forked from Azure-Samples/ms-identity-python-on-behalf-of
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathauthorization.py
84 lines (75 loc) · 3.44 KB
/
authorization.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
#refactored from https://github.com/Azure-Samples/ms-identity-python-webapi-azurefunctions/blob/master/Function/secureFlaskApp/__init__.py
from flask import request
from functools import wraps
from jose import jwt
import os
from helpers.requests_helper import RequestsHelper
# Error handler
class AuthError(Exception):
def __init__(self, error, status_code):
self.error = error
self.status_code = status_code
def get_token_auth_header():
"""Obtains the Access Token from the Authorization Header
"""
auth = request.headers.get("Authorization", None)
if not auth:
raise AuthError({"code": "authorization_header_missing",
"description":
"Authorization header is expected"}, 401)
parts = auth.split()
if parts[0].lower() != "bearer":
raise AuthError({"code": "invalid_header",
"description":
"Authorization header must start with"
" Bearer"}, 401)
elif len(parts) == 1:
raise AuthError({"code": "invalid_header",
"description": "Token not found"}, 401)
elif len(parts) > 2:
raise AuthError({"code": "invalid_header",
"description":
"Authorization header must be"
" Bearer token"}, 401)
token = parts[1]
return token
def requires_jwt_authorization(f):
"""Determines if the Access Token is valid
"""
@wraps(f)
def decorated(*args, **kwargs):
try:
token = get_token_auth_header()
key_url = os.environ.get("AUTHORITY") + "/discovery/v2.0/keys"
jwks = RequestsHelper.get_discovery_key_session().get(key_url).json()
unverified_header = jwt.get_unverified_header(token)
rsa_key = {}
for key in jwks["keys"]:
if key["kid"] == unverified_header["kid"]:
rsa_key = {
"kty": key["kty"],
"kid": key["kid"],
"use": key["use"],
"n": key["n"],
"e": key["e"]
}
except Exception as exc:
raise AuthError({"code": "invalid_header","description":"Unable to parse authorization"" token."}, 401) from exc
if rsa_key:
try:
payload = jwt.decode(
token,
rsa_key,
algorithms=["RS256"],
audience=os.environ.get("CLIENT_ID"),
issuer=os.environ.get("ISSUER")
)
except jwt.ExpiredSignatureError as jwt_expired_exc:
raise AuthError({"code": "token_expired","description": "token is expired"}, 401) from jwt_expired_exc
except jwt.JWTClaimsError as jwt_claims_exc:
raise AuthError({"code": "invalid_claims","description":"incorrect claims,""please check the audience and issuer"}, 401) from jwt_claims_exc
except Exception as exc:
raise AuthError({"code": "invalid_header","description":"Unable to parse authorization"" token."}, 401) from exc
return f(*args, **kwargs)
raise AuthError({"code": "invalid_header","description": "Unable to find appropriate key"}, 401) from exc
return decorated