async def test_introspect_revoked_token( server: AuthorizationServer, storage: Dict[str, List], defaults: Defaults ): client_id = defaults.client_id client_secret = defaults.client_secret request_url = "https://localhost" token = storage["tokens"][0] post = Post( grant_type=GrantType.TYPE_REFRESH_TOKEN, refresh_token=token.refresh_token, ) request = Request( url=request_url, post=post, method=RequestMethod.POST, headers=encode_auth_headers(client_id, client_secret), ) response = await server.create_token_response(request) assert response.status_code == HTTPStatus.OK # Check that refreshed token was revoked post = Post(token=token.access_token) request = Request( post=post, method=RequestMethod.POST, headers=encode_auth_headers(client_id, client_secret), ) response = await server.create_token_introspection_response(request) assert not response.content.active, "The refresh_token must be revoked"
async def test_expired_token( server: AuthorizationServer, storage: Dict[str, List], defaults: Defaults ): settings = Settings() token = Token( client_id=defaults.client_id, expires_in=settings.TOKEN_EXPIRES_IN, access_token=generate_token(42), refresh_token=generate_token(48), issued_at=int(time.time() - settings.TOKEN_EXPIRES_IN), scope=defaults.scope, ) client_id = defaults.client_id client_secret = defaults.client_secret storage["tokens"].append(token) post = Post(token=token.access_token) request = Request( post=post, method=RequestMethod.POST, headers=encode_auth_headers(client_id, client_secret), ) response = await server.create_token_introspection_response(request) assert response.status_code == HTTPStatus.OK assert not response.content.active
async def test_expired_authorization_code(server: AuthorizationServer, defaults: Defaults, storage: Dict[str, List]): request_url = "https://localhost" settings = Settings() authorization_code = storage["authorization_codes"][0] storage["authorization_codes"][0] = set_values( authorization_code, {"auth_time": time.time() - settings.AUTHORIZATION_CODE_EXPIRES_IN}, ) post = Post( grant_type=GrantType.TYPE_AUTHORIZATION_CODE, redirect_uri=defaults.redirect_uri, code=storage["authorization_codes"][0].code, ) request = Request( url=request_url, post=post, method=RequestMethod.POST, headers=encode_auth_headers(defaults.client_id, defaults.client_secret), ) response = await server.create_token_response(request) assert response.status_code == HTTPStatus.BAD_REQUEST assert response.content.error == ErrorType.INVALID_GRANT
async def test_invalid_grant_type(server: AuthorizationServer, defaults: Defaults, storage): client: Client = storage["clients"][0] client = set_values(client, {"grant_types": [GrantType.TYPE_AUTHORIZATION_CODE]}) storage["clients"][0] = client client_id = defaults.client_id client_secret = defaults.client_secret request_url = "https://localhost" post = Post( grant_type=GrantType.TYPE_PASSWORD, username=defaults.username, password=defaults.password, scope="test test", ) request = Request( post=post, url=request_url, method=RequestMethod.POST, headers=encode_auth_headers(client_id, client_secret), ) response = await server.create_token_response(request) assert response.status_code == HTTPStatus.BAD_REQUEST assert response.content.error == ErrorType.UNAUTHORIZED_CLIENT
async def test_invalid_token(server: AuthorizationServer, defaults: Defaults): client_id = defaults.client_id client_secret = defaults.client_secret request_url = "https://localhost" token = "invalid token" post = Post(token=token) request = Request( url=request_url, post=post, method=RequestMethod.POST, headers=encode_auth_headers(client_id, client_secret), ) response = await server.create_token_introspection_response(request) assert not response.content.active assert response.status_code == HTTPStatus.OK
async def test_valid_token(server: AuthorizationServer, storage: Dict[str, List], defaults: Defaults): client_id = defaults.client_id client_secret = defaults.client_secret token = storage["tokens"][0] post = Post(token=token.access_token) request = Request( post=post, method=RequestMethod.POST, headers=encode_auth_headers(client_id, client_secret), ) response = await server.create_token_introspection_response(request) assert response.status_code == HTTPStatus.OK assert response.content.active
async def test_authorization_code_flow(server: AuthorizationServer, defaults: Defaults): client_id = defaults.client_id client_secret = defaults.client_secret request_url = "https://localhost" user = "******" query = Query( client_id=defaults.client_id, response_type=ResponseType.TYPE_CODE, redirect_uri=defaults.redirect_uri, scope=defaults.scope, state=generate_token(10), ) request = Request( url=request_url, query=query, method=RequestMethod.GET, user=user, ) response = await server.create_authorization_response(request) assert response.status_code == HTTPStatus.FOUND location = response.headers["location"] location = urlparse(location) query = dict(parse_qsl(location.query)) code = query["code"] post = Post( grant_type=GrantType.TYPE_AUTHORIZATION_CODE, redirect_uri=defaults.redirect_uri, code=code, ) request = Request( url=request_url, post=post, method=RequestMethod.POST, headers=encode_auth_headers(client_id, client_secret), ) response = await server.create_token_response(request) assert response.status_code == HTTPStatus.OK
async def test_client_credentials_flow_auth_header(server: AuthorizationServer, defaults: Defaults): request_url = "https://localhost" post = Post( grant_type=GrantType.TYPE_CLIENT_CREDENTIALS, scope=defaults.scope, ) request = Request( url=request_url, post=post, method=RequestMethod.POST, headers=encode_auth_headers(client_id=defaults.client_id, client_secret=defaults.client_secret), ) response = await server.create_token_response(request) assert response.status_code == HTTPStatus.OK
async def test_invalid_client_credentials(server: AuthorizationServer, defaults: Defaults): client_id = defaults.client_id request_url = "https://localhost" post = Post( grant_type=GrantType.TYPE_PASSWORD, username=defaults.username, password=defaults.password, ) request = Request( post=post, url=request_url, method=RequestMethod.POST, headers=encode_auth_headers(client_id, "client_secret"), ) response = await server.create_token_response(request) assert response.status_code == HTTPStatus.BAD_REQUEST assert response.content.error == ErrorType.INVALID_REQUEST
async def test_password_grant_type(server: AuthorizationServer, defaults: Defaults): client_id = defaults.client_id client_secret = defaults.client_secret request_url = "https://localhost" post = Post( grant_type=GrantType.TYPE_PASSWORD, username=defaults.username, password=defaults.password, ) request = Request( post=post, url=request_url, method=RequestMethod.POST, headers=encode_auth_headers(client_id, client_secret), ) await check_request_validators(request, server.create_token_response) response = await server.create_token_response(request) assert response.status_code == HTTPStatus.OK
async def test_expired_refresh_token(server: AuthorizationServer, defaults: Defaults, storage: Dict[str, List]): settings = Settings() token = storage["tokens"][0] refresh_token = token.refresh_token storage["tokens"][0] = set_values( token, {"issued_at": time.time() - (settings.TOKEN_EXPIRES_IN * 2)}) request_url = "https://localhost" post = Post( grant_type=GrantType.TYPE_REFRESH_TOKEN, refresh_token=refresh_token, ) request = Request( url=request_url, post=post, method=RequestMethod.POST, headers=encode_auth_headers(defaults.client_id, defaults.client_secret), ) response = await server.create_token_response(request) assert response.status_code == HTTPStatus.BAD_REQUEST assert response.content.error == ErrorType.INVALID_GRANT
async def test_authorization_code_flow_plan_code_challenge( server: AuthorizationServer, defaults: Defaults, db: BaseDB): code_challenge = generate_token(128) client_id = defaults.client_id client_secret = defaults.client_secret scope = defaults.scope state = generate_token(10) redirect_uri = defaults.redirect_uri request_url = "https://localhost" user = "******" query = Query( client_id=defaults.client_id, response_type=ResponseType.TYPE_CODE, redirect_uri=redirect_uri, scope=scope, state=state, code_challenge_method=CodeChallengeMethod.PLAIN, code_challenge=code_challenge, ) request = Request( url=request_url, query=query, method=RequestMethod.GET, user=user, ) await check_request_validators(request, server.create_authorization_response) response = await server.create_authorization_response(request) assert response.status_code == HTTPStatus.FOUND location = response.headers["location"] location = urlparse(location) query = dict(parse_qsl(location.query)) assert query["state"] == state assert query["scope"] == scope assert await db.get_authorization_code(request, client_id, query["code"]) assert "code" in query location = response.headers["location"] location = urlparse(location) query = dict(parse_qsl(location.query)) code = query["code"] post = Post( grant_type=GrantType.TYPE_AUTHORIZATION_CODE, redirect_uri=defaults.redirect_uri, code=code, code_verifier=code_challenge, scope=scope, ) request = Request( url=request_url, post=post, method=RequestMethod.POST, headers=encode_auth_headers(client_id, client_secret), ) response = await server.create_token_response(request) assert response.status_code == HTTPStatus.OK assert response.headers == default_headers assert response.content.scope == scope assert response.content.token_type == "Bearer" # Check that token was created in db assert await db.get_token( request, client_id, response.content.access_token, response.content.refresh_token, ) access_token = response.content.access_token refresh_token = response.content.refresh_token post = Post( grant_type=GrantType.TYPE_REFRESH_TOKEN, refresh_token=refresh_token, ) request = Request( url=request_url, post=post, method=RequestMethod.POST, headers=encode_auth_headers(client_id, client_secret), ) await check_request_validators(request, server.create_token_response) response = await server.create_token_response(request) assert response.status_code == HTTPStatus.OK assert response.content.access_token != access_token assert response.content.refresh_token != refresh_token # Check that token was created in db assert await db.get_token( request, client_id, response.content.access_token, response.content.refresh_token, ) # Check that previous token was revoken token_in_db = await db.get_token(request, client_id, access_token, refresh_token) assert token_in_db.revoked
async def test_authorization_code_flow_pkce_code_challenge( server: AuthorizationServer, defaults: Defaults, db: BaseDB): client_id = defaults.client_id client_secret = defaults.client_secret code_verifier = generate_token(128) scope = defaults.scope code_challenge = create_s256_code_challenge(code_verifier) request_url = "https://localhost" user = "******" state = generate_token(10) query = Query( client_id=defaults.client_id, response_type=ResponseType.TYPE_CODE, redirect_uri=defaults.redirect_uri, scope=scope, state=state, code_challenge_method=CodeChallengeMethod.S256, code_challenge=code_challenge, ) request = Request( url=request_url, query=query, method=RequestMethod.GET, user=user, ) response = await server.create_authorization_response(request) assert response.status_code == HTTPStatus.FOUND location = response.headers["location"] location = urlparse(location) query = dict(parse_qsl(location.query)) assert query["state"] == state assert query["scope"] == scope assert "code" in query code = query["code"] post = Post( grant_type=GrantType.TYPE_AUTHORIZATION_CODE, redirect_uri=defaults.redirect_uri, code=code, scope=scope, code_verifier=code_verifier, ) request = Request( url=request_url, post=post, method=RequestMethod.POST, headers=encode_auth_headers(client_id, client_secret), ) await check_request_validators(request, server.create_token_response) code_record = await db.get_authorization_code(request, client_id, code) assert code_record response = await server.create_token_response(request) assert response.status_code == HTTPStatus.OK assert response.headers == default_headers assert response.content.scope == scope assert response.content.token_type == "Bearer" code_record = await db.get_authorization_code(request, client_id, code) assert not code_record