def test_extra(self):
atr = AccessTokenRequest(grant_type="authorization_code",
code="SplxlOBeZQQYbYS6WxSbIA",
redirect_uri="https://client.example.com/cb",
extra="foo")
query = atr.to_urlencoded()
assert query_string_compare(query,
"code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb&"
"grant_type=authorization_code&extra=foo")
atr2 = AccessTokenRequest().deserialize(query, "urlencoded")
assert atr == atr2
def test_construct(self, entity):
token_service = entity.client_get("service", 'accesstoken')
kb_rsa = KeyBundle(source='file://{}'.format(
os.path.join(BASE_PATH, "data/keys/rsa.key")),
fileformat='der')
for key in kb_rsa:
key.add_kid()
_context = token_service.client_get("service_context")
_context.keyjar.add_kb('', kb_rsa)
_context.provider_info = {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
}
_context.registration_response = {
'token_endpoint_auth_signing_alg': 'RS256'
}
token_service.endpoint = "https://example.com/token"
request = AccessTokenRequest()
pkj = PrivateKeyJWT()
http_args = pkj.construct(request,
service=token_service,
authn_endpoint='token_endpoint')
assert http_args == {}
cas = request["client_assertion"]
_kj = KeyJar()
_kj.add_kb(_context.client_id, kb_rsa)
jso = JWT(key_jar=_kj).unpack(cas)
assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
# assert _jwt.headers == {'alg': 'RS256'}
assert jso['aud'] == [_context.provider_info['token_endpoint']]
def test_client_secret_jwt(self, services):
_service_context = services['accesstoken'].service_context
_service_context.token_endpoint = "https://example.com/token"
_service_context.set(
'provider_info', {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
})
csj = ClientSecretJWT()
request = AccessTokenRequest()
csj.construct(request,
service=services['accesstoken'],
algorithm="HS256",
authn_endpoint='userinfo')
assert request["client_assertion_type"] == JWT_BEARER
assert "client_assertion" in request
cas = request["client_assertion"]
_kj = KeyJar()
_kj.add_symmetric(_service_context.get('client_id'),
_service_context.get('client_secret'),
usage=['sig'])
jso = JWT(key_jar=_kj, sign_alg='HS256').unpack(cas)
assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
_rj = JWS(alg='HS256')
info = _rj.verify_compact(
cas,
_kj.get_signing_key(issuer_id=_service_context.get('client_id')))
assert _eq(info.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
assert info['aud'] == [_service_context.get('provider_info')['issuer']]
def test_access_token_srv_conf():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
entity = Entity(config=client_config)
token_service = entity.client_get("service", 'accesstoken')
_state_interface = token_service.client_get("service_context").state
_state_val = _state_interface.create_state(
token_service.client_get("service_context").issuer)
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state=_state_val)
_state_interface.store_item(auth_request, "auth_request", _state_val)
auth_response = AuthorizationResponse(code='access_code')
_state_interface.store_item(auth_response, "auth_response", _state_val)
req_args = {
'redirect_uri': 'https://example.com/cli/authz_cb',
'code': 'access_code'
}
token_service.endpoint = 'https://example.com/authorize'
_info = token_service.get_request_parameters(request_args=req_args,
state=_state_val)
assert _info
msg = AccessTokenRequest().from_urlencoded(_info['body'])
# client_secret_basic by default
assert 'client_secret' not in msg
def test_construct(self, services):
_service = services['accesstoken']
kb_rsa = KeyBundle(source='file://{}'.format(
os.path.join(BASE_PATH, "data/keys/rsa.key")),
fileformat='der')
for key in kb_rsa:
key.add_kid()
_service.service_context.keyjar.add_kb('', kb_rsa)
_service.service_context.set(
'provider_info', {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
})
services['accesstoken'].endpoint = "https://example.com/token"
request = AccessTokenRequest()
pkj = PrivateKeyJWT()
http_args = pkj.construct(request,
service=_service,
algorithm="RS256",
authn_endpoint='token_endpoint')
assert http_args == {}
cas = request["client_assertion"]
_kj = KeyJar()
_kj.add_kb(_service.service_context.get('client_id'), kb_rsa)
jso = JWT(key_jar=_kj).unpack(cas)
assert _eq(jso.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
# assert _jwt.headers == {'alg': 'RS256'}
assert jso['aud'] == [
_service.service_context.get('provider_info')['token_endpoint']
]
def test_access_token_srv_conf():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
db = InMemoryStateDataBase()
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
_state = State(auth_request=auth_request.to_json(),
auth_response=auth_response.to_json())
db.set('state', _state.to_json())
service = service_factory(
'AccessToken', ['oauth2'],
state_db=db,
service_context=service_context,
conf={'default_authn_method': 'client_secret_post'})
req_args = {
'redirect_uri': 'https://example.com/cli/authz_cb',
'code': 'access_code'
}
service.endpoint = 'https://example.com/authorize'
_info = service.get_request_parameters(request_args=req_args,
state='state')
assert _info
msg = AccessTokenRequest().from_urlencoded(
service.get_urlinfo(_info['body']))
assert 'client_secret' in msg
def test_access_token_srv_conf():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
service = service_factory(
'AccessToken', ['oauth2'],
service_context=service_context,
conf={'default_authn_method': 'client_secret_post'})
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
service.store_item(auth_request, "auth_request", 'state')
service.store_item(auth_response, "auth_response", 'state')
req_args = {
'redirect_uri': 'https://example.com/cli/authz_cb',
'code': 'access_code'
}
service.endpoint = 'https://example.com/authorize'
_info = service.get_request_parameters(request_args=req_args,
state='state')
assert _info
msg = AccessTokenRequest().from_urlencoded(
service.get_urlinfo(_info['body']))
assert 'client_secret' in msg
def test_get_key_by_kid(self, entity):
_service_context = entity.client_get("service_context")
_service_context.token_endpoint = "https://example.com/token"
_service_context.provider_info = {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
}
_service_context.registration_response = {
'token_endpoint_auth_signing_alg': "HS256"
}
csj = ClientSecretJWT()
request = AccessTokenRequest()
# get a kid
_keys = _service_context.keyjar.get_issuer_keys("")
kid = _keys[0].kid
token_service = entity.client_get("service", 'accesstoken')
csj.construct(request,
service=token_service,
authn_endpoint='token_endpoint',
kid=kid)
assert "client_assertion" in request
def test_does_not_remove_padding(self):
request = AccessTokenRequest(code="foo",
redirect_uri="http://example.com")
csb = ClientSecretBasic()
http_args = csb.construct(request, user="******", password="******")
assert http_args["headers"]["Authorization"].endswith("==")
def test_request_init(self):
req_args = {
'redirect_uri': 'https://example.com/cli/authz_cb',
'code': 'access_code'
}
self.service.endpoint = 'https://example.com/authorize'
_info = self.service.get_request_parameters(request_args=req_args,
state='state')
assert set(_info.keys()) == {'body', 'url', 'headers', 'method'}
assert _info['url'] == 'https://example.com/authorize'
msg = AccessTokenRequest().from_urlencoded(
self.service.get_urlinfo(_info['body']))
assert msg.to_dict() == {
'client_id': 'client_id', 'code': 'access_code',
'grant_type': 'authorization_code', 'state': 'state',
'redirect_uri': 'https://example.com/cli/authz_cb'
}
def test_get_http_body_json():
values = {
'redirect_uri':
'https://localhost:8666/919D3F697FDAAF138124B83E09ECB0B7',
'code': 'Je1iKfPN1vCiN7L43GiXAuAWGAnm0mzA7QIjl'
'/YLBBZDB9wefNExQlLDUIIDM2rT'
'2t+gwuoRoapEXJyY2wrvg9cWTW2vxsZU+SuWzZlMDXc=',
'grant_type': 'authorization_code'}
request = AccessTokenRequest(**values)
body = util.get_http_body(request, JSON_ENCODED)
_req = json.loads(body)
assert set(_req.keys()) == {'code', 'grant_type', 'redirect_uri'}
def test_construct_client_assertion(self, services):
_service = services['accesstoken']
kb_rsa = KeyBundle(source='file://{}'.format(
os.path.join(BASE_PATH, "data/keys/rsa.key")),
fileformat='der')
request = AccessTokenRequest()
pkj = PrivateKeyJWT()
_ca = assertion_jwt(_service.service_context.get('client_id'),
kb_rsa.get('RSA'), "https://example.com/token",
'RS256')
http_args = pkj.construct(request, client_assertion=_ca)
assert http_args == {}
assert request['client_assertion'] == _ca
assert request['client_assertion_type'] == JWT_BEARER
def test_construct(self, services):
token_service = services['accesstoken']
request = token_service.construct(redirect_uri="http://example.com",
state='ABCDE')
csp = ClientSecretPost()
http_args = csp.construct(request, service=token_service)
assert request["client_id"] == "A"
assert request["client_secret"] == "white boarding pass"
assert http_args is None
request = AccessTokenRequest(code="foo",
redirect_uri="http://example.com")
http_args = csp.construct(request,
service=token_service,
client_secret="another")
assert request["client_id"] == "A"
assert request["client_secret"] == "another"
assert http_args is None
def test_client_secret_jwt(self, entity):
_service_context = entity.client_get("service_context")
_service_context.token_endpoint = "https://example.com/token"
_service_context.provider_info = {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
}
_service_context.registration_response = {
'token_endpoint_auth_signing_alg': "HS256"
}
csj = ClientSecretJWT()
request = AccessTokenRequest()
csj.construct(request,
service=entity.client_get("service", 'accesstoken'),
authn_endpoint='token_endpoint')
assert request["client_assertion_type"] == JWT_BEARER
assert "client_assertion" in request
cas = request["client_assertion"]
_kj = KeyJar()
_kj.add_symmetric(_service_context.client_id,
_service_context.client_secret, ['sig'])
jso = JWT(key_jar=_kj, sign_alg='HS256').unpack(cas)
assert _eq(jso.keys(), ["aud", "iss", "sub", "exp", "iat", 'jti'])
_rj = JWS(alg='HS256')
info = _rj.verify_compact(
cas, _kj.get_signing_key(issuer_id=_service_context.client_id))
assert _eq(info.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
assert info['aud'] == [
_service_context.provider_info['token_endpoint']
]
def test_get_key_by_kid_fail(self, entity):
token_service = entity.client_get("service", 'accesstoken')
_service_context = token_service.client_get("service_context")
_service_context.token_endpoint = "https://example.com/token"
_service_context.provider_info = {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
}
_service_context.registration_response = {
'token_endpoint_auth_signing_alg': "HS256"
}
csj = ClientSecretJWT()
request = AccessTokenRequest()
# get a kid
kid = "abcdefgh"
with pytest.raises(MissingKey):
csj.construct(request,
service=token_service,
authn_endpoint='token_endpoint',
kid=kid)
"request_parameter_supported": True,
"request_uri_parameter_supported": True,
}
AUTH_REQ = AuthorizationRequest(
client_id="client_1",
redirect_uri="https://example.com/cb",
scope=["openid"],
state="STATE",
response_type="code",
)
TOKEN_REQ = AccessTokenRequest(
client_id="client_1",
redirect_uri="https://example.com/cb",
state="STATE",
grant_type="authorization_code",
client_secret="hemligt",
)
BASEDIR = os.path.abspath(os.path.dirname(__file__))
class TestEndpoint(object):
@pytest.fixture(autouse=True)
def create_endpoint(self):
conf = {
"issuer": ISSUER,
"password": "******",
"verify_ssl": False,
"capabilities": CAPABILITIES,
def test_set_default():
ar = AccessTokenRequest(set_defaults=False)
assert list(ar.keys()) == []
ar.set_defaults()
assert "grant_type" in ar
def test_get_audience_and_algorithm_default_alg(self, entity):
_service_context = entity.client_get("service_context")
_service_context.token_endpoint = "https://example.com/token"
_service_context.provider_info = {
'issuer': 'https://example.com/',
'token_endpoint': "https://example.com/token"
}
_service_context.registration_response = {
'token_endpoint_auth_signing_alg': "HS256"
}
csj = ClientSecretJWT()
request = AccessTokenRequest()
_service_context.registration_response = {}
token_service = entity.client_get("service", 'accesstoken')
# Add a RSA key to be able to handle default
_kb = KeyBundle()
_rsa_key = new_rsa_key()
_kb.append(_rsa_key)
_service_context.keyjar.add_kb("", _kb)
# Since I have a RSA key this doesn't fail
csj.construct(request,
service=token_service,
authn_endpoint='token_endpoint')
_jws = factory(request["client_assertion"])
assert _jws.jwt.headers["alg"] == "RS256"
assert _jws.jwt.headers["kid"] == _rsa_key.kid
# By client preferences
request = AccessTokenRequest()
_service_context.client_preferences = {
"token_endpoint_auth_signing_alg": "RS512"
}
csj.construct(request,
service=token_service,
authn_endpoint='token_endpoint')
_jws = factory(request["client_assertion"])
assert _jws.jwt.headers["alg"] == "RS512"
assert _jws.jwt.headers["kid"] == _rsa_key.kid
# Use provider information is everything else fails
request = AccessTokenRequest()
_service_context.client_preferences = {}
_service_context.provider_info[
"token_endpoint_auth_signing_alg_values_supported"] = [
"ES256", "RS256"
]
csj.construct(request,
service=token_service,
authn_endpoint='token_endpoint')
_jws = factory(request["client_assertion"])
# Should be RS256 since I have no key for ES256
assert _jws.jwt.headers["alg"] == "RS256"
assert _jws.jwt.headers["kid"] == _rsa_key.kid