    def test_userinfo_request(self):
        """A default user_info_request is a GET with the token in a Bearer header.

        Seeds the client with a parsed authorization response and a parsed
        token response under state "state0", then checks the four-tuple
        ``(path, body, method, h_args)`` that ``user_info_request`` builds.
        """
        authz_resp = AuthorizationResponse(code="code", state="state000")
        token_resp = AccessTokenResponse(
            access_token="access_token",
            token_type="Bearer",
            expires_in=600,
            refresh_token="refresh",
            scope=["openid"],
        )

        # Both responses must be recorded against the same state before the
        # client can build an authenticated userinfo request.
        seed = (
            (AuthorizationResponse, authz_resp.to_urlencoded(), {"sformat": "urlencoded"}),
            (AccessTokenResponse, token_resp.to_json(), {}),
        )
        for klass, payload, extra in seed:
            self.client.parse_response(klass, payload, state="state0", **extra)

        path, body, method, h_args = self.client.user_info_request(state="state0")

        expected_h_args = {"headers": {"Authorization": "Bearer access_token"}}
        assert path == "http://example.com/userinfo"
        assert method == "GET"
        assert body is None
        assert h_args == expected_h_args
    def test_userinfo_request_post(self):
        """With method="POST" the access token travels in the form body.

        Seeds the client exactly as the GET case does, then checks that the
        token is sent as ``access_token=...`` with a form content type and no
        Authorization header.
        """
        authz_resp = AuthorizationResponse(code="code", state="state000")
        token_resp = AccessTokenResponse(
            access_token="access_token",
            token_type="bearer",
            expires_in=600,
            refresh_token="refresh",
            scope=["openid"],
        )

        seed = (
            (AuthorizationResponse, authz_resp.to_urlencoded(), {"sformat": "urlencoded"}),
            (AccessTokenResponse, token_resp.to_json(), {}),
        )
        for klass, payload, extra in seed:
            self.client.parse_response(klass, payload, state="state0", **extra)

        path, body, method, h_args = self.client.user_info_request(
            method="POST", state="state0")

        expected_h_args = {
            "headers": {
                "Content-Type": "application/x-www-form-urlencoded"
            }
        }
        assert path == "http://example.com/userinfo"
        assert method == "POST"
        assert body == "access_token=access_token"
        assert h_args == expected_h_args
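    def token_endpoint(self, data):
        """Handle a token request body and build the access token response.

        Args:
            data: the raw url-encoded token request body; it is searched for
                the ``grant_type`` parameter as a substring.

        Returns:
            A ``Response`` carrying the JSON ``AccessTokenResponse`` on
            success, or a ``(TokenErrorResponse, "")`` tuple for an
            unsupported grant type. The two shapes differ; that is how the
            existing error branch returned and callers should expect both.
        """
        # NOTE: these are substring tests on the raw body, so they would also
        # match the literal inside another parameter's value; a check on the
        # parsed request would be stricter.
        if "grant_type=refresh_token" in data:
            req = self.parse_refresh_token_request(body=data)
            _info = self.sdb.refresh_token(req["refresh_token"])
        elif "grant_type=authorization_code" in data:
            # The original test was the bare string literal (always truthy):
            # every non-refresh request was parsed as an authorization-code
            # grant and ``unsupported_grant_type`` was unreachable.
            req = self.parse_token_request(body=data)
            _info = self.sdb.upgrade_to_token(req["code"])
        else:
            return TokenErrorResponse(error="unsupported_grant_type"), ""

        resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info))
        response = Response()
        response.headers = {"content-type": "application/json"}
        response.text = resp.to_json()

        return response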
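    def token_endpoint(self, data):
        """Handle a token request body and build the access token response.

        Args:
            data: the raw url-encoded token request body; it is searched for
                the ``grant_type`` parameter as a substring.

        Returns:
            A ``Response`` carrying the JSON ``AccessTokenResponse`` on
            success, or a ``(TokenErrorResponse, "")`` tuple for an
            unsupported grant type. The two shapes differ; that is how the
            existing error branch returned and callers should expect both.
        """
        # NOTE: these are substring tests on the raw body, so they would also
        # match the literal inside another parameter's value; a check on the
        # parsed request would be stricter.
        if "grant_type=refresh_token" in data:
            req = self.parse_refresh_token_request(body=data)
            _info = self.sdb.refresh_token(req["refresh_token"])
        elif "grant_type=authorization_code" in data:
            # The original test was the bare string literal (always truthy):
            # every non-refresh request was parsed as an authorization-code
            # grant and ``unsupported_grant_type`` was unreachable.
            req = self.parse_token_request(body=data)
            _info = self.sdb.upgrade_to_token(req["code"])
        else:
            return TokenErrorResponse(error="unsupported_grant_type"), ""

        resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info))
        response = Response()
        response.headers = {"content-type": "application/json"}
        response.text = resp.to_json()

        return response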
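def test_parse_access_token_response():
    """Client.parse_response selects the decoder from ``sformat``.

    Checks that a JSON-encoded AccessTokenResponse parses by default, that a
    url-encoded one needs ``sformat="urlencoded"`` (with or without a URL in
    front of the query), that error payloads parse without raising, and that
    a mismatched or unknown ``sformat`` raises.
    """
    client = Client()
    ATR = AccessTokenResponse
    expected_keys = ['access_token', 'token_type', 'expires_in', 'refresh_token']

    at = ATR(access_token="SlAV32hkKG",
             token_type="Bearer",
             refresh_token="8xLOxBtZp8",
             expires_in=3600)

    atj = at.to_json()
    atr = client.parse_response(ATR, info=atj)
    assert _eq(atr.keys(), expected_keys)

    uec = at.to_urlencoded()
    # The string form of pytest.raises was removed in pytest 5; the context
    # manager form is the supported spelling of the same check.
    with raises(ValueError):
        client.parse_response(ATR, info=uec)

    uatr = client.parse_response(ATR, info=uec, sformat="urlencoded")
    assert _eq(uatr.keys(), expected_keys)

    # The url-encoded parser also accepts a full URL and reads the query part.
    huec = "%s?%s" % ("https://example.com/token", uec)
    uatr = client.parse_response(ATR, info=huec, sformat="urlencoded")
    assert _eq(uatr.keys(), expected_keys)

    err = ErrorResponse(error="invalid_request",
                        error_description="Something was missing",
                        error_uri="http://example.com/error_message.html")

    jerr = err.to_json()
    uerr = err.to_urlencoded()

    # Error payloads must parse without raising in either encoding.
    _ = client.parse_response(ATR, info=jerr)
    _ = client.parse_response(ATR, info=uerr, sformat="urlencoded")

    # Wrong or unknown sformat for the given payload must raise.
    with raises(Exception):
        client.parse_response(ATR, info=jerr, sformat="urlencoded")
    with raises(Exception):
        client.parse_response(ATR, info=uerr)
    with raises(Exception):
        client.parse_response(ATR, info=jerr, sformat="focus")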
    def test_userinfo_request(self):
        """A default user_info_request is a GET carrying a Bearer header.

        Seeds the client with an authorization response and a token response
        under state "state0" and checks the request tuple that comes back.
        """
        authz_resp = AuthorizationResponse(code="code", state="state000")
        token_resp = AccessTokenResponse(access_token="access_token",
                                         token_type="Bearer",
                                         expires_in=600,
                                         refresh_token="refresh",
                                         scope=["openid"])

        # Record both responses against "state0" before building the request.
        self.client.parse_response(AuthorizationResponse,
                                   authz_resp.to_urlencoded(),
                                   state="state0",
                                   sformat="urlencoded")
        self.client.parse_response(AccessTokenResponse,
                                   token_resp.to_json(),
                                   state="state0")

        result = self.client.user_info_request(state="state0")
        path, body, method, h_args = result

        assert method == "GET"
        assert body is None
        assert path == "http://example.com/userinfo"
        assert h_args == {'headers': {'Authorization': 'Bearer access_token'}}
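def test_parse_access_token_response():
    """Client.parse_response selects the decoder from ``sformat``.

    Checks that a JSON-encoded AccessTokenResponse parses by default, that a
    url-encoded one needs ``sformat="urlencoded"`` (with or without a URL in
    front of the query), that error payloads parse without raising, and that
    a mismatched or unknown ``sformat`` raises.
    """
    client = Client()
    ATR = AccessTokenResponse
    expected_keys = ['access_token', 'token_type', 'expires_in', 'refresh_token']

    at = ATR(access_token="SlAV32hkKG", token_type="Bearer",
             refresh_token="8xLOxBtZp8", expires_in=3600)

    atj = at.to_json()
    atr = client.parse_response(ATR, info=atj)
    assert _eq(atr.keys(), expected_keys)

    uec = at.to_urlencoded()
    # The string form of pytest.raises was removed in pytest 5; the context
    # manager form is the supported spelling of the same check.
    with raises(ValueError):
        client.parse_response(ATR, info=uec)

    uatr = client.parse_response(ATR, info=uec, sformat="urlencoded")
    assert _eq(uatr.keys(), expected_keys)

    # The url-encoded parser also accepts a full URL and reads the query part.
    huec = "%s?%s" % ("https://example.com/token", uec)
    uatr = client.parse_response(ATR, info=huec, sformat="urlencoded")
    assert _eq(uatr.keys(), expected_keys)

    err = ErrorResponse(error="invalid_request",
                        error_description="Something was missing",
                        error_uri="http://example.com/error_message.html")

    jerr = err.to_json()
    uerr = err.to_urlencoded()

    # Error payloads must parse without raising in either encoding.
    _ = client.parse_response(ATR, info=jerr)
    _ = client.parse_response(ATR, info=uerr, sformat="urlencoded")

    # Wrong or unknown sformat for the given payload must raise.
    with raises(Exception):
        client.parse_response(ATR, info=jerr, sformat="urlencoded")
    with raises(Exception):
        client.parse_response(ATR, info=uerr)
    with raises(Exception):
        client.parse_response(ATR, info=jerr, sformat="focus")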
    def test_userinfo_request_post(self):
        """With method="POST" the token is sent in a form-encoded body.

        Seeds the client as in the GET case and checks that the request has
        the token as ``access_token=...`` and a form content type.
        """
        authz_resp = AuthorizationResponse(code="code", state="state000")
        token_resp = AccessTokenResponse(access_token="access_token",
                                         token_type="bearer",
                                         expires_in=600,
                                         refresh_token="refresh",
                                         scope=["openid"])

        self.client.parse_response(AuthorizationResponse,
                                   authz_resp.to_urlencoded(),
                                   state="state0",
                                   sformat="urlencoded")
        self.client.parse_response(AccessTokenResponse,
                                   token_resp.to_json(),
                                   state="state0")

        result = self.client.user_info_request(method="POST", state="state0")
        path, body, method, h_args = result

        expected_headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        assert method == "POST"
        assert path == "http://example.com/userinfo"
        assert body == "access_token=access_token"
        assert h_args == {'headers': expected_headers}
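    def token_endpoint(self, data):
        """Handle a token request body and build the access token response.

        Args:
            data: the raw url-encoded token request body; it is searched for
                the ``grant_type`` parameter as a substring.

        Returns:
            A ``Response`` carrying the JSON ``AccessTokenResponse`` on
            success, or a ``(TokenErrorResponse, "")`` tuple on error
            (unsupported grant type, or an authorization code that is not in
            the session store). The two shapes differ; that is how the
            existing error branch returned and callers should expect both.
        """
        # NOTE: substring tests on the raw body; a check on the parsed
        # request would be stricter.
        if "grant_type=refresh_token" in data:
            req = self.parse_refresh_token_request(body=data)
            # The client id is passed along with the token so the store can
            # bind the refresh to the client it was issued to.
            _info = self.sdb.refresh_token(req["refresh_token"],
                                           req['client_id'])
        elif "grant_type=authorization_code" in data:
            req = self.parse_token_request(body=data)
            try:
                session = self.sdb[req['code']]
            except KeyError:
                # An unknown code used to escape as an unhandled KeyError;
                # invalid_grant is the OAuth2 error for a bad code.
                return TokenErrorResponse(error="invalid_grant"), ""
            # A refresh token is only issued when offline_access was granted;
            # the default of upgrade_to_token is not visible here, so the
            # no-refresh call is kept exactly as before.
            if 'offline_access' in session['scope']:
                _info = self.sdb.upgrade_to_token(req["code"],
                                                  issue_refresh=True)
            else:
                _info = self.sdb.upgrade_to_token(req["code"])
        else:
            return TokenErrorResponse(error="unsupported_grant_type"), ""

        resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info))
        response2 = Response()
        response2.headers = {"content-type": "application/json"}
        response2.text = resp.to_json()

        return response2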
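    def _refresh_access_token_endpoint(self, req, **kwargs):
        """Issue a new access token (and, for ``openid`` scope, a new ID token)
        in exchange for a refresh token.

        Args:
            req: the parsed refresh token request; ``client_id``,
                ``grant_type`` and ``refresh_token`` are read from it.
            **kwargs: accepted for interface compatibility; not used here.

        Returns:
            A JSON ``Response`` built from an ``AccessTokenResponse``.

        Raises:
            AssertionError: if ``grant_type`` is not ``refresh_token``.
        """
        _sdb = self.sdb
        _log_debug = logger.debug

        client_info = self.cdb[req["client_id"]]

        # Explicit check instead of ``assert``: assertions are stripped under
        # ``python -O``, which would let any grant_type reach the store. The
        # exception type is kept so existing callers see the same failure.
        if req["grant_type"] != "refresh_token":
            raise AssertionError("grant_type must be 'refresh_token'")

        rtoken = req["refresh_token"]
        # NOTE(review): only the token is passed here; whether the store checks
        # that it was issued to req["client_id"] cannot be seen from this
        # method -- confirm in _sdb.refresh_token.
        _info = _sdb.refresh_token(rtoken)

        if "openid" in _info["scope"]:
            userinfo = self.userinfo_in_id_token_claims(_info)
            _idtoken = self.sign_encrypt_id_token(_info, client_info, req,
                                                  user_info=userinfo)
            sid = _sdb.token.get_key(rtoken)
            _sdb.update(sid, "id_token", _idtoken)

        # Lazy %-args: the session record (which carries the tokens) is only
        # rendered when debug logging is actually enabled.
        _log_debug("_info: %s", _info)

        atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info))

        _log_debug("access_token_response: %s", atr.to_dict())

        return Response(atr.to_json(), content="application/json")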
            try:
                _idtoken = self._id_token(_info)
            except AccessDenied:
                return self._error(environ, start_response,
                                   error="access_denied")

            _sdb.update_by_token(_access_code, "id_token", _idtoken)

        _log_debug("_tinfo: %s" % _tinfo)

        atr = AccessTokenResponse(**by_schema(AccessTokenResponse, **_tinfo))

        if self.test_mode:
            _log_info("access_token_response: %s" % atr.to_dict())

        resp = Response(atr.to_json(), content="application/json")
        return resp(environ, start_response)

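    def _bearer_auth(self, environ):
        #'HTTP_AUTHORIZATION': 'Bearer pC7efiVgbI8UASlolltdh76DrTZ2BQJQXFhVvwWlKekFvWCcdMTmNCI/BCSCxQiG'
        """Extract the bearer token from the WSGI ``HTTP_AUTHORIZATION`` header.

        Args:
            environ: WSGI environ mapping; only ``HTTP_AUTHORIZATION`` is read.

        Returns:
            The token part of a ``Bearer <token>`` header (case-insensitive
            scheme).

        Raises:
            AuthnFailure: if the header is missing, the scheme is not
                ``Bearer``, or no token follows the scheme.
        """
        try:
            authn = environ["HTTP_AUTHORIZATION"]
        except KeyError:
            raise AuthnFailure

        # The scheme check used to be an ``assert``, which ``python -O`` strips:
        # any header value would then have been accepted and sliced as a token.
        # Splitting on the first space also rejects values such as "bearerX..."
        # that the old six-character prefix test let through.
        scheme, _, _token = authn.partition(" ")
        if scheme.lower() != "bearer" or not _token:
            raise AuthnFailure("AuthZ type I don't know")

        return _token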
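    def __call__(self, request):
        """Token endpoint of the test provider: redeem an authorization code
        for an access token plus a signed ID token.

        Args:
            request: object whose ``body`` holds the raw token request; it is
                parsed with ``self.provider.parse_token_request``.

        Returns:
            A ``(status, headers, body)`` tuple; ``body`` is the JSON
            ``AccessTokenResponse`` on success or a plain error string.

        Raises:
            Exception: if the authorization code was already used or has
                expired. The original also had a ``return (400, ...)`` after
                each raise, which was unreachable; the raise is what callers
                actually observe, so it is kept and the dead returns dropped.
        """
        req = self.provider.parse_token_request(body=request.body)

        if 'grant_type' not in req:
            return (400, {}, 'Missing grant_type')

        if req['grant_type'] != 'authorization_code':
            return (400, {}, 'Unsupported grant_type')

        if 'code' not in req:
            return (400, {}, 'Missing code')

        authz_code = req['code']
        try:
            authz_info = self.provider.authz_codes[authz_code]
        except KeyError:
            # An unknown code used to escape as an unhandled KeyError.
            return (400, {}, 'Invalid authorization code')
        auth_req = authz_info['auth_req']
        client_id = auth_req['client_id']

        # One timestamp for the whole exchange so iat/exp of the stored token
        # and of the ID token agree.
        now = time.time()

        # A code is single-use; a replayed or stale code is rejected here
        # instead of silently minting another token.
        if authz_info['used']:
            raise Exception('code already used')
        if authz_info['exp'] < now:
            raise Exception('code expired')
        authz_info['used'] = True

        at_value = rndstr()
        token_type = 'Bearer'
        at_lifetime = self.provider.access_token_lifetime

        self.provider.access_tokens[at_value] = {
            'iat': now,
            'exp': now + at_lifetime,
            'sub': 'test-sub',
            'client_id': client_id,
            'aud': [client_id],
            'scope': authz_info['granted_scope'],
            'granted_scope': authz_info['granted_scope'],
            'token_type': token_type,
            'auth_req': auth_req,
        }

        # c_hash / at_hash tie the ID token to the code and access token it was
        # issued with (jws.left_hash is assumed to compute the left-half hash
        # those claims call for -- confirm there).
        id_token = IdToken(
            iss=self.config['issuer'],
            sub='test-sub',
            aud=client_id,
            iat=now,
            exp=now + self.provider.id_token_lifetime,
            c_hash=jws.left_hash(authz_code.encode('utf-8'), 'HS256'),
            at_hash=jws.left_hash(at_value.encode('utf-8'), 'HS256'),
        )
        if 'nonce' in auth_req:
            id_token['nonce'] = auth_req['nonce']

        resp = AccessTokenResponse()
        resp['access_token'] = at_value
        resp['token_type'] = token_type
        resp['expires_in'] = at_lifetime
        resp['refresh_token'] = None
        resp['id_token'] = id_token.to_jwt([self.provider.signing_key], 'RS256')

        return (200, {
            'Content-Type': 'application/json',
            'Cache-Control': 'no-store',
            'Pragma': 'no-cache',
        }, resp.to_json())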
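    def __call__(self, request):
        """Token endpoint of the test provider: redeem an authorization code
        for an access token plus a signed ID token.

        Args:
            request: object whose ``body`` holds the raw token request; it is
                parsed with ``self.provider.parse_token_request``.

        Returns:
            A ``(status, headers, body)`` tuple; ``body`` is the JSON
            ``AccessTokenResponse`` on success or a plain error string.

        Raises:
            Exception: if the authorization code was already used or has
                expired. The original also had a ``return (400, ...)`` after
                each raise, which was unreachable; the raise is what callers
                actually observe, so it is kept and the dead returns dropped.
        """
        req = self.provider.parse_token_request(body=request.body)

        if 'grant_type' not in req:
            return (400, {}, 'Missing grant_type')

        if req['grant_type'] != 'authorization_code':
            return (400, {}, 'Unsupported grant_type')

        if 'code' not in req:
            return (400, {}, 'Missing code')

        authz_code = req['code']
        try:
            authz_info = self.provider.authz_codes[authz_code]
        except KeyError:
            # An unknown code used to escape as an unhandled KeyError.
            return (400, {}, 'Invalid authorization code')
        auth_req = authz_info['auth_req']
        client_id = auth_req['client_id']

        # One timestamp for the whole exchange so iat/exp of the stored token
        # and of the ID token agree.
        now = time.time()

        # A code is single-use; a replayed or stale code is rejected here
        # instead of silently minting another token.
        if authz_info['used']:
            raise Exception('code already used')
        if authz_info['exp'] < now:
            raise Exception('code expired')
        authz_info['used'] = True

        at_value = rndstr()
        token_type = 'Bearer'
        at_lifetime = self.provider.access_token_lifetime

        self.provider.access_tokens[at_value] = {
            'iat': now,
            'exp': now + at_lifetime,
            'sub': 'test-sub',
            'client_id': client_id,
            'aud': [client_id],
            'scope': authz_info['granted_scope'],
            'granted_scope': authz_info['granted_scope'],
            'token_type': token_type,
            'auth_req': auth_req,
        }

        # c_hash / at_hash tie the ID token to the code and access token it was
        # issued with (jws.left_hash is assumed to compute the left-half hash
        # those claims call for -- confirm there).
        id_token = IdToken(
            iss=self.config['issuer'],
            sub='test-sub',
            aud=client_id,
            iat=now,
            exp=now + self.provider.id_token_lifetime,
            c_hash=jws.left_hash(authz_code.encode('utf-8'), 'HS256'),
            at_hash=jws.left_hash(at_value.encode('utf-8'), 'HS256'),
        )
        if 'nonce' in auth_req:
            id_token['nonce'] = auth_req['nonce']

        resp = AccessTokenResponse()
        resp['access_token'] = at_value
        resp['token_type'] = token_type
        resp['expires_in'] = at_lifetime
        resp['refresh_token'] = None
        resp['id_token'] = id_token.to_jwt([self.provider.signing_key], 'RS256')

        return (
            200,
            {
                'Content-Type': 'application/json',
                'Cache-Control': 'no-store',
                'Pragma': 'no-cache',
            },
            resp.to_json()
        )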