Merge pull request #49 from SilvrGroup/use-pyjwt

Use PyJWT instead of python-jose

Author: robert-mings

intuitlib/utils.py

@@ -16,20 +16,19 @@
 """
 
 import json
-from base64 import b64encode, b64decode, urlsafe_b64decode
-from datetime import datetime
+import jwt
 import random
-import string
-from jose import jwk
 import requests
-from requests.sessions import Session
 import six
-from requests_oauthlib import OAuth1
-
+import string
+from base64 import b64encode, b64decode, urlsafe_b64decode
+from datetime import datetime
+from requests.sessions import Session
 
+from intuitlib.config import DISCOVERY_URL, ACCEPT_HEADER
 from intuitlib.enums import Scopes
 from intuitlib.exceptions import AuthClientError
-from intuitlib.config import DISCOVERY_URL, ACCEPT_HEADER
+
 
 def get_discovery_doc(environment, session=None):
     """Gets discovery doc based on environment specified.
@@ -153,7 +152,6 @@ def validate_id_token(id_token, client_id, intuit_issuer, jwk_uri):
 
     id_token_header = json.loads(b64decode(_correct_padding(id_token_parts[0])).decode('ascii'))
     id_token_payload = json.loads(b64decode(_correct_padding(id_token_parts[1])).decode('ascii'))
-    id_token_signature = urlsafe_b64decode(((_correct_padding(id_token_parts[2])).encode('ascii')))
 
     if id_token_payload['iss'] != intuit_issuer:
         return False
@@ -164,12 +162,12 @@ def validate_id_token(id_token, client_id, intuit_issuer, jwk_uri):
     if id_token_payload['exp'] < current_time:
         return False
 
-    message = id_token_parts[0] + '.' + id_token_parts[1]
-    keys_dict = get_jwk(id_token_header['kid'], jwk_uri)
-
-    public_key = jwk.construct(keys_dict)
-    is_signature_valid = public_key.verify(message.encode('utf-8'), id_token_signature)
-    return is_signature_valid
+    public_key = get_jwk(id_token_header['kid'], jwk_uri).key
+    try:
+        jwt.decode(id_token, public_key, audience=client_id, algorithms=['RS256'])
+        return True
+    except jwt.PyJWTError:
+        return False
 
 def get_jwk(kid, jwk_uri):
     """Get JWK for public key information
@@ -178,15 +176,14 @@ def get_jwk(kid, jwk_uri):
     :param jwk_uri: JWK URI
 
     :raises HTTPError: if response status != 200
-    :return: dict containing keys
+    :return: Algorithm with the key loaded.
     """
 
     response = requests.get(jwk_uri)
     if response.status_code != 200:
         raise AuthClientError(response)
     data = response.json()
-    keys = next(key for key in data["keys"] if key['kid'] == kid)
-    return keys
+    return jwt.PyJWKSet.from_dict(data)[kid]
 
 def _correct_padding(val):
     """Correct padding for JWT

requirements.txt

@@ -1,4 +1,3 @@
-python_jose>=2.0.2
 requests>=2.13.0
 mock>=2.0.0
 requests_oauthlib>=1.0.0
@@ -8,3 +7,4 @@ pytest>=3.8.0
 pytest-cov==2.5.0
 six>=1.10.0
 enum-compat
+pyjwt[crypto]>=2.0.0

setup.py

@@ -30,7 +30,7 @@
     packages=find_packages(exclude=('tests*',)),
     namespace_packages=('intuitlib',),
     install_requires=[
-        'python_jose>=2.0.2',
+        'pyjwt[crypto]>=2.0.0',
         'requests>=2.13.0',
         'requests_oauthlib>=1.0.0',
         'six>=1.10.0',