def test_auth_flow_denied(provider_fixture): app = provider_fixture with app.test_request_context(): redirect_uri = url_for('oauth2test.authorized', _external=True) with app.test_client() as client: # First login on provider site login(client) r = client.get(url_for('oauth2test.login')) assert r.status_code == 302 next_url, data = parse_redirect(r.location) # Authorize page r = client.get(next_url, query_string=data) assert r.status_code == 200 # User rejects request data['confirm'] = 'no' data['scope'] = 'test:scope' data['state'] = '' r = client.post(next_url, data=data) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert next_url == redirect_uri assert data.get('error') == 'access_denied' # Returned r = client.get(next_url, query_string=data) assert r.status_code == 200 assert r.data == b'Access denied: error=access_denied'
def test_auth_flow_denied(provider_fixture): app = provider_fixture with app.test_request_context(): redirect_uri = url_for("oauth2test.authorized", _external=True) with app.test_client() as client: # First login on provider site login(client) r = client.get(url_for("oauth2test.login")) assert r.status_code == 302 next_url, data = parse_redirect(r.location) # Authorize page r = client.get(next_url, query_string=data) assert r.status_code == 200 # User rejects request data["confirm"] = "no" data["scope"] = "test:scope" data["state"] = "" r = client.post(next_url, data=data) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert next_url == redirect_uri assert data.get("error") == "access_denied" # Returned r = client.get(next_url, query_string=data) assert r.status_code == 200 assert r.data == b"Access denied: error=access_denied"
def test_implicit_flow(provider_fixture): app = provider_fixture with app.test_request_context(): redirect_uri = url_for('oauth2test.authorized', _external=True) with app.test_client() as client: # First login on provider site login(client) for client_id in ['dev', 'confidential']: data = dict( redirect_uri=redirect_uri, response_type='token', # For implicit grant type client_id=client_id, scope='test:scope', state='teststate' ) # Authorize page r = client.get(url_for( 'invenio_oauth2server.authorize', **data ), follow_redirects=True) assert r.status_code == 200 # User confirms request data['confirm'] = 'yes' data['scope'] = 'test:scope' data['state'] = 'teststate' r = client.post(url_for('invenio_oauth2server.authorize'), data=data) assert r.status_code == 302 # Important - access token exists in URI fragment and must not # be sent to the client. next_url, data = parse_redirect(r.location, parse_fragment=True) assert data['access_token'] assert data['token_type'] == 'Bearer' assert data['state'] == 'teststate' assert data['scope'] == 'test:scope' assert data.get('refresh_token') is None assert next_url == redirect_uri # Authentication flow has now been completed, and the client # can use the access token to make request to the provider. r = client.get(url_for('invenio_oauth2server.info', access_token=data['access_token'])) assert r.status_code == 200 assert json.loads(r.get_data()).get('client') == client_id assert json.loads(r.get_data()).get('user') == app.user1_id assert json.loads(r.get_data()).get('scopes') \ == [u'test:scope']
def test_implicit_flow(provider_fixture): app = provider_fixture with app.test_request_context(): redirect_uri = url_for('oauth2test.authorized', _external=True) with app.test_client() as client: # First login on provider site login(client) for client_id in ['dev', 'confidential']: data = dict( redirect_uri=redirect_uri, response_type='token', # For implicit grant type client_id=client_id, scope='test:scope', state='teststate' ) # Authorize page r = client.get(url_for( 'invenio_oauth2server.authorize', **data ), follow_redirects=True) assert r.status_code == 200 # User confirms request data['confirm'] = 'yes' data['scope'] = 'test:scope' data['state'] = 'teststate' r = client.post(url_for('invenio_oauth2server.authorize'), data=data) assert r.status_code == 302 # Important - access token exists in URI fragment and must not # be sent to the client. next_url, data = parse_redirect(r.location, parse_fragment=True) assert data['access_token'] assert data['token_type'] == 'Bearer' assert data['state'] == 'teststate' assert data['scope'] == 'test:scope' assert data.get('refresh_token') is None assert next_url == redirect_uri # Authentication flow has now been completed, and the client # can use the access token to make request to the provider. r = client.get(url_for('invenio_oauth2server.info', access_token=data['access_token'])) assert r.status_code == 200 assert json.loads(r.get_data()).get('client') == client_id assert json.loads(r.get_data()).get('user') == app.user1.id assert json.loads(r.get_data()).get('scopes') \ == [u'test:scope']
def test_implicit_flow(provider_fixture): app = provider_fixture with app.test_request_context(): redirect_uri = url_for("oauth2test.authorized", _external=True) with app.test_client() as client: # First login on provider site login(client) for client_id in ["dev", "confidential"]: data = dict( redirect_uri=redirect_uri, response_type="token", # For implicit grant type client_id=client_id, scope="test:scope", state="teststate", ) # Authorize page r = client.get(url_for("invenio_oauth2server.authorize", **data), follow_redirects=True) assert r.status_code == 200 # User confirms request data["confirm"] = "yes" data["scope"] = "test:scope" data["state"] = "teststate" r = client.post(url_for("invenio_oauth2server.authorize"), data=data) assert r.status_code == 302 # Important - access token exists in URI fragment and must not # be sent to the client. next_url, data = parse_redirect(r.location, parse_fragment=True) assert data["access_token"] assert data["token_type"] == "Bearer" assert data["state"] == "teststate" assert data["scope"] == "test:scope" assert data.get("refresh_token") is None assert next_url == redirect_uri # Authentication flow has now been completed, and the client # can use the access token to make request to the provider. r = client.get(url_for("invenio_oauth2server.info", access_token=data["access_token"])) assert r.status_code == 200 assert json.loads(r.get_data()).get("client") == client_id assert json.loads(r.get_data()).get("user") == app.user1_id assert json.loads(r.get_data()).get("scopes") == [u"test:scope"]
def web_auth_flow(provider_fixture): app = provider_fixture # Go to login - should redirect to oauth2 server for login an # authorization with app.app_context(): with app.test_client() as client: r = client.get('/oauth2test/test-ping') # First login on provider site login(client) r = client.get('/oauth2test/login') assert r.status_code == 302 next_url, data = parse_redirect(r.location) # Authorize page r = client.get(next_url, query_string=data) assert r.status_code == 200 # User confirms request data['confirm'] = 'yes' data['scope'] = 'test:scope' data['state'] = '' r = client.post(next_url, data=data) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert next_url == 'http://{0}/oauth2test/authorized'.format( app.config['SERVER_NAME']) assert 'code' in data # User is redirected back to client site. # - The client view /oauth2test/authorized will in the # background fetch the access token. r = client.get(next_url, query_string=data) assert r.status_code == 200 # Authentication flow has now been completed, and the access # token can be used to access protected resources. r = client.get('/oauth2test/test-ping') assert r.status_code == 200 assert json.loads(r.get_data()) == dict(ping='pong') # Authentication flow has now been completed, and the access # token can be used to access protected resources. r = client.get('/oauth2test/test-ping') assert r.status_code == 200 assert json.loads(r.get_data()) == dict(ping='pong') r = client.get('/oauth2test/test-info') assert r.status_code == 200 json_resp = json.loads(r.get_data()) assert json_resp['client'] == 'confidential' assert json_resp['user'] == app.user1_id assert json_resp['scopes'] == [u'test:scope'] # Access token doesn't provide access to this URL. r = client.get( '/oauth2test/test-invalid', base_url='http://{0}'.format(app.config['SERVER_NAME']) ) assert r.status_code == 401 # # Now logout r = client.get('/oauth2test/logout') assert r.status_code == 200 assert r.data == "logout" # And try to access the information again r = client.get('/oauth2test/test-ping') assert r.status_code == 403
def test_refresh_flow(provider_fixture): app = provider_fixture with app.test_request_context(): base_url = 'https://{0}'.format(app.config['SERVER_NAME']) redirect_uri = url_for('oauth2test.authorized', _external=True) with app.test_client() as client: # First login on provider site login(client) data = dict( redirect_uri=redirect_uri, scope='test:scope', response_type='code', client_id='confidential', state='mystate' ) r = client.get(url_for('invenio_oauth2server.authorize', **data)) assert r.status_code == 200 data['confirm'] = 'yes' data['scope'] = 'test:scope' data['state'] = 'mystate' # Obtain one time code r = client.post( url_for('invenio_oauth2server.authorize'), data=data ) r.status_code == 302 next_url, res_data = parse_redirect(r.location) assert res_data['code'] assert res_data['state'] == 'mystate' # Exchange one time code for access token r = client.post( url_for('invenio_oauth2server.access_token'), data=dict( client_id='confidential', client_secret='confidential', grant_type='authorization_code', code=res_data['code'], ) ) assert r.status_code == 200 json_resp = json.loads(r.get_data()) assert json_resp['access_token'] assert json_resp['refresh_token'] assert json_resp['scope'] == 'test:scope' assert json_resp['token_type'] == 'Bearer' refresh_token = json_resp['refresh_token'] old_access_token = json_resp['access_token'] # Access token valid r = client.get(url_for('invenio_oauth2server.info', access_token=old_access_token)) assert r.status_code == 200 # Obtain new access token with refresh token r = client.post( url_for('invenio_oauth2server.access_token'), data=dict( client_id='confidential', client_secret='confidential', grant_type='refresh_token', refresh_token=refresh_token, ) ) r.status_code == 200 json_resp = json.loads(r.get_data()) assert json_resp['access_token'] assert json_resp['refresh_token'] assert json_resp['access_token'] != old_access_token assert json_resp['refresh_token'] != refresh_token assert json_resp['scope'] == 'test:scope' assert json_resp['token_type'] == 'Bearer' # New access token valid r = client.get(url_for('invenio_oauth2server.info', access_token=json_resp['access_token'])) assert r.status_code == 200 # Old access token no longer valid r = client.get(url_for('invenio_oauth2server.info', access_token=old_access_token,), base_url=base_url) assert r.status_code == 401
def test_expired_refresh_flow(provider_fixture): """Test refresh flow with an expired token.""" app = provider_fixture # First login on provider site with app.test_request_context(): with app.test_client() as client: login(client) data = dict( redirect_uri=url_for('oauth2test.authorized', _external=True), scope='test:scope', response_type='code', client_id='confidential', state='mystate' ) r = client.get(url_for('invenio_oauth2server.authorize', **data)) assert r.status_code == 200 data['confirm'] = 'yes' data['scope'] = 'test:scope' data['state'] = 'mystate' # Obtain one time code r = client.post( url_for('invenio_oauth2server.authorize'), data=data ) assert r.status_code == 302 next_url, res_data = parse_redirect(r.location) assert res_data['code'] assert res_data['state'] == 'mystate' # Exchange one time code for access token r = client.post( url_for('invenio_oauth2server.access_token'), data=dict( client_id='confidential', client_secret='confidential', grant_type='authorization_code', code=res_data['code'], ) ) assert r.status_code == 200 assert json.loads(r.get_data())['access_token'] assert json.loads(r.get_data())['refresh_token'] assert json.loads(r.get_data())['expires_in'] > 0 assert json.loads(r.get_data())['scope'] == 'test:scope' assert json.loads(r.get_data())['token_type'] == 'Bearer' assert json.loads(r.get_data())['user']['id'] refresh_token = json.loads(r.get_data())['refresh_token'] old_access_token = json.loads(r.get_data())['access_token'] # Access token valid r = client.get(url_for('invenio_oauth2server.info', access_token=old_access_token)) assert r.status_code == 200 Token.query.filter_by(access_token=old_access_token).update( dict(expires=datetime.utcnow() - timedelta(seconds=1)) ) db.session.commit() # Access token is expired r = client.get(url_for('invenio_oauth2server.info', access_token=old_access_token)) assert r.status_code == 401 # Obtain new access token with refresh token r = client.post( url_for('invenio_oauth2server.access_token'), data=dict( client_id='confidential', client_secret='confidential', grant_type='refresh_token', refresh_token=refresh_token, ) ) assert r.status_code == 200 resp_json = json.loads(r.get_data()) assert resp_json['access_token'] assert resp_json['refresh_token'] assert resp_json['expires_in'] > 0 assert resp_json['access_token'] != old_access_token assert resp_json['refresh_token'] != refresh_token assert resp_json['scope'] == 'test:scope' assert resp_json['token_type'] == 'Bearer' assert resp_json['user']['id'] # New access token valid r = client.get(url_for('invenio_oauth2server.info', access_token=resp_json['access_token'])) assert r.status_code == 200 # Old access token no longer valid r = client.get(url_for('invenio_oauth2server.info', access_token=old_access_token)) assert r.status_code == 401
def test_not_allowed_public_refresh_flow(expiration_fixture): """Public token should not allow refreshing.""" app = expiration_fixture # First login on provider site with app.test_request_context(): with app.test_client() as client: login(client) data = dict( redirect_uri=url_for("oauth2test.authorized", _external=True), scope="test:scope", response_type="code", client_id="dev", state="mystate", ) r = client.get(url_for("invenio_oauth2server.authorize", **data)) assert r.status_code == 200 data["confirm"] = "yes" data["scope"] = "test:scope" data["state"] = "mystate" # Obtain one time code r = client.post(url_for("invenio_oauth2server.authorize"), data=data) assert r.status_code == 302 next_url, res_data = parse_redirect(r.location) assert res_data["code"] assert res_data["state"] == "mystate" # Exchange one time code for access token r = client.post( url_for("invenio_oauth2server.access_token"), data=dict(client_id="dev", client_secret="dev", grant_type="authorization_code", code=res_data["code"]), ) assert r.status_code == 200 json_resp = json.loads(r.get_data()) assert json_resp["access_token"] assert json_resp["refresh_token"] assert json_resp["expires_in"] > 0 assert json_resp["scope"] == "test:scope" assert json_resp["token_type"] == "Bearer" refresh_token = json_resp["refresh_token"] old_access_token = json_resp["access_token"] # Access token valid r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token)) assert r.status_code == 200 Token.query.filter_by(access_token=old_access_token).update( dict(expires=datetime.utcnow() - timedelta(seconds=1)) ) db.session.commit() # Access token is expired r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token), follow_redirects=True) assert r.status_code == 401 # Obtain new access token with refresh token r = client.post( url_for("invenio_oauth2server.access_token"), data=dict( client_id="dev", client_secret="dev", grant_type="refresh_token", refresh_token=refresh_token ), follow_redirects=True, ) # Only confidential clients can refresh expired token. assert r.status_code == 401
def web_auth_flow(provider_fixture): app = provider_fixture # Go to login - should redirect to oauth2 server for login an # authorization with app.app_context(): with app.test_client() as client: r = client.get('/oauth2test/test-ping') # First login on provider site login(client) r = client.get('/oauth2test/login') assert r.status_code == 302 next_url, data = parse_redirect(r.location) # Authorize page r = client.get(next_url, query_string=data) assert r.status_code == 200 # User confirms request data['confirm'] = 'yes' data['scope'] = 'test:scope' data['state'] = '' r = client.post(next_url, data=data) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert next_url == 'http://{0}/oauth2test/authorized'.format( app.config['SERVER_NAME']) assert 'code' in data # User is redirected back to client site. # - The client view /oauth2test/authorized will in the # background fetch the access token. r = client.get(next_url, query_string=data) assert r.status_code == 200 # Authentication flow has now been completed, and the access # token can be used to access protected resources. r = client.get('/oauth2test/test-ping') assert r.status_code == 200 assert json.loads(r.get_data()) == dict(ping='pong') # Authentication flow has now been completed, and the access # token can be used to access protected resources. r = client.get('/oauth2test/test-ping') assert r.status_code == 200 assert json.loads(r.get_data()) == dict(ping='pong') r = client.get('/oauth2test/test-info') assert r.status_code == 200 json_resp = json.loads(r.get_data()) assert json_resp['client'] == 'confidential' assert json_resp['user'] == app.user1.id assert json_resp['scopes'] == [u'test:scope'] # Access token doesn't provide access to this URL. r = client.get( '/oauth2test/test-invalid', base_url='http://{0}'.format(app.config['SERVER_NAME']) ) assert r.status_code == 401 # # Now logout r = client.get('/oauth2test/logout') assert r.status_code == 200 assert r.data == "logout" # And try to access the information again r = client.get('/oauth2test/test-ping') assert r.status_code == 403
def web_auth_flow(provider_fixture): app = provider_fixture # Go to login - should redirect to oauth2 server for login an # authorization with app.app_context(): with app.test_client() as client: r = client.get("/oauth2test/test-ping") # First login on provider site login(client) r = client.get("/oauth2test/login") assert r.status_code == 302 next_url, data = parse_redirect(r.location) # Authorize page r = client.get(next_url, query_string=data) assert r.status_code == 200 # User confirms request data["confirm"] = "yes" data["scope"] = "test:scope" data["state"] = "" r = client.post(next_url, data=data) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert next_url == "http://{0}/oauth2test/authorized".format(app.config["SERVER_NAME"]) assert "code" in data # User is redirected back to client site. # - The client view /oauth2test/authorized will in the # background fetch the access token. r = client.get(next_url, query_string=data) assert r.status_code == 200 # Authentication flow has now been completed, and the access # token can be used to access protected resources. r = client.get("/oauth2test/test-ping") assert r.status_code == 200 assert json.loads(r.get_data()) == dict(ping="pong") # Authentication flow has now been completed, and the access # token can be used to access protected resources. r = client.get("/oauth2test/test-ping") assert r.status_code == 200 assert json.loads(r.get_data()) == dict(ping="pong") r = client.get("/oauth2test/test-info") assert r.status_code == 200 json_resp = json.loads(r.get_data()) assert json_resp["client"] == "confidential" assert json_resp["user"] == app.user1_id assert json_resp["scopes"] == [u"test:scope"] # Access token doesn't provide access to this URL. r = client.get("/oauth2test/test-invalid", base_url="http://{0}".format(app.config["SERVER_NAME"])) assert r.status_code == 401 # # Now logout r = client.get("/oauth2test/logout") assert r.status_code == 200 assert r.data == "logout" # And try to access the information again r = client.get("/oauth2test/test-ping") assert r.status_code == 403
def test_refresh_flow(provider_fixture): app = provider_fixture with app.test_request_context(): base_url = "https://{0}".format(app.config["SERVER_NAME"]) redirect_uri = url_for("oauth2test.authorized", _external=True) with app.test_client() as client: # First login on provider site login(client) data = dict( redirect_uri=redirect_uri, scope="test:scope", response_type="code", client_id="confidential", state="mystate", ) r = client.get(url_for("invenio_oauth2server.authorize", **data)) assert r.status_code == 200 data["confirm"] = "yes" data["scope"] = "test:scope" data["state"] = "mystate" # Obtain one time code r = client.post(url_for("invenio_oauth2server.authorize"), data=data) r.status_code == 302 next_url, res_data = parse_redirect(r.location) assert res_data["code"] assert res_data["state"] == "mystate" # Exchange one time code for access token r = client.post( url_for("invenio_oauth2server.access_token"), data=dict( client_id="confidential", client_secret="confidential", grant_type="authorization_code", code=res_data["code"], ), ) assert r.status_code == 200 json_resp = json.loads(r.get_data()) assert json_resp["access_token"] assert json_resp["refresh_token"] assert json_resp["scope"] == "test:scope" assert json_resp["token_type"] == "Bearer" refresh_token = json_resp["refresh_token"] old_access_token = json_resp["access_token"] # Access token valid r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token)) assert r.status_code == 200 # Obtain new access token with refresh token r = client.post( url_for("invenio_oauth2server.access_token"), data=dict( client_id="confidential", client_secret="confidential", grant_type="refresh_token", refresh_token=refresh_token, ), ) r.status_code == 200 json_resp = json.loads(r.get_data()) assert json_resp["access_token"] assert json_resp["refresh_token"] assert json_resp["access_token"] != old_access_token assert json_resp["refresh_token"] != refresh_token assert json_resp["scope"] == "test:scope" assert json_resp["token_type"] == "Bearer" # New access token valid r = client.get(url_for("invenio_oauth2server.info", access_token=json_resp["access_token"])) assert r.status_code == 200 # Old access token no longer valid r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token), base_url=base_url) assert r.status_code == 401
def test_invalid_authorize_requests(provider_fixture): app = provider_fixture # First login on provider site with app.test_request_context(): redirect_uri = url_for('oauth2test.authorized', _external=True) with app.test_client() as client: login(client) for client_id in ['dev', 'confidential']: scope = 'test:scope' response_type = 'code' error_url = url_for('invenio_oauth2server.errors') # Valid request authorize request r = client.get( url_for('invenio_oauth2server.authorize'), data={ 'redirect_uri': redirect_uri, 'scope': scope, 'response_type': response_type, 'client_id': client_id, }) assert r.status_code == 200 # Invalid scope r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri=redirect_uri, scope='INVALID', response_type=response_type, client_id=client_id, )) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'invalid_scope' assert next_url == redirect_uri # Invalid response type r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri=redirect_uri, scope=scope, response_type='invalid', client_id=client_id, )) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'unauthorized_client' assert next_url == redirect_uri # Missing response_type r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri=redirect_uri, scope=scope, client_id=client_id, )) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'invalid_request' assert next_url == redirect_uri # Duplicate parameter r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri=redirect_uri, scope=scope, response_type='invalid', client_id=client_id, ) + "&client_id={0}".format(client_id)) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'invalid_request' assert next_url == redirect_uri # Invalid client_id r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri=redirect_uri, scope=scope, response_type=response_type, client_id='invalid', )) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'invalid_client_id' assert error_url in next_url r = client.get(next_url, query_string=data) assert 'invalid_client_id' in str(r.data) # Invalid redirect uri r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri='http://localhost/', scope=scope, response_type=response_type, client_id=client_id, )) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'mismatching_redirect_uri' assert error_url in next_url
def test_invalid_authorize_requests(provider_fixture): app = provider_fixture # First login on provider site with app.test_request_context(): redirect_uri = url_for('oauth2test.authorized', _external=True) with app.test_client() as client: login(client) for client_id in ['dev', 'confidential']: scope = 'test:scope' response_type = 'code' error_url = url_for('invenio_oauth2server.errors', _external=True) # Valid request authorize request r = client.get( url_for('invenio_oauth2server.authorize'), data={ 'redirect_uri': redirect_uri, 'scope': scope, 'response_type': response_type, 'client_id': client_id, }) assert r.status_code == 200 # Invalid scope r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri=redirect_uri, scope='INVALID', response_type=response_type, client_id=client_id, )) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'invalid_scope' assert next_url == redirect_uri # Invalid response type r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri=redirect_uri, scope=scope, response_type='invalid', client_id=client_id, )) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'unsupported_response_type' assert next_url == redirect_uri # Missing response_type r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri=redirect_uri, scope=scope, client_id=client_id, )) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'invalid_request' assert next_url == redirect_uri # Duplicate parameter r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri=redirect_uri, scope=scope, response_type='invalid', client_id=client_id, ) + "&client_id={0}".format(client_id)) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'invalid_request' assert next_url == error_url # Invalid client_id r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri=redirect_uri, scope=scope, response_type=response_type, client_id='invalid', )) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'invalid_request' assert error_url in next_url r = client.get(next_url, query_string=data) assert 'invalid_request' in str(r.data) # Invalid redirect uri r = client.get(url_for( 'invenio_oauth2server.authorize', redirect_uri='http://localhost/', scope=scope, response_type=response_type, client_id=client_id, )) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data['error'] == 'invalid_request' assert error_url in next_url
def test_invalid_authorize_requests(provider_fixture): app = provider_fixture # First login on provider site with app.test_request_context(): redirect_uri = url_for("oauth2test.authorized", _external=True) with app.test_client() as client: login(client) for client_id in ["dev", "confidential"]: scope = "test:scope" response_type = "code" error_url = url_for("invenio_oauth2server.errors", _external=True) # Valid request authorize request r = client.get( url_for("invenio_oauth2server.authorize"), data={ "redirect_uri": redirect_uri, "scope": scope, "response_type": response_type, "client_id": client_id, }, ) assert r.status_code == 200 # Invalid scope r = client.get( url_for( "invenio_oauth2server.authorize", redirect_uri=redirect_uri, scope="INVALID", response_type=response_type, client_id=client_id, ) ) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data["error"] == "invalid_scope" assert next_url == redirect_uri # Invalid response type r = client.get( url_for( "invenio_oauth2server.authorize", redirect_uri=redirect_uri, scope=scope, response_type="invalid", client_id=client_id, ) ) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data["error"] == "unsupported_response_type" assert next_url == redirect_uri # Missing response_type r = client.get( url_for( "invenio_oauth2server.authorize", redirect_uri=redirect_uri, scope=scope, client_id=client_id ) ) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data["error"] == "invalid_request" assert next_url == redirect_uri # Duplicate parameter r = client.get( url_for( "invenio_oauth2server.authorize", redirect_uri=redirect_uri, scope=scope, response_type="invalid", client_id=client_id, ) + "&client_id={0}".format(client_id) ) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data["error"] == "invalid_request" assert next_url == error_url # Invalid client_id r = client.get( url_for( "invenio_oauth2server.authorize", redirect_uri=redirect_uri, scope=scope, response_type=response_type, client_id="invalid", ) ) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data["error"] == "invalid_request" assert error_url in next_url r = client.get(next_url, query_string=data) assert "invalid_request" in str(r.data) # Invalid redirect uri r = client.get( url_for( "invenio_oauth2server.authorize", redirect_uri="http://localhost/", scope=scope, response_type=response_type, client_id=client_id, ) ) assert r.status_code == 302 next_url, data = parse_redirect(r.location) assert data["error"] == "invalid_request" assert error_url in next_url
def test_not_allowed_public_refresh_flow(expiration_fixture): """Public token should not allow refreshing.""" app = expiration_fixture # First login on provider site with app.test_request_context(): with app.test_client() as client: login(client) data = dict( redirect_uri=url_for('oauth2test.authorized', _external=True), scope='test:scope', response_type='code', client_id='dev', state='mystate' ) r = client.get(url_for('invenio_oauth2server.authorize', **data)) assert r.status_code == 200 data['confirm'] = 'yes' data['scope'] = 'test:scope' data['state'] = 'mystate' # Obtain one time code r = client.post( url_for('invenio_oauth2server.authorize'), data=data ) assert r.status_code == 302 next_url, res_data = parse_redirect(r.location) assert res_data['code'] assert res_data['state'] == 'mystate' # Exchange one time code for access token r = client.post( url_for('invenio_oauth2server.access_token'), data=dict( client_id='dev', client_secret='dev', grant_type='authorization_code', code=res_data['code'], ) ) assert r.status_code == 200 json_resp = json.loads(r.get_data()) assert json_resp['access_token'] assert json_resp['refresh_token'] assert json_resp['expires_in'] > 0 assert json_resp['scope'] == 'test:scope' assert json_resp['token_type'] == 'Bearer' refresh_token = json_resp['refresh_token'] old_access_token = json_resp['access_token'] # Access token valid r = client.get(url_for('invenio_oauth2server.info', access_token=old_access_token)) assert r.status_code == 200 Token.query.filter_by(access_token=old_access_token).update( dict(expires=datetime.utcnow() - timedelta(seconds=1)) ) db.session.commit() # Access token is expired r = client.get(url_for('invenio_oauth2server.info', access_token=old_access_token), follow_redirects=True) assert r.status_code == 401 # Obtain new access token with refresh token r = client.post( url_for('invenio_oauth2server.access_token'), data=dict( client_id='dev', client_secret='dev', grant_type='refresh_token', refresh_token=refresh_token, ), follow_redirects=True ) # Only confidential clients can refresh expired token. assert r.status_code == 401