def test_no_sub_or_sid(self):
    """A logout token carrying neither ``sub`` nor ``sid`` must not verify.

    Without either claim the receiver cannot tell which subject or session
    the logout refers to, so ``verify()`` is expected to raise ``ValueError``.
    """
    claims = {
        "iss": "https://example.com",
        "aud": ["https://rp.example.org"],
        "events": {BACK_CHANNEL_LOGOUT_EVENT: {}},
        "iat": utc_time_sans_frac(),
        "jti": rndstr(16),
        # Deliberately no "sub" and no "sid".
    }
    token = LogoutToken(**claims)

    with pytest.raises(ValueError):
        token.verify()
def test_with_sid(self):
    """A logout token identified only by a session ID (``sid``) verifies.

    ``sub`` is absent here; the session identifier alone is enough for
    ``verify()`` to return a truthy result.
    """
    claims = {
        "iss": "https://example.com",
        "aud": ["https://rp.example.org"],
        "events": {BACK_CHANNEL_LOGOUT_EVENT: {}},
        "iat": utc_time_sans_frac(),
        "jti": rndstr(16),
        "sid": rndstr(),
    }
    token = LogoutToken(**claims)

    verified = token.verify()
    assert verified
def test_wrong_iss(self):
    """Verification fails when the caller's issuer differs from the token's ``iss``.

    The token is issued by ``https://example.com`` while ``verify()`` is
    called with ``iss="https://rp.example.org"``; the mismatch is expected
    to surface as ``NotForMe``.
    """
    claims = {
        "iss": "https://example.com",
        "aud": ["https://rp.example.org"],
        "events": {BACK_CHANNEL_LOGOUT_EVENT: {}},
        "iat": utc_time_sans_frac(),
        "jti": rndstr(16),
        "sub": "https://example.com/sub",
    }
    token = LogoutToken(**claims)

    # Presumably the ``iss`` keyword is the issuer the verifier expects;
    # it does not match the claim above, so the token must be refused.
    with pytest.raises(NotForMe):
        token.verify(iss="https://rp.example.org")
def test_wrong_event(self):
    """A token whose only event is not the back-channel logout event is rejected.

    ``events`` holds a single, unrelated event URI, so ``verify()`` is
    expected to raise ``ValueError``.
    """
    # NOTE(review): the trailing "}" inside the URI looks like a typo. The
    # test only needs a key different from BACK_CHANNEL_LOGOUT_EVENT, so it
    # is kept exactly as written.
    claims = {
        "iss": "https://example.com",
        "aud": ["https://rp.example.org"],
        "events": {"http://schemas.openid.net/event/other}": {}},
        "jti": rndstr(16),
        "iat": utc_time_sans_frac(),
        "sub": "https://example.com/sub",
    }
    token = LogoutToken(**claims)

    with pytest.raises(ValueError):
        token.verify()
def test_with_nonce(self):
    """A logout token that carries a ``nonce`` claim must be rejected.

    The OpenID Connect Back-Channel Logout specification prohibits ``nonce``
    in a Logout Token so that such a token cannot be passed off as an ID
    Token in an authentication response. ``verify()`` is expected to raise
    ``MessageException``.
    """
    claims = {
        "iss": "https://example.com",
        "aud": ["https://rp.example.org"],
        "events": {BACK_CHANNEL_LOGOUT_EVENT: {}},
        "iat": utc_time_sans_frac(),
        "jti": rndstr(16),
        "nonce": rndstr(16),
    }
    token = LogoutToken(**claims)

    with pytest.raises(MessageException):
        token.verify()
def test_with_sub(self):
    """A logout token with every required claim and a ``sub`` verifies.

    A logout token needs a ``sub``, a ``sid``, or both; this case supplies
    only ``sub`` and expects ``verify()`` to return a truthy result.
    """
    claims = {
        "iss": "https://example.com",
        "aud": ["https://rp.example.org"],
        "events": {BACK_CHANNEL_LOGOUT_EVENT: {}},
        "iat": utc_time_sans_frac(),
        "jti": rndstr(16),
        "sub": "https://example.com/sub",
    }
    token = LogoutToken(**claims)

    verified = token.verify()
    assert verified
def test_wrong_event_content(self):
    """The back-channel logout event must not carry unexpected members.

    The event key is correct, but its value is ``{"foo": "bar"}`` instead of
    an empty object; ``verify()`` is expected to raise ``ValueError``.
    """
    claims = {
        "iss": "https://example.com",
        "aud": ["https://rp.example.org"],
        "events": {BACK_CHANNEL_LOGOUT_EVENT: {"foo": "bar"}},
        "jti": rndstr(16),
        "iat": utc_time_sans_frac(),
        "sub": "https://example.com/sub",
    }
    token = LogoutToken(**claims)

    with pytest.raises(ValueError):
        token.verify()
def test_wrong_iat(self):
    """A logout token issued in the future must not verify.

    ``iat`` is set 86400 seconds (one day) ahead of the current time, and
    ``verify()`` is expected to raise ``ValueError``.
    """
    one_day_ahead = utc_time_sans_frac() + 86400
    claims = {
        "iss": "https://example.com",
        "aud": ["https://rp.example.org"],
        "events": {BACK_CHANNEL_LOGOUT_EVENT: {}},
        "iat": one_day_ahead,
        "jti": rndstr(16),
        "sub": "https://example.com/sub",
    }
    token = LogoutToken(**claims)

    with pytest.raises(ValueError):
        token.verify()
def test_bogus_logout_token(self):
    """A correctly signed logout token with invalid claims is still rejected.

    The token is signed and verified with the same key, so the signature
    itself is good; the prohibited ``nonce`` claim is what makes the
    request-level ``verify()`` raise ``MessageException``. A valid signature
    alone must not be enough to accept a back-channel logout request.
    """
    claims = {
        "iss": "https://example.com",
        "aud": ["https://rp.example.org"],
        "events": {BACK_CHANNEL_LOGOUT_EVENT: {}},
        "iat": utc_time_sans_frac(),
        "jti": rndstr(16),
        "nonce": rndstr(16),
    }
    token = LogoutToken(**claims)
    signed_jwt = token.to_jwt(key=self.key, algorithm="HS256")

    # Wrap the signed token in the request the RP would receive.
    request = BackChannelLogoutRequest(logout_token=signed_jwt)

    with pytest.raises(MessageException):
        request.verify(key=self.key)
def setup(self):
    """Prepare a symmetric signing key and a valid, HS256-signed logout token.

    Sets ``self.kj`` (the key jar), ``self.key`` (its "oct" signing key) and
    ``self.signed_jwt`` (a logout token with all required claims and a ``sub``).
    """
    # NOTE(review): pytest 8 removed support for nose-style ``setup`` methods;
    # if the project moves to pytest >= 8 this has to become ``setup_method``.
    # Confirm against the pinned pytest version.

    # Fixed symmetric secret used only as a test fixture.
    keyjar = KeyJar()
    keyjar.add_symmetric("", "dYMmrcQksKaPkhdgRNYk3zzh5l7ewdDJ", ["sig"])
    self.kj = keyjar
    self.key = keyjar.get_signing_key("oct")

    claims = {
        "iss": "https://example.com",
        "aud": ["https://rp.example.org"],
        "events": {BACK_CHANNEL_LOGOUT_EVENT: {}},
        "iat": utc_time_sans_frac(),
        "jti": rndstr(16),
        "sub": "https://example.com/sub",
    }
    token = LogoutToken(**claims)
    self.signed_jwt = token.to_jwt(key=self.key, algorithm="HS256")
def test_extra_event(self):
    """A logout token listing more than one event must not verify.

    ``events`` holds the back-channel logout event plus a second, unrelated
    event; ``verify()`` is expected to raise ``ValueError``.
    """
    # NOTE(review): the trailing "}" in the second event URI looks like a
    # typo; it is kept exactly as written.
    reported_events = {
        BACK_CHANNEL_LOGOUT_EVENT: {},
        "http://schemas.openid.net/event/other}": {},
    }
    claims = {
        "iss": "https://example.com",
        "aud": ["https://rp.example.org"],
        "events": reported_events,
        "jti": rndstr(16),
        "iat": utc_time_sans_frac(),
        "sub": "https://example.com/sub",
    }
    token = LogoutToken(**claims)

    with pytest.raises(ValueError):
        token.verify()
def test_logout_with_none(self):
    """The RP refuses a back-channel logout whose token names no subject or session.

    The logout token is built with only the ``events`` claim (no ``sub``, no
    ``sid``), signed by the provider with RS256 and sent to the consumer,
    which is expected to raise ``MessageException``.
    """
    # OP side: assemble the logout claims and sign them with the provider's keys.
    logout_claims = LogoutToken(events={BACK_CHANNEL_LOGOUT_EVENT: {}})
    signer = JWT(
        self.provider.keyjar,
        iss=self.provider.baseurl,
        lifetime=86400,
        sign_alg="RS256",
    )
    logout_token = signer.pack(aud=CLIENT_ID, **logout_claims)

    # This is the logout request as it is delivered to the RP.
    request = BackChannelLogoutRequest(logout_token=logout_token)
    request_args = request.to_dict()

    # RP side: a successful evaluation would return a session ID (== the
    # original state value); here the request must be rejected instead.
    with pytest.raises(MessageException):
        self.consumer.backchannel_logout(request_args=request_args)