o Df!@sdddlZddlmZddlmZddlmZddlmZddlmZddl m Z Gdd d e Z dS) N)List)Optional)Uniongenerate_token)jwt)BearerTokenGeneratorcseZdZdZ   dfdd ZddZdd Zd eee effd d Z d e efd dZ d e e fddZd e e efddZd efddZddZZS)JWTBearerTokenGeneratoraA JWT formatted access token generator. :param issuer: The issuer identifier. Will appear in the JWT ``iss`` claim. :param \*\*kwargs: Other parameters are inherited from :class:`~authlib.oauth2.rfc6750.token.BearerTokenGenerator`. This token generator can be registered into the authorization server:: class MyJWTBearerTokenGenerator(JWTBearerTokenGenerator): def get_jwks(self): ... def get_extra_claims(self, client, grant_type, user, scope): ... authorization_server.register_token_generator( 'default', MyJWTBearerTokenGenerator(issuer='https://authorization-server.example.org'), ) RS256Ncs"t|j||||_||_dS)N)super__init__access_token_generatorissueralg)selfrrrefresh_token_generatorexpires_generator __class__U/home/ubuntu/webapp/venv/lib/python3.10/site-packages/authlib/oauth2/rfc9068/token.pyr "s  z JWTBearerTokenGenerator.__init__cCst)zReturn the JWKs that will be used to sign the JWT access token. Developers MUST re-implement this method:: def get_jwks(self): return load_jwks("jwks.json") )NotImplementedError)rrrrget_jwks/sz JWTBearerTokenGenerator.get_jwkscCsiS)aYReturn extra claims to add in the JWT access token. Developers MAY re-implement this method to add identity claims like the ones in :ref:`specs/oidc` ID Token, or any other arbitrary claims:: def get_extra_claims(self, client, grant_type, user, scope): return generate_user_info(user, scope) rrclient grant_typeuserscoperrrget_extra_claims8sz(JWTBearerTokenGenerator.get_extra_claimsreturncCs|S)akReturn the audience for the token. By default this simply returns the client ID. Developpers MAY re-implement this method to add extra audiences:: def get_audiences(self, client, user, scope): return [ client.get_client_id(), resource_server.get_id(), ] ) get_client_id)rrrrrrr get_audiencesBs z%JWTBearerTokenGenerator.get_audiencescCdS)aAuthentication Context Class Reference. Returns a user-defined case sensitive string indicating the class of authentication the used performed. Token audience may refuse to give access to some resources if some ACR criterias are not met. :ref:`specs/oidc` defines one special value: ``0`` means that the user authentication did not respect `ISO29115`_ level 1, and will be refused monetary operations. Developers MAY re-implement this method:: def get_acr(self, user): if user.insecure_session(): return '0' return 'urn:mace:incommon:iap:silver' .. _ISO29115: https://www.iso.org/standard/45138.html Nrrrrrrget_acrOszJWTBearerTokenGenerator.get_acrcCr")a}User authentication time. Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. Developers MAY re-implement this method:: def get_auth_time(self, user): return datetime.timestamp(user.get_auth_time()) Nrr#rrr get_auth_timea z%JWTBearerTokenGenerator.get_auth_timecCr")a{Authentication Methods References. Defined by :ref:`specs/oidc` as an option list of user-defined case-sensitive strings indication which authentication methods have been used to authenticate the user. Developers MAY re-implement this method:: def get_amr(self, user): return ['2FA'] if user.has_2fa_enabled() else [] Nrr#rrrget_amrlr&zJWTBearerTokenGenerator.get_amrcCstdS)zJWT ID. Create an unique identifier for the token. Developers MAY re-implement this method:: def get_jti(self, client, grant_type, user scope): return generate_random_string(16) rrrrrget_jtiwszJWTBearerTokenGenerator.get_jtic Cstt}||||}|j|||||||||d}|r)||d<n||d< |||||d<||}rD||d<| |} rO| |d<| |} rZ| |d<| | |||||j dd } tj| ||dd } | S) N)issexp client_idiatjtirsubFaud auth_timeacramrzat+jwt)rtyp)keycheck)inttime_get_expires_inrr r) get_user_idr!r%r$r'updaterrrencoderdecode) rrrrrnow expires_in token_datar1r2r3header access_tokenrrrr s:     z.JWTBearerTokenGenerator.access_token_generator)r NN)__name__ __module__ __qualname____doc__r rrrstrrr!rr$r7r%r'r)r __classcell__rrrrr s       r ) r8typingrrrauthlib.common.securityr authlib.joserauthlib.oauth2.rfc6750.tokenrr rrrrs