27 |
27 |
from authentic2.models import Attribute
|
28 |
28 |
from authentic2.a2_rbac.utils import get_default_ou
|
29 |
29 |
|
30 |
|
from jwcrypto.jwt import JWT, JWTMissingKey
|
|
30 |
from jwcrypto.jwt import JWT, JWTMissingKey, JWTMissingKeyID
|
31 |
31 |
from jwcrypto.jwk import JWK
|
32 |
32 |
from jwcrypto.common import (JWException, InvalidJWAAlgorithm, json_decode,
|
33 |
33 |
base64url_encode)
|
... | ... | |
74 |
74 |
jwt.deserialize(encoded, None)
|
75 |
75 |
header = jwt.token.jose_header
|
76 |
76 |
|
77 |
|
if header['alg'] in ('RS256', 'RS384', 'RS512'):
|
78 |
|
key = provider.jwkset.get_key(kid=header.get('kid'))
|
|
77 |
alg = header.get('alg')
|
|
78 |
|
|
79 |
if alg in ('RS256', 'RS384', 'RS512'):
|
|
80 |
kid = header.get('kid')
|
|
81 |
if not kid:
|
|
82 |
raise JWTMissingKeyID()
|
|
83 |
key = provider.jwkset.get_key(kid=kid)
|
79 |
84 |
if not key:
|
80 |
|
raise JWTMissingKey(
|
81 |
|
_('Unknown RSA key identifier %(kid)s for provider %(provider)s') %
|
82 |
|
{'kid': header.get('kid'), 'provider': provider})
|
83 |
|
elif header['alg'] in ('HS256', 'HS384', 'HS512'):
|
84 |
|
key = JWK(kty='oct', k=base64url_encode(
|
85 |
|
provider.client_secret.encode('utf-8')))
|
|
85 |
raise JWTMissingKey('Key ID %r not in key set' % kid)
|
|
86 |
elif alg in ('HS256', 'HS384', 'HS512'):
|
|
87 |
key = JWK(kty='oct', k=base64url_encode(provider.client_secret.encode('utf-8')))
|
86 |
88 |
else:
|
87 |
|
raise InvalidJWAAlgorithm(
|
88 |
|
_('Unsupported %s signature algorithm') % header['alg'])
|
|
89 |
raise InvalidJWAAlgorithm(repr(alg))
|
89 |
90 |
|
90 |
91 |
jwt = JWT()
|
91 |
92 |
jwt.deserialize(encoded, key)
|
92 |
|
-
|
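Review bot: The new `kid` check at lines 80–82 rejects every RSA-signed token whose header omits `kid`, including tokens from a provider whose key set holds exactly one key, where the identifier is optional; a safer shape is to fall back to that sole key and raise `JWTMissingKeyID()` only when the set has several keys and no `kid` disambiguates them. The branch at line 79 also still chooses between RSA and HMAC verification from the not-yet-verified header `alg`; comparing `alg` with the signing algorithm the provider is configured to use before selecting a key would stop token content from steering that choice. The error messages at lines 85 and 89 drop the `_()` wrapping the replaced lines carried, so they are no longer translated. The enclosing function begins before line 74, outside this hunk, and the hunk may continue past the removed line 92.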