Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token handling #38

Merged
merged 8 commits into from
Feb 26, 2021
Merged

Token handling #38

merged 8 commits into from
Feb 26, 2021

Conversation

tsibley
Copy link

@tsibley tsibley commented Feb 25, 2021

Please see the commit messages for details.

@tsibley tsibley mentioned this pull request Feb 25, 2021
Closed
2 tasks
pvizeli
pvizeli reviewed Feb 26, 2021
View reviewed changes
Copy link
Member

@pvizeli pvizeli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just a small style change, after that we can merge it 👍

pycognito/__init__.py Outdated Show resolved Hide resolved
pycognito/__init__.py Outdated Show resolved Hide resolved
pycognito/__init__.py Outdated Show resolved Hide resolved
pycognito/__init__.py Outdated Show resolved Hide resolved
pycognito/__init__.py Outdated Show resolved Hide resolved
@tsibley
Format exception descriptions which contained unformatted interpolations
87070b1
@tsibley
Refactor out user pool base URL templating
8e66d23 
…so it can be reused by token verification.
@tsibley
Fix several weaknesses in token verification
cccc7a3 
JWTs are made of footguns.  Follow the recommendations in Cognito's
developer guide and avoid some pitfalls with the defaults of the JWT
library in use (jose).

  • Actually verify audience and issuer claims against expected values
    instead of comparing the values to themselves.

  • Require audience, issuer, and expiration claims to be present, as
    otherwise the JWT library in use will silently skip verification.

  • Check token_use claim matches after claim verification to avoid
    using unverified claims at all.
@tsibley
Consistently set and verify tokens across assignment codepaths
45e5c09 
Ensures that the token attributes are accessible, up-to-date, and valid.
@tsibley
Add verify_tokens() method to manually (re-)check current tokens
745a716 
It can be useful to call this method after creating a Cognito instance
where you've provided externally-remembered token values.
@tsibley
Save the verified claims for the id and access token
2b28249 
Very handy to have these available so you can use the default claims
like "cognito:groups" and any custom claims.

Resolves NabuCasa#19.
@tsibley
README: Correct two typos
33ad7b8
@tsibley @pvizeli
Switch to f-strings for interpolation
aa22fdb 
As requested during review. I avoided using f-strings initially because
I did not see them used elsewhere in the codebase.

Co-authored-by: Pascal Vizeli <pascal.vizeli@syshack.ch>
pvizeli
pvizeli approved these changes Feb 26, 2021
View reviewed changes
Copy link
Member

@pvizeli pvizeli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@tsibley
Copy link
Author

tsibley commented Feb 26, 2021

Thanks! Repushed with change to f-strings.

@pvizeli pvizeli merged commit c71d931 into NabuCasa:master Feb 26, 2021
@tsibley tsibley mentioned this pull request Feb 26, 2021
Closed
@tsibley tsibley deleted the token-handling branch February 26, 2021 19:45
mdecuir pushed a commit to MDmetrix/pycognito that referenced this pull request Jun 30, 2021
@tsibley @pvizeli
Token handling (NabuCasa#38)
bc92e0e 
* Format exception descriptions which contained unformatted interpolations

* Refactor out user pool base URL templating

…so it can be reused by token verification.

* Fix several weaknesses in token verification

JWTs are made of footguns.  Follow the recommendations in Cognito's
developer guide and avoid some pitfalls with the defaults of the JWT
library in use (jose).

  • Actually verify audience and issuer claims against expected values
    instead of comparing the values to themselves.

  • Require audience, issuer, and expiration claims to be present, as
    otherwise the JWT library in use will silently skip verification.

  • Check token_use claim matches after claim verification to avoid
    using unverified claims at all.

* Consistently set and verify tokens across assignment codepaths

Ensures that the token attributes are accessible, up-to-date, and valid.

* Add verify_tokens() method to manually (re-)check current tokens

It can be useful to call this method after creating a Cognito instance
where you've provided externally-remembered token values.

* Save the verified claims for the id and access token

Very handy to have these available so you can use the default claims
like "cognito:groups" and any custom claims.

Resolves NabuCasa#19.

* README: Correct two typos

* Switch to f-strings for interpolation

As requested during review. I avoided using f-strings initially because
I did not see them used elsewhere in the codebase.

Co-authored-by: Pascal Vizeli <pascal.vizeli@syshack.ch>

Co-authored-by: Pascal Vizeli <pascal.vizeli@syshack.ch>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pvizeli pvizeli pvizeli approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tsibley @pvizeli