async def test_issue_token(tmp_path: Path, factory: ComponentFactory) -> None:
    """Issue an OIDC token and verify its claim set.

    The fixed claims are compared exactly; ``iat`` and ``exp`` are only
    required to fall within a few seconds of the time the token was issued.
    """
    config = await configure(tmp_path, "oidc")
    factory.reconfigure(config)
    issuer = factory.create_token_issuer()

    token_data = await create_session_token(factory)
    oidc_token = issuer.issue_token(token_data, jti="new-jti", scope="openid")
    claims = oidc_token.claims

    issuer_config = config.issuer
    expected_claims = {
        "aud": issuer_config.aud,
        "exp": ANY,
        "iat": ANY,
        "iss": issuer_config.iss,
        "jti": "new-jti",
        "name": token_data.name,
        "preferred_username": token_data.username,
        "scope": "openid",
        "sub": token_data.username,
    }
    # Configurable claim names are added last so they override any fixed
    # claim of the same name, matching the precedence of a dict literal.
    expected_claims[issuer_config.username_claim] = token_data.username
    expected_claims[issuer_config.uid_claim] = token_data.uid
    assert claims == expected_claims

    # Timestamps are checked with a 5-second tolerance around "now".
    tolerance = 5
    issued_at = time.time()
    assert abs(claims["iat"] - issued_at) <= tolerance
    expected_expiry = issued_at + issuer_config.exp_minutes * 60
    assert abs(claims["exp"] - expected_expiry) <= tolerance
async def test_userinfo(client: AsyncClient,
                        factory: ComponentFactory) -> None:
    """A well-formed ``Bearer`` token yields 200 and echoes the token claims."""
    token_data = await create_session_token(factory)
    oidc_token = factory.create_token_issuer().issue_token(
        token_data, jti="some-jti"
    )

    headers = {"Authorization": f"Bearer {oidc_token.encoded}"}
    response = await client.get("/auth/userinfo", headers=headers)

    assert response.status_code == 200
    # The userinfo body is expected to be exactly the token's claim set.
    assert response.json() == oidc_token.claims
async def test_invalid(
    client: AsyncClient,
    config: Config,
    factory: ComponentFactory,
    caplog: LogCaptureFixture,
) -> None:
    """Malformed or invalid ``Authorization`` headers on ``/auth/userinfo``.

    Three cases are exercised:

    * an unknown authentication scheme (``token ...``) -> 400
      ``invalid_request`` with a warning log entry
    * a ``bearer`` scheme with no separator before the token -> 400
      ``invalid_request``
    * a ``bearer`` header carrying a tampered token -> 401 ``invalid_token``
      with a warning log entry that records the token source

    Every response must carry a parseable ``WWW-Authenticate`` challenge
    for the configured realm.
    """
    url = "/auth/userinfo"
    token_data = await create_session_token(factory)
    issuer = factory.create_token_issuer()
    oidc_token = issuer.issue_token(token_data, jti="some-jti")

    def _assert_bearer_challenge(
        response: Any,
        status: int,
        error: AuthError,
        description: str | None = None,
    ) -> None:
        # Every rejection must advertise a Bearer challenge for our realm.
        # When ``description`` is None the error_description only has to be
        # present (non-empty), not match a fixed string.
        assert response.status_code == status
        challenge = parse_www_authenticate(response.headers["WWW-Authenticate"])
        assert isinstance(challenge, AuthErrorChallenge)
        assert challenge.auth_type == AuthType.Bearer
        assert challenge.realm == config.realm
        assert challenge.error == error
        if description is None:
            assert challenge.error_description
        else:
            assert challenge.error_description == description

    def _expected_log(event: str, error: Any, **extra: Any) -> list[dict[str, Any]]:
        # Shape of the single warning entry each rejected request should log.
        entry: dict[str, Any] = {
            "error": error,
            "event": event,
            "httpRequest": {
                "requestMethod": "GET",
                "requestUrl": f"https://{TEST_HOSTNAME}{url}",
                "remoteIp": "127.0.0.1",
            },
            "severity": "warning",
        }
        entry.update(extra)
        return [entry]

    # Case 1: unrecognised authentication scheme.
    caplog.clear()
    unknown_scheme = {"Authorization": f"token {oidc_token.encoded}"}
    response = await client.get(url, headers=unknown_scheme)
    _assert_bearer_challenge(
        response,
        400,
        AuthError.invalid_request,
        "Unknown Authorization type token",
    )
    assert parse_log(caplog) == _expected_log(
        "Invalid request", "Unknown Authorization type token"
    )

    # Case 2: scheme and token run together with no separating space.
    no_separator = {"Authorization": f"bearer{oidc_token.encoded}"}
    response = await client.get(url, headers=no_separator)
    _assert_bearer_challenge(
        response,
        400,
        AuthError.invalid_request,
        "Malformed Authorization header",
    )

    # Case 3: syntactically valid header but the token has been altered.
    caplog.clear()
    tampered = {"Authorization": f"bearer XXX{oidc_token.encoded}"}
    response = await client.get(url, headers=tampered)
    _assert_bearer_challenge(response, 401, AuthError.invalid_token)
    assert parse_log(caplog) == _expected_log(
        "Invalid token", ANY, token_source="bearer"
    )