def test_token_endpoint_unauth(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client_1") _sdb = self.server.sdb sid = _sdb.token.key(user="******", areq=authreq) access_grant = _sdb.token(sid=sid) ae = AuthnEvent("user") _sdb[sid] = { "authn_event": ae, "oauth_state": "authz", "authzreq": "", "client_id": "client_1", "code": access_grant, "code_used": False, "scope": ["openid"], "redirect_uri": "http://example.com/authz" } _sdb.do_sub(sid) # Construct Access token request areq = AccessTokenRequest(code=access_grant, redirect_uri="http://example.com/authz", client_id="client_1", client_secret="secret", ) print areq.to_dict() txt = areq.to_urlencoded() resp = self.server.token_endpoint(request=txt, remote_user="******", request_method="POST") print resp atr = TokenErrorResponse().deserialize(resp.message, "json") print atr.keys() assert _eq(atr.keys(), ['error'])
def token_endpoint(self, environ, start_response, **kwargs): """ This is where clients come to get their access tokens """ _log_info = logger.info _log_debug = logger.debug _sdb = self.sdb _log_debug("- token -") try: body = kwargs["query"] except KeyError: body = get_post(environ) if self.test_mode: _log_info("token_request: %s" % body) areq = AccessTokenRequest().deserialize(body, "urlencoded") if not self.verify_client(environ, areq): _log_info("could not verify client") err = TokenErrorResponse(error="unathorized_client") resp = Unauthorized(err.to_json(), content="application/json") return resp(environ, start_response) _log_debug("AccessTokenRequest: %s" % areq) assert areq["grant_type"] == "authorization_code" _access_code = areq["code"] # assert that the code is valid if self.sdb.is_revoked(_access_code): return self._error(environ, start_response, error="access_denied", descr="Token is revoked") _info = _sdb[_access_code] # If redirect_uri was in the initial authorization request # verify that the one given here is the correct one. if "redirect_uri" in _info: assert areq["redirect_uri"] == _info["redirect_uri"] _log_debug("All checks OK") try: _tinfo = _sdb.update_to_token(_access_code) except Exception,err: _log_info("Error: %s" % err) # Should revoke the token issued to this access code _sdb.revoke_all_tokens(_access_code) return self._error(environ, start_response, error="access_denied", descr= "%s" % err)
def token_error(exception): error_response = TokenErrorResponse(error=exception.oauth_error, error_description=str(exception)) response = make_response((jsonify(error_response.to_dict()), 400)) if isinstance(exception, InvalidClientAuthentication): response.status = '401' response.headers['WWW-Authenticate'] = 'basic' return response
def test_token_endpoint_unauth(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client_1") _sdb = self.provider.sdb sid = _sdb.token.key(user="******", areq=authreq) access_grant = _sdb.token(sid=sid) ae = AuthnEvent("user", "salt") _sdb[sid] = { "authn_event": ae, "oauth_state": "authz", "authzreq": "", "client_id": "client_1", "code": access_grant, "code_used": False, "scope": ["openid"], "redirect_uri": "http://example.com/authz" } _sdb.do_sub(sid, "client_salt") # Construct Access token request areq = AccessTokenRequest(code=access_grant, redirect_uri="http://example.com/authz", client_id="client_1", client_secret="secret", ) txt = areq.to_urlencoded() resp = self.provider.token_endpoint(request=txt, remote_user="******", request_method="POST") atr = TokenErrorResponse().deserialize(resp.message, "json") assert atr["error"] == "unauthorized_client"
def test_token_endpoint_auth(self): state, location = self.cons.begin("openid", "code", path="http://localhost:8087") resp = self.provider.authorization_endpoint( request=urlparse(location).query) aresp = self.cons.parse_response(AuthorizationResponse, resp.message, sformat="urlencoded") # Construct Access token request areq = self.cons.construct_AccessTokenRequest( redirect_uri="http://example.com/authz", client_id="client_1", client_secret='abcdefghijklmnop', state=state) txt = areq.to_urlencoded() self.cons.client_secret = 'drickyoughurt' csb = ClientSecretBasic(self.cons) http_args = csb.construct(areq) resp = self.provider.token_endpoint( request=txt, remote_user="******", request_method="POST", authn=http_args['headers']['Authorization']) atr = TokenErrorResponse().deserialize(resp.message, "json") assert atr["token_type"] == 'Bearer'
def test_token_endpoint_malformed(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id=CLIENT_ID, response_type="code", scope=["openid"]) _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.access_token(sid=sid) ae = AuthnEvent("user", "salt") _sdb[sid] = { "oauth_state": "authz", "authn_event": ae, "authzreq": authreq.to_json(), "client_id": CLIENT_ID, "code": access_grant, "code_used": False, "scope": ["openid"], "redirect_uri": "http://example.com/authz", } _sdb.do_sub(sid, "client_salt") # Construct Access token request areq = AccessTokenRequest(code=access_grant[0:len(access_grant) - 1], client_id=CLIENT_ID, redirect_uri="http://example.com/authz", client_secret=CLIENT_SECRET, grant_type='authorization_code') txt = areq.to_urlencoded() resp = self.provider.token_endpoint(request=txt) atr = TokenErrorResponse().deserialize(resp.message, "json") assert atr['error'] == "invalid_request"
def token_endpoint(self, data): if "grant_type=refresh_token" in data: req = self.parse_refresh_token_request(body=data) _info = self.sdb.refresh_token(req["refresh_token"]) elif "grant_type=authorization_code": req = self.parse_token_request(body=data) _info = self.sdb.upgrade_to_token(req["code"]) else: response = TokenErrorResponse(error="unsupported_grant_type") return response, "" resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info)) response = Response() response.headers = {"content-type": "application/json"} response.text = resp.to_json() return response
def token_endpoint(): try: token_response = current_app.provider.handle_token_request(flask.request.get_data().decode('utf-8'), flask.request.headers, extra_userinfo) return jsonify(token_response.to_dict()) except InvalidClientAuthentication as e: current_app.logger.debug('invalid client authentication at token endpoint', exc_info=True) error_resp = TokenErrorResponse(error='invalid_client', error_description=str(e)) response = make_response(error_resp.to_json(), 401) response.headers['Content-Type'] = 'application/json' response.headers['WWW-Authenticate'] = 'Basic' return response except OAuthError as e: current_app.logger.debug('invalid request: %s', str(e), exc_info=True) error_resp = TokenErrorResponse(error=e.oauth_error, error_description=str(e)) response = make_response(error_resp.to_json(), 400) response.headers['Content-Type'] = 'application/json' return response
def test_token_endpoint_with_invalid_client_authentication(self, context, frontend, authn_req): context.request = AccessTokenRequest(redirect_uri=authn_req["redirect_uri"], code="code").to_dict() credentials = "{}:{}".format("unknown", "unknown") basic_auth = urlsafe_b64encode(credentials.encode("utf-8")).decode("utf-8") context.request_authorization = "Basic {}".format(basic_auth) response = frontend.token_endpoint(context) parsed_message = TokenErrorResponse().deserialize(response.message, "json") assert response.status == "401 Unauthorized" assert parsed_message["error"] == "invalid_client"
def test_token_endpoint_with_invalid_code(self, context, frontend, authn_req): self.insert_client_in_client_db(frontend, authn_req["redirect_uri"]) context.request = AccessTokenRequest(redirect_uri=authn_req["redirect_uri"], code="invalid").to_dict() credentials = "{}:{}".format(CLIENT_ID, CLIENT_SECRET) basic_auth = urlsafe_b64encode(credentials.encode("utf-8")).decode("utf-8") context.request_authorization = "Basic {}".format(basic_auth) response = frontend.token_endpoint(context) parsed_message = TokenErrorResponse().deserialize(response.message, "json") assert response.status == "400 Bad Request" assert parsed_message["error"] == "invalid_grant"
def test_token_endpoint_unauth(): server = provider_init authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client_1") _sdb = server.sdb sid = _sdb.token.key(user="******", areq=authreq) access_grant = _sdb.token(sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "user_id", "authzreq": "", "client_id": "client_1", "code": access_grant, "code_used": False, "scope": ["openid"], "redirect_uri":"http://example.com/authz" } # Construct Access token request areq = AccessTokenRequest(code=access_grant, redirect_uri="http://example.com/authz", client_id="client_1", client_secret="secret",) print areq.to_dict() str = areq.to_urlencoded() fil = StringIO.StringIO(buf=str) environ = BASE_ENVIRON.copy() environ["CONTENT_LENGTH"] = len(str) environ["wsgi.input"] = fil environ["REMOTE_USER"] = "******" environ["REQUEST_METHOD"] = "POST" resp = server.token_endpoint(environ, start_response) print resp atr = TokenErrorResponse().deserialize(resp[0] ,"json") print atr.keys() assert _eq(atr.keys(), ['error'])
def token_endpoint(self, context): """ Handle token requests (served at /token). :type context: satosa.context.Context :rtype: oic.utils.http_util.Response :param context: the current context :return: HTTP response to the client """ headers = {"Authorization": context.request_authorization} try: response = self.provider.handle_token_request( urlencode(context.request), headers) return Response(response.to_json(), content="application/json") except InvalidClientAuthentication as e: logger.debug('invalid client authentication at token endpoint', exc_info=True) error_resp = TokenErrorResponse(error='invalid_client', error_description=str(e)) response = Unauthorized(error_resp.to_json(), headers=[("WWW-Authenticate", "Basic")], content="application/json") return response except OAuthError as e: logger.debug('invalid request: %s', str(e), exc_info=True) error_resp = TokenErrorResponse(error=e.oauth_error, error_description=str(e)) return BadRequest(error_resp.to_json(), content="application/json")
def test_token_endpoint_unauth(): server = provider_init authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client_1") _sdb = server.sdb sid = _sdb.token.key(user="******", areq=authreq) access_grant = _sdb.token(sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": "", "client_id": "client_1", "code": access_grant, "code_used": False, "scope": ["openid"], "redirect_uri": "http://example.com/authz" } # Construct Access token request areq = AccessTokenRequest( code=access_grant, redirect_uri="http://example.com/authz", client_id="client_1", client_secret="secret", ) print areq.to_dict() txt = areq.to_urlencoded() resp = server.token_endpoint(request=txt, remote_user="******", request_method="POST") print resp atr = TokenErrorResponse().deserialize(resp.message, "json") print atr.keys() assert _eq(atr.keys(), ['error'])
def claims_endpoint(self, environ, start_response, *args): _log_info = logger.info query = get_or_post(environ) ucreq = self.srvmethod.parse_user_claims_request(query) _log_info("request: %s" % ucreq) if not self.function["verify_client"](environ, ucreq, self.cdb): _log_info("could not verify client") err = TokenErrorResponse(error="unathorized_client") resp = Unauthorized(err.to_json(), content="application/json") return resp(environ, start_response) if "claims_names" in ucreq: args = dict([(n, {"optional": True}) for n in ucreq["claims_names"]]) uic = UserInfoClaim(claims=Claims(**args)) else: uic = None _log_info("User info claims: %s" % uic) #oicsrv, userdb, subject, client_id="", user_info_claims=None info = self.function["userinfo"](self, self.userdb, ucreq["sub"], ucreq["client_id"], user_info_claims=uic) _log_info("User info: %s" % info.to_dict()) if self.do_aggregation(info, ucreq["sub"]): cresp = self._aggregation(info) else: cresp = self._distributed(info) _log_info("response: %s" % cresp.to_dict()) resp = Response(cresp.to_json(), content="application/json") return resp(environ, start_response)
def token_endpoint(self, context): """ Handle token requests (served at /token). :type context: satosa.context.Context :rtype: oic.utils.http_util.Response :param context: the current context :return: HTTP response to the client """ headers = {"Authorization": context.request_authorization} try: response = self.provider.handle_token_request(urlencode(context.request), headers) return Response(response.to_json(), content="application/json") except InvalidClientAuthentication as e: logger.debug('invalid client authentication at token endpoint', exc_info=True) error_resp = TokenErrorResponse(error='invalid_client', error_description=str(e)) response = Unauthorized(error_resp.to_json(), headers=[("WWW-Authenticate", "Basic")], content="application/json") return response except OAuthError as e: logger.debug('invalid request: %s', str(e), exc_info=True) error_resp = TokenErrorResponse(error=e.oauth_error, error_description=str(e)) return BadRequest(error_resp.to_json(), content="application/json")
def token_endpoint(self, data): if "grant_type=refresh_token" in data: req = self.parse_refresh_token_request(body=data) _info = self.sdb.refresh_token(req["refresh_token"], req['client_id']) elif "grant_type=authorization_code" in data: req = self.parse_token_request(body=data) if 'offline_access' in self.sdb[req['code']]['scope']: _info = self.sdb.upgrade_to_token(req["code"], issue_refresh=True) else: _info = self.sdb.upgrade_to_token(req["code"]) else: response = TokenErrorResponse(error="unsupported_grant_type") return response, "" resp = AccessTokenResponse(**by_schema(AccessTokenResponse, **_info)) response2 = Response() response2.headers = {"content-type": "application/json"} response2.text = resp.to_json() return response2
def token_endpoint(): try: token_response = current_app.provider.handle_token_request(flask.request.get_data().decode('utf-8'), flask.request.headers) return jsonify(token_response.to_dict()) except InvalidClientAuthentication as e: current_app.logger.debug('invalid client authentication at token endpoint', exc_info=True) error_resp = TokenErrorResponse(error='invalid_client', error_description=str(e)) response = make_response(error_resp.to_json(), 401) response.headers['Content-Type'] = 'application/json' response.headers['WWW-Authenticate'] = 'Basic' return response except OAuthError as e: current_app.logger.debug('invalid request: %s', str(e), exc_info=True) error_resp = TokenErrorResponse(error=e.oauth_error, error_description=str(e)) response = make_response(error_resp.to_json(), 400) response.headers['Content-Type'] = 'application/json' return response
def oidc_token(self) -> Union[str, Response]: print(request) try: token_response = self.provider.handle_token_request( request.get_data().decode("utf-8"), request.headers) return Response(token_response.to_json(), mimetype="application/json") except InvalidClientAuthentication as err: error_resp = TokenErrorResponse(error="invalid_client", error_description=str(err)) http_response = Response(error_resp.to_json(), status=401, mimetype="application/json") http_response.headers["WWW-Authenticate"] = "Basic" logging.error(error_resp.to_dict()) return http_response except OAuthError as err: error_resp = TokenErrorResponse(error=err.oauth_error, error_description=str(err)) return Response(error_resp.to_json(), status=400, mimetype="application/json")
logger.info("token_request: %s" % request) req = AccessTokenRequest().deserialize(request, "urlencoded") if "refresh_token" in req: req = RefreshAccessTokenRequest().deserialize(request, "urlencoded") logger.debug("%s: %s" % (req.__class__.__name__, req)) try: resp = self.client_authn(self, req, authn) except Exception, err: logger.error("Failed to verify client due to: %s" % err) resp = False if not resp: err = TokenErrorResponse(error="unathorized_client") return Unauthorized(err.to_json(), content="application/json") if isinstance(req, AccessTokenRequest): return self._access_token_endpoint(req, **kwargs) else: return self._refresh_access_token_endpoint(req, **kwargs) def _collect_user_info(self, session, userinfo_claims=None): """ Collect information about a user. This can happen in two cases, either when constructing an IdToken or when returning user info through the UserInfo endpoint :param session: Session information