aboutsummaryrefslogtreecommitdiff
path: root/gn_auth/auth/authentication
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2024-05-06 07:31:42 +0300
committerFrederick Muriuki Muriithi2024-05-06 07:31:42 +0300
commitab04428463518d05594491ca159f5ab0d7575721 (patch)
treef541a058e057320f4065e189b315cc9e0b2952dd /gn_auth/auth/authentication
parent51e3a545d7380e5b1983b0a1e8b5088a88efe522 (diff)
downloadgn-auth-ab04428463518d05594491ca159f5ab0d7575721.tar.gz
Add `jti` claim
Have each JWT token have a `jti` claim (JWT ID) to help with tracking refreshes, and therefore validity of the JWTs. If a refresh token is used more than once, then that refresh token, and all its progeny/descendants are considered invalid, since that token could have been stolen.
Diffstat (limited to 'gn_auth/auth/authentication')
-rw-r--r--gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py10
1 files changed, 9 insertions, 1 deletions
diff --git a/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py b/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py
index 8e2f082..5e12575 100644
--- a/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py
+++ b/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py
@@ -1,4 +1,6 @@
"""JWT as Authorisation Grant"""
+import uuid
+
from flask import current_app as app
from authlib.common.security import generate_token
@@ -28,7 +30,9 @@ class JWTBearerTokenGenerator(_JWTBearerTokenGenerator):
key: str(value) if key.endswith("_id") else value
for key, value in tokendata.items()
},
- "sub": str(tokendata["sub"])}
+ "sub": str(tokendata["sub"]),
+ "jti": str(uuid.uuid4())
+ }
def __call__(self, grant_type, client, user=None, scope=None,
@@ -54,6 +58,10 @@ class JWTBearerGrant(_JWTBearerGrant):
"""Implement JWT as Authorisation Grant."""
TOKEN_ENDPOINT_AUTH_METHODS = ["client_secret_post", "client_secret_jwt"]
+ CLAIMS_OPTIONS = {
+ **_JWTBearerGrant.CLAIMS_OPTIONS,
+ "jti": {"essential": True}
+ }
def resolve_issuer_client(self, issuer):