Merge pull request #10 from Annyv2/oidc

OIDC Updates

Author: chenkie

00-Starter-Seed/.env.example

@@ -1,2 +1,2 @@
-AUTH0_CLIENT_ID={CLIENT_ID}
-AUTH0_CLIENT_SECRET={CLIENT_SECRET}
+AUTH0_DOMAIN={AUTH0_DOMAIN}
+API_ID={API_AUDIENCE}

00-Starter-Seed/README.md

@@ -1,17 +1,17 @@
 # Auth0 + Python + Flask API Seed
-This is the seed project you need to use if you're going to create a Python + Flask API. You'll mostly use this API either for a SPA or a Mobile app. If you just want to create a Regular Python WebApp, please check [this other seed project](https://github.com/auth0-samples/auth0-python-web-app/tree/master/00-Starter-Seed)
+This is the seed project you need to use if you're going to create a Python + Flask API. If you just want to create a Regular Python WebApp, please check [this other seed project](https://github.com/auth0-samples/auth0-python-web-app/tree/master/00-Starter-Seed)
 
 # Running the example
 In order to run the example you need to have `python` and `pip` installed.
 
-You also need to set the client secret and ID of your Auth0 app as environment variables with the following names respectively: `AUTH0_CLIENT_SECRET` and `AUTH0_CLIENT_ID`.
+You also need to set your Auth0 Domain and the API's audience as environment variables with the following names respectively: `AUTH0_DOMAIN` and `API_ID`, which is the audience of your API. You can find an example in the `env.example` file.
 
 For that, if you just create a file named `.env` in the directory and set the values like the following, the app will just work:
 
 ```bash
 # .env file
-AUTH0_CLIENT_SECRET=YOUR_CLIENT_SECRET
-AUTH0_CLIENT_ID=YOUR_CLIENT_ID
+AUTH0_DOMAIN=example.auth0.com
+API_ID=YOUR_API_AUDIENCE
 ```
 
 Once you've set those 2 enviroment variables:
@@ -20,4 +20,4 @@ Once you've set those 2 enviroment variables:
 2. Start the server with `python server.py`
 3. Try calling [http://localhost:3001/ping](http://localhost:3001/ping)
 
-You can then try to do a GET to [http://localhost:3001/secured/ping](http://localhost:3001/secured/ping) which will throw an error if you don't send the JWT signed using HMAC-SHA256 in the header.
+You can then try to do a GET to [http://localhost:3001/secured/ping](http://localhost:3001/secured/ping) which will throw an error if you don't send an access token signed with RS256 with the appropriate issuer and audience in the Authorization header 

00-Starter-Seed/requirements.txt

@@ -1,4 +1,4 @@
 flask
 python-dotenv
-PyJWT
+python-jose
 flask-cors

00-Starter-Seed/server.py

@@ -1,14 +1,16 @@
-import jwt
-
+import json
 from os import environ as env, path
+import urllib
+
 from dotenv import load_dotenv
 from functools import wraps
 from flask import Flask, request, jsonify, _app_ctx_stack
 from flask_cors import cross_origin
+from jose import jwt
 
 load_dotenv(path.join(path.dirname(__file__), '.env'))
-client_id = env["AUTH0_CLIENT_ID"]
-client_secret = env["AUTH0_CLIENT_SECRET"]
+auth0_domain = env['AUTH0_DOMAIN']
+api_audience = env['API_ID']
 
 app = Flask(__name__)
 
@@ -45,31 +47,43 @@ def decorated(*args, **kwargs):
                                  'Bearer + \s + token'}, 401)
 
         token = parts[1]
-        try:
-            payload = jwt.decode(
-                token,
-                client_secret,
-                audience=client_id
-            )
-        except jwt.ExpiredSignatureError:
-            return handle_error({'code': 'token_expired',
-                                'description': 'token is expired'}, 401)
-        except jwt.InvalidAudienceError:
-            return handle_error({'code': 'invalid_audience',
-                                'description': 'incorrect audience, expected: '
-                                 + client_id}, 401)
-        except jwt.DecodeError:
-            return handle_error({'code': 'token_invalid_signature',
-                                'description':
-                                    'token signature is invalid'}, 401)
-        except Exception:
-            return handle_error({'code': 'invalid_header',
-                                'description': 'Unable to parse authentication'
-                                 ' token.'}, 400)
-
-        _app_ctx_stack.top.current_user = payload
-        return f(*args, **kwargs)
-
+        jsonurl = urllib.urlopen('https://'+auth0_domain+'/.well-known/jwks.json')
+        jwks = json.loads(jsonurl.read())
+        unverified_header = jwt.get_unverified_header(token)
+        rsa_key = {}
+        for key in jwks['keys']:
+            if key['kid'] == unverified_header['kid']:
+                rsa_key = {
+                    'kty': key['kty'],
+                    'kid': key['kid'],
+                    'use': key['use'],
+                    'n': key['n'],
+                    'e': key['e']
+                }
+        if rsa_key:
+            try:
+                payload = jwt.decode(
+                    token,
+                    rsa_key,
+                    algorithms=unverified_header['alg'],
+                    audience=api_audience,
+                    issuer='https://'+auth0_domain+'/'
+                )
+            except jwt.ExpiredSignatureError:
+                return handle_error({'code': 'token_expired',
+                                    'description': 'token is expired'}, 401)
+            except jwt.JWTClaimsError:
+                return handle_error({'code': 'invalid_claims',
+                                    'description': 'incorrect claims, please check the audience and issuer'}, 401)
+            except Exception:
+                return handle_error({'code': 'invalid_header',
+                                    'description': 'Unable to parse authentication'
+                                    ' token.'}, 400)
+
+            _app_ctx_stack.top.current_user = payload
+            return f(*args, **kwargs)
+        return handle_error({'code': 'invalid_header',
+                             'description': 'Unable to find appropriate key'}, 400)    
     return decorated