YleTunnus: Verify incoming JWT token
juyrjola committed Jun 13, 2018
1 parent a474265 commit 20e8275
Showing 2 changed files with 7 additions and 4 deletions.
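--- a/yletunnus/backends.py
+++ b/yletunnus/backends.py
@@ -31,5 +31,8 @@ def get_user_details(self, response):
 }
 
 def user_data(self, access_token, *args, **kwargs):
-data = jwt.decode(access_token, secret=self.setting('SECRET'), verify=False)
+data = jwt.decode(
+access_token, key=self.setting('SECRET'), algorithms=('HS256', 'HS512'),
+verify=True, issuer='https://auth.api.yle.fi', audience=self.setting('KEY')
+)
 return data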
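Review bot: The new `jwt.decode(...)` call in `user_data` checks signature, issuer and audience, but PyJWT validates `exp` only when the claim is present, so a correctly signed token that carries no expiry would be accepted indefinitely. Requiring the claim closes that gap: in the PyJWT 1.x series that was current when this commit was made the spelling is `options={'require_exp': True}`, and newer releases use `options={'require': ['exp']}`; which release the project pins is not visible here. Verification failures now propagate out of `user_data` as PyJWT's `InvalidTokenError` subclasses, which fails closed, but unless a caller outside this hunk translates them a bad token surfaces as an unhandled error rather than an authentication failure. `verify=True` is the default and can be dropped.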
6 changes: 3 additions & 3 deletions yletunnus/tests/test_backend.py
Expand Up @@ -12,7 +12,7 @@


class YleTunnusOAuth2Test(OAuth2Test):
client_key = 'a-key'
client_key = 'a-client-id'
client_secret = 'a-secret-key'

backend_path = 'yletunnus.backends.YleTunnusOAuth2'
Expand Down Expand Up @@ -69,8 +69,8 @@ def prepare_access_token_body(self, client_key=None, tamper_message=False,
timegm(issue_datetime.utctimetuple())
)

key = SYMKey(key=self.client_key, alg='HS512')
body['access_token'] = JWS(id_token, jwk=key, alg='HS512').sign_compact()
key = SYMKey(key=self.client_secret, alg='HS256')
body['access_token'] = JWS(id_token, jwk=key, alg='HS256').sign_compact()
if tamper_message:
header, msg, sig = body['id_token'].split('.')
id_token['sub'] = '1235'
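Review bot: Nothing in this section shows a negative case for the verification this commit turns on: the `tamper_message` branch at the end of the second hunk still reads `body['id_token']`, while the signed JWT is stored in `body['access_token']`, so it is unclear from here whether a tampered access token is ever fed to `user_data`. Tests asserting that a token signed with the wrong secret, or carrying a different `iss` or `aud`, is rejected would pin the new behaviour. The signing lines also exercise a single algorithm, whereas the backend accepts both `HS256` and `HS512`. `prepare_access_token_body` starts and ends outside the hunk, so the tamper branch may be completed further down.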