Forms reference

class lizard_auth_server.forms.JWTDecryptForm(data=None, files=None, auto_id='id_%s', prefix=None, initial=None, error_class=<class 'django.forms.utils.ErrorList'>, label_suffix=None, empty_permitted=False, field_order=None)

Form for decoding and validating JWT messages

The form is different from regular django forms. There are two incoming form fields, but the message payload is used as the outgoing cleaned_data.

Note: there is no form validation on the actual message contents.

The “incoming” form fields:

key
    ID identifying the portal. In lizard-auth-client this is the SSO_KEY setting.
message
    The JWT message containing the payload and the JWT signature.

The clean() method does the actual JWT decoding and validation.

clean()

Verify the JWT signature and return the JWT payload

The key field is used to look up the relevant portal. That site’s sso_secret is used to validate the signature on the JWT payload. This way we can be sure that the payload was really sent by the portal we think sent it, and that the payload has not been tampered with.

The payload MUST contain a value for iss that matches the key form field: this is needed to verify that the payload has not been tampered with. iss is a standard field name in the JWT standard: it means “issuer”.

Returns: The JWT payload is returned instead of the original form data. So the JWT payload ends up in the form’s cleaned_data attribute instead of the original key+message fields!
Raises: ValidationError – When the JWT is malformed or expired, or when the signature does not match. Also raised when no portal matches key, or when iss in the payload does not match the key form field.
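As an added illustration (not lizard-auth-server’s own code), the sequence of checks clean() performs, written against a constructed portal table and a hand-rolled HS256 verifier so it runs without Django or a JWT library; PORTALS, encode_jwt and rejection_reason are assumptions of this example, and the rejection messages are its own, not the form’s.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the database lookup of a Portal by its key (SSO_KEY):
# maps key -> sso_secret. Both values are hypothetical.
PORTALS = {"portal-abc": "constructed-sso-secret-abc"}

class ValidationError(Exception):
    """Stand-in for django.forms.ValidationError."""

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def hs256(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def encode_jwt(payload, secret):
    """Build an HS256 JWT as a portal would; used here only to construct input."""
    signing_input = b64url_encode(b'{"alg":"HS256","typ":"JWT"}') + "." + b64url_encode(json.dumps(payload).encode())
    return f"{signing_input}.{b64url_encode(hs256(secret, signing_input))}"

def clean(key, message, now=None):
    """Mirror of the form's clean(): portal lookup, then signature, exp and iss checks."""
    secret = PORTALS.get(key)
    if secret is None:
        raise ValidationError("no portal matches key")
    try:
        header_b64, body_b64, sig_b64 = message.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValidationError("malformed JWT") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValidationError("malformed JWT")
    if header.get("alg") != "HS256":  # pin the algorithm; never honour alg=none
        raise ValidationError("unsupported alg")
    if not hmac.compare_digest(sig, hs256(secret, f"{header_b64}.{body_b64}")):
        raise ValidationError("signature does not match")
    if "exp" in payload and payload["exp"] < (time.time() if now is None else now):
        raise ValidationError("JWT expired")
    if payload.get("iss") != key:  # the issuer claim must equal the portal key
        raise ValidationError("iss does not match key")
    return payload  # this dict becomes cleaned_data, not the key+message fields

def rejection_reason(key, message, now=None):
    """None when clean() accepts the message, otherwise why it was rejected."""
    try:
        clean(key, message, now)
    except ValidationError as exc:
        return str(exc)
```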