class TestProvider(object):
@pytest.fixture(autouse=True)
def create_provider(self):
kb = KeyBundle(JWKS["keys"])
kj = KeyJar()
kj.issuer_keys[''] = [kb]
_sdb = SessionDB(
"https://example.com/",
db={},
code_factory=DefaultToken('supersecret', 'verybadpassword',
typ='A', lifetime=600),
token_factory=JWTToken('T', keyjar=kj,
lt_pattern={'code': 3600, 'token': 900},
iss='https://example.com/as',
sign_alg='RS256'),
refresh_token_factory=JWTToken(
'R', keyjar=kj, lt_pattern={'': 24 * 3600},
iss='https://example.com/as')
)
# name, sdb, cdb, authn_broker, authz, client_authn,
self.provider = Provider("as", _sdb, CDB, AUTHN_BROKER, AUTHZ,
verify_client,
baseurl='https://example.com/as')
def test_authorization_endpoint_faulty_redirect_uri(self):
bib = {"state": "id-6da9ca0cc23959f5f33e8becd9b08cae",
# faulty redirect uri
"redirect_uri": "http://localhost:8087/cb",
"response_type": ["code"],
"client_id": "a1b2c3"}
arq = AuthorizationRequest(**bib)
resp = self.provider.authorization_endpoint(request=arq.to_urlencoded())
assert resp.status == "400 Bad Request"
msg = json.loads(resp.message)
assert msg["error"] == "invalid_request"
def test_authenticated(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = 'https://example.com/as'
sid = rndstr(8)
args = {
'redirect_uri': "http://localhost:8087/authz",
"state": sid, "response_type": 'code'}
url, body, ht_args, csi = client.request_info(
AuthorizationRequest, 'GET', request_args=args)
resp = self.provider.authorization_endpoint(urlparse(url).query)
assert resp.status == "303 See Other"
resp = urlparse(resp.message).query
aresp = client.parse_authz_response(resp)
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss'])
assert _eq(client.grant[sid].keys(), ['tokens', 'code', 'exp_in',
'seed', 'id_token',
'grant_expiration_time'])
def test_authenticated_token(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = 'https://example.com/as'
sid = rndstr(8)
args = {'redirect_uri': "http://localhost:8087/authz", "state": sid,
"response_type": 'token'}
url, body, ht_args, csi = client.request_info(AuthorizationRequest,
'GET', request_args=args)
QUERY_STRING = url.split("?")[1]
resp = self.provider.authorization_endpoint(QUERY_STRING)
auth_resp = parse_qs(urlparse(resp.message).fragment)
assert "access_token" in auth_resp
assert auth_resp["token_type"][0] == "Bearer"
def test_token_endpoint(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ['access_token', 'token_type'])
def test_token_endpoint_no_cache(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
assert resp.headers == [('Pragma', 'no-cache'), ('Cache-Control', 'no-store'),
('Content-type', 'application/json')]
def test_token_endpoint_unauth(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1",
response_type='code')
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client2",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = TokenErrorResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ['error_description', 'error'])
def test_token_introspection(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenIntrospectionRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, 'json')
assert ti_resp['active'] is True
def test_token_revocation_and_introspection(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenRevocationRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.revocation_endpoint(request=req.to_urlencoded())
assert resp.status == '200 OK'
req = TokenIntrospectionRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, 'json')
assert ti_resp['active'] is False
class TestProvider(object):
@pytest.fixture(autouse=True)
def create_provider(self):
kb = KeyBundle(JWKS["keys"])
kj = KeyJar()
kj.issuer_keys[''] = [kb]
_sdb = SessionDB(
"https://example.com/",
token_factory=JWTToken('T', keyjar=kj,
lt_pattern={'code': 3600, 'token': 900},
iss='https://example.com/as',
sign_alg='RS256'),
refresh_token_factory=JWTToken(
'R', keyjar=kj, lt_pattern={'': 24 * 3600},
iss='https://example.com/as')
)
# name, sdb, cdb, authn_broker, authz, client_authn,
self.provider = Provider("as", _sdb, CDB, AUTHN_BROKER, AUTHZ,
verify_client,
baseurl='https://example.com/as')
def test_authorization_endpoint_faulty_redirect_uri(self):
bib = {"state": "id-6da9ca0cc23959f5f33e8becd9b08cae",
# faulty redirect uri
"redirect_uri": "http://localhost:8087/cb",
"response_type": ["code"],
"client_id": "a1b2c3"}
arq = AuthorizationRequest(**bib)
resp = self.provider.authorization_endpoint(request=arq.to_urlencoded())
assert resp.status == "400 Bad Request"
msg = json.loads(resp.message)
assert msg["error"] == "invalid_request"
def test_authenticated(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = 'https://example.com/as'
sid = rndstr(8)
args = {
'redirect_uri': "http://localhost:8087/authz",
"state": sid, "response_type": 'code'}
url, body, ht_args, csi = client.request_info(
AuthorizationRequest, 'GET', request_args=args)
resp = self.provider.authorization_endpoint(urlparse(url).query)
assert resp.status == "303 See Other"
resp = urlparse(resp.message).query
aresp = client.parse_authz_response(resp)
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss'])
assert _eq(client.grant[sid].keys(), ['tokens', 'code', 'exp_in',
'seed', 'id_token',
'grant_expiration_time'])
def test_authenticated_token(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = 'https://example.com/as'
sid = rndstr(8)
args = {'redirect_uri': "http://localhost:8087/authz", "state": sid,
"response_type": 'token'}
url, body, ht_args, csi = client.request_info(AuthorizationRequest,
'GET', request_args=args)
QUERY_STRING = url.split("?")[1]
resp = self.provider.authorization_endpoint(QUERY_STRING)
auth_resp = parse_qs(urlparse(resp.message).fragment)
assert "access_token" in auth_resp
assert auth_resp["token_type"][0] == "Bearer"
def test_token_endpoint(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ['access_token', 'token_type'])
def test_token_endpoint_unauth(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1",
response_type='code')
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client2",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = TokenErrorResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ['error_description', 'error'])
def test_token_introspection(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenIntrospectionRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, 'json')
assert ti_resp['active'] is True
def test_token_revocation_and_introspection(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenRevocationRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.revocation_endpoint(request=req.to_urlencoded())
assert resp.status == '200 OK'
req = TokenIntrospectionRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, 'json')
assert ti_resp['active'] is False
class TestProvider(object):
@pytest.fixture(autouse=True)
def create_provider(self):
kb = KeyBundle(JWKS["keys"])
kj = KeyJar()
kj.issuer_keys[""] = [kb]
_sdb = SessionDB(
"https://example.com/",
db={},
code_factory=DefaultToken(
"supersecret", "verybadpassword", typ="A", lifetime=600
),
token_factory=JWTToken(
"T",
keyjar=kj,
lt_pattern={"code": 3600, "token": 900},
iss="https://example.com/as",
sign_alg="RS256",
),
refresh_token_factory=JWTToken(
"R",
keyjar=kj,
lt_pattern={"": 24 * 3600},
iss="https://example.com/as",
token_storage={},
),
)
# name, sdb, cdb, authn_broker, authz, client_authn,
self.provider = Provider(
"as",
_sdb,
CDB,
AUTHN_BROKER,
AUTHZ,
verify_client,
baseurl="https://example.com/as",
)
def test_authorization_endpoint_faulty_redirect_uri(self):
bib = {
"state": "id-6da9ca0cc23959f5f33e8becd9b08cae",
# faulty redirect uri
"redirect_uri": "http://localhost:8087/cb",
"response_type": ["code"],
"client_id": "a1b2c3",
}
arq = AuthorizationRequest(**bib)
resp = self.provider.authorization_endpoint(request=arq.to_urlencoded())
assert resp.status_code == 400
msg = json.loads(resp.message)
assert msg["error"] == "invalid_request"
def test_authenticated(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = "https://example.com/as"
sid = rndstr(8)
args = {
"redirect_uri": "http://localhost:8087/authz",
"state": sid,
"response_type": "code",
}
url, body, ht_args, csi = client.request_info(
AuthorizationRequest, "GET", request_args=args
)
resp = self.provider.authorization_endpoint(urlparse(url).query)
assert resp.status_code == 303
resp = urlparse(resp.message).query
aresp = client.parse_authz_response(resp)
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ["state", "code", "client_id", "iss"])
assert _eq(
client.grant[sid].keys(),
["tokens", "code", "exp_in", "seed", "id_token", "grant_expiration_time"],
)
def test_authenticated_token(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = "https://example.com/as"
sid = rndstr(8)
args = {
"redirect_uri": "http://localhost:8087/authz",
"state": sid,
"response_type": "token",
}
url, body, ht_args, csi = client.request_info(
AuthorizationRequest, "GET", request_args=args
)
QUERY_STRING = url.split("?")[1]
resp = self.provider.authorization_endpoint(QUERY_STRING)
auth_resp = parse_qs(urlparse(resp.message).fragment)
assert "access_token" in auth_resp
assert auth_resp["token_type"][0] == "Bearer"
def test_token_endpoint(self):
authreq = AuthorizationRequest(
state="state", redirect_uri="http://example.com/authz", client_id="client1"
)
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ["access_token", "token_type"])
def test_token_endpoint_no_cache(self):
authreq = AuthorizationRequest(
state="state", redirect_uri="http://example.com/authz", client_id="client1"
)
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
assert resp.headers == [
("Pragma", "no-cache"),
("Cache-Control", "no-store"),
("Content-type", "application/json"),
]
def test_token_endpoint_unauth(self):
authreq = AuthorizationRequest(
state="state",
redirect_uri="http://example.com/authz",
client_id="client1",
response_type="code",
)
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client2",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = TokenErrorResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ["error_description", "error"])
def test_token_introspection(self):
authreq = AuthorizationRequest(
state="state", redirect_uri="http://example.com/authz", client_id="client1"
)
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenIntrospectionRequest(
token=atr["access_token"],
client_id="client1",
client_secret="hemlighet",
token_type_hint="access_token",
)
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json")
assert ti_resp["active"] is True
def test_token_introspection_bad_access_token(self):
req = TokenIntrospectionRequest(
token="access_token",
client_id="client1",
client_secret="hemlighet",
token_type_hint="access_token",
)
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json")
assert ti_resp["active"] is False
def test_token_introspection_bad_token_no_hint(self):
req = TokenIntrospectionRequest(
token="access_token", client_id="client1", client_secret="hemlighet"
)
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json")
assert ti_resp["active"] is False
def test_token_introspection_missing(self):
authreq = AuthorizationRequest(
state="state", redirect_uri="http://example.com/authz", client_id="client2"
)
_sdb = self.provider.sdb
self.provider.cdb["client2"] = {
"client_secret": "hemlighet",
"redirect_uris": [("http://localhost:8087/authz", None)],
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token"],
}
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client2",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client2",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
# Delete the client
del self.provider.cdb["client2"]
req = TokenIntrospectionRequest(
token=atr["access_token"],
client_id="client2",
client_secret="hemlighet",
token_type_hint="access_token",
)
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json")
assert ti_resp["error"] == "unauthorized_client"
def test_token_revocation_and_introspection(self):
authreq = AuthorizationRequest(
state="state", redirect_uri="http://example.com/authz", client_id="client1"
)
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenRevocationRequest(
token=atr["access_token"],
client_id="client1",
client_secret="hemlighet",
token_type_hint="access_token",
)
resp = self.provider.revocation_endpoint(request=req.to_urlencoded())
assert resp.status_code == 200
req2 = TokenIntrospectionRequest(
token=atr["access_token"],
client_id="client1",
client_secret="hemlighet",
token_type_hint="access_token",
)
resp = self.provider.introspection_endpoint(request=req2.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json")
assert ti_resp["active"] is False
def test_password_grant_type_ok(self):
# Set a not so dummy Authn method and token policy
self.provider.authn_broker = AUTHN_BROKER2
self.provider.set_token_policy("client1", {"grant_type": ["password"]})
areq = ROPCAccessTokenRequest(
grant_type="password", username="******", password="******"
)
areq[
"client_id"
] = "client1" # Token endpoint would fill that in based on client_authn
resp = self.provider.password_grant_type(areq)
atr = AccessTokenResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ["access_token", "token_type", "refresh_token"])
def test_password_grant_type_no_authn(self):
# Set a blank AuthnBroker
self.provider.authn_broker = AuthnBroker()
self.provider.set_token_policy("client1", {"grant_type": ["password"]})
areq = ROPCAccessTokenRequest(
grant_type="password", username="******", password="******"
)
areq[
"client_id"
] = "client1" # Token endpoint would fill that in based on client_authn
resp = self.provider.password_grant_type(areq)
atr = TokenErrorResponse().deserialize(resp.message, "json")
assert atr["error"] == "invalid_grant"
def test_password_grant_type_bad(self):
# Set a not so dummy Authn method and token policy
self.provider.authn_broker = AUTHN_BROKER2
self.provider.set_token_policy("client1", {"grant_type": ["password"]})
areq = ROPCAccessTokenRequest(
grant_type="password", username="******", password="******"
)
areq[
"client_id"
] = "client1" # Token endpoint would fill that in based on client_authn
resp = self.provider.password_grant_type(areq)
atr = TokenErrorResponse().deserialize(resp.message, "json")
assert atr["error"] == "invalid_grant"