def test_oauth2_client_credential_and_multiple_authentication_can_be_combined(
token_cache, httpx_mock: HTTPXMock):
resource_owner_password_auth = httpx_auth.OAuth2ClientCredentials(
"http://provide_access_token",
client_id="test_user",
client_secret="test_pwd")
httpx_mock.add_response(
method="POST",
url="http://provide_access_token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
api_key_auth = httpx_auth.HeaderApiKey("my_provided_api_key")
api_key_auth2 = httpx_auth.HeaderApiKey("my_provided_api_key2",
header_name="X-Api-Key2")
header = get_header(
httpx_mock,
resource_owner_password_auth + (api_key_auth + api_key_auth2))
assert header.get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA"
assert header.get("X-Api-Key") == "my_provided_api_key"
assert header.get("X-Api-Key2") == "my_provided_api_key2"
def test_oauth2_authorization_code_and_api_key_authentication_can_be_combined(
token_cache, httpx_mock: HTTPXMock, browser_mock: BrowserMock):
authorization_code_auth = httpx_auth.OAuth2AuthorizationCode(
"http://provide_code", "http://provide_access_token")
tab = browser_mock.add_response(
opened_url=
"http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url=
"http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de",
)
httpx_mock.add_response(
method="POST",
url="http://provide_access_token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
api_key_auth = httpx_auth.HeaderApiKey("my_provided_api_key")
header = get_header(httpx_mock, authorization_code_auth + api_key_auth)
assert header.get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA"
assert header.get("X-Api-Key") == "my_provided_api_key"
tab.assert_success(
"You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab."
)
def test_basic_and_api_key_authentication_can_be_combined(
httpx_mock: HTTPXMock):
basic_auth = httpx_auth.Basic("test_user", "test_pwd")
api_key_auth = httpx_auth.HeaderApiKey("my_provided_api_key")
header = get_header(httpx_mock, basic_auth + api_key_auth)
assert header.get("Authorization") == "Basic dGVzdF91c2VyOnRlc3RfcHdk"
assert header.get("X-Api-Key") == "my_provided_api_key"
def test_refresh_token(token_cache, responses: RequestsMock):
auth = requests_auth.OAuth2ResourceOwnerPasswordCredentials(
"http://provide_access_token",
username="******",
password="******")
# response for password grant
responses.add(
responses.POST,
"http://provide_access_token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in":
"0", # let the token expire immediately after the first request
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
match=[
urlencoded_params_matcher({
"grant_type": "password",
"username": "******",
"password": "******",
})
],
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
assert (get_request(responses, "http://provide_access_token/").body ==
"grant_type=password&username=test_user&password=test_pwd")
# response for refresh token grant
responses.add(
responses.POST,
"http://provide_access_token",
json={
"access_token": "rVR7Syg5bjZtZYjbZIW",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
match=[
urlencoded_params_matcher({
"grant_type":
"refresh_token",
"refresh_token":
"tGzv3JOkF0XG5Qx2TlKWIA",
})
],
)
response = requests.get("http://authorized_only", auth=auth)
assert response.request.headers.get(
"Authorization") == "Bearer rVR7Syg5bjZtZYjbZIW"
assert (get_request(responses, "http://provide_access_token/").body ==
"grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA")
def test_requests_negotiate_sspi_is_used_when_nothing_is_provided(
monkeypatch, responses):
# load requests_negociate_sspi from the file in tests/success_ntlm folder
monkeypatch.syspath_prepend(
os.path.join(os.path.abspath(os.path.dirname(__file__)),
"success_ntlm"))
assert (get_header(
responses,
requests_auth.NTLM()).get("Authorization") == "HttpNegotiateAuth fake")
def test_requests_ntlm_is_used_when_user_and_pass_provided(
monkeypatch, responses):
# load requests_ntlm from the file in tests/success_ntlm folder
monkeypatch.syspath_prepend(
os.path.join(os.path.abspath(os.path.dirname(__file__)),
"success_ntlm"))
assert (get_header(responses,
requests_auth.NTLM("fake_user",
"fake_pwd")).get("Authorization") ==
"HttpNtlmAuth fake fake_user / fake_pwd")
def test_state_change(token_cache, httpx_mock: HTTPXMock, browser_mock: BrowserMock):
auth = httpx_auth.OAuth2Implicit("http://provide_token")
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url="http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=f"access_token={token}&state=123456",
)
assert get_header(httpx_mock, auth).get("Authorization") == f"Bearer {token}"
tab.assert_success("You are now authenticated on 123456. You may close this tab.")
def test_basic_and_multiple_authentication_can_be_combined(
token_cache, httpx_mock: HTTPXMock):
basic_auth = httpx_auth.Basic("test_user", "test_pwd")
api_key_auth2 = httpx_auth.HeaderApiKey("my_provided_api_key2",
header_name="X-Api-Key2")
api_key_auth3 = httpx_auth.HeaderApiKey("my_provided_api_key3",
header_name="X-Api-Key3")
header = get_header(httpx_mock,
basic_auth & (api_key_auth2 & api_key_auth3))
assert header.get("Authorization") == "Basic dGVzdF91c2VyOnRlc3RfcHdk"
assert header.get("X-Api-Key2") == "my_provided_api_key2"
assert header.get("X-Api-Key3") == "my_provided_api_key3"
def test_multiple_auth_and_header_api_key_can_be_combined(
token_cache, httpx_mock: HTTPXMock):
api_key_auth = httpx_auth.HeaderApiKey("my_provided_api_key")
api_key_auth2 = httpx_auth.HeaderApiKey("my_provided_api_key2",
header_name="X-Api-Key2")
api_key_auth3 = httpx_auth.HeaderApiKey("my_provided_api_key3",
header_name="X-Api-Key3")
header = get_header(httpx_mock,
(api_key_auth & api_key_auth2) & api_key_auth3)
assert header.get("X-Api-Key") == "my_provided_api_key"
assert header.get("X-Api-Key2") == "my_provided_api_key2"
assert header.get("X-Api-Key3") == "my_provided_api_key3"
def test_multiple_auth_and_header_api_key_can_be_combined(
token_cache, responses: RequestsMock):
api_key_auth = requests_auth.HeaderApiKey("my_provided_api_key")
api_key_auth2 = requests_auth.HeaderApiKey("my_provided_api_key2",
header_name="X-Api-Key2")
api_key_auth3 = requests_auth.HeaderApiKey("my_provided_api_key3",
header_name="X-Api-Key3")
header = get_header(responses,
(api_key_auth + api_key_auth2) + api_key_auth3)
assert header.get("X-Api-Key") == "my_provided_api_key"
assert header.get("X-Api-Key2") == "my_provided_api_key2"
assert header.get("X-Api-Key3") == "my_provided_api_key3"
def test_basic_and_multiple_authentication_can_be_combined(
token_cache, responses: RequestsMock):
basic_auth = requests_auth.Basic("test_user", "test_pwd")
api_key_auth2 = requests_auth.HeaderApiKey("my_provided_api_key2",
header_name="X-Api-Key2")
api_key_auth3 = requests_auth.HeaderApiKey("my_provided_api_key3",
header_name="X-Api-Key3")
header = get_header(responses,
basic_auth + (api_key_auth2 + api_key_auth3))
assert header.get("Authorization") == "Basic dGVzdF91c2VyOnRlc3RfcHdk"
assert header.get("X-Api-Key2") == "my_provided_api_key2"
assert header.get("X-Api-Key3") == "my_provided_api_key3"
def test_oauth2_implicit_flow_token_custom_expiry(
token_cache, responses: RequestsMock, browser_mock: BrowserMock
):
auth = requests_auth.OAuth2Implicit("http://provide_token", early_expiry=28)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
expiry_in_29_seconds = datetime.datetime.utcnow() + datetime.timedelta(seconds=29)
token_cache._add_token(
key="42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
token=create_token(expiry_in_29_seconds),
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
token = create_token(expiry_in_29_seconds)
assert get_header(responses, auth).get("Authorization") == f"Bearer {token}"
def test_oauth2_implicit_flow_expects_token_in_id_token_if_response_type_in_url_is_id_token(
token_cache, httpx_mock: HTTPXMock, browser_mock: BrowserMock
):
auth = httpx_auth.OAuth2Implicit("http://provide_token?response_type=id_token")
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url="http://provide_token?response_type=id_token&state=87c4108ec0eb03599335333a40434a36674269690b6957fef684bfb6c5a849ce660ef7031aa874c44d67cd3eada8febdfce41efb1ed3bc53a0a7e716cbba025a&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=f"id_token={token}&state=87c4108ec0eb03599335333a40434a36674269690b6957fef684bfb6c5a849ce660ef7031aa874c44d67cd3eada8febdfce41efb1ed3bc53a0a7e716cbba025a",
)
assert get_header(httpx_mock, auth).get("Authorization") == f"Bearer {token}"
tab.assert_success(
"You are now authenticated on 87c4108ec0eb03599335333a40434a36674269690b6957fef684bfb6c5a849ce660ef7031aa874c44d67cd3eada8febdfce41efb1ed3bc53a0a7e716cbba025a. You may close this tab."
)
def test_refresh_token_access_token_not_expired(
token_cache, responses: RequestsMock, browser_mock: BrowserMock
):
auth = requests_auth.OAuth2AuthorizationCode(
"http://provide_code", "http://provide_access_token"
)
tab = browser_mock.add_response(
opened_url="http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de",
)
responses.add(
responses.POST,
"http://provide_access_token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
match=[
urlencoded_params_matcher(
{
"grant_type": "authorization_code",
"redirect_uri": "http://localhost:5000/",
"response_type": "code",
"code": "SplxlOBeZQQYbYS6WxSbIA",
}
)
],
)
assert (
get_header(responses, auth).get("Authorization")
== "Bearer 2YotnFZFEjr1zCsicMWpAA"
)
assert (
get_request(responses, "http://provide_access_token/").body
== "grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&response_type=code&code=SplxlOBeZQQYbYS6WxSbIA"
)
tab.assert_success(
"You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab."
)
# expect Bearer token to remain the same
response = requests.get("http://authorized_only", auth=auth)
assert (
response.request.headers.get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA"
)
def test_okta_client_credentials_flow_token_custom_expiry(
token_cache, httpx_mock: HTTPXMock):
auth = httpx_auth.OktaClientCredentials("test_okta",
client_id="test_user",
client_secret="test_pwd",
early_expiry=28)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
token_cache._add_token(
key=
"f0d25aa4e496c6615328e776bb981dabe53fa77768a0a58eaf6d54215c598d80e57ffc7926fd96ec6a6a872942cb684a473e36233b593fb760d3eb6dc22ae550",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=httpx_auth.oauth2_tokens._to_expiry(expires_in=29),
)
assert (get_header(
httpx_mock,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_oauth2_implicit_flow_token_is_sent_in_requested_field(
token_cache, responses: RequestsMock, browser_mock: BrowserMock
):
auth = requests_auth.OAuth2Implicit(
"http://provide_token", header_name="Bearer", header_value="{token}"
)
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url="http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=f"access_token={token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
)
assert get_header(responses, auth).get("Bearer") == token
tab.assert_success(
"You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab."
)
def test_oauth2_authorization_code_flow_get_code_custom_expiry(
token_cache, httpx_mock: HTTPXMock, browser_mock: BrowserMock):
auth = httpx_auth.OktaAuthorizationCode(
"testserver.okta-emea.com",
"54239d18-c68c-4c47-8bdd-ce71ea1d50cd",
early_expiry=28,
)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
token_cache._add_token(
key=
"5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=httpx_auth.oauth2_tokens._to_expiry(expires_in=29),
)
assert (get_header(
httpx_mock,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_oauth2_implicit_flow_token_is_not_reused_if_a_url_parameter_is_changing(
token_cache, httpx_mock: HTTPXMock, browser_mock: BrowserMock):
auth1 = httpx_auth.OAuth2Implicit(
"http://provide_token?response_type=custom_token&fake_param=1",
token_field_name="custom_token",
)
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
first_token = create_token(expiry_in_1_hour)
tab1 = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=custom_token&fake_param=1&state=5652a8138e3a99dab7b94532c73ed5b10f19405316035d1efdc8bf7e0713690485254c2eaff912040eac44031889ef0a5ed5730c8a111541120d64a898c31afe&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=
f"custom_token={first_token}&state=5652a8138e3a99dab7b94532c73ed5b10f19405316035d1efdc8bf7e0713690485254c2eaff912040eac44031889ef0a5ed5730c8a111541120d64a898c31afe",
)
assert get_header(httpx_mock,
auth1).get("Authorization") == f"Bearer {first_token}"
# Ensure that the new token is different than previous one
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(
hours=1, seconds=1)
auth2 = httpx_auth.OAuth2Implicit(
"http://provide_token?response_type=custom_token&fake_param=2",
token_field_name="custom_token",
)
second_token = create_token(expiry_in_1_hour)
tab2 = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=custom_token&fake_param=2&state=5c3940ccf78ac6e7d6d8d06782d9fd95a533aa5425b616eaa38dc3ec9508fbd55152c58a0d8dd8a087e76b77902559285819a41cb78ce8713e5a3b974bf07ce9&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=
f"custom_token={second_token}&state=5c3940ccf78ac6e7d6d8d06782d9fd95a533aa5425b616eaa38dc3ec9508fbd55152c58a0d8dd8a087e76b77902559285819a41cb78ce8713e5a3b974bf07ce9",
)
response = httpx.get("http://authorized_only", auth=auth2)
# Return headers received on this dummy URL
assert response.request.headers.get(
"Authorization") == f"Bearer {second_token}"
tab1.assert_success(
"You are now authenticated on 5652a8138e3a99dab7b94532c73ed5b10f19405316035d1efdc8bf7e0713690485254c2eaff912040eac44031889ef0a5ed5730c8a111541120d64a898c31afe. You may close this tab."
)
tab2.assert_success(
"You are now authenticated on 5c3940ccf78ac6e7d6d8d06782d9fd95a533aa5425b616eaa38dc3ec9508fbd55152c58a0d8dd8a087e76b77902559285819a41cb78ce8713e5a3b974bf07ce9. You may close this tab."
)
def test_oauth2_password_credentials_flow_token_custom_expiry(
token_cache, httpx_mock: HTTPXMock):
auth = httpx_auth.OAuth2ResourceOwnerPasswordCredentials(
"http://provide_access_token",
username="******",
password="******",
early_expiry=28,
)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
token_cache._add_token(
key=
"db2be9203dd2718c7285319dde1270056808482fbf7fffa6a9362d092d1cf799b393dd15140ea13e4d76d1603e56390a6222ff7063736a1b686d317706b2c001",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=httpx_auth.oauth2_tokens._to_expiry(expires_in=29),
)
assert (get_header(
httpx_mock,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_expires_in_sent_as_str(token_cache, responses: RequestsMock):
auth = requests_auth.OktaClientCredentials("test_okta",
client_id="test_user",
client_secret="test_pwd")
responses.add(
responses.POST,
"https://test_okta/oauth2/default/v1/token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": "3600",
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_oauth2_client_credentials_flow_token_custom_expiry(
token_cache, httpx_mock: HTTPXMock):
auth = httpx_auth.OAuth2ClientCredentials(
"http://provide_access_token",
client_id="test_user",
client_secret="test_pwd",
early_expiry=28,
)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
token_cache._add_token(
key=
"a8a1c17ded24b3710524306819084310b08f97e151c79f4f1979202c541f3e8506c93176f7ee816bfcd2b2f6de9c5c3e16aaff220f1ad8f08d31ee086e8618da",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=httpx_auth.oauth2_tokens._to_expiry(expires_in=29),
)
assert (get_header(
httpx_mock,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_expires_in_sent_as_str(token_cache, httpx_mock: HTTPXMock):
auth = httpx_auth.OAuth2ClientCredentials("http://provide_access_token",
client_id="test_user",
client_secret="test_pwd")
httpx_mock.add_response(
method="POST",
url="http://provide_access_token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": "3600",
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
assert (get_header(
httpx_mock,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_oauth2_implicit_and_api_key_authentication_can_be_combined(
token_cache, responses: RequestsMock, browser_mock: BrowserMock
):
implicit_auth = requests_auth.OAuth2Implicit("http://provide_token")
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url="http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=f"access_token={token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
)
api_key_auth = requests_auth.HeaderApiKey("my_provided_api_key")
header = get_header(responses, implicit_auth & api_key_auth)
assert header.get("Authorization") == f"Bearer {token}"
assert header.get("X-Api-Key") == "my_provided_api_key"
tab.assert_success(
"You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab."
)
def test_oauth2_client_credentials_flow_token_custom_expiry(
token_cache, responses: RequestsMock, browser_mock: BrowserMock
):
auth = requests_auth.OAuth2AuthorizationCode(
"http://provide_code",
"http://provide_access_token",
early_expiry=28,
)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
token_cache._add_token(
key="163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
assert (
get_header(responses, auth).get("Authorization")
== "Bearer 2YotnFZFEjr1zCsicMWpAA"
)
def test_oauth2_pkce_flow_get_code_custom_expiry(token_cache,
httpx_mock: HTTPXMock,
monkeypatch,
browser_mock: BrowserMock):
monkeypatch.setattr(httpx_auth.authentication.os, "urandom",
lambda x: b"1" * 63)
auth = httpx_auth.OAuth2AuthorizationCodePKCE(
"http://provide_code", "http://provide_access_token", early_expiry=28)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
token_cache._add_token(
key=
"163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=httpx_auth.oauth2_tokens._to_expiry(expires_in=29),
)
assert (get_header(
httpx_mock,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_okta_pkce_flow_token_is_expired_after_30_seconds_by_default(
token_cache, responses: RequestsMock, monkeypatch,
browser_mock: BrowserMock):
monkeypatch.setattr(requests_auth.authentication.os, "urandom",
lambda x: b"1" * 63)
auth = requests_auth.OktaAuthorizationCodePKCE(
"testserver.okta-emea.com", "54239d18-c68c-4c47-8bdd-ce71ea1d50cd")
tab = browser_mock.add_response(
opened_url=
"https://testserver.okta-emea.com/oauth2/default/v1/authorize?client_id=54239d18-c68c-4c47-8bdd-ce71ea1d50cd&scope=openid&response_type=code&state=5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&code_challenge=5C_ph_KZ3DstYUc965SiqmKAA-ShvKF4Ut7daKd3fjc&code_challenge_method=S256",
reply_url=
"http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b",
)
# Add a token that expires in 29 seconds, so should be considered as expired when issuing the request
token_cache._add_token(
key=
"5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
# Meaning a new one will be requested
responses.add(
responses.POST,
"https://testserver.okta-emea.com/oauth2/default/v1/token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
assert (
get_request(
responses,
"https://testserver.okta-emea.com/oauth2/default/v1/token").body ==
"code_verifier=MTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTEx&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&client_id=54239d18-c68c-4c47-8bdd-ce71ea1d50cd&scope=openid&response_type=code&code=SplxlOBeZQQYbYS6WxSbIA"
)
tab.assert_success(
"You are now authenticated on 5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b. You may close this tab."
)
def test_oauth2_pkce_flow_uses_provided_session(token_cache,
responses: RequestsMock,
monkeypatch,
browser_mock: BrowserMock):
session = requests.Session()
session.headers.update({"x-test": "Test value"})
monkeypatch.setattr(requests_auth.authentication.os, "urandom",
lambda x: b"1" * 63)
auth = requests_auth.OktaAuthorizationCodePKCE(
"testserver.okta-emea.com",
"54239d18-c68c-4c47-8bdd-ce71ea1d50cd",
session=session,
)
tab = browser_mock.add_response(
opened_url=
"https://testserver.okta-emea.com/oauth2/default/v1/authorize?client_id=54239d18-c68c-4c47-8bdd-ce71ea1d50cd&scope=openid&response_type=code&state=5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&code_challenge=5C_ph_KZ3DstYUc965SiqmKAA-ShvKF4Ut7daKd3fjc&code_challenge_method=S256",
reply_url=
"http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b",
)
responses.add(
responses.POST,
"https://testserver.okta-emea.com/oauth2/default/v1/token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
request = get_request(
responses, "https://testserver.okta-emea.com/oauth2/default/v1/token")
assert (
request.body ==
"code_verifier=MTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTEx&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&client_id=54239d18-c68c-4c47-8bdd-ce71ea1d50cd&scope=openid&response_type=code&code=SplxlOBeZQQYbYS6WxSbIA"
)
assert request.headers["x-test"] == "Test value"
tab.assert_success(
"You are now authenticated on 5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b. You may close this tab."
)
def test_oauth2_client_credentials_flow_token_is_sent_in_authorization_header_by_default(
token_cache, responses: RequestsMock):
auth = requests_auth.OAuth2ClientCredentials("http://provide_access_token",
client_id="test_user",
client_secret="test_pwd")
responses.add(
responses.POST,
"http://provide_access_token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_oauth2_implicit_flow_token_can_be_requested_on_a_custom_server_port(
token_cache, httpx_mock: HTTPXMock, browser_mock: BrowserMock
):
# TODO Should use a method to retrieve a free port instead
available_port = 5002
auth = httpx_auth.OAuth2Implicit(
"http://provide_token", redirect_uri_port=available_port
)
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url="http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5002%2F",
reply_url="http://localhost:5002",
data=f"access_token={token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
)
assert get_header(httpx_mock, auth).get("Authorization") == f"Bearer {token}"
tab.assert_success(
"You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab."
)
def test_okta_client_credentials_flow_token_is_sent_in_authorization_header_by_default(
token_cache, httpx_mock: HTTPXMock):
auth = httpx_auth.OktaClientCredentials("test_okta",
client_id="test_user",
client_secret="test_pwd")
httpx_mock.add_response(
method="POST",
url="https://test_okta/oauth2/default/v1/token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
assert (get_header(
httpx_mock,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
