def test_token_by_client_credentials(self, settings, client, user):
        """Client-credentials grant issues an access token but no refresh token.

        The OAuth client authenticates with HTTP Basic on the token endpoint;
        the stored token must reference the user that owns the client.
        """
        # Test-only switch; sibling tests describe it as bypassing the HTTPS requirement.
        settings.DEBUG = True

        oauth_client = Client(user=user, title='OClient', identifier='OClient', password='******')
        oauth_client.save()

        RedirectionEndpoint(client=oauth_client, uri='http://redirect-test.com').save()
        Scope(identifier='scope1').save()

        # Valid token by client credentials request.
        form = {'grant_type': 'client_credentials', 'scope': 'scope1'}
        response = client.post(URL_TOKEN, form, Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        assert response.status_code == 200
        payload = response.content_json
        assert 'access_token' in payload
        # This grant is expected to come back without a refresh token.
        assert 'refresh_token' not in payload
        assert 'token_type' in payload

        issued = Token.objects.get(access_token=payload['access_token'])
        assert user == issued.user
    def test_token_by_user_credentials(self):
        """Password grant: missing, rejected and accepted resource-owner credentials."""
        owner = User(username='******')
        owner.set_password('12345')
        owner.save()

        oauth_client = Client(user=owner, title='OClient', identifier='OClient', password='******')
        oauth_client.save()

        RedirectionEndpoint(client=oauth_client, uri='http://redirect-test.com').save()

        # The OAuth client itself authenticates with HTTP Basic on every request.
        basic_auth = 'Basic T0NsaWVudDpjbDAxMjM0NQ=='

        # Missing params: no username/password at all.
        response = self.client.post(URL_TOKEN, {'grant_type': 'password'}, Authorization=basic_auth)
        self.assertEqual(response.status_code, 400)
        self.assertEqual(response.content_json['error'], 'invalid_request')

        # Invalid params: the request is well-formed but the grant is refused.
        rejected_form = {'grant_type': 'password', 'username': '******', 'password': '******'}
        response = self.client.post(URL_TOKEN, rejected_form, Authorization=basic_auth)
        self.assertEqual(response.status_code, 400)
        self.assertEqual(response.content_json['error'], 'invalid_grant')

        # Valid token by password request.
        accepted_form = {'grant_type': 'password', 'username': '******', 'password': '******'}
        response = self.client.post(URL_TOKEN, accepted_form, Authorization=basic_auth)

        self.assertEqual(response.status_code, 200)
        for expected_key in ('access_token', 'refresh_token', 'token_type', 'expires_in'):
            self.assertIn(expected_key, response.content_json)
    def test_token_by_client_credentials(self):
        """Client-credentials grant: token issued to the Basic-authenticated client.

        Expects an access token and token type, no refresh token, and a
        stored token that belongs to the client's owner.
        """
        owner = User(username='******')
        owner.set_password('12345')
        owner.save()

        oauth_client = Client(user=owner, title='OClient', identifier='OClient', password='******')
        oauth_client.save()

        RedirectionEndpoint(client=oauth_client, uri='http://redirect-test.com').save()
        Scope(identifier='scope1').save()

        # Valid token by client credentials request.
        form = {'grant_type': 'client_credentials', 'scope': 'scope1'}
        response = self.client.post(URL_TOKEN, form, Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        self.assertEqual(response.status_code, 200)
        self.assertIn('access_token', response.content_json)
        # This grant is expected to come back without a refresh token.
        self.assertNotIn('refresh_token', response.content_json)
        self.assertIn('token_type', response.content_json)

        issued = Token.objects.get(access_token=response.content_json['access_token'])
        self.assertEqual(owner, issued.user)
    def test_refresh_token_http_basic(self):
        """Refresh-token grant with the client authenticating via HTTP Basic.

        Covers a request without a refresh token, an unknown refresh token,
        a refresh token issued to a different client, and finally a valid
        refresh that must return new access and refresh token values.
        """

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        # client_1 is the client the Basic header below authenticates as
        # (OClient); client_2 exists only to own a token that must be refused.
        client_1 = Client(user=user_1, title='OClient', identifier='OClient', password='******')
        client_1.save()

        client_2 = Client(user=user_1, title='OGOClient', identifier='OGOClient', password='******')
        client_2.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        token_1 = Token(client=client_1, user=user_1)
        token_1.save()

        token_2 = Token(client=client_2, user=user_1)
        token_2.save()

        # Snapshot the original values so the post-refresh ones can be compared.
        date_issued = token_1.date_issued
        access_token = token_1.access_token
        refresh_token = token_1.refresh_token

        refresh_token_wrong_client = token_2.refresh_token

        # Missing required params.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'refresh_token'},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_request')

        # Invalid refresh token supplied.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'refresh_token', 'refresh_token': 'invalid'},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_grant')

        # Refresh token from another client is supplied.
        # The token is real (token_2) but was issued to client_2, so the
        # endpoint must refuse it for OClient: a refresh token stays bound
        # to the client it was issued to.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'refresh_token', 'refresh_token': refresh_token_wrong_client},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_grant')

        # Valid request.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'refresh_token', 'refresh_token': refresh_token},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        self.assertEqual(resp.status_code, 200)
        self.assertTrue('access_token' in resp.content_json)
        self.assertTrue('refresh_token' in resp.content_json)
        self.assertTrue('token_type' in resp.content_json)
        self.assertTrue('expires_in' not in resp.content_json)

        # Both token values must change on refresh, i.e. the old pair is not echoed back.
        self.assertNotEqual(access_token, resp.content_json['access_token'])
        self.assertNotEqual(refresh_token, resp.content_json['refresh_token'])

        # The stored record found under the new access token carries a new issue date.
        token_updated = Token.objects.get(access_token=resp.content_json['access_token'])
        self.assertNotEqual(date_issued, token_updated.date_issued)
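    def test_authorization_code_http_basic(self, settings, client, user):
        """Authorization-code flow with the client authenticating via HTTP Basic.

        Obtains a code through the authorize endpoint, checks that a token
        request with bad Basic credentials is answered with 401 and a
        ``WWW-Authenticate: Basic`` challenge, then redeems the same code
        with the valid credentials.
        """

        def login():
            return client.login(username=user.username, password='******')

        settings.DEBUG = True  # Bypass https requirement

        client_1 = Client(user=user, title='OClient', identifier='OClient', password='******')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        # Logging the user in. Checked, as in test_authorization_code_unsafe,
        # so a failed login is reported here and not as a confusing status
        # mismatch on the authorize request below.
        assert login()

        Scope(identifier='scope1').save()

        # Valid code request.
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'code', 'scope': 'scope1', 'client_id': client_1.identifier})

        assert resp.status_code == 200

        # User confirms auth.
        resp = client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        assert resp.status_code == 302
        params = parse_location_header(resp)
        assert 'code' in params

        # Auth code given.
        code = params['code']

        # Invalid token by code request: the Basic credentials do not identify the client.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'code': code, 'redirect_uri': redirect_1.uri},
            Authorization='Basic Tqrqwer==')

        assert resp.status_code == 401
        # Read the challenge through the public response API rather than the
        # private ``_headers`` mapping, which newer Django releases no longer provide.
        assert resp.has_header('WWW-Authenticate')
        assert resp['WWW-Authenticate'] == 'Basic'

        # Valid token by code request. The code from above is reused, so the
        # failed client authentication must not have consumed it.
        # HTTP Basic data - OClient:cl012345 --> T0NsaWVudDpjbDAxMjM0NQ==
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': code, 'redirect_uri': redirect_1.uri},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        assert resp.status_code == 200
        assert 'access_token' in resp.content_json
        assert 'refresh_token' in resp.content_json
        assert 'token_type' in resp.content_json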
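    def test_authorization_code_http_basic(self):
        """Authorization-code flow with the client authenticating via HTTP Basic.

        A token request with bad Basic credentials must get 401 plus a
        ``WWW-Authenticate: Basic`` challenge; the same code is then
        redeemed with the valid credentials.
        """

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        client_1 = Client(user=user_1, title='OClient', identifier='OClient', password='******')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        # NOTE(review): this assigns to the settings object directly and is never
        # restored in this method, so DEBUG=True may leak into later tests — confirm
        # that is intended. The pytest variant's comment says DEBUG bypasses the
        # HTTPS requirement.
        settings.DEBUG = True

        # Logging the user in.
        self.client.login(username='******', password='******')

        Scope(identifier='scope1').save()

        # Valid code request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'scope': 'scope1',
                                               'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User confirms auth.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(resp.status_code, 302)
        params = parse_location_header(resp)
        self.assertIn('code', params)

        # Auth code given.
        code = params['code']

        # Invalid token by code request: the Basic credentials do not identify the client.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': code,
                                            'redirect_uri': redirect_1.uri},
                                Authorization='Basic Tqrqwer==')
        self.assertEqual(resp.status_code, 401)
        # Use the public response API rather than the private ``_headers``
        # mapping, which newer Django releases no longer provide.
        self.assertTrue(resp.has_header('WWW-Authenticate'))
        self.assertEqual(resp['WWW-Authenticate'], 'Basic')

        # Valid token by code request; the code from above is reused.
        # HTTP Basic data - OClient:cl012345 --> T0NsaWVudDpjbDAxMjM0NQ==
        resp = self.client.post(
            URL_TOKEN, {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': code,
                        'redirect_uri': redirect_1.uri},
            Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 200)
        self.assertIn('access_token', resp.content_json)
        self.assertIn('refresh_token', resp.content_json)
        self.assertIn('token_type', resp.content_json)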
    def test_authorization_code_unsafe(self, settings, client, user):
        """Authorization-code flow with client credentials sent in the request body.

        Unlike the HTTP Basic variant, the token request carries ``client_id``
        and ``client_secret`` as form fields and no ``Authorization`` header.
        """
        settings.DEBUG = True  # Bypass https requirement

        oauth_client = Client(user=user, title='OClient')
        oauth_client.save()

        endpoint = RedirectionEndpoint(client=oauth_client, uri='http://redirect-test.com')
        endpoint.save()

        Scope(identifier='scope1').save()

        # Logging the user in.
        assert client.login(username=user.username, password='******')

        # Valid code request.
        authorize_query = {'response_type': 'code', 'scope': 'scope1', 'client_id': oauth_client.identifier}
        response = client.get(URL_AUTHORIZE, authorize_query)
        assert response.status_code == 200

        # User confirms auth.
        response = client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        assert response.status_code == 302

        redirect_params = parse_location_header(response)
        assert 'code' in redirect_params

        # Auth code given.
        auth_code = redirect_params['code']

        # Valid token by code request; the secret travels as an ordinary form field.
        token_form = {
            'grant_type': 'authorization_code',
            'scope': 'scope1',
            'code': auth_code,
            'redirect_uri': endpoint.uri,
            'client_id': oauth_client.identifier,
            'client_secret': oauth_client.password,
        }
        response = client.post(URL_TOKEN, token_form)

        assert response.status_code == 200
        payload = response.content_json
        assert 'access_token' in payload
        assert 'refresh_token' in payload
        assert 'token_type' in payload
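    def test_authorization_code_http_basic(self):
        """Authorization-code flow with the client authenticating via HTTP Basic.

        A token request with bad Basic credentials must get 401 plus a
        ``WWW-Authenticate: Basic`` challenge; the same code is then
        redeemed with the valid credentials.
        """

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        client_1 = Client(user=user_1, title='OClient', identifier='OClient', password='******')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        # Logging the user in.
        self.client.login(username='******', password='******')

        # Valid code request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User confirms auth.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(resp.status_code, 302)
        params = parse_location_header(resp)
        self.assertIn('code', params)

        # Auth code given.
        code = params['code']

        # Invalid token by code request: the Basic credentials do not identify the client.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': code,
                                             'redirect_uri': redirect_1.uri},
                                Authorization='Basic Tqrqwer==')
        self.assertEqual(resp.status_code, 401)
        # Use the public response API rather than the private ``_headers``
        # mapping, which newer Django releases no longer provide.
        self.assertTrue(resp.has_header('WWW-Authenticate'))
        self.assertEqual(resp['WWW-Authenticate'], 'Basic')

        # Valid token by code request; the code from above is reused.
        # HTTP Basic data - OClient:cl012345 --> T0NsaWVudDpjbDAxMjM0NQ==
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': code,
                                             'redirect_uri': redirect_1.uri},
                                Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')
        self.assertEqual(resp.status_code, 200)
        self.assertIn('access_token', resp.content_json)
        self.assertIn('refresh_token', resp.content_json)
        self.assertIn('token_type', resp.content_json)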
    def test_authorization_code_unsafe(self):
        """Authorization-code flow with client credentials sent in the request body.

        The token request carries ``client_id`` and ``client_secret`` as form
        fields and no ``Authorization`` header.
        """
        owner = User(username='******')
        owner.set_password('12345')
        owner.save()

        oauth_client = Client(user=owner, title='OClient')
        oauth_client.save()

        endpoint = RedirectionEndpoint(client=oauth_client, uri='http://redirect-test.com')
        endpoint.save()

        Scope(identifier='scope1').save()

        # Logging the user in.
        self.client.login(username='******', password='******')

        # Valid code request.
        authorize_query = {'response_type': 'code', 'scope': 'scope1', 'client_id': oauth_client.identifier}
        response = self.client.get(URL_AUTHORIZE, authorize_query)
        self.assertEqual(response.status_code, 200)

        # User confirms auth.
        response = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(response.status_code, 302)
        redirect_params = parse_location_header(response)
        self.assertIn('code', redirect_params)

        # Auth code given.
        auth_code = redirect_params['code']

        # Valid token by code request; the secret travels as an ordinary form field.
        token_form = {
            'grant_type': 'authorization_code',
            'scope': 'scope1',
            'code': auth_code,
            'redirect_uri': endpoint.uri,
            'client_id': oauth_client.identifier,
            'client_secret': oauth_client.password,
        }
        response = self.client.post(URL_TOKEN, token_form)

        self.assertEqual(response.status_code, 200)
        for expected_key in ('access_token', 'refresh_token', 'token_type'):
            self.assertIn(expected_key, response.content_json)
    def test_token_by_user_credentials(self, settings, client, user):
        """Password grant: missing, rejected and accepted resource-owner credentials."""
        settings.DEBUG = True

        # NOTE(review): token_lifetime is set here and 'expires_in' is asserted
        # below — presumably related; confirm against the Client model.
        oauth_client = Client(user=user, title='OClient', identifier='OClient', password='******', token_lifetime=15)
        oauth_client.save()

        RedirectionEndpoint(client=oauth_client, uri='http://redirect-test.com').save()
        Scope(identifier='scope1').save()

        # The OAuth client itself authenticates with HTTP Basic on every request.
        basic_auth = 'Basic T0NsaWVudDpjbDAxMjM0NQ=='

        # Missing params.
        response = client.post(URL_TOKEN, {'grant_type': 'password', 'scope': 'scope1'}, Authorization=basic_auth)
        assert response.status_code == 400
        assert response.content_json['error'] == 'invalid_request'

        # Invalid params.
        rejected_form = {'grant_type': 'password', 'scope': 'scope1', 'username': '******', 'password': '******'}
        response = client.post(URL_TOKEN, rejected_form, Authorization=basic_auth)
        assert response.status_code == 400
        assert response.content_json['error'] == 'invalid_grant'

        # Valid token by password request.
        accepted_form = {
            'grant_type': 'password',
            'scope': 'scope1',
            'username': user.username,
            'password': '******',
        }
        response = client.post(URL_TOKEN, accepted_form, Authorization=basic_auth)

        assert response.status_code == 200
        for expected_key in ('access_token', 'refresh_token', 'token_type', 'expires_in'):
            assert expected_key in response.content_json
    def test_authorization_code_unsafe(self):
        """Authorization-code flow with client credentials sent in the request body.

        No scope is requested in this variant; the token request carries
        ``client_id`` and ``client_secret`` as form fields and no
        ``Authorization`` header.
        """
        owner = User(username='******')
        owner.set_password('12345')
        owner.save()

        oauth_client = Client(user=owner, title='OClient')
        oauth_client.save()

        endpoint = RedirectionEndpoint(client=oauth_client, uri='http://redirect-test.com')
        endpoint.save()

        # Logging the user in.
        self.client.login(username='******', password='******')

        # Valid code request.
        authorize_query = {'response_type': 'code', 'client_id': oauth_client.identifier}
        response = self.client.get(URL_AUTHORIZE, authorize_query)
        self.assertEqual(response.status_code, 200)

        # User confirms auth.
        response = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(response.status_code, 302)
        redirect_params = parse_location_header(response)
        self.assertIn('code', redirect_params)

        # Auth code given.
        auth_code = redirect_params['code']

        # Valid token by code request; the secret travels as an ordinary form field.
        token_form = {
            'grant_type': 'authorization_code',
            'code': auth_code,
            'redirect_uri': endpoint.uri,
            'client_id': oauth_client.identifier,
            'client_secret': oauth_client.password,
        }
        response = self.client.post(URL_TOKEN, token_form)

        self.assertEqual(response.status_code, 200)
        for expected_key in ('access_token', 'refresh_token', 'token_type'):
            self.assertIn(expected_key, response.content_json)
    def test_token_by_client_credentials(self):
        """Client-credentials grant without a scope: access token, no refresh token."""
        owner = User(username='******')
        owner.set_password('12345')
        owner.save()

        oauth_client = Client(user=owner, title='OClient', identifier='OClient', password='******')
        oauth_client.save()

        RedirectionEndpoint(client=oauth_client, uri='http://redirect-test.com').save()

        # Valid token by client credentials request.
        form = {'grant_type': 'client_credentials'}
        response = self.client.post(URL_TOKEN, form, Authorization='Basic T0NsaWVudDpjbDAxMjM0NQ==')

        self.assertEqual(response.status_code, 200)
        self.assertIn('access_token', response.content_json)
        # This grant is expected to come back without a refresh token.
        self.assertNotIn('refresh_token', response.content_json)
        self.assertIn('token_type', response.content_json)

        # The stored token must point at the user that owns the client.
        issued = Token.objects.get(access_token=response.content_json['access_token'])
        self.assertEqual(owner, issued.user)
    def test_grant_authorization_code(self, settings, client, user):
        """Token endpoint, authorization_code grant: error paths, then one success.

        Walks through the secure-connection check, an unsupported grant type,
        missing client authentication, missing/invalid ``code`` and
        ``redirect_uri`` combinations, a valid exchange, and a final request
        expected to fail with ``invalid_grant``. Client credentials are sent
        as ``client_id``/``client_secret`` form fields throughout.
        """

        # Secure connection check
        # With DEBUG off the endpoint answers 403 to this request.
        with settings(DEBUG=False):
            resp = client.get(URL_TOKEN, {})
            assert resp.status_code == 403

        # From here on DEBUG stays on for the rest of the test.
        settings.DEBUG = True

        resp = client.post(URL_TOKEN, {'grant_type': 'a'})
        assert resp.status_code == 400
        assert resp.content_json['error'] == 'unsupported_grant_type'

        client_1 = Client(user=user, title='OClient')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        # The code is created directly in the database, bound to client_1 and
        # redirect_1.uri, instead of going through the authorize endpoint.
        code_1 = AuthorizationCode(user=user, client=client_1, uri=redirect_1.uri)
        code_1.save()

        Scope(identifier='scope1').save()

        # Missing client authentication data.
        resp = client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'scope': 'scope1'})
        assert resp.status_code == 401
        assert resp.content_json['error'] == 'invalid_client'

        # Missing all required params.
        resp = client.post(
            URL_TOKEN, 
            {'grant_type': 'authorization_code', 'scope': 'scope1', 
             'client_id': client_1.identifier, 'client_secret': client_1.password})
        
        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_request'

        # Missing redirect URI.
        resp = client.post(
            URL_TOKEN, 
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': 'wrong_code',
             'client_id': client_1.identifier, 'client_secret': client_1.password})
        
        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_request'

        # Missing code.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1',
             'redirect_uri': 'http://wrong-url.com', 'client_id': client_1.identifier,
             'client_secret': client_1.password})

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_request'

        # Wrong code.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': 'invalid',
             'redirect_uri': 'http://localhost:8000/abc/',
             'client_id': client_1.identifier, 'client_secret': client_1.password})

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_grant'

        # Wrong URI.
        # The code is genuine but the redirect_uri differs from the one stored
        # with it, so the exchange must be refused.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': code_1.code,
             'redirect_uri': 'http://wrong-url.com/', 'client_id': client_1.identifier,
             'client_secret': client_1.password})

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_grant'

        # Valid call for a token.
        # The two rejected attempts above used or named this client's code
        # and it is still redeemable here.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': code_1.code,
             'redirect_uri': redirect_1.uri, 'client_id': client_1.identifier, 'client_secret': client_1.password})

        assert resp.status_code == 200
        assert 'access_token' in resp.content_json
        assert 'refresh_token' in resp.content_json
        assert 'token_type' in resp.content_json

        # An additional call for code issues token and code invalidation.
        # NOTE(review): this request sends the literal code '1234567' and a
        # redirect_uri other than redirect_1.uri, not code_1.code, so as written
        # it looks like another unknown-code check rather than a replay of the
        # code redeemed above. Confirm the intent; pinning single-use behaviour
        # would need code_1.code and redirect_1.uri posted a second time.
        resp = client.post(
            URL_TOKEN,
            {'grant_type': 'authorization_code', 'scope': 'scope1', 'code': '1234567',
             'redirect_uri': 'http://localhost:8000/abc/',
             'client_id': client_1.identifier, 'client_secret': client_1.password})

        assert resp.status_code == 400
        assert resp.content_json['error'] == 'invalid_grant'
    def test_refresh_token_http_basic(self, settings, client, user):
        """Refresh-token grant over HTTP Basic: error cases, then a successful refresh.

        The successful refresh must hand back access and refresh token values
        that differ from the ones stored before the call.
        """
        settings.DEBUG = True

        # own_client matches the Basic header used below (OClient);
        # other_client only exists to own a token that must be refused.
        own_client = Client(user=user, title='OClient', identifier='OClient', password='******')
        own_client.save()

        other_client = Client(user=user, title='OGOClient', identifier='OGOClient', password='******')
        other_client.save()

        RedirectionEndpoint(client=own_client, uri='http://redirect-test.com').save()

        own_token = Token(client=own_client, user=user)
        own_token.save()

        foreign_token = Token(client=other_client, user=user)
        foreign_token.save()

        # Snapshot the original values for the comparisons at the end.
        issued_before = own_token.date_issued
        old_access = own_token.access_token
        old_refresh = own_token.refresh_token
        foreign_refresh = foreign_token.refresh_token

        basic_auth = 'Basic T0NsaWVudDpjbDAxMjM0NQ=='

        def post_refresh(form):
            return client.post(URL_TOKEN, form, Authorization=basic_auth)

        # Missing required params.
        response = post_refresh({'grant_type': 'refresh_token'})
        assert response.status_code == 400
        assert response.content_json['error'] == 'invalid_request'

        # Invalid refresh token supplied.
        response = post_refresh({'grant_type': 'refresh_token', 'refresh_token': 'invalid'})
        assert response.status_code == 400
        assert response.content_json['error'] == 'invalid_grant'

        # Refresh token from another client is supplied: it is a real token,
        # but it was issued to other_client and must not work for OClient.
        response = post_refresh({'grant_type': 'refresh_token', 'refresh_token': foreign_refresh})
        assert response.status_code == 400
        assert response.content_json['error'] == 'invalid_grant'

        # Valid request.
        response = post_refresh({'grant_type': 'refresh_token', 'refresh_token': old_refresh})

        assert response.status_code == 200
        for expected_key in ('access_token', 'refresh_token', 'token_type'):
            assert expected_key in response.content_json
        assert 'expires_in' not in response.content_json

        # Both values must change on refresh.
        assert old_access != response.content_json['access_token']
        assert old_refresh != response.content_json['refresh_token']

        refreshed = Token.objects.get(access_token=response.content_json['access_token'])
        assert issued_before != refreshed.date_issued
    def test_auth(self):
        """Authorize endpoint: login and transport checks, parameter validation,
        then the code and implicit (token) flows.

        The GET to the authorize URL and the following POST with the user's
        decision form one flow, so the order of the requests matters.
        """

        # User is not logged in.
        resp = self.client.get(URL_AUTHORIZE, {'client_id': '100'})
        self.assertEqual(resp.status_code, 302)

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        # Logging the user in.
        self.client.login(username='******', password='******')

        # Secure connection check
        # NOTE(review): DEBUG is flipped on the settings object itself. If the
        # assertion below fails, DEBUG stays False; on success it is left True
        # after this test. Either way the value may leak into other tests —
        # confirm that is acceptable.
        settings.DEBUG = False
        resp = self.client.get(URL_AUTHORIZE, {})
        self.assertEqual(resp.status_code, 403)
        settings.DEBUG = True

        # Missing client id.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code'})
        self.assertEqual(resp.status_code, 400)

        # Missing response type.
        resp = self.client.get(URL_AUTHORIZE, {'client_id': '100'})
        self.assertEqual(resp.status_code, 400)

        # Wrong response type
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'habrahabr'})
        self.assertEqual(resp.status_code, 400)

        # Invalid client id.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'client_id': 'invalid'})
        self.assertEqual(resp.status_code, 400)

        # client_1 has a single registered redirect URI; client_2 has two.
        client_1 = Client(user=user_1, title='OClient', identifier='cl012345')
        client_1.save()

        client_2 = Client(user=user_1, title='OGOClient')
        client_2.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        redirect_2 = RedirectionEndpoint(client=client_2, uri='http://redirect-test1.com')
        redirect_2.save()

        redirect_3 = RedirectionEndpoint(client=client_2, uri='http://redirect-test2.com')
        redirect_3.save()

        # Client 2 - No redirect URI in request.
        # With two registered URIs the request must say which one to use.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'client_id': client_2.identifier})
        self.assertEqual(resp.status_code, 400)

        # Client 2 - Unknown URI in request.
        # A redirect_uri that is not registered for the client is answered
        # with 400 rather than a redirect.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'redirect_uri': 'http://noitisnot.com', 'client_id': client_2.identifier})
        self.assertEqual(resp.status_code, 400)

        # Valid code request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User declines auth.
        # No 'confirmed' field is posted; the redirect must carry access_denied.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made'})
        self.assertEqual(resp.status_code, 302)
        self.assertEqual(parse_location_header(resp)['error'], 'access_denied')

        # Again Valid code request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'code', 'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User confirms auth.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(resp.status_code, 302)
        self.assertIn('code', parse_location_header(resp))

        # ============= Implicit grant tests.

        # Valid token request.
        resp = self.client.get(URL_AUTHORIZE, {'response_type': 'token', 'client_id': client_1.identifier})
        self.assertEqual(resp.status_code, 200)

        # User confirms token grant.
        resp = self.client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        self.assertEqual(resp.status_code, 302)
        # NOTE(review): the extra True argument presumably makes the helper read
        # the URL fragment instead of the query string — confirm against
        # parse_location_header.
        params = parse_location_header(resp, True)
        self.assertIn('access_token', params)
        self.assertIn('token_type', params)
    def test_auth(self, settings, client, user):

        def login():
            return client.login(username=user.username, password='******')

        # User is not logged in, redirect to login page
        resp = client.get(URL_AUTHORIZE, {'client_id': '100'})
        assert resp.status_code == 302

        # Logging the user in.
        assert login()

        # Secure connection check
        resp = client.get(URL_AUTHORIZE, {})
        assert resp.status_code == 403

        settings.DEBUG = True

        client_1 = Client(user=user, title='OClient', identifier='cl012345')
        client_1.save()

        client_2 = Client(user=user, title='OGOClient')
        client_2.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        redirect_2 = RedirectionEndpoint(client=client_2, uri='http://redirect-test1.com')
        redirect_2.save()

        redirect_3 = RedirectionEndpoint(client=client_2, uri='http://redirect-test2.com')
        redirect_3.save()

        Scope(identifier='scope1').save()

        # Missing client id.
        login()
        resp = client.get(URL_AUTHORIZE, {'response_type': 'code', 'scope': 'scope1'})
        assert resp.status_code == 400

        # Invalid client id.
        login()
        resp = client.get(URL_AUTHORIZE, {'response_type': 'code', 'scope': 'scope1', 'client_id': 'invalid'})
        assert resp.status_code == 400

        # Client 2 - No redirect URI in request.
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'code', 'scope': 'scope1', 'client_id': client_2.identifier})

        assert resp.status_code == 400

        # Client 2 - Unknown URI in request.
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'code', 'scope': 'scope1',
             'redirect_uri': 'http://noitisnot.com', 'client_id': client_2.identifier})

        assert resp.status_code == 400

        # Missing response type.
        login()
        resp = client.get(URL_AUTHORIZE, {'client_id': client_1.identifier, 'state': 'abc', 'scope': 'scope1'})
        assert resp.status_code == 302
        assert parse_location_header(resp)['error'] == 'unsupported_response_type'
        assert parse_location_header(resp)['state'] == 'abc'

        # Wrong response type
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'client_id': client_1.identifier, 'response_type': 'habrahabr', 'state': 'abc', 'scope': 'scope1'})

        assert resp.status_code == 302
        assert parse_location_header(resp)['error'] == 'unsupported_response_type'
        assert parse_location_header(resp)['state'] == 'abc'

        # Valid code request.
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'code', 'scope': 'scope1', 'state': 'somestate', 'client_id': client_1.identifier})
        assert resp.status_code == 200

        # User declines auth.
        resp = client.post(URL_AUTHORIZE, {'auth_decision': 'is_made'})
        assert resp.status_code == 302
        assert parse_location_header(resp)['error'] == 'access_denied'

        # Again Valid code request.
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'code', 'scope': 'scope1', 'state': 'somestatetwo', 'client_id': client_1.identifier})
        assert resp.status_code == 200

        # User confirms auth.
        resp = client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        assert resp.status_code == 302
        assert 'code' in parse_location_header(resp)
        assert parse_location_header(resp)['state'] == 'somestatetwo'

        # ============= Implicit grant tests.

        # Valid token request.
        login()
        resp = client.get(
            URL_AUTHORIZE,
            {'response_type': 'token', 'scope': 'scope1',
             'state': 'some_state_three', 'client_id': client_1.identifier})

        assert resp.status_code == 200

        # User confirms token grant.
        resp = client.post(URL_AUTHORIZE, {'auth_decision': 'is_made', 'confirmed': 'yes'})
        assert resp.status_code == 302

        params = parse_location_header(resp, True)
        assert 'access_token' in params
        assert 'token_type' in params
        assert params['state'] == 'some_state_three'
    def test_grant_authorization_code(self):
        """Exercise the token endpoint with ``grant_type=authorization_code``.

        The requests below run in order against the same database state:
        a transport check, an unsupported grant type, a missing client
        authentication, a series of malformed or mismatching requests, one
        successful exchange, and a final request that is expected to fail.
        Each step asserts the HTTP status and, for errors, the ``error``
        field of the JSON body.
        """

        # Secure connection check
        # With DEBUG off the plain test-client request is answered with 403;
        # presumably the endpoint refuses non-HTTPS requests outside debug mode.
        # NOTE(review): settings.DEBUG is assigned directly and left at True when
        # the test ends (and at False if the 403 assertion fails), so the value
        # may leak into other tests - confirm how the suite resets settings.
        settings.DEBUG = False
        resp = self.client.get(URL_TOKEN, {})
        self.assertEqual(resp.status_code, 403)
        settings.DEBUG = True

        # Unknown grant type is rejected before any client authentication is looked at.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'a'})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'unsupported_grant_type')

        user_1 = User(username='******')
        user_1.set_password('12345')
        user_1.save()

        # identifier and password are not passed in; they are read back from the
        # instance below, so they are presumably generated by the model - confirm.
        client_1 = Client(user=user_1, title='OClient')
        client_1.save()

        redirect_1 = RedirectionEndpoint(client=client_1, uri='http://redirect-test.com')
        redirect_1.save()

        # The authorization code is created directly in the database, bound to the
        # user, the client and the redirect URI, instead of going through the
        # authorization endpoint.
        code_1 = AuthorizationCode(user=user_1, client=client_1, uri=redirect_1.uri)
        code_1.save()

        # Missing client authentication data.
        # No client_id/client_secret and no Authorization header: 401 invalid_client.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code'})
        self.assertEqual(resp.status_code, 401)
        self.assertEqual(resp.content_json['error'], 'invalid_client')

        # Missing all required params.
        # From here on the client authenticates with credentials in the request body.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'client_id': client_1.identifier,
                                             'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_request')

        # Missing redirect URI.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': 'wrong_code',
                                             'client_id': client_1.identifier, 'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_request')

        # Missing code.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'redirect_uri': 'http://wrong-url.com',
                                             'client_id': client_1.identifier, 'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_request')

        # Wrong code.
        # Both parameters are present but the code value is unknown: invalid_grant.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': 'invalid',
                                             'redirect_uri': 'http://localhost:8000/abc/',
                                             'client_id': client_1.identifier, 'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_grant')

        # Wrong URI.
        # The code is the real one, but redirect_uri differs from the URI stored
        # with it. This is the redirect-URI binding of RFC 6749 section 4.1.3: a
        # code must only be redeemable with the URI it was issued for.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': code_1.code,
                                             'redirect_uri': 'http://wrong-url.com/', 'client_id': client_1.identifier,
                                             'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_grant')

        # Valid call for a token.
        # Unlike the client-credentials test earlier in this file, this grant is
        # expected to return a refresh token as well.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': code_1.code,
                                             'redirect_uri': redirect_1.uri, 'client_id': client_1.identifier,
                                             'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 200)
        self.assertTrue('access_token' in resp.content_json)
        self.assertTrue('refresh_token' in resp.content_json)
        self.assertTrue('token_type' in resp.content_json)

        # An additional call for code issues token and code invalidation.
        # NOTE(review): this request sends the literal code '1234567' and a
        # redirect_uri other than redirect_1.uri, not code_1.code with its URI.
        # Unless code_1.code happens to be '1234567', the invalid_grant response
        # would be returned for an unknown code too, so single use of the redeemed
        # code (RFC 6749 section 4.1.2) and revocation of the tokens issued from it
        # are not demonstrated here. A replay of code_1.code with redirect_1.uri,
        # followed by a check that the issued token no longer exists, would cover
        # it - confirm against the view before changing the assertion.
        resp = self.client.post(URL_TOKEN, {'grant_type': 'authorization_code', 'code': '1234567',
                                             'redirect_uri': 'http://localhost:8000/abc/',
                                             'client_id': client_1.identifier, 'client_secret': client_1.password})
        self.assertEqual(resp.status_code, 400)
        self.assertEqual(resp.content_json['error'], 'invalid_grant')