in fxa/oauth.py [0:0]
def _verify_jwt_token(self, key, token):
    """Verify an FxA OAuth access token in JWT form and return its claims.

    Args:
        key: JWK for the signing key, in whatever form
            ``RSAAlgorithm.from_jwk`` accepts.
        token: the compact-serialized JWT string.

    Returns:
        dict with ``user`` (the ``sub`` claim), ``client_id``, ``scope``
        (the ``scope`` claim split on whitespace; ``[]`` when absent),
        ``generation`` (``fxa-generation``) and ``profile_changed_at``
        (``fxa-profileChangedAt``). Missing claims come back as ``None``.

    Raises:
        TrustError: if the ``typ`` header does not identify the token as an
            OAuth access token (``application/at+jwt``).
        Whatever ``jwt.decode`` raises for a bad signature, an expired token
        or a malformed JWT is not caught here and propagates to the caller.
    """
    verification_key = jwt.algorithms.RSAAlgorithm.from_jwk(key)
    # PyJWT checks the signature with the algorithm pinned to RS256, so a
    # token-supplied `alg` header cannot downgrade verification. Audience
    # checking is deliberately off: FxA OAuth restricts which services may
    # accept a token via `scope`, not `aud`, and the audience FxA sets would
    # not match this relying party, so enabling the check would only fail.
    # NOTE(review): nothing here checks `iss`; trust rests on the caller
    # supplying a key obtained from FxA's own key set — confirm at the caller.
    claims = jwt.decode(
        token, verification_key, algorithms=['RS256'], options={'verify_aud': False}
    )
    # RFC 7515 section 4.1.9: `typ` is compared case-insensitively and a
    # value without a '/' carries an implicit `application/` prefix. Only an
    # access token (`at+jwt`) is accepted, so e.g. an FxA id_token or refresh
    # token with a valid signature is still rejected. Reading the header
    # unverified is acceptable here because the signature over the token has
    # already been checked above.
    header_typ = jwt.get_unverified_header(token).get('typ', '')
    media_type = header_typ if '/' in header_typ else 'application/' + header_typ
    if media_type.lower() != 'application/at+jwt':
        raise TrustError
    scope_claim = claims.get('scope', '')
    return {
        'user': claims.get('sub'),
        'client_id': claims.get('client_id'),
        'scope': scope_claim.split(),
        'generation': claims.get('fxa-generation'),
        'profile_changed_at': claims.get('fxa-profileChangedAt'),
    }