def test_issuer_mismatch(self):
ISSUER = "https://login.microsoftonline.com/b4ea3de6-839e-4ad1-ae78-c78e5c0cdc06/v2.0/"
kb = KeyBundle(JWK2["keys"])
kj = KeyJar()
kj.issuer_keys[ISSUER] = [kb]
kj.issuer_keys[""] = []
authz_resp = AuthorizationResponse().from_urlencoded(
"id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1u"
"Q19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiIwMTZlZDBlNC1mYzUyLTRlYjgtOWVhYy1lODg1MmM4MjEwNTUiLCJpc3Mi"
"OiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vYjRlYTNkZTYtODM5ZS00YWQxLWFlNzgtYzc4ZTVjMGNkYzA2L3YyLjAvI"
"iwiaWF0IjoxNDM5OTIzNDY5LCJuYmYiOjE0Mzk5MjM0NjksImV4cCI6MTQzOTkyNzM2OSwidmVyIjoiMi4wIiwidGlkIjoiYjRlYTNkZT"
"YtODM5ZS00YWQxLWFlNzgtYzc4ZTVjMGNkYzA2Iiwib2lkIjoiNDJjMzliNWUtYmQwNS00YTlhLTlhNWUtMTY5ZDc2N2ZlZjJmIiwicHJ"
"lZmVycmVkX3VzZXJuYW1lIjoiaW50ZXJvcEBrYXV0aS5vbm1pY3Jvc29mdC5jb20iLCJzdWIiOiJFWGlaVldjakpsREN1LXZzOUxNb1V3"
"ZGRNNEJZZ2ZISzBJNk40dWpXZkRFIiwibmFtZSI6ImludGVyb3AiLCJub25jZSI6IlpkSHRxQWwzR3c4QiJ9.tH4FKM4H9YCHX2XF4V64"
"SsLaKh31c0oLpEVlFxFHw8jxL5HujUthZJDUMwngXZ2mPU_1G152ybKiRCV9DKaBh1rFSlZxTDBp0SV_YTwOkGYOt-sOzFUJyvVCjGmRh"
"vFkOF1kiT3IYjDoRh72U8pMchj1duWSytLczdOc4LJmg24ya5jwqApuyQu7gVqoDH1kEqBAuhBj3a7ZDwxIt-bTKZklsht0RutZjv4Ckg"
"8qJpzWnY7rIjSKFKfEpAAfk_LqWvTktvDMKTHXLxEPVZymoskE1LthtC8AYoNmtVPxgxf87yGCqYZBsuAnVChdnsItXP7tPeqUjC8Lm3J"
"jabV-5g&id_token_expires_in=3599&state=6o3FmQ0QZl1zifsE&session_state=d2c97e8a-497c-4ce1-bb10-5058501164eb"
)
try:
authz_resp.verify(keyjar=kj, skew=100000000)
except MissingSigningKey:
authz_resp.verify(keyjar=kj, sender=ISSUER, skew=100000000)
def test_handle_authentication_response_POST(self):
access_token = 'test_access_token'
state = 'test_state'
authn = self.init_app()
auth_response = AuthorizationResponse(**{
'state': state,
'token_type': 'Bearer',
'access_token': access_token
})
with self.app.test_request_context(
'/redirect_uri',
method='POST',
data=auth_response.to_dict(),
mimetype='application/x-www-form-urlencoded'):
UserSession(flask.session, self.PROVIDER_NAME)
flask.session['destination'] = '/test'
flask.session['auth_request'] = json.dumps({
'state': state,
'nonce': 'test_nonce'
})
response = authn._handle_authentication_response()
session = UserSession(flask.session)
assert session.access_token == access_token
assert response == '/test'
def _func(self, conv):
_response = conv.last_response
_content = conv.last_content
_client = conv.client
res = {}
if _response.status_code == 400:
err = ErrorResponse().deserialize(_content, "json")
err.verify()
if err["error"] in ["consent_required", "interaction_required"]:
# This is OK
res["content"] = err.to_json()
conv.protocol_response.append((err, _content))
else:
self._message = "Not an error I expected"
self._status = CRITICAL
elif _response.status_code in [301, 302]:
_loc = _response.headers["location"]
callback = False
for url in _client.redirect_uris:
if _loc.startswith(url):
callback = True
break
if not callback:
self._message = "Not valid to not redirect back to RP"
self._status = ERROR
return res
if "?" in _loc:
_query = _loc.split("?")[1]
elif "#" in _loc:
_query = _loc.split("#")[1]
else: # ???
self._message = "Expected info in the redirect"
self._status = CRITICAL
return res
try:
err = ErrorResponse().deserialize(_query, "urlencoded")
err.verify()
if err["error"] in ["consent_required", "interaction_required",
"login_required"]:
# This is OK
res["content"] = err.to_json()
conv.protocol_response.append((err, _query))
else:
self._message = "Not an error I expected '%s'" % err[
"error"]
self._status = CRITICAL
except:
resp = AuthorizationResponse().deserialize(_query, "urlencoded")
resp.verify()
res["content"] = resp.to_json()
conv.protocol_response.append((resp, _query))
else: # should not get anything else
self._message = "Not an response I expected"
self._status = CRITICAL
return res
def test_handle_implicit_authentication_response(self, time_mock,
utc_time_sans_frac_mock):
# freeze time since ID Token validation includes expiration timestamps
timestamp = time.mktime(datetime(2017, 1, 1).timetuple())
time_mock.return_value = timestamp
utc_time_sans_frac_mock.return_value = int(timestamp)
# mock auth response
access_token = 'test_access_token'
user_id = 'user1'
exp_time = 10
nonce = 'test_nonce'
id_token_claims = {
'iss': self.PROVIDER_BASEURL,
'aud': [self.CLIENT_ID],
'sub': user_id,
'exp': int(timestamp) + exp_time,
'iat': int(timestamp),
'nonce': nonce,
'at_hash': jws.left_hash(access_token)
}
id_token_jwt, id_token_signing_key = signed_id_token(id_token_claims)
responses.add(responses.GET,
self.PROVIDER_BASEURL + '/jwks',
json={'keys': [id_token_signing_key.serialize()]})
# mock userinfo response
userinfo = {'sub': user_id, 'name': 'Test User'}
userinfo_endpoint = self.PROVIDER_BASEURL + '/userinfo'
responses.add(responses.GET, userinfo_endpoint, json=userinfo)
authn = self.init_app(
provider_metadata_extras={'userinfo_endpoint': userinfo_endpoint})
state = 'test_state'
auth_response = AuthorizationResponse(
**{
'state': state,
'access_token': access_token,
'token_type': 'Bearer',
'id_token': id_token_jwt
})
with self.app.test_request_context('/redirect_uri?{}'.format(
auth_response.to_urlencoded())):
UserSession(flask.session, self.PROVIDER_NAME)
flask.session['destination'] = '/'
flask.session['auth_request'] = json.dumps({
'state': state,
'nonce': nonce
})
authn._handle_authentication_response()
session = UserSession(flask.session)
assert session.access_token == access_token
assert session.id_token == id_token_claims
assert session.id_token_jwt == id_token_jwt
assert session.userinfo == userinfo
def test_parse_authentication_response(self):
facade = PyoidcFacade(ProviderConfiguration(provider_metadata=self.PROVIDER_METADATA,
client_metadata=self.CLIENT_METADATA),
self.REDIRECT_URI)
auth_code = 'auth_code-1234'
state = 'state-1234'
auth_response = AuthorizationResponse(**{'state': state, 'code': auth_code})
parsed_auth_response = facade.parse_authentication_response(auth_response.to_dict())
assert isinstance(parsed_auth_response, AuthorizationResponse)
assert parsed_auth_response.to_dict() == auth_response.to_dict()
def test_should_handle_token_error_response(self, client_mock):
client_mock.exchange_authorization_code.return_value = TokenErrorResponse(
**self.ERROR_RESPONSE)
with pytest.raises(AuthResponseErrorResponseError) as exc:
AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**self.AUTH_RESPONSE), self.AUTH_REQUEST)
assert exc.value.error_response == self.ERROR_RESPONSE
def test_should_detect_mismatching_subject(self, client_mock):
client_mock.exchange_authorization_code.return_value = AccessTokenResponse(**self.TOKEN_RESPONSE)
client_mock.userinfo_request.return_value = OpenIDSchema(**{'sub': 'other_sub'})
with pytest.raises(AuthResponseMismatchingSubjectError):
AuthResponseHandler(client_mock).process_auth_response(AuthorizationResponse(**self.AUTH_RESPONSE),
self.AUTH_RESPONSE['state'],
self.TOKEN_RESPONSE['id_token']['nonce'])
def test_parse_authentication_response_preserves_id_token_jwt(self):
facade = PyoidcFacade(
ProviderConfiguration(provider_metadata=self.PROVIDER_METADATA,
client_metadata=self.CLIENT_METADATA),
REDIRECT_URI)
state = 'state-1234'
now = int(time.time())
id_token, id_token_signing_key = signed_id_token({
'iss':
self.PROVIDER_METADATA['issuer'],
'sub':
'test_sub',
'aud':
'client1',
'exp':
now + 1,
'iat':
now
})
responses.add(responses.GET,
self.PROVIDER_METADATA['jwks_uri'],
json={'keys': [id_token_signing_key.serialize()]})
auth_response = AuthorizationResponse(**{
'state': state,
'id_token': id_token
})
parsed_auth_response = facade.parse_authentication_response(
auth_response)
assert isinstance(parsed_auth_response, AuthorizationResponse)
assert parsed_auth_response['state'] == state
assert parsed_auth_response['id_token_jwt'] == id_token
def test_should_handle_token_response_without_id_token(self, client_mock):
token_response = {'access_token': 'test_token'}
client_mock.exchange_authorization_code.return_value = AccessTokenResponse(
**token_response)
result = AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**self.AUTH_RESPONSE), self.AUTH_REQUEST)
assert result.access_token == 'test_token'
assert result.id_token_claims is None
def test_should_handle_token_response_without_id_token(self, client_mock):
token_response = {'access_token': 'test_token'}
client_mock.token_request.return_value = AccessTokenResponse(
**token_response)
result = AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**self.AUTH_RESPONSE),
self.AUTH_RESPONSE['state'],
self.TOKEN_RESPONSE['id_token']['nonce'])
assert result.access_token == 'test_token'
assert result.id_token_claims is None
def do_authentication_request(self, url, ht_args, csi):
self.conv.trace.request(url)
self.conv.trace.request("HT_ARGS: {}".format(ht_args))
r = self.conv.client.http_request(url, **ht_args)
resp = None
if 300 < r.status_code < 400:
r = self.conv.intermit(r)
resp = self.conv.parse_request_response(
r, AuthorizationResponse, body_type="urlencoded",
state=self.conv.state, keyjar=self.conv.client.keyjar)
elif r.status_code == 200:
resp = AuthorizationResponse()
if "response_mode" in csi and csi["response_mode"] == "form_post":
forms = BeautifulSoup(r.content).findAll('form')
for inp in forms[0].find_all("input"):
resp[inp.attrs["name"]] = inp.attrs["value"]
resp.verify(keyjar=self.conv.client.keyjar)
self.conv.trace.response(resp)
return resp
def test_should_handle_no_token_response(self, client_mock):
client_mock.exchange_authorization_code.return_value = None
client_mock.userinfo_request.return_value = None
hybrid_auth_response = self.AUTH_RESPONSE.copy()
hybrid_auth_response.update(self.TOKEN_RESPONSE)
result = AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**hybrid_auth_response), self.AUTH_REQUEST)
assert result.access_token == 'test_token'
assert result.id_token_claims == self.TOKEN_RESPONSE[
'id_token'].to_dict()
assert result.id_token_jwt == self.TOKEN_RESPONSE['id_token_jwt']
def test_should_handle_auth_response_without_authorization_code(self, client_mock):
auth_response = AuthorizationResponse(**self.TOKEN_RESPONSE)
auth_response['state'] = 'test_state'
client_mock.userinfo_request.return_value = self.USERINFO_RESPONSE
result = AuthResponseHandler(client_mock).process_auth_response(auth_response, 'test_state')
assert not client_mock.exchange_authorization_code.called
assert result.access_token == 'test_token'
assert result.expires_in == self.TOKEN_RESPONSE['expires_in']
assert result.id_token_jwt == self.TOKEN_RESPONSE['id_token_jwt']
assert result.id_token_claims == self.TOKEN_RESPONSE['id_token'].to_dict()
assert result.userinfo_claims == self.USERINFO_RESPONSE.to_dict()
assert result.refresh_token == None
def test_issuer_mismatch(self):
ISSUER = "https://login.microsoftonline.com/b4ea3de6-839e-4ad1-ae78-c78e5c0cdc06/v2.0/"
kb = KeyBundle(JWK2["keys"])
kj = KeyJar()
kj.issuer_keys[ISSUER] = [kb]
kj.issuer_keys[""] = []
authz_resp = AuthorizationResponse().from_urlencoded(
"id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSIsImtpZCI6Ik1u"
"Q19WWmNBVGZNNXBPWWlKSE1iYTlnb0VLWSJ9.eyJhdWQiOiIwMTZlZDBlNC1mYzUyLTRlYjgtOWVhYy1lODg1MmM4MjEwNTUiLCJpc3Mi"
"OiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vYjRlYTNkZTYtODM5ZS00YWQxLWFlNzgtYzc4ZTVjMGNkYzA2L3YyLjAvI"
"iwiaWF0IjoxNDM5OTIzNDY5LCJuYmYiOjE0Mzk5MjM0NjksImV4cCI6MTQzOTkyNzM2OSwidmVyIjoiMi4wIiwidGlkIjoiYjRlYTNkZT"
"YtODM5ZS00YWQxLWFlNzgtYzc4ZTVjMGNkYzA2Iiwib2lkIjoiNDJjMzliNWUtYmQwNS00YTlhLTlhNWUtMTY5ZDc2N2ZlZjJmIiwicHJ"
"lZmVycmVkX3VzZXJuYW1lIjoiaW50ZXJvcEBrYXV0aS5vbm1pY3Jvc29mdC5jb20iLCJzdWIiOiJFWGlaVldjakpsREN1LXZzOUxNb1V3"
"ZGRNNEJZZ2ZISzBJNk40dWpXZkRFIiwibmFtZSI6ImludGVyb3AiLCJub25jZSI6IlpkSHRxQWwzR3c4QiJ9.tH4FKM4H9YCHX2XF4V64"
"SsLaKh31c0oLpEVlFxFHw8jxL5HujUthZJDUMwngXZ2mPU_1G152ybKiRCV9DKaBh1rFSlZxTDBp0SV_YTwOkGYOt-sOzFUJyvVCjGmRh"
"vFkOF1kiT3IYjDoRh72U8pMchj1duWSytLczdOc4LJmg24ya5jwqApuyQu7gVqoDH1kEqBAuhBj3a7ZDwxIt-bTKZklsht0RutZjv4Ckg"
"8qJpzWnY7rIjSKFKfEpAAfk_LqWvTktvDMKTHXLxEPVZymoskE1LthtC8AYoNmtVPxgxf87yGCqYZBsuAnVChdnsItXP7tPeqUjC8Lm3J"
"jabV-5g&id_token_expires_in=3599&state=6o3FmQ0QZl1zifsE&session_state=d2c97e8a-497c-4ce1-bb10-5058501164eb"
)
try:
authz_resp.verify(keyjar=kj, skew=100000000)
except MissingSigningKey:
authz_resp.verify(keyjar=kj, sender=ISSUER, skew=100000000)
def do_authentication_request(self, url, ht_args, csi):
self.conv.trace.request(url)
self.conv.trace.request("HT_ARGS: {}".format(ht_args))
r = self.conv.client.http_request(url, **ht_args)
resp = None
if 300 < r.status_code < 400:
r = self.conv.intermit(r)
resp = self.conv.parse_request_response(
r,
AuthorizationResponse,
body_type="urlencoded",
state=self.conv.state,
keyjar=self.conv.client.keyjar)
elif r.status_code == 200:
resp = AuthorizationResponse()
if "response_mode" in csi and csi["response_mode"] == "form_post":
forms = BeautifulSoup(r.content).findAll('form')
for inp in forms[0].find_all("input"):
resp[inp.attrs["name"]] = inp.attrs["value"]
resp.verify(keyjar=self.conv.client.keyjar)
self.conv.trace.response(resp)
return resp
def test_parse_authentication_response_preserves_id_token_jwt(self):
facade = PyoidcFacade(
ProviderConfiguration(
provider_metadata=self.PROVIDER_METADATA,
client_metadata=self.CLIENT_METADATA,
),
self.REDIRECT_URI,
)
state = "state-1234"
now = int(time.time())
id_token, id_token_signing_key = signed_id_token({
"iss":
self.PROVIDER_METADATA["issuer"],
"sub":
"test_sub",
"aud":
"client1",
"exp":
now + 1,
"iat":
now,
})
responses.add(
responses.GET,
self.PROVIDER_METADATA["jwks_uri"],
json={"keys": [id_token_signing_key.serialize()]},
)
auth_response = AuthorizationResponse(**{
"state": state,
"id_token": id_token
})
parsed_auth_response = facade.parse_authentication_response(
auth_response)
assert isinstance(parsed_auth_response, AuthorizationResponse)
assert parsed_auth_response["state"] == state
assert parsed_auth_response["id_token_jwt"] == id_token
def authorization_response():
return AuthorizationResponse(code='code', state='state')
class TestAuthResponseHandler:
AUTH_RESPONSE = AuthorizationResponse(**{
'code': 'test_auth_code',
'state': 'test_state'
})
TOKEN_RESPONSE = AccessTokenResponse(
**{
'access_token': 'test_token',
'id_token': IdToken(**{
'sub': 'test_sub',
'nonce': 'test_nonce'
}),
'id_token_jwt': 'test_id_token_jwt'
})
USERINFO_RESPONSE = OpenIDSchema(**{'sub': 'test_sub'})
ERROR_RESPONSE = {
'error': 'test_error',
'error_description': 'something went wrong'
}
@pytest.fixture
def client_mock(self):
return create_autospec(PyoidcFacade, True, True)
def test_should_detect_state_mismatch(self, client_mock):
with pytest.raises(AuthResponseUnexpectedStateError):
AuthResponseHandler(client_mock).process_auth_response(
self.AUTH_RESPONSE, 'other_state')
def test_should_detect_nonce_mismatch(self, client_mock):
client_mock.token_request.return_value = self.TOKEN_RESPONSE
with pytest.raises(AuthResponseUnexpectedNonceError):
AuthResponseHandler(client_mock).process_auth_response(
self.AUTH_RESPONSE, self.AUTH_RESPONSE['state'], 'other_nonce')
def test_should_handle_auth_error_response(self, client_mock):
with pytest.raises(AuthResponseErrorResponseError) as exc:
AuthResponseHandler(client_mock).process_auth_response(
AuthorizationErrorResponse(**self.ERROR_RESPONSE),
self.AUTH_RESPONSE['state'])
assert exc.value.error_response == self.ERROR_RESPONSE
def test_should_handle_token_error_response(self, client_mock):
client_mock.token_request.return_value = TokenErrorResponse(
**self.ERROR_RESPONSE)
with pytest.raises(AuthResponseErrorResponseError) as exc:
AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**self.AUTH_RESPONSE),
self.AUTH_RESPONSE['state'])
assert exc.value.error_response == self.ERROR_RESPONSE
def test_should_detect_mismatching_subject(self, client_mock):
client_mock.token_request.return_value = AccessTokenResponse(
**self.TOKEN_RESPONSE)
client_mock.userinfo_request.return_value = OpenIDSchema(
**{'sub': 'other_sub'})
with pytest.raises(AuthResponseMismatchingSubjectError):
AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**self.AUTH_RESPONSE),
self.AUTH_RESPONSE['state'],
self.TOKEN_RESPONSE['id_token']['nonce'])
def test_should_handle_auth_response_with_authorization_code(
self, client_mock):
client_mock.token_request.return_value = self.TOKEN_RESPONSE
client_mock.userinfo_request.return_value = self.USERINFO_RESPONSE
result = AuthResponseHandler(client_mock).process_auth_response(
self.AUTH_RESPONSE, self.AUTH_RESPONSE['state'],
self.TOKEN_RESPONSE['id_token']['nonce'])
assert result.access_token == 'test_token'
assert result.id_token_claims == self.TOKEN_RESPONSE[
'id_token'].to_dict()
assert result.id_token_jwt == self.TOKEN_RESPONSE['id_token_jwt']
assert result.userinfo_claims == self.USERINFO_RESPONSE.to_dict()
def test_should_handle_auth_response_without_authorization_code(
self, client_mock):
auth_response = AuthorizationResponse(**self.TOKEN_RESPONSE)
auth_response['state'] = 'test_state'
client_mock.userinfo_request.return_value = self.USERINFO_RESPONSE
result = AuthResponseHandler(client_mock).process_auth_response(
auth_response, 'test_state')
assert not client_mock.token_request.called
assert result.access_token == 'test_token'
assert result.id_token_jwt == self.TOKEN_RESPONSE['id_token_jwt']
assert result.id_token_claims == self.TOKEN_RESPONSE[
'id_token'].to_dict()
assert result.userinfo_claims == self.USERINFO_RESPONSE.to_dict()
def test_should_handle_token_response_without_id_token(self, client_mock):
token_response = {'access_token': 'test_token'}
client_mock.token_request.return_value = AccessTokenResponse(
**token_response)
result = AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**self.AUTH_RESPONSE),
self.AUTH_RESPONSE['state'],
self.TOKEN_RESPONSE['id_token']['nonce'])
assert result.access_token == 'test_token'
assert result.id_token_claims is None
def test_should_handle_no_token_response(self, client_mock):
client_mock.token_request.return_value = None
client_mock.userinfo_request.return_value = None
hybrid_auth_response = self.AUTH_RESPONSE.copy()
hybrid_auth_response.update(self.TOKEN_RESPONSE)
result = AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**hybrid_auth_response),
self.AUTH_RESPONSE['state'],
self.TOKEN_RESPONSE['id_token']['nonce'])
assert result.access_token == 'test_token'
assert result.id_token_claims == self.TOKEN_RESPONSE[
'id_token'].to_dict()
assert result.id_token_jwt == self.TOKEN_RESPONSE['id_token_jwt']
@pytest.mark.parametrize(
'response_type, expected',
[
('code', False), # Authorization Code Flow
('id_token', True), # Implicit Flow
('id_token token', True), # Implicit Flow
('code id_token', True), # Hybrid Flow
('code token', True), # Hybrid Flow
('code id_token token', True) # Hybrid Flow
])
def test_expect_fragment_encoded_response_by_response_type(
self, response_type, expected):
assert AuthResponseHandler.expect_fragment_encoded_response(
{'response_type': response_type}) is expected
@pytest.mark.parametrize('response_type, response_mode, expected', [
('code', 'fragment', True),
('id_token', 'query', False),
('code token', 'form_post', False),
])
def test_expect_fragment_encoded_response_with_non_default_response_mode(
self, response_type, response_mode, expected):
auth_req = {
'response_type': response_type,
'response_mode': response_mode
}
assert AuthResponseHandler.expect_fragment_encoded_response(
auth_req) is expected
class TestAuthResponseHandler:
ISSUER = 'https://issuer.example.com'
CLIENT_ID = 'client1'
AUTH_REQUEST = AuthorizationRequest(**{
'state': 'test_state',
'nonce': 'test_nonce'
})
AUTH_RESPONSE = AuthorizationResponse(**{
'code': 'test_auth_code',
'state': AUTH_REQUEST['state']
})
TOKEN_RESPONSE = AccessTokenResponse(
**{
'access_token': 'test_token',
'expires_in': 3600,
'id_token': _create_id_token(ISSUER, CLIENT_ID,
AUTH_REQUEST['nonce']),
'id_token_jwt': 'test_id_token_jwt',
'refresh_token': 'test_refresh_token'
})
USERINFO_RESPONSE = OpenIDSchema(**{'sub': 'test_sub'})
ERROR_RESPONSE = {
'error': 'test_error',
'error_description': 'something went wrong'
}
@pytest.fixture
def client_mock(self):
return create_autospec(PyoidcFacade, True, True)
def test_should_detect_state_mismatch(self, client_mock):
auth_request = {
'state': 'other_state',
'nonce': self.AUTH_REQUEST['nonce']
}
with pytest.raises(AuthResponseUnexpectedStateError):
AuthResponseHandler(client_mock).process_auth_response(
self.AUTH_RESPONSE, auth_request)
def test_should_detect_nonce_mismatch(self, client_mock):
client = PyoidcFacade(
ProviderConfiguration(
provider_metadata=ProviderMetadata(issuer=self.ISSUER),
client_metadata=ClientMetadata(client_id=self.CLIENT_ID)),
redirect_uri='https://client.example.com/redirect')
client.exchange_authorization_code = MagicMock(
return_value=self.TOKEN_RESPONSE)
auth_request = {
'state': self.AUTH_RESPONSE['state'],
'nonce': 'other_nonce'
}
with pytest.raises(InvalidIdTokenError):
AuthResponseHandler(client).process_auth_response(
self.AUTH_RESPONSE, auth_request)
def test_should_handle_auth_error_response(self, client_mock):
with pytest.raises(AuthResponseErrorResponseError) as exc:
AuthResponseHandler(client_mock).process_auth_response(
AuthorizationErrorResponse(**self.ERROR_RESPONSE),
self.AUTH_REQUEST)
assert exc.value.error_response == self.ERROR_RESPONSE
def test_should_handle_token_error_response(self, client_mock):
client_mock.exchange_authorization_code.return_value = TokenErrorResponse(
**self.ERROR_RESPONSE)
with pytest.raises(AuthResponseErrorResponseError) as exc:
AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**self.AUTH_RESPONSE), self.AUTH_REQUEST)
assert exc.value.error_response == self.ERROR_RESPONSE
def test_should_detect_mismatching_subject(self, client_mock):
client_mock.exchange_authorization_code.return_value = AccessTokenResponse(
**self.TOKEN_RESPONSE)
client_mock.userinfo_request.return_value = OpenIDSchema(
**{'sub': 'other_sub'})
with pytest.raises(AuthResponseMismatchingSubjectError):
AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**self.AUTH_RESPONSE), self.AUTH_REQUEST)
def test_should_handle_auth_response_with_authorization_code(
self, client_mock):
client_mock.exchange_authorization_code.return_value = self.TOKEN_RESPONSE
client_mock.userinfo_request.return_value = self.USERINFO_RESPONSE
result = AuthResponseHandler(client_mock).process_auth_response(
self.AUTH_RESPONSE, self.AUTH_REQUEST)
assert result.access_token == 'test_token'
assert result.expires_in == self.TOKEN_RESPONSE['expires_in']
assert result.id_token_claims == self.TOKEN_RESPONSE[
'id_token'].to_dict()
assert result.id_token_jwt == self.TOKEN_RESPONSE['id_token_jwt']
assert result.userinfo_claims == self.USERINFO_RESPONSE.to_dict()
assert result.refresh_token == self.TOKEN_RESPONSE['refresh_token']
def test_should_handle_auth_response_without_authorization_code(
self, client_mock):
auth_response = AuthorizationResponse(**self.TOKEN_RESPONSE)
auth_response['state'] = 'test_state'
client_mock.userinfo_request.return_value = self.USERINFO_RESPONSE
result = AuthResponseHandler(client_mock).process_auth_response(
auth_response, self.AUTH_REQUEST)
assert not client_mock.exchange_authorization_code.called
assert result.access_token == 'test_token'
assert result.expires_in == self.TOKEN_RESPONSE['expires_in']
assert result.id_token_jwt == self.TOKEN_RESPONSE['id_token_jwt']
assert result.id_token_claims == self.TOKEN_RESPONSE[
'id_token'].to_dict()
assert result.userinfo_claims == self.USERINFO_RESPONSE.to_dict()
assert result.refresh_token == None
def test_should_handle_token_response_without_id_token(self, client_mock):
token_response = {'access_token': 'test_token'}
client_mock.exchange_authorization_code.return_value = AccessTokenResponse(
**token_response)
result = AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**self.AUTH_RESPONSE), self.AUTH_REQUEST)
assert result.access_token == 'test_token'
assert result.id_token_claims is None
def test_should_handle_no_token_response(self, client_mock):
client_mock.exchange_authorization_code.return_value = None
client_mock.userinfo_request.return_value = None
hybrid_auth_response = self.AUTH_RESPONSE.copy()
hybrid_auth_response.update(self.TOKEN_RESPONSE)
result = AuthResponseHandler(client_mock).process_auth_response(
AuthorizationResponse(**hybrid_auth_response), self.AUTH_REQUEST)
assert result.access_token == 'test_token'
assert result.id_token_claims == self.TOKEN_RESPONSE[
'id_token'].to_dict()
assert result.id_token_jwt == self.TOKEN_RESPONSE['id_token_jwt']
@pytest.mark.parametrize(
'response_type, expected',
[
('code', False), # Authorization Code Flow
('id_token', True), # Implicit Flow
('id_token token', True), # Implicit Flow
('code id_token', True), # Hybrid Flow
('code token', True), # Hybrid Flow
('code id_token token', True) # Hybrid Flow
])
def test_expect_fragment_encoded_response_by_response_type(
self, response_type, expected):
assert AuthResponseHandler.expect_fragment_encoded_response(
{'response_type': response_type}) is expected
@pytest.mark.parametrize('response_type, response_mode, expected', [
('code', 'fragment', True),
('id_token', 'query', False),
('code token', 'form_post', False),
])
def test_expect_fragment_encoded_response_with_non_default_response_mode(
self, response_type, response_mode, expected):
auth_req = {
'response_type': response_type,
'response_mode': response_mode
}
assert AuthResponseHandler.expect_fragment_encoded_response(
auth_req) is expected
def get_tokens(self, query):
aresp = AuthorizationResponse().from_urlencoded(query)
uid = self.client.acquire_access_token(aresp, "AAT")
self.client.get_rpt(uid)
return uid
