pypomes-jwt 0.9.6__tar.gz → 0.9.8__tar.gz

{pypomes_jwt-0.9.6 → pypomes_jwt-0.9.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_jwt
-Version: 0.9.6
+Version: 0.9.8
 Summary: A collection of Python pomes, penyeach (JWT module)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-JWT
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-JWT/issues

{pypomes_jwt-0.9.6 → pypomes_jwt-0.9.8}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "pypomes_jwt"
-version = "0.9.6"
+version = "0.9.8"
 authors = [
   { name="GT Nunes", email="wisecoder01@gmail.com" }
 ]

{pypomes_jwt-0.9.6 → pypomes_jwt-0.9.8}/src/pypomes_jwt/__init__.py

@@ -4,7 +4,7 @@ from .jwt_constants import (
     JWT_DB_TABLE, JWT_DB_COL_KID, JWT_DB_COL_ACCOUNT,
     JWT_DB_COL_ALGORITHM, JWT_DB_COL_DECODER, JWT_DB_COL_TOKEN,
     JWT_ACCOUNT_LIMIT, JWT_ENCODING_KEY, JWT_DECODING_KEY,
-    JWT_ACCESS_MAX_AGE, JWT_REFRESH_MAX_AGE
+    JWT_DEFAULT_ALGORITHM, JWT_ACCESS_MAX_AGE, JWT_REFRESH_MAX_AGE
 )
 from .jwt_pomes import (
     jwt_needed, jwt_verify_request,
@@ -20,7 +20,7 @@ __all__ = [
     "JWT_DB_TABLE", "JWT_DB_COL_KID", "JWT_DB_COL_ACCOUNT",
     "JWT_DB_COL_ALGORITHM", "JWT_DB_COL_DECODER", "JWT_DB_COL_TOKEN",
     "JWT_ACCOUNT_LIMIT", "JWT_ENCODING_KEY", "JWT_DECODING_KEY",
-    "JWT_ACCESS_MAX_AGE", "JWT_REFRESH_MAX_AGE",
+    "JWT_DEFAULT_ALGORITHM", "JWT_ACCESS_MAX_AGE", "JWT_REFRESH_MAX_AGE",
     # jwt_pomes
     "jwt_needed", "jwt_verify_request",
     "jwt_assert_account", "jwt_set_account", "jwt_remove_account",

{pypomes_jwt-0.9.6 → pypomes_jwt-0.9.8}/src/pypomes_jwt/jwt_pomes.py

@@ -5,11 +5,11 @@ from logging import Logger
 from pypomes_db import db_select, db_delete
 from typing import Any
 
-from . import JWT_DB_COL_ACCOUNT
-from .jwt_constants import (
+from . import (
     JWT_ACCESS_MAX_AGE, JWT_REFRESH_MAX_AGE,
     JWT_DEFAULT_ALGORITHM, JWT_DECODING_KEY,
-    JWT_DB_TABLE, JWT_DB_COL_KID, JWT_DB_COL_ALGORITHM, JWT_DB_COL_DECODER
+    JWT_DB_TABLE, JWT_DB_COL_KID,
+    JWT_DB_COL_ACCOUNT, JWT_DB_COL_ALGORITHM, JWT_DB_COL_DECODER
 )
 from .jwt_registry import JwtRegistry
 
@@ -85,7 +85,7 @@ def jwt_assert_account(account_id: str) -> bool:
     :param account_id: the account identification
     :return: *True* if access data exists for *account_id*, *False* otherwise
     """
-    return __jwt_registry.access_data.get(account_id) is not None
+    return __jwt_registry.access_registry.get(account_id) is not None
 
 
 def jwt_set_account(account_id: str,
@@ -93,44 +93,31 @@ def jwt_set_account(account_id: str,
                     access_max_age: int = JWT_ACCESS_MAX_AGE,
                     refresh_max_age: int = JWT_REFRESH_MAX_AGE,
                     grace_interval: int = None,
-                    request_timeout: int = None,
-                    remote_url: str = None,
                     logger: Logger = None) -> None:
     """
     Establish the data needed to obtain JWT tokens for *account_id*.
 
+    The parameter *claims* may contain account-related claims, only. Ideally, it should contain,
+    at a minimum, *iss*, *birthdate*, *email*, *gender*, *name*, and *roles*.
+    It is enforced that the parameter *refresh_max_age* should be at least 300 seconds greater
+    than *access-max-age*.
+
     :param account_id: the account identification
     :param claims: the JWT claimset, as key-value pairs
     :param access_max_age: access token duration, in seconds
     :param refresh_max_age: refresh token duration, in seconds
     :param grace_interval: optional time to wait for token to be valid, in seconds
-    :param request_timeout: timeout for the requests to the reference URL
-    :param remote_url: remote server's URL to obtain the JWT tokens from
     :param logger: optional logger
     """
     if logger:
-        logger.debug(msg=f"Register account data for '{account_id}'")
-
-    # extract the claims provided in the remote_url URL's query string
-    if remote_url:
-        pos: int = remote_url.find("?")
-        if pos > 0:
-            claims = claims or {}
-            params: list[str] = remote_url[pos+1:].split(sep="&")
-            for param in params:
-                key: str = param.split("=")[0]
-                value: str = param.split("=")[1]
-                claims[key] = value
-            remote_url = remote_url[:pos]
+        logger.debug(msg=f"Registering account data for '{account_id}'")
 
     # register the JWT service
     __jwt_registry.add_account(account_id=account_id,
                                claims=claims,
                                access_max_age=access_max_age,
-                               refresh_max_age=refresh_max_age,
+                               refresh_max_age=max(refresh_max_age, access_max_age + 300),
                                grace_interval=grace_interval,
-                               request_timeout=request_timeout,
-                               remote_url=remote_url,
                                logger=logger)
 
 
@@ -158,10 +145,12 @@ def jwt_validate_token(errors: list[str] | None,
     """
     Verify if *token* ia a valid JWT token.
 
-    Raise an appropriate exception if validation failed.
-    if *nature* is provided, verify whether *token* has been locally issued and is of a appropriate nature.
+    Raise an appropriate exception if validation failed. Attempt to validate non locally issued tokens
+    will not succeed. if *nature* is provided, validate whether *token* is of that nature.
     A token issued locally has the header claim *kid* starting with *A* (for *Access*) or *R* (for *Refresh*),
     followed by its id in the token database, or as a single letter in the range *[B-Z]*, less *R*.
+    If the *kid* claim contains such an id, then the cryptographic key needed for validation
+    will be obtained from the token database. Otherwise, the current decoding key is used.
 
     :param errors: incidental error messages
     :param token: the token to be validated
@@ -250,7 +239,7 @@ def jwt_validate_token(errors: list[str] | None,
 
 def jwt_revoke_token(errors: list[str] | None,
                      account_id: str,
-                     refresh_token: str,
+                     token: str,
                      logger: Logger = None) -> bool:
     """
     Revoke the *refresh_token* associated with *account_id*.
@@ -259,7 +248,7 @@ def jwt_revoke_token(errors: list[str] | None,
 
     :param errors: incidental error messages
     :param account_id: the account identification
-    :param refresh_token: the token to be revoked
+    :param token: the token to be revoked
     :param logger: optional logger
     :return: *True* if operation could be performed, *False* otherwise
     """
@@ -271,7 +260,7 @@ def jwt_revoke_token(errors: list[str] | None,
 
     op_errors: list[str] = []
     token_claims: dict[str, Any] = jwt_validate_token(errors=op_errors,
-                                                      token=refresh_token,
+                                                      token=token,
                                                       account_id=account_id,
                                                       logger=logger)
     if not op_errors:
@@ -362,10 +351,10 @@ def jwt_issue_tokens(errors: list[str] | None,
 
     Structure of the return data:
     {
-      "access_token": <jwt-token>,
-      "created_in": <timestamp>,
-      "expires_in": <seconds-to-expiration>,
-      "refresh_token": <jwt-token>
+      "access-token": <jwt-token>,
+      "created-in": <timestamp>,
+      "expires-in": <seconds-to-expiration>,
+      "refresh-token": <jwt-token>
     }
 
     :param errors: incidental error messages
@@ -411,10 +400,10 @@ def jwt_refresh_tokens(errors: list[str] | None,
 
     Structure of the return data:
     {
-      "access_token": <jwt-token>,
-      "created_in": <timestamp>,
-      "expires_in": <seconds-to-expiration>,
-      "refresh_token": <jwt-token>
+      "access-token": <jwt-token>,
+      "created-in": <timestamp>,
+      "expires-in": <seconds-to-expiration>,
+      "refresh-token": <jwt-token>
     }
 
     :param errors: incidental error messages
@@ -430,24 +419,26 @@ def jwt_refresh_tokens(errors: list[str] | None,
         logger.debug(msg=f"Refreshing a JWT token pair for '{account_id}'")
     op_errors: list[str] = []
 
-    # verify whether this refresh token is legitimate
+    # assert the refresh token
     if refresh_token:
-        account_claims: dict[str, Any] = (jwt_validate_token(errors=op_errors,
-                                                             token=refresh_token,
-                                                             nature="R",
-                                                             account_id=account_id,
-                                                             logger=logger) or {}).get("payload")
-        # revoke current refresh token
-        if account_claims and jwt_revoke_token(errors=errors,
+        # is the refresh token valid ?
+        account_claims = jwt_validate_token(errors=op_errors,
+                                            token=refresh_token,
+                                            nature="R",
+                                            account_id=account_id,
+                                            logger=logger)
+        # if it is, revoke current refresh token
+        if account_claims and jwt_revoke_token(errors=op_errors,
                                                account_id=account_id,
-                                               refresh_token=refresh_token,
+                                               token=refresh_token,
                                                logger=logger):
             # issue tokens
-            result = jwt_issue_tokens(errors=errors,
+            result = jwt_issue_tokens(errors=op_errors,
                                       account_id=account_id,
                                       account_claims=account_claims,
                                       logger=logger)
     else:
+        # refresh token not found
         op_errors.append("Refresh token was not provided")
 
     if op_errors:
@@ -461,17 +452,13 @@ def jwt_refresh_tokens(errors: list[str] | None,
 
 def jwt_get_claims(errors: list[str] | None,
                    token: str,
-                   validate: bool = False,
                    logger: Logger = None) -> dict[str, Any] | None:
     """
-    Obtain and return the claims set of a JWT *token*.
+    Retrieve and return the claims set of a JWT *token*.
 
-    If *validate* is set to *True*, tha following pieces of information are verified:
-      - the token was issued and signed by the local provider, and is not corrupted
-      - the claim 'exp' is present and is in the future
-      - the claim 'nbf' is present and is in the past
+    Any valid JWT token may be provided in *token*, as this operation is not restricted to locally issued tokens.
 
-    Structure of the returned data:
+    Structure of the returned data, for locally issued tokens:
       {
         "header": {
           "alg": "RS256",
@@ -485,7 +472,7 @@ def jwt_get_claims(errors: list[str] | None,
           "email": "jdoe@mail.com",
           "exp": 1516640454,
           "iat": 1516239022,
-          "iss": "https://my_id_provider/issue",
+          "iss": "my_jwt_provider.com",
           "jti": "Uhsdfgr67FGH567qwSDF33er89retert",
           "gender": "M",
           "name": "John Doe",
@@ -500,7 +487,6 @@ def jwt_get_claims(errors: list[str] | None,
 
     :param errors: incidental error messages
     :param token: the token to be inspected for claims
-    :param validate: If *True*, verifies the token's data (defaults to *False*)
     :param logger: optional logger
     :return: the token's claimset, or *None* if error
     """
@@ -511,19 +497,13 @@ def jwt_get_claims(errors: list[str] | None,
         logger.debug(msg="Retrieve claims for token")
 
     try:
-        # retrieve the token's claims
-        if validate:
-            result = jwt_validate_token(errors=errors,
-                                        token=token,
-                                        logger=logger)
-        else:
-            header: dict[str, Any] = jwt.get_unverified_header(jwt=token)
-            payload: dict[str, Any] = jwt.decode(jwt=token,
-                                                 options={"verify_signature": False})
-            result = {
-                "header": header,
-                "payload": payload
-            }
+        header: dict[str, Any] = jwt.get_unverified_header(jwt=token)
+        payload: dict[str, Any] = jwt.decode(jwt=token,
+                                             options={"verify_signature": False})
+        result = {
+            "header": header,
+            "payload": payload
+        }
     except Exception as e:
         if logger:
             logger.error(msg=str(e))

{pypomes_jwt-0.9.6 → pypomes_jwt-0.9.8}/src/pypomes_jwt/jwt_registry.py

@@ -1,5 +1,4 @@
 import jwt
-import requests
 import string
 import sys
 from base64 import urlsafe_b64encode
@@ -7,12 +6,12 @@ from datetime import datetime, timezone
 from logging import Logger
 from pypomes_core import str_random
 from pypomes_db import db_connect, db_commit, db_update, db_delete
-from requests import Response
 from threading import Lock
 from typing import Any
 
-from .jwt_constants import (
-    JWT_DEFAULT_ALGORITHM, JWT_ACCOUNT_LIMIT, JWT_ENCODING_KEY, JWT_DECODING_KEY,
+from . import (
+    JWT_DEFAULT_ALGORITHM, JWT_ACCOUNT_LIMIT,
+    JWT_ENCODING_KEY, JWT_DECODING_KEY,
     JWT_DB_TABLE, JWT_DB_COL_KID, JWT_DB_COL_ACCOUNT,
     JWT_DB_COL_ALGORITHM, JWT_DB_COL_DECODER, JWT_DB_COL_TOKEN
 )
@@ -27,22 +26,20 @@ class JwtRegistry:
       - access_data: dictionary holding the JWT token data, organized by account id:
        {
          <account-id>: {
-           "access-max-age": <int>,      # defaults to JWT_ACCESS_MAX_AGE (in seconds)
-           "refresh-max-age": <int>,     # defaults to JWT_REFRESH_MAX_AGE (in seconds)
-           "grace-interval": <int>,      # time to wait for token to be valid, in seconds
-           "request-timeout": <int>,     # timeout for the requests to the reference URL (in seconds)
-           "remote_url": <string>,       # remote server's URL to obtain the JWT tokens from
+           "access-max-age": <int>,         # defaults to JWT_ACCESS_MAX_AGE (in seconds)
+           "refresh-max-age": <int>,        # defaults to JWT_REFRESH_MAX_AGE (in seconds)
+           "grace-interval": <int>,         # time to wait for token to be valid, in seconds
            "claims": {
-             "iss": <string>,            # token'ss issuer
-             "birthdate": <string>,      # subject's birth date
-             "email": <string>,          # subject's email
-             "gender": <string>,         # subject's gender
-             "name": <string>,           # subject's name
-             "roles": <List[str]>,       # subject roles
-             "nonce": <string>,          # used to associate a Client session with a token
+             "iss": <string>,               # token'ss issuer
+             "birthdate": <string>,         # subject's birth date
+             "email": <string>,             # subject's email
+             "gender": <string>,            # subject's gender
+             "name": <string>,              # subject's name
+             "roles": <List[str]>,          # subject roles
+             "nonce": <string>,             # used to associate a Client session with a token
              # output, only
-             "valid-from": <string>,     # token's start (<YYYY-MM-DDThh:mm:ss+00:00>)
-             "valid-until": <string>,    # token's finish (<YYYY-MM-DDThh:mm:ss+00:00>)
+             "valid-from": <string>,        # token's start (<YYYY-MM-DDThh:mm:ss+00:00>)
+             "valid-until": <string>,       # token's finish (<YYYY-MM-DDThh:mm:ss+00:00>)
              ...
            }
          },
@@ -79,8 +76,8 @@ class JwtRegistry:
 
     The token header has these items:
       "alg": <string>           the algorithm used to sign the token (one of *HS256*, *HS51*', *RSA256*, *RSA512*)
-      "typ": <string>           the token type (fixed to *JWT*
-      "kid": <string>           a reference to the token type and the key to its location in the token database
+      "typ": <string>           the token type (fixed to *JWT*)
+      "kid": <string>           a token type and key to its location in the token database
 
     If issued by the local server, "kid" holds the key to the corresponding record in the token database,
     if starting with *A* for (*Access*) or *R* (for *Refresh*), followed an integer.
@@ -90,7 +87,7 @@ class JwtRegistry:
         Initizalize the token access data.
         """
         self.access_lock: Lock = Lock()
-        self.access_data: dict[str, Any] = {}
+        self.access_registry: dict[str, Any] = {}
 
     def add_account(self,
                     account_id: str,
@@ -98,35 +95,28 @@ class JwtRegistry:
                     access_max_age: int,
                     refresh_max_age: int,
                     grace_interval: int | None,
-                    request_timeout: int | None,
-                    remote_url: str | None,
                     logger: Logger = None) -> None:
         """
         Add to storage the parameters needed to produce and validate JWT tokens for *account_id*.
 
         The parameter *claims* may contain account-related claims, only. Ideally, it should contain,
-        at a minimum, *birthdate*, *email*, *gender*, *name*, and *roles*.
-        If the token provider is local, then the token-related claims are created at token issuing time.
-        If the token provider is remote, all claims are sent to it at token request time.
+        at a minimum, *iss*, *birthdate*, *email*, *gender*, *name*, and *roles*.
+        The parameter *refresh_max_age* should be at least 300 seconds greater than *access-max-age*.
 
         :param account_id: the account identification
         :param claims: the JWT claimset, as key-value pairs
-        :param access_max_age: access token duration, in seconds
-        :param refresh_max_age: refresh token duration, in seconds
+        :param access_max_age: access token duration, in seconds (at least 60 seconds)
+        :param refresh_max_age: refresh token duration, in seconds (greater than *access_max_age*)
         :param grace_interval: time to wait for token to be valid, in seconds
-        :param request_timeout: timeout for the requests to the reference URL (in seconds)
-        :param remote_url: remote server's URL to obtain the JWT tokens from
         :param logger: optional logger
         """
         # build and store the access data for the account
         with self.access_lock:
-            if account_id not in self.access_data:
-                self.access_data[account_id] = {
+            if account_id not in self.access_registry:
+                self.access_registry[account_id] = {
                     "access-max-age": access_max_age,
                     "refresh-max-age": refresh_max_age,
                     "grace-interval": grace_interval,
-                    "request-timeout": request_timeout,
-                    "remote-url": remote_url,
                     "claims": claims or {}
                 }
                 if logger:
@@ -147,7 +137,7 @@ class JwtRegistry:
         # remove from internal storage
         account_data: dict[str, Any] | None
         with self.access_lock:
-            account_data = self.access_data.pop(account_id, None)
+            account_data = self.access_registry.pop(account_id, None)
 
         # remove from database
         db_delete(errors=None,
@@ -242,10 +232,10 @@ class JwtRegistry:
 
         Structure of the return data:
         {
-          "access_token": <jwt-token>,
-          "created_in": <timestamp>,
-          "expires_in": <seconds-to-expiration>,
-          "refresh_token": <jwt-token>
+          "access-token": <jwt-token>,
+          "created-in": <timestamp>,
+          "expires-in": <seconds-to-expiration>,
+          "refresh-token": <jwt-token>
         }
 
         :param account_id: the account identification
@@ -254,9 +244,6 @@ class JwtRegistry:
         :return: the JWT token data
         :raises RuntimeError: invalid account id, or error accessing the token database
         """
-        # initialize the return variable
-        result: dict[str, Any] | None = None
-
         # process the account data in storage
         with (self.access_lock):
             account_data: dict[str, Any] = self.__get_account_data(account_id=account_id,
@@ -269,81 +256,67 @@ class JwtRegistry:
             current_claims["sub"] = account_id
             errors: list[str] = []
 
-            # where is the JWT service provider ?
-            if account_data.get("remote-url"):
-                # JWT service is being provided by a remote server
-                result = _jwt_request_token(errors=errors,
-                                            remote_url=account_data.get("remote-url"),
-                                            claims=current_claims,
-                                            timeout=account_data.get("request-timeout"),
-                                            logger=logger)
-                if errors:
-                    raise RuntimeError("; ".join(errors))
+            just_now: int = int(datetime.now(tz=timezone.utc).timestamp())
+            current_claims["iat"] = just_now
+            grace_interval = account_data.get("grace-interval")
+            if grace_interval:
+                current_claims["nbf"] = just_now + grace_interval
+                current_claims["valid-from"] = datetime.fromtimestamp(timestamp=current_claims["nbf"],
+                                                                      tz=timezone.utc).isoformat()
             else:
-                # JWT service is being provided locally
-                just_now: int = int(datetime.now(tz=timezone.utc).timestamp())
-                current_claims["iat"] = just_now
-                grace_interval = account_data.get("grace-interval")
-                if grace_interval:
-                    current_claims["nbf"] = just_now + grace_interval
-                    current_claims["valid-from"] = datetime.fromtimestamp(timestamp=current_claims["nbf"],
-                                                                          tz=timezone.utc).isoformat()
-                else:
-                    current_claims["valid-from"] = datetime.fromtimestamp(timestamp=current_claims["iat"],
-                                                                          tz=timezone.utc).isoformat()
-                # issue a candidate refresh token first, and persist it
-                current_claims["exp"] = just_now + account_data.get("refresh-max-age")
-                current_claims["valid-until"] = datetime.fromtimestamp(timestamp=current_claims["exp"],
-                                                                       tz=timezone.utc).isoformat()
-                # may raise an exception
-                refresh_token: str = jwt.encode(payload=current_claims,
-                                                key=JWT_ENCODING_KEY,
-                                                algorithm=JWT_DEFAULT_ALGORITHM,
-                                                headers={"kid": "R0"})
-                # obtain a DB connection (may raise an exception)
-                db_conn: Any = db_connect(errors=errors,
-                                          logger=logger)
-                # persist the candidate token (may raise an exception)
-                token_id: int = _jwt_persist_token(errors=errors,
-                                                   account_id=account_id,
-                                                   jwt_token=refresh_token,
-                                                   db_conn=db_conn,
-                                                   logger=logger)
-                # issue the definitive refresh token
-                refresh_token = jwt.encode(payload=current_claims,
+                current_claims["valid-from"] = datetime.fromtimestamp(timestamp=current_claims["iat"],
+                                                                      tz=timezone.utc).isoformat()
+            # issue a candidate refresh token first, and persist it
+            current_claims["exp"] = just_now + account_data.get("refresh-max-age")
+            current_claims["valid-until"] = datetime.fromtimestamp(timestamp=current_claims["exp"],
+                                                                   tz=timezone.utc).isoformat()
+            # may raise an exception
+            refresh_token: str = jwt.encode(payload=current_claims,
+                                            key=JWT_ENCODING_KEY,
+                                            algorithm=JWT_DEFAULT_ALGORITHM,
+                                            headers={"kid": "R0"})
+            # obtain a DB connection (may raise an exception)
+            db_conn: Any = db_connect(errors=errors,
+                                      logger=logger)
+            # persist the candidate token (may raise an exception)
+            token_id: int = _jwt_persist_token(errors=errors,
+                                               account_id=account_id,
+                                               jwt_token=refresh_token,
+                                               db_conn=db_conn,
+                                               logger=logger)
+            # issue the definitive refresh token
+            refresh_token = jwt.encode(payload=current_claims,
+                                       key=JWT_ENCODING_KEY,
+                                       algorithm=JWT_DEFAULT_ALGORITHM,
+                                       headers={"kid": f"R{token_id}"})
+            # persist it
+            db_update(errors=errors,
+                      update_stmt=f"UPDATE {JWT_DB_TABLE}",
+                      update_data={JWT_DB_COL_TOKEN: refresh_token},
+                      where_data={JWT_DB_COL_KID: token_id},
+                      connection=db_conn,
+                      logger=logger)
+            # commit the transaction
+            db_commit(errors=errors,
+                      connection=db_conn,
+                      logger=logger)
+            if errors:
+                raise RuntimeError("; ".join(errors))
+
+            # issue the access token
+            current_claims["exp"] = just_now + account_data.get("access-max-age")
+            # may raise an exception
+            access_token: str = jwt.encode(payload=current_claims,
                                            key=JWT_ENCODING_KEY,
                                            algorithm=JWT_DEFAULT_ALGORITHM,
-                                           headers={"kid": f"R{token_id}"})
-                # persist it
-                db_update(errors=errors,
-                          update_stmt=f"UPDATE {JWT_DB_TABLE}",
-                          update_data={JWT_DB_COL_TOKEN: refresh_token},
-                          where_data={JWT_DB_COL_KID: token_id},
-                          connection=db_conn,
-                          logger=logger)
-                # commit the transaction
-                db_commit(errors=errors,
-                          connection=db_conn,
-                          logger=logger)
-                if errors:
-                    raise RuntimeError("; ".join(errors))
-
-                # issue the access token
-                current_claims["exp"] = just_now + account_data.get("access-max-age")
-                # may raise an exception
-                access_token: str = jwt.encode(payload=current_claims,
-                                               key=JWT_ENCODING_KEY,
-                                               algorithm=JWT_DEFAULT_ALGORITHM,
-                                               headers={"kid": f"A{token_id}"})
-                # return the token data
-                result = {
-                    "access_token": access_token,
-                    "created_in": current_claims.get("iat"),
-                    "expires_in": current_claims.get("exp"),
-                    "refresh_token": refresh_token
-                }
-
-        return result
+                                           headers={"kid": f"A{token_id}"})
+            # return the token data
+            return {
+                "access-token": access_token,
+                "created-in": current_claims.get("iat"),
+                "expires-in": current_claims.get("exp"),
+                "refresh-token": refresh_token
+            }
 
     def __get_account_data(self,
                            account_id: str,
@@ -355,7 +328,7 @@ class JwtRegistry:
         :raises RuntimeError: No JWT access data exists for *account_id*
         """
         # retrieve the access data
-        result: dict[str, Any] = self.access_data.get(account_id)
+        result: dict[str, Any] = self.access_registry.get(account_id)
         if not result:
             # JWT access data not found
             err_msg: str = f"No JWT access data found for '{account_id}'"
@@ -366,60 +339,6 @@ class JwtRegistry:
         return result
 
 
-def _jwt_request_token(errors: list[str],
-                       remote_url: str,
-                       claims: dict[str, Any],
-                       timeout: int = None,
-                       logger: Logger = None) -> dict[str, Any]:
-    """
-    Obtain and return the JWT token from *reference_url*, along with its duration.
-
-    Expected structure of the return data:
-    {
-      "access_token": <jwt-token>,
-      "created_in": <timestamp>,
-      "expires_in": <seconds-to-expiration>,
-      "refresh_token": <token>
-    }
-    It is up to the invoker to make sure that the *claims* data conform to the requirements
-    of the provider issuing the JWT token.
-
-    :param errors: incidental errors
-    :param remote_url: the reference URL for obtaining JWT tokens
-    :param claims: the JWT claimset, as expected by the issuing server
-    :param timeout: request timeout, in seconds (defaults to *None*)
-    :param logger: optional logger
-    """
-    # initialize the return variable
-    result: dict[str, Any] | None = None
-
-    # request the JWT token
-    if logger:
-        logger.debug(f"POST request JWT token to '{remote_url}'")
-    response: Response = requests.post(
-        url=remote_url,
-        json=claims,
-        timeout=timeout
-    )
-
-    # was the request successful ?
-    if response.status_code in [200, 201, 202]:
-        # yes, save the access token data returned
-        result = response.json()
-        if logger:
-            logger.debug(f"JWT token obtained: {result}")
-    else:
-        # no, report the problem
-        err_msg: str = f"POST request to '{remote_url}' failed: {response.reason}"
-        if response.text:
-            err_msg += f" - {response.text}"
-        if logger:
-            logger.error(err_msg)
-        errors.append(err_msg)
-
-    return result
-
-
 def _jwt_persist_token(errors: list[str],
                        account_id: str,
                        jwt_token: str,
@@ -468,7 +387,6 @@ def _jwt_persist_token(errors: list[str],
         token_kid: int = rec[0]
         token_claims: dict[str, Any] = jwt_get_claims(errors=errors,
                                                       token=token,
-                                                      validate=False,
                                                       logger=logger)
         if errors:
             raise RuntimeError("; ".join(errors))