pypomes-iam 0.8.6__tar.gz → 0.9.3__tar.gz

{pypomes_iam-0.8.6 → pypomes_iam-0.9.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.8.6
+Version: 0.9.3
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues
@@ -13,5 +13,5 @@ Requires-Python: >=3.12
 Requires-Dist: flask>=3.1.2
 Requires-Dist: pyjwt>=2.10.1
 Requires-Dist: pypomes-core>=2.8.6
-Requires-Dist: pypomes-crypto>=0.4.8
+Requires-Dist: pypomes-crypto>=0.5.0
 Requires-Dist: requests>=2.32.5

{pypomes_iam-0.8.6 → pypomes_iam-0.9.3}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "pypomes_iam"
-version = "0.8.6"
+version = "0.9.3"
 authors = [
   { name="GT Nunes", email="wisecoder01@gmail.com" }
 ]
@@ -22,7 +22,7 @@ dependencies = [
     "Flask>=3.1.2",
     "PyJWT>=2.10.1",
     "pypomes-core>=2.8.6",
-    "pypomes-crypto>=0.4.8",
+    "pypomes-crypto>=0.5.0",
     "requests>=2.32.5"
 ]
 

{pypomes_iam-0.8.6 → pypomes_iam-0.9.3}/src/pypomes_iam/__init__.py

@@ -19,9 +19,6 @@ from .provider_pomes import (
     service_get_token, provider_get_token,
     iam_setup_provider, provider_setup_endpoint, provider_setup_logger
 )
-from .token_pomes import (
-    token_get_claims, token_get_values, token_validate
-)
 
 __all__ = [
     # iam_actions
@@ -40,8 +37,6 @@ __all__ = [
     "IamProvider", "ProviderParam",
     "service_get_token", "provider_get_token",
     "iam_setup_provider", "provider_setup_endpoint", "provider_setup_logger",
-    # token_pomes
-    "token_get_claims", "token_get_values", "token_validate"
 ]
 
 from importlib.metadata import version

{pypomes_iam-0.8.6 → pypomes_iam-0.9.3}/src/pypomes_iam/iam_actions.py

@@ -6,6 +6,7 @@ import sys
 from datetime import datetime
 from logging import Logger
 from pypomes_core import TZ_LOCAL, exc_format
+from pypomes_crypto import jwt_get_values, jwt_validate
 from typing import Any
 
 from .iam_common import (
@@ -13,7 +14,6 @@ from .iam_common import (
     _get_iam_users, _get_iam_registry, _get_public_key,
     _get_login_timeout, _get_user_data, _iam_server_from_issuer
 )
-from .token_pomes import token_get_values, token_validate
 
 
 def iam_login(iam_server: IamServer,
@@ -56,7 +56,7 @@ def iam_login(iam_server: IamServer,
     # ('oauth_state' is a randomly-generated string, thus 'user_data' is always a new entry)
     oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
     if target_idp:
-        oauth_state += f"#idp={target_idp}"
+        oauth_state += f"_{target_idp}"
 
     with _iam_lock:
         # retrieve the user data from the IAM server's registry
@@ -322,8 +322,8 @@ def iam_callback(iam_server: IamServer,
             if int(datetime.now(tz=TZ_LOCAL).timestamp()) > expiration:
                 errors.append("Operation timeout")
             else:
-                pos: int = oauth_state.rfind("#idp=")
-                target_idp: str = oauth_state[pos+4:] if pos > 0 else None
+                pos: int = oauth_state.rfind("_")
+                target_idp: str = oauth_state[pos+1:] if pos > 0 else None
                 target_iam: IamServer = IamServer(target_idp) if target_idp in IamServer else None
                 target_data: dict[str, Any] = user_data.copy() if target_iam else None
                 users.pop(oauth_state)
@@ -421,10 +421,10 @@ def iam_exchange(iam_server: IamServer,
 
     # obtain the token to be exchanged
     token: str = args.get("access-token") if user_id else None
-    token_issuer: tuple[str] = token_get_values(token=token,
-                                                keys=("iss",),
-                                                errors=errors,
-                                                logger=logger)
+    token_issuer: tuple[str] = jwt_get_values(token=token,
+                                              keys=("iss",),
+                                              errors=errors,
+                                              logger=logger)
     if not errors:
         with _iam_lock:
             # retrieve the IAM server's registry
@@ -604,10 +604,10 @@ def __assert_link(iam_server: IamServer,
                         break
                 if no_link:
                     # link the identities
-                    token_sub: tuple[str] = token_get_values(token=token,
-                                                             keys=("sub",),
-                                                             errors=errors,
-                                                             logger=logger)
+                    token_sub: tuple[str] = jwt_get_values(token=token,
+                                                           keys=("sub",),
+                                                           errors=errors,
+                                                           logger=logger)
                     if token_sub:
                         if logger:
                             logger.debug(msg="Creating an association between identifications "
@@ -1023,13 +1023,13 @@ def __validate_and_store(iam_server: IamServer,
             recipient_attr = registry[ServerParam.RECIPIENT_ATTR]
             login_id = user_data.pop("login-id", None)
             base_url: str = f"{registry[ServerParam.URL_BASE]}/realms/{registry[ServerParam.CLIENT_REALM]}"
-            claims: dict[str, dict[str, Any]] = token_validate(token=token,
-                                                               issuer=base_url,
-                                                               recipient_id=login_id,
-                                                               recipient_attr=recipient_attr,
-                                                               public_key=public_key,
-                                                               errors=errors,
-                                                               logger=logger)
+            claims: dict[str, dict[str, Any]] = jwt_validate(token=token,
+                                                             issuer=base_url,
+                                                             recipient_id=login_id,
+                                                             recipient_attr=recipient_attr,
+                                                             public_key=public_key,
+                                                             errors=errors,
+                                                             logger=logger)
             if claims:
                 users: dict[str, dict[str, Any]] = _get_iam_users(iam_server=iam_server,
                                                                   errors=errors,

{pypomes_iam-0.8.6 → pypomes_iam-0.9.3}/src/pypomes_iam/iam_common.py

@@ -1,13 +1,12 @@
-import requests
 import sys
 from datetime import datetime
 from enum import StrEnum
 from logging import Logger
 from pypomes_core import (
-    APP_PREFIX, TZ_LOCAL, exc_format,
+    APP_PREFIX, TZ_LOCAL,
     env_get_int, env_get_str, env_get_strs
 )
-from pypomes_crypto import crypto_jwk_convert
+from pypomes_crypto import jwt_get_public_key
 from threading import RLock
 from typing import Any, Final
 
@@ -203,7 +202,7 @@ def _iam_server_from_issuer(issuer: str,
     for iam_server, registry in _IAM_SERVERS.items():
         base_url: str = f"{registry[ServerParam.URL_BASE]}/realms/{registry[ServerParam.CLIENT_REALM]}"
         if base_url == issuer:
-            result = type(IamServer)(iam_server)
+            result = IamServer(iam_server)
             break
 
     if not result:
@@ -222,34 +221,7 @@ def _get_public_key(iam_server: IamServer,
     """
     Obtain the public key used by *iam_server* to sign the authentication tokens.
 
-    This is accomplished by requesting the token issuer for its *JWKS* (JSON Web Key Set),
-    containing the public keys used for various purposes, as indicated in the attribute *use*:
-        - *enc*: the key is intended for encryption
-        - *sig*: the key is intended for digital signature
-        - *wrap*: the key is intended for key wrapping
-
-    A typical JWKS set has the following format (for simplicity, 'n' and 'x5c' are truncated):
-        {
-            "keys": [
-                {
-                    "kid": "X2QEcSQ4Tg2M2EK6s2nhRHZH_GwD_zxZtiWVwP4S0tg",
-                    "kty": "RSA",
-                    "alg": "RSA256",
-                    "use": "sig",
-                    "n": "tQmDmyM3tMFt5FMVMbqbQYpaDPf6A5l4e_kTVDBiHrK_bRlGfkk8hYm5SNzNzCZ...",
-                    "e": "AQAB",
-                    "x5c": [
-                        "MIIClzCCAX8CBgGZY0bqrTANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARpanVk..."
-                    ],
-                    "x5t": "MHfVp4kBjEZuYOtiaaGsfLCL15Q",
-                    "x5t#S256": "QADezSLgD8emuonBz8hn8ghTnxo7AHX4NVNkr4luEhk"
-                },
-                ...
-            ]
-        }
-
-    Once the signature key is obtained, it is converted from its original *JWK* (JSON Web Key) format
-    to *PEM* (Privacy-Enhanced Mail) format. The public key is saved in *iam_server*'s registry.
+    The signaature is obtained and stored in *PEM* (Privacy-Enhanced Mail) format.
 
     :param iam_server: the reference registered *IAM* server
     :param errors: incidental error messages
@@ -265,57 +237,17 @@ def _get_public_key(iam_server: IamServer,
     if registry:
         now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
         if now > registry[ServerParam.PK_EXPIRATION]:
-            # obtain the JWKS (JSON Web Key Set) from the token issuer
-            base_url: str = f"{registry[ServerParam.URL_BASE]}/realms/{registry[ServerParam.CLIENT_REALM]}"
-            url: str = f"{base_url}/protocol/openid-connect/certs"
-            if logger:
-                logger.debug(msg=f"Obtaining signature public key used by IAM server '{iam_server}'")
-                logger.debug(msg=f"GET {url}")
-            try:
-                response: requests.Response = requests.get(url=url)
-                if response.status_code == 200:
-                    # request succeeded
-                    if logger:
-                        logger.debug(msg=f"GET success, status {response.status_code}")
-                    # select the appropriate JWK
-                    reply: dict[str, list[dict[str, str]]] = response.json()
-                    jwk: dict[str, str] | None = None
-                    for key in reply["keys"]:
-                        if key.get("use") == "sig":
-                            jwk = key
-                            break
-                    if jwk:
-                        # convert from 'JWK' to 'PEM' and save it for further use
-                        result = crypto_jwk_convert(jwk=jwk,
-                                                    fmt="PEM")
-                        registry[ServerParam.PUBLIC_KEY] = result
-                        lifetime: int = registry[ServerParam.PK_LIFETIME] or 0
-                        registry[ServerParam.PK_EXPIRATION] = now + lifetime if lifetime else sys.maxsize
-                        if logger:
-                            logger.debug("Public key obtained and saved")
-                    else:
-                        msg = "Signature public key missing from the token issuer's JWKS"
-                        if logger:
-                            logger.error(msg=msg)
-                        if isinstance(errors, list):
-                            errors.append(msg)
-                elif logger:
-                    msg: str = f"GET failure, status {response.status_code}, reason {response.reason}"
-                    if hasattr(response, "content") and response.content:
-                        msg += f", content {response.content}"
-                    logger.error(msg=msg)
-                    if isinstance(errors, list):
-                        errors.append(msg)
-            except Exception as e:
-                # the operation raised an exception
-                msg = exc_format(exc=e,
-                                 exc_info=sys.exc_info())
-                if logger:
-                    logger.error(msg=msg)
-                if isinstance(errors, list):
-                    errors.append(msg)
-        else:
-            result = registry[ServerParam.PUBLIC_KEY]
+            # obtain the public key from the token issuer
+            issuer: str = f"{registry[ServerParam.URL_BASE]}/realms/{registry[ServerParam.CLIENT_REALM]}"
+            registry[ServerParam.PUBLIC_KEY] = jwt_get_public_key(issuer=issuer,
+                                                                  fmt="PEM",
+                                                                  errors=errors,
+                                                                  logger=logger)
+            lifetime: int = registry[ServerParam.PK_LIFETIME] or 0
+            registry[ServerParam.PK_EXPIRATION] = now + lifetime if lifetime else sys.maxsize
+
+    if not errors:
+        result = registry[ServerParam.PUBLIC_KEY]
 
     return result
 

{pypomes_iam-0.8.6 → pypomes_iam-0.9.3}/src/pypomes_iam/iam_pomes.py

@@ -131,7 +131,7 @@ def iam_setup_endpoints(flask_app: Flask,
     if "callback_exchange_endpoint" in defaulted_params:
         callback_exchange_endpoint = env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_CALLBACK_EXCHANGE")
     if "exchange_endpoint" in defaulted_params:
-        callback_endpoint = env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_EXCHANGE")
+        exchange_endpoint = env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_EXCHANGE")
     if "login_endpoint" in defaulted_params:
         login_endpoint = env_get_str(key=f"{APP_PREFIX}_{prefix}_ENDPOINT_LOGIN")
     if "logout_endpoint" in defaulted_params:

{pypomes_iam-0.8.6 → pypomes_iam-0.9.3}/src/pypomes_iam/iam_services.py

@@ -1,5 +1,6 @@
 import json
 from flask import Request, Response, request, jsonify
+from pypomes_crypto import jwt_get_values, jwt_validate
 from logging import Logger
 from typing import Any
 
@@ -12,7 +13,6 @@ from .iam_actions import (
     iam_login, iam_logout, iam_callback,
     iam_exchange, iam_get_token, iam_userinfo
 )
-from .token_pomes import token_get_claims, token_validate
 
 # the logger for IAM service operations
 # (used exclusively at the HTTP endpoints - all other functions receive the logger as parameter)
@@ -56,36 +56,38 @@ def __request_validate(request: Request) -> Response:
     bad_token: bool = True
     token: str = __get_bearer_token(request=request)
     if token:
+        # errors list for error loging, only
+        errors: list[str] = []
         # extract token claims
-        claims: dict[str, Any] = token_get_claims(token=token)
-        if claims:
-            issuer: str = claims["payload"].get("iss")
-            public_key: str | None = None
-            recipient_attr: str | None = None
-            recipient_id: str = request.values.get("user-id") or request.values.get("login")
-            with _iam_lock:
-                iam_server: IamServer = _iam_server_from_issuer(issuer=issuer,
-                                                                errors=None,
-                                                                logger=__IAM_LOGGER)
-                if iam_server:
-                    # validate the token's recipient only if a user identification is provided
-                    if recipient_id:
-                        registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
-                                                                     errors=None,
-                                                                     logger=__IAM_LOGGER)
-                        if registry:
-                            recipient_attr = registry[ServerParam.RECIPIENT_ATTR]
-                    public_key = _get_public_key(iam_server=iam_server,
-                                                 errors=None,
-                                                 logger=__IAM_LOGGER)
-            # validate the token (log errors, only)
-            errors: list[str] = []
-            if token_validate(token=token,
-                              issuer=issuer,
-                              recipient_id=recipient_id,
-                              recipient_attr=recipient_attr,
-                              public_key=public_key,
-                              errors=errors):
+        (issuer,) = jwt_get_values(token=token,
+                                   keys=("iss",))
+        public_key: str | None = None
+        recipient_attr: str | None = None
+        recipient_id: str = (request.values.get("user-id") or request.values.get("login") or
+                             (request.get_json(silent=True) or {}).get("user-id") or
+                             (request.get_json(silent=True) or {}).get("login"))
+        with _iam_lock:
+            iam_server: IamServer = _iam_server_from_issuer(issuer=issuer,
+                                                            errors=None,
+                                                            logger=__IAM_LOGGER)
+            if iam_server:
+                # validate the token's recipient only if a user identification is provided
+                if recipient_id:
+                    registry: dict[str, Any] = _get_iam_registry(iam_server=iam_server,
+                                                                 errors=None,
+                                                                 logger=__IAM_LOGGER)
+                    if registry:
+                        recipient_attr = registry[ServerParam.RECIPIENT_ATTR]
+                public_key = _get_public_key(iam_server=iam_server,
+                                             errors=None,
+                                             logger=__IAM_LOGGER)
+            # validate the token
+            if jwt_validate(token=token,
+                            issuer=issuer,
+                            recipient_id=recipient_id,
+                            recipient_attr=recipient_attr,
+                            public_key=public_key,
+                            errors=errors):
                 # token is valid
                 bad_token = False
             elif __IAM_LOGGER:
@@ -163,7 +165,7 @@ def service_setup_server() -> Response:
     :return: *Response OK*
     """
     # retrieve the request arguments
-    args: dict[str, Any] = (dict(request.json) if request.is_json else dict(request.form)) or {}
+    args: dict[str, Any] = dict(request.get_json(silent=True) or request.form or {})
 
     # log the request
     if __IAM_LOGGER:
@@ -209,7 +211,7 @@ def service_login() -> Response:
     result: Response | None = None
 
     # retrieve the request arguments
-    args: dict[str, Any] = dict(request.args) or {}
+    args: dict[str, Any] = dict(request.args or {})
 
     # log the request
     if __IAM_LOGGER:
@@ -251,7 +253,7 @@ def service_logout() -> Response:
     the name of the *IAM* server in charge of handling this service. This prefixing is done automatically
     if the endpoint is established with a call to *iam_setup_endpoints()*.
 
-    The user is identified by the attribute *user-id* or "login", provided as a request parameter.
+    The user is identified by the attribute *user-id* or "login", provided in the body's *JSON*.
     If successful, remove all data relating to the user from the *IAM* server's registry.
     Otherwise, this operation fails silently, unless an error has ocurred.
 
@@ -261,7 +263,7 @@ def service_logout() -> Response:
     result: Response | None
 
     # retrieve the request arguments
-    args: dict[str, Any] = dict(request.args) or {}
+    args: dict[str, Any] = dict(request.get_json(silent=True) or request.form or {})
 
     # log the request
     if __IAM_LOGGER:
@@ -293,7 +295,7 @@ def service_logout() -> Response:
 
 
 # @flask_app.route(rule=<callback_endpoint>,
-#                  methods=["GET", "POST"])
+#                  methods=["GET"])
 def service_callback() -> Response:
     """
     Entry point for the callback from the *IAM* server on authentication operation.
@@ -319,7 +321,7 @@ def service_callback() -> Response:
     :return: *Response* containing the reference user identification and the token, or *BAD REQUEST*
     """
     # retrieve the request arguments
-    args: dict[str, Any] = dict(request.args) or {}
+    args: dict[str, Any] = dict(request.args or {})
 
     # log the request
     if __IAM_LOGGER:
@@ -365,7 +367,7 @@ def service_exchange() -> Response:
     If the exchange is successful, the token data is stored in the *IAM* server's registry, and returned.
     Otherwise, *errors* will contain the appropriate error message.
 
-    The expected request parameters are:
+    The expected request parameters, to be found in the body *JSON*, are:
         - user-id: identification for the reference user (alias: 'login')
         - access-token: the token to be exchanged
 
@@ -378,7 +380,7 @@ def service_exchange() -> Response:
     :return: *Response* containing the reference user identification and the token, or *BAD REQUEST*
     """
     # retrieve the request arguments
-    args: dict[str, Any] = dict(request.args) or {}
+    args: dict[str, Any] = dict(request.get_json(silent=True) or request.form or {})
 
     # log the request
     if __IAM_LOGGER:
@@ -446,7 +448,7 @@ def service_callback_exchange() -> Response:
     result: Response | None = None
 
     # retrieve the request arguments
-    args: dict[str, Any] = dict(request.args) or {}
+    args: dict[str, Any] = dict(request.args or {})
 
     # log the request
     if __IAM_LOGGER:

pypomes_iam-0.8.6/src/pypomes_iam/token_pomes.py

@@ -1,183 +0,0 @@
-import jwt
-import sys
-from jwt import PyJWK
-from jwt.algorithms import RSAPublicKey
-from logging import Logger
-from pypomes_core import exc_format
-from typing import Any
-
-
-def token_get_claims(token: str,
-                     errors: list[str] = None,
-                     logger: Logger = None) -> dict[str, dict[str, Any]] | None:
-    """
-    Retrieve the claims set of a JWT *token*.
-
-    Any well-constructed JWT token may be provided in *token*.
-    Note that neither the token's signature nor its expiration is verified.
-
-    :param token: the refrence token
-    :param errors: incidental error messages
-    :param logger: optional logger
-    :return: the token's claimset, or *None* if error
-    """
-    # initialize the return variable
-    result: dict[str, dict[str, Any]] | None = None
-
-    if logger:
-        logger.debug(msg="Retrieve claims for token")
-
-    try:
-        header: dict[str, Any] = jwt.get_unverified_header(jwt=token)
-        payload: dict[str, Any] = jwt.decode(jwt=token,
-                                             options={"verify_signature": False})
-        result = {
-            "header": header,
-            "payload": payload
-        }
-    except Exception as e:
-        exc_err: str = exc_format(exc=e,
-                                  exc_info=sys.exc_info())
-        if logger:
-            logger.error(msg=f"Error retrieving the token's claims: {exc_err}")
-        if isinstance(errors, list):
-            errors.append(exc_err)
-
-    return result
-
-
-def token_get_values(token: str,
-                     keys: tuple[str, ...],
-                     errors: list[str] = None,
-                     logger: Logger = None) -> tuple:
-    """
-    Retrieve the values of *keys* in the token's payload.
-
-    Ther values are returned in the same order as requested in *keys*.
-    For a claim not found, *None* is returned in its position.
-
-    :param token: the reference token
-    :param keys: the names of the claims whose values are to be returned
-    :param errors: incidental errors
-    :param logger: optiona logger
-    :return: a tuple containing the respective values of *claims* in *token*.
-    """
-    token_claims: dict[str, dict[str, Any]] = token_get_claims(token=token,
-                                                               errors=errors,
-                                                               logger=logger)
-    payload: dict[str, Any] = token_claims["payload"]
-    values: list[Any] = []
-    for key in keys:
-        values.append(payload.get(key))
-
-    return tuple(values)
-
-
-def token_validate(token: str,
-                   issuer: str = None,
-                   recipient_id: str = None,
-                   recipient_attr: str = None,
-                   public_key: str | bytes | PyJWK | RSAPublicKey = None,
-                   errors: list[str] = None,
-                   logger: Logger = None) -> dict[str, dict[str, Any]] | None:
-    """
-    Verify whether *token* is a valid JWT token, and return its claims (sections *header* and *payload*).
-
-    The supported public key types are:
-        - *DER*: Distinguished Encoding Rules (bytes)
-        - *PEM*: Privacy-Enhanced Mail (str)
-        - *PyJWK*: a formar from the *PyJWT* package
-        - *RSAPublicKey*: a format from the *PyJWT* package
-
-    If an asymmetric algorithm was used to sign the token and *public_key* is provided, then
-    the token is validated, by using the data in its *signature* section.
-
-    The parameters *recipient_id* and *recipient_attr* refer the token's expected subject, respectively,
-    the subject's identification and the attribute in the token's payload data identifying its subject.
-    If both are provided, *recipient_id* is validated.
-
-    On failure, *errors* will contain the reason(s) for rejecting *token*.
-    On success, return the token's claims (*header* and *payload*).
-
-    :param token: the token to be validated
-    :param public_key: optional public key used to sign the token, in *PEM* format
-    :param issuer: optional value to compare with the token's *iss* (issuer) attribute in its *payload*
-    :param recipient_id: identification of the expected token subject
-    :param recipient_attr: attribute in the token's payload holding the expected subject's identification
-    :param errors: incidental error messages
-    :param logger: optional logger
-    :return: The token's claims (*header* and *payload*), or *None* if error
-    """
-    # initialize the return variable
-    result: dict[str, dict[str, Any]] | None = None
-
-    if logger:
-        logger.debug(msg="Validate JWT token")
-
-    # make sure to have an errors list
-    if not isinstance(errors, list):
-        errors = []
-
-    # extract needed data from token header
-    token_header: dict[str, Any] | None = None
-    try:
-        token_header: dict[str, Any] = jwt.get_unverified_header(jwt=token)
-    except Exception as e:
-        exc_err: str = exc_format(exc=e,
-                                  exc_info=sys.exc_info())
-        if logger:
-            logger.error(msg=f"Error retrieving the token's header: {exc_err}")
-        errors.append(exc_err)
-
-    # validate the token
-    if not errors:
-        token_alg: str = token_header.get("alg")
-        require: list[str] = ["exp", "iat"]
-        if issuer:
-            require.append("iss")
-        options: dict[str, Any] = {
-            "require": require,
-            "verify_aud": False,
-            "verify_exp": True,
-            "verify_iat": True,
-            "verify_iss": issuer is not None,
-            "verify_nbf": False,
-            "verify_signature": token_alg in ["RS256", "RS512"] and public_key is not None
-        }
-        try:
-            # raises:
-            #   InvalidTokenError: token is invalid
-            #   InvalidKeyError: authentication key is not in the proper format
-            #   ExpiredSignatureError: token and refresh period have expired
-            #   InvalidSignatureError: signature does not match the one provided as part of the token
-            #   ImmatureSignatureError: 'nbf' or 'iat' claim represents a timestamp in the future
-            #   InvalidAlgorithmError: the specified algorithm is not recognized
-            #   InvalidIssuedAtError: 'iat' claim is non-numeric
-            #   MissingRequiredClaimError: a required claim is not contained in the claimset
-            payload: dict[str, Any] = jwt.decode(jwt=token,
-                                                 key=public_key,
-                                                 algorithms=[token_alg],
-                                                 options=options,
-                                                 issuer=issuer)
-            if recipient_id and recipient_attr and \
-                    payload.get(recipient_attr) and recipient_id != payload.get(recipient_attr):
-                msg: str = f"Token was issued to '{payload.get(recipient_attr)}', not to '{recipient_id}'"
-                if logger:
-                    logger.error(msg=msg)
-                errors.append(msg)
-            else:
-                result = {
-                    "header": token_header,
-                    "payload": payload
-                }
-        except Exception as e:
-            exc_err: str = exc_format(exc=e,
-                                      exc_info=sys.exc_info())
-            if logger:
-                logger.error(msg=f"Error decoding the token: {exc_err}")
-            errors.append(exc_err)
-
-    if not errors and logger:
-        logger.debug(msg="Token is valid")
-
-    return result