authorDanny Hermes <daniel.j.hermes@gmail.com>2015-08-25 17:11:39 -0700
committerDanny Hermes <daniel.j.hermes@gmail.com>2015-09-01 09:58:33 -0700
commitfc2d063e25be4d342206c477280b7b9b160e45b0 (patch)
tree8dced168346966512de48b7ffc1a2df548183310 /oauth2client/crypt.py
parent56957e11953a11b411c63d54939764edf105f1cd (diff)
Using more descriptive names for JWT parts.
Previous variables in verify_signed_jwt_with_certs did not illustrate the actual use of each part.
Diffstat (limited to 'oauth2client/crypt.py')
-rw-r--r--oauth2client/crypt.py40
1 files changed, 21 insertions, 19 deletions
diff --git a/oauth2client/crypt.py b/oauth2client/crypt.py
index 321a097..0105b88 100644
--- a/oauth2client/crypt.py
+++ b/oauth2client/crypt.py
@@ -147,44 +147,46 @@ def verify_signed_jwt_with_certs(jwt, certs, audience):
signature = _urlsafe_b64decode(signature)
# Parse token.
- json_body = _urlsafe_b64decode(payload)
+ payload_bytes = _urlsafe_b64decode(payload)
try:
- parsed = json.loads(_from_bytes(json_body))
+ payload_dict = json.loads(_from_bytes(payload_bytes))
except:
- raise AppIdentityError('Can\'t parse token: %s' % json_body)
+ raise AppIdentityError('Can\'t parse token: %s' % (payload_bytes,))
# Check signature.
_verify_signature(message_to_sign, signature, certs)
# Check creation timestamp.
- iat = parsed.get('iat')
- if iat is None:
- raise AppIdentityError('No iat field in token: %s' % json_body)
- earliest = iat - CLOCK_SKEW_SECS
+ issued_at = payload_dict.get('iat')
+ if issued_at is None:
+ raise AppIdentityError('No iat field in token: %s' % (payload_bytes,))
+ earliest = issued_at - CLOCK_SKEW_SECS
# Check expiration timestamp.
now = int(time.time())
- exp = parsed.get('exp')
- if exp is None:
- raise AppIdentityError('No exp field in token: %s' % json_body)
- if exp >= now + MAX_TOKEN_LIFETIME_SECS:
- raise AppIdentityError('exp field too far in future: %s' % json_body)
- latest = exp + CLOCK_SKEW_SECS
+ expiration = payload_dict.get('exp')
+ if expiration is None:
+ raise AppIdentityError('No exp field in token: %s' % (payload_bytes,))
+ if expiration >= now + MAX_TOKEN_LIFETIME_SECS:
+ raise AppIdentityError('exp field too far in future: %s' %
+ (payload_bytes,))
+ latest = expiration + CLOCK_SKEW_SECS
if now < earliest:
raise AppIdentityError('Token used too early, %d < %d: %s' %
- (now, earliest, json_body))
+ (now, earliest, payload_bytes))
if now > latest:
raise AppIdentityError('Token used too late, %d > %d: %s' %
- (now, latest, json_body))
+ (now, latest, payload_bytes))
# Check audience.
if audience is not None:
- aud = parsed.get('aud')
+ aud = payload_dict.get('aud')
if aud is None:
- raise AppIdentityError('No aud field in token: %s' % json_body)
+ raise AppIdentityError('No aud field in token: %s' %
+ (payload_bytes,))
if aud != audience:
raise AppIdentityError('Wrong recipient, %s != %s: %s' %
- (aud, audience, json_body))
+ (aud, audience, payload_bytes))
- return parsed
+ return payload_dict
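Review bot: The parse-failure branch (`except:` followed by the `'Can\'t parse token: %s' % (payload_bytes,)` raise) still runs before `_verify_signature(message_to_sign, signature, certs)`, so the bytes it copies into the exception text come from a token that has not been authenticated yet. Moving the `_verify_signature(...)` call above the `# Parse token.` block would mean only signed payloads are ever parsed or echoed. The later messages that include `payload_bytes` would then carry verified claims, but those claims may still be personal data that ends up in logs, so a truncated or redacted form is worth considering. The bare `except:` also catches `KeyboardInterrupt` and `SystemExit`; `except ValueError:` looks sufficient if `_from_bytes` and `json.loads` report bad input only that way, which the hunk does not show. The function starts above this hunk, so the split of `jwt` into its segments is not visible here.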