From c716960e97caf0ed6637d955ceee0c6c569f00dd Mon Sep 17 00:00:00 2001
From: kriss
Date: Mon, 24 Jun 2024 08:45:08 +0200
Subject: [PATCH] access token verification on API endpoint

---
app.py | 14 +++++++++++---
requirements.txt | 1 +
2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/app.py b/app.py
index 8d4266d..90024cc 100644
--- a/app.py
+++ b/app.py
@@ -1,10 +1,12 @@
 import requests
+import jwt
 from authlib.integrations.base_client import OAuthError
 from authlib.integrations.flask_client import OAuth
 from flask import Flask, request, redirect, session, render_template, url_for, make_response
+
 app = Flask(__name__)
 app.config['SECRET_KEY'] = 'onelogindemopytoolkit'
@@ -33,7 +35,11 @@ def api():
 # it is not OK to use ID token to check API authorization on server side
 if 'accessToken' in request.args:
 access_token = request.args['accessToken']
- #claims = oidcclient.validate_jwt(access_token)
+ jwks_uri = f"{issuer}/protocol/openid-connect/certs"
+ jwks_client = jwt.PyJWKClient(jwks_uri)
+ key = jwks_client.get_signing_key_from_jwt(access_token)
+ data = jwt.decode(access_token, key.key, algorithms=["RS256"], audience='client-oidc', options={'verify_signature': True, 'verify_aud': True})
+ print(data)
 not_auth_warn = False
 # TODO verify token and check role
 return render_template(
@@ -88,8 +94,10 @@ def index():
 response.set_cookie('accessToken', '', expires=0)
 response.set_cookie('refreshToken', '', expires=0)
 response.set_cookie('idToken', '', expires=0)
- del session['name']
- del session['email']
+ if 'name' in session:
+ del session['name']
+ if 'email' in session:
+ del session['email']
 return response
 elif 'error' in request.args:
 not_auth_warn = True
diff --git a/requirements.txt b/requirements.txt
index f315456..4967fef 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 authlib
 flask
+PyJWT
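Review bot: `get_signing_key_from_jwt` and `jwt.decode` in the new block raise `jwt.PyJWTError` subclasses for a malformed, expired, wrongly signed or wrong-audience token (and for a failed JWKS fetch or unknown `kid`), and nothing catches them, so a bad token turns into a 500 from the handler instead of an unauthorized response, with `not_auth_warn` only assigned on the success path. PyJWT does not check the `iss` claim unless `issuer=issuer` is passed to `jwt.decode`, so a token minted by a different issuer whose key the client can resolve would be accepted; the `options` dict only restates PyJWT's defaults and can be dropped. Constructing `jwt.PyJWKClient(jwks_uri)` inside the handler refetches the JWKS document over HTTP on every API call and bypasses the client's key cache; build it once at module level, e.g. `jwks_client = jwt.PyJWKClient(f"{issuer}/protocol/openid-connect/certs")`, next to `issuer` (referenced here but defined outside the hunk, presumably a module-level constant). `print(data)` writes the full claim set, with whatever identity claims the provider includes, to stdout on every call, and the claims are otherwise unused, so the `# TODO verify token and check role` comment still applies; `api()` continues past the hunk into the `render_template` call.
```python
        access_token = request.args['accessToken']
        try:
            # jwks_client is built once at module level so its key cache is reused
            key = jwks_client.get_signing_key_from_jwt(access_token)
            claims = jwt.decode(
                access_token,
                key.key,
                algorithms=["RS256"],
                audience='client-oidc',
                issuer=issuer,
            )
        except jwt.PyJWTError:
            # invalid, expired, mis-issued or unresolvable token: refuse, do not 500
            not_auth_warn = True
        else:
            not_auth_warn = False
            # TODO check the role carried in `claims` before granting access
        # … unchanged: render_template call …
```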
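Review bot: The four added lines in `index()` are the hand-rolled form of `dict.pop` with a default; `session.pop('name', None)` and `session.pop('email', None)` do the same in two lines without the membership test (style only). Since this branch also clears the three token cookies, it looks like the logout path, and `session.clear()` would additionally drop any other keys the login flow stored — but that is a behaviour change to confirm against what else the app puts in `session`. `index()` starts and ends outside the hunk.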
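Review bot: A bare `PyJWT` entry does not pull in the `cryptography` package that RS256 verification and `jwt.PyJWKClient` depend on, so the new `jwt.decode(..., algorithms=["RS256"])` call in `app.py` fails at runtime on a fresh install; the line should be `PyJWT[crypto]`. Since `PyJWKClient` is a PyJWT 2.x API, a floor such as `PyJWT[crypto]>=2.0` would also make the requirement explicit instead of relying on whatever the resolver picks.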