def test_no_key_raises_invalid_token(rf):
    """
    A missing verification key must be rejected with InvalidTokenSignature.

    ``_jwks`` is patched to return ``None``, i.e. no key is available for the
    signature check. The validator is expected to fail closed instead of
    accepting a token it could not verify.
    """
    id_token = build_id_token()
    config = Config()
    missing_key = Mock(return_value=None)
    with patch("okta_oauth2.tokens.TokenValidator._jwks", missing_key):
        # NOTE(review): the constructor also runs inside pytest.raises, so an
        # InvalidTokenSignature raised there would satisfy this test too.
        with pytest.raises(InvalidTokenSignature):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_wrong_key_raises_invalid_token(rf):
    """
    A token checked against the wrong key must raise InvalidTokenSignature.

    ``_jwks`` is patched to hand back ``"wrongkey"``.
    """
    id_token = build_id_token()
    config = Config()
    # presumably build_id_token signs with a different key than "wrongkey",
    # so the signature cannot verify; confirm against the helper.
    mismatched_key = Mock(return_value="wrongkey")
    with patch("okta_oauth2.tokens.TokenValidator._jwks", mismatched_key):
        with pytest.raises(InvalidTokenSignature):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_unmatching_nonce_raises_error(rf):
    """
    A token whose nonce differs from the expected one raises NonceDoesNotMatch.

    The validator is built with ``"defaultnonce"`` while the token carries
    ``"wrong-nonce"``. The nonce check is what ties an ID token to the login
    request that asked for it, so a mismatch has to be rejected.
    """
    id_token = build_id_token(nonce="wrong-nonce")
    config = Config()

    signing_key = Mock(return_value="secret")
    with patch("okta_oauth2.tokens.TokenValidator._jwks", signing_key):
        with pytest.raises(NonceDoesNotMatch):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_expired_token_raises_error(rf):
    """
    A token whose ``exp`` claim lies in the past must raise TokenExpired.
    """
    # One hour back: clearly expired. The boundary around "now" (and any
    # clock-skew leeway the validator may apply) is not exercised here.
    expired_at = now().timestamp() - 3600
    id_token = build_id_token(exp=expired_at)
    config = Config()

    signing_key = Mock(return_value="secret")
    with patch("okta_oauth2.tokens.TokenValidator._jwks", signing_key):
        with pytest.raises(TokenExpired):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_invalid_audience_in_decoded_token(rf):
    """
    An ``aud`` claim that is not our client id must raise InvalidClientID.

    Rejecting a foreign audience keeps a token issued for another client
    from being accepted here.
    """
    id_token = build_id_token(aud="invalid-aud")
    config = Config()

    signing_key = Mock(return_value="secret")
    with patch("okta_oauth2.tokens.TokenValidator._jwks", signing_key):
        with pytest.raises(InvalidClientID):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_invalid_issuer_in_decoded_token(rf):
    """
    An ``iss`` claim that does not match ours must raise IssuerDoesNotMatch.
    """
    id_token = build_id_token(iss="invalid-issuer")
    config = Config()

    # presumably the expected issuer comes from Config; verify in the validator.
    signing_key = Mock(return_value="secret")
    with patch("okta_oauth2.tokens.TokenValidator._jwks", signing_key):
        with pytest.raises(IssuerDoesNotMatch):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_issue_time_is_too_far_in_the_past_raises_error(rf):
    """
    A token issued too long ago (more than about 24 hours) must raise
    TokenTooFarAway.
    """
    # 200000 seconds is roughly 2.3 days, comfortably past the ~24 hour
    # limit; the threshold itself is not probed by this test.
    issued_at = now().timestamp() - 200000
    id_token = build_id_token(iat=issued_at)
    config = Config()

    signing_key = Mock(return_value="secret")
    with patch("okta_oauth2.tokens.TokenValidator._jwks", signing_key):
        with pytest.raises(TokenTooFarAway):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_validate_token_successfully_validates(rf):
    """ A well-formed token is accepted and its decoded claims are returned. """
    id_token = build_id_token()
    config = Config()
    # presumably "secret" is the key build_id_token signs with; confirm there.
    signing_key = Mock(return_value="secret")
    with patch("okta_oauth2.tokens.TokenValidator._jwks", signing_key):
        request = rf.get("/")
        validator = TokenValidator(config, "defaultnonce", request)
        claims = validator.validate_token(id_token)
        # Only the jti claim is checked; other claims are not asserted here.
        assert claims["jti"] == "randomid"