blob: 2e2ff734dbb077f643070ff4f349f36cb838a87f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
import json
import urllib.request
from .api_jwk import PyJWKSet
from .api_jwt import decode_complete as decode_token
from .exceptions import PyJWKClientError
class PyJWKClient:
def __init__(self, uri):
self.uri = uri
def fetch_data(self):
with urllib.request.urlopen(self.uri) as response:
return json.load(response)
def get_jwk_set(self):
data = self.fetch_data()
return PyJWKSet.from_dict(data)
def get_signing_keys(self):
jwk_set = self.get_jwk_set()
signing_keys = []
for jwk_set_key in jwk_set.keys:
if jwk_set_key.public_key_use == "sig" and jwk_set_key.key_id:
signing_keys.append(jwk_set_key)
if len(signing_keys) == 0:
raise PyJWKClientError("The JWKS endpoint did not contain any signing keys")
return signing_keys
def get_signing_key(self, kid):
signing_keys = self.get_signing_keys()
signing_key = None
for key in signing_keys:
if key.key_id == kid:
signing_key = key
break
if not signing_key:
raise PyJWKClientError(
f'Unable to find a signing key that matches: "{kid}"'
)
return signing_key
def get_signing_key_from_jwt(self, token):
unverified = decode_token(token, options={"verify_signature": False})
header = unverified["header"]
return self.get_signing_key(header.get("kid"))
|