
Commit 79ab5cf

committed
Reduce settings
1 parent 36b6df6 commit 79ab5cf


2 files changed

+29
-13
lines changed


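--- a/src/argus/auth/authentication.py
+++ b/src/argus/auth/authentication.py
@@ -1,5 +1,6 @@
 from datetime import timedelta
 from urllib.request import urlopen
+from urllib.parse import urljoin
 import json
 import jwt
 
@@ -27,6 +28,7 @@ def authenticate_credentials(self, key):
 class JWTAuthentication(BaseAuthentication):
     REQUIRED_CLAIMS = ["exp", "nbf", "aud", "iss", "sub"]
     SUPPORTED_ALGORITHMS = ["RS256", "RS384", "RS512"]
+    AUTH_SCHEME = "Bearer"
 
     def authenticate(self, request):
         try:
@@ -37,8 +39,8 @@ def authenticate(self, request):
         return self.get_user(validated_token), validated_token
 
     def get_public_key(self, kid):
-        response = urlopen(settings.JWK_ENDPOINT)
-        jwks = json.loads(response.read())
+        r = urlopen(self.get_jwk_endpoint())
+        jwks = json.loads(r.read())
         for jwk in jwks.get("keys"):
             if jwk["kid"] == kid:
                 return jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk))
@@ -53,24 +55,20 @@ def get_raw_token(self, request):
             scheme, token = auth_header.split()
         except ValueError as e:
             raise ValueError(f"Failed to parse Authorization header: {e}")
-        if scheme != settings.JWT_AUTH_SCHEME:
+        if scheme != self.AUTH_SCHEME:
             raise ValueError(f"Invalid Authorization scheme '{scheme}'")
         return token
 
     def decode_token(self, raw_token):
-        header = jwt.get_unverified_header(raw_token)
-        kid = header.get("kid")
-        if not kid:
-            raise AuthenticationFailed("Token must include the 'kid' header")
-        public_key = self.get_public_key(kid)
+        kid = self.get_kid(raw_token)
         try:
             validated_token = jwt.decode(
                 jwt=raw_token,
                 algorithms=self.SUPPORTED_ALGORITHMS,
-                key=public_key,
+                key=self.get_public_key(kid),
                 options={"require": self.REQUIRED_CLAIMS},
                 audience=settings.JWT_AUDIENCE,
-                issuer=settings.JWT_ISSUER,
+                issuer=self.get_openid_issuer(),
             )
             return validated_token
         except jwt.exceptions.PyJWTError as e:
@@ -82,3 +80,23 @@ def get_user(self, token):
             return User.objects.get(username=username)
         except User.DoesNotExist:
             raise AuthenticationFailed(f"No user found for username '{username}'")
+
+    def get_openid_config(self):
+        url = urljoin(settings.OIDC_ENDPOINT, ".well-known/openid-configuration")
+        r = urlopen(url)
+        return json.loads(r.read())
+
+    def get_jwk_endpoint(self):
+        openid_config = self.get_openid_config()
+        return openid_config["jwks_uri"]
+
+    def get_openid_issuer(self):
+        openid_config = self.get_openid_config()
+        return openid_config["issuer"]
+
+    def get_kid(self, token):
+        header = jwt.get_unverified_header(token)
+        kid = header.get("kid")
+        if not kid:
+            raise AuthenticationFailed("Token must include the 'kid' header")
+        return kid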
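Review bot: Every token validation now performs three unauthenticated network fetches with no timeout: decode_token calls get_public_key (which calls get_jwk_endpoint → get_openid_config) and get_openid_issuer (→ get_openid_config again), each ending in a bare `urlopen(...)`, so a slow or unreachable IdP blocks request workers indefinitely and any client that can send a Bearer header can make the server hammer the IdP; at minimum pass `timeout=` (e.g. `urlopen(url, timeout=5)`, value illustrative) and fetch the discovery document once per decode_token (or cache it with a bounded TTL) instead of twice. The `urljoin` in get_openid_config drops the last path segment of OIDC_ENDPOINT when it has no trailing slash (constructed example: `https://idp.example/realms/foo` becomes `https://idp.example/realms/.well-known/openid-configuration`), so either document that the setting must end with `/` or build the URL as `url = settings.OIDC_ENDPOINT.rstrip("/") + "/.well-known/openid-configuration"`. Since the accepted `iss` now comes from whatever the discovery document says rather than a fixed setting, consider checking `openid_config["issuer"]` against `settings.OIDC_ENDPOINT` in get_openid_issuer, as OIDC Discovery requires them to match, so a misconfigured or redirected endpoint cannot silently change which issuer is trusted. Note that get_public_key's loop continues past the hunk in the third hunk, so whether an unknown `kid` raises or returns None is not visible here.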

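--- a/src/argus/site/settings/base.py
+++ b/src/argus/site/settings/base.py
@@ -303,7 +303,5 @@
 # SOCIAL_AUTH_DATAPORTEN_FEIDE_KEY = SOCIAL_AUTH_DATAPORTEN_KEY
 # SOCIAL_AUTH_DATAPORTEN_FEIDE_SECRET = SOCIAL_AUTH_DATAPORTEN_SECRET
 
-JWK_ENDPOINT = get_str_env("JWK_ENDPOINT")
-JWT_ISSUER = get_str_env("JWT_ISSUER")
+OIDC_ENDPOINT = get_str_env("OIDC_ENDPOINT")
 JWT_AUDIENCE = get_str_env("JWT_AUDIENCE")
-JWT_AUTH_SCHEME = get_str_env("JWT_AUTH_SCHEME")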
