def test_userinfo_request(self):
    """GET userinfo request carries the stored access token as a Bearer header.

    The client is first fed an authorization response and a token response
    (both registered under state ``"state0"`` even though the authorization
    response was built with ``"state000"`` -- presumably deliberate; confirm
    against the fixture), then ``user_info_request`` is checked to produce a
    GET with no body and an ``Authorization: Bearer <token>`` header.
    """
    client = self.client
    code_resp = AuthorizationResponse(code="code", state="state000")
    token_kwargs = dict(
        access_token="access_token",
        token_type="Bearer",
        expires_in=600,
        refresh_token="refresh",
        scope=["openid"],
    )
    token_resp = AccessTokenResponse(**token_kwargs)

    client.parse_response(
        AuthorizationResponse,
        code_resp.to_urlencoded(),
        sformat="urlencoded",
        state="state0",
    )
    client.parse_response(AccessTokenResponse, token_resp.to_json(), state="state0")

    url, payload, verb, extra = client.user_info_request(state="state0")

    expected_extra = {"headers": {"Authorization": "Bearer access_token"}}
    assert url == "http://example.com/userinfo"
    assert verb == "GET"
    assert payload is None
    assert extra == expected_extra
def test_userinfo_request_post(self):
    """POST userinfo request puts the access token in the form body.

    Same fixture setup as the GET case (note the lowercase ``bearer``
    token_type here), but ``method="POST"`` must yield a urlencoded body
    containing the token and only a Content-Type header -- no
    Authorization header.
    """
    client = self.client
    code_resp = AuthorizationResponse(code="code", state="state000")
    token_resp = AccessTokenResponse(
        access_token="access_token",
        token_type="bearer",
        expires_in=600,
        refresh_token="refresh",
        scope=["openid"],
    )

    client.parse_response(
        AuthorizationResponse,
        code_resp.to_urlencoded(),
        sformat="urlencoded",
        state="state0",
    )
    client.parse_response(AccessTokenResponse, token_resp.to_json(), state="state0")

    url, payload, verb, extra = client.user_info_request(method="POST", state="state0")

    assert (url, verb) == ("http://example.com/userinfo", "POST")
    assert payload == "access_token=access_token"
    assert extra == {"headers": {"Content-Type": "application/x-www-form-urlencoded"}}
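def token_endpoint(self, data):
    """Dispatch a urlencoded token request body to the matching grant handler.

    ``data`` is the raw request body (a str).  A refresh_token grant goes
    through ``parse_refresh_token_request`` / ``sdb.refresh_token``; an
    authorization_code grant through ``parse_token_request`` /
    ``sdb.upgrade_to_token``.  Anything else yields a
    ``TokenErrorResponse(error="unsupported_grant_type")``.

    The grant is selected by substring match on the raw body; the parse_*
    call that follows is what actually validates the request.  The two
    return shapes differ (error path: ``(response, "")``; success path: a
    bare ``Response``) -- preserved here for callers, but worth unifying.
    """
    if "grant_type=refresh_token" in data:
        req = self.parse_refresh_token_request(body=data)
        _info = self.sdb.refresh_token(req["refresh_token"])
    elif "grant_type=authorization_code" in data:
        # Previously this condition was the bare string literal, which is
        # always truthy: every non-refresh request was treated as a code
        # grant and the unsupported_grant_type branch was unreachable.
        req = self.parse_token_request(body=data)
        _info = self.sdb.upgrade_to_token(req["code"])
    else:
        response = TokenErrorResponse(error="unsupported_grant_type")
        return response, ""

    resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info))
    response = Response()
    response.headers = {"content-type": "application/json"}
    response.text = resp.to_json()
    return response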
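def token_endpoint(self, data):
    """Dispatch a urlencoded token request body to the matching grant handler.

    ``data`` is the raw request body (a str).  A refresh_token grant goes
    through ``parse_refresh_token_request`` / ``sdb.refresh_token``; an
    authorization_code grant through ``parse_token_request`` /
    ``sdb.upgrade_to_token``.  Anything else yields a
    ``TokenErrorResponse(error="unsupported_grant_type")``.

    The grant is selected by substring match on the raw body; the parse_*
    call that follows is what actually validates the request.  The two
    return shapes differ (error path: ``(response, "")``; success path: a
    bare ``Response``) -- preserved here for callers, but worth unifying.
    """
    if "grant_type=refresh_token" in data:
        req = self.parse_refresh_token_request(body=data)
        _info = self.sdb.refresh_token(req["refresh_token"])
    elif "grant_type=authorization_code" in data:
        # Previously this condition was the bare string literal, which is
        # always truthy: every non-refresh request was treated as a code
        # grant and the unsupported_grant_type branch was unreachable.
        req = self.parse_token_request(body=data)
        _info = self.sdb.upgrade_to_token(req["code"])
    else:
        response = TokenErrorResponse(error="unsupported_grant_type")
        return response, ""

    resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info))
    response = Response()
    response.headers = {"content-type": "application/json"}
    response.text = resp.to_json()
    return response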
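def test_parse_access_token_response():
    """Parse token and error responses in JSON and urlencoded form.

    Checks that ``Client.parse_response`` accepts an ``AccessTokenResponse``
    as JSON (the default), as urlencoded, and as a URL with a urlencoded
    query; that an ``ErrorResponse`` is accepted in both formats; and that a
    payload whose encoding does not match ``sformat`` (or an unknown
    ``sformat``) is rejected.

    ``raises`` is used in its context-manager form.  The string form
    ``raises(Exc, "expr")`` evaluated the code via ``eval`` and has been
    removed from pytest (assumes ``raises`` here is ``pytest.raises``).
    """
    client = Client()
    at = AccessTokenResponse(
        access_token="SlAV32hkKG",
        token_type="Bearer",
        refresh_token="8xLOxBtZp8",
        expires_in=3600,
    )
    expected_keys = ['access_token', 'token_type', 'expires_in', 'refresh_token']
    ATR = AccessTokenResponse

    # JSON is the default sformat.
    atj = at.to_json()
    atr = client.parse_response(ATR, info=atj)
    assert _eq(atr.keys(), expected_keys)

    # A urlencoded payload must be rejected unless sformat says so.
    uec = at.to_urlencoded()
    with raises(ValueError):
        client.parse_response(ATR, info=uec)
    uatr = client.parse_response(ATR, info=uec, sformat="urlencoded")
    assert _eq(uatr.keys(), expected_keys)

    # Urlencoded response delivered as a full URL with a query string.
    huec = "%s?%s" % ("https://example.com/token", uec)
    uatr = client.parse_response(ATR, info=huec, sformat="urlencoded")
    assert _eq(uatr.keys(), expected_keys)

    # An error response parses under either format when the format matches...
    err = ErrorResponse(
        error="invalid_request",
        error_description="Something was missing",
        error_uri="http://example.com/error_message.html",
    )
    jerr = err.to_json()
    uerr = err.to_urlencoded()
    _ = client.parse_response(ATR, info=jerr)
    _ = client.parse_response(ATR, info=uerr, sformat="urlencoded")

    # ...and fails when it does not, or when sformat is unknown.
    with raises(Exception):
        client.parse_response(ATR, info=jerr, sformat="urlencoded")
    with raises(Exception):
        client.parse_response(ATR, info=uerr)
    with raises(Exception):
        client.parse_response(ATR, info=jerr, sformat="focus")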
def test_userinfo_request(self):
    """Userinfo request defaults to GET with a Bearer Authorization header.

    Seeds the client with an authorization response and a token response
    under state ``"state0"`` (the authorization response itself carries
    ``"state000"`` -- presumably intentional; verify against the fixture),
    then asserts the shape of ``user_info_request``'s return tuple.
    """
    client = self.client
    authz = AuthorizationResponse(code="code", state="state000")
    token = AccessTokenResponse(
        access_token="access_token",
        token_type="Bearer",
        expires_in=600,
        refresh_token="refresh",
        scope=["openid"],
    )

    client.parse_response(
        AuthorizationResponse,
        authz.to_urlencoded(),
        sformat="urlencoded",
        state="state0",
    )
    client.parse_response(AccessTokenResponse, token.to_json(), state="state0")

    result = client.user_info_request(state="state0")
    endpoint, payload, verb, extra = result

    assert endpoint == "http://example.com/userinfo"
    assert verb == "GET"
    assert payload is None
    assert extra == {'headers': {'Authorization': 'Bearer access_token'}}
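def test_parse_access_token_response():
    """Parse token and error responses in JSON and urlencoded form.

    Checks that ``Client.parse_response`` accepts an ``AccessTokenResponse``
    as JSON (the default), as urlencoded, and as a URL with a urlencoded
    query; that an ``ErrorResponse`` is accepted in both formats; and that a
    payload whose encoding does not match ``sformat`` (or an unknown
    ``sformat``) is rejected.

    ``raises`` is used in its context-manager form.  The string form
    ``raises(Exc, "expr")`` evaluated the code via ``eval`` and has been
    removed from pytest (assumes ``raises`` here is ``pytest.raises``).
    """
    client = Client()
    at = AccessTokenResponse(
        access_token="SlAV32hkKG",
        token_type="Bearer",
        refresh_token="8xLOxBtZp8",
        expires_in=3600,
    )
    expected_keys = ['access_token', 'token_type', 'expires_in', 'refresh_token']
    ATR = AccessTokenResponse

    # JSON is the default sformat.
    atj = at.to_json()
    atr = client.parse_response(ATR, info=atj)
    assert _eq(atr.keys(), expected_keys)

    # A urlencoded payload must be rejected unless sformat says so.
    uec = at.to_urlencoded()
    with raises(ValueError):
        client.parse_response(ATR, info=uec)
    uatr = client.parse_response(ATR, info=uec, sformat="urlencoded")
    assert _eq(uatr.keys(), expected_keys)

    # Urlencoded response delivered as a full URL with a query string.
    huec = "%s?%s" % ("https://example.com/token", uec)
    uatr = client.parse_response(ATR, info=huec, sformat="urlencoded")
    assert _eq(uatr.keys(), expected_keys)

    # An error response parses under either format when the format matches...
    err = ErrorResponse(
        error="invalid_request",
        error_description="Something was missing",
        error_uri="http://example.com/error_message.html",
    )
    jerr = err.to_json()
    uerr = err.to_urlencoded()
    _ = client.parse_response(ATR, info=jerr)
    _ = client.parse_response(ATR, info=uerr, sformat="urlencoded")

    # ...and fails when it does not, or when sformat is unknown.
    with raises(Exception):
        client.parse_response(ATR, info=jerr, sformat="urlencoded")
    with raises(Exception):
        client.parse_response(ATR, info=uerr)
    with raises(Exception):
        client.parse_response(ATR, info=jerr, sformat="focus")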
def test_userinfo_request_post(self):
    """Userinfo request with ``method="POST"`` sends the token in the body.

    Same seeding as the GET test (token_type is lowercase ``bearer`` here);
    the result must be a POST whose body is ``access_token=<token>`` and
    whose only extra header is the form Content-Type.
    """
    client = self.client
    authz = AuthorizationResponse(code="code", state="state000")
    token = AccessTokenResponse(
        access_token="access_token",
        token_type="bearer",
        expires_in=600,
        refresh_token="refresh",
        scope=["openid"],
    )

    client.parse_response(
        AuthorizationResponse,
        authz.to_urlencoded(),
        sformat="urlencoded",
        state="state0",
    )
    client.parse_response(AccessTokenResponse, token.to_json(), state="state0")

    endpoint, payload, verb, extra = client.user_info_request(
        method="POST", state="state0"
    )

    expected_extra = {'headers': {'Content-Type': 'application/x-www-form-urlencoded'}}
    assert endpoint == "http://example.com/userinfo"
    assert verb == "POST"
    assert payload == "access_token=access_token"
    assert extra == expected_extra
def token_endpoint(self, data):
    """Dispatch a urlencoded token request body to the matching grant handler.

    ``data`` is the raw request body (a str); the grant is chosen by
    substring match on it and the parse_* call that follows does the real
    validation.  A refresh_token grant is exchanged via
    ``sdb.refresh_token(token, client_id)``.  An authorization_code grant is
    upgraded via ``sdb.upgrade_to_token``, with ``issue_refresh=True`` when
    the stored session scope (looked up by code) includes
    ``offline_access``.  Any other grant type returns
    ``(TokenErrorResponse, "")`` -- note this tuple differs from the bare
    ``Response`` returned on success; callers must cope with both.
    """
    if "grant_type=refresh_token" in data:
        refresh_req = self.parse_refresh_token_request(body=data)
        token_info = self.sdb.refresh_token(
            refresh_req["refresh_token"], refresh_req['client_id']
        )
    elif "grant_type=authorization_code" in data:
        code_req = self.parse_token_request(body=data)
        code = code_req["code"]
        # Unknown code -> KeyError from the sdb lookup (not turned into an
        # error response here).
        wants_refresh = 'offline_access' in self.sdb[code]['scope']
        upgrade_kwargs = {"issue_refresh": True} if wants_refresh else {}
        token_info = self.sdb.upgrade_to_token(code, **upgrade_kwargs)
    else:
        return TokenErrorResponse(error="unsupported_grant_type"), ""

    token_resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **token_info))
    http_resp = Response()
    http_resp.headers = {"content-type": "application/json"}
    http_resp.text = token_resp.to_json()
    return http_resp
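def _refresh_access_token_endpoint(self, req, **kwargs):
    """Handle a refresh_token grant and return the new token response.

    ``req`` is the parsed token request (must carry ``client_id``,
    ``grant_type`` and ``refresh_token``); ``kwargs`` is accepted but not
    used here.  The refresh token is exchanged through ``self.sdb``; when
    the resulting session scope contains ``openid`` a new ID Token is
    signed/encrypted and written back to the session via ``_sdb.update``.
    Returns a JSON ``Response`` built from the session info.

    An unknown ``client_id`` raises ``KeyError`` from the ``cdb`` lookup
    (presumably caught by the caller -- confirm).
    """
    _sdb = self.sdb
    _log_debug = logger.debug
    client_info = self.cdb[req["client_id"]]

    # Explicit check instead of ``assert``: asserts are stripped under
    # ``python -O``, which would silently remove the grant-type guard.  The
    # exception type is kept so existing callers see the same failure.
    if req["grant_type"] != "refresh_token":
        raise AssertionError("grant_type must be refresh_token")

    rtoken = req["refresh_token"]
    _info = _sdb.refresh_token(rtoken)

    if "openid" in _info["scope"]:
        userinfo = self.userinfo_in_id_token_claims(_info)
        _idtoken = self.sign_encrypt_id_token(
            _info, client_info, req, user_info=userinfo
        )
        sid = _sdb.token.get_key(rtoken)
        _sdb.update(sid, "id_token", _idtoken)

    # Lazy %-args: the message is only rendered when DEBUG is enabled.
    # NOTE(review): _info holds the session's token values, so this line
    # writes token material to the debug log.
    _log_debug("_info: %s", _info)
    atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info))
    _log_debug("access_token_response: %s", atr.to_dict())
    return Response(atr.to_json(), content="application/json")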
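try:
    _idtoken = self._id_token(_info)
except AccessDenied:
    return self._error(environ, start_response, error="access_denied")
_sdb.update_by_token(_access_code, "id_token", _idtoken)
_log_debug("_tinfo: %s" % _tinfo)
atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))
if self.test_mode:
    _log_info("access_token_response: %s" % atr.to_dict())
resp = Response(atr.to_json(), content="application/json")
return resp(environ, start_response)

def _bearer_auth(self, environ):
    """Extract the bearer token from the WSGI ``HTTP_AUTHORIZATION`` header.

    Raises ``AuthnFailure`` when the header is absent, or with a message
    when its scheme is not ``Bearer`` (compared case-insensitively).
    Returns the header text after the six-character scheme and one
    separator character; an empty token (header is just ``Bearer``) is
    returned as ``""`` and left for the caller to reject.
    """
    #'HTTP_AUTHORIZATION': 'Bearer pC7efiVgbI8UASlolltdh76DrTZ2BQJQXFhVvwWlKekFvWCcdMTmNCI/BCSCxQiG'
    try:
        authn = environ["HTTP_AUTHORIZATION"]
    except KeyError:
        raise AuthnFailure
    # Explicit comparison, not ``assert``: under ``python -O`` the assert
    # was stripped and any Authorization scheme was accepted as Bearer.
    if authn[:6].lower() != "bearer":
        raise AuthnFailure("AuthZ type I don't know")
    return authn[7:]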
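def __call__(self, request):
    """Serve a token request for the authorization_code grant.

    Returns a ``(status, headers, body)`` tuple.  A request with no
    ``grant_type``, or with any grant other than ``authorization_code``,
    gets a 400.  A used or expired code raises ``Exception`` (this is a
    test provider; the loud failure is kept).  An unknown code raises
    ``KeyError`` from the ``authz_codes`` lookup.  On success the code is
    marked used, an access token is minted and recorded in
    ``provider.access_tokens``, and an RS256-signed ID Token with
    ``c_hash``/``at_hash`` (and ``nonce`` when the auth request had one)
    is returned alongside it.
    """
    data = request.body
    req = self.provider.parse_token_request(body=data)
    if 'grant_type' not in req:
        return (400, {}, 'Missing grant_type')
    if req['grant_type'] != 'authorization_code':
        return (400, {}, 'Unsupported grant_type')

    authz_code = req['code']
    authz_info = self.provider.authz_codes[authz_code]
    auth_req = authz_info['auth_req']
    client_id = auth_req['client_id']

    # Single-use and expiry checks.  Each raise previously had an
    # unreachable ``return (400, ...)`` after it; the raise is the behaviour
    # that was actually in effect, so only the dead lines are dropped.
    if authz_info['used']:
        raise Exception('code already used')
    if authz_info['exp'] < time.time():
        raise Exception('code expired')
    authz_info['used'] = True

    # One timestamp so the access token's and ID Token's iat/exp agree.
    now = time.time()
    at_lifetime = self.provider.access_token_lifetime
    at_value = rndstr()
    self.provider.access_tokens[at_value] = {
        'iat': now,
        'exp': now + at_lifetime,
        'sub': 'test-sub',
        'client_id': client_id,
        'aud': [client_id],
        'scope': authz_info['granted_scope'],
        'granted_scope': authz_info['granted_scope'],
        'token_type': 'Bearer',
        'auth_req': auth_req,
    }

    resp = AccessTokenResponse()
    resp['access_token'] = at_value
    resp['token_type'] = 'Bearer'
    resp['expires_in'] = at_lifetime
    resp['refresh_token'] = None

    # c_hash / at_hash over the code and access token; 'HS256' here
    # presumably selects SHA-256 in left_hash (the ID Token itself is RS256).
    hashes = {
        'c_hash': jws.left_hash(authz_code.encode('utf-8'), 'HS256'),
        'at_hash': jws.left_hash(at_value.encode('utf-8'), 'HS256'),
    }
    id_token = IdToken(
        iss=self.config['issuer'],
        sub='test-sub',
        aud=client_id,
        iat=now,
        exp=now + self.provider.id_token_lifetime,
        **hashes
    )
    if 'nonce' in auth_req:
        id_token['nonce'] = auth_req['nonce']
    resp['id_token'] = id_token.to_jwt([self.provider.signing_key], 'RS256')

    # Token responses must not be cached (RFC 6749 section 5.1).
    headers = {
        'Content-Type': 'application/json',
        'Cache-Control': 'no-store',
        'Pragma': 'no-cache',
    }
    return (200, headers, resp.to_json())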
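def __call__(self, request):
    """Serve a token request for the authorization_code grant.

    Returns a ``(status, headers, body)`` tuple.  A request with no
    ``grant_type``, or with any grant other than ``authorization_code``,
    gets a 400.  A used or expired code raises ``Exception`` (this is a
    test provider; the loud failure is kept).  An unknown code raises
    ``KeyError`` from the ``authz_codes`` lookup.  On success the code is
    marked used, an access token is minted and recorded in
    ``provider.access_tokens``, and an RS256-signed ID Token with
    ``c_hash``/``at_hash`` (and ``nonce`` when the auth request had one)
    is returned alongside it.
    """
    data = request.body
    req = self.provider.parse_token_request(body=data)
    if 'grant_type' not in req:
        return (400, {}, 'Missing grant_type')
    if req['grant_type'] != 'authorization_code':
        return (400, {}, 'Unsupported grant_type')

    authz_code = req['code']
    authz_info = self.provider.authz_codes[authz_code]
    auth_req = authz_info['auth_req']
    client_id = auth_req['client_id']

    # Single-use and expiry checks.  Each raise previously had an
    # unreachable ``return (400, ...)`` after it; the raise is the behaviour
    # that was actually in effect, so only the dead lines are dropped.
    if authz_info['used']:
        raise Exception('code already used')
    if authz_info['exp'] < time.time():
        raise Exception('code expired')
    authz_info['used'] = True

    # One timestamp so the access token's and ID Token's iat/exp agree.
    now = time.time()
    at_lifetime = self.provider.access_token_lifetime
    at_value = rndstr()
    self.provider.access_tokens[at_value] = {
        'iat': now,
        'exp': now + at_lifetime,
        'sub': 'test-sub',
        'client_id': client_id,
        'aud': [client_id],
        'scope': authz_info['granted_scope'],
        'granted_scope': authz_info['granted_scope'],
        'token_type': 'Bearer',
        'auth_req': auth_req,
    }

    resp = AccessTokenResponse()
    resp['access_token'] = at_value
    resp['token_type'] = 'Bearer'
    resp['expires_in'] = at_lifetime
    resp['refresh_token'] = None

    # c_hash / at_hash over the code and access token; 'HS256' here
    # presumably selects SHA-256 in left_hash (the ID Token itself is RS256).
    hashes = {
        'c_hash': jws.left_hash(authz_code.encode('utf-8'), 'HS256'),
        'at_hash': jws.left_hash(at_value.encode('utf-8'), 'HS256'),
    }
    id_token = IdToken(
        iss=self.config['issuer'],
        sub='test-sub',
        aud=client_id,
        iat=now,
        exp=now + self.provider.id_token_lifetime,
        **hashes
    )
    if 'nonce' in auth_req:
        id_token['nonce'] = auth_req['nonce']
    resp['id_token'] = id_token.to_jwt([self.provider.signing_key], 'RS256')

    # Token responses must not be cached (RFC 6749 section 5.1).
    headers = {
        'Content-Type': 'application/json',
        'Cache-Control': 'no-store',
        'Pragma': 'no-cache',
    }
    return (200, headers, resp.to_json())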