diff options
author | Frederick Muriuki Muriithi | 2024-05-02 16:44:06 +0300 |
---|---|---|
committer | Frederick Muriuki Muriithi | 2024-05-02 16:44:06 +0300 |
commit | 51e3a545d7380e5b1983b0a1e8b5088a88efe522 (patch) | |
tree | f61a282466ac03b10c30884e011efcdbf3b4713f /gn_auth | |
parent | 2af73069f74d68837d83d2032ea85c6dbe7c19c0 (diff) | |
download | gn-auth-51e3a545d7380e5b1983b0a1e8b5088a88efe522.tar.gz |
Include refresh tokens with generated JWT
This shim enables us to have a refresh token with the JWT. This might
not be the way to refresh JWTs - this is because the
`authlib.oauth2.rfc7523.token.JWTBearerTokenGenerator.__call__(…)`
method has a comment that states:
# there is absolutely no refresh token in JWT format
Searching on the internet, however, seems to indicate that JWTs can be
used in conjunction with refresh tokens... We need to verify this and
fix this if necessary.
Diffstat (limited to 'gn_auth')
-rw-r--r-- | gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py b/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py index 895acb7..8e2f082 100644 --- a/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py +++ b/gn_auth/auth/authentication/oauth2/grants/jwt_bearer_grant.py @@ -1,6 +1,7 @@ """JWT as Authorisation Grant""" from flask import current_app as app +from authlib.common.security import generate_token from authlib.oauth2.rfc7523.jwt_bearer import JWTBearerGrant as _JWTBearerGrant from authlib.oauth2.rfc7523.token import ( JWTBearerTokenGenerator as _JWTBearerTokenGenerator) @@ -30,6 +31,25 @@ class JWTBearerTokenGenerator(_JWTBearerTokenGenerator): "sub": str(tokendata["sub"])} + def __call__(self, grant_type, client, user=None, scope=None, + expires_in=None, include_refresh_token=True): + # there is absolutely no refresh token in JWT format + """ + The default generator does not provide refresh tokens with JWT. It goes + so far as to state "there is absolutely no refresh token in JWT format". + + This shim allows us to have a refresh token. We should probably look for + a supported way of using JWTs with refresh capability. + """ + token = self.generate(grant_type, client, user, scope, expires_in) + if include_refresh_token: + return { + **token, + "refresh_token": generate_token(length=42) + } + return token + + class JWTBearerGrant(_JWTBearerGrant): """Implement JWT as Authorisation Grant.""" @@ -57,3 +77,17 @@ class JWTBearerGrant(_JWTBearerGrant): Check if the client has permission to access the given user's resource. """ return True # TODO: Check this!!! + + def create_token_response(self): + """If valid and authorized, the authorization server issues an access + token. + """ + token = self.generate_token( + scope=self.request.scope, + user=self.request.user, + include_refresh_token=self.request.client.check_grant_type( + "refresh_token") + ) + app.logger.debug('Issue token %r to %r', token, self.request.client) + self.save_token(token) + return 200, token, self.TOKEN_RESPONSE_HEADER |