def test_faulty_idtoken(): idval = { 'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'EndUserSubject', 'iss': 'https://alpha.cloud.nds.rub.de', 'exp': 1420823073, 'iat': 1420822473, 'aud': 'TestClient' } idts = IdToken(**idval) key = SYMKey(key="TestPassword") _signed_jwt = idts.to_jwt(key=[key], algorithm="HS256") #Mess with the signed id_token p = _signed_jwt.split(".") p[2] = "aaa" _faulty_signed_jwt = ".".join(p) _info = { "access_token": "accessTok", "id_token": _faulty_signed_jwt, "token_type": "Bearer", "expires_in": 3600 } # Should fail at = AccessTokenResponse(**_info) try: at.verify(key=[key]) except BadSignature: pass else: raise
def test_faulty_idtoken(self): _now = time_util.utc_time_sans_frac() idval = { 'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'EndUserSubject', 'iss': 'https://alpha.cloud.nds.rub.de', 'exp': _now + 3600, 'iat': _now, 'aud': 'TestClient' } idts = IdToken(**idval) key = SYMKey(key="TestPassword") _signed_jwt = idts.to_jwt(key=[key], algorithm="HS256") # Mess with the signed id_token p = _signed_jwt.split(".") p[2] = "aaa" _faulty_signed_jwt = ".".join(p) _info = { "access_token": "accessTok", "id_token": _faulty_signed_jwt, "token_type": "Bearer", "expires_in": 3600 } at = AccessTokenResponse(**_info) with pytest.raises(BadSignature): at.verify(key=[key])
def test_wrong_alg(): idval = { 'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'EndUserSubject', 'iss': 'https://alpha.cloud.nds.rub.de', 'exp': 1420823073, 'iat': 1420822473, 'aud': 'TestClient' } idts = IdToken(**idval) key = SYMKey(key="TestPassword") _signed_jwt = idts.to_jwt(key=[key], algorithm="HS256") _info = { "access_token": "accessTok", "id_token": _signed_jwt, "token_type": "Bearer", "expires_in": 3600 } at = AccessTokenResponse(**_info) try: at.verify(key=[key], algs={"sign": "HS512"}) except WrongSigningAlgorithm: pass
def test_wrong_alg(self): idval = {'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'EndUserSubject', 'iss': 'https://alpha.cloud.nds.rub.de', 'exp': 1420823073, 'iat': 1420822473, 'aud': 'TestClient'} idts = IdToken(**idval) key = SYMKey(key="TestPassword") _signed_jwt = idts.to_jwt(key=[key], algorithm="HS256") _info = {"access_token": "accessTok", "id_token": _signed_jwt, "token_type": "Bearer", "expires_in": 3600} at = AccessTokenResponse(**_info) with pytest.raises(WrongSigningAlgorithm): at.verify(key=[key], algs={"sign": "HS512"})
def test_wrong_alg(self): _now = time_util.utc_time_sans_frac() idval = {'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'EndUserSubject', 'iss': 'https://alpha.cloud.nds.rub.de', 'exp': _now + 3600, 'iat': _now, 'aud': 'TestClient'} idts = IdToken(**idval) key = SYMKey(key="TestPassword") _signed_jwt = idts.to_jwt(key=[key], algorithm="HS256") _info = {"access_token": "accessTok", "id_token": _signed_jwt, "token_type": "Bearer", "expires_in": 3600} at = AccessTokenResponse(**_info) with pytest.raises(WrongSigningAlgorithm): at.verify(key=[key], algs={"sign": "HS512"})
def test_make_id_token(self): self.srv.keyjar["http://oic.example/rp"] = KC_RSA session = {"sub": "user0", "client_id": "http://oic.example/rp"} issuer = "http://oic.example/idp" code = "abcdefghijklmnop" _idt = self.srv.make_id_token(session, loa="2", issuer=issuer, code=code, access_token="access_token") algo = "RS256" ckey = self.srv.keyjar.get_signing_key(alg2keytype(algo), session["client_id"]) _signed_jwt = _idt.to_jwt(key=ckey, algorithm="RS256") idt = IdToken().from_jwt(_signed_jwt, keyjar=self.srv.keyjar) _jwt = JWT().unpack(_signed_jwt) lha = left_hash(code.encode("utf-8"), func="HS" + _jwt.headers["alg"][-3:]) assert lha == idt["c_hash"] atr = AccessTokenResponse(id_token=_signed_jwt, access_token="access_token", token_type="Bearer") atr["code"] = code assert atr.verify(keyjar=self.srv.keyjar)
def test_make_id_token(): srv = Server() srv.keyjar = KEYJ srv.keyjar["http://oic.example/rp"] = KC_RSA session = {"sub": "user0", "client_id": "http://oic.example/rp"} issuer = "http://oic.example/idp" code = "abcdefghijklmnop" _idt = srv.make_id_token(session, loa="2", issuer=issuer, code=code, access_token="access_token") algo = "RS256" ckey = srv.keyjar.get_signing_key(alg2keytype(algo), session["client_id"]) _signed_jwt = _idt.to_jwt(key=ckey, algorithm="RS256") idt = IdToken().from_jwt(_signed_jwt, keyjar=srv.keyjar) print idt header = unpack(_signed_jwt) lha = left_hash(code, func="HS" + header[0]["alg"][-3:]) assert lha == idt["c_hash"] atr = AccessTokenResponse(id_token=_signed_jwt, access_token="access_token", token_type="Bearer") atr["code"] = code assert atr.verify(keyjar=srv.keyjar)
def test_construct_EndSessionRequest_kwargs_and_reqargs_state(self): self.client.grant["foo"] = Grant() self.client.grant["foo"].grant_expiration_time = int(time.time()) + 60 self.client.grant["foo"].code = "access_code" # Need a proper ID Token self.client.keyjar.add_kb(IDTOKEN["iss"], KC_SYM_S) _sig_key = self.client.keyjar.get_signing_key("oct", IDTOKEN["iss"]) _signed_jwt = IDTOKEN.to_jwt(_sig_key, algorithm="HS256") resp = AccessTokenResponse( id_token=_signed_jwt, access_token="access", scope=["openid"], token_type="bearer", ) assert resp.verify(keyjar=self.client.keyjar) self.client.grant["foo"].tokens.append(Token(resp)) # state both in request_args and kwargs args = {"redirect_url": "http://example.com/end", "state": "req_args_state"} esr = self.client.construct_EndSessionRequest(state="foo", request_args=args) assert _eq(esr.keys(), ["id_token", "state", "redirect_url"]) assert esr["state"] == "req_args_state"
def make_refresh_request(self, refresh_token): request_args = { 'grant_type': 'refresh_token', 'refresh_token': refresh_token, } resp = self.app.test_client().post('/token', data=request_args, headers=self.create_basic_auth_header()) assert resp.status_code == 200 token_response = AccessTokenResponse().from_json(resp.data.decode('utf-8')) assert token_response.verify() return token_response
def test_faulty_idtoken(self): idval = {'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'EndUserSubject', 'iss': 'https://alpha.cloud.nds.rub.de', 'exp': 1420823073, 'iat': 1420822473, 'aud': 'TestClient'} idts = IdToken(**idval) key = SYMKey(key="TestPassword") _signed_jwt = idts.to_jwt(key=[key], algorithm="HS256") # Mess with the signed id_token p = _signed_jwt.split(".") p[2] = "aaa" _faulty_signed_jwt = ".".join(p) _info = {"access_token": "accessTok", "id_token": _faulty_signed_jwt, "token_type": "Bearer", "expires_in": 3600} at = AccessTokenResponse(**_info) with pytest.raises(BadSignature): at.verify(key=[key])
def make_code_exchange_request(self, code): request_args = { 'grant_type': 'authorization_code', 'code': code, 'redirect_uri': TEST_REDIRECT_URI } resp = self.app.test_client().post('/token', data=request_args, headers=self.create_basic_auth_header()) assert resp.status_code == 200 token_response = AccessTokenResponse().from_json(resp.data.decode('utf-8')) assert token_response.verify(key=[self.app.provider.signing_key]) return token_response
def test_make_id_token(): srv = Server(KEYS) session = {"user_id": "user0", "client_id": "http://oic.example/rp"} issuer = "http://oic.example/idp" code = "abcdefghijklmnop" idt_jwt = srv.make_id_token(session, loa="2", issuer=issuer, code=code, access_token="access_token") jwt_keys = srv.keystore.get_keys("ver", owner=None) idt = IdToken().from_jwt(idt_jwt, key=jwt_keys) print idt header = unpack(idt_jwt) lha = left_hash(code, func="HS" + header[0]["alg"][-3:]) assert lha == idt["c_hash"] atr = AccessTokenResponse(id_token=idt_jwt, access_token="access_token", token_type="Bearer") atr["code"] = code assert atr.verify(key=jwt_keys)
def test_construct_CheckSessionRequest_2(self): self.client.grant["foo"] = Grant() self.client.grant["foo"].grant_expiration_time = int(time.time() + 60) self.client.grant["foo"].code = "access_code" # Need a proper ID Token self.client.keyjar.add_kb(IDTOKEN["iss"], KC_SYM_S) _sig_key = self.client.keyjar.get_signing_key("oct", IDTOKEN["iss"]) _signed_jwt = IDTOKEN.to_jwt(_sig_key, algorithm="HS256") resp = AccessTokenResponse( id_token=_signed_jwt, access_token="access", scope=["openid"], token_type="bearer", ) assert resp.verify(keyjar=self.client.keyjar) self.client.grant["foo"].tokens.append(Token(resp)) csr = self.client.construct_CheckSessionRequest(state="foo", scope=["openid"]) assert csr["id_token"] == _signed_jwt
def test_token_type(self): # lacks required token_type parameter _info = {"access_token": "accessTok", "id_token": "blabla"} at = AccessTokenResponse(**_info) with pytest.raises(MissingRequiredAttribute): at.verify()
def test_token_type(self): # lacks required token_type parameter _info = {"access_token": "accessTok", "id_token": "blabla"} at = AccessTokenResponse(**_info) with pytest.raises(MissingRequiredAttribute): at.verify()