def test_construct_with_token(self, services):
authz_service = services['authorization']
_state = authz_service.create_state('Issuer')
req = AuthorizationRequest(state=_state,
response_type='code',
redirect_uri='https://example.com',
scope=['openid'])
authz_service.store_item(req, 'auth_request', _state)
# Add a state and bind a code to it
resp1 = AuthorizationResponse(code="auth_grant", state=_state)
response = services['authorization'].parse_response(
resp1.to_urlencoded(), "urlencoded")
services['authorization'].update_service_context(response, key=_state)
# based on state find the code and then get an access token
resp2 = AccessTokenResponse(access_token="token1",
token_type="Bearer",
expires_in=0,
state=_state)
response = services['accesstoken'].parse_response(
resp2.to_urlencoded(), "urlencoded")
services['accesstoken'].update_service_context(response, key=_state)
# and finally use the access token, bound to a state, to
# construct the authorization header
http_args = BearerHeader().construct(ResourceRequest(),
services['accesstoken'],
key=_state)
assert http_args == {"headers": {"Authorization": "Bearer token1"}}
def test_access_token_srv_conf():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
db = InMemoryStateDataBase()
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
_state = State(auth_request=auth_request.to_json(),
auth_response=auth_response.to_json())
db.set('state', _state.to_json())
service = service_factory(
'AccessToken', ['oauth2'],
state_db=db,
service_context=service_context,
conf={'default_authn_method': 'client_secret_post'})
req_args = {
'redirect_uri': 'https://example.com/cli/authz_cb',
'code': 'access_code'
}
service.endpoint = 'https://example.com/authorize'
_info = service.get_request_parameters(request_args=req_args,
state='state')
assert _info
msg = AccessTokenRequest().from_urlencoded(
service.get_urlinfo(_info['body']))
assert 'client_secret' in msg
def test_access_token_srv_conf():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
entity = Entity(config=client_config)
token_service = entity.client_get("service", 'accesstoken')
_state_interface = token_service.client_get("service_context").state
_state_val = _state_interface.create_state(
token_service.client_get("service_context").issuer)
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state=_state_val)
_state_interface.store_item(auth_request, "auth_request", _state_val)
auth_response = AuthorizationResponse(code='access_code')
_state_interface.store_item(auth_response, "auth_response", _state_val)
req_args = {
'redirect_uri': 'https://example.com/cli/authz_cb',
'code': 'access_code'
}
token_service.endpoint = 'https://example.com/authorize'
_info = token_service.get_request_parameters(request_args=req_args,
state=_state_val)
assert _info
msg = AccessTokenRequest().from_urlencoded(_info['body'])
# client_secret_basic by default
assert 'client_secret' not in msg
def test_access_token_srv_conf():
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
service = service_factory(
'AccessToken', ['oauth2'],
service_context=service_context,
conf={'default_authn_method': 'client_secret_post'})
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
service.store_item(auth_request, "auth_request", 'state')
service.store_item(auth_response, "auth_response", 'state')
req_args = {
'redirect_uri': 'https://example.com/cli/authz_cb',
'code': 'access_code'
}
service.endpoint = 'https://example.com/authorize'
_info = service.get_request_parameters(request_args=req_args,
state='state')
assert _info
msg = AccessTokenRequest().from_urlencoded(
service.get_urlinfo(_info['body']))
assert 'client_secret' in msg
def test_construct_accesstoken_request(self):
# Bind access code to state
req_args = {}
self.client.session_interface.create_state('issuer', 'ABCDE')
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='ABCDE')
self.client.session_interface.store_item(auth_request, 'auth_request',
'ABCDE')
auth_response = AuthorizationResponse(code='access_code')
self.client.session_interface.store_item(auth_response,
'auth_response', 'ABCDE')
msg = self.client.service['accesstoken'].construct(
request_args=req_args, state='ABCDE')
assert isinstance(msg, AccessTokenRequest)
assert msg.to_dict() == {
'client_id': 'client_1',
'code': 'access_code',
'client_secret': 'abcdefghijklmnop',
'grant_type': 'authorization_code',
'redirect_uri': 'https://example.com/cli/authz_cb',
'state': 'ABCDE'
}
def test_update_service_context_with_idtoken(self):
req_args = {'response_type': 'code', 'state': 'state', 'nonce': 'nonce'}
self.service.endpoint = 'https://example.com/authorize'
_info = self.service.get_request_parameters(request_args=req_args)
# Build an ID Token
idt = JWT(key_jar=ISS_KEY, iss=ISS, lifetime=3600)
payload = {'sub': '123456789', 'aud': ['client_id'], 'nonce': 'nonce'}
# have to calculate c_hash
alg = 'RS256'
halg = "HS%s" % alg[-3:]
payload["c_hash"] = left_hash('code', halg)
_idt = idt.pack(payload)
resp = AuthorizationResponse(state='state', code='code', id_token=_idt)
resp = self.service.parse_response(resp.to_urlencoded())
self.service.update_service_context(resp, 'state')
def test_construct_accesstoken_request(self):
_context = self.client.client_get("service_context")
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb')
_state = _context.state.create_state('issuer')
auth_request["state"] = _state
_context.state.store_item(auth_request, 'auth_request', _state)
auth_response = AuthorizationResponse(code='access_code')
_context.state.store_item(auth_response, 'auth_response', _state)
# Bind access code to state
req_args = {}
msg = self.client.client_get("service", 'accesstoken').construct(
request_args=req_args, state=_state)
assert isinstance(msg, AccessTokenRequest)
assert msg.to_dict() == {
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
'grant_type': 'authorization_code',
'state': _state,
'code': 'access_code',
'redirect_uri': 'https://example.com/cli/authz_cb'
}
def test_construct_accesstoken_request(self):
# Client 1 starts the chain of event
client_1 = Client(config=CONF)
_context_1 = client_1.client_get("service_context")
_state = _context_1.state.create_state('issuer')
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state=_state)
_context_1.state.store_item(auth_request, 'auth_request', _state)
# Client 2 carries on
client_2 = Client(config=CONF)
_state_dump = _context_1.dump()
_context2 = client_2.client_get("service_context")
_context2.load(_state_dump)
auth_response = AuthorizationResponse(code='access_code')
_context2.state.store_item(auth_response, 'auth_response', _state)
msg = client_2.client_get("service",
'accesstoken').construct(request_args={},
state=_state)
assert isinstance(msg, AccessTokenRequest)
assert msg.to_dict() == {
'client_id': 'client_1',
'code': 'access_code',
'client_secret': 'abcdefghijklmnop',
'grant_type': 'authorization_code',
'redirect_uri': 'https://example.com/cli/authz_cb',
'state': _state
}
def test_construct_refresh_token_request(self):
self.client.session_interface.create_state('issuer', 'ABCDE')
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
self.client.session_interface.store_item(auth_request, 'auth_request',
'ABCDE')
auth_response = AuthorizationResponse(code='access_code')
self.client.session_interface.store_item(auth_response,
'auth_response', 'ABCDE')
token_response = AccessTokenResponse(refresh_token="refresh_with_me",
access_token="access")
self.client.session_interface.store_item(token_response,
'token_response', 'ABCDE')
req_args = {}
msg = self.client.service['refresh_token'].construct(
request_args=req_args, state='ABCDE')
assert isinstance(msg, RefreshAccessTokenRequest)
assert msg.to_dict() == {
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
'grant_type': 'refresh_token',
'refresh_token': 'refresh_with_me'
}
def create_request(self):
self._iss = ISS
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'issuer': self._iss, 'requests_dir': 'requests',
'base_url': 'https://example.com/cli/'
}
service_context = ServiceContext(config=client_config)
service_context.keyjar = CLI_KEY
service_context.behaviour = {
'userinfo_signed_response_alg': 'RS256',
"userinfo_encrypted_response_alg": "RSA-OAEP",
"userinfo_encrypted_response_enc": "A256GCM"
}
db = InMemoryStateDataBase()
auth_response = AuthorizationResponse(code='access_code').to_json()
idtval = {
'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'diana',
'iss': ISS, 'aud': 'client_id'
}
idt = create_jws(idtval)
ver_idt = IdToken().from_jwt(idt, CLI_KEY)
token_response = AccessTokenResponse(
access_token='access_token', id_token=idt,
__verified_id_token=ver_idt).to_json()
db.set('abcde', State(token_response=token_response,
auth_response=auth_response).to_json())
self.service = service_factory('UserInfo', ['oidc'], state_db=db,
service_context=service_context)
def test_init(self):
atr = AuthorizationResponse(code="SplxlOBeZQQYbYS6WxSbIA",
state="Fun_state", extra="foo")
assert atr["code"] == "SplxlOBeZQQYbYS6WxSbIA"
assert atr["state"] == "Fun_state"
assert atr["extra"] == "foo"
def test_do_userinfo_request_init(self):
self.client.session_interface.create_state('issuer', 'ABCDE')
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb',
state='state'
)
self.client.session_interface.store_item(auth_request,
'auth_request', 'ABCDE')
auth_response = AuthorizationResponse(code='access_code')
self.client.session_interface.store_item(auth_response,
'auth_response', 'ABCDE')
token_response = AccessTokenResponse(refresh_token="refresh_with_me",
access_token="access")
self.client.session_interface.store_item(token_response,
'token_response', 'ABCDE')
_srv = self.client.service['userinfo']
_srv.endpoint = "https://example.com/userinfo"
_info = _srv.get_request_parameters(state='ABCDE')
assert _info
assert _info['headers'] == {'Authorization': 'Bearer access'}
assert _info['url'] == 'https://example.com/userinfo'
def test_construct_accesstoken_request(self):
# Client 1 starts
client_1 = RP(config=CONF)
_state = client_1.client_get("service_context").state.create_state(
ISSUER)
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state=_state)
client_1.client_get("service_context").state.store_item(
auth_request, 'auth_request', _state)
# Client 2 carries on
client_2 = RP(config=CONF)
_state_dump = client_1.client_get("service_context").dump()
client_2.client_get("service_context").load(_state_dump)
auth_response = AuthorizationResponse(code='access_code')
client_2.client_get("service_context").state.store_item(
auth_response, 'auth_response', _state)
# Bind access code to state
req_args = {}
msg = client_2.client_get("service", 'accesstoken').construct(
request_args=req_args, state=_state)
assert isinstance(msg, AccessTokenRequest)
assert msg.to_dict() == {
'client_id': 'client_1',
'code': 'access_code',
'client_secret': 'abcdefghijklmnop',
'grant_type': 'authorization_code',
'redirect_uri': 'https://example.com/cli/authz_cb',
'state': _state
}
def test_do_userinfo_request_init(self):
# Client 1 starts
client_1 = RP(config=CONF)
_state = client_1.client_get("service_context").state.create_state(
ISSUER)
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
# Client 2 carries on
client_2 = RP(config=CONF)
_state_dump = client_1.client_get("service_context").dump()
client_2.client_get("service_context").load(_state_dump)
auth_response = AuthorizationResponse(code='access_code')
client_2.client_get("service_context").state.store_item(
auth_response, 'auth_response', _state)
token_response = AccessTokenResponse(refresh_token="refresh_with_me",
access_token="access")
client_2.client_get("service_context").state.store_item(
token_response, 'token_response', _state)
# Back to Client 1
_state_dump = client_2.client_get("service_context").dump()
client_1.client_get("service_context").load(_state_dump)
_srv = client_1.client_get("service", 'userinfo')
_srv.endpoint = "https://example.com/userinfo"
_info = _srv.get_request_parameters(state=_state)
assert _info
assert _info['headers'] == {'Authorization': 'Bearer access'}
assert _info['url'] == 'https://example.com/userinfo'
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
db = InMemoryStateDataBase()
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
_state = State(auth_response=auth_response.to_json(),
auth_request=auth_request.to_json())
db.set('state', _state.to_json())
self.service = service_factory('AccessToken', ['oauth2'],
state_db=db,
service_context=service_context)
def test_response(self):
_state = "today"
req_args = {'response_type': 'code', 'state': _state}
self.auth_service.endpoint = 'https://example.com/authorize'
_info = self.auth_service.get_request_parameters(request_args=req_args)
assert set(_info.keys()) == {'url', 'method', 'request'}
msg = AuthorizationRequest().from_urlencoded(
self.auth_service.get_urlinfo(_info['url']))
self.auth_service.client_get("service_context").state.store_item(
msg, "auth_request", _state)
resp1 = AuthorizationResponse(code="auth_grant", state=_state)
response = self.auth_service.parse_response(resp1.to_urlencoded(),
"urlencoded",
state=_state)
self.auth_service.update_service_context(response, key=_state)
assert self.auth_service.client_get("service_context").state.get_state(
_state)
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
db = InMemoryStateDataBase()
auth_response = AuthorizationResponse(code='access_code')
token_response = AccessTokenResponse(access_token='bearer_token',
refresh_token='refresh')
_state = State(auth_response=auth_response.to_json(),
token_response=token_response.to_json())
db.set('abcdef', _state.to_json())
self.service = service_factory('RefreshAccessToken', ['oauth2'],
state_db=db,
service_context=service_context)
self.service.endpoint = 'https://example.com/token'
def test_do_userinfo_request_init(self):
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
token_response = AccessTokenResponse(refresh_token="refresh_with_me",
access_token="access")
_state = State(auth_response=auth_response.to_json(),
auth_request=auth_request.to_json(),
token_response=token_response.to_json())
self.client.state_db.set('ABCDE', _state.to_json())
_srv = self.client.service['userinfo']
_srv.endpoint = "https://example.com/userinfo"
_info = _srv.get_request_parameters(state='ABCDE')
assert _info
assert _info['headers'] == {'Authorization': 'Bearer access'}
assert _info['url'] == 'https://example.com/userinfo'
def test_construct_accesstoken_request(self):
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
_state = State(auth_response=auth_response.to_json(),
auth_request=auth_request.to_json())
self.client.state_db.set('ABCDE', _state.to_json())
# Bind access code to state
req_args = {}
msg = self.client.service['accesstoken'].construct(
request_args=req_args, state='ABCDE')
assert isinstance(msg, AccessTokenRequest)
assert msg.to_dict() == {
'client_id': 'client_1',
'code': 'access_code',
'client_secret': 'abcdefghijklmnop',
'grant_type': 'authorization_code',
'redirect_uri': 'https://example.com/cli/authz_cb',
'state': 'state'
}
def test_construct_with_request(self, services):
authz_service = services['authorization']
authz_service.state_db.set('EEEE', State(iss='Issuer').to_json())
resp1 = AuthorizationResponse(code="auth_grant", state="EEEE")
response = authz_service.parse_response(resp1.to_urlencoded(),
"urlencoded")
authz_service.update_service_context(response, key='EEEE')
resp2 = AccessTokenResponse(access_token="token1",
token_type="Bearer",
expires_in=0,
state="EEEE")
response = services['accesstoken'].parse_response(
resp2.to_urlencoded(), "urlencoded")
services['accesstoken'].update_service_context(response, key='EEEE')
request = ResourceRequest()
BearerBody().construct(request, service=authz_service, key="EEEE")
assert "access_token" in request
assert request["access_token"] == "token1"
def test_construct_refresh_token_request(self):
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
token_response = AccessTokenResponse(refresh_token="refresh_with_me",
access_token="access")
_state = State(auth_response=auth_response.to_json(),
auth_request=auth_request.to_json(),
token_response=token_response.to_json())
self.client.state_db.set('ABCDE', _state.to_json())
req_args = {}
msg = self.client.service['refresh_token'].construct(
request_args=req_args, state='ABCDE')
assert isinstance(msg, RefreshAccessTokenRequest)
assert msg.to_dict() == {
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
'grant_type': 'refresh_token',
'refresh_token': 'refresh_with_me'
}
def test_access_token_and_pkce(self):
authz_service = self.service["authorization"]
request = authz_service.construct_request({"state": 'state', "response_type": "code"})
_state = request['state']
auth_response = AuthorizationResponse(code='access code')
authz_service.store_item(auth_response, 'auth_response', _state)
token_service = self.service["accesstoken"]
request = token_service.construct_request(state=_state)
assert set(request.keys()) == {'client_id', 'redirect_uri', 'grant_type',
'client_secret', 'code_verifier', 'code',
'state'}
def services():
db = InMemoryStateDataBase()
auth_request = AuthorizationRequest(redirect_uri="http://example.com",
state='ABCDE').to_json()
auth_response = AuthorizationResponse(access_token="token",
state='ABCDE').to_json()
db.set(
'ABCDE',
State(iss='Issuer',
auth_request=auth_request,
auth_response=auth_response).to_json())
return init_services(DEFAULT_SERVICES, get_service_context(), db)
def test_allow_unsigned_idtoken(self, allow_sign_alg_none):
req_args = {
'response_type': 'code',
'state': 'state',
'nonce': 'nonce'
}
self.service.endpoint = 'https://example.com/authorize'
self.service.get_request_parameters(request_args=req_args)
# Build an ID Token
idt = JWT(ISS_KEY, iss=ISS, lifetime=3600, sign_alg='none')
payload = {'sub': '123456789', 'aud': ['client_id']}
_idt = idt.pack(payload)
self.service.service_context.get('behaviour')["verify_args"] = {
"allow_sign_alg_none": allow_sign_alg_none
}
resp = AuthorizationResponse(state='state', code='code', id_token=_idt)
if allow_sign_alg_none:
resp = self.service.parse_response(resp.to_urlencoded())
else:
with pytest.raises(UnsupportedAlgorithm):
self.service.parse_response(resp.to_urlencoded())
def test_response_mode_form_post(self):
request = {"response_mode": "form_post"}
info = {
"response_args": AuthorizationResponse(foo="bar"),
"return_uri": "https://example.com/cb",
}
info = self.endpoint.response_mode(request, **info)
assert set(info.keys()) == {"response_args", "return_uri", "response_msg",
"content_type", "response_placement"}
assert info["response_msg"] == FORM_POST.format(
action="https://example.com/cb",
inputs='<input type="hidden" name="foo" value="bar"/>',
)
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
entity = Entity(config=client_config)
self.token_service = entity.client_get("service", "accesstoken")
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
_state = self.token_service.client_get("service_context").state
_state.store_item(auth_request, 'auth_request', 'state')
_state.store_item(auth_response, 'auth_response', 'state')
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
entity = Entity(config=client_config)
self.refresh_service = entity.client_get("service", 'refresh_token')
auth_response = AuthorizationResponse(code='access_code')
token_response = AccessTokenResponse(access_token='bearer_token',
refresh_token='refresh')
_state = self.refresh_service.client_get("service_context").state
_state.store_item(auth_response, 'auth_response', 'abcdef')
_state.store_item(token_response, 'token_response', 'abcdef')
self.refresh_service.endpoint = 'https://example.com/token'
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
self.service = service_factory('RefreshAccessToken', ['oauth2'],
service_context=service_context)
auth_response = AuthorizationResponse(code='access_code')
token_response = AccessTokenResponse(access_token='bearer_token',
refresh_token='refresh')
self.service.store_item(auth_response, 'auth_response', 'abcdef')
self.service.store_item(token_response, 'token_response', 'abcdef')
self.service.endpoint = 'https://example.com/token'
def test_construct_with_request(self, entity):
authz_service = entity.client_get("service", 'authorization')
_cntx = authz_service.client_get("service_context")
_key = _cntx.state.create_state(iss='Issuer')
resp1 = AuthorizationResponse(code="auth_grant", state=_key)
response = authz_service.parse_response(resp1.to_urlencoded(),
"urlencoded")
authz_service.update_service_context(response, key=_key)
resp2 = AccessTokenResponse(access_token="token1",
token_type="Bearer",
expires_in=0,
state=_key)
_token_service = entity.client_get("service", 'accesstoken')
response = _token_service.parse_response(resp2.to_urlencoded(),
"urlencoded")
_token_service.update_service_context(response, key=_key)
request = ResourceRequest()
BearerBody().construct(request, service=authz_service, key=_key)
assert "access_token" in request
assert request["access_token"] == "token1"
def create_service(self):
client_config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb']
}
service_context = ServiceContext(config=client_config)
service_context.set('redirect_uris',
['https://example.com/cli/authz_cb'])
self.service = service_factory('AccessToken', ['oauth2'],
service_context=service_context)
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
auth_response = AuthorizationResponse(code='access_code')
self.service.store_item(auth_request, 'auth_request', 'state')
self.service.store_item(auth_response, 'auth_response', 'state')
