def test_create_token_response_without_refresh_token(self):
# self.auth.refresh_token = False so we don't generate a refresh token
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator, refresh_token=False)
bearer = BearerToken(self.mock_validator)
headers, body, status_code = self.auth.create_token_response(
self.request, bearer)
token = json.loads(body)
self.assertIn('access_token', token)
self.assertIn('token_type', token)
self.assertIn('expires_in', token)
# ensure no refresh token is generated
self.assertNotIn('refresh_token', token)
# ensure client_authentication_required() is properly called
self.mock_validator.client_authentication_required.assert_called_once_with(
self.request)
# fail client authentication
self.mock_validator.validate_user.return_value = True
self.mock_validator.authenticate_client.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
# mock client_authentication_required() returning False then fail
self.mock_validator.client_authentication_required.return_value = False
self.mock_validator.authenticate_client_id.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.grant_type = 'password'
self.request.username = '******'
self.request.password = '******'
self.request.client = mock_client
self.request.scopes = ('mocked', 'scopes')
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator)
class ResourceOwnerPasswordCredentialsGrantTest(TestCase):
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = "mocked user"
self.request = Request("http://a.b/path")
self.request.grant_type = "password"
self.request.username = "******"
self.request.password = "******"
self.request.client = mock_client
self.request.scopes = ("mocked", "scopes")
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(request_validator=self.mock_validator)
def test_create_token_response(self):
bearer = BearerToken(self.mock_validator)
headers, body, status_code = self.auth.create_token_response(self.request, bearer)
token = json.loads(body)
self.assertIn("access_token", token)
self.assertIn("token_type", token)
self.assertIn("expires_in", token)
self.assertIn("refresh_token", token)
def test_error_response(self):
pass
def test_scopes(self):
pass
class ResourceOwnerPasswordCredentialsGrantTest(TestCase):
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.grant_type = 'password'
self.request.username = '******'
self.request.password = '******'
self.request.client = mock_client
self.request.scopes = ('mocked', 'scopes')
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator)
def test_create_token_response(self):
bearer = BearerToken(self.mock_validator)
uri, headers, body, status_code = self.auth.create_token_response(
self.request, bearer)
token = json.loads(body)
self.assertIn('access_token', token)
self.assertIn('token_type', token)
self.assertIn('expires_in', token)
self.assertIn('refresh_token', token)
def test_error_response(self):
pass
def test_scopes(self):
pass
class ResourceOwnerPasswordCredentialsGrantTest(TestCase):
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.grant_type = 'password'
self.request.username = '******'
self.request.password = '******'
self.request.client = mock_client
self.request.scopes = ('mocked', 'scopes')
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator)
def test_create_token_response(self):
bearer = BearerToken(self.mock_validator)
uri, headers, body, status_code = self.auth.create_token_response(
self.request, bearer)
token = json.loads(body)
self.assertIn('access_token', token)
self.assertIn('token_type', token)
self.assertIn('expires_in', token)
self.assertIn('refresh_token', token)
def test_error_response(self):
pass
def test_scopes(self):
pass
def setUp(self):
def set_user(request):
request.user = mock.MagicMock()
request.client = mock.MagicMock()
request.client.client_id = 'mocked_client_id'
return True
self.mock_validator = mock.MagicMock()
self.mock_validator.authenticate_client.side_effect = set_user
self.addCleanup(setattr, self, 'mock_validator', mock.MagicMock())
auth_code = AuthorizationCodeGrant(
request_validator=self.mock_validator)
password = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator)
client = ClientCredentialsGrant(request_validator=self.mock_validator)
supported_types = {
'authorization_code': auth_code,
'password': password,
'client_credentials': client,
}
self.expires_in = 1800
token = tokens.BearerToken(self.mock_validator,
expires_in=self.expires_in)
self.endpoint = TokenEndpoint('authorization_code',
default_token_type=token,
grant_types=supported_types)
def test_create_token_response_without_refresh_token(self):
# self.auth.refresh_token = False so we don't generate a refresh token
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator, refresh_token=False)
bearer = BearerToken(self.mock_validator)
headers, body, status_code = self.auth.create_token_response(
self.request, bearer)
token = json.loads(body)
self.assertEqual(self.mock_validator.save_token.call_count, 1)
self.assertIn('access_token', token)
self.assertIn('token_type', token)
self.assertIn('expires_in', token)
# ensure no refresh token is generated
self.assertNotIn('refresh_token', token)
# ensure client_authentication_required() is properly called
self.mock_validator.client_authentication_required.assert_called_once_with(self.request)
# fail client authentication
self.mock_validator.reset_mock()
self.mock_validator.validate_user.return_value = True
self.mock_validator.authenticate_client.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
self.assertEqual(self.mock_validator.save_token.call_count, 0)
# mock client_authentication_required() returning False then fail
self.mock_validator.reset_mock()
self.mock_validator.client_authentication_required.return_value = False
self.mock_validator.authenticate_client_id.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
self.assertEqual(self.mock_validator.save_token.call_count, 0)
def __init__(self,
request_validator,
token_generator=None,
token_expires_in=None,
refresh_token_generator=None,
**kwargs):
"""Construct a new web application server.
:param request_validator: An implementation of
oauthlib.oauth2.RequestValidator.
:param token_expires_in: An int or a function to generate a token
expiration offset (in seconds) given a
oauthlib.common.Request object.
:param token_generator: A function to generate a token from a request.
:param refresh_token_generator: A function to generate a token from a
request for the refresh token.
:param kwargs: Extra parameters to pass to authorization-,
token-, resource-, and revocation-endpoint constructors.
"""
implicit_grant = ImplicitGrant(request_validator)
auth_grant = AuthorizationCodeGrant(request_validator)
refresh_grant = RefreshTokenGrant(request_validator)
openid_connect_auth = OpenIDConnectAuthCode(request_validator)
resource_owner_password_credentials_grant = ResourceOwnerPasswordCredentialsGrant(
request_validator)
bearer = BearerToken(request_validator, token_generator,
token_expires_in, refresh_token_generator)
AuthorizationEndpoint.__init__(self,
default_response_type='code',
response_types={
'code': auth_grant,
'code+token': openid_connect_auth,
'code+id_token':
openid_connect_auth,
'code+token+id_token':
openid_connect_auth,
'code token': openid_connect_auth,
'code id_token':
openid_connect_auth,
'code token id_token':
openid_connect_auth,
'token': implicit_grant
},
default_token_type=bearer)
TokenEndpoint.__init__(self,
default_grant_type='authorization_code',
grant_types={
'authorization_code':
auth_grant,
'refresh_token':
refresh_grant,
'password':
resource_owner_password_credentials_grant
},
default_token_type=bearer)
ResourceEndpoint.__init__(self,
default_token='Bearer',
token_types={'Bearer': bearer})
RevocationEndpoint.__init__(self, request_validator)
def test_custom_auth_validators_unsupported(self):
authval1, authval2 = mock.Mock(), mock.Mock()
expected = ('ResourceOwnerPasswordCredentialsGrant does not '
'support authorization validators. Use token '
'validators instead.')
with self.assertRaises(ValueError) as caught:
ResourceOwnerPasswordCredentialsGrant(self.mock_validator,
pre_auth=[authval1])
self.assertEqual(caught.exception.args[0], expected)
with self.assertRaises(ValueError) as caught:
ResourceOwnerPasswordCredentialsGrant(self.mock_validator,
post_auth=[authval2])
self.assertEqual(caught.exception.args[0], expected)
with self.assertRaises(AttributeError):
self.auth.custom_validators.pre_auth.append(authval1)
with self.assertRaises(AttributeError):
self.auth.custom_validators.pre_auth.append(authval2)
def __init__(self,
request_validator,
token_expires_in=None,
token_generator=None,
refresh_token_generator=None,
*args,
**kwargs):
auth_grant_ex = OAuth2AuthorizationCodeGrantEx(request_validator)
implicit_grant = OAuth2ImplicitGrant(request_validator)
password_grant = ResourceOwnerPasswordCredentialsGrant(
request_validator)
credentials_grant = ClientCredentialsGrant(request_validator)
refresh_grant = RefreshTokenGrantEx(request_validator)
openid_connect_auth_ex = AuthorizationCodeGrantEx(request_validator)
openid_connect_implicit = ImplicitGrant(request_validator)
openid_connect_hybrid_ex = HybridGrantEx(request_validator)
bearer = tokens.BearerToken(request_validator, token_generator,
token_expires_in, refresh_token_generator)
auth_grant_choice = AuthorizationCodeGrantDispatcher(
default_grant=auth_grant_ex, oidc_grant=openid_connect_auth_ex)
implicit_grant_choice = ImplicitTokenGrantDispatcher(
default_grant=implicit_grant, oidc_grant=openid_connect_implicit)
AuthorizationEndpoint.__init__(self,
default_response_type='code',
response_types={
'code': auth_grant_choice,
'token': implicit_grant_choice,
'id_token': openid_connect_implicit,
'id_token token':
openid_connect_implicit,
'code token':
openid_connect_hybrid_ex,
'code id_token':
openid_connect_hybrid_ex,
'code id_token token':
openid_connect_hybrid_ex,
'none': auth_grant_ex
},
default_token_type=bearer)
token_grant_choice = AuthorizationTokenGrantDispatcher(
request_validator,
default_grant=auth_grant_ex,
oidc_grant=openid_connect_auth_ex)
TokenEndpoint.__init__(self,
default_grant_type='authorization_code',
grant_types={
'authorization_code': token_grant_choice,
'password': password_grant,
'client_credentials': credentials_grant,
'refresh_token': refresh_grant,
},
default_token_type=bearer)
RevocationEndpoint.__init__(self, request_validator)
IntrospectEndpoint.__init__(self, request_validator)
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = "mocked user"
self.request = Request("http://a.b/path")
self.request.grant_type = "password"
self.request.username = "******"
self.request.password = "******"
self.request.client = mock_client
self.request.scopes = ("mocked", "scopes")
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(request_validator=self.mock_validator)
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.grant_type = 'password'
self.request.username = '******'
self.request.password = '******'
self.request.client = mock_client
self.request.scopes = ('mocked', 'scopes')
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator)
class ResourceOwnerPasswordCredentialsGrantTest(TestCase):
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.grant_type = 'password'
self.request.username = '******'
self.request.password = '******'
self.request.client = mock_client
self.request.scopes = ('mocked', 'scopes')
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator)
def set_client(self, request, *args, **kwargs):
request.client = mock.MagicMock()
request.client.client_id = 'mocked'
return True
def test_create_token_response(self):
bearer = BearerToken(self.mock_validator)
headers, body, status_code = self.auth.create_token_response(
self.request, bearer)
token = json.loads(body)
self.assertIn('access_token', token)
self.assertIn('token_type', token)
self.assertIn('expires_in', token)
self.assertIn('refresh_token', token)
# ensure client_authentication_required() is properly called
self.mock_validator.client_authentication_required.assert_called_once_with(
self.request)
# fail client authentication
self.mock_validator.validate_user.return_value = True
self.mock_validator.authenticate_client.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 400)
# mock client_authentication_required() returning False then fail
self.mock_validator.client_authentication_required.return_value = False
self.mock_validator.authenticate_client_id.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 400)
def test_error_response(self):
pass
def test_scopes(self):
pass
def test_invalid_request_missing_params(self):
del self.request.grant_type
self.assertRaises(errors.InvalidRequestError,
self.auth.validate_token_request, self.request)
def test_invalid_request_duplicates(self):
request = mock.MagicMock(wraps=self.request)
request.duplicate_params = ['scope']
self.assertRaises(errors.InvalidRequestError,
self.auth.validate_token_request, request)
def test_invalid_grant_type(self):
self.request.grant_type = 'foo'
self.assertRaises(errors.UnsupportedGrantTypeError,
self.auth.validate_token_request, self.request)
def test_invalid_user(self):
self.mock_validator.validate_user.return_value = False
self.assertRaises(errors.InvalidGrantError,
self.auth.validate_token_request, self.request)
def test_client_id_missing(self):
del self.request.client.client_id
self.assertRaises(NotImplementedError,
self.auth.validate_token_request, self.request)
def test_valid_token_request(self):
self.mock_validator.validate_grant_type.return_value = True
self.auth.validate_token_request(self.request)
class ResourceOwnerPasswordCredentialsGrantTest(TestCase):
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.grant_type = 'password'
self.request.username = '******'
self.request.password = '******'
self.request.client = mock_client
self.request.scopes = ('mocked', 'scopes')
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator)
def set_client(self, request, *args, **kwargs):
request.client = mock.MagicMock()
request.client.client_id = 'mocked'
return True
def test_create_token_response(self):
bearer = BearerToken(self.mock_validator)
headers, body, status_code = self.auth.create_token_response(
self.request, bearer)
token = json.loads(body)
self.assertEqual(self.mock_validator.save_token.call_count, 1)
self.assertIn('access_token', token)
self.assertIn('token_type', token)
self.assertIn('expires_in', token)
self.assertIn('refresh_token', token)
# ensure client_authentication_required() is properly called
self.mock_validator.client_authentication_required.assert_called_once_with(self.request)
# fail client authentication
self.mock_validator.reset_mock()
self.mock_validator.validate_user.return_value = True
self.mock_validator.authenticate_client.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
self.assertEqual(self.mock_validator.save_token.call_count, 0)
# mock client_authentication_required() returning False then fail
self.mock_validator.reset_mock()
self.mock_validator.client_authentication_required.return_value = False
self.mock_validator.authenticate_client_id.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
self.assertEqual(self.mock_validator.save_token.call_count, 0)
def test_create_token_response_without_refresh_token(self):
# self.auth.refresh_token = False so we don't generate a refresh token
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator, refresh_token=False)
bearer = BearerToken(self.mock_validator)
headers, body, status_code = self.auth.create_token_response(
self.request, bearer)
token = json.loads(body)
self.assertEqual(self.mock_validator.save_token.call_count, 1)
self.assertIn('access_token', token)
self.assertIn('token_type', token)
self.assertIn('expires_in', token)
# ensure no refresh token is generated
self.assertNotIn('refresh_token', token)
# ensure client_authentication_required() is properly called
self.mock_validator.client_authentication_required.assert_called_once_with(self.request)
# fail client authentication
self.mock_validator.reset_mock()
self.mock_validator.validate_user.return_value = True
self.mock_validator.authenticate_client.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
self.assertEqual(self.mock_validator.save_token.call_count, 0)
# mock client_authentication_required() returning False then fail
self.mock_validator.reset_mock()
self.mock_validator.client_authentication_required.return_value = False
self.mock_validator.authenticate_client_id.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
self.assertEqual(self.mock_validator.save_token.call_count, 0)
def test_custom_auth_validators_unsupported(self):
authval1, authval2 = mock.Mock(), mock.Mock()
expected = ('ResourceOwnerPasswordCredentialsGrant does not '
'support authorization validators. Use token '
'validators instead.')
with self.assertRaises(ValueError) as caught:
ResourceOwnerPasswordCredentialsGrant(self.mock_validator,
pre_auth=[authval1])
self.assertEqual(caught.exception.args[0], expected)
with self.assertRaises(ValueError) as caught:
ResourceOwnerPasswordCredentialsGrant(self.mock_validator,
post_auth=[authval2])
self.assertEqual(caught.exception.args[0], expected)
with self.assertRaises(AttributeError):
self.auth.custom_validators.pre_auth.append(authval1)
with self.assertRaises(AttributeError):
self.auth.custom_validators.pre_auth.append(authval2)
def test_custom_token_validators(self):
tknval1, tknval2 = mock.Mock(), mock.Mock()
self.auth.custom_validators.pre_token.append(tknval1)
self.auth.custom_validators.post_token.append(tknval2)
bearer = BearerToken(self.mock_validator)
self.auth.create_token_response(self.request, bearer)
self.assertTrue(tknval1.called)
self.assertTrue(tknval2.called)
def test_error_response(self):
pass
def test_scopes(self):
pass
def test_invalid_request_missing_params(self):
del self.request.grant_type
self.assertRaises(errors.InvalidRequestError, self.auth.validate_token_request,
self.request)
def test_invalid_request_duplicates(self):
request = mock.MagicMock(wraps=self.request)
request.duplicate_params = ['scope']
self.assertRaises(errors.InvalidRequestError, self.auth.validate_token_request,
request)
def test_invalid_grant_type(self):
self.request.grant_type = 'foo'
self.assertRaises(errors.UnsupportedGrantTypeError,
self.auth.validate_token_request, self.request)
def test_invalid_user(self):
self.mock_validator.validate_user.return_value = False
self.assertRaises(errors.InvalidGrantError, self.auth.validate_token_request,
self.request)
def test_client_id_missing(self):
del self.request.client.client_id
self.assertRaises(NotImplementedError, self.auth.validate_token_request,
self.request)
def test_valid_token_request(self):
self.mock_validator.validate_grant_type.return_value = True
self.auth.validate_token_request(self.request)
def __init__(self,
request_validator,
token_expires_in=None,
token_generator=None,
refresh_token_generator=None,
*args,
**kwargs):
"""Construct a new all-grants-in-one server.
:param request_validator: An implementation of
oauthlib.oauth2.RequestValidator.
:param token_expires_in: An int or a function to generate a token
expiration offset (in seconds) given a
oauthlib.common.Request object.
:param token_generator: A function to generate a token from a request.
:param refresh_token_generator: A function to generate a token from a
request for the refresh token.
:param kwargs: Extra parameters to pass to authorization-,
token-, resource-, and revocation-endpoint constructors.
"""
self.auth_grant = OAuth2AuthorizationCodeGrant(request_validator)
self.implicit_grant = OAuth2ImplicitGrant(request_validator)
self.password_grant = ResourceOwnerPasswordCredentialsGrant(
request_validator)
self.credentials_grant = ClientCredentialsGrant(request_validator)
self.refresh_grant = RefreshTokenGrant(request_validator)
self.openid_connect_auth = AuthorizationCodeGrant(request_validator)
self.openid_connect_implicit = ImplicitGrant(request_validator)
self.openid_connect_hybrid = HybridGrant(request_validator)
self.bearer = BearerToken(request_validator, token_generator,
token_expires_in, refresh_token_generator)
self.jwt = JWTToken(request_validator, token_generator,
token_expires_in, refresh_token_generator)
self.auth_grant_choice = AuthorizationCodeGrantDispatcher(
default_grant=self.auth_grant, oidc_grant=self.openid_connect_auth)
self.implicit_grant_choice = ImplicitTokenGrantDispatcher(
default_grant=self.implicit_grant,
oidc_grant=self.openid_connect_implicit)
# See http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations for valid combinations
# internally our AuthorizationEndpoint will ensure they can appear in any order for any valid combination
AuthorizationEndpoint.__init__(
self,
default_response_type='code',
response_types={
'code': self.auth_grant_choice,
'token': self.implicit_grant_choice,
'id_token': self.openid_connect_implicit,
'id_token token': self.openid_connect_implicit,
'code token': self.openid_connect_hybrid,
'code id_token': self.openid_connect_hybrid,
'code id_token token': self.openid_connect_hybrid,
'none': self.auth_grant
},
default_token_type=self.bearer)
self.token_grant_choice = AuthorizationTokenGrantDispatcher(
request_validator,
default_grant=self.auth_grant,
oidc_grant=self.openid_connect_auth)
TokenEndpoint.__init__(self,
default_grant_type='authorization_code',
grant_types={
'authorization_code':
self.token_grant_choice,
'password': self.password_grant,
'client_credentials':
self.credentials_grant,
'refresh_token': self.refresh_grant,
},
default_token_type=self.bearer)
ResourceEndpoint.__init__(self,
default_token='Bearer',
token_types={
'Bearer': self.bearer,
'JWT': self.jwt
})
RevocationEndpoint.__init__(self, request_validator)
IntrospectEndpoint.__init__(self, request_validator)
UserInfoEndpoint.__init__(self, request_validator)
def __init__(self,
request_validator,
token_expires_in=None,
token_generator=None,
refresh_token_generator=None,
*args,
**kwargs):
"""Construct a new all-grants-in-one server.
:param request_validator: An implementation of
oauthlib.oauth2.RequestValidator.
:param token_expires_in: An int or a function to generate a token
expiration offset (in seconds) given a
oauthlib.common.Request object.
:param token_generator: A function to generate a token from a request.
:param refresh_token_generator: A function to generate a token from a
request for the refresh token.
:param kwargs: Extra parameters to pass to authorization-,
token-, resource-, and revocation-endpoint constructors.
"""
auth_grant = OAuth2AuthorizationCodeGrant(request_validator)
implicit_grant = OAuth2ImplicitGrant(request_validator)
password_grant = ResourceOwnerPasswordCredentialsGrant(
request_validator)
credentials_grant = ClientCredentialsGrant(request_validator)
refresh_grant = RefreshTokenGrant(request_validator)
openid_connect_auth = AuthorizationCodeGrant(request_validator)
openid_connect_implicit = ImplicitGrant(request_validator)
openid_connect_hybrid = HybridGrant(request_validator)
bearer = BearerToken(
request_validator,
token_generator,
token_expires_in,
refresh_token_generator,
)
jwt = JWTToken(
request_validator,
token_generator,
token_expires_in,
refresh_token_generator,
)
auth_grant_choice = AuthorizationCodeGrantDispatcher(
default_grant=auth_grant, oidc_grant=openid_connect_auth)
implicit_grant_choice = ImplicitTokenGrantDispatcher(
default_grant=implicit_grant, oidc_grant=openid_connect_implicit)
# See http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations for valid combinations
# internally our AuthorizationEndpoint will ensure they can appear in any order for any valid combination
AuthorizationEndpoint.__init__(
self,
default_response_type="code",
response_types={
"code": auth_grant_choice,
"token": implicit_grant_choice,
"id_token": openid_connect_implicit,
"id_token token": openid_connect_implicit,
"code token": openid_connect_hybrid,
"code id_token": openid_connect_hybrid,
"code id_token token": openid_connect_hybrid,
"none": auth_grant,
},
default_token_type=bearer,
)
token_grant_choice = AuthorizationTokenGrantDispatcher(
request_validator,
default_grant=auth_grant,
oidc_grant=openid_connect_auth)
TokenEndpoint.__init__(
self,
default_grant_type="authorization_code",
grant_types={
"authorization_code": token_grant_choice,
"password": password_grant,
"client_credentials": credentials_grant,
"refresh_token": refresh_grant,
},
default_token_type=bearer,
)
ResourceEndpoint.__init__(self,
default_token="Bearer",
token_types={
"Bearer": bearer,
"JWT": jwt
})
RevocationEndpoint.__init__(self, request_validator)
IntrospectEndpoint.__init__(self, request_validator)
UserInfoEndpoint.__init__(self, request_validator)
class ResourceOwnerPasswordCredentialsGrantTest(TestCase):
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = "mocked user"
self.request = Request("http://a.b/path")
self.request.grant_type = "password"
self.request.username = "******"
self.request.password = "******"
self.request.client = mock_client
self.request.scopes = ("mocked", "scopes")
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(request_validator=self.mock_validator)
def set_client(self, request, *args, **kwargs):
request.client = mock.MagicMock()
request.client.client_id = "mocked"
return True
def test_create_token_response(self):
bearer = BearerToken(self.mock_validator)
headers, body, status_code = self.auth.create_token_response(self.request, bearer)
token = json.loads(body)
self.assertIn("access_token", token)
self.assertIn("token_type", token)
self.assertIn("expires_in", token)
self.assertIn("refresh_token", token)
# ensure client_authentication_required() is properly called
self.mock_validator.client_authentication_required.assert_called_once_with(self.request)
# fail client authentication
self.mock_validator.validate_user.return_value = True
self.mock_validator.authenticate_client.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
# mock client_authentication_required() returning False then fail
self.mock_validator.client_authentication_required.return_value = False
self.mock_validator.authenticate_client_id.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
def test_create_token_response_without_refresh_token(self):
# self.auth.refresh_token = False so we don't generate a refresh token
self.auth = ResourceOwnerPasswordCredentialsGrant(request_validator=self.mock_validator, refresh_token=False)
bearer = BearerToken(self.mock_validator)
headers, body, status_code = self.auth.create_token_response(self.request, bearer)
token = json.loads(body)
self.assertIn("access_token", token)
self.assertIn("token_type", token)
self.assertIn("expires_in", token)
# ensure no refresh token is generated
self.assertNotIn("refresh_token", token)
# ensure client_authentication_required() is properly called
self.mock_validator.client_authentication_required.assert_called_once_with(self.request)
# fail client authentication
self.mock_validator.validate_user.return_value = True
self.mock_validator.authenticate_client.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
# mock client_authentication_required() returning False then fail
self.mock_validator.client_authentication_required.return_value = False
self.mock_validator.authenticate_client_id.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
def test_error_response(self):
pass
def test_scopes(self):
pass
def test_invalid_request_missing_params(self):
del self.request.grant_type
self.assertRaises(errors.InvalidRequestError, self.auth.validate_token_request, self.request)
def test_invalid_request_duplicates(self):
request = mock.MagicMock(wraps=self.request)
request.duplicate_params = ["scope"]
self.assertRaises(errors.InvalidRequestError, self.auth.validate_token_request, request)
def test_invalid_grant_type(self):
self.request.grant_type = "foo"
self.assertRaises(errors.UnsupportedGrantTypeError, self.auth.validate_token_request, self.request)
def test_invalid_user(self):
self.mock_validator.validate_user.return_value = False
self.assertRaises(errors.InvalidGrantError, self.auth.validate_token_request, self.request)
def test_client_id_missing(self):
del self.request.client.client_id
self.assertRaises(NotImplementedError, self.auth.validate_token_request, self.request)
def test_valid_token_request(self):
self.mock_validator.validate_grant_type.return_value = True
self.auth.validate_token_request(self.request)
def __init__(self, request_validator, token_expires_in=None,
token_generator=None, refresh_token_generator=None,
*args, **kwargs):
"""Construct a new all-grants-in-one server.
:param request_validator: An implementation of
oauthlib.oauth2.RequestValidator.
:param token_expires_in: An int or a function to generate a token
expiration offset (in seconds) given a
oauthlib.common.Request object.
:param token_generator: A function to generate a token from a request.
:param refresh_token_generator: A function to generate a token from a
request for the refresh token.
:param kwargs: Extra parameters to pass to authorization-,
token-, resource-, and revocation-endpoint constructors.
"""
auth_grant = AuthorizationCodeGrant(request_validator)
implicit_grant = ImplicitGrant(request_validator)
password_grant = ResourceOwnerPasswordCredentialsGrant(
request_validator)
credentials_grant = ClientCredentialsGrant(request_validator)
refresh_grant = RefreshTokenGrant(request_validator)
openid_connect_auth = OpenIDConnectAuthCode(request_validator)
openid_connect_implicit = OpenIDConnectImplicit(request_validator)
bearer = BearerToken(request_validator, token_generator,
token_expires_in, refresh_token_generator)
auth_grant_choice = AuthCodeGrantDispatcher(
default_auth_grant=auth_grant,
oidc_auth_grant=openid_connect_auth)
# See http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations for valid combinations # noqa
# internally our AuthorizationEndpoint will ensure they can appear in any order for any valid combination # noqa
AuthorizationEndpoint.__init__(
self,
default_response_type='code',
response_types={
'code': auth_grant_choice,
'token': implicit_grant,
'id_token': openid_connect_implicit,
'id_token token': openid_connect_implicit,
'code token': openid_connect_auth,
'code id_token': openid_connect_auth,
'code token id_token': openid_connect_auth,
'none': auth_grant
},
default_token_type=bearer)
TokenEndpoint.__init__(
self,
default_grant_type='authorization_code',
grant_types={
'authorization_code': openid_connect_auth,
'password': password_grant,
'client_credentials': credentials_grant,
'refresh_token': refresh_grant,
'openid': openid_connect_auth
},
default_token_type=bearer)
ResourceEndpoint.__init__(
self,
default_token='Bearer',
token_types={'Bearer': bearer})
RevocationEndpoint.__init__(self, request_validator)
class ResourceOwnerPasswordCredentialsGrantTest(TestCase):
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.grant_type = 'password'
self.request.username = '******'
self.request.password = '******'
self.request.client = mock_client
self.request.scopes = ('mocked', 'scopes')
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator)
def set_client(self, request, *args, **kwargs):
request.client = mock.MagicMock()
request.client.client_id = 'mocked'
return True
def test_create_token_response(self):
bearer = BearerToken(self.mock_validator)
headers, body, status_code = self.auth.create_token_response(
self.request, bearer)
token = json.loads(body)
self.assertIn('access_token', token)
self.assertIn('token_type', token)
self.assertIn('expires_in', token)
self.assertIn('refresh_token', token)
# ensure client_authentication_required() is properly called
self.mock_validator.client_authentication_required.assert_called_once_with(self.request)
# fail client authentication
self.mock_validator.validate_user.return_value = True
self.mock_validator.authenticate_client.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 400)
# mock client_authentication_required() returning False then fail
self.mock_validator.client_authentication_required.return_value = False
self.mock_validator.authenticate_client_id.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 400)
def test_error_response(self):
pass
def test_scopes(self):
pass
def test_invalid_request_missing_params(self):
del self.request.grant_type
self.assertRaises(errors.InvalidRequestError, self.auth.validate_token_request,
self.request)
def test_invalid_request_duplicates(self):
request = mock.MagicMock(wraps=self.request)
request.duplicate_params = ['scope']
self.assertRaises(errors.InvalidRequestError, self.auth.validate_token_request,
request)
def test_invalid_grant_type(self):
self.request.grant_type = 'foo'
self.assertRaises(errors.UnsupportedGrantTypeError,
self.auth.validate_token_request, self.request)
def test_invalid_user(self):
self.mock_validator.validate_user.return_value = False
self.assertRaises(errors.InvalidGrantError, self.auth.validate_token_request,
self.request)
def test_client_id_missing(self):
del self.request.client.client_id
self.assertRaises(NotImplementedError, self.auth.validate_token_request,
self.request)
def test_valid_token_request(self):
self.mock_validator.validate_grant_type.return_value = True
self.auth.validate_token_request(self.request)
class ResourceOwnerPasswordCredentialsGrantTest(TestCase):
def setUp(self):
mock_client = mock.MagicMock()
mock_client.user.return_value = 'mocked user'
self.request = Request('http://a.b/path')
self.request.grant_type = 'password'
self.request.username = '******'
self.request.password = '******'
self.request.client = mock_client
self.request.scopes = ('mocked', 'scopes')
self.mock_validator = mock.MagicMock()
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator)
def set_client(self, request, *args, **kwargs):
request.client = mock.MagicMock()
request.client.client_id = 'mocked'
return True
def test_create_token_response(self):
bearer = BearerToken(self.mock_validator)
headers, body, status_code = self.auth.create_token_response(
self.request, bearer)
token = json.loads(body)
self.assertEqual(self.mock_validator.save_token.call_count, 1)
self.assertIn('access_token', token)
self.assertIn('token_type', token)
self.assertIn('expires_in', token)
self.assertIn('refresh_token', token)
# ensure client_authentication_required() is properly called
self.mock_validator.client_authentication_required.assert_called_once_with(self.request)
# fail client authentication
self.mock_validator.reset_mock()
self.mock_validator.validate_user.return_value = True
self.mock_validator.authenticate_client.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
self.assertEqual(self.mock_validator.save_token.call_count, 0)
# mock client_authentication_required() returning False then fail
self.mock_validator.reset_mock()
self.mock_validator.client_authentication_required.return_value = False
self.mock_validator.authenticate_client_id.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
self.assertEqual(self.mock_validator.save_token.call_count, 0)
def test_create_token_response_without_refresh_token(self):
# self.auth.refresh_token = False so we don't generate a refresh token
self.auth = ResourceOwnerPasswordCredentialsGrant(
request_validator=self.mock_validator, refresh_token=False)
bearer = BearerToken(self.mock_validator)
headers, body, status_code = self.auth.create_token_response(
self.request, bearer)
token = json.loads(body)
self.assertEqual(self.mock_validator.save_token.call_count, 1)
self.assertIn('access_token', token)
self.assertIn('token_type', token)
self.assertIn('expires_in', token)
# ensure no refresh token is generated
self.assertNotIn('refresh_token', token)
# ensure client_authentication_required() is properly called
self.mock_validator.client_authentication_required.assert_called_once_with(self.request)
# fail client authentication
self.mock_validator.reset_mock()
self.mock_validator.validate_user.return_value = True
self.mock_validator.authenticate_client.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
self.assertEqual(self.mock_validator.save_token.call_count, 0)
# mock client_authentication_required() returning False then fail
self.mock_validator.reset_mock()
self.mock_validator.client_authentication_required.return_value = False
self.mock_validator.authenticate_client_id.return_value = False
status_code = self.auth.create_token_response(self.request, bearer)[2]
self.assertEqual(status_code, 401)
self.assertEqual(self.mock_validator.save_token.call_count, 0)
def test_custom_auth_validators_unsupported(self):
authval1, authval2 = mock.Mock(), mock.Mock()
expected = ('ResourceOwnerPasswordCredentialsGrant does not '
'support authorization validators. Use token '
'validators instead.')
with self.assertRaises(ValueError) as caught:
ResourceOwnerPasswordCredentialsGrant(self.mock_validator,
pre_auth=[authval1])
self.assertEqual(caught.exception.args[0], expected)
with self.assertRaises(ValueError) as caught:
ResourceOwnerPasswordCredentialsGrant(self.mock_validator,
post_auth=[authval2])
self.assertEqual(caught.exception.args[0], expected)
with self.assertRaises(AttributeError):
self.auth.custom_validators.pre_auth.append(authval1)
with self.assertRaises(AttributeError):
self.auth.custom_validators.pre_auth.append(authval2)
def test_custom_token_validators(self):
tknval1, tknval2 = mock.Mock(), mock.Mock()
self.auth.custom_validators.pre_token.append(tknval1)
self.auth.custom_validators.post_token.append(tknval2)
bearer = BearerToken(self.mock_validator)
self.auth.create_token_response(self.request, bearer)
self.assertTrue(tknval1.called)
self.assertTrue(tknval2.called)
def test_error_response(self):
pass
def test_scopes(self):
pass
def test_invalid_request_missing_params(self):
del self.request.grant_type
self.assertRaises(errors.InvalidRequestError, self.auth.validate_token_request,
self.request)
def test_invalid_request_duplicates(self):
request = mock.MagicMock(wraps=self.request)
request.duplicate_params = ['scope']
self.assertRaises(errors.InvalidRequestError, self.auth.validate_token_request,
request)
def test_invalid_grant_type(self):
self.request.grant_type = 'foo'
self.assertRaises(errors.UnsupportedGrantTypeError,
self.auth.validate_token_request, self.request)
def test_invalid_user(self):
self.mock_validator.validate_user.return_value = False
self.assertRaises(errors.InvalidGrantError, self.auth.validate_token_request,
self.request)
def test_client_id_missing(self):
del self.request.client.client_id
self.assertRaises(NotImplementedError, self.auth.validate_token_request,
self.request)
def test_valid_token_request(self):
self.mock_validator.validate_grant_type.return_value = True
self.auth.validate_token_request(self.request)
