1*e7b1675dSTing-Kang Chang# Copyright 2021 Google LLC 2*e7b1675dSTing-Kang Chang# 3*e7b1675dSTing-Kang Chang# Licensed under the Apache License, Version 2.0 (the "License"); 4*e7b1675dSTing-Kang Chang# you may not use this file except in compliance with the License. 5*e7b1675dSTing-Kang Chang# You may obtain a copy of the License at 6*e7b1675dSTing-Kang Chang# 7*e7b1675dSTing-Kang Chang# http://www.apache.org/licenses/LICENSE-2.0 8*e7b1675dSTing-Kang Chang# 9*e7b1675dSTing-Kang Chang# Unless required by applicable law or agreed to in writing, software 10*e7b1675dSTing-Kang Chang# distributed under the License is distributed on an "AS-IS" BASIS, 11*e7b1675dSTing-Kang Chang# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12*e7b1675dSTing-Kang Chang# See the License for the specific language governing permissions and 13*e7b1675dSTing-Kang Chang# limitations under the License. 14*e7b1675dSTing-Kang Chang 15*e7b1675dSTing-Kang Chang# [START python-jwt-sign-example] 16*e7b1675dSTing-Kang Chang"""A utility for creating and signing JSON Web Tokens (JWT). 17*e7b1675dSTing-Kang Chang 18*e7b1675dSTing-Kang ChangIt loads cleartext keys from disk - this is not recommended! 19*e7b1675dSTing-Kang Chang""" 20*e7b1675dSTing-Kang Chang 21*e7b1675dSTing-Kang Changimport datetime 22*e7b1675dSTing-Kang Chang 23*e7b1675dSTing-Kang Changfrom absl import app 24*e7b1675dSTing-Kang Changfrom absl import flags 25*e7b1675dSTing-Kang Changfrom absl import logging 26*e7b1675dSTing-Kang Changimport tink 27*e7b1675dSTing-Kang Changfrom tink import cleartext_keyset_handle 28*e7b1675dSTing-Kang Changfrom tink import jwt 29*e7b1675dSTing-Kang Chang 30*e7b1675dSTing-Kang Chang 31*e7b1675dSTing-Kang Chang_PRIVATE_KEYSET_PATH = flags.DEFINE_string( 32*e7b1675dSTing-Kang Chang 'private_keyset_path', None, 33*e7b1675dSTing-Kang Chang 'Path to the keyset used for the JWT signature operation.') 34*e7b1675dSTing-Kang Chang_AUDIENCE = flags.DEFINE_string('audience', None, 35*e7b1675dSTing-Kang Chang 'Audience to be used in the token') 36*e7b1675dSTing-Kang Chang_TOKEN_PATH = flags.DEFINE_string('token_path', None, 'Path to the token file.') 37*e7b1675dSTing-Kang Chang 38*e7b1675dSTing-Kang Chang 39*e7b1675dSTing-Kang Changdef main(argv): 40*e7b1675dSTing-Kang Chang del argv # Unused. 41*e7b1675dSTing-Kang Chang 42*e7b1675dSTing-Kang Chang # Initialise Tink 43*e7b1675dSTing-Kang Chang jwt.register_jwt_signature() 44*e7b1675dSTing-Kang Chang 45*e7b1675dSTing-Kang Chang # Read the keyset into a KeysetHandle 46*e7b1675dSTing-Kang Chang with open(_PRIVATE_KEYSET_PATH.value, 'rt') as keyset_file: 47*e7b1675dSTing-Kang Chang try: 48*e7b1675dSTing-Kang Chang text = keyset_file.read() 49*e7b1675dSTing-Kang Chang keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(text)) 50*e7b1675dSTing-Kang Chang except tink.TinkError as e: 51*e7b1675dSTing-Kang Chang logging.exception('Error reading keyset: %s', e) 52*e7b1675dSTing-Kang Chang return 1 53*e7b1675dSTing-Kang Chang 54*e7b1675dSTing-Kang Chang now = datetime.datetime.now(tz=datetime.timezone.utc) 55*e7b1675dSTing-Kang Chang 56*e7b1675dSTing-Kang Chang # Get the JwtPublicKeySign primitive 57*e7b1675dSTing-Kang Chang try: 58*e7b1675dSTing-Kang Chang jwt_sign = keyset_handle.primitive(jwt.JwtPublicKeySign) 59*e7b1675dSTing-Kang Chang except tink.TinkError as e: 60*e7b1675dSTing-Kang Chang logging.exception('Error creating JwtPublicKeySign: %s', e) 61*e7b1675dSTing-Kang Chang return 1 62*e7b1675dSTing-Kang Chang 63*e7b1675dSTing-Kang Chang # Create token 64*e7b1675dSTing-Kang Chang raw_jwt = jwt.new_raw_jwt( 65*e7b1675dSTing-Kang Chang audiences=[_AUDIENCE.value], 66*e7b1675dSTing-Kang Chang expiration=now + datetime.timedelta(seconds=100)) 67*e7b1675dSTing-Kang Chang token = jwt_sign.sign_and_encode(raw_jwt) 68*e7b1675dSTing-Kang Chang with open(_TOKEN_PATH.value, 'wt') as token_file: 69*e7b1675dSTing-Kang Chang token_file.write(token) 70*e7b1675dSTing-Kang Chang logging.info('Token has been written to %s', _TOKEN_PATH.value) 71*e7b1675dSTing-Kang Chang 72*e7b1675dSTing-Kang Chang 73*e7b1675dSTing-Kang Changif __name__ == '__main__': 74*e7b1675dSTing-Kang Chang flags.mark_flags_as_required( 75*e7b1675dSTing-Kang Chang ['private_keyset_path', 'audience', 'token_path']) 76*e7b1675dSTing-Kang Chang app.run(main) 77*e7b1675dSTing-Kang Chang 78*e7b1675dSTing-Kang Chang# [END python-jwt-sign-example] 79