def test_jws_authn_method_wrong_key():
    """A client assertion signed with an unknown secret must be rejected.

    The client signs an HS256 JWT with a fabricated symmetric key that was
    never registered for ``client_id``; ``JWSAuthnMethod.verify`` is expected
    to raise ``AuthnFailure`` instead of authenticating the client.
    """
    keyjar = KeyJar()
    keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
    # Deliberately bogus secret: the OP has no record of this key.
    keyjar.add_symmetric("", "client_secret:client_secret", ["sig"])

    signer = JWT(keyjar, iss=client_id, sign_alg="HS256")
    assertion = signer.pack({"aud": [conf["issuer"]]})

    request = dict(client_assertion=assertion, client_assertion_type=JWT_BEARER)

    with pytest.raises(AuthnFailure):
        JWSAuthnMethod(endpoint_context).verify(request)
def test_jws_authn_method_aud_iss():
    """An assertion whose audience is the OP issuer ID is accepted.

    The client signs with its registered ``client_secret`` (the only key it
    owns at this point) and sets ``aud`` to the issuer; ``verify`` must
    return a truthy result.
    """
    keyjar = KeyJar()
    keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
    # The client's only own key at this point is its shared secret.
    keyjar.add_symmetric("", client_secret, ["sig"])

    # aud == OP issuer identifier
    issuer = conf["issuer"]
    signer = JWT(keyjar, iss=client_id, sign_alg="HS256")
    assertion = signer.pack({"aud": [issuer]})

    request = dict(client_assertion=assertion, client_assertion_type=JWT_BEARER)

    method = JWSAuthnMethod(endpoint_context)
    assert method.verify(request)
def test_jws_authn_method_aud_userinfo_endpoint():
    """An issuer-audience assertion is accepted when verified for "userinfo".

    ``aud`` names the OP issuer as a whole rather than the userinfo endpoint
    specifically; ``verify(..., endpoint="userinfo")`` must still succeed.
    """
    keyjar = KeyJar()
    keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
    # The client's only own key at this point is its shared secret.
    keyjar.add_symmetric("", client_secret, ["sig"])

    signer = JWT(keyjar, iss=client_id, sign_alg="HS256")
    # Audience is the OP itself, not the user info endpoint URL.
    assertion = signer.pack({"aud": [conf["issuer"]]})

    request = dict(client_assertion=assertion, client_assertion_type=JWT_BEARER)

    method = JWSAuthnMethod(endpoint_context)
    assert method.verify(request, endpoint="userinfo")
def test_jws_authn_method_aud_not_me():
    """An assertion addressed to some other party must raise ``NotForMe``.

    The signature is valid (signed with ``client_secret``) but ``aud`` is an
    unrelated URL, so the OP must refuse it rather than accept a token that
    was minted for a different audience.
    """
    keyjar = KeyJar()
    keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
    # The client's only own key at this point is its shared secret.
    keyjar.add_symmetric("", client_secret, ["sig"])

    signer = JWT(keyjar, iss=client_id, sign_alg="HS256")

    # Any audience that is not this OP is rejected.
    foreign_aud = "https://example.org"
    assertion = signer.pack({"aud": [foreign_aud]})

    request = dict(client_assertion=assertion, client_assertion_type=JWT_BEARER)

    with pytest.raises(NotForMe):
        JWSAuthnMethod(endpoint_context).verify(request)
 def create_method(self):
     """Bind a fresh ``JWSAuthnMethod`` built on ``endpoint_context`` to ``self.method``."""
     method = JWSAuthnMethod(endpoint_context)
     self.method = method
class TestJWSAuthnMethod:
    """Audience and key checks performed by ``JWSAuthnMethod.verify``.

    Every test builds a client-side keyjar holding the OP's issuer keys plus
    one symmetric signing key, packs an HS256 client assertion with a chosen
    ``aud`` and submits it as a JWT bearer client assertion.
    """

    @pytest.fixture(autouse=True)
    def create_method(self):
        """Give each test a fresh ``JWSAuthnMethod`` bound to ``endpoint_context``."""
        self.method = JWSAuthnMethod(endpoint_context)

    @staticmethod
    def _bearer_request(secret, aud):
        """Return a client-assertion request signed with *secret* for audience *aud*.

        The keyjar is seeded with the OP issuer keys and a single symmetric
        key (the client's only own key at this point); the assertion is
        packed with HS256 and ``iss=client_id``.
        """
        keyjar = KeyJar()
        keyjar[CONF["issuer"]] = KEYJAR.issuer_keys[""]
        keyjar.add_symmetric("", secret, ["sig"])

        signer = JWT(keyjar, iss=client_id, sign_alg="HS256")
        assertion = signer.pack({"aud": [aud]})

        return {"client_assertion": assertion, "client_assertion_type": JWT_BEARER}

    def test_jws_authn_method_wrong_key(self):
        """A fabricated secret leaves no usable key: ``NoSuitableSigningKeys``."""
        # Bogus symmetric secret, never registered for client_id.
        request = self._bearer_request("client_secret:client_secret", CONF["issuer"])

        with pytest.raises(NoSuitableSigningKeys):
            self.method.verify(request=request, key_type="private_key")

    def test_jws_authn_method_aud_iss(self):
        """``aud`` equal to the OP issuer ID is accepted."""
        request = self._bearer_request(client_secret, CONF["issuer"])

        assert self.method.verify(request=request, key_type="client_secret")

    def test_jws_authn_method_aud_token_endpoint(self):
        """``aud`` equal to the OP token endpoint is accepted for ``endpoint="token"``."""
        token_endpoint = "{issuer}token".format(issuer=CONF["issuer"])
        request = self._bearer_request(client_secret, token_endpoint)

        assert self.method.verify(request=request, key_type="client_secret", endpoint="token")

    def test_jws_authn_method_aud_not_me(self):
        """A correctly signed assertion for an unrelated audience raises ``NotForMe``."""
        request = self._bearer_request(client_secret, "https://example.org")

        with pytest.raises(NotForMe):
            self.method.verify(request=request, key_type="client_secret")

    def test_jws_authn_method_aud_userinfo_endpoint(self):
        """``aud`` set to the OP itself is accepted for ``endpoint="userinfo"``."""
        # Audience is the OP, not the user info endpoint URL specifically.
        request = self._bearer_request(client_secret, CONF["issuer"])

        assert self.method.verify(request=request, key_type="client_secret", endpoint="userinfo")