From ac67d4df8cf9eade1b5c05d928e027fedac7aa6d Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 21 Jan 2020 13:05:39 +0100
Subject: [PATCH] auth_oidc: use simple strings in exceptions (#39136)

---
 src/authentic2_auth_oidc/utils.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/src/authentic2_auth_oidc/utils.py b/src/authentic2_auth_oidc/utils.py
index ecf797bd..26ef4570 100644
--- a/src/authentic2_auth_oidc/utils.py
+++ b/src/authentic2_auth_oidc/utils.py
@@ -27,7 +27,7 @@ from authentic2.decorators import GlobalCache
 from authentic2.models import Attribute
 from authentic2.a2_rbac.utils import get_default_ou
-from jwcrypto.jwt import JWT, JWTMissingKey
+from jwcrypto.jwt import JWT, JWTMissingKey, JWTMissingKeyID
 from jwcrypto.jwk import JWK
 from jwcrypto.common import (JWException, InvalidJWAAlgorithm, json_decode, base64url_encode)
@@ -74,18 +74,19 @@ def parse_id_token(encoded, provider):
     jwt.deserialize(encoded, None)
     header = jwt.token.jose_header
-    if header['alg'] in ('RS256', 'RS384', 'RS512'):
-        key = provider.jwkset.get_key(kid=header.get('kid'))
+    alg = header.get('alg')
+
+    if alg in ('RS256', 'RS384', 'RS512'):
+        kid = header.get('kid')
+        if not kid:
+            raise JWTMissingKeyID()
+        key = provider.jwkset.get_key(kid=kid)
         if not key:
-            raise JWTMissingKey(
-                _('Unknown RSA key identifier %(kid)s for provider %(provider)s') %
-                {'kid': header.get('kid'), 'provider': provider})
-    elif header['alg'] in ('HS256', 'HS384', 'HS512'):
-        key = JWK(kty='oct', k=base64url_encode(
-            provider.client_secret.encode('utf-8')))
+            raise JWTMissingKey('Key ID %r not in key set' % kid)
+    elif alg in ('HS256', 'HS384', 'HS512'):
+        key = JWK(kty='oct', k=base64url_encode(provider.client_secret.encode('utf-8')))
     else:
-        raise InvalidJWAAlgorithm(
-            _('Unsupported %s signature algorithm') % header['alg'])
+        raise InvalidJWAAlgorithm(repr(alg))
     jwt = JWT()
     jwt.deserialize(encoded, key)
--
2.24.0
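Review bot: The new `alg = header.get('alg')` line reads the algorithm from the still-unverified JOSE header, and the branches below let that value choose between the provider's RSA key set and an HMAC key derived from `client_secret`, so the token rather than the provider configuration decides which of the two verification paths runs. Consider gating `alg` against an allow-list carried by the provider record before the `if alg in (...)` chain and routing anything else into the existing `InvalidJWAAlgorithm` branch; the page does not show what the provider model exposes, so the attribute name would be a placeholder until checked, and at minimum a comment such as `# alg is taken from the unverified header; only the provider's configured algorithms should be accepted here` records the assumption. The rewritten messages also drop the `provider` context the old `_('Unknown RSA key identifier ...')` text carried, which is what an operator needs to find a stale key set; `raise JWTMissingKey('Key ID %r not in key set for provider %r' % (kid, provider))` keeps it while staying a plain string. parse_id_token begins before the hunk and, judging by the hunk counts, appears to continue past `jwt.deserialize(encoded, key)`.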