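def verify_token(self, token, **kwargs):
    """Verify the signature (and, when enabled, the nonce) of an ID token.

    The verification key is chosen from the configured ``OIDC_RP_SIGN_ALGO``,
    never from the token itself: an ``RS*`` algorithm uses the provider key in
    ``OIDC_RP_IDP_SIGN_KEY``; any other value uses ``OIDC_RP_CLIENT_SECRET``
    as the key (the shared secret, i.e. the HMAC key for ``HS*``).  Note that
    the second branch is also taken for algorithms that are neither RS nor HS
    (e.g. ``ES*``), so keep ``OIDC_RP_SIGN_ALGO`` to the RS/HS families unless
    ``_verify_jws`` enforces the algorithm itself.

    Only the signature and the ``nonce`` claim are checked here.  ``iss``,
    ``aud`` and ``exp`` are NOT validated by this method; callers must either
    obtain the token over a trusted back channel (the provider's token
    endpoint) or validate those claims themselves.

    :param token: the compact-serialised JWS, as ``str`` or ``bytes``.
    :param kwargs: ``nonce`` -- the value generated for this login attempt.
        When ``OIDC_USE_NONCE`` (default ``True``) is enabled it must be
        present and equal to the token's ``nonce`` claim; when disabled the
        nonce is ignored entirely.
    :raises SuspiciousOperation: if the signature does not verify (raised by
        ``_verify_jws``), if the signed payload is not a JSON object, or if
        nonce checking is enabled and the nonce is missing on either side or
        differs.
    :returns: ``True`` when verification succeeds.
    """
    nonce = kwargs.get('nonce')

    # Select the key from settings, not from the token header, so a
    # token-supplied ``alg`` cannot steer an RSA deployment into verifying
    # with the public key as an HMAC secret.
    # NOTE(review): whether ``_verify_jws`` additionally rejects a header
    # ``alg`` that differs from OIDC_RP_SIGN_ALGO is not visible here;
    # confirm, since the key choice alone does not pin the algorithm.
    if self.OIDC_RP_SIGN_ALGO.startswith('RS'):
        key = self.OIDC_RP_IDP_SIGN_KEY
    else:
        key = self.OIDC_RP_CLIENT_SECRET

    # The key comes from settings (may be text), hence smart_bytes; the
    # token may arrive as either type, hence force_bytes.
    verified_token = self._verify_jws(force_bytes(token), smart_bytes(key))

    # ``_verify_jws`` hands back the base64url-decoded payload as bytes on
    # both Python 2 and 3.  Decode explicitly: json.loads() only started
    # accepting bytes in Python 3.6 (https://bugs.python.org/issue17909).
    payload = json.loads(verified_token.decode('utf-8'))

    # A JWT claims set is a JSON object; anything else is malformed even if
    # correctly signed, so reject it rather than fail on ``.get``.
    if not isinstance(payload, dict):
        raise SuspiciousOperation('JWT payload is not a JSON object.')

    token_nonce = payload.get('nonce')

    if import_from_settings('OIDC_USE_NONCE', True):
        # Require the nonce on BOTH sides.  Comparing with ``!=`` alone let a
        # token without a ``nonce`` claim pass whenever the caller also had
        # none (``None == None``), which defeats the replay protection the
        # nonce is there to provide.
        if not nonce or not token_nonce or nonce != token_nonce:
            msg = 'JWT Nonce verification failed.'
            raise SuspiciousOperation(msg)

    return True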