Commit message
* Add `as_dict` option to `Algorithm.to_jwt`
* Update unit tests
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* fixup! Add `as_dict` option to `Algorithm.to_jwt`
* fixup! Add `as_dict` option to `Algorithm.to_jwt`
* fixup! Update unit tests
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Fix type errors
* Fix tox test errors
* Fix typing for Python 3.7
* Add OKP jwk tests
* Add `pragma: no cover` to method overloads
* Add pragma: no cover to exclude lines
---------
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Tim Waterson <tim.waterson@risilience.com>
* Use new style typing
* Fix type annotations to allow all keys
* Use string type annotations where required
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Remove outdated comment
* Ignore `if TYPE_CHECKING:` lines in coverage
* Remove duplicate test
* Fix mypy errors
* Update algorithms.py
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Fully switch to modern annotations
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Update `pre-commit` mypy config
* Use Python 3.11 for mypy
* Update mypy Python version in `pyproject.toml`
* A few mypy fixes in tests
* Fix mypy errors in tests
* Fix key imports
* Remove unused import
* Fix randomly failing test
---------
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Asif Saif Uddin <auvipy@gmail.com>
This change adds a new `PyJWKClientConnectionError` exception which
helps to differentiate connection errors from other types of failures
when calling methods such as `get_signing_key_from_jwt()`. This allows
users to do things like retry the method if there's a connection issue.
By default, the timeout for urlopen is socket._GLOBAL_DEFAULT_TIMEOUT
which is None (meaning that the request never times out):
https://docs.python.org/3/library/socket.html#socket.getdefaulttimeout
This change sets the timeout to 30 but also adds a timeout variable
users can set.
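The two entries above (the dedicated `PyJWKClientConnectionError` and the `urlopen` timeout) describe one failure mode from two sides: a request with no deadline can hang the verifier forever, and once a deadline exists the caller needs to tell transport failures apart from everything else so that only those are retried. The following is an added example, not PyJWT's code. It uses `urllib.request` against a throwaway in-process HTTP server that serves a constructed JWK Set and, on `/stall`, holds the connection open without answering. `JWKSConnectionError`, `fetch_jwks` and `fetch_jwks_with_retry` are names chosen here and stand in for the library's `PyJWKClientConnectionError` and `PyJWKClient` rather than reproducing them.

```python
"""Bounded JWKS fetch with retry only on connection-level failures.

Added example (not PyJWT's own code). Names and the sample JWK Set are
constructed for illustration.
"""
import http.server
import json
import threading
import urllib.error
import urllib.request

# Constructed JWK Set served by the toy endpoint below; "k" is a throwaway
# value, not a real secret.
SAMPLE_JWKS = {"keys": [{"kty": "oct", "kid": "demo", "alg": "HS256", "k": "ZGVtbw"}]}


class JWKSConnectionError(Exception):
    """Hypothetical: transport failure (connect/read timeout, refused, DNS)."""


def fetch_jwks(url, timeout=30.0):
    """GET a JWK Set with a hard deadline on both connect and read.

    timeout=None would fall back to socket.getdefaulttimeout(), which is None
    unless something set it, so the request could block indefinitely.
    """
    if timeout is None or timeout <= 0:
        raise ValueError("a finite, positive timeout is required")
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError:
        # The server answered (404, 500, ...). That is not a transport failure
        # and a blind retry would only hammer it. HTTPError subclasses URLError
        # (and OSError), so it has to be matched before the generic clause.
        raise
    except OSError as exc:
        # URLError, socket.timeout/TimeoutError and ConnectionRefusedError are
        # all OSError subclasses: the retryable, connection-level cases.
        raise JWKSConnectionError(f"{url}: {exc}") from exc


def fetch_jwks_with_retry(url, timeout=30.0, attempts=3):
    """Retry only on JWKSConnectionError; anything else propagates at once."""
    last_error = None
    for _ in range(attempts):
        try:
            return fetch_jwks(url, timeout=timeout)
        except JWKSConnectionError as exc:
            last_error = exc
    raise last_error


class _Handler(http.server.BaseHTTPRequestHandler):
    """Toy JWKS endpoint; /stall keeps the socket open and never replies."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_GET(self):
        if self.path == "/stall":
            self.server.release.wait(timeout=10)  # behaves like a hung endpoint
            return
        if self.path != "/jwks":
            self.send_error(404)
            return
        body = json.dumps(SAMPLE_JWKS).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    """Start the toy endpoint on an ephemeral loopback port; returns (server, base_url)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    srv.release = threading.Event()  # set this to let stalled handlers finish
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    srv, base = start_server()
    try:
        print(fetch_jwks(base + "/jwks", timeout=2))
        try:
            fetch_jwks_with_retry(base + "/stall", timeout=0.5, attempts=2)
        except JWKSConnectionError as exc:
            print("gave up after 2 attempts:", exc)
    finally:
        srv.release.set()
        srv.shutdown()
```

The `/stall` path is what the 30-second default guards against: without `timeout=` the call in `fetch_jwks` would never return. The split between `HTTPError` (re-raised) and `OSError` (wrapped) is the part worth copying: a 404 or 500 from the JWKS endpoint should surface as-is, while a read timeout or refused connection is what a retry loop is for.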
* Make `Algorithm` an abstract base class
This also removes some tests that are not relevant anymore
Raise `NotImplementedError` for `NoneAlgorithm`
* Use `hasattr` instead of `getattr`
* Only allow `dict` in `encode`
* [pre-commit.ci] pre-commit autoupdate
updates:
- [github.com/psf/black: 22.12.0 → 23.1.0](https://github.com/psf/black/compare/22.12.0...23.1.0)
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
---------
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
* Improve error messages when cryptography isn't installed
* Add test
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
* Fix `_validate_iat` validation
* Add test and update changelog
* Differentiate between two errors
* Mention #809 in the changelog
* Add return types in `JWKSetCache`
* Add types for hash algorithms
* Add missing type annotation in `ECAlgorithm`
* PyJWS._verify_signature: raise early KeyError if header is missing alg
* Make Mypy configuration stricter
* Improve typing in jwt.utils
* Improve typing in jwt.help
* Improve typing in jwt.exceptions
* Improve typing in jwt.api_jwk
* Improve typing in jwt.api_jws
* Improve typing & clean up imports in jwt.algorithms
* Correct JWS.decode rettype to any (payload could be something else)
* Update typing in api_jwt
* Improve typing in jwks_client
* Improve typing in docs/conf.py
* Fix (benign) mistyping in test_advisory
* Fix misc type complaints in tests
* Add `sort_headers` parameter to `api_jwt.encode`
This allows you to not sort headers, which prevents a breaking change between v2.4.0 and v2.5.0
* Add `test_sorting_headers` test
* Remove outdated comment about misordered headers
* Explicitly assert sorting in `test_sorting_of_headers`
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Parametrize `test_sorting_of_headers`
* Use normal dict in `test_sorting_of_headers`
* fixup! Use normal dict in `test_sorting_of_headers`
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
* Add PyJWT._decode_payload hook
* Add PyJWT._encode_payload hook
* allow configuration of custom headers in JWKClient
* revert changes to algorithms
* document example usage of custom headers
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* black format tests
* Add a release note for optional headers arg
Co-authored-by: thundercat1 <michael.haines@recursionpharma.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Fixes #814
validation example (#775)
* Add compute_hash_digest to Algorithm objects
`Algorithm.compute_hash_digest` is defined as a method which inspects
the object to see that it has the requisite attributes, `hash_alg`.
If `hash_alg` is not set, then the method raises a
NotImplementedError. This applies to classes like NoneAlgorithm.
If `hash_alg` is set, then it is checked for
```
has_crypto # is cryptography available?
and isinstance(hash_alg, type)
and issubclass(hash_alg, hashes.HashAlgorithm)
```
to see which API for computing a digest is appropriate --
`hashlib` vs `cryptography.hazmat.primitives.hashes`.
These checks could be avoided at runtime if it were necessary to
optimize further (e.g. attach compute_hash_digest methods to classes
with a class decorator) but this is not clearly a worthwhile
optimization. Such perf tuning is intentionally omitted for now.
* Add doc example of OIDC login flow
The goal of this doc example is to demonstrate usage of
`get_algorithm_by_name` and `compute_hash_digest` for the purpose of
`at_hash` validation. It is not meant to be a "guaranteed correct" and
spec-compliant example.
closes #314
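The entry above adds `compute_hash_digest` so that an OIDC client can validate `at_hash`. The construction it serves is the same for `at_hash` and `c_hash`: hash the ASCII octets of the access token (or authorization code) with the hash behind the ID token's `alg`, keep the left-most half of the digest, base64url-encode it without padding, and compare. The following is an added example, not PyJWT's code and not the doc example the entry refers to: it uses `hashlib` directly instead of `Algorithm.compute_hash_digest` so it runs without the `cryptography` extra, and the token strings in the usage are constructed. Algorithms whose hash cannot be read off the name (such as `EdDSA`) are rejected rather than guessed.

```python
"""at_hash / c_hash computation and constant-time check.

Added example (not PyJWT's own code). Sample tokens are constructed.
"""
import base64
import hashlib
import hmac

# Hash behind each JWS alg, keyed on the SHA-2 size in the name: RS256,
# PS256, ES256, ES256K and HS256 all use SHA-256, and so on.
_HASH_BY_BITS = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def hash_for_alg(alg):
    """Return the hashlib constructor for a JWS alg, or raise NotImplementedError."""
    bits = "".join(ch for ch in alg if ch.isdigit())
    try:
        return _HASH_BY_BITS[bits]
    except KeyError:
        raise NotImplementedError(f"no hash mapping for alg {alg!r}") from None


def left_half_hash(value, alg):
    """base64url(left-most half of hash(value)), no padding.

    This is the at_hash / c_hash value for `value` (an access token or an
    authorization code) under an ID token signed with `alg`.
    """
    digest = hash_for_alg(alg)(value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def verify_hash_claim(id_token_claims, claim, value, alg):
    """Check `claim` ("at_hash" or "c_hash") against `value` in constant time.

    A missing or non-string claim counts as a failure here; whether the claim
    is mandatory depends on the flow, so callers that allow it to be absent
    should test for presence before calling.
    """
    expected = id_token_claims.get(claim)
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected, left_half_hash(value, alg))


if __name__ == "__main__":
    access_token = "constructed.access.token"           # constructed sample
    claims = {"at_hash": left_half_hash(access_token, "RS256")}
    print(claims["at_hash"], verify_hash_claim(claims, "at_hash", access_token, "RS256"))
```

`alg` must come from the already-verified ID token header, never from the access token or from client configuration alone; a mismatch between the hash used and the signing algorithm makes the check pass or fail for the wrong reason.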
Co-authored-by: José Padilla <jpadilla@users.noreply.github.com>
* Handle 'ImmatureSignatureError' for the issued_at time when it is in the future
* Add changelog and test cases
* Invalidate exp when exp == now()
* Update changelog
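Three entries on this page deal with the time claims: the `_validate_iat` fix, `ImmatureSignatureError` for an `iat` in the future, and the change that treats `exp == now()` as expired. The following is an added example, not PyJWT's code, that implements those rules with a leeway window and an injectable clock so the edge cases can be exercised deterministically; the exception class names mirror PyJWT's but are defined here.

```python
"""exp / iat / nbf validation with leeway.

Added example (not PyJWT's own code). `now` is injectable for testing.
"""
import time


class ExpiredSignatureError(Exception):
    """'exp' is not strictly in the future (exp == now counts as expired)."""


class ImmatureSignatureError(Exception):
    """'iat' or 'nbf' lies further in the future than the leeway allows."""


class InvalidClaimError(Exception):
    """A time claim is present but is not a NumericDate."""


def _numeric_date(claims, name):
    """Return the claim as an int, None if absent, or raise if malformed."""
    value = claims.get(name)
    if value is None:
        return None
    # bool is a subclass of int in Python; "exp": true must not pass as 1.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise InvalidClaimError(f"{name} must be a NumericDate")
    return int(value)


def validate_time_claims(claims, now=None, leeway=0):
    """Enforce exp, iat and nbf; returns the parsed values on success.

    RFC 7519 says the current time MUST be before exp, so with zero leeway a
    token whose exp equals the current second is already expired. Leeway
    widens every comparison by the same number of seconds to absorb clock
    skew between issuer and verifier.
    """
    if leeway < 0:
        raise ValueError("leeway must be non-negative")
    now = int(time.time()) if now is None else int(now)
    exp = _numeric_date(claims, "exp")
    iat = _numeric_date(claims, "iat")
    nbf = _numeric_date(claims, "nbf")
    if exp is not None and exp <= now - leeway:
        raise ExpiredSignatureError(f"exp={exp} is not after now={now} (leeway {leeway})")
    if iat is not None and iat > now + leeway:
        raise ImmatureSignatureError(f"iat={iat} is in the future (now={now}, leeway {leeway})")
    if nbf is not None and nbf > now + leeway:
        raise ImmatureSignatureError(f"nbf={nbf} is in the future (now={now}, leeway {leeway})")
    return {"exp": exp, "iat": iat, "nbf": nbf}


if __name__ == "__main__":
    t = 1_700_000_000  # constructed reference time
    print(validate_time_claims({"iat": t, "nbf": t, "exp": t + 60}, now=t))
```

Keep leeway small and per-deployment; a generous leeway on `iat` is in effect a grant of the same number of seconds of extra lifetime on every token.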
Co-authored-by: José Padilla <jpadilla@users.noreply.github.com>
* feat(mypy): from tox to pre-commit
* fix(mypy): apply mypy fixes
* feat(api_jws): typing
Co-authored-by: JulianMaurin <julian.maurin@backmarket.com>
* Initial implementation of ttl jwk set cache
(cherry picked from commit 479a7c124d63113a2190bd48972cc19172215096)
* Add unit test for jwk set cache
* Fix failed unit test
* Disable cache signing key by default
* Add a negative unit test for get_jwk_set
* Add functionality to force refresh the jwk set cache when no matching signing key can be found from the cache
* Add unit test for refresh cache
* Add unit test to unset the cache when the network call throws an error
* fix naming typo
* Update unit test naming
* Update comment
* Add check for lifespan
* Update comments for get_signing_key
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Fix ci error
* Add type declaration to fix CI error
* Add more unit tests to improve coverage
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Try to increase test coverage to 100%
Co-authored-by: Jerry Wu <hawu@roku.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
* refactor: add type hints to jwt/help.py
* refactor: include cryptography types when installing development environment
* fix: unused type: ignore on Python 3.8
* refacto(TestPyJWKSet): crypto_required decorator at the class level
* refacto(TestPyJWKSet): add test to validate the constructor behaviour
* fix(PyJWKSet): improve error accuracy
Co-authored-by: JulianMaurin <julian.maurin@backmarket.com>
* fix(api_jwt): update audience typing & type checking
* doc(api): update decode.audience typing
* feat(test_api_jwt): ensure audience as bytes raises error
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* refacto(api_jwt): precise typing
Co-authored-by: Julian Maurin <julian.maurin.perso@pm.me>
Update jwt/api_jwt.py
Co-authored-by: Julian Maurin <julian.maurin.perso@pm.me>
fix(jwt/api_jwt.py): backport future annotations
* fix: handle audience=0
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Asif Saif Uddin <auvipy@gmail.com>
* Fix for headers disorder issue
Related issue #715
* Added comment with reference to issue
Needed to trigger tests once more time.
* Fix for hardcoded value in docs after adding sort to jwt/api_jws.py
* Removed unneeded comment - issue #721
`**kwargs` usages cannot be removed without breaking backwards
compatibility. Unsupported kwargs cannot even be rejected without
breaking compatibility.
However, this does not mean that the library cannot identify and
warn when unsupported arguments are used. The warning behavior simply
has to be separated from any removal of `**kwargs`.
All legitimate `**kwargs` usages have been replaced with explicit
arguments. Any other arguments will be captured under `**kwargs` and
trigger the deprecation warnings. In the cases of
`decode() -> decode_complete()` passthrough, the passthrough has been
removed to avoid duplicate deprecation warnings on a single usage.
This makes a very subtle behavioral change to `**kwargs` *only* for
the case of a subclass of PyJWT or PyJWS. Extra arguments used by a
specialized subclass won't pass through transparently anymore. In
such a case the subclass author has multiple resolutions available,
including reimplementation of the `decode()` method to passthrough
the additional argument. Although technically backwards-incompatible
for a niche subclassing usage, this behavior is very nearly identical
and shouldn't pose an issue for the vast majority of pyjwt users.
The deprecation warning does not cover all deprecated usages. In
particular, several passthrough arguments for claim validation should
probably be made available via `options` and later removed. The
arguments in need of attention now have inline comments in the
signature definitions, but are otherwise left unmodified, leaving
current usages correct and valid.
* Expose get_algorithm_by_name as new method
Looking up an algorithm by name is used internally for signature
generation. This encapsulates that functionality in a dedicated method
and adds it to the public API. No new tests are needed to exercise the
functionality.
Rationale:
1. Inside of PyJWS, this improves the code. The KeyError handler is
better scoped and the signing code reads more directly.
2. This is part of the path to supporting OIDC at_hash validation as a
use-case (see: #295, #296, #314).
This is arguably sufficient to consider that use-case supported and
close it. However, it is an improvement and step in the right
direction in either case.
A minor change was needed to satisfy mypy, as a union-typed variable
does not narrow its type based on assignments. The easiest resolution
is to use a new name, in this case, simply `algorithm -> algorithm_`.
* Use get_algorithm_by_name in _verify_signature
Rather than catching the KeyError from a dict lookup, catch the
NotImplementedError raised by get_algorithm_by_name. This changes the
exception seen in the cause under exception chaining but otherwise has
no public-facing impact.
There is a small typo in jwt/algorithms.py.
Should read `isinstance` rather than `iinstance`.
* Fixes for pyright on strict mode
* Update CHANGELOG.rst
* Do not fail when an unusable key occurs
There may be more keys in the store which are still usable.
Therefore we do not want to fail on any key that is not usable by pyjwt,
but rather skip it when appending to the KeySet
* Add test cases with unusable 'alg' keys
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Add 'skip keys' to changelog
* Update CHANGELOG.rst
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
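This entry and the TTL JWK set cache entry further up the page (the one that force-refreshes when no matching signing key is cached and unsets the cache when the network call fails) are two halves of the same component, so one added example covers both. It is not PyJWT's code: `parse_jwk_set`, `JWKSetCache` and `refresh_floor` are names chosen here, the fetcher and clock are injected so the behaviour can be driven without a network, and the JWK entries in the usage are constructed placeholders rather than real key material. The `refresh_floor` is an addition beyond what the entries describe: it stops an attacker who presents tokens with made-up `kid` values from turning every request into a fetch against the JWKS endpoint.

```python
"""JWK Set cache: skip unusable keys, TTL, one forced refresh on unknown kid.

Added example (not PyJWT's own code). Sample JWK entries are placeholders.
"""
import time

# JWS algorithms this verifier will use; keys advertising anything else are
# skipped rather than treated as a fatal error for the whole set.
SUPPORTED_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                  "ES256", "ES384", "ES512", "EdDSA"}


def parse_jwk_set(jwks):
    """Index a JWK Set by kid, dropping entries this verifier cannot use.

    Providers routinely publish encryption keys or algorithms a given client
    never negotiates; one such entry must not make every key unavailable.
    """
    usable = {}
    for jwk in jwks.get("keys", []):
        if not isinstance(jwk, dict) or "kty" not in jwk or not jwk.get("kid"):
            continue                               # malformed or not addressable
        alg = jwk.get("alg")
        if alg is not None and alg not in SUPPORTED_ALGS:
            continue                               # e.g. an RSA1_5 encryption key
        usable[jwk["kid"]] = jwk
    return usable


class JWKSetCache:
    """TTL cache over a fetcher with a rate-limited forced refresh on miss."""

    def __init__(self, fetch, lifespan=300, refresh_floor=30, clock=time.monotonic):
        if lifespan <= 0 or refresh_floor < 0:
            raise ValueError("lifespan must be positive, refresh_floor non-negative")
        self._fetch = fetch            # callable returning the JWK Set as a dict
        self._lifespan = lifespan      # seconds a fetched set is trusted
        self._refresh_floor = refresh_floor  # min seconds between miss-driven fetches
        self._clock = clock
        self._keys = None
        self._fetched_at = None

    def cached_kids(self):
        """Sorted kids currently cached, or None when the cache is empty."""
        return None if self._keys is None else sorted(self._keys)

    def _age(self):
        return float("inf") if self._fetched_at is None else self._clock() - self._fetched_at

    def refresh(self):
        """Fetch and re-index; a failed fetch empties the cache (fail closed)."""
        try:
            raw = self._fetch()
        except Exception:
            self._keys = None
            self._fetched_at = None
            raise
        self._keys = parse_jwk_set(raw)
        self._fetched_at = self._clock()
        return self._keys

    def get_signing_key(self, kid):
        """Return the JWK for kid, refreshing on TTL expiry or (rate-limited) on a miss."""
        if self._age() >= self._lifespan:
            self.refresh()
        if kid not in self._keys and self._age() >= self._refresh_floor:
            self.refresh()            # most likely a key rotation since the last fetch
        if kid not in self._keys:
            raise KeyError(f"no usable key with kid {kid!r}")
        return self._keys[kid]


if __name__ == "__main__":
    sample = {"keys": [{"kty": "RSA", "kid": "a", "alg": "RS256", "n": "placeholder", "e": "AQAB"},
                       {"kty": "RSA", "kid": "legacy", "alg": "RS1", "n": "placeholder", "e": "AQAB"}]}
    cache = JWKSetCache(lambda: sample, lifespan=300)
    print(cache.get_signing_key("a")["kid"], cache.cached_kids())
```

Emptying the cache on a failed refresh is the conservative choice the cache entry describes: serving a stale set after the provider became unreachable would keep accepting tokens under keys that may have been rotated out for cause. Teams that prefer availability over that guarantee should make the stale-serving window explicit rather than silent.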
* Add to_jwk static method to ECAlgorithm
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Add in tests for ECAlgorithm.to_jwk
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* Add to_jwk pull request to changelog
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
This reverts commit 675fa10db578886ee6cfd1df688236f69560ced4.
* adding support for compressed payloads
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* adding test to cover all lines in patch
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
* addressing flake8 unused variable and cyclomatic complexity complaints
* expanding test for better coverage
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: José Padilla <jpadilla@users.noreply.github.com>
Fixes #679
verify= argument (#742)
Since the arbitrary/unused `**kwargs` can't quite be dropped (as #657 would do) without
a major version bump (as reverted in #701), it's still a good idea to warn users if they
are attempting to use contradictory arguments for the security-sensitive `verify=` argument.
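Three entries on this page are about the same hardening of `decode`: raising a `KeyError` early when the header has no `alg`, warning on unsupported `**kwargs` instead of swallowing them, and warning when the legacy `verify=` argument contradicts `options["verify_signature"]`. The following is an added example, not PyJWT's code, that shows all three in a minimal HS256-only decoder built on the standard library. `encode_hs256`, `decode` and `decode_with_warnings` are names chosen here, the key is constructed, and the warning texts are this example's own wording rather than the library's.

```python
"""HS256-only compact JWS decode that refuses the usual foot-guns.

Added example (not PyJWT's own code). Key and tokens are constructed.
"""
import base64
import hashlib
import hmac
import json
import warnings


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_hs256(payload, key):
    """Minimal HS256 compact serialization, used here to build test tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("utf-8"))
    body = _b64url_encode(json.dumps(payload).encode("utf-8"))
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode(token, key=None, algorithms=None, options=None, verify=None, **kwargs):
    """Decode a compact JWS.

    - options["verify_signature"] is the real switch; `verify` is the legacy
      flag. When both are given and disagree, one of them is being ignored and
      the caller's intent is unknown, so warn loudly.
    - Unknown keyword arguments are reported, not swallowed: a typo such as
      algorithm= for algorithms= would otherwise look like a successful call.
    - A header without "alg" is a KeyError before any signature logic runs, and
      only algorithms the caller listed are accepted, which rules out "none".
    """
    options = {"verify_signature": True, **(options or {})}
    if verify is not None and bool(verify) != bool(options["verify_signature"]):
        warnings.warn(
            f"verify={verify} contradicts options['verify_signature']="
            f"{options['verify_signature']}; the options value wins",
            UserWarning, stacklevel=2)
    if kwargs:
        warnings.warn(f"unsupported keyword arguments ignored: {sorted(kwargs)}",
                      DeprecationWarning, stacklevel=2)
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS: expected three dot-separated segments") from None
    header = json.loads(_b64url_decode(h))
    payload = json.loads(_b64url_decode(p))
    if not options["verify_signature"]:
        return payload                     # explicitly unverified; caller asked for it
    if "alg" not in header:
        raise KeyError("alg")              # fail before touching the signature at all
    if not algorithms or header["alg"] not in algorithms:
        raise ValueError(f"algorithm {header['alg']!r} not allowed")
    if header["alg"] != "HS256":
        raise NotImplementedError("this example implements HS256 only")
    if not key:
        raise ValueError("a key is required to verify the signature")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature verification failed")
    return payload


def decode_with_warnings(*args, **kwargs):
    """Run decode() and return (payload, [warning messages]) for inspection."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        payload = decode(*args, **kwargs)
    return payload, [str(w.message) for w in caught]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    token = encode_hs256({"sub": "alice"}, key)
    print(decode_with_warnings(token, key, algorithms=["HS256"], verify=False))
```

The `verify=False` case is the one to notice: in this decoder, as in the entry's description of PyJWT 2.x, the flag does nothing and the signature is still checked, so a warning is the only thing standing between the caller and a false belief about what was verified (in either direction).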
The specifications allow a JWS to have an unencoded detached payload.
This changeset adds detached payload support to the encoding and decoding
functions.
For encoding, a detached payload can be enabled by setting the
"is_payload_detached" arg or by having "b64=False" inside the headers.
For decoding, the detached payload content (bytes) has to be provided
with the "detached_payload" arg, and "b64=False" has to be found inside
the decoded headers.
Functionally, when this feature is used, the signature will be computed
over the raw data bytes of the payload, without base64 encoding, and
obviously the payload will not be provided inside the generated JWS.
So the generated JWS will look like:
base64url(header)..base64url(signature)
Relevant specifications:
RFC 7515: "JSON Web Signature (JWS)" (Appendix F)
RFC 7797: "JSON Web Signature (JWS) Unencoded Payload Option"
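The following is an added example, not PyJWT's code, of the detached unencoded form the entry describes: the signing input is `base64url(header) "." raw-payload-octets`, and the serialization carries an empty middle segment. It is HS256-only and built on the standard library; `encode_detached_hs256` and `decode_detached_hs256` are names chosen here, and the key and payload bytes are constructed. One thing it enforces that the entry does not mention is the RFC 7797 requirement that `"b64"` be listed in `"crit"`, so a verifier that has never heard of the option rejects the token instead of treating the raw bytes as base64url.

```python
"""Detached JWS with b64=false (RFC 7515 App. F, RFC 7797), HS256 only.

Added example (not PyJWT's own code). Key and payload are constructed.
"""
import base64
import hashlib
import hmac
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_detached_hs256(payload, key, extra_headers=None):
    """Return base64url(header)..base64url(signature) over the raw payload bytes."""
    header = {"alg": "HS256", "b64": False, "crit": ["b64"], **(extra_headers or {})}
    encoded_header = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    # Unencoded payload: the payload octets go into the signing input as they are.
    signing_input = encoded_header.encode("ascii") + b"." + payload
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{encoded_header}..{b64url(sig)}"


def decode_detached_hs256(token, key, detached_payload):
    """Verify a detached JWS against payload bytes supplied out of band; returns the header."""
    parts = token.split(".")
    if len(parts) != 3 or parts[1] != "":
        raise ValueError("expected header..signature with an empty payload segment")
    encoded_header, _, encoded_sig = parts
    header = json.loads(unb64url(encoded_header))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    crit = header.get("crit", [])
    if header.get("b64") is not False or "b64" not in crit:
        # Without b64=false (and crit naming it) the payload would be
        # base64url-encoded and carried inline, so this is not a detached token.
        raise ValueError('header must carry "b64": false and "crit": ["b64"]')
    unknown_crit = set(crit) - {"b64"}
    if unknown_crit:
        raise ValueError(f"unsupported critical headers: {sorted(unknown_crit)}")
    signing_input = encoded_header.encode("ascii") + b"." + detached_payload
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(encoded_sig)):
        raise ValueError("signature verification failed")
    return header


if __name__ == "__main__":
    key = b"constructed-demo-key"
    body = b'{"amount": 10, "to": "bob"}'        # constructed payload bytes
    token = encode_detached_hs256(body, key)
    print(token)
    print(decode_detached_hs256(token, key, body))
```

Because the signature covers the exact octets, the verifier must be handed the payload byte-for-byte as it was signed: re-serializing the same JSON with different whitespace or key order produces a different signing input and fails, which is the intended property when the payload travels in an HTTP body.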
Fix: #458
* api_jwk: Add PyJWKSet.__getitem__
Closes #724.
* CHANGELOG: record changes
* Explicit check the key for ECAlgorithm
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
* Turn off implicit-optional
* Change type annotations to use explicit optional
According to PEP 484, implicit Optional is no longer recommended.
* [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: José Padilla <jpadilla@users.noreply.github.com>
This reverts commit 5fe7f2b28ffcd27a3e520be750858944889112ef.