o ^[2h)@sddlmZddlmZddlmZddlmZddlmZddlm Z ddl m Z dd l m Z d d l mZd d l mZd d l mZd dl mZGdddZdS))jwt) JoseError)AuthorizationServer) ClientMixin)InvalidRequestError)_validate_client)BasicOAuth2Payload) OAuth2Request)InvalidRequestObjectError)InvalidRequestUriError)RequestNotSupportedError)RequestUriNotSupportedErrorc@seZdZdZd dedefddZdefdd Zded efd d Z ded ed e defddZ ded ede fddZ d e de fddZde fddZd e fddZdefddZd e defddZdS)!JWTAuthenticationRequestaAuthorization server extension implementing the support for JWT secured authentication request, as defined in :rfc:`RFC9101 <9101>`. :param support_request: Whether to enable support for the ``request`` parameter. :param support_request_uri: Whether to enable support for the ``request_uri`` parameter. This extension is intended to be inherited and registered into the authorization server:: class JWTAuthenticationRequest(rfc9101.JWTAuthenticationRequest): def resolve_client_public_key(self, client: ClientMixin): return get_jwks_for_client(client) def get_request_object(self, request_uri: str): try: return requests.get(request_uri).text except requests.Exception: return None def get_server_metadata(self): return { "issuer": ..., "authorization_endpoint": ..., "require_signed_request_object": ..., } def get_client_require_signed_request_object(self, client: ClientMixin): return client.require_signed_request_object authorization_server.register_extension(JWTAuthenticationRequest()) Tsupport_requestsupport_request_uricCs||_||_dSN)rr)selfrrr|/home/skpark/git/infrasmart_work/infrasmart/venv/lib/python3.10/site-packages/authlib/oauth2/rfc9101/authorization_server.py__init__1s z!JWTAuthenticationRequest.__init__authorization_servercCs|d|jdS)Nbefore_get_authorization_grant) register_hookparse_authorization_request)rrrrr__call__5sz!JWTAuthenticationRequest.__call__requestcCsNt|j|jj}||||sdS|||}||||}t|}||_dSr)r query_clientpayload client_id"_shoud_proceed_with_request_object_get_raw_request_object_decode_request_objectr )rrrclientraw_request_objectrequest_objectrrrrr:s   z4JWTAuthenticationRequest.parse_authorization_requestr$returncCsd|jjvrd|jjvrtd|jjdd|jjvr&|js$t|jjddSd|jjvr8|js6t|jjddS||rEtd|jjd| }|rY| ddrYtd |jjddS) Nr request_urizBThe 'request' and 'request_uri' parameters are mutually exclusive.stateTGAuthorization requests for this client must use signed request objects.require_signed_request_objectFGAuthorization requests for this server must use signed request objects.) rdatarr*rrrr(get_client_require_signed_request_objectget_server_metadataget)rrrr$metadatarrrr!Ls2   z;JWTAuthenticationRequest._shoud_proceed_with_request_objectcCsDd|jjvr||jjd}|st|jjd|S|jjd}|S)Nr(r)r)rr.get_request_objectr r*)rrrr%rrrr"ws   z0JWTAuthenticationRequest._get_raw_request_objectr%c Cs||}z t||}|Wnty*}z t|jptj|jjd|d}~ww| |r?|j ddkr?t d|jjd| }|rZ| ddrZ|j ddkrZt d|jjd|d |jjkrjt d |jjdd |vsrd |vrzt d |jjd|S)N) descriptionr*algnoner+r)r,Fr-r z\The 'client_id' claim from the request parameters and the request object claims don't match.rr(zVThe 'request' and 'request_uri' parameters must not be included in the request object.)resolve_client_public_keyrdecodevalidaterr r4rr*r/headerrr0r1r )rrr$r%jwksr&errorr2rrrr#sR       z/JWTAuthenticationRequest._decode_request_objectr(cCt)aDownload the request object at ``request_uri``. This method must be implemented if the ``request_uri`` parameter is supported:: class JWTAuthenticationRequest(rfc9101.JWTAuthenticationRequest): def get_request_object(self, request_uri: str): try: return requests.get(request_uri).text except requests.Exception: return None NotImplementedError)rr(rrrr3 z+JWTAuthenticationRequest.get_request_objectcCr=)aResolve the client public key for verifying the JWT signature. A client may have many public keys, in this case, we can retrieve it via ``kid`` value in headers. Developers MUST implement this method:: class JWTAuthenticationRequest(rfc9101.JWTAuthenticationRequest): def resolve_client_public_key(self, client): if client.jwks_uri: return requests.get(client.jwks_uri).json return client.jwks r>rr$rrrresolve_client_public_keysr@z3JWTAuthenticationRequest.resolve_client_public_keyscCsiS)aReturn server metadata which includes supported grant types, response types and etc. When the ``require_signed_request_object`` claim is :data:`True`, all clients require that authorization requests use request objects, and an error will be returned when the authorization request payload is passed in the request body or query string:: class JWTAuthenticationRequest(rfc9101.JWTAuthenticationRequest): def get_server_metadata(self): return { "issuer": ..., "authorization_endpoint": ..., "require_signed_request_object": ..., } r)rrrrr0sz,JWTAuthenticationRequest.get_server_metadatacCsdS)aIReturn the 'require_signed_request_object' client metadata. When :data:`True`, the client requires that authorization requests use request objects, and an error will be returned when the authorization request payload is passed in the request body or query string:: class JWTAuthenticationRequest(rfc9101.JWTAuthenticationRequest): def get_client_require_signed_request_object(self, client): return client.require_signed_request_object If not implemented, the value is considered as :data:`False`. FrrArrrr/s zAJWTAuthenticationRequest.get_client_require_signed_request_objectN)TT)__name__ __module__ __qualname____doc__boolrrrr rrr!strr"r#r3rBdictr0r/rrrrrsD   +  <rN) authlib.joserauthlib.jose.errorsrrfc6749rrrrfc6749.authenticate_clientrrfc6749.requestsr r errorsr r rrrrrrrs