def test_oauth2_client_credentials_flow_token_is_expired_after_30_seconds_by_default(
token_cache, responses: RequestsMock):
auth = requests_auth.OAuth2ClientCredentials("http://provide_access_token",
client_id="test_user",
client_secret="test_pwd")
# Add a token that expires in 29 seconds, so should be considered as expired when issuing the request
token_cache._add_token(
key=
"a8a1c17ded24b3710524306819084310b08f97e151c79f4f1979202c541f3e8506c93176f7ee816bfcd2b2f6de9c5c3e16aaff220f1ad8f08d31ee086e8618da",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
# Meaning a new one will be requested
responses.add(
responses.POST,
"http://provide_access_token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_okta_client_credentials_flow_token_is_expired_after_30_seconds_by_default(
token_cache, responses: RequestsMock):
auth = requests_auth.OktaClientCredentials("test_okta",
client_id="test_user",
client_secret="test_pwd")
# Add a token that expires in 29 seconds, so should be considered as expired when issuing the request
token_cache._add_token(
key=
"f0d25aa4e496c6615328e776bb981dabe53fa77768a0a58eaf6d54215c598d80e57ffc7926fd96ec6a6a872942cb684a473e36233b593fb760d3eb6dc22ae550",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
# Meaning a new one will be requested
responses.add(
responses.POST,
"https://test_okta/oauth2/default/v1/token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_oauth2_password_credentials_flow_token_is_expired_after_30_seconds_by_default(
token_cache, responses: RequestsMock):
auth = requests_auth.OAuth2ResourceOwnerPasswordCredentials(
"http://provide_access_token",
username="******",
password="******")
# Add a token that expires in 29 seconds, so should be considered as expired when issuing the request
token_cache._add_token(
key=
"db2be9203dd2718c7285319dde1270056808482fbf7fffa6a9362d092d1cf799b393dd15140ea13e4d76d1603e56390a6222ff7063736a1b686d317706b2c001",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
# Meaning a new one will be requested
responses.add(
responses.POST,
"http://provide_access_token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
assert (get_request(responses, "http://provide_access_token/").body ==
"grant_type=password&username=test_user&password=test_pwd")
def test_oauth2_implicit_flow_token_custom_expiry(
token_cache, responses: RequestsMock, browser_mock: BrowserMock
):
auth = requests_auth.OAuth2Implicit("http://provide_token", early_expiry=28)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
expiry_in_29_seconds = datetime.datetime.utcnow() + datetime.timedelta(seconds=29)
token_cache._add_token(
key="42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
token=create_token(expiry_in_29_seconds),
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
token = create_token(expiry_in_29_seconds)
assert get_header(responses, auth).get("Authorization") == f"Bearer {token}"
def test_okta_authorization_code_flow_token_custom_expiry(
token_cache, responses: RequestsMock, browser_mock: BrowserMock):
auth = requests_auth.OktaAuthorizationCode(
"testserver.okta-emea.com",
"54239d18-c68c-4c47-8bdd-ce71ea1d50cd",
early_expiry=28,
)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
token_cache._add_token(
key=
"5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_okta_client_credentials_flow_token_custom_expiry(
token_cache, responses: RequestsMock):
auth = requests_auth.OktaClientCredentials(
"test_okta",
client_id="test_user",
client_secret="test_pwd",
early_expiry=28,
)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
token_cache._add_token(
key=
"f0d25aa4e496c6615328e776bb981dabe53fa77768a0a58eaf6d54215c598d80e57ffc7926fd96ec6a6a872942cb684a473e36233b593fb760d3eb6dc22ae550",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_oauth2_password_credentials_flow_token_custom_expiry(
token_cache, responses: RequestsMock):
auth = requests_auth.OAuth2ResourceOwnerPasswordCredentials(
"http://provide_access_token",
username="******",
password="******",
early_expiry=28,
)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
token_cache._add_token(
key=
"db2be9203dd2718c7285319dde1270056808482fbf7fffa6a9362d092d1cf799b393dd15140ea13e4d76d1603e56390a6222ff7063736a1b686d317706b2c001",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_oauth2_client_credentials_flow_token_custom_expiry(
token_cache, responses: RequestsMock, browser_mock: BrowserMock
):
auth = requests_auth.OAuth2AuthorizationCode(
"http://provide_code",
"http://provide_access_token",
early_expiry=28,
)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
token_cache._add_token(
key="163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
assert (
get_header(responses, auth).get("Authorization")
== "Bearer 2YotnFZFEjr1zCsicMWpAA"
)
def test_oauth2_client_credentials_flow_token_custom_expiry(
token_cache, responses: RequestsMock):
auth = requests_auth.OAuth2ClientCredentials(
"http://provide_access_token",
client_id="test_user",
client_secret="test_pwd",
early_expiry=28,
)
# Add a token that expires in 29 seconds, so should be considered as not expired when issuing the request
token_cache._add_token(
key=
"a8a1c17ded24b3710524306819084310b08f97e151c79f4f1979202c541f3e8506c93176f7ee816bfcd2b2f6de9c5c3e16aaff220f1ad8f08d31ee086e8618da",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
def test_okta_pkce_flow_token_is_expired_after_30_seconds_by_default(
token_cache, responses: RequestsMock, monkeypatch,
browser_mock: BrowserMock):
monkeypatch.setattr(requests_auth.authentication.os, "urandom",
lambda x: b"1" * 63)
auth = requests_auth.OktaAuthorizationCodePKCE(
"testserver.okta-emea.com", "54239d18-c68c-4c47-8bdd-ce71ea1d50cd")
tab = browser_mock.add_response(
opened_url=
"https://testserver.okta-emea.com/oauth2/default/v1/authorize?client_id=54239d18-c68c-4c47-8bdd-ce71ea1d50cd&scope=openid&response_type=code&state=5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&code_challenge=5C_ph_KZ3DstYUc965SiqmKAA-ShvKF4Ut7daKd3fjc&code_challenge_method=S256",
reply_url=
"http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b",
)
# Add a token that expires in 29 seconds, so should be considered as expired when issuing the request
token_cache._add_token(
key=
"5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
# Meaning a new one will be requested
responses.add(
responses.POST,
"https://testserver.okta-emea.com/oauth2/default/v1/token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
assert (get_header(
responses,
auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA")
assert (
get_request(
responses,
"https://testserver.okta-emea.com/oauth2/default/v1/token").body ==
"code_verifier=MTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTEx&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&client_id=54239d18-c68c-4c47-8bdd-ce71ea1d50cd&scope=openid&response_type=code&code=SplxlOBeZQQYbYS6WxSbIA"
)
tab.assert_success(
"You are now authenticated on 5264d11c8b268ccf911ce564ca42fd75cea68c4a3c1ec3ac1ab20243891ab7cd5250ad4c2d002017c6e8ac2ba34954293baa5e0e4fd00bb9ffd4a39c45f1960b. You may close this tab."
)
def test_oauth2_authorization_code_flow_token_is_expired_after_30_seconds_by_default(
token_cache, responses: RequestsMock, browser_mock: BrowserMock
):
auth = requests_auth.OAuth2AuthorizationCode(
"http://provide_code", "http://provide_access_token"
)
tab = browser_mock.add_response(
opened_url="http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de",
)
# Add a token that expires in 29 seconds, so should be considered as expired when issuing the request
token_cache._add_token(
key="163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de",
token="2YotnFZFEjr1zCsicMWpAA",
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
# Meaning a new one will be requested
responses.add(
responses.POST,
"http://provide_access_token",
json={
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value",
},
)
assert (
get_header(responses, auth).get("Authorization")
== "Bearer 2YotnFZFEjr1zCsicMWpAA"
)
assert (
get_request(responses, "http://provide_access_token/").body
== "grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&response_type=code&code=SplxlOBeZQQYbYS6WxSbIA"
)
tab.assert_success(
"You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab."
)
def test_oauth2_implicit_flow_token_is_expired_after_30_seconds_by_default(
token_cache, responses: RequestsMock, browser_mock: BrowserMock
):
auth = requests_auth.OAuth2Implicit("http://provide_token")
# Add a token that expires in 29 seconds, so should be considered as expired when issuing the request
expiry_in_29_seconds = datetime.datetime.utcnow() + datetime.timedelta(seconds=29)
token_cache._add_token(
key="42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
token=create_token(expiry_in_29_seconds),
expiry=requests_auth.oauth2_tokens._to_expiry(expires_in=29),
)
# Meaning a new one will be requested
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url="http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=f"access_token={token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
)
assert get_header(responses, auth).get("Authorization") == f"Bearer {token}"
tab.assert_success(
"You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab."
)