TokenIssuer

class gafaelfawr.issuer.TokenIssuer(config: IssuerConfig)

Bases: object

Issuing new JWTs.
This class is responsible for either reissuing internal JWTs based on external ones, creating new long-lived JWTs at user request, or minting new JWTs from non-JWT authentication sources.
Parameters: config (gafaelfawr.config.IssuerConfig) – Configuration parameters for the issuer.

Methods Summary

issue_token(claims) – Issue a token containing the provided claims.
issue_user_token(token, *, scope, jti) – Issue a new user-issued token.
reissue_token(token, *, jti, scope, internal) – Reissue a token.

Methods Documentation

issue_token(claims: Mapping[str, Any]) → VerifiedToken

Issue a token containing the provided claims.
A scope claim will be added based on any groups in an isMemberOf claim, if a scope claim was not already present.
Parameters: claims (Mapping[str, Any]) – Claims to include in the token.
Returns: token – The newly-issued token.
Return type: gafaelfawr.tokens.VerifiedToken

issue_user_token(token: gafaelfawr.tokens.VerifiedToken, *, scope: str, jti: str) → gafaelfawr.tokens.VerifiedToken

Issue a new user-issued token.
Issues a long-lived token intended for programmatic use. The claims of this token will be based on the user’s authentication token, but only selected claims will be copied over.
Parameters:
- token (gafaelfawr.tokens.VerifiedToken) – The user’s authentication token.
- scope (str) – The scope of the new token.
- jti (str) – The jti (JWT ID) claim for the new token.
Returns: user_token – The new user-issued token.
Return type: gafaelfawr.tokens.VerifiedToken

reissue_token(token: VerifiedToken, *, jti: str, scope: Optional[str] = None, internal: bool = False) → VerifiedToken

Reissue a token.
This makes a copy of the token, sets the audience, expiration, issuer, and issue time as appropriate, and then returns the token in encoded form. The scope claim of the new token will be based on the provided scope, if there is one, and otherwise on the group membership in the token. The upstream scope claim will be discarded.
Parameters:
- token (gafaelfawr.tokens.VerifiedToken) – The token to reissue.
- jti (Optional[str], optional) – The jti to use for the new token.
- scope (Optional[str], optional) – If provided, set the scope claim of the reissued token to this.
- internal (bool, optional) – If set to True, issue the token with the internal audience instead of the external audience.
Returns: new_token – The new token.
Return type: gafaelfawr.tokens.VerifiedToken
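
The claim handling that reissue_token describes, as an added sketch that is not Gafaelfawr's own code: it drops the upstream scope claim, overwrites the issuer, audience, issue time and expiration, and takes the scope from the caller or from group membership. The issuer and audience URLs, the lifetime, the group-to-scope map, the helper names, and the shape of the isMemberOf claim (a list of objects with a name key) are all assumptions; signing is left out.

```python
import time
from typing import Any, Dict, Mapping, Optional

# Constructed configuration; the names and values are assumptions for this sketch.
ISSUER = "https://auth.example.org"
AUD_EXTERNAL = "https://example.org"
AUD_INTERNAL = "https://internal.example.org"
LIFETIME_SECONDS = 3600
GROUP_SCOPES = {"admins": ["admin:token", "read:all"], "staff": ["read:all"]}


def scope_from_groups(claims: Mapping[str, Any]) -> str:
    """Derive a space-separated scope from isMemberOf group names."""
    scopes = set()
    for group in claims.get("isMemberOf", []):
        scopes.update(GROUP_SCOPES.get(group.get("name"), []))
    return " ".join(sorted(scopes))


def reissue_claims(
    upstream: Mapping[str, Any],
    *,
    jti: str,
    scope: Optional[str] = None,
    internal: bool = False,
    now: Optional[int] = None,
) -> Dict[str, Any]:
    """Build the claim set for a reissued token (hypothetical helper)."""
    issued_at = int(time.time()) if now is None else now
    # Copy the upstream claims, but never trust its scope claim.
    claims = {k: v for k, v in upstream.items() if k != "scope"}
    # Overwrite everything that says who issued the token and for whom.
    claims.update(
        iss=ISSUER,
        aud=AUD_INTERNAL if internal else AUD_EXTERNAL,
        iat=issued_at,
        exp=issued_at + LIFETIME_SECONDS,
        jti=jti,
    )
    # An explicit scope wins; otherwise fall back to group membership.
    claims["scope"] = scope if scope is not None else scope_from_groups(claims)
    return claims


# Constructed upstream token that asserts a scope its groups do not grant.
UPSTREAM = {
    "iss": "https://idp.example.com", "aud": "idp-client", "sub": "alice",
    "iat": 1, "exp": 2, "scope": "admin:token",
    "isMemberOf": [{"name": "staff"}],
}
```

With the constructed UPSTREAM token, the reissued scope is derived from the staff group only, so the upstream admin:token scope does not survive reissue.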