def scope_is_valid_for_client(provider, authentication_request):
    """Reject an authentication request whose ``scope`` the client may not use.

    Three checks run in order; each failure raises
    ``InvalidAuthenticationRequest`` with ``oauth_error='invalid_scope'``:

    1. Exactly one affiliation from ``AFFILIATIONS`` must be requested.
    2. ``persistent`` and ``transient`` must not both be requested.
    3. The chosen identifier modifier and every requested value that is
       listed in ``SCOPE_VALUES`` must appear in the client's registered
       ``allowed_scope_values``. ``openid`` is always accepted; values outside
       ``SCOPE_VALUES`` are not checked (and are therefore ignored here).

    Args:
        provider: object whose ``clients`` mapping holds per-client config,
            keyed by client id.
        authentication_request: mapping with at least ``scope`` and
            ``client_id``.

    Returns:
        None when every check passes.

    Raises:
        InvalidAuthenticationRequest: on any of the three failures above.
    """
    scope = authentication_request['scope']

    # Exactly one affiliation type may be validated per request.
    affiliations = [affiliation for affiliation in AFFILIATIONS if affiliation in scope]
    if not affiliations:
        raise InvalidAuthenticationRequest('Requested validation not allowed.', authentication_request,
                                           oauth_error='invalid_scope')
    if len(affiliations) > 1:
        raise InvalidAuthenticationRequest('Requested validation of too many affiliations.', authentication_request,
                                           oauth_error='invalid_scope')

    # A persistent and a transient identifier are mutually exclusive.
    wants_persistent = 'persistent' in scope
    if wants_persistent and 'transient' in scope:
        raise InvalidAuthenticationRequest('Requested both transient and persistent identifier.',
                                           authentication_request,
                                           oauth_error='invalid_scope')

    # Authorization decision: the client's registered allowed_scope_values is
    # the policy source for everything below. A client_id that is not
    # registered raises KeyError here; presumably it has been validated
    # earlier in the request pipeline.
    allowed = provider.clients[authentication_request['client_id']]['allowed_scope_values']

    # Absence of 'persistent' means a transient identifier is requested.
    id_modifier = 'persistent' if wants_persistent else 'transient'
    if id_modifier not in allowed:
        raise InvalidAuthenticationRequest('Scope value \'{}\' not allowed.'.format(id_modifier),
                                           authentication_request, oauth_error='invalid_scope')

    for requested in scope:
        if requested == 'openid':  # 'openid' is always permitted
            continue
        # Only values the provider understands are policed; the client must be
        # explicitly allowed to ask for each of them.
        if requested in SCOPE_VALUES and requested not in allowed:
            logger.debug('Scope value \'{}\' not in \'{}\' for client.'.format(requested, allowed))
            raise InvalidAuthenticationRequest('Scope value \'{}\' not allowed.'.format(requested),
                                               authentication_request, oauth_error='invalid_scope')
    def test_error_url_should_handle_unknown_response_type(self):
        """A request without ``response_type`` must yield no error URL.

        Only ``redirect_uri`` and ``state`` are supplied; the test expects
        ``to_error_url()`` to return None rather than guess how the error
        should be delivered back to the redirect URI.
        """
        request = AuthorizationRequest().from_dict({
            'redirect_uri': 'test_redirect_uri',
            'state': 'test_state',
        })
        error = InvalidAuthenticationRequest('test', request, 'invalid_request')

        assert error.to_error_url() is None
def claims_request_is_valid_for_client(provider, authentication_request):
    """Reject a ``claims`` request the client is not permitted to make.

    Two rules, each raising ``InvalidAuthenticationRequest`` with
    ``oauth_error='invalid_request'``:

    * ``userinfo`` claims may never be requested.
    * Every claim named under ``id_token`` must be in the client's registered
      ``allowed_claims``.

    Args:
        provider: object whose ``clients`` mapping holds per-client config,
            keyed by client id.
        authentication_request: mapping; ``claims`` (when present) is treated
            as a dict of claim-request sections — assumes the request parser
            has already produced that shape (TODO confirm against caller).

    Returns:
        None when the request is acceptable, including when no ``claims``
        parameter or no ``id_token`` section is present.

    Raises:
        InvalidAuthenticationRequest: on either rule above.
    """
    claims = authentication_request.get('claims', {})
    if 'userinfo' in claims:
        raise InvalidAuthenticationRequest('Userinfo claims can\'t be requested.',
                                           authentication_request, oauth_error='invalid_request')

    id_token_claims = claims.get('id_token', {}).keys()
    if not id_token_claims:
        # Nothing requested for the ID token: no client policy to enforce.
        return

    # Authorization decision: the client's registered allowed_claims is the
    # policy source. An unregistered client_id raises KeyError here.
    allowed = provider.clients[authentication_request['client_id']]['allowed_claims']
    disallowed = [claim for claim in id_token_claims if claim not in allowed]
    if disallowed:
        # The message reports the whole requested set, not just the rejected
        # subset, matching the established error text.
        raise InvalidAuthenticationRequest('Requested claims \'{}\' not allowed.'.format(id_token_claims),
                                           authentication_request, oauth_error='invalid_request')
    def test_error_url_should_contain_state_from_authentication_request(self):
        """The request's ``state`` must be echoed unchanged in the error URL.

        ``state`` is what the relying party uses to correlate a response
        (including an error response) with the request it issued, so the
        error redirect must carry it back verbatim.
        """
        state = 'test_state'
        request = AuthorizationRequest().from_dict({
            'redirect_uri': 'test_redirect_uri',
            'response_type': 'code',
            'state': state,
        })
        error = InvalidAuthenticationRequest('test', request, 'invalid_request')

        query = urlparse(error.to_error_url()).query
        params = dict(parse_qsl(query))
        assert params['state'] == state
 def fail_all_requests(auth_req):
     """Test stub that rejects every authentication request.

     Raises ``InvalidAuthenticationRequest`` for ``auth_req`` with a
     ``TestException`` chained as its explicit cause (``__cause__``).
     """
     error = InvalidAuthenticationRequest("Test exception", auth_req)
     raise error from TestException()