twisted cred for jwt
@implementer(IIDToken)
class IDTokenCredentials(object):
    """Credential object carrying a raw OpenID Connect ID token.

    ``id_token`` is the token exactly as received from the client (an
    opaque string here; it is only handed on to the verifier).  ``payload``
    starts out as ``None`` and is intended to receive the decoded claims
    once a checker has verified the token.
    """

    def __init__(self, id_token):
        self.id_token, self.payload = id_token, None
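@implementer(ICredentialsChecker)
class IDTokenChecker(object):
    """Twisted cred checker that accepts an OpenID Connect ID token.

    The token's signature is verified against a JWK set, then the
    ``aud``, ``iat`` and ``exp`` claims are checked before the ``sub``
    claim is returned as the avatar id.  Any rejection is reported as an
    ``UnauthorizedLogin`` failure rather than as a raw exception.
    """

    credentialInterfaces = (IIDToken,)

    def __init__(self, aud, jwks):
        """
        aud: OpenID Connect audience string
        jwks: a jwk key set, already decoded from json
        """
        self.aud = aud
        self.jwks = jwks
        # Not read by requestAvatarId, which stores the decoded claims on
        # the credentials object instead; kept for callers that may use it.
        self.payload = None

    def requestAvatarId(self, credentials, time=lambda: time.time(), slack=0):
        """Verify ``credentials.id_token`` and return its ``sub`` claim.

        credentials: an IIDToken provider; its ``payload`` attribute is
            set to the decoded claims once the signature verifies.
        time: zero-argument callable returning the current epoch seconds
            (injectable for testing).  NOTE: the parameter shadows the
            ``time`` module inside this method; the default lambda still
            resolves the module at call time because it is defined at
            class scope.
        slack: clock-skew tolerance in seconds, applied in the lenient
            direction (a token issued up to ``slack`` seconds in the future,
            or expired less than ``slack`` seconds ago, is still accepted).

        Returns the UTF-8 encoded ``sub`` claim, or a ``failure.Failure``
        wrapping ``UnauthorizedLogin`` describing why the token was rejected.
        """
        # Signature verification comes first: no claim is read from a token
        # that does not verify.  rsalette's exception types are not visible
        # here, so any verification error is mapped to UnauthorizedLogin
        # instead of leaking the raw exception type to the caller.  The
        # message is deliberately generic; the reason stays server-side.
        try:
            payload = rsalette.verify_jwt(credentials.id_token, self.jwks)
        except Exception:
            return failure.Failure(UnauthorizedLogin("Bad signature"))
        credentials.payload = payload

        now = time()
        # NOTE(review): this logs every claim in the ID token (which may
        # include profile data); consider restricting to sub/aud/iat/exp.
        log.debug(payload)

        # Every claim used below is required.  A missing one is an
        # authorization failure, not a KeyError surfacing to the caller.
        for claim in ('aud', 'iat', 'exp', 'sub'):
            if claim not in payload:
                return failure.Failure(
                    UnauthorizedLogin("Missing claim: %s" % claim))
        # iat/exp are NumericDate values; anything else must not reach the
        # comparisons below (a TypeError there would not be UnauthorizedLogin).
        for claim in ('iat', 'exp'):
            if not isinstance(payload[claim], (int, float)):
                return failure.Failure(
                    UnauthorizedLogin("Malformed claim: %s" % claim))

        # RFC 7519 allows "aud" to be either a single string or an array
        # of strings; accept the token if our audience is among them.
        aud = payload['aud']
        audiences = aud if isinstance(aud, (list, tuple)) else (aud,)
        if self.aud not in audiences:
            return failure.Failure(UnauthorizedLogin("Bad audience: %s" % (aud,)))

        # Clock skew: 'slack' (typically ~300 seconds) widens the acceptance
        # window.  The original compared against now - slack / now + slack,
        # which *narrowed* it and rejected a freshly issued token whenever
        # slack > 0.
        if payload['iat'] > (now + slack):
            return failure.Failure(UnauthorizedLogin("Token is not yet valid"))
        if payload['exp'] < (now - slack):
            return failure.Failure(UnauthorizedLogin("Token has expired"))

        return payload['sub'].encode('utf-8')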