Ejemplo n.º 1
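    def test_end_session_endpoint_with_wrong_post_logout_redirect_uri(self):
        """Logout must fail when the post-logout redirect URI is not accepted.

        The ``_code_auth`` and ``_code_auth2`` helpers (defined elsewhere in
        the test class) are run first, an ID Token is obtained for "1234567",
        and a session cookie is built for user "diana" and "client_1".  The
        end-session request is then sent with a ``post_logout_redirect_uri``
        that the endpoint is expected to refuse with ``RedirectURIError``.

        NOTE(review): presumably the URI is refused because it is not among
        the client's registered post-logout redirect URIs; the client
        configuration is set up outside this method -- confirm.  Refusing
        instead of redirecting is what keeps the logout endpoint from acting
        as an open redirector.
        """
        self._code_auth("1234567")
        self._code_auth2("abcdefg")

        id_token = self._auth_with_id_token("1234567")
        cookie = self._create_cookie("diana", self._get_sid(), "1234567", "client_1")

        # Verify the token first; the verified claims are then read back from
        # msg and sent alongside the raw id_token_hint.
        msg = Message(id_token=id_token)
        verify_id_token(msg, keyjar=self.session_endpoint.endpoint_context.keyjar)

        request = {
            "post_logout_redirect_uri": "https://demo.example.com/log_out",
            "state": "abcde",
            "id_token_hint": id_token,
            verified_claim_name("id_token_hint"): msg[verified_claim_name("id_token")],
        }

        # Only the endpoint call sits inside pytest.raises, so an error raised
        # while building the request cannot satisfy the expectation.
        with pytest.raises(RedirectURIError):
            self.session_endpoint.process_request(request, cookie=cookie)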
Ejemplo n.º 2
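    def test_end_session_endpoint_with_wrong_post_logout_redirect_uri(self):
        """Logout must fail when the post-logout redirect URI is not accepted.

        The ``_code_auth`` and ``_code_auth2`` helpers (defined elsewhere in
        the test class) are run first, then an ID Token and session id are
        obtained for "1234567".  The session cookie is passed through
        ``http_info`` and the end-session request carries a
        ``post_logout_redirect_uri`` that the endpoint is expected to refuse
        with ``RedirectURIError``.

        NOTE(review): presumably the URI is refused because it is not among
        the client's registered post-logout redirect URIs; the client
        configuration is set up outside this method -- confirm.  Refusing
        instead of redirecting is what keeps the logout endpoint from acting
        as an open redirector.
        """
        # The return value of the first authorization is not used by this test.
        self._code_auth("1234567")
        self._code_auth2("abcdefg")

        resp_args, _session_id = self._auth_with_id_token("1234567")
        id_token = resp_args["id_token"]

        http_info = {"cookie": [self._create_cookie(_session_id)]}

        # Verify the token first; the verified claims are then read back from
        # msg and sent alongside the raw id_token_hint.
        msg = Message(id_token=id_token)
        keyjar = self.session_endpoint.server_get("endpoint_context").keyjar
        verify_id_token(msg, keyjar=keyjar)

        request = {
            "post_logout_redirect_uri": "https://demo.example.com/log_out",
            "state": "abcde",
            "id_token_hint": id_token,
            verified_claim_name("id_token_hint"): msg[verified_claim_name("id_token")],
        }

        # Only the endpoint call sits inside pytest.raises, so an error raised
        # while building the request cannot satisfy the expectation.
        with pytest.raises(RedirectURIError):
            self.session_endpoint.process_request(request, http_info=http_info)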
Ejemplo n.º 3
    def test_end_session_endpoint_with_cookie_wrong_user(self):
        """Logout must fail when the cookie and the ID Token hint disagree.

        An ID Token is obtained for "1234567", while the session cookie is
        built for user "diggins" with the session id "_sid_".  The endpoint
        is expected to raise ``ValueError`` for this combination.

        NOTE(review): presumably the ID Token belongs to a different user
        than "diggins"; the user behind ``_auth_with_id_token`` is decided
        outside this method -- confirm.  The check matters because a session
        cookie alone should not be enough to end someone else's session.
        """
        # Both the cookie and the ID Token are needed for the endpoint to
        # compare them.
        id_token = self._auth_with_id_token("1234567")
        cookie = self._create_cookie("diggins", "_sid_", "1234567", "client_1")

        # Verify the token so its verified claims can be copied to the request.
        token_msg = Message(id_token=id_token)
        keyjar = self.session_endpoint.endpoint_context.keyjar
        verify_id_token(token_msg, keyjar=keyjar)
        verified_claims = token_msg[verified_claim_name("id_token")]

        logout_request = Message(id_token_hint=id_token)
        logout_request[verified_claim_name("id_token_hint")] = verified_claims

        with pytest.raises(ValueError):
            self.session_endpoint.process_request(logout_request, cookie=cookie)
Ejemplo n.º 4
    def test_end_session_endpoint_with_cookie_id_token_and_unknown_sid(self):
        """Logout must fail when the cookie points at a session that is unknown.

        The real session id is decrypted into its three parts, and a new
        session key is built from the first and third part with "client_66"
        in place of the second.  A cookie made from that key is sent together
        with a valid ID Token hint, and the endpoint is expected to raise
        ``ValueError``.

        NOTE(review): the local names suggest the parts are user id, client
        id and grant id; ``decrypt_session_id`` is defined outside this
        method -- confirm.
        """
        # Both the cookie and the ID Token are needed for the endpoint to
        # compare them.
        resp_args, _session_id = self._auth_with_id_token("1234567")
        id_token = resp_args["id_token"]

        # Swap the middle component for "client_66" to get a session key that
        # does not match the session created above.
        _uid, _cid, _gid = self.session_manager.decrypt_session_id(_session_id)
        forged_key = self.session_manager.session_key(_uid, "client_66", _gid)
        http_info = {"cookie": [self._create_cookie(forged_key)]}

        # Verify the token so its verified claims can be copied to the request.
        token_msg = Message(id_token=id_token)
        keyjar = self.session_endpoint.server_get("endpoint_context").keyjar
        verify_id_token(token_msg, keyjar=keyjar)
        verified_claims = token_msg[verified_claim_name("id_token")]

        logout_request = Message(id_token_hint=id_token)
        logout_request[verified_claim_name("id_token_hint")] = verified_claims

        with pytest.raises(ValueError):
            self.session_endpoint.process_request(logout_request, http_info=http_info)
Ejemplo n.º 5
 def test_id_token_claims(self):
     """Check which claims end up in the ID Token of a hybrid-flow response.

     The authorization request is a copy of ``AUTH_REQ_DICT`` with the
     module-level ``CLAIMS`` attached, ``response_type`` set to
     "code id_token token" and a fixed nonce.  The ID Token in the response
     is verified against the endpoint's keyjar before its claims are
     inspected.
     """
     auth_request = AUTH_REQ_DICT.copy()
     auth_request.update(
         {
             "claims": CLAIMS,
             "response_type": "code id_token token",
             "nonce": "rnd_nonce",
         }
     )

     parsed = self.endpoint.parse_request(auth_request)
     response = self.endpoint.process_request(parsed)
     response_args = response["response_args"]

     # Claims are only inspected after verification against the keyjar.
     keyjar = self.endpoint.endpoint_context.keyjar
     idt = verify_id_token(response_args, keyjar=keyjar)
     assert idt

     # given_name is expected because of the claims request
     assert "given_name" in response_args["__verified_id_token"]
     # email is expected because of the endpoint configuration
     assert "email" in response_args["__verified_id_token"]
Ejemplo n.º 6
 def test_id_token_acr(self):
     """Check that a requested ``acr`` value is reflected in the ID Token.

     The authorization request is a copy of ``AUTH_REQ_DICT`` whose claims
     request asks for one specific ``acr`` value in the ID Token.  The ID
     Token in the response is verified against the endpoint's keyjar, and
     the verified token must carry exactly that ``acr``.
     """
     auth_request = AUTH_REQ_DICT.copy()
     auth_request.update(
         {
             "claims": {
                 "id_token": {
                     "acr": {"value": "http://www.swamid.se/policy/assurance/al1"}
                 }
             },
             "response_type": "code id_token token",
             "nonce": "rnd_nonce",
         }
     )

     parsed = self.endpoint.parse_request(auth_request)
     response = self.endpoint.process_request(parsed)
     response_args = response["response_args"]

     # The acr claim is read from the verified token, not from the raw JWT.
     verification = verify_id_token(
         response_args, keyjar=self.endpoint.endpoint_context.keyjar
     )
     assert verification

     verified_token = response_args[verified_claim_name("id_token")]
     assert verified_token["acr"] == "http://www.swamid.se/policy/assurance/al1"
 def test_id_token_claims(self):
     """Check which claims end up in the ID Token of a hybrid-flow response.

     The authorization request is a copy of ``AUTH_REQ_DICT`` with the
     module-level ``CLAIMS`` attached, ``response_type`` set to
     "code id_token token" and a fixed nonce.  The ID Token in the response
     is verified against the keyjar of the endpoint context before its
     claims are inspected.
     """
     auth_request = AUTH_REQ_DICT.copy()
     auth_request.update(
         {
             "claims": CLAIMS,
             "response_type": "code id_token token",
             "nonce": "rnd_nonce",
         }
     )

     parsed = self.endpoint.parse_request(auth_request)
     response = self.endpoint.process_request(parsed)
     response_args = response["response_args"]

     # Claims are only inspected after verification against the keyjar.
     keyjar = self.endpoint.server_get("endpoint_context").keyjar
     idt = verify_id_token(response_args, keyjar=keyjar)
     assert idt

     # from config
     assert "given_name" in response_args["__verified_id_token"]
     assert "nickname" in response_args["__verified_id_token"]
     # NOTE(review): the comment that came with this check said "Could have
     # gotten email but didn't ask for it", which reads as if email should be
     # absent, yet the assertion requires it to be present. Confirm which is
     # intended; a test that tolerates unrequested claims in the ID Token
     # would hide over-disclosure.
     assert "email" in response_args["__verified_id_token"]