Skip to main content

JWT authentication plugin for Bottle

Project description

JwtEncoder

JwtEncoder provides abstracted JWT token generation (using PyJWT and validation with a dictionary configuration ment to simply creation and deployment.

Installation

# pip install JwtEncoder

Usage

Token creator:

from JwtEncoder import JwtEncoder
from config import jwt_config

jenc = JwtEncoder(jwt_config)

tok = jenc.encode({'hello': 'world', 'aud': 'xyz'})

Token consumer:

from JwtEncoder import JwtEncoder
from config import jwt_config

jenc = JwtEncoder(jwt_config)

payload = jenc.decode(tok, audience='xyz')

print(payload['hello'])  # 'world'

Signature

jenc = JwtEncoder(jwt_config=config)

jwt_config A python dict used to configure a JWT Authorizor.

  • The makeup of this dict is discussed below in more detail.
  • By default a symmetric key is generated and tokens are signed using the HS256 signing algorithm.

JwtEncoder Methods

tok = jenc.encode(payload, **kwargs)

  • Returns a JWT token tok from the dict payload with a signature and options described in jwt_config.
  • Additional options (kwargs) can be included as specified in the PyJWT documentation

pay = jenc.decode(tok, **kwargs)

  • Validates the JWT token tok and returns decoded payload pay using the signature algorithm, signing keys, and issuer specified in jwt_config.
  • Additional options (kwargs) can be provided as specified in PyJWT documentation

unverpay = jenc.decode_noverify(tok)

  • Returns contents of the payload unverpay, without verifying the signature or other jwt elements.
  • The token should be verified with jenc.decode() before any contents are used for authorization or authentication.

hdrs = jenc.header(tok)

  • Returns JWT header options.
  • The tok should be validated first with jenc.decode()

jwt_config configuration details

JwtEncoder uses the PyJWT module to implement both encoding and decoding of JWT's. The jwt_config python dict permits JwtEncoder to support a various different JWT signing methods. These include:

  • shared key signing (symmetric key)
  • public and private key (asymmetric key)
  • providing an X509 RSA certificate (asymmetric key)
  • JWKS url (asymmetric key)

The choice determines which options and which signing algorithms are valid.

shared key (symmetric key)

To use a symmetric key jwt_config is of the form:

jwt_config = {
    'key': 'mysecretkey',
    'alg': 'HS256'  # any valid JWT HS type
    'iss': 'urn:myissuer',
    'ttl': 3600 
}
  • key the value of this is the shared binary signing key, and key indicates this JwtEncoder will use symmetric key signing.
  • alg specifies the algorithm. For a symmentric key the default signing algorithm is HS256.

public/private key (asymmetric key)

pubkey and privkey (either or both) in jwt_config* indicates the JwtEncoder will use asymmetric keys for signing:

jwt_config = {
    'pubkey': b'------BEGIN PUBLIC KEY....',
    'privkey': b'------BEGIN PRIVATE KEY...',
    'alg': 'RS256',
    'iss': 'urn:myissuer'
}
  • pubkey and privkey are binary, PEM encoded keys.
  • Asymmetric signing can include RSA or elliptic curve key pairs (with the appropriate alg choice.)
  • The default algorithm (alg) is RS256 unless specified otherwise.
  • If only the pubkey is provided the JwtEncoder can only decode tokens.
  • If only the privkey is provided the JwtEncoder can only encode tokens.

X509 certificate (asymmetric key)

A binary X509 certificate indicates the JwtEncoder will use asymmetric RSA signing keys:

jwt_config = {
    'cert' : b`----BEGIN CERTIFICATE---....',
    'alg': 'RS256',
    'iss': 'urn:xyz'
}
  • cert provides only a public key, and hence only token decoding - unless a privkey is also provided in the jwt_config.
  • No validation of the X509 certificate authenticity is made.
  • The default alg is RS256

JWKS retrieval

Retrieves JASON Web Key Sets (JWKS) signing keys from the specified URL:

jst_config = {
    'jwks_url': 'https://.....',
    'iss': 'api://myapi'
}
  • This retrieves JWKS keys (for example, from an OIDC provider) The retrival specifies the algorithms used.
  • Any number of keys can be provided by the jwks_url and the decoder will use the algorithm and signing key identifier (kid) specified in the jwt header.
  • You can only decode tokens using the jwks_url method.

Additional Options

alg - algorithm

  • alg specifies the signing algorithm used.
  • For symmetric signing the default is HS256; for asymmetric signing, RS256
  • There are various signing algorithms outlined in the JWT specifications, and in the PyJWT documentation.

ttl - time to live

  • time to live is the length of time the tokens the JwtEncoder generates will be valid.
  • If ttl is not specified, 3600 Seconds is used by default.
  • The token exp value is set to the current epoch time + ttl; the token will also include nbf and iat set to the current time.
  • If ttl is explicitly set to None, the iat, nbf, and exp elements are not added to token encoding - the tokens do not expire.
  • Decoding an expired token raises an exception.

iss - issuer

  • The issuer is added as iss to the payload for encoding tokens, and is verified when tokens are decoded.
  • An alternate issuer can be specified by adding iss to the payload before calling encode({'iss': 'xyz'}), and can be verified by passing the kwarg issuer on decode (e.g. decode(token,issuer='xyz'))
  • decoding a token where the token iss doesn't match the issuer generates an exception.

Audience Validation

If a jwt has an aud (audience) element specified when encoded, then audience kwarg must be specified when decoding for the token to validate.

tok = jenc.encode({'aud': 'db21', 'scp': ['table.write']})
...
pay = jenc.decode(tok, audience=['db21', 'db22'])
  • audience can be a list, as in the example, containing multiple options. The token need only match one of them.
  • decoding a token without the matching audience generates an exception.

Generating Signing Keys

For reference only:

Generating Eliptic Curve key pairs using Openssl:

# openssl ecparam -name prime256v1 -genkey -noout -out private.pem
# openssl ec -in private.pem -pubout -out public.pem

Generating RSA key pairs using Openssl:

# openssl genrsa  -out rsaprivate.pem 2048
# openssl rsa -in rsaprivate.pem -pubout -out rsapublic.pem

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

JwtEncoder-21.8.30.tar.gz (7.3 kB view details)

Uploaded Source

Built Distribution

JwtEncoder-21.8.30-py3-none-any.whl (7.6 kB view details)

Uploaded Python 3

File details

Details for the file JwtEncoder-21.8.30.tar.gz.

File metadata

  • Download URL: JwtEncoder-21.8.30.tar.gz
  • Upload date:
  • Size: 7.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.6.3 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.0 CPython/3.9.6

File hashes

Hashes for JwtEncoder-21.8.30.tar.gz
Algorithm Hash digest
SHA256 8d189b442113bea88465f97e6e6ac15f8ef7552b704f1b757df889f4bcc5033f
MD5 98604d66e5e2b64b0d89b58931eedbfe
BLAKE2b-256 ff26fd387e8b085d509f55f3f966fcdf7a5982c63ae203e33d014f10a0d71e1c

See more details on using hashes here.

File details

Details for the file JwtEncoder-21.8.30-py3-none-any.whl.

File metadata

  • Download URL: JwtEncoder-21.8.30-py3-none-any.whl
  • Upload date:
  • Size: 7.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.2 importlib_metadata/4.6.3 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.0 CPython/3.9.6

File hashes

Hashes for JwtEncoder-21.8.30-py3-none-any.whl
Algorithm Hash digest
SHA256 783f5929e19b303048ce1b765b6c3508ed59d6db7628992261e489379c1494f5
MD5 66898cd23ca63eee242c2d19a7b153a9
BLAKE2b-256 2ee9da3a9b04d9936abeda1780a9f86cf56f53b925a69ff0decaad88c1d2d908

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page