def test_google_iss(app, valid_payload):
"""iss must be accounts.google.com or https://accounts.google.com"""
valid_payload['iss'] = 'accounts.google.com'
t = _encode_valid_token(app, valid_payload)
idinfo = verify_google_id_token(t)
logging.info('Verfied payload: %s', idinfo)
valid_payload['iss'] = 'https://accounts.google.com'
t = _encode_valid_token(app, valid_payload)
idinfo = verify_google_id_token(t)
logging.info('Verfied payload: %s', idinfo)
def test_google_verifies_signature(valid_payload):
t = _encode_invalid_token(valid_payload)
with pytest.raises(AppIdentityError):
verify_google_id_token(t)
def test_google_basic_verify(app, valid_payload):
t = _encode_valid_token(app, valid_payload)
idinfo = verify_google_id_token(t)
logging.info('Verfied payload: %s', idinfo)
def test_google_needs_valid_exp(app, valid_payload):
valid_payload['exp'] = datetime.datetime.utcnow() - datetime.timedelta(days=200)
t = _encode_valid_token(app, valid_payload)
with pytest.raises(AppIdentityError):
verify_google_id_token(t)
def test_google_needs_exp(app, valid_payload):
del valid_payload['exp']
t = _encode_valid_token(app, valid_payload)
with pytest.raises(AppIdentityError):
verify_google_id_token(t)
def test_google_needs_matching_aud(app, valid_payload):
valid_payload['aud'] += '.but.a.wrong.one'
t = _encode_valid_token(app, valid_payload)
with pytest.raises(AppIdentityError):
verify_google_id_token(t)
def test_google_needs_valid_iss(app, valid_payload):
valid_payload['iss'] = 'some.attacker.example.com'
t = _encode_valid_token(app, valid_payload)
with pytest.raises(AppIdentityError):
verify_google_id_token(t)
