]:
signature = sing_signature(dpop_life_time=60*5, method="GET", url=f"{BASE_URL}/authorizer/token", data={"client_id": "5555"})
response = test_get_endpoint(url=f"{BASE_URL}/authorizer/token", client_signature=signature, access_token=None)
access_token = response['access_token']
refresh_token = response['refresh_token']
response

{'access_token': 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzIzODgyMjEsImV4cCI6MTczMjM4ODgyMSwiY2xpZW50X2lkIjoiNTU1NSIsImNuZiI6eyJqa3QiOiJIWEMwS1FtTkx4T2ZsdEhSU3k3Y25NRVVwbGpfUC1XdEJ2RjBDaEdJVmNRIn19.K3rczR1qpCNoYPWUojMZPsSqWypa2kgx7TR4_txWbJKtbMf2UdTkmT3NVoQjQcB7VEALRHDlf44lc4bkzPGEEajS0jro0kPVVQKF7J-838Fr0U3-7NfQdaxtit2ZFm7AqGPV53gBR2h4UahwLaa72SfzCgPZoKZo7PSRzF0s2NAjlX_asBC_S5PWJ08LnUe9m9boKR5ZodE9rouuvNYbrF9lCn1C-0ZV4LFseK3KriQId2ETMEYWW_-olJ2Px1WV5ReoHoAionNZ4bJ6H66NR_2O14bMb9aQdMFzeu66fjluoqUb3w2in4Y-Iy9c4UP_g7Mc7v8HrZeXDkooHVkZZg',
 'token_type': 'DPoP',
 'expires_in': 600,
 'refresh_token': 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MzIzODgyMjEsImV4cCI6MTczMjQ3NDYyMSwiY2xpZW50X2lkIjoiNTU1NSJ9.UXH9v4cFJk1K3v3h-VZwzFmtZNhGjOwvMZ129KlDK0l-Nfo8-o0c6qVxzcpHkMDm90M6XDcu7QSoAbIeZqABnziQjigvbDcUXtmwvzps_EVrFQCVHDiB55vwMCu5qJt_a78BcRlRzpEJI_uG_aMm9GK00KU2jzE_nXYeJZdAVybUKxT_yDvF0R8lx4LpXXjNHr2feLg5d0NR0m33uFmU8pVL28uv2-W9qq82ALm4YECDinmbRyclRQ4Zj4N_ZyoSu-TZPrh9UPboycuIIR1

In [19]:
signature = sing_signature(dpop_life_time=60*5, method="GET", url=f"{BASE_URL}/resource/history1", data={"client_id": "5555"})
response = test_get_endpoint(url=f"{BASE_URL}/resource/history", client_signature=signature, access_token=access_token)
response

{'detail': 'Invalid claim: url mismatched.'}