async def test_expired_token(
server: AuthorizationServer, storage: Dict[str, List], defaults: Defaults
):
settings = Settings()
token = Token(
client_id=defaults.client_id,
expires_in=settings.TOKEN_EXPIRES_IN,
access_token=generate_token(42),
refresh_token=generate_token(48),
issued_at=int(time.time() - settings.TOKEN_EXPIRES_IN),
scope=defaults.scope,
)
client_id = defaults.client_id
client_secret = defaults.client_secret
storage["tokens"].append(token)
post = Post(token=token.access_token)
request = Request(
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
response = await server.create_token_introspection_response(request)
assert response.status_code == HTTPStatus.OK
assert not response.content.active
async def test_invalid_response_type(server: AuthorizationServer,
defaults: Defaults, storage):
code_verifier = generate_token(128)
code_challenge = create_s256_code_challenge(code_verifier)
request_url = "https://localhost"
user = "******"
client = storage["clients"][0]
client = set_values(client, {"response_types": [ResponseType.TYPE_TOKEN]})
storage["clients"][0] = client
query = Query(
client_id=defaults.client_id,
response_type=ResponseType.TYPE_CODE,
redirect_uri=defaults.redirect_uri,
scope=defaults.scope,
state=generate_token(10),
code_challenge_method=CodeChallengeMethod.S256,
code_challenge=code_challenge,
)
request = Request(
url=request_url,
query=query,
method=RequestMethod.GET,
user=user,
)
response = await server.create_authorization_response(request)
assert response.status_code == HTTPStatus.BAD_REQUEST
assert response.content.error == ErrorType.UNSUPPORTED_RESPONSE_TYPE
def defaults() -> Defaults:
return Defaults(
client_id=generate_token(48),
client_secret=generate_token(48),
code=generate_token(5),
refresh_token=generate_token(48),
access_token=generate_token(42),
username="******",
password="******",
redirect_uri="https://ownauth.com/callback",
scope="read write",
)
async def test_implicit_flow(server: AuthorizationServer, defaults: Defaults):
request_url = "https://localhost"
state = generate_token(10)
scope = defaults.scope
user = "******"
query = Query(
client_id=defaults.client_id,
response_type=ResponseType.TYPE_TOKEN,
redirect_uri=defaults.redirect_uri,
scope=scope,
state=state,
)
request = Request(
url=request_url,
query=query,
method=RequestMethod.GET,
user=user,
)
response = await server.create_authorization_response(request)
assert response.status_code == HTTPStatus.FOUND
location = response.headers["location"]
location = urlparse(location)
fragment = dict(parse_qsl(location.fragment))
assert fragment["state"] == state
assert fragment["scope"] == scope
async def test_anonymous_user(server: AuthorizationServer, defaults: Defaults,
storage):
code_verifier = generate_token(128)
code_challenge = create_s256_code_challenge(code_verifier)
request_url = "https://localhost"
query = Query(
client_id=defaults.client_id,
response_type=ResponseType.TYPE_CODE,
redirect_uri=defaults.redirect_uri,
scope=defaults.scope,
state=generate_token(10),
code_challenge_method=CodeChallengeMethod.S256,
code_challenge=code_challenge,
)
request = Request(url=request_url, query=query, method=RequestMethod.GET)
response = await server.create_authorization_response(request)
assert response.status_code == HTTPStatus.UNAUTHORIZED
assert response.content.error == ErrorType.INVALID_CLIENT
async def test_authorization_code_flow_credentials_in_post(
server: AuthorizationServer, defaults: Defaults):
client_id = defaults.client_id
client_secret = defaults.client_secret
request_url = "https://localhost"
user = "******"
query = Query(
client_id=defaults.client_id,
response_type=ResponseType.TYPE_CODE,
redirect_uri=defaults.redirect_uri,
scope=defaults.scope,
state=generate_token(10),
)
request = Request(
url=request_url,
query=query,
method=RequestMethod.GET,
user=user,
)
response = await server.create_authorization_response(request)
assert response.status_code == HTTPStatus.FOUND
location = response.headers["location"]
location = urlparse(location)
query = dict(parse_qsl(location.query))
code = query["code"]
post = Post(
grant_type=GrantType.TYPE_AUTHORIZATION_CODE,
client_id=client_id,
client_secret=client_secret,
redirect_uri=defaults.redirect_uri,
code=code,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.OK
async def test_authorization_code_flow_plan_code_challenge(
server: AuthorizationServer, defaults: Defaults, db: BaseDB):
code_challenge = generate_token(128)
client_id = defaults.client_id
client_secret = defaults.client_secret
scope = defaults.scope
state = generate_token(10)
redirect_uri = defaults.redirect_uri
request_url = "https://localhost"
user = "******"
query = Query(
client_id=defaults.client_id,
response_type=ResponseType.TYPE_CODE,
redirect_uri=redirect_uri,
scope=scope,
state=state,
code_challenge_method=CodeChallengeMethod.PLAIN,
code_challenge=code_challenge,
)
request = Request(
url=request_url,
query=query,
method=RequestMethod.GET,
user=user,
)
await check_request_validators(request,
server.create_authorization_response)
response = await server.create_authorization_response(request)
assert response.status_code == HTTPStatus.FOUND
location = response.headers["location"]
location = urlparse(location)
query = dict(parse_qsl(location.query))
assert query["state"] == state
assert query["scope"] == scope
assert await db.get_authorization_code(request, client_id, query["code"])
assert "code" in query
location = response.headers["location"]
location = urlparse(location)
query = dict(parse_qsl(location.query))
code = query["code"]
post = Post(
grant_type=GrantType.TYPE_AUTHORIZATION_CODE,
redirect_uri=defaults.redirect_uri,
code=code,
code_verifier=code_challenge,
scope=scope,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.OK
assert response.headers == default_headers
assert response.content.scope == scope
assert response.content.token_type == "Bearer"
# Check that token was created in db
assert await db.get_token(
request,
client_id,
response.content.access_token,
response.content.refresh_token,
)
access_token = response.content.access_token
refresh_token = response.content.refresh_token
post = Post(
grant_type=GrantType.TYPE_REFRESH_TOKEN,
refresh_token=refresh_token,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
await check_request_validators(request, server.create_token_response)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.OK
assert response.content.access_token != access_token
assert response.content.refresh_token != refresh_token
# Check that token was created in db
assert await db.get_token(
request,
client_id,
response.content.access_token,
response.content.refresh_token,
)
# Check that previous token was revoken
token_in_db = await db.get_token(request, client_id, access_token,
refresh_token)
assert token_in_db.revoked
async def test_authorization_code_flow_pkce_code_challenge(
server: AuthorizationServer, defaults: Defaults, db: BaseDB):
client_id = defaults.client_id
client_secret = defaults.client_secret
code_verifier = generate_token(128)
scope = defaults.scope
code_challenge = create_s256_code_challenge(code_verifier)
request_url = "https://localhost"
user = "******"
state = generate_token(10)
query = Query(
client_id=defaults.client_id,
response_type=ResponseType.TYPE_CODE,
redirect_uri=defaults.redirect_uri,
scope=scope,
state=state,
code_challenge_method=CodeChallengeMethod.S256,
code_challenge=code_challenge,
)
request = Request(
url=request_url,
query=query,
method=RequestMethod.GET,
user=user,
)
response = await server.create_authorization_response(request)
assert response.status_code == HTTPStatus.FOUND
location = response.headers["location"]
location = urlparse(location)
query = dict(parse_qsl(location.query))
assert query["state"] == state
assert query["scope"] == scope
assert "code" in query
code = query["code"]
post = Post(
grant_type=GrantType.TYPE_AUTHORIZATION_CODE,
redirect_uri=defaults.redirect_uri,
code=code,
scope=scope,
code_verifier=code_verifier,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
await check_request_validators(request, server.create_token_response)
code_record = await db.get_authorization_code(request, client_id, code)
assert code_record
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.OK
assert response.headers == default_headers
assert response.content.scope == scope
assert response.content.token_type == "Bearer"
code_record = await db.get_authorization_code(request, client_id, code)
assert not code_record