def test_refresh_token_not_expired(self):
"""
Test for requesting access token using refresh token with expiration date
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code()
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('refresh_token' in response.data)
token_request = {
'grant_type': 'refresh_token',
'refresh_token': response.data['refresh_token'],
'scope': response.data['scope'],
}
# Set expiration time to future
RefreshToken.objects.update(expires=timezone.now() + timedelta(days=7))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_refresh_token_repeating_request_fail(self):
"""
Test for requesting access token using refresh token and repeating the request
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code()
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('refresh_token' in response.data)
token_request = {
'grant_type': 'refresh_token',
'refresh_token': response.data['refresh_token'],
'scope': response.data['scope'],
}
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_refresh_token_override_authorization(self):
"""
Test overriding Authorization header by providing client ID and secret as param
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code()
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('refresh_token' in response.data)
token_request = {
'grant_type': 'refresh_token',
'refresh_token': response.data['refresh_token'],
'scope': response.data['scope'],
'client_id': self.application.client_id,
'client_secret': self.application.client_secret,
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth('invalid_client_id',
'invalid_client_secret'))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('access_token' in response.data)
def test_refresh_token_repeating_request_fail(self):
"""
Test for requesting access token using refresh token and repeating the request
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code()
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('refresh_token' in response.data)
token_request = {
'grant_type': 'refresh_token',
'refresh_token': response.data['refresh_token'],
'scope': response.data['scope'],
}
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_refresh_token_not_expired(self):
"""
Test for requesting access token using refresh token with expiration date
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code()
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('refresh_token' in response.data)
token_request = {
'grant_type': 'refresh_token',
'refresh_token': response.data['refresh_token'],
'scope': response.data['scope'],
}
# Set expiration time to future
RefreshToken.objects.update(expires=timezone.now() + timedelta(days=7))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_access_allowed(self):
"""
Test for accessing resource using valid access token
"""
self.client.login(username='******', password='******')
form_data = {
'client_id': self.application.client_id,
'state': 'random_state_string',
'scopes': 'read write',
'redirect_uri': 'http://localhost',
'response_type': 'token',
'allow': True,
}
response = self.client.post(reverse('oauth_api:authorize'),
data=form_data)
self.assertEqual(response.status_code, status.HTTP_302_FOUND)
fragments = self.parse_fragments(response['Location'])
access_token = fragments['access_token'].pop()
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.get(reverse('resource-view'))
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, RESPONSE_DATA)
def test_refresh_token_override_authorization(self):
"""
Test overriding Authorization header by providing client ID and secret as param
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code()
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('refresh_token' in response.data)
token_request = {
'grant_type': 'refresh_token',
'refresh_token': response.data['refresh_token'],
'scope': response.data['scope'],
'client_id': self.application.client_id,
'client_secret': self.application.client_secret,
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
'invalid_client_id', 'invalid_client_secret'))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('access_token' in response.data)
def test_access_allowed(self):
"""
Test for accessing resource using valid access token
"""
self.client.login(username='******', password='******')
form_data = {
'client_id': self.application.client_id,
'state': 'random_state_string',
'scopes': 'read write',
'redirect_uri': 'http://localhost',
'response_type': 'token',
'allow': True,
}
response = self.client.post(reverse('oauth_api:authorize'), data=form_data)
self.assertEqual(response.status_code, status.HTTP_302_FOUND)
fragments = self.parse_fragments(response['Location'])
access_token = fragments['access_token'].pop()
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.get(reverse('resource-view'))
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, RESPONSE_DATA)
def test_refresh_token(self):
"""
Test for requesting access token using refresh token
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code()
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('refresh_token' in response.data)
# Make second token request to be sure that previous refresh token
# remains valid.
authorization_code = self.get_authorization_code()
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.post(reverse('oauth_api:token'), token_request)
# Request new access token using the refresh token from the first
# request
token_request = {
'grant_type': 'refresh_token',
'refresh_token': response.data['refresh_token'],
'scope': response.data['scope'],
}
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('access_token' in response.data)
# Refresh tokens cannot be used twice
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
self.assertTrue('invalid_grant' in response.data.values())
def test_refresh_token(self):
"""
Test for requesting access token using refresh token
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code()
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('refresh_token' in response.data)
# Make second token request to be sure that previous refresh token
# remains valid.
authorization_code = self.get_authorization_code()
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.post(reverse('oauth_api:token'), token_request)
# Request new access token using the refresh token from the first
# request
token_request = {
'grant_type': 'refresh_token',
'refresh_token': response.data['refresh_token'],
'scope': response.data['scope'],
}
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('access_token' in response.data)
# Refresh tokens cannot be used twice
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
self.assertTrue('invalid_grant' in response.data.values())
def test_revoke_access_token_with_mismatching_app(self):
"""
Test token revocation using mismatching application
"""
other_access_token = AccessToken.objects.create(user=self.test_user, token='1029384756',
application=self.public_application,
expires=timezone.now() + timezone.timedelta(days=1),
scope='read write')
other_refresh_token = RefreshToken.objects.create(user=self.test_user, token='1122334455',
application=self.public_application,
access_token=other_access_token,
expires=timezone.now() + timezone.timedelta(days=3))
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
data = {
'token': other_refresh_token.token,
'token_type_hint': 'refresh_token',
}
response = self.client.post(reverse('oauth_api:revoke-token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue(AccessToken.objects.filter(pk=other_access_token.pk).exists())
self.assertTrue(AccessToken.objects.filter(pk=self.access_token.pk).exists())
self.assertTrue(RefreshToken.objects.filter(pk=other_refresh_token.pk).exists())
self.assertTrue(RefreshToken.objects.filter(pk=self.refresh_token.pk).exists())
def test_expired_authorization_code(self):
"""
Test for requesting access code when authorization code has been expired
"""
self.client.login(username='******', password='******')
ac = AuthorizationCode(application=self.application,
user=self.test_user,
code='BANANA',
expires=timezone.now(),
redirect_uri='',
scope='')
ac.save()
token_request = {
'grant_type': 'authorization_code',
'code': 'BANANA',
'redirect_uri': 'http://localhost',
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_revoke_access_token_without_app(self):
data = {
'token': self.access_token.token,
}
response = self.client.post(reverse('oauth_api:revoke-token'), data)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
self.assertTrue(AccessToken.objects.filter(pk=self.access_token.pk).exists())
def test_scopes_in_access_token(self):
"""
Test scopes are properly saved in access tokens
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code(scopes='write scope1')
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('access_token' in response.data)
access_token = response.data['access_token']
token = AccessToken.objects.get(token=access_token)
self.assertEqual(token.scope, 'write scope1')
def test_post_allow(self):
"""
Test for resource owner authorized the client
"""
self.client.login(username='******', password='******')
form_data = {
'client_id': self.application.client_id,
'state': 'random_state_string',
'scopes': 'read write',
'redirect_uri': 'http://localhost',
'response_type': 'token',
'allow': True,
}
response = self.client.post(reverse('oauth_api:authorize'),
data=form_data)
self.assertEqual(response.status_code, status.HTTP_302_FOUND)
self.assertIn('http://localhost#', response['Location'])
self.assertIn('access_token=', response['Location'])
self.assertIn('state=random_state_string', response['Location'])
self.assertIn(
'expires_in=%s' % oauth_api_settings.ACCESS_TOKEN_EXPIRATION,
response['Location'])
def test_scopes_in_access_token(self):
"""
Test scopes are properly saved in access tokens
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code(scopes='write scope1')
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': 'http://localhost',
}
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue('access_token' in response.data)
access_token = response.data['access_token']
token = AccessToken.objects.get(token=access_token)
self.assertEqual(token.scope, 'write scope1')
def test_revoke_access_token_with_mismatching_app(self):
"""
Test token revocation using mismatching application
"""
other_access_token = AccessToken.objects.create(
user=self.test_user,
token='1029384756',
application=self.public_application,
expires=timezone.now() + timezone.timedelta(days=1),
scope='read write')
other_refresh_token = RefreshToken.objects.create(
user=self.test_user,
token='1122334455',
application=self.public_application,
access_token=other_access_token,
expires=timezone.now() + timezone.timedelta(days=3))
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
data = {
'token': other_refresh_token.token,
'token_type_hint': 'refresh_token',
}
response = self.client.post(reverse('oauth_api:revoke-token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertTrue(
AccessToken.objects.filter(pk=other_access_token.pk).exists())
self.assertTrue(
AccessToken.objects.filter(pk=self.access_token.pk).exists())
self.assertTrue(
RefreshToken.objects.filter(pk=other_refresh_token.pk).exists())
self.assertTrue(
RefreshToken.objects.filter(pk=self.refresh_token.pk).exists())
def test_valid_client(self):
"""
Test for valid client information
"""
self.client.login(username='******', password='******')
query_string = {
'client_id': self.application.client_id,
'response_type': 'token',
'redirect_uri': 'http://localhost',
'scope': 'read write',
'state': 'random_state_string',
}
response = self.client.get(reverse('oauth_api:authorize'),
data=query_string)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertIn('form', response.context)
form = response.context['form']
self.assertEqual(form['redirect_uri'].value(), 'http://localhost')
self.assertEqual(form['state'].value(), 'random_state_string')
self.assertEqual(form['scopes'].value(), 'read write')
self.assertEqual(form['client_id'].value(), self.application.client_id)
def test_revoke_access_token_with_public_app(self):
data = {
'client_id': self.public_application.client_id,
'token': self.public_access_token.token,
}
response = self.client.post(reverse('oauth_api:revoke-token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertFalse(AccessToken.objects.filter(pk=self.public_access_token.pk).exists())
def test_revoke_access_token_without_app(self):
data = {
'token': self.access_token.token,
}
response = self.client.post(reverse('oauth_api:revoke-token'), data)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
self.assertTrue(
AccessToken.objects.filter(pk=self.access_token.pk).exists())
def test_revoke_access_token(self):
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
data = {
'token': self.access_token.token,
}
response = self.client.post(reverse('oauth_api:revoke-token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertFalse(AccessToken.objects.filter(pk=self.access_token.pk).exists())
def test_revoke_access_token_with_public_app(self):
data = {
'client_id': self.public_application.client_id,
'token': self.public_access_token.token,
}
response = self.client.post(reverse('oauth_api:revoke-token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertFalse(
AccessToken.objects.filter(
pk=self.public_access_token.pk).exists())
def test_basic_auth(self):
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
data = {
'grant_type': 'password',
'username': '******',
'password': '******',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_basic_auth(self):
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
data = {
'grant_type': 'password',
'username': '******',
'password': '******',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_revoke_access_token(self):
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
data = {
'token': self.access_token.token,
}
response = self.client.post(reverse('oauth_api:revoke-token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertFalse(
AccessToken.objects.filter(pk=self.access_token.pk).exists())
def test_access_denied(self):
"""
Test for accessing resource using invalid access token
"""
self.client.force_authenticate(user=self.test_user)
self.client.credentials(HTTP_AUTHORIZATION='Bearer invalid')
response = self.client.get(reverse('resource-view'))
self.client.force_authenticate(user=None)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_access_denied(self):
"""
Test for accessing resource using invalid access token
"""
self.client.force_authenticate(user=self.test_user)
self.client.credentials(HTTP_AUTHORIZATION='Bearer invalid')
response = self.client.get(reverse('resource-view'))
self.client.force_authenticate(user=None)
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_mixed_scopes_invalid_write(self):
"""
Test access to resource protected by required_scopes, read_scopes and write_scopes with invalid write scope
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code(scopes='scope1 read')
access_token = self.get_access_token(authorization_code)
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.post(reverse('resource-mixed-view'))
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_missing_response_type(self):
"""
Test for missing response_type
"""
self.client.login(username='******', password='******')
query_string = {
'client_id': self.application.client_id,
}
response = self.client.get(reverse('oauth_api:authorize'), data=query_string)
self.assertEqual(response.status_code, status.HTTP_302_FOUND)
self.assertIn('error=invalid_request', response['Location'])
def test_denied_resource_access(self):
"""
Request an access toke and try to fetch data using it
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
data = {
'grant_type': 'client_credentials',
'scope': 'read',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
access_token = response.data['access_token']
# Update Basic Auth information
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.get(reverse('resource-view'))
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_auth_as_data(self):
"""
Authenticate by sending client_id and client_secret as part of data payload
"""
data = {
'grant_type': 'password',
'username': '******',
'password': '******',
'client_id': self.application.client_id,
'client_secret': self.application.client_secret,
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_client_credentials_should_not_create_refresh_token(self):
"""
Client Credentials grant should not create Refresh Tokens
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
data = {
'grant_type': 'client_credentials',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertNotIn('refresh_token', response.data)
def test_invalid_scope(self):
"""
Request an access toke and try to fetch data using it
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
data = {
'grant_type': 'client_credentials',
'scope': 'invalid',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_denied_resource_access(self):
"""
Request an access toke and try to fetch data using it
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
data = {
'grant_type': 'client_credentials',
'scope': 'read',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
access_token = response.data['access_token']
# Update Basic Auth information
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.get(reverse('resource-view'))
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_invalid_scope(self):
"""
Request an access toke and try to fetch data using it
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
data = {
'grant_type': 'client_credentials',
'scope': 'invalid',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_auth_as_data(self):
"""
Authenticate by sending client_id and client_secret as part of data payload
"""
data = {
'grant_type': 'password',
'username': '******',
'password': '******',
'client_id': self.application.client_id,
'client_secret': self.application.client_secret,
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
def test_client_credentials_should_not_create_refresh_token(self):
"""
Client Credentials grant should not create Refresh Tokens
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
data = {
'grant_type': 'client_credentials',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertNotIn('refresh_token', response.data)
def test_invalid_client(self):
"""
Request token with invalid client credentials
"""
data = {
'grant_type': 'password',
'username': '******',
'password': '******',
'client_id': 'invalid',
'client_secret': 'invalid',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_mixed_scopes_invalid_write(self):
"""
Test access to resource protected by required_scopes, read_scopes and write_scopes with invalid write scope
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code(scopes='scope1 read')
access_token = self.get_access_token(authorization_code)
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.post(reverse('resource-mixed-view'))
self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
def test_invalid_client(self):
"""
Request token with invalid client credentials
"""
data = {
'grant_type': 'password',
'username': '******',
'password': '******',
'client_id': 'invalid',
'client_secret': 'invalid',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_missing_response_type(self):
"""
Test for missing response_type
"""
self.client.login(username='******', password='******')
query_string = {
'client_id': self.application.client_id,
}
response = self.client.get(reverse('oauth_api:authorize'),
data=query_string)
self.assertEqual(response.status_code, status.HTTP_302_FOUND)
self.assertIn('error=invalid_request', response['Location'])
def test_required_scopes_valid(self):
"""
Test access to resource protected by required_scope
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code(scopes='read write')
access_token = self.get_access_token(authorization_code)
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.get(reverse('resource-view'))
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, RESPONSE_DATA)
def test_required_scopes_valid(self):
"""
Test access to resource protected by required_scope
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code(scopes='read write')
access_token = self.get_access_token(authorization_code)
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.get(reverse('resource-view'))
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, RESPONSE_DATA)
def test_access_allowed(self):
"""
Test for accessing resource using valid access token
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code()
access_token = self.get_access_token(authorization_code)
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.get(reverse('resource-view'))
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, RESPONSE_DATA)
def test_access_allowed(self):
"""
Test for accessing resource using valid access token
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code()
access_token = self.get_access_token(authorization_code)
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.get(reverse('resource-view'))
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, RESPONSE_DATA)
def test_auth_as_data(self):
"""
Authenticate by sending client_id and client_secret as part of data payload
"""
data = {
'grant_type': 'client_credentials',
'client_id': self.application.client_id,
'client_secret': self.application.client_secret,
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data['token_type'], 'Bearer')
self.assertTrue(self.scopes_valid(response.data['scope'], oauth_api_settings.SCOPES))
self.assertEqual(response.data['expires_in'], oauth_api_settings.ACCESS_TOKEN_EXPIRATION)
def test_basic_auth(self):
"""
Authenticate using Basic Authentication
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
data = {
'grant_type': 'client_credentials',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data['token_type'], 'Bearer')
self.assertTrue(self.scopes_valid(response.data['scope'], oauth_api_settings.SCOPES))
self.assertEqual(response.data['expires_in'], oauth_api_settings.ACCESS_TOKEN_EXPIRATION)
def test_resouce_access(self):
"""
Request an access token and try to fetch data using it
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
data = {
'grant_type': 'password',
'username': '******',
'password': '******',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
access_token = response.data['access_token']
# Update Basic Auth information
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.get(reverse('resource-view'))
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, RESPONSE_DATA)
def test_invalid_scope_request(self):
"""
Test for invalid scopes
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
data = {
'grant_type': 'password',
'username': '******',
'password': '******',
'scope': 'BANANA',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_resouce_access(self):
"""
Request an access token and try to fetch data using it
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
data = {
'grant_type': 'password',
'username': '******',
'password': '******',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
access_token = response.data['access_token']
# Update Basic Auth information
self.client.credentials(HTTP_AUTHORIZATION='Bearer %s' % access_token)
response = self.client.get(reverse('resource-view'))
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, RESPONSE_DATA)
def test_invalid_scope_request(self):
"""
Test for invalid scopes
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
data = {
'grant_type': 'password',
'username': '******',
'password': '******',
'scope': 'BANANA',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
def test_client_credentials_should_not_assign_user(self):
"""
Client Credentials grant shouldn't assign user to Access Token object
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
data = {
'grant_type': 'client_credentials',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
# Client Credentials should not assign user to Access Tokens
access_token = AccessToken.objects.get(token=response.data['access_token'])
self.assertIsNone(access_token.user)
def test_public_with_invalid_redirect_uri(self):
"""
Test for requesting access token using client_type 'public' and providing
invalid redirect_uri
"""
self.client.login(username='******', password='******')
authorization_code = self.get_authorization_code(self.application_public.client_id)
token_request = {
'grant_type': 'authorization_code',
'code': authorization_code,
'redirect_uri': '/../',
'client_id': self.application_public.client_id,
}
response = self.client.post(reverse('oauth_api:token'), token_request)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
def test_valid_default_scope_request(self):
"""
Test valid token request
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(self.application.client_id,
self.application.client_secret))
data = {
'grant_type': 'password',
'username': '******',
'password': '******',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data['token_type'], 'Bearer')
self.assertTrue(self.scopes_valid(response.data['scope'], oauth_api_settings.SCOPES))
self.assertEqual(response.data['expires_in'], oauth_api_settings.ACCESS_TOKEN_EXPIRATION)
def test_client_credentials_should_not_assign_user(self):
"""
Client Credentials grant shouldn't assign user to Access Token object
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
data = {
'grant_type': 'client_credentials',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
# Client Credentials should not assign user to Access Tokens
access_token = AccessToken.objects.get(
token=response.data['access_token'])
self.assertIsNone(access_token.user)
def test_missing_client(self):
"""
Test for missing client information
"""
self.client.login(username='******', password='******')
query_string = {
'response_type': 'token',
}
response = self.client.get(reverse('oauth_api:authorize'), data=query_string)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertIn('error', response.context)
error = response.context['error']
self.assertTrue(isinstance(error, MissingClientIdError))
def test_missing_client(self):
"""
Test for missing client information
"""
self.client.login(username='******', password='******')
query_string = {
'response_type': 'token',
}
response = self.client.get(reverse('oauth_api:authorize'),
data=query_string)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
self.assertIn('error', response.context)
error = response.context['error']
self.assertTrue(isinstance(error, MissingClientIdError))
def test_basic_auth(self):
"""
Authenticate using Basic Authentication
"""
self.client.credentials(HTTP_AUTHORIZATION=self.get_basic_auth(
self.application.client_id, self.application.client_secret))
data = {
'grant_type': 'client_credentials',
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data['token_type'], 'Bearer')
self.assertTrue(
self.scopes_valid(response.data['scope'],
oauth_api_settings.SCOPES))
self.assertEqual(response.data['expires_in'],
oauth_api_settings.ACCESS_TOKEN_EXPIRATION)
def test_auth_as_data(self):
"""
Authenticate by sending client_id and client_secret as part of data payload
"""
data = {
'grant_type': 'client_credentials',
'client_id': self.application.client_id,
'client_secret': self.application.client_secret,
}
response = self.client.post(reverse('oauth_api:token'), data)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data['token_type'], 'Bearer')
self.assertTrue(
self.scopes_valid(response.data['scope'],
oauth_api_settings.SCOPES))
self.assertEqual(response.data['expires_in'],
oauth_api_settings.ACCESS_TOKEN_EXPIRATION)
def test_default_redirect_uri(self):
"""
Test for default redirect_uri if user-agent did not provide any
"""
self.client.login(username='******', password='******')
query_string = {
'client_id': self.application.client_id,
'response_type': 'token',
}
response = self.client.get(reverse('oauth_api:authorize'), data=query_string)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertIn('form', response.context)
form = response.context['form']
self.assertEqual(form['redirect_uri'].value(), 'http://localhost')
