([f$vddlZddlmZddlmZddlmZdZeje Z GddZ d Z dS) N)jwt) JoseError)InvalidClientErrorz6urn:ietf:params:oauth:client-assertion-type:jwt-bearercLeZdZdZeZdZd dZdZdZ dZ dZ d Z d Z d Zd S)JWTBearerClientAssertionz]Implementation of Using JWTs for Client Authentication, which is defined by RFC7523. client_assertion_jwtTc"||_||_dS)N) token_url _validate_jti)selfr validate_jtis Q/var/www/piapp/venv/lib/python3.11/site-packages/authlib/oauth2/rfc7523/client.py__init__z!JWTBearerClientAssertion.__init__s")cN|j}|d}|d}|tkrH|rF|||}|||||jStd|j dS)Nclient_assertion_typeclient_assertionzAuthenticate via %r failed) formgetASSERTION_TYPEcreate_resolve_key_funcprocess_assertion_claimsauthenticate_clientclientlogdebugCLIENT_AUTH_METHOD)r query_clientrequestdataassertion_type assertion resolve_keys r__call__z!JWTBearerClientAssertion.__call__s|"9::HH/00 ^ + + +66|WMMK  ) ))[ A A A++GN;; ; .0GHHHHHrcddtdddid|jdddid}|jr d|jd|d<|S)zCreate a claims_options for verify JWT payload claims. Developers MAY overwrite this method to create a more strict options.T) essentialvalidater')r'value)isssubaudexpjti) _validate_issr r r)r optionss rcreate_claims_optionsz.JWTBearerClientAssertion.create_claims_options!s_ "&=AA&!%??&      P+/T=NOOGENrc tj|||}|n;#t$r.}t d|td}~wwxYw|S)aaExtract JWT payload claims from request "assertion", per `Section 3.1`_. :param assertion: assertion string value in the request :param resolve_key: function to resolve the sign key :return: JWTClaims :raise: InvalidClientError .. _`Section 3.1`: https://tools.ietf.org/html/rfc7523#section-3.1 )claims_optionszAssertion Error: %rN)rdecoder1r(rrrr)r r#r$claimses rrz1JWTBearerClientAssertion.process_assertion_claims0s 'Z;#99;;F OO     ' ' ' II+Q / / /$&& & ' s=A A8 )A33A8cX||jdr|St)Ntoken)check_endpoint_auth_methodrr)r rs rrz,JWTBearerClientAssertion.authenticate_clientFs.  , ,T-Dg N N M """rcfd}|S)Nc|d}|}|st|_||SNr+)rrresolve_client_public_key)headerspayload client_idrrr r s rr$zEJWTBearerClientAssertion.create_resolve_key_func..resolve_keyLsN I!\),,F +(***#GN11&'BB Br)r rr r$s``` rrz0JWTBearerClientAssertion.create_resolve_key_funcKs7 C C C C C C Crct)afValidate if the given ``jti`` value is used before. Developers MUST implement this method:: def validate_jti(self, claims, jti): key = 'jti:{}-{}'.format(claims['sub'], jti) if redis.get(key): return False redis.set(key, 1, ex=3600) return True NotImplementedError)r r5r.s rrz%JWTBearerClientAssertion.validate_jtiXs"###rct)aNResolve the client public key for verifying the JWT signature. A client may have many public keys, in this case, we can retrieve it via ``kid`` value in headers. Developers MUST implement this method:: def resolve_client_public_key(self, client, headers): return client.public_key rC)r rr>s rr=z2JWTBearerClientAssertion.resolve_client_public_keyes"###rN)T)__name__ __module__ __qualname____doc__rCLIENT_ASSERTION_TYPErrr%r1rrrrr=rArrrr s+/****III   ,###    $ $ $$$$$$rrc|d|kSr<rA)r5r*s rr/r/ps %=C r) logging authlib.joserauthlib.jose.errorsrrfc6749rr getLoggerrFrrr/rArrrQs))))))((((((Ig!!c$c$c$c$c$c$c$c$L     r