Forms reference

class lizard_auth_server.forms.JWTDecryptForm(data=None, files=None, auto_id='id_%s', prefix=None, initial=None, error_class=<class 'django.forms.utils.ErrorList'>, label_suffix=None, empty_permitted=False, field_order=None)[source]

Form for decoding and validating JWT messages.

The form is different from regular Django forms. There are two incoming form fields, but the message payload is used as the outgoing cleaned_data. Note: there is no form validation on the actual message contents.

The “incoming” form fields:

- key – ID identifying the portal. In lizard-auth-client this is the SSO_KEY setting.
- message – The JWT message containing the payload and the JWT signature.

The clean() method does the actual JWT decoding and validation.

clean()[source]

Verify the JWT signature and return the JWT payload.

The key field is used to look up the relevant portal. That site’s sso_secret is used to validate the signature on the JWT payload. This way we can be sure that the payload has really been sent by the portal we think sent it, and that the payload has not been tampered with.

The payload MUST contain a value for iss that matches the key form field: this is needed to verify that the payload has not been tampered with. iss is a standard field name in the JWT standard: it means “issuer”.

Returns: The JWT payload is returned instead of the original form data. So the JWT payload ends up in the form’s cleaned_data attribute instead of the original key+message fields!

Raises: ValidationError – When the JWT is malformed or expired, or when the signature does not match. A portal should be found that matches key. Likewise, iss in the payload should match the key form field.
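As an added example (not lizard-auth-server's own code), the stand-alone function below mirrors what clean() is documented to do: look up the portal's secret by key, verify the signature, reject expired tokens and require iss to equal key. It assumes a constructed PORTALS dict in place of the portal lookup and its own ValidationError in place of Django's, verifies HS256 with the standard library rather than a JWT library, and make_jwt is a constructed helper that plays the portal side.

```python
import base64
import hashlib
import hmac
import json
import time


class ValidationError(Exception):
    """Stand-in for django.forms.ValidationError (assumption: no Django here)."""


# Constructed sample: portal key -> sso_secret, standing in for the portal lookup.
PORTALS = {"portal-a": "secret-of-portal-a", "portal-b": "secret-of-portal-b"}


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # restore padding


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_jwt(secret, payload):
    """Constructed helper playing the portal side: build an HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode_and_validate(key, message, portals=PORTALS, now=None):
    """Mirror of clean(): look up the portal by key, verify signature, exp and iss."""
    secret = portals.get(key)
    if secret is None:
        raise ValidationError("no portal found for key %r" % key)
    try:
        header_b64, body_b64, sig_b64 = message.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(body_b64))
        given_sig = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(payload, dict)):
            raise ValueError
    except ValueError:  # wrong part count, bad base64/JSON, or non-object header/body
        raise ValidationError("malformed JWT")
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValidationError("unexpected JWT algorithm")
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given_sig, expected):  # constant-time comparison
        raise ValidationError("JWT signature does not match")
    if "exp" in payload and payload["exp"] < (time.time() if now is None else now):
        raise ValidationError("JWT expired")
    if payload.get("iss") != key:  # iss must equal the submitted key field
        raise ValidationError("payload iss does not match key")
    return payload
```

The returned dict is what the form would expose as cleaned_data; the original key and message fields are not part of it.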