def testUnauthorizedClient(self):
"""
Test the rejection of a request with a client that is
not authorized to use the authorization code grant type.
"""
client = getTestPasswordClient('unauthorizedCodeGrantClient',
authorizedGrantTypes=[])
code = 'unauthorizedClientCode'
self._addAuthorizationToStorage(code, client, ['scope'],
client.redirectUris[0])
request = self.generateValidTokenRequest(arguments={
'grant_type':
'authorization_code',
'code':
code,
'redirect_uri':
client.redirectUris[0],
},
authentication=client)
self._CLIENT_STORAGE.addClient(client)
result = self._TOKEN_RESOURCE.render_POST(request)
self.assertFailedTokenRequest(
request,
result,
UnauthorizedClientError('authorization_code'),
msg=
'Expected the resource token to reject an authorization_code request '
'with a client that is not authorized to use that grant type.')
def testCustomResponseTypeUnauthorizedClient(self):
"""
Test that a request with a custom response type is rejected
if the client is not authorized to use that response type.
"""
responseType = 'myCustomResponseType'
state = b'state\xFF\xFF'
client = PasswordClient('customResponseTypeClientUnauthorized',
['https://redirect.noexistent'], [],
'clientSecret')
redirectUri = client.redirectUris[0]
parameters = {
'response_type': responseType,
'client_id': client.id,
'redirect_uri': redirectUri,
'scope': 'All',
'state': state
}
request = self.createAuthRequest(arguments=parameters)
self._CLIENT_STORAGE.addClient(client)
authResource = self.TestOAuth2Resource(
self._TOKEN_FACTORY,
self._PERSISTENT_STORAGE,
self._CLIENT_STORAGE,
authTokenStorage=self._TOKEN_STORAGE,
grantTypes=[responseType])
result = authResource.render_GET(request)
self.assertFailedRequest(
request,
result,
UnauthorizedClientError(responseType, state),
redirectUri=redirectUri,
msg=
'Expected the authorization token resource to reject a request with a '
'custom response type that the client is not allowed to use.')
def testWithUnauthorizedClient(self):
"""
Test the rejection of a request with a client
that is not allowed to use the response type.
"""
state = b'state\xFF\xFF'
client = getTestPasswordClient(authorizedGrantTypes=[])
redirectUri = client.redirectUris[0]
request = self.createAuthRequest(
arguments={
'response_type': self._RESPONSE_TYPE,
'client_id': client.id,
'redirect_uri': redirectUri,
'scope': 'All',
'state': state
})
self._CLIENT_STORAGE.addClient(client)
result = self._AUTH_RESOURCE.render_GET(request)
self.assertFailedRequest(
request,
result,
UnauthorizedClientError(self._RESPONSE_TYPE, state=state),
msg=
'Expected the auth resource to reject a request for a client that is not '
'authorized to request an authorization using the '
'{type} method.'.format(type=self._RESPONSE_TYPE),
redirectUri=redirectUri)
def testUnauthorizedClient(self):
"""
Test the rejection of a client that is not authorized
to use the Resource Owner Password Credentials Grant.
"""
client = getTestPasswordClient(
'unauthorizedResourceOwnerPasswordCredentialsGrantClient',
authorizedGrantTypes=[])
request = self.generateValidTokenRequest(arguments={
'grant_type':
'password',
'scope':
' '.join(self._VALID_SCOPE),
'username':
b'someUser',
'password':
b'somePassword',
},
authentication=client)
self._CLIENT_STORAGE.addClient(client)
result = self._TOKEN_RESOURCE.render_POST(request)
self.assertFailedTokenRequest(
request,
result,
UnauthorizedClientError('password'),
msg='Expected the resource token to reject a password request '
'with a client that is not authorized to use that grant type.')
def testUnauthorizedGrantTypeClient(self):
""" Test the rejection of a valid request for an unauthorized client. """
client = getTestPasswordClient(clientId='unauthorizedClient', authorizedGrantTypes=[])
request = self.generateValidTokenRequest(arguments={
'grant_type': 'refresh_token',
'client_id': client.id,
'client_secret': client.secret,
'refresh_token': self._VALID_REFRESH_TOKEN,
})
self._CLIENT_STORAGE.addClient(client)
result = self._TOKEN_RESOURCE.render_POST(request)
self.assertFailedTokenRequest(
request, result, UnauthorizedClientError('refresh_token'),
msg='Expected the token resource to reject a refresh_token request '
'for the client that is not authorized to use that grant type.')
def testPublicClient(self):
""" Test the rejection of a request with a public client. """
client = PublicClient('unauthorizedClientCredentialsGrantClient',
['https://return.nonexistent'],
['client_credentials'])
request = self.generateValidTokenRequest(
arguments={
'grant_type': 'client_credentials',
'scope': ' '.join(self._VALID_SCOPE),
'client_id': client.id
})
self._CLIENT_STORAGE.addClient(client)
result = self._TOKEN_RESOURCE.render_POST(request)
self.assertFailedTokenRequest(
request,
result,
UnauthorizedClientError('client_credentials'),
msg='Expected the resource token to reject a '
'client_credentials request with a public client.')