def test_userinfo_endpoint():
server = provider_init
_session_db = {}
cons = Consumer(_session_db,
CONSUMER_CONFIG,
CLIENT_CONFIG,
server_info=SERVER_INFO)
cons.debug = True
cons.client_secret = "drickyoughurt"
cons.config["response_type"] = ["token"]
cons.config["request_method"] = "parameter"
cons.keyjar[""] = KC_RSA
state, location = cons.begin("openid",
"token",
path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
line = resp.message
path, query = line.split("#")
# redirect
atr = AuthorizationResponse().deserialize(query, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
resp3 = server.userinfo_endpoint(request=uir.to_urlencoded())
ident = OpenIDSchema().deserialize(resp3.message, "json")
print ident.keys()
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
def test_faulty_idtoken_from_accesstoken_endpoint():
consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
CLIENT_CONFIG, SERVER_INFO)
consumer.keyjar = CLIKEYS
mfos = MITMServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
_state = "state0"
consumer.nonce = rndstr()
consumer.client_secret = "hemlig"
consumer.secret_type = "basic"
consumer.config["response_type"] = ["id_token"]
args = {
"client_id": consumer.client_id,
"response_type": consumer.config["response_type"],
"scope": ["openid"],
}
result = consumer.do_authorization_request(state=_state, request_args=args)
consumer._backup("state0")
assert result.status_code == 302
# assert result.location.startswith(consumer.redirect_uri[0])
_, query = result.headers["location"].split("?")
print query
try:
consumer.parse_authz(query=query)
except BadSignature:
pass
else:
assert False
def test_complete_secret_auth():
consumer = Consumer(SessionDB(), CONFIG, CLIENT_CONFIG, SERVER_INFO)
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
consumer.state = "state0"
consumer.nonce = rndstr()
consumer.client_secret = "hemlig"
consumer.secret_type = "basic"
del consumer.config["password"]
args = {
"client_id": consumer.client_id,
"response_type": "code",
"scope": ["openid"],
}
result = consumer.do_authorization_request(state=consumer.state,
request_args=args)
assert result.status_code == 302
assert result.headers["location"].startswith(consumer.redirect_uris[0])
_, query = result.headers["location"].split("?")
consumer.parse_response(AuthorizationResponse, info=query,
sformat="urlencoded")
resp = consumer.complete()
print resp
assert resp.type() == "AccessTokenResponse"
print resp.keys()
assert _eq(resp.keys(), ['token_type', 'state', 'access_token',
'scope', 'expires_in', 'refresh_token'])
assert resp["state"] == consumer.state
def test_userinfo_endpoint():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO)
cons.debug = True
cons.client_secret = "drickyoughurt"
cons.config["response_type"] = ["token"]
cons.config["request_method"] = "parameter"
cons.keyjar[""] = KC_RSA
location = cons.begin("openid", "token", path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
line = resp.message
path, query = line.split("?")
# redirect
atr = AuthorizationResponse().deserialize(query, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
resp3 = server.userinfo_endpoint(request=uir.to_urlencoded())
ident = OpenIDSchema().deserialize(resp3.message, "json")
print ident.keys()
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
assert ident["sub"] == USERDB["username"]["sub"]
def setup_userinfo_endpoint(self):
cons = Consumer({}, CONSUMER_CONFIG, {"client_id": CLIENT_ID},
server_info=SERVER_INFO, )
cons.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]}
cons.keyjar[""] = KC_RSA
cons.client_secret = "drickyoughurt"
state, location = cons.begin("openid", "token",
path=TestConfiguration.get_instance().rp_base)
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
# redirect
atr = AuthorizationResponse().deserialize(
urlparse(resp.message).fragment, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded())
responses.add(
responses.POST,
self.op_base + "userinfo",
body=resp.message,
status=200,
content_type='application/json')
def test_userinfo():
consumer = Consumer(SessionDB(), CONFIG, CLIENT_CONFIG, SERVER_INFO)
mfos = MyFakeOICServer(SRVKEYS, "http://localhost:8088")
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
consumer.state = "state0"
consumer.nonce = rndstr()
consumer.client_secret = "hemlig"
consumer.secret_type = "basic"
args = {
"client_id": consumer.client_id,
"response_type": "code",
"scope": ["openid"],
}
result = consumer.do_authorization_request(state=consumer.state,
request_args=args)
assert result.status_code == 302
assert result.headers["location"].startswith(consumer.redirect_uris[0])
_, query = result.headers["location"].split("?")
consumer.parse_response(AuthorizationResponse, info=query,
format="urlencoded")
consumer.complete()
result = consumer.get_user_info()
print result
assert result.type() == "OpenIDSchema"
assert _eq(result.keys(), ['name', 'email', 'verified', 'nickname'])
def test_complete_secret_auth():
consumer = Consumer(SessionDB(), CONFIG, CLIENT_CONFIG, SERVER_INFO)
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
consumer.state = "state0"
consumer.nonce = rndstr()
consumer.client_secret = "hemlig"
consumer.secret_type = "basic"
del consumer.config["password"]
args = {
"client_id": consumer.client_id,
"response_type": "code",
"scope": ["openid"],
}
result = consumer.do_authorization_request(state=consumer.state,
request_args=args)
assert result.status_code == 302
assert result.headers["location"].startswith(consumer.redirect_uris[0])
_, query = result.headers["location"].split("?")
consumer.parse_response(AuthorizationResponse, info=query,
sformat="urlencoded")
resp = consumer.complete()
print resp
assert resp.type() == "AccessTokenResponse"
print resp.keys()
assert _eq(resp.keys(), ['token_type', 'state', 'access_token',
'scope', 'expires_in', 'refresh_token'])
assert resp["state"] == consumer.state
def setup_userinfo_endpoint(self):
cons = Consumer(
{},
CONSUMER_CONFIG,
{"client_id": CLIENT_ID},
server_info=SERVER_INFO,
)
cons.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
cons.keyjar[""] = KC_RSA
cons.client_secret = "drickyoughurt"
state, location = cons.begin(
"openid", "token", path=TestConfiguration.get_instance().rp_base)
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
# redirect
atr = AuthorizationResponse().deserialize(
urlparse(resp.message).fragment, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"],
schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded())
responses.add(responses.POST,
self.op_base + "userinfo",
body=resp.message,
status=200,
content_type='application/json')
def test_faulty_idtoken_from_accesstoken_endpoint():
consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
CLIENT_CONFIG, SERVER_INFO)
consumer.keyjar = CLIKEYS
mfos = MITMServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
_state = "state0"
consumer.nonce = rndstr()
consumer.client_secret = "hemlig"
consumer.secret_type = "basic"
consumer.config["response_type"] = ["id_token"]
args = {
"client_id": consumer.client_id,
"response_type": consumer.config["response_type"],
"scope": ["openid"],
}
result = consumer.do_authorization_request(state=_state,
request_args=args)
consumer._backup("state0")
assert result.status_code == 302
# assert result.location.startswith(consumer.redirect_uri[0])
_, query = result.headers["location"].split("?")
print query
try:
consumer.parse_authz(query=query)
except BadSignature:
pass
else:
assert False
def test_complete_auth_token_idtoken():
consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
CLIENT_CONFIG, SERVER_INFO)
consumer.keyjar = CLIKEYS
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
_state = "state0"
consumer.nonce = rndstr()
consumer.client_secret = "hemlig"
consumer.secret_type = "basic"
consumer.config["response_type"] = ["id_token", "token"]
consumer.registration_response = {
"id_token_signed_response_alg": "RS256",
}
consumer.provider_info = {"issuer": "http://localhost:8088/"} # abs min
consumer.authz_req = {} # Store AuthzReq with state as key
args = {
"client_id": consumer.client_id,
"response_type": consumer.config["response_type"],
"scope": ["openid"],
}
result = consumer.do_authorization_request(state=_state, request_args=args)
# consumer._backup("state0")
assert result.status_code == 302
#assert result.location.startswith(consumer.redirect_uri[0])
_, query = result.headers["location"].split("?")
print query
part = consumer.parse_authz(query=query,
algs=consumer.sign_enc_algs("id_token"))
print part
auth = part[0]
atr = part[1]
assert part[2] is None
#print auth.dictionary()
#print acc.dictionary()
assert auth is None
assert atr.type() == "AccessTokenResponse"
assert _eq(atr.keys(), [
'access_token', 'id_token', 'expires_in', 'token_type', 'state',
'scope'
])
consumer.verify_id_token(atr["id_token"], consumer.authz_req[atr["state"]])
def test_complete_auth_token_idtoken():
consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
CLIENT_CONFIG, SERVER_INFO)
consumer.keyjar = CLIKEYS
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
_state = "state0"
consumer.nonce = rndstr()
consumer.client_secret = "hemlig"
consumer.secret_type = "basic"
consumer.config["response_type"] = ["id_token", "token"]
consumer.registration_response = {
"id_token_signed_response_alg": "RS256",
}
consumer.provider_info = {"issuer": "http://localhost:8088/"} # abs min
consumer.authz_req = {} # Store AuthzReq with state as key
args = {
"client_id": consumer.client_id,
"response_type": consumer.config["response_type"],
"scope": ["openid"],
}
result = consumer.do_authorization_request(state=_state,
request_args=args)
# consumer._backup("state0")
assert result.status_code == 302
#assert result.location.startswith(consumer.redirect_uri[0])
_, query = result.headers["location"].split("?")
print query
part = consumer.parse_authz(query=query,
algs=consumer.sign_enc_algs("id_token"))
print part
auth = part[0]
atr = part[1]
assert part[2] is None
#print auth.dictionary()
#print acc.dictionary()
assert auth is None
assert atr.type() == "AccessTokenResponse"
assert _eq(atr.keys(), ['access_token', 'id_token', 'expires_in',
'token_type', 'state', 'scope'])
consumer.verify_id_token(atr["id_token"], consumer.authz_req[atr["state"]])
def test_complete_auth_token():
consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
CLIENT_CONFIG, SERVER_INFO)
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
_state = "state0"
consumer.nonce = rndstr()
consumer.client_secret = "hemlig"
consumer.secret_type = "basic"
consumer.config["response_type"] = ["code", "token"]
args = {
"client_id": consumer.client_id,
"response_type": consumer.config["response_type"],
"scope": ["openid"],
}
result = consumer.do_authorization_request(state=_state, request_args=args)
consumer._backup("state0")
assert result.status_code == 302
# assert result.location.startswith(consumer.redirect_uri[0])
_, query = result.headers["location"].split("?")
print query
part = consumer.parse_authz(query=query)
print part
auth = part[0]
acc = part[1]
assert part[2] is None
#print auth.dictionary()
#print acc.dictionary()
assert auth.type() == "AuthorizationResponse"
assert acc.type() == "AccessTokenResponse"
print auth.keys()
assert _eq(auth.keys(), [
'code', 'access_token', 'expires_in', 'token_type', 'state', 'scope',
'refresh_token'
])
assert _eq(acc.keys(), [
'token_type', 'state', 'access_token', 'scope', 'expires_in',
'refresh_token'
])
def test_userinfo_endpoint():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO)
cons.debug = True
cons.client_secret = "drickyoughurt"
cons.config["response_type"] = ["token"]
cons.config["request_method"] = "parameter"
cons.keyjar[""] = KC_RSA
environ = BASE_ENVIRON
location = cons.begin(environ, start_response)
environ = BASE_ENVIRON.copy()
environ["QUERY_STRING"] = location.split("?")[1]
resp = server.authorization_endpoint(environ, start_response)
sid = resp[0][len("<form>"):-len("</form>")]
environ2 = create_return_form_env("user", "password", sid)
resp2 = server.authenticated(environ2, start_response)
line = resp2[0]
start = line.index("<title>")
start += len("<title>Redirecting to ")
stop = line.index("</title>")
path, query = line[start:stop].split("?")
# redirect
atr = AuthorizationResponse().deserialize(query, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
environ = BASE_ENVIRON.copy()
environ["QUERY_STRING"] = uir.to_urlencoded()
resp3 = server.userinfo_endpoint(environ, start_response)
ident = OpenIDSchema().deserialize(resp3[0], "json")
print ident.keys()
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
assert ident["sub"] == USERDB["user"]["sub"]
def test_complete_auth_token():
consumer = Consumer(SessionDB(), CONFIG, CLIENT_CONFIG, SERVER_INFO)
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
consumer.state = "state0"
consumer.nonce = rndstr()
consumer.client_secret = "hemlig"
consumer.secret_type = "basic"
consumer.config["response_type"] = ["code", "token"]
args = {
"client_id": consumer.client_id,
"response_type": consumer.config["response_type"],
"scope": ["openid"],
}
result = consumer.do_authorization_request(state=consumer.state,
request_args=args)
consumer._backup("state0")
assert result.status_code == 302
#assert result.location.startswith(consumer.redirect_uri[0])
_, query = result.headers["location"].split("?")
print query
environ = redirect_environment(query)
part = consumer.parse_authz(environ, start_response)
print part
auth = part[0]
acc = part[1]
assert part[2] is None
#print auth.dictionary()
#print acc.dictionary()
assert auth.type() == "AuthorizationResponse"
assert acc.type() == "AccessTokenResponse"
print auth.keys()
assert _eq(auth.keys(), ['nonce', 'code', 'access_token', 'expires_in',
'token_type', 'state', 'scope', 'refresh_token'])
assert _eq(acc.keys(), ['token_type', 'state', 'access_token', 'scope',
'expires_in', 'refresh_token'])
def test_sso_db_dict(self):
client_config = {
"client_id": CLIENT_ID,
"client_authn_method": CLIENT_AUTHN_METHOD,
}
_consumer = Consumer({}, CONFIG, client_config, SERVER_INFO, sso_db={})
_consumer.keyjar = CLIKEYS
_consumer.redirect_uris = ["https://example.com/authz"]
_consumer.client_secret = "hemlig"
_consumer.secret_type = "basic"
_consumer.issuer = ISSUER_ID
# Simulate an authorization
sid, request_location = _consumer.begin("openid",
"code",
path="https://example.com")
resp = self.provider.authorization_endpoint(request=request_location)
part = _consumer.parse_authz(resp.message)
assert isinstance(part, tuple)
aresp = part[0]
assert aresp
assert _consumer.sdb[sid]["issuer"] == self.provider.baseurl
# Simulate an accesstoken request
areq = AccessTokenRequest(
code=aresp["code"],
client_id=CLIENT_ID,
redirect_uri="http://example.com/authz",
client_secret=_consumer.client_secret,
grant_type="authorization_code",
)
token_resp = self.provider.code_grant_type(areq)
tresp = _consumer.parse_response(AccessTokenResponse,
token_resp.message,
sformat="json")
# Now, for the backchannel logout. This happens on the OP
logout_info = {
"sub": tresp["id_token"]["sub"],
"events": {
BACK_CHANNEL_LOGOUT_EVENT: {}
},
}
alg = "RS256"
_jws = JWT(
self.provider.keyjar,
iss=self.provider.baseurl,
lifetime=86400,
sign_alg=alg,
)
logout_token = _jws.pack(aud=CLIENT_ID, **logout_info)
# The logout request that gets sent to the RP
request = BackChannelLogoutRequest(logout_token=logout_token)
# The RP evaluates the request. If everything is OK a session ID (== original state
# value) is returned.
_sid = _consumer.backchannel_logout(request_args=request.to_dict())
assert _sid == sid