twisted cred for jwt
@implementer(IIDToken)
class IDTokenCredentials(object):
    """Credentials object carrying a raw OpenID Connect ID token (a JWT).

    ``id_token`` is the compact-serialized token exactly as received from
    the client, i.e. not yet verified. ``payload`` starts out as ``None``
    and is filled in with the decoded claims by the credentials checker
    after it has verified the token.
    """

    def __init__(self, id_token):
        # Nothing has been verified yet, so there are no claims to expose.
        self.payload = None
        self.id_token = id_token
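@implementer(ICredentialsChecker)
class IDTokenChecker(object):
    """Twisted cred checker that validates an OpenID Connect ID token (JWT).

    ``requestAvatarId`` has ``rsalette.verify_jwt`` verify the token against
    ``jwks``, then checks the ``aud``, ``iat`` and ``exp`` claims and returns
    the ``sub`` claim as the avatar id.
    """

    credentialInterfaces = (IIDToken,)

    def __init__(self, aud, jwks):
        """
        aud: OpenID Connect audience string (this relying party's client_id)
        jwks: a jwk key set, already decoded from json
        """
        self.aud = aud
        self.jwks = jwks
        # Kept for compatibility only. The verified claims are stored on the
        # per-request credentials object, never on this checker, which is
        # shared between requests.
        self.payload = None

    def requestAvatarId(self, credentials, time=lambda: time.time(), slack=0):
        """Verify ``credentials.id_token`` and return its ``sub`` as the avatar id.

        credentials: an IIDToken provider; its ``payload`` attribute is set to
            the decoded claims as a side effect.
        time: zero-argument callable returning the current POSIX time. In the
            default lambda ``time`` resolves at call time to the module (the
            parameter name shadows it only inside this method's body).
        slack: leeway in seconds for clock skew between the issuer and this
            host: ``iat`` may lie up to ``slack`` seconds in the future and
            ``exp`` up to ``slack`` seconds in the past. With ``slack=0`` the
            checks are exact.

        Returns ``bytes`` (the ``sub`` claim), or a ``failure.Failure``
        wrapping ``UnauthorizedLogin`` when a claim check fails. An error
        raised by ``rsalette.verify_jwt`` (e.g. a bad signature) still
        propagates as an exception rather than a Failure.
        """
        # what to do with the user profile? local avatar registry?
        # try/catch to return Failure on bad signature... (TODO: needs the
        # exception types rsalette.verify_jwt raises)
        payload = rsalette.verify_jwt(credentials.id_token, self.jwks)
        credentials.payload = payload
        # NOTE: this logs every claim in the token, which may include
        # personal data (e.g. an email claim); keep it at debug level.
        log.debug(payload)
        now = time()
        return self._check_claims(payload, now, slack)

    def _check_claims(self, payload, now, slack):
        """Check aud/iat/exp of an already verified payload; return sub or a Failure."""
        # RFC 7519 / OIDC Core allow ``aud`` to be a single string or an
        # array of strings; accept the token if our audience is among them.
        aud = payload.get('aud')
        audiences = aud if isinstance(aud, list) else [aud]
        if self.aud not in audiences:
            return failure.Failure(UnauthorizedLogin("Bad audience: %s" % (aud,)))
        try:
            iat = payload['iat']
            exp = payload['exp']
            # Issued further in the future than the skew leeway allows.
            # (Previously ``iat > now - slack``, which rejected every token
            # issued within the last ``slack`` seconds.)
            if iat > now + slack:
                return failure.Failure(UnauthorizedLogin("Token is not yet valid"))
            # Expired more than ``slack`` seconds ago.
            if exp + slack < now:
                return failure.Failure(UnauthorizedLogin("Token has expired"))
            sub = payload['sub']
        except KeyError as e:
            # A token without iat/exp/sub must not be accepted.
            return failure.Failure(UnauthorizedLogin("Missing claim: %s" % (e.args[0],)))
        except TypeError:
            # Non-numeric iat/exp cannot be compared against ``now``.
            return failure.Failure(UnauthorizedLogin("Malformed timestamp claim"))
        return sub.encode('utf-8')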