Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ServiceApplicationClient: Add extra_jwt_headers #865

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ServiceApplicationClient: Add extra_jwt_headers #865

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
9 changes: 7 additions & 2 deletions oauthlib/oauth2/rfc6749/clients/service_application.py
View file
Open in desktop
Expand Up @@ -68,6 +68,7 @@ def prepare_request_body(self,
audience=None,
expires_at=None,
issued_at=None,
extra_jwt_headers=None,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it needed for any specific specification or for a particular API/use case only?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Standard header parameters are defined in RFC 7515. In this document, "kid" is defined, but also other parameters that may be meaningfully used here.

extra_claims=None,
body='',
scope=None,
Expand Down Expand Up @@ -96,7 +97,11 @@ def prepare_request_body(self,
:param issued_at: A unix timestamp of when the JWT was created.
Defaults to now, i.e. ``time.time()``.

:param extra_claims: A dict of additional claims to include in the JWT.
:param extra_jwt_headers: A dict of additional headers to include
in the JWT header.

:param extra_claims: A dict of additional claims to include
in the JWT payload.

:param body: Existing request body (URL encoded string) to embed parameters
into. This may contain extra parameters. Default ''.
Expand Down Expand Up @@ -176,7 +181,7 @@ def prepare_request_body(self,

claim.update(extra_claims or {})

assertion = jwt.encode(claim, key, 'RS256')
assertion = jwt.encode(claim, key, 'RS256', extra_jwt_headers)
assertion = to_unicode(assertion)

kwargs['client_id'] = self.client_id
Expand Down
11 changes: 10 additions & 1 deletion tests/oauth2/rfc6749/clients/test_service_application.py
View file
Open in desktop
Expand Up @@ -114,18 +114,24 @@ def test_request_body(self, t):
# Optional kwargs
not_before = time() - 3600
jwt_id = '8zd15df4s35f43sd'
extra_jwt_headers = {'extra': 'header'}
extra_claims = {'extra': 'claim'}
body = client.prepare_request_body(issuer=self.issuer,
subject=self.subject,
audience=self.audience,
body=self.body,
not_before=not_before,
extra_jwt_headers=extra_jwt_headers,
extra_claims=extra_claims,
jwt_id=jwt_id)

r = Request('https://a.b', body=body)
self.assertEqual(r.isnot, 'empty')
self.assertEqual(r.grant_type, ServiceApplicationClient.grant_type)

claim = jwt.decode(r.assertion, self.public_key, audience=self.audience, algorithms=['RS256'])
token = jwt.api_jwt.decode_complete(r.assertion, self.public_key, audience=self.audience, algorithms=['RS256'])
header = token['header']
claim = token['payload']

self.assertEqual(claim['iss'], self.issuer)
# audience verification is handled during decode now
Expand All @@ -134,6 +140,9 @@ def test_request_body(self, t):
self.assertEqual(claim['nbf'], not_before)
self.assertEqual(claim['jti'], jwt_id)

self.assertLessEqual(extra_jwt_headers.items(), header.items())
self.assertLessEqual(extra_claims.items(), claim.items())

@patch('time.time')
def test_request_body_no_initial_private_key(self, t):
t.return_value = time()
Expand Down