oneid.jwts

Provides useful functions for dealing with JWTs and JWSs

Based on the JWT and JWS IETF RFCs.

oneid.jwts.make_jwt(raw_claims, keypair, json_encoder=<function dumps>)

Convert claims into JWT

Parameters:
  • raw_claims (dict) – payload data that will be converted to json
  • keypair (Keypair) – Keypair to sign the request with
  • json_encoder – a function to encode a dict into JSON. Defaults to json.dumps
Returns:

JWT

oneid.jwts.verify_jwt(jwt, keypair=None, json_decoder=<function loads>)

Convert a JWT back to its claims, if validated by the Keypair

Parameters:
  • jwt (str or bytes) – JWT to verify and convert
  • keypair (Keypair) – Keypair to verify the JWT
  • json_decoder – a function to decode JSON into a dict. Defaults to json.loads
Returns:

claims

Return type:

dict

Raises:
  • InvalidFormatError – if not a valid JWT
  • InvalidAlgorithmError – if unsupported algorithm specified
  • InvalidClaimsError – if missing or invalid claims, including expiration, re-used nonce, etc.
  • InvalidSignatureError – if signature is not valid

oneid.jwts.make_jws(raw_claims, ordered_keypairs, multiple_sig_headers=None, json_encoder=<function dumps>)

Convert claims into JWS format (compact or JSON)

Parameters:
  • raw_claims (dict) – payload data that will be converted to json
  • ordered_keypairs (list) – Keypairs to sign the request with (in signing order, with ordered_keypairs[0] the first to sign the JWS)
  • json_encoder – a function to encode a dict into JSON. Defaults to json.dumps
  • multiple_sig_headers (list) – optional list of headers for associated keypairs with the same list index
Returns:

JWS

oneid.jwts.extend_jws_signatures(jws, ordered_keypairs, default_jwt_kid=None, multiple_sig_headers=None, json_encoder=<function dumps>, json_decoder=<function loads>)

Add signatures to an existing JWS (or JWT)

Parameters:
  • jws (str) – existing JWS (Compact or JSON) or JWT
  • ordered_keypairs (list) – Keypairs to sign the request with (in signing order, with ordered_keypairs[0] the first to sign the JWS)
  • default_jwt_kid (str) – (optional) value for ‘kid’ header field if passing a JWT without one
  • json_encoder – a function to encode a dict into JSON. Defaults to json.dumps
  • json_decoder – a function to decode JSON into a dict. Defaults to json.loads
  • multiple_sig_headers (list) – optional list of headers for associated keypairs with the same list index
Returns:

JWS

oneid.jwts.remove_jws_signatures(jws, kids_to_remove, json_encoder=<function dumps>, json_decoder=<function loads>)

Remove signatures from an existing JWS

Parameters:
  • jws (str) – existing JWS (JSON format only)
  • kids_to_remove (list) – Keypair identities to remove
  • json_encoder – a function to encode a dict into JSON. Defaults to json.dumps
  • json_decoder – a function to decode JSON into a dict. Defaults to json.loads
Returns:

JWS (may have empty signature list if last one removed)

oneid.jwts.get_jws_key_ids(jws, default_kid=None, json_decoder=<function loads>, ordered=False)

Extract the IDs of the keys used to sign a given JWS

Parameters:
  • jws (str or bytes) – JWS to get key IDs from
  • default_kid (str) – Value to use for looking up keypair if no kid found in a given signature header, as may happen when extending a JWT
  • json_decoder – a function to decode JSON into a dict. Defaults to json.loads
  • ordered (bool) – whether the key IDs should be returned in the order in which they signed the JWS. If that order cannot be resolved, an exception is thrown.
Returns:

key IDs

Return type:

list

Raises:

InvalidFormatError: if not a valid JWS

oneid.jwts.verify_jws(jws, keypairs=None, verify_all=True, default_kid=None, json_decoder=<function loads>)

Convert a JWS back to its claims, if validated by a set of required Keypairs

Parameters:
  • jws (str or bytes) – JWS to verify and convert
  • keypairs (list) – Keypairs to verify the JWS with. Must include one for each specified in the JWS headers’ kid values.
  • verify_all (bool) – If True (default), all keypairs must validate a signature. If False, only one needs to. If any fail to validate, the JWS is still not validated. This allows the caller to send multiple keys that _might_ have corresponding signatures, without requiring that _all_ do.
  • default_kid (str) – Value to use for looking up keypair if no kid found in a given signature header, as may happen when extending a JWT
  • json_decoder – a function to decode JSON into a dict. Defaults to json.loads
Returns:

claims

Return type:

dict

Raises:
  • InvalidFormatError – if not a valid JWS
  • InvalidAlgorithmError – if unsupported algorithm specified
  • InvalidClaimsError – if missing or invalid claims, including expiration, re-used nonce, etc.
  • InvalidSignatureError – if any relevant signature is not valid

oneid.jwts.get_jws_headers(jws, json_decoder=<function loads>)

Extract the headers of the signatures used to sign a given JWS

Parameters:
  • jws (str or bytes) – JWS to get headers from
  • json_decoder – a function to decode JSON into a dict. Defaults to json.loads
Returns:

headers

Return type:

list

Raises:

InvalidFormatError: if not a valid JWS
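The following is an added, stdlib-only illustration of the behaviour the functions above describe (make_jwt / verify_jwt, and the JWS family: make_jws, extend_jws_signatures, remove_jws_signatures, get_jws_key_ids, verify_jws). It is not the oneid package's own code: HS256 (HMAC-SHA256) stands in for the library's ECDSA-backed Keypair, the HmacKeypair class and sample_claims helper are hypothetical, and the replay cache is an in-memory set constructed for the example. Compact JWTs are verified through the same verify_jws path, so no separate verify_jwt is defined. The points worth noting are the ones the docs' "Raises" lists imply: the verifier pins the algorithm rather than trusting the token's alg header, every signature present must verify and must have a supplied keypair, verify_all decides whether every supplied keypair must match or only one, and claims (exp, jti nonce) are checked only after the signatures pass.

```python
# Stdlib-only illustration of the JWT/JWS operations documented above; constructed for
# this page, not the oneid package's code. HS256 stands in for its ECDSA Keypair.
import base64
import hashlib
import hmac
import json
import time

class InvalidFormatError(Exception): pass
class InvalidAlgorithmError(Exception): pass
class InvalidClaimsError(Exception): pass
class InvalidSignatureError(Exception): pass

def _b64url(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def _unb64url(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class HmacKeypair:  # hypothetical stand-in for oneid's Keypair: a kid plus a shared secret
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret
    def sign(self, msg):
        return hmac.new(self.secret, msg, hashlib.sha256).digest()
    def verify(self, msg, sig):
        return hmac.compare_digest(self.sign(msg), sig)

def sample_claims(nonce, ttl=60):  # constructed claims: issuer, expiry, single-use nonce
    return {"iss": "example-issuer", "exp": time.time() + ttl, "jti": nonce}

def _signature(keypair, payload_b64, extra_headers=None):
    # One JWS signature object: base64url protected header {alg, kid, ...} + signature
    header = dict({"alg": "HS256", "kid": keypair.identity}, **(extra_headers or {}))
    protected = _b64url(json.dumps(header, sort_keys=True).encode())
    sig = keypair.sign(f"{protected}.{payload_b64}".encode())
    return {"protected": protected, "signature": _b64url(sig)}

def _header(sig):
    try:
        return json.loads(_unb64url(sig["protected"]))
    except (ValueError, KeyError, TypeError) as exc:
        raise InvalidFormatError(f"bad protected header: {exc}")

def _parse(jws):
    # Accept compact (JWT) or JSON serialization -> (payload_b64, [signature objects])
    try:
        if jws.lstrip().startswith("{"):
            obj = json.loads(jws)
            return obj["payload"], list(obj["signatures"])
        protected, payload, sig = jws.split(".")
        return payload, [{"protected": protected, "signature": sig}]
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise InvalidFormatError(f"not a JWS or JWT: {exc}")

def make_jwt(raw_claims, keypair):  # compact serialization: header.payload.signature
    payload, [sig] = _parse(make_jws(raw_claims, [keypair]))
    return f"{sig['protected']}.{payload}.{sig['signature']}"

def make_jws(raw_claims, ordered_keypairs, multiple_sig_headers=None):
    payload = _b64url(json.dumps(raw_claims, sort_keys=True).encode())
    empty = json.dumps({"payload": payload, "signatures": []})
    return extend_jws_signatures(empty, ordered_keypairs, multiple_sig_headers)

def extend_jws_signatures(jws, ordered_keypairs, multiple_sig_headers=None):
    payload, sigs = _parse(jws)  # a compact JWT becomes the first entry of the list
    headers = multiple_sig_headers or [None] * len(ordered_keypairs)
    sigs += [_signature(kp, payload, h) for kp, h in zip(ordered_keypairs, headers)]
    return json.dumps({"payload": payload, "signatures": sigs})

def remove_jws_signatures(jws, kids_to_remove):
    payload, sigs = _parse(jws)
    kept = [s for s in sigs if _header(s).get("kid") not in kids_to_remove]
    return json.dumps({"payload": payload, "signatures": kept})

def get_jws_key_ids(jws, default_kid=None):
    return [_header(s).get("kid", default_kid) for s in _parse(jws)[1]]

_seen_jti = set()  # constructed replay cache; production needs shared, expiring storage
def _check_claims(claims):
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < time.time():
        raise InvalidClaimsError("missing or expired 'exp'")
    if claims.get("jti") is None or claims["jti"] in _seen_jti:
        raise InvalidClaimsError("missing or re-used nonce 'jti'")
    _seen_jti.add(claims["jti"])

def verify_jws(jws, keypairs, verify_all=True, default_kid=None):
    payload, sigs = _parse(jws)
    by_kid = {kp.identity: kp for kp in keypairs}
    matched = set()
    for sig in sigs:
        hdr = _header(sig)
        if hdr.get("alg") != "HS256":  # the verifier pins the algorithm; the token never chooses it
            raise InvalidAlgorithmError(hdr.get("alg"))
        kid = hdr.get("kid", default_kid)
        kp = by_kid.get(kid)  # every signature present must have a keypair and must verify
        if kp is None or not kp.verify(f"{sig['protected']}.{payload}".encode(),
                                       _unb64url(sig["signature"])):
            raise InvalidSignatureError(f"signature for kid {kid!r} does not verify")
        matched.add(kid)
    if not matched or (verify_all and matched != set(by_kid)):
        raise InvalidSignatureError("required signatures are not all present")
    claims = json.loads(_unb64url(payload))
    _check_claims(claims)  # claims are only inspected once the signatures have passed
    return claims
```

Usage: `jwt = make_jwt(sample_claims("n1"), HmacKeypair("kid-A", b"secret"))` yields a compact token that `verify_jws(jwt, [keypair])` returns the claims for; `make_jws(claims, [kA, kB])` yields the JSON serialization with two signature objects, which `extend_jws_signatures` and `remove_jws_signatures` rewrite. Note the sequencing in `verify_jws`: the signature check runs over the raw base64url segments before the payload is even decoded, so a tampered payload fails as an InvalidSignatureError rather than reaching the claims logic.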