Merge pull request #820 from uc-cdis/chore/add-client-id

Add Client_ID to Audiences
uc-cdis · Aug 19, 2020 · 1eaa204 · 1eaa204
2 parents 894bc39 + 27ba2f9
commit 1eaa204
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 2 deletions.
diff --git a/fence/jwt/token.py b/fence/jwt/token.py
@@ -27,7 +27,7 @@
     "google_credentials": "Receive temporary Google credentials to access data on Google.",
     "google_service_account": "Allow registration of external Google service accounts to access data.",
     "admin": "View and update user authorizations.",
-    "ga4gh_passport_v1": "Retrieve ga4gh passports and visas",
+    "ga4gh_passport_v1": "Retrieve GA4GH Passports and Visas",
 }
 
 
@@ -377,10 +377,16 @@ def generate_signed_access_token(
                 "must provide value for `iss` (issuer) field if"
                 " running outside of flask application"
             )
+    audiences = []
+    if client_id:
+        audiences.append(client_id)
+    # append scopes for backwards compatibility
+    # eventual goal is to remove scopes from `aud`
+    audiences = audiences + scopes
 
     claims = {
         "pur": "access",
-        "aud": scopes,
+        "aud": audiences,
         "sub": sub,
         "iss": iss,
         "iat": iat,

diff --git a/tests/jwt/test_tokens.py b/tests/jwt/test_tokens.py
@@ -0,0 +1,38 @@
+import pytest
+import random
+import string
+import jwt
+
+from tests.utils import iat_and_exp
+
+from fence.jwt.token import generate_signed_access_token, generate_signed_session_token
+from fence.jwt.errors import JWTSizeError
+
+
+def test_passport_access_token(app, kid, rsa_private_key, test_user_a):
+    """
+    Test that generate_signed_access_token is a valid GA4GH Passport Access Token
+    as specified: https://github.com/ga4gh/data-security/blob/master/AAI/AAIConnectProfile.md#ga4gh-jwt-format
+
+    The scopes argument is ["openid", "user", "ga4gh_passport_v1"] because there is currently no fixture for scopes in /tests/conftest.py,
+    but default_claims() in /tests/utils/__init__.py sets aud = ["openid", "user"].
+    """
+    _, exp = iat_and_exp()
+    jwt_token = generate_signed_access_token(
+        kid,
+        rsa_private_key,
+        test_user_a,
+        exp,
+        ["openid", "user", "ga4gh_passport_v1"],
+        client_id="client_a",
+    )
+    payload = jwt.decode(jwt_token.token, verify=False)
+    # assert required fields exist
+    assert payload["iss"] is not None or ""
+    assert payload["sub"] is not None or ""
+    assert payload["iat"] is not None
+    assert payload["exp"] == payload["iat"] + exp
+    assert payload["scope"] == ["openid", "user", "ga4gh_passport_v1"]
+    assert isinstance(payload["aud"], list)
+    # assert client_id in audiences
+    assert "client_a" in payload["aud"]