1. import jwt # For decoding JWTs
  2. import datetime # For handling timestamps
  3. import logging # For logging anomalies
  5. # Configure logging
  6. logging.basicConfig(level=logging.WARNING, format='%(asctime)s - %(levelname)s - %(message)s')
  8. def validate_token(token, expected_iss, expected_aud, expiry_window_hours=24):
  9. """
  10. Validates an authentication token and flags anomalies.
  12. Args:
  13. token (str): The authentication token to validate.
  14. expected_iss (str): The expected issuer of the token.
  15. expected_aud (str): The expected audience of the token.
  16. expiry_window_hours (int): How many hours after expiry to flag.
  18. Returns:
  19. bool: True if the token is valid, False otherwise.
  20. """
  21. try:
  22. # Decode the token
  23. decoded_token = jwt.decode(token, options={"verify_signature": True})
  25. # Check if token is expired
  26. if decoded_token['exp'] < datetime.datetime.utcnow():
  27. logging.warning(f"Token expired: {token}")
  28. return False
  30. # Check issuer
  31. if decoded_token['iss'] != expected_iss:
  32. logging.warning(f"Incorrect issuer: {decoded_token['iss']} != {expected_iss} in token: {token}")
  33. return False
  35. # Check audience
  36. if decoded_token['aud'] != expected_aud:
  37. logging.warning(f"Incorrect audience: {decoded_token['aud']} != {expected_aud} in token: {token}")
  38. return False
  40. # Check for unusual expiry time (e.g., very far in the future)
  41. if decoded_token['exp'] > datetime.datetime.utcnow() + datetime.timedelta(hours=expiry_window_hours):
  42. logging.warning(f"Unusually long expiry time: {decoded_token['exp']} in token: {token}")
  43. return False
  45. return True # Token is valid
  47. except jwt.ExpiredSignatureError:
  48. logging.warning(f"Token expired: {token}")
  49. return False
  50. except jwt.InvalidTokenError:
  51. logging.warning(f"Invalid token: {token}")
  52. return False
  53. except Exception as e:
  54. logging.error(f"Error validating token: {e} in token: {token}")
  55. return False
  58. if __name__ == '__main__':
  59. # Example usage
  60. valid_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNjI3ODg2MDQ4fQ.EXAMPLE_SIGNATURE"
  61. expired_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNjI3ODg2MDQ4fQ.ANOTHER_SIGNATURE"
  62. invalid_issuer_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNjI3ODg2MDQ4fQ.A_DIFFERENT_SIGNATURE"
  65. print(f"Valid token: {validate_token(valid_token, 'my_iss', 'my_aud')}")
  66. print(f"Expired token: {validate_token(expired_token, 'my_iss', 'my_aud')}")
  67. print(f"Invalid issuer token: {validate_token(invalid_issuer_token, 'my_iss', 'my_aud')}")

Add your comment