A subset of RFC 7519 for working with JWTs minted by Okta API Access Management.
Project description
oktajwt
This is a simple JWT package built to work specifically with Okta's API Access Management product (API AM). It was inspried in part by jpadilla's PyJWT package. This is not meant to be a full implementation of RFC 7519, but rather a subset of JWT operations specific to working with Okta.
Requirements
- Python >= 3.7
Installing
Install with pip:
$ pip install OktaJWT
Usage
This module has a command line interface:
usage:
Decodes and verifies JWTs from an Okta authorization server.
oktajwt [options] <JWT>
positional arguments:
JWT The base64 encoded JWT to decode and verify
optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
-i ISSUER, --issuer ISSUER
The expected issuer of the token
-a AUDIENCE, --audience AUDIENCE
The expected audience of the token
-c CLIENT_ID, --client_id CLIENT_ID
The OIDC client ID
-s CLIENT_SECRET, --client_secret CLIENT_SECRET
The OIDC client secret (not required if using PKCE)
However, it's much more likely that this package will be used inside something like an API server, so the usage would look something more like this:
import json
from oktajwt import JwtVerifier
issuer = "your OAuth issuer"
client_id = "OIDC client ID"
client_secret = "OIDC client secret or None if using PKCE"
expectedAudience = "expected audience"
accessToken = "your base64 encoded JWT, pulled out of the HTTP Authorization header bearer token"
jwtVerifier = JwtVerifier(issuer, client_id, client_secret)
# just check for validity, this includes checks on standard claims:
# * signature is valid
# * iss, aud, exp and iat claims are all present
# * iat is <= "now"
# * exp is >= "now"
# * iss matches the expexted issuer
# * aud matches the expected audience
if jwtVerifier.isTokenValid(accessToken, expectedAudience):
print("Token is valid")
else:
print("Token is not valid")
# check for validity and get verified claims
try:
claims = jwtVerifier.verifyAccessToken(accessToken, expectedAudience)
print("Verified claims: {0}".format(json.dumps(claims, indent=4, sort_keys=True)))
except Exception as e:
print("There was a problem verifying the token: ", e)
Okta Configuration
Okta Org You need to have an Okta org with API Access management available. You can get a free developer account at https://developer.okta.com.
NOTE:, this package will NOT work with the "stock" organization authorization server as access tokens minted by that server are opaque (and no public key is published).
Create an OIDC Application Create a new OIDC application in Okta. This is where you'll get the client ID and client secret values. If you create an app that uses PKCE, a client secret value is not necessary and will not be generated.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for OktaJWT-0.1.2-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 8c9a972bf21ade61d8d1c8053dba64c79b69fb2ed8ebfc29f7a2e07c31905fdb |
|
MD5 | f4c755b6165d25b96a0cd7d7b4b6f97c |
|
BLAKE2b-256 | e5863e180a4abe8d99f5103237576a09fac101f380a56508768421161567260d |