Exemple #1
 def test_should_detect_mismatching_subject(self, client_mock):
     """Expect rejection when the userinfo ``sub`` is ``'other_sub'``.

     The token-exchange mock returns ``TOKEN_RESPONSE`` and the userinfo mock
     returns a schema whose only claim is ``sub='other_sub'``. The handler
     must raise ``AuthResponseMismatchingSubjectError`` instead of returning
     userinfo claims for a different subject than the ID token.
     """
     # presumably 'other_sub' differs from the ``sub`` inside
     # TOKEN_RESPONSE['id_token']; the fixture is not shown here -- confirm.
     token_response = AccessTokenResponse(**self.TOKEN_RESPONSE)
     userinfo = OpenIDSchema(sub='other_sub')
     client_mock.exchange_authorization_code.return_value = token_response
     client_mock.userinfo_request.return_value = userinfo

     expected_state = self.AUTH_RESPONSE['state']
     expected_nonce = self.TOKEN_RESPONSE['id_token']['nonce']
     with pytest.raises(AuthResponseMismatchingSubjectError):
         handler = AuthResponseHandler(client_mock)
         handler.process_auth_response(
             AuthorizationResponse(**self.AUTH_RESPONSE),
             expected_state,
             expected_nonce,
         )
 def test_should_handle_token_error_response(self, client_mock):
     """Expect a token-endpoint error to be raised, not returned as a result.

     The token-exchange mock returns a ``TokenErrorResponse`` built from
     ``ERROR_RESPONSE``. The handler must raise
     ``AuthResponseErrorResponseError`` and expose the original error payload
     on ``error_response``.
     """
     error = TokenErrorResponse(**self.ERROR_RESPONSE)
     client_mock.exchange_authorization_code.return_value = error

     with pytest.raises(AuthResponseErrorResponseError) as raised:
         handler = AuthResponseHandler(client_mock)
         handler.process_auth_response(
             AuthorizationResponse(**self.AUTH_RESPONSE),
             self.AUTH_REQUEST,
         )

     assert raised.value.error_response == self.ERROR_RESPONSE
 def test_should_detect_state_mismatch(self, client_mock):
     """Expect rejection when the stored request has a different ``state``.

     The stored authentication request keeps the fixture nonce but uses
     ``'other_state'``. ``state`` is what ties a response to the request this
     client sent, so the handler must raise
     ``AuthResponseUnexpectedStateError``.
     """
     # No return values are configured on client_mock.
     # presumably the state check runs before any token request -- confirm.
     stored_request = dict(state='other_state', nonce=self.AUTH_REQUEST['nonce'])
     with pytest.raises(AuthResponseUnexpectedStateError):
         handler = AuthResponseHandler(client_mock)
         handler.process_auth_response(self.AUTH_RESPONSE, stored_request)
 def test_should_handle_token_response_without_id_token(self, client_mock):
     """Accept a token response that has an access token but no ID token.

     The token-exchange mock returns only ``access_token``. The result must
     carry that token and report ``id_token_claims`` as ``None``, so callers
     can tell that no identity assertion was received.
     """
     access_only = AccessTokenResponse(access_token='test_token')
     client_mock.exchange_authorization_code.return_value = access_only

     handler = AuthResponseHandler(client_mock)
     result = handler.process_auth_response(
         AuthorizationResponse(**self.AUTH_RESPONSE),
         self.AUTH_REQUEST,
     )

     assert result.access_token == 'test_token'
     assert result.id_token_claims is None
 def test_should_handle_token_response_without_id_token(self, client_mock):
     """Accept a token response that has an access token but no ID token.

     This variant stubs ``token_request`` and passes the expected state and
     nonce as separate arguments. The result must carry the access token and
     report ``id_token_claims`` as ``None``.
     """
     access_only = AccessTokenResponse(access_token='test_token')
     client_mock.token_request.return_value = access_only

     handler = AuthResponseHandler(client_mock)
     expected_state = self.AUTH_RESPONSE['state']
     expected_nonce = self.TOKEN_RESPONSE['id_token']['nonce']
     result = handler.process_auth_response(
         AuthorizationResponse(**self.AUTH_RESPONSE),
         expected_state,
         expected_nonce,
     )

     assert result.access_token == 'test_token'
     assert result.id_token_claims is None
 def test_should_handle_no_token_response(self, client_mock):
     """Take the tokens from the authorization response when no exchange result exists.

     Both the token-exchange and userinfo mocks return ``None``. The
     authorization response is ``AUTH_RESPONSE`` merged with
     ``TOKEN_RESPONSE``, so the access token and ID token asserted below can
     only have come from the authorization response itself.
     """
     client_mock.exchange_authorization_code.return_value = None
     client_mock.userinfo_request.return_value = None

     # Copy first so the shared AUTH_RESPONSE fixture is not mutated.
     merged = self.AUTH_RESPONSE.copy()
     merged.update(self.TOKEN_RESPONSE)

     handler = AuthResponseHandler(client_mock)
     result = handler.process_auth_response(
         AuthorizationResponse(**merged), self.AUTH_REQUEST)

     assert result.access_token == 'test_token'
     assert result.id_token_claims == self.TOKEN_RESPONSE['id_token'].to_dict()
     assert result.id_token_jwt == self.TOKEN_RESPONSE['id_token_jwt']
 def test_should_handle_auth_response_with_authorization_code(self, client_mock):
     """Check the success path with matching state and nonce.

     ``token_request`` returns ``TOKEN_RESPONSE`` and ``userinfo_request``
     returns ``USERINFO_RESPONSE``. The state and nonce passed in are taken
     from the same fixtures, so they match, and the result must expose the
     access token, the ID token (claims and raw JWT) and the userinfo claims.
     """
     client_mock.token_request.return_value = self.TOKEN_RESPONSE
     client_mock.userinfo_request.return_value = self.USERINFO_RESPONSE

     handler = AuthResponseHandler(client_mock)
     expected_state = self.AUTH_RESPONSE['state']
     expected_nonce = self.TOKEN_RESPONSE['id_token']['nonce']
     result = handler.process_auth_response(
         self.AUTH_RESPONSE, expected_state, expected_nonce)

     assert result.access_token == 'test_token'
     assert result.id_token_claims == self.TOKEN_RESPONSE['id_token'].to_dict()
     assert result.id_token_jwt == self.TOKEN_RESPONSE['id_token_jwt']
     assert result.userinfo_claims == self.USERINFO_RESPONSE.to_dict()
Exemple #8
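 def test_should_handle_auth_response_without_authorization_code(self, client_mock):
     """Use tokens delivered in the authorization response without exchanging a code.

     The authorization response is built from ``TOKEN_RESPONSE`` plus a
     ``state``. The handler must not call ``exchange_authorization_code``,
     and the result must carry the tokens from the response, the userinfo
     claims from the mock, and no refresh token.
     """
     auth_response = AuthorizationResponse(**self.TOKEN_RESPONSE)
     auth_response['state'] = 'test_state'
     client_mock.userinfo_request.return_value = self.USERINFO_RESPONSE

     # NOTE(review): the response carries an ID token, but no nonce argument
     # is passed here. Confirm that nonce validation for this flow is
     # exercised by another test.
     result = AuthResponseHandler(client_mock).process_auth_response(auth_response, 'test_state')

     assert not client_mock.exchange_authorization_code.called
     assert result.access_token == 'test_token'
     assert result.expires_in == self.TOKEN_RESPONSE['expires_in']
     assert result.id_token_jwt == self.TOKEN_RESPONSE['id_token_jwt']
     assert result.id_token_claims == self.TOKEN_RESPONSE['id_token'].to_dict()
     assert result.userinfo_claims == self.USERINFO_RESPONSE.to_dict()
     # Identity check: ``== None`` would also accept any object whose __eq__
     # claims equality with None.
     assert result.refresh_token is None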
 def test_should_detect_nonce_mismatch(self, client_mock):
     """Expect rejection when the stored request has a different ``nonce``.

     A real ``PyoidcFacade`` is built instead of using the ``client_mock``
     fixture, and only ``exchange_authorization_code`` is stubbed. The stored
     request keeps the matching state but uses ``'other_nonce'``, and the
     handler must raise ``InvalidIdTokenError``.
     """
     # presumably the real facade is used so the ID token verification code
     # actually runs -- confirm against PyoidcFacade.
     provider_config = ProviderConfiguration(
         provider_metadata=ProviderMetadata(issuer=self.ISSUER),
         client_metadata=ClientMetadata(client_id=self.CLIENT_ID),
     )
     client = PyoidcFacade(
         provider_config,
         redirect_uri='https://client.example.com/redirect',
     )
     client.exchange_authorization_code = MagicMock(return_value=self.TOKEN_RESPONSE)

     stored_request = dict(state=self.AUTH_RESPONSE['state'], nonce='other_nonce')
     with pytest.raises(InvalidIdTokenError):
         handler = AuthResponseHandler(client)
         handler.process_auth_response(self.AUTH_RESPONSE, stored_request)
 def test_should_handle_auth_error_response(self, client_mock):
     """Expect an authorization error response to be raised as an exception.

     An ``AuthorizationErrorResponse`` built from ``ERROR_RESPONSE`` is
     passed in place of a successful response. The handler must raise
     ``AuthResponseErrorResponseError`` and keep the original payload on
     ``error_response``.
     """
     expected_state = self.AUTH_RESPONSE['state']
     with pytest.raises(AuthResponseErrorResponseError) as raised:
         handler = AuthResponseHandler(client_mock)
         handler.process_auth_response(
             AuthorizationErrorResponse(**self.ERROR_RESPONSE),
             expected_state,
         )

     assert raised.value.error_response == self.ERROR_RESPONSE
 def test_should_detect_nonce_mismatch(self, client_mock):
     """Expect rejection when the expected nonce is ``'other_nonce'``.

     ``token_request`` returns ``TOKEN_RESPONSE`` and the state argument
     matches, so only the nonce differs. The nonce ties an ID token to the
     authentication request that asked for it, so the handler must raise
     ``AuthResponseUnexpectedNonceError``.
     """
     client_mock.token_request.return_value = self.TOKEN_RESPONSE

     expected_state = self.AUTH_RESPONSE['state']
     with pytest.raises(AuthResponseUnexpectedNonceError):
         handler = AuthResponseHandler(client_mock)
         handler.process_auth_response(
             self.AUTH_RESPONSE, expected_state, 'other_nonce')
 def test_should_detect_state_mismatch(self, client_mock):
     """Expect rejection when the expected state is ``'other_state'``.

     ``AUTH_RESPONSE`` is processed against a different expected state, and
     the handler must raise ``AuthResponseUnexpectedStateError``.
     """
     # No return values are configured on client_mock.
     # presumably the state check runs before any token request -- confirm.
     with pytest.raises(AuthResponseUnexpectedStateError):
         handler = AuthResponseHandler(client_mock)
         handler.process_auth_response(self.AUTH_RESPONSE, 'other_state')