async def test_issue_token(tmp_path: Path, factory: ComponentFactory) -> None:
    """Issued OIDC tokens carry exactly the expected claim set and lifetime.

    The claim dict is compared for equality, so any claim the issuer adds
    that is not derived from the session token or the ``issuer`` config
    fails the test.  ``iat`` must be "now" and ``exp`` must be
    ``exp_minutes`` later; both are checked within a five-second tolerance
    to absorb test-run latency.
    """
    cfg = await configure(tmp_path, "oidc")
    factory.reconfigure(cfg)
    issuer = factory.create_token_issuer()
    session = await create_session_token(factory)
    issued = issuer.issue_token(session, jti="new-jti", scope="openid")

    # Timestamps are pinned separately below; ANY only makes the equality
    # comparison ignore their exact values.
    expected_claims = {
        "aud": cfg.issuer.aud,
        "exp": ANY,
        "iat": ANY,
        "iss": cfg.issuer.iss,
        "jti": "new-jti",
        "name": session.name,
        "preferred_username": session.username,
        "scope": "openid",
        "sub": session.username,
        cfg.issuer.username_claim: session.username,
        cfg.issuer.uid_claim: session.uid,
    }
    assert issued.claims == expected_claims

    tolerance = 5

    def within(value: float, center: float) -> bool:
        # Inclusive window of +/- tolerance seconds around center.
        return center - tolerance <= value <= center + tolerance

    reference = time.time()
    lifetime = cfg.issuer.exp_minutes * 60
    assert within(issued.claims["iat"], reference)
    assert within(issued.claims["exp"], reference + lifetime)
async def test_userinfo(client: AsyncClient, factory: ComponentFactory) -> None:
    """A valid ``Bearer`` token on /auth/userinfo returns the token's claims.

    The response body is compared for equality with the issued token's
    claim dict, so the endpoint may neither drop nor add claims.
    """
    session = await create_session_token(factory)
    issuer = factory.create_token_issuer()
    issued = issuer.issue_token(session, jti="some-jti")

    # Canonical form: scheme name, single space, encoded token.
    headers = {"Authorization": f"Bearer {issued.encoded}"}
    response = await client.get("/auth/userinfo", headers=headers)

    assert response.status_code == 200
    assert response.json() == issued.claims
async def test_invalid(
    client: AsyncClient,
    config: Config,
    factory: ComponentFactory,
    caplog: LogCaptureFixture,
) -> None:
    """Malformed or unverifiable bearer credentials are rejected by /auth/userinfo.

    Three failure modes are exercised.  Each must answer with a
    ``WWW-Authenticate: Bearer`` challenge carrying the configured realm:

    * an unsupported authorization scheme (``token ...``): 400,
      ``invalid_request``, logged as "Invalid request";
    * a syntactically broken header (``bearer`` with no space before the
      credential): 400, ``invalid_request``;
    * a well-formed header whose token does not verify: 401,
      ``invalid_token``, logged as "Invalid token" with the token source.

    The 400/401 split follows RFC 6750, which reserves ``invalid_token``
    for a credential that was parsed but failed validation.
    """
    session = await create_session_token(factory)
    issuer = factory.create_token_issuer()
    encoded = issuer.issue_token(session, jti="some-jti").encoded

    def challenge_for(response, error: AuthError) -> AuthErrorChallenge:
        # Common shape of every rejection: a Bearer challenge for our realm
        # with the expected RFC 6750 error code.
        parsed = parse_www_authenticate(response.headers["WWW-Authenticate"])
        assert isinstance(parsed, AuthErrorChallenge)
        assert parsed.auth_type == AuthType.Bearer
        assert parsed.realm == config.realm
        assert parsed.error == error
        return parsed

    async def userinfo(authorization: str):
        return await client.get(
            "/auth/userinfo", headers={"Authorization": authorization}
        )

    expected_request = {
        "requestMethod": "GET",
        "requestUrl": f"https://{TEST_HOSTNAME}/auth/userinfo",
        "remoteIp": "127.0.0.1",
    }

    # Case 1: wrong authorization scheme.
    caplog.clear()
    response = await userinfo(f"token {encoded}")
    assert response.status_code == 400
    challenge = challenge_for(response, AuthError.invalid_request)
    assert challenge.error_description == "Unknown Authorization type token"
    assert parse_log(caplog) == [
        {
            "error": "Unknown Authorization type token",
            "event": "Invalid request",
            "httpRequest": expected_request,
            "severity": "warning",
        }
    ]

    # Case 2: scheme and credential run together with no separating space.
    # NOTE(review): the log line for this case is not asserted.
    response = await userinfo(f"bearer{encoded}")
    assert response.status_code == 400
    challenge = challenge_for(response, AuthError.invalid_request)
    assert challenge.error_description == "Malformed Authorization header"

    # Case 3: well-formed header, but the token itself is garbage.
    caplog.clear()
    response = await userinfo(f"bearer XXX{encoded}")
    assert response.status_code == 401
    challenge = challenge_for(response, AuthError.invalid_token)
    # Only presence is required; the exact wording is not pinned.
    assert challenge.error_description
    assert parse_log(caplog) == [
        {
            "error": ANY,
            "event": "Invalid token",
            "httpRequest": expected_request,
            "severity": "warning",
            "token_source": "bearer",
        }
    ]