def test_userinfo_endpoint():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO)
cons.debug = True
cons.client_secret = "drickyoughurt"
cons.config["response_type"] = ["token"]
cons.config["request_method"] = "parameter"
cons.keyjar[""] = KC_RSA
location = cons.begin("openid", "token", path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
line = resp.message
path, query = line.split("?")
# redirect
atr = AuthorizationResponse().deserialize(query, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
resp3 = server.userinfo_endpoint(request=uir.to_urlencoded())
ident = OpenIDSchema().deserialize(resp3.message, "json")
print ident.keys()
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
assert ident["sub"] == USERDB["username"]["sub"]
def setup_userinfo_endpoint(self):
cons = Consumer({}, CONSUMER_CONFIG, {"client_id": CLIENT_ID},
server_info=SERVER_INFO, )
cons.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]}
cons.keyjar[""] = KC_RSA
cons.client_secret = "drickyoughurt"
state, location = cons.begin("openid", "token",
path=TestConfiguration.get_instance().rp_base)
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
# redirect
atr = AuthorizationResponse().deserialize(
urlparse(resp.message).fragment, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded())
responses.add(
responses.POST,
self.op_base + "userinfo",
body=resp.message,
status=200,
content_type='application/json')
def setup_userinfo_endpoint(self):
cons = Consumer(
{},
CONSUMER_CONFIG,
{"client_id": CLIENT_ID},
server_info=SERVER_INFO,
)
cons.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
cons.keyjar[""] = KC_RSA
cons.client_secret = "drickyoughurt"
state, location = cons.begin(
"openid", "token", path=TestConfiguration.get_instance().rp_base)
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
# redirect
atr = AuthorizationResponse().deserialize(
urlparse(resp.message).fragment, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"],
schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded())
responses.add(responses.POST,
self.op_base + "userinfo",
body=resp.message,
status=200,
content_type='application/json')
def test_userinfo_endpoint():
server = provider_init
_session_db = {}
cons = Consumer(_session_db,
CONSUMER_CONFIG,
CLIENT_CONFIG,
server_info=SERVER_INFO)
cons.debug = True
cons.client_secret = "drickyoughurt"
cons.config["response_type"] = ["token"]
cons.config["request_method"] = "parameter"
cons.keyjar[""] = KC_RSA
state, location = cons.begin("openid",
"token",
path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
line = resp.message
path, query = line.split("#")
# redirect
atr = AuthorizationResponse().deserialize(query, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
resp3 = server.userinfo_endpoint(request=uir.to_urlencoded())
ident = OpenIDSchema().deserialize(resp3.message, "json")
print ident.keys()
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
def test_userinfo_endpoint(self):
self.cons.client_secret = "drickyoughurt"
self.cons.config["response_type"] = ["token"]
self.cons.config["request_method"] = "parameter"
state, location = self.cons.begin("openid",
"token",
path="http://localhost:8087")
resp = self.server.authorization_endpoint(
request=location.split("?")[1])
line = resp.message
path, query = line.split("#")
# redirect
atr = AuthorizationResponse().deserialize(query, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"],
schema="openid")
resp3 = self.server.userinfo_endpoint(request=uir.to_urlencoded())
ident = OpenIDSchema().deserialize(resp3.message, "json")
print ident.keys()
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
def test_scope_who_am_i(provider):
registration_params = {
"application_type": "web",
"response_types": ["code", "token"],
"redirect_uris": "http://example.org"
}
reg_req = RegistrationRequest(**registration_params)
resp = provider.registration_endpoint(reg_req.to_urlencoded())
reg_resp = RegistrationResponse().from_json(resp.message)
auth_req = AuthorizationRequest(
**{
"client_id": reg_resp["client_id"],
"scope": "openid who_am_i",
"response_type": "code token",
"redirect_uri": "http://example.org",
"state": "state0",
"nonce": "nonce0"
})
resp = provider.authorization_endpoint(auth_req.to_urlencoded())
auth_resp = AuthorizationResponse().from_urlencoded(resp.message)
userinfo_req = UserInfoRequest(
**{"access_token": auth_resp["access_token"]})
resp = provider.userinfo_endpoint(userinfo_req.to_urlencoded())
userinfo_resp = AuthorizationResponse().from_json(resp.message)
assert userinfo_resp["given_name"] == "Bruce"
assert userinfo_resp["family_name"] == "Lee"
def test_userinfo_endpoint_malformed(self):
uir = UserInfoRequest(schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded(),
authn='Not a token')
assert json.loads(resp.message) == {'error_description': 'Token is malformed',
'error': 'invalid_request'}
def test_userinfo_endpoint_malformed(self):
uir = UserInfoRequest(schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded(),
authn='Not a token')
assert json.loads(resp.message) == {
'error_description': 'Token is malformed',
'error': 'invalid_request'}
def test_parse_userinfo_requesr(self):
uireq = UserInfoRequest(access_token="access_token")
uencq = uireq.to_urlencoded()
qdict = self.srv.parse_user_info_request(data=uencq)
assert _eq(qdict.keys(), ['access_token'])
assert qdict["access_token"] == "access_token"
url = "https://example.org/userinfo?{}".format(uencq)
qdict = self.srv.parse_user_info_request(data=url)
assert _eq(qdict.keys(), ['access_token'])
assert qdict["access_token"] == "access_token"
def test_parse_userinfo_requesr(self):
uireq = UserInfoRequest(access_token="access_token")
uencq = uireq.to_urlencoded()
qdict = self.srv.parse_user_info_request(data=uencq)
assert _eq(qdict.keys(), ["access_token"])
assert qdict["access_token"] == "access_token"
url = "https://example.org/userinfo?{}".format(uencq)
qdict = self.srv.parse_user_info_request(data=url)
assert _eq(qdict.keys(), ["access_token"])
assert qdict["access_token"] == "access_token"
def get_userinfo_claims(self,
access_token,
endpoint,
method="POST",
schema_class=OpenIDSchema,
**kwargs):
uir = UserInfoRequest(access_token=access_token)
h_args = dict([(k, v) for k, v in kwargs.items() if k in HTTP_ARGS])
if "authn_method" in kwargs:
http_args = self.init_authentication_method(**kwargs)
else:
# If nothing defined this is the default
http_args = self.init_authentication_method(
uir, "bearer_header", **kwargs)
h_args.update(http_args)
path, body, kwargs = self.get_or_post(endpoint, method, uir, **kwargs)
try:
resp = self.http_request(path, method, data=body, **h_args)
except oauth2.MissingRequiredAttribute:
raise
if resp.status_code == 200:
assert "application/json" in resp.headers["content-type"]
elif resp.status_code == 500:
raise PyoidcError("ERROR: Something went wrong: %s" % resp.text)
else:
raise PyoidcError("ERROR: Something went wrong [%s]" %
resp.status_code)
return schema_class().from_json(txt=resp.text)
def test_userinfo_endpoint_authn(self):
self.cons.client_secret = "drickyoughurt"
self.cons.config["response_type"] = ["token"]
self.cons.config["request_method"] = "parameter"
state, location = self.cons.begin("openid", "token", path="http://localhost:8087")
resp = self.provider.authorization_endpoint(request=urlparse(location).query)
# redirect
atr = AuthorizationResponse().deserialize(urlparse(resp.message).fragment, "urlencoded")
uir = UserInfoRequest(schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded(), authn="Bearer " + atr["access_token"])
ident = OpenIDSchema().deserialize(resp.message, "json")
assert _eq(ident.keys(), ["nickname", "sub", "name", "email"])
def test_userinfo_endpoint():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO)
cons.debug = True
cons.client_secret = "drickyoughurt"
cons.config["response_type"] = ["token"]
cons.config["request_method"] = "parameter"
cons.keyjar[""] = KC_RSA
environ = BASE_ENVIRON
location = cons.begin(environ, start_response)
environ = BASE_ENVIRON.copy()
environ["QUERY_STRING"] = location.split("?")[1]
resp = server.authorization_endpoint(environ, start_response)
sid = resp[0][len("<form>"):-len("</form>")]
environ2 = create_return_form_env("user", "password", sid)
resp2 = server.authenticated(environ2, start_response)
line = resp2[0]
start = line.index("<title>")
start += len("<title>Redirecting to ")
stop = line.index("</title>")
path, query = line[start:stop].split("?")
# redirect
atr = AuthorizationResponse().deserialize(query, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
environ = BASE_ENVIRON.copy()
environ["QUERY_STRING"] = uir.to_urlencoded()
resp3 = server.userinfo_endpoint(environ, start_response)
ident = OpenIDSchema().deserialize(resp3[0], "json")
print ident.keys()
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
assert ident["sub"] == USERDB["user"]["sub"]
def test_userinfo_endpoint_authn(self):
self.cons.client_secret = "drickyoughurt"
self.cons.config["response_type"] = ["token"]
self.cons.config["request_method"] = "parameter"
state, location = self.cons.begin("openid", "token",
path="http://localhost:8087")
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
# redirect
atr = AuthorizationResponse().deserialize(
urlparse(resp.message).fragment, "urlencoded")
uir = UserInfoRequest(schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded(),
authn='Bearer ' + atr[
'access_token'])
ident = OpenIDSchema().deserialize(resp.message, "json")
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
def test_scope_who_am_i(provider):
registration_params = {
"application_type": "web",
"response_types": ["code", "token"],
"redirect_uris": "http://example.org"}
reg_req = RegistrationRequest(**registration_params)
resp = provider.registration_endpoint(reg_req.to_urlencoded())
reg_resp = RegistrationResponse().from_json(resp.message)
auth_req = AuthorizationRequest(
**{"client_id": reg_resp["client_id"], "scope": "openid who_am_i",
"response_type": "code token",
"redirect_uri": "http://example.org", "state": "state0", "nonce": "nonce0"})
resp = provider.authorization_endpoint(auth_req.to_urlencoded())
auth_resp = AuthorizationResponse().from_urlencoded(resp.message)
userinfo_req = UserInfoRequest(**{"access_token": auth_resp["access_token"]})
resp = provider.userinfo_endpoint(userinfo_req.to_urlencoded())
userinfo_resp = AuthorizationResponse().from_json(resp.message)
assert userinfo_resp["given_name"] == "Bruce"
assert userinfo_resp["family_name"] == "Lee"
def test_userinfo_endpoint(self):
self.cons.client_secret = "drickyoughurt"
self.cons.config["response_type"] = ["token"]
self.cons.config["request_method"] = "parameter"
state, location = self.cons.begin("openid", "token",
path="http://localhost:8087")
resp = self.server.authorization_endpoint(request=location.split("?")[1])
line = resp.message
path, query = line.split("#")
# redirect
atr = AuthorizationResponse().deserialize(query, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
resp3 = self.server.userinfo_endpoint(request=uir.to_urlencoded())
ident = OpenIDSchema().deserialize(resp3.message, "json")
print ident.keys()
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
def test_userinfo_endpoint_malformed(self):
uir = UserInfoRequest(schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded(), authn="Not a token")
assert json.loads(resp.message) == {"error_description": "Token is malformed", "error": "invalid_request"}
# cli.http = MyFakeOICServer(KEYS)
# ----------------------------------------------------------------------------
TREQ = AccessTokenRequest(code="code",
redirect_uri="http://example.com/authz",
client_id=CLIENT_ID)
AREQ = AuthorizationRequest(response_type="code",
client_id="client_id",
redirect_uri="http://example.com/authz",
scope=["openid"],
state="state0",
nonce="N0nce")
UIREQ = UserInfoRequest(access_token="access_token")
REGREQ = RegistrationRequest(contacts=["*****@*****.**"],
redirect_uris=["http://example.org/jqauthz"],
application_name="pacubar",
client_id=CLIENT_ID,
operation="register",
application_type="web")
RSREQ = RefreshSessionRequest(id_token="id_token",
redirect_url="http://example.com/authz",
state="state0")
#key, type, usage, owner="."
alg = "HS256"
def user_info_request(self, method="GET", state="", scope="", **kwargs):
uir = UserInfoRequest()
logger.debug("[user_info_request]: kwargs:%s" % (kwargs, ))
if "token" in kwargs:
if kwargs["token"]:
uir["access_token"] = kwargs["token"]
token = Token()
token.token_type = "Bearer"
token.access_token = kwargs["token"]
kwargs["behavior"] = "use_authorization_header"
else:
# What to do ? Need a callback
token = None
elif "access_token" in kwargs and kwargs["access_token"]:
uir["access_token"] = kwargs["access_token"]
del kwargs["access_token"]
token = None
else:
token = self.grant[state].get_token(scope)
if token.is_valid():
uir["access_token"] = token.access_token
if token.token_type == "Bearer" and method == "GET":
kwargs["behavior"] = "use_authorization_header"
else:
# raise oauth2.OldAccessToken
if self.log:
self.log.info("do access token refresh")
try:
self.do_access_token_refresh(token=token)
token = self.grant[state].get_token(scope)
uir["access_token"] = token.access_token
except Exception:
raise
uri = self._endpoint("userinfo_endpoint", **kwargs)
# If access token is a bearer token it might be sent in the
# authorization header
# 3-ways of sending the access_token:
# - POST with token in authorization header
# - POST with token in message body
# - GET with token in authorization header
if "behavior" in kwargs:
_behav = kwargs["behavior"]
_token = uir["access_token"]
try:
_ttype = kwargs["token_type"]
except KeyError:
try:
_ttype = token.token_type
except AttributeError:
raise MissingParameter("Unspecified token type")
# use_authorization_header, token_in_message_body
if "use_authorization_header" in _behav and _ttype == "Bearer":
bh = "Bearer %s" % _token
if "headers" in kwargs:
kwargs["headers"].update({"Authorization": bh})
else:
kwargs["headers"] = {"Authorization": bh}
if not "token_in_message_body" in _behav:
# remove the token from the request
del uir["access_token"]
path, body, kwargs = self.get_or_post(uri, method, uir, **kwargs)
h_args = dict([(k, v) for k, v in kwargs.items() if k in HTTP_ARGS])
return path, body, method, h_args