Python SWT¶
To use this module, simply implement and use your own algorithm specific SWT class.
More [1] info about Simple Web Tokens can be found at Microsoft who originated the spec. back in 2009.
[1] | Although not a lot |
Using RSA SHA256¶
Create your own token class that extends from SWT_RSA_SHA256
, and implement
the key locators you need.
If you only want to verify tokens, then you can skip implementing the
get_private_key()
method.
class MySWT(SWT_RSA_SHA256):
def get_public_key(self):
return Path(f'/keys/{self.issuer}-public.pem').read_text()
def get_private_key(self):
return Path(f'/keys/{self.issuer}-private.pem').read_text()
Creating token objects from existing token strings, e.g. directly from http headers or similar.
# You can pass a full bearer token value directly from the request header
# no need to strip out the Bearer part first
token = MySWT(http_header_value)
if token.is_valid:
# Token has both a valid signature and is not expired
if token.is_signed:
# Token has a valid signature
if token.is_expired:
# Token is signed and expired, or token is not signed
# We only trust data in the token if it is signed
Creating and signing new tokens
# Create token
token = MySWT()
# Set issuer, you must have a key locator that can find the private key based
# upon the issuer
token.issuer = 'my-issuer'
# Set time to live
token.ttl = 3600
# Set claims
token.set_claim('sub', 42)
token.set_claim('foo', 'bar')
# Sign token with private key, and get serialized token back
token_str = token.sign()
# You can also get the serialized token from the token objectt by accessing
# the token_str property
token_str = token.token_str
As a convenience, if you use the token object in string or boolean context it will do the right thing™.
# Token in string context gives you the serialized token
token_str = str(token)
# Token in boolean context gives you the validity of the token
is_valid = bool(token)
# Parse token from string, and do stuff with it, if it is valid
token = MySWT(http_header_value)
if token:
# Do stuff with the valid token
API Reference¶
-
class
swt.
SWT
(token_str: Optional[str] = None)¶ Simple Web Token base class
To use this library, you must choose which algorithm you want to use, and extend the algorithm specific sub class. Currently only RSA SHA256 is implemented.
-
algorithm
¶ The algorithm used for the SWT
-
get_private_key
() → str¶ Implement this in your own subclass to find and load the private key by issuer
-
get_public_key
() → str¶ Implement this in your own subclass to find and load the public key by issuer
-
is_expired
¶ Check if the SWT is expired
Returns: is expired Return type: bool
-
is_signed
¶ Algorithm specific is_signed() property
Returns: signed status Return type: bool
-
is_valid
¶ Check if the SWT is both sign and not expired
Returns: token validity Return type: bool
-
issuer
¶ Issuer of token
-
sign
() → str¶ Algorithm specific sign() method
Returns: signed token Return type: str
-
token_str
¶ Token as serialized string
-
ttl
¶ Time to live in seconds
-
-
class
swt.
SWT_HMAC_SHA256
(token_str: Optional[str] = None)¶ Not yet implemented
-
algorithm
¶ The algorithm used for the SWT
-
is_signed
¶ Algorithm specific is_signed() property
Returns: signed status Return type: bool
-
sign
()¶ Algorithm specific sign() method
Returns: signed token Return type: str
-
-
class
swt.
SWT_RSA_SHA256
(token_str: Optional[str] = None)¶ SWT using RSA and SHA256
Extend this class and implement the key locater methods
-
algorithm
¶ The algorithm used for the SWT
-
is_signed
¶ Algorithm specific is_signed() property
Returns: signed status Return type: bool
-
sign
() → str¶ Algorithm specific sign() method
Returns: signed token Return type: str
-