o
    ^[2h!                     @   sX   d dl Z d dlmZ d dlmZ d dlmZ d dlmZ d dlm	Z	 G dd de	Z
dS )	    N)Optional)Uniongenerate_token)jwt)BearerTokenGeneratorc                       s   e Zd ZdZ			d fdd	Zdd Zdd	 Zd
eee	e f fddZ
d
ee fddZd
ee fddZd
ee	e  fddZd
efddZdd Z  ZS )JWTBearerTokenGeneratora  A JWT formatted access token generator.

    :param issuer: The issuer identifier. Will appear in the JWT ``iss`` claim.

    :param \\*\\*kwargs: Other parameters are inherited from
        :class:`~authlib.oauth2.rfc6750.token.BearerTokenGenerator`.

    This token generator can be registered into the authorization server::

        class MyJWTBearerTokenGenerator(JWTBearerTokenGenerator):
            def get_jwks(self): ...

            def get_extra_claims(self, client, grant_type, user, scope): ...


        authorization_server.register_token_generator(
            "default",
            MyJWTBearerTokenGenerator(
                issuer="https://authorization-server.example.org"
            ),
        )
    RS256Nc                    s"   t  | j|| || _|| _d S )N)super__init__access_token_generatorissueralg)selfr   r   refresh_token_generatorexpires_generator	__class__ m/home/skpark/git/infrasmart_work/infrasmart/venv/lib/python3.10/site-packages/authlib/oauth2/rfc9068/token.pyr   "   s
   
z JWTBearerTokenGenerator.__init__c                 C   s   t  )zReturn the JWKs that will be used to sign the JWT access token.
        Developers MUST re-implement this method::

            def get_jwks(self):
                return load_jwks("jwks.json")
        )NotImplementedError)r   r   r   r   get_jwks/   s   z JWTBearerTokenGenerator.get_jwksc                 C   s   i S )aY  Return extra claims to add in the JWT access token. Developers MAY
        re-implement this method to add identity claims like the ones in
        :ref:`specs/oidc` ID Token, or any other arbitrary claims::

            def get_extra_claims(self, client, grant_type, user, scope):
                return generate_user_info(user, scope)
        r   r   client
grant_typeuserscoper   r   r   get_extra_claims8   s   z(JWTBearerTokenGenerator.get_extra_claimsreturnc                 C   s   |  S )aj  Return the audience for the token. By default this simply returns
        the client ID. Developers MAY re-implement this method to add extra
        audiences::

            def get_audiences(self, client, user, scope):
                return [
                    client.get_client_id(),
                    resource_server.get_id(),
                ]
        )get_client_id)r   r   r   r   r   r   r   get_audiencesB   s   z%JWTBearerTokenGenerator.get_audiencesc                 C      dS )a  Authentication Context Class Reference.
        Returns a user-defined case-sensitive string indicating the class of
        authentication the user performed. The token audience may refuse to give
        access to some resources if some ACR criteria are not met.
        :ref:`specs/oidc` defines one special value: ``0`` means that the user
        authentication did not meet `ISO29115`_ level 1, and the user will be refused
        monetary operations. Developers MAY re-implement this method::

            def get_acr(self, user):
                if user.insecure_session():
                    return "0"
                return "urn:mace:incommon:iap:silver"

        .. _ISO29115: https://www.iso.org/standard/45138.html
        Nr   r   r   r   r   r   get_acrO   s   zJWTBearerTokenGenerator.get_acrc                 C   r!   )a}  User authentication time.
        Time when the End-User authentication occurred. Its value is a JSON number
        representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC
        until the date/time. Developers MAY re-implement this method::

            def get_auth_time(self, user):
                return datetime.timestamp(user.get_auth_time())
        Nr   r"   r   r   r   get_auth_timea      	z%JWTBearerTokenGenerator.get_auth_timec                 C   r!   )a{  Authentication Methods References.
        Defined by :ref:`specs/oidc` as an optional list of user-defined case-sensitive
        strings indicating which authentication methods have been used to authenticate
        the user. Developers MAY re-implement this method::

            def get_amr(self, user):
                return ["2FA"] if user.has_2fa_enabled() else []
        Nr   r"   r   r   r   get_amrl   r%   zJWTBearerTokenGenerator.get_amrc                 C   s   t dS )zJWT ID.
        Create a unique identifier for the token. Developers MAY re-implement
        this method::

            def get_jti(self, client, grant_type, user, scope):
                return generate_random_string(16)
           r   r   r   r   r   get_jtiw   s   zJWTBearerTokenGenerator.get_jtic              
   C   s   t t }|| || }| j|| || |||||d}|r)| |d< n| |d< 	 | ||||d< | | }rD||d< | 	| }	rO|	|d< | 
| }
rZ|
|d< || |||| | jdd	}tj|||  dd
}| S )N)issexp	client_idiatjtir   subFaud	auth_timeacramrzat+jwt)r   typ)keycheck)inttime_get_expires_inr   r   r(   get_user_idr    r$   r#   r&   updater   r   r   encoder   decode)r   r   r   r   r   now
expires_in
token_datar0   r1   r2   headeraccess_tokenr   r   r   r      s:   
z.JWTBearerTokenGenerator.access_token_generator)r	   NN)__name__
__module____qualname____doc__r   r   r   r   strlistr    r   r#   r6   r$   r&   r(   r   __classcell__r   r   r   r   r   
   s    	

r   )r7   typingr   r   authlib.common.securityr   authlib.joser   authlib.oauth2.rfc6750.tokenr   r   r   r   r   r   <module>   s    