Exemple #1
0
    def client_authentication(self,
                              request: Message,
                              http_info: Optional[dict] = None,
                              **kwargs):
        """
        Do client authentication

        :param request: Parsed request, a self.request_cls class instance
        :param http_info: HTTP headers, URL used and cookies.
        :return: client_id or raise an exception
        """

        if "endpoint" not in kwargs:
            kwargs["endpoint"] = self

        authn_info = verify_client(
            endpoint_context=self.server_get("endpoint_context"),
            request=request,
            http_info=http_info,
            get_client_id_from_token=self.get_client_id_from_token,
            **kwargs)

        LOGGER.debug("authn_info: %s", authn_info)
        if authn_info == {} and self.client_authn_method and len(
                self.client_authn_method):
            LOGGER.debug("client_authn_method: %s", self.client_authn_method)
            raise UnAuthorizedClient("Authorization failed")

        return authn_info
    def test_verify_client_jws_authn_method(self):
        client_keyjar = KeyJar()
        client_keyjar.import_jwks(KEYJAR.export_jwks(private=True),
                                  CONF["issuer"])
        # The only own key the client has a this point
        client_keyjar.add_symmetric("", client_secret, ["sig"])

        _jwt = JWT(client_keyjar, iss=client_id, sign_alg="HS256")
        # Audience is OP issuer ID
        aud = "{}token".format(CONF["issuer"])  # aud == Token endpoint
        _assertion = _jwt.pack({"aud": [aud]})

        request = {
            "client_assertion": _assertion,
            "client_assertion_type": JWT_BEARER
        }
        http_info = {"headers": {}}
        res = verify_client(
            self.endpoint_context,
            request,
            http_info=http_info,
            endpoint=self.server.server_get("endpoint", "token"),
        )
        assert res["method"] == "client_secret_jwt"
        assert res["client_id"] == "client_id"
 def test_verify_client_registration_none(self):
     # This is when no special auth method is configured
     request = {"redirect_uris": ["https://example.com/cb"]}
     res = verify_client(
         self.endpoint_context,
         request,
         endpoint=self.server.server_get("endpoint", "registration"),
     )
     assert res == {}
 def test_verify_client_client_secret_post(self):
     request = {"client_id": client_id, "client_secret": client_secret}
     res = verify_client(
         self.endpoint_context,
         request,
         endpoint=self.server.server_get("endpoint", "token"),
     )
     assert set(res.keys()) == {"method", "client_id"}
     assert res["method"] == "client_secret_post"
 def test_verify_client_authorization_none(self):
     # This is when it's explicitly said that no client auth method is allowed
     request = {"client_id": client_id}
     res = verify_client(
         self.endpoint_context,
         request,
         endpoint=self.server.server_get("endpoint", "authorization"),
     )
     assert res["method"] == "none"
     assert res["client_id"] == "client_id"
 def test_verify_client_bearer_body(self):
     request = {"access_token": "1234567890", "client_id": client_id}
     self.endpoint_context.registration_access_token[
         "1234567890"] = client_id
     res = verify_client(
         self.endpoint_context,
         request,
         get_client_id_from_token=get_client_id_from_token,
         endpoint=self.server.server_get("endpoint", "userinfo"),
     )
     assert set(res.keys()) == {"token", "method", "client_id"}
     assert res["method"] == "bearer_body"
    def test_verify_client_client_secret_basic(self):
        _token = "{}:{}".format(client_id, client_secret)
        token = as_unicode(base64.b64encode(as_bytes(_token)))
        authz_token = "Basic {}".format(token)
        http_info = {"headers": {"authorization": authz_token}}

        res = verify_client(
            self.endpoint_context,
            {},
            http_info=http_info,
            endpoint=self.server.server_get("endpoint", "token"),
        )
        assert set(res.keys()) == {"method", "client_id"}
        assert res["method"] == "client_secret_basic"
    def test_verify_client_bearer_header(self):
        # A prerequisite for the get_client_id_from_token function
        self.endpoint_context.registration_access_token[
            "1234567890"] = client_id

        token = "Bearer 1234567890"
        http_info = {"headers": {"authorization": token}}
        request = {"client_id": client_id}
        res = verify_client(
            self.endpoint_context,
            request,
            http_info=http_info,
            get_client_id_from_token=get_client_id_from_token,
            endpoint=self.server.server_get("endpoint", "authorization"),
        )
        assert set(res.keys()) == {"token", "method", "client_id"}
        assert res["method"] == "bearer_header"