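def test_spa_app_noscope():
    """Password-grant token with no explicit ``scope`` must be refused by the scope-guarded route.

    The user holds ``auth0_test_permission`` (RBAC permission), so the
    permission-guarded routes ``/secure`` and ``/also-secure`` succeed.
    ``/secure-scoped`` must answer 403 because the client never asked for
    a scope on the user's behalf: in Auth0 a *permission* is what the user
    has, a *scope* is what this particular client requested.
    """
    # NOTE(review): a browser SPA is a public client and would not hold a
    # client_secret; this fixture presumably targets a confidential test
    # client configured for the password grant — confirm against the tenant.
    token_resp = requests.post(
        f'https://{auth0_domain}/oauth/token',
        headers={'content-type': 'application/x-www-form-urlencoded'},
        data={
            'grant_type': 'password',
            'username': auth0_spa_username,
            'password': auth0_spa_password,
            'client_id': auth0_spa_client_id,
            'client_secret': auth0_spa_client_secret,
            'audience': auth0_api_audience,
            # the app is not explicitly requesting scope
        },
        # Without a timeout a stalled tenant blocks the whole test run.
        timeout=30,
    )
    assert token_resp.status_code == 200, token_resp.text
    auth = get_bearer_header(token_resp.json()['access_token'])

    # Permission-guarded routes: the RBAC permission alone is sufficient.
    resp = client.get('/secure', headers=auth)
    assert resp.status_code == 200, resp.text
    resp = client.get('/also-secure', headers=auth)
    assert resp.status_code == 200, resp.text

    user = Auth0User(**resp.json())
    assert auth0_test_permission in user.permissions
    assert user.email == auth0_spa_username

    # Scope-guarded route: the user has the permission, but the scope check
    # must fail because the SPA did not request the scope. Expect 403, not
    # 401 — the token itself is valid; the caller merely lacks the scope.
    resp = client.get('/secure-scoped', headers=auth)
    assert resp.status_code == 403, resp.text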
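def test_spa_app():
    """Password-grant token that explicitly requests the test scope passes every guard.

    Counterpart of ``test_spa_app_noscope``: the same user and client, but
    ``scope`` is sent with the token request, so the scope-guarded
    ``/secure-scoped`` route must now return 200 as well.
    """
    # NOTE(review): a browser SPA is a public client and would not hold a
    # client_secret; this fixture presumably targets a confidential test
    # client configured for the password grant — confirm against the tenant.
    token_resp = requests.post(
        f'https://{auth0_domain}/oauth/token',
        headers={'content-type': 'application/x-www-form-urlencoded'},
        data={
            'grant_type': 'password',
            'username': auth0_spa_username,
            'password': auth0_spa_password,
            'client_id': auth0_spa_client_id,
            'client_secret': auth0_spa_client_secret,
            'audience': auth0_api_audience,
            # Requesting the scope is what distinguishes this test from
            # test_spa_app_noscope.
            'scope': auth0_test_permission,
        },
        # Without a timeout a stalled tenant blocks the whole test run.
        timeout=30,
    )
    assert token_resp.status_code == 200, token_resp.text
    auth = get_bearer_header(token_resp.json()['access_token'])

    # Permission-guarded routes.
    resp = client.get('/secure', headers=auth)
    assert resp.status_code == 200, resp.text
    resp = client.get('/also-secure', headers=auth)
    assert resp.status_code == 200, resp.text

    user = Auth0User(**resp.json())
    assert auth0_test_permission in user.permissions
    assert user.email == auth0_spa_username

    # Scope-guarded route: permission AND requested scope are both present.
    resp = client.get('/secure-scoped', headers=auth)
    assert resp.status_code == 200, resp.text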
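def test_m2m_app():
    """Client-credentials (machine-to-machine) token passes every guard, including the scoped route.

    There is no end user behind a client-credentials token, so ``email`` is
    ``None``. The M2M client is not subject to user RBAC: whatever
    permissions are granted to the client are also what authorizes the
    scope, so ``/secure-scoped`` succeeds without a ``scope`` parameter.
    """
    token_resp = requests.post(
        f'https://{auth0_domain}/oauth/token',
        json={
            'grant_type': 'client_credentials',
            'client_id': auth0_m2m_client_id,
            'client_secret': auth0_m2m_client_secret,
            'audience': auth0_api_audience,
        },
        # Without a timeout a stalled tenant blocks the whole test run.
        timeout=30,
    )
    assert token_resp.status_code == 200, token_resp.text
    auth = get_bearer_header(token_resp.json()['access_token'])

    # Permission-guarded routes.
    resp = client.get('/secure', headers=auth)
    assert resp.status_code == 200, resp.text
    resp = client.get('/also-secure', headers=auth)
    assert resp.status_code == 200, resp.text
    resp2 = client.get('/also-secure-2', headers=auth)
    assert resp2.status_code == 200, resp2.text

    # Inspect the principal as seen by /also-secure.
    user = Auth0User(**resp.json())
    assert auth0_test_permission in user.permissions
    # auth0 cannot provide an email because the end user is a machine
    assert user.email is None

    # M2M app is not subject to RBAC, so any permission given to it will
    # also authorize the scope.
    resp = client.get('/secure-scoped', headers=auth)
    assert resp.status_code == 200, resp.text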