def test_parse_authorization_request():
srv = Server()
qdict = srv.parse_authorization_request(query=AREQ.to_urlencoded())
assert _eq(qdict.keys(), [
'nonce', 'state', 'redirect_uri', 'response_type', 'client_id', 'scope'
])
assert qdict["state"] == "state0"
def test_parse_urlencoded():
loc = "http://example.com/userinfo?access_token=access_token"
srv = Server()
qdict = srv._parse_urlencoded(loc)
assert _eq(qdict.keys(), ["access_token"])
# all values as lists
assert qdict["access_token"] == ["access_token"]
def test_server_parse_parse_authorization_request():
srv = Server()
srv.keyjar = KEYJ
ar = AuthorizationRequest(
response_type=["code"],
client_id="foobar",
redirect_uri="http://foobar.example.com/oaclient",
state="cold",
nonce="NONCE",
scope=["openid"])
uencq = ar.to_urlencoded()
areq = srv.parse_authorization_request(query=uencq)
assert areq.type() == "AuthorizationRequest"
assert areq["response_type"] == ["code"]
assert areq["client_id"] == "foobar"
assert areq["redirect_uri"] == "http://foobar.example.com/oaclient"
assert areq["state"] == "cold"
urluenc = "%s?%s" % ("https://example.com/authz", uencq)
areq = srv.parse_authorization_request(url=urluenc)
assert areq.type() == "AuthorizationRequest"
assert areq["response_type"] == ["code"]
assert areq["client_id"] == "foobar"
assert areq["redirect_uri"] == "http://foobar.example.com/oaclient"
assert areq["state"] == "cold"
def __init__(self, patch, config={}):
Server.__init__(self)
self.patch = patch
self.session = None
self.config = {
'issuer': 'https://example.com',
}
self.config.update(config)
self.authz_codes = {}
self.access_tokens = {}
self.client = {
'test-client': {
'client_name': 'Test Client',
'client_secret': 'test-secret',
'post_logout_redirect_uris': [
'http://localhost:5000/sign-out',
],
'redirect_uris': [
'http://localhost:5000/oidc_callback',
],
'response_types': ['code'],
}
}
self.access_token_lifetime = 3600
self.authorization_code_lifetime = 600
self.id_token_lifetime = 3600
self.registration_expires_in = 3600
self.host = ''
self.userinfo_signed_response_alg = ''
self.signing_key = RSAKey(key=rsa_load('signing_key.pem'), alg='RS256')
self.urls = []
def test_server_parse_token_request():
atr = AccessTokenRequest(grant_type="authorization_code",
code="SplxlOBeZQQYbYS6WxSbIA",
redirect_uri="https://client.example.com/cb",
client_id=CLIENT_ID,
extra="foo")
uenc = atr.to_urlencoded()
srv = Server()
srv.keyjar = KEYJ
tr = srv.parse_token_request(body=uenc)
print tr.keys()
assert tr.type() == "AccessTokenRequest"
assert _eq(tr.keys(),
['code', 'redirect_uri', 'grant_type', 'client_id', 'extra'])
assert tr["grant_type"] == "authorization_code"
assert tr["code"] == "SplxlOBeZQQYbYS6WxSbIA"
tr = srv.parse_token_request(body=uenc)
print tr.keys()
assert tr.type() == "AccessTokenRequest"
assert _eq(tr.keys(),
['code', 'grant_type', 'client_id', 'redirect_uri', 'extra'])
assert tr["extra"] == "foo"
def test_begin_file(self, tmpdir):
path = tmpdir.strpath
external_path = "/exported"
self.consumer.consumer_config["request_method"] = "file"
self.consumer.consumer_config["temp_dir"] = path
self.consumer.consumer_config["temp_path"] = external_path
self.consumer.consumer_config["authz_page"] = "/authz"
srv = Server()
srv.keyjar = SRVKEYS
sid, location = self.consumer.begin("openid", "code",
path="http://localhost:8087")
with responses.RequestsMock() as rsps:
p = urlparse(self.consumer.request_uri)
assert p.netloc == "localhost:8087"
# Map the URL path to the local path
relative_path = os.path.relpath(p.path, external_path)
file_path = os.path.join(path, relative_path)
with open(file_path) as f:
rsps.add(rsps.GET, self.consumer.request_uri,
body=f.read(), status=200,
content_type='application/urlencoded')
authreq = srv.parse_authorization_request(url=location)
assert _eq(list(authreq.keys()),
['max_age', 'state', 'redirect_uri', 'response_type',
'client_id', 'scope', 'claims'])
assert authreq["state"] == sid
assert authreq["scope"] == self.consumer.consumer_config["scope"]
assert authreq["client_id"] == self.consumer.client_id
assert authreq["redirect_uri"].startswith(
"http://localhost:8087/authz")
def test_begin_file(self):
tempdir = tempfile.mkdtemp()
self.consumer.config["request_method"] = "file"
self.consumer.config["temp_dir"] = tempdir
self.consumer.config["temp_path"] = tempdir
self.consumer.config["authz_page"] = "/authz"
srv = Server()
srv.keyjar = SRVKEYS
sid, location = self.consumer.begin("openid",
"code",
path="http://localhost:8087")
print location
# vkeys = {".":srv.keyjar.get_verify_key()}
authreq = srv.parse_authorization_request(url=location)
print authreq.keys()
assert _eq(authreq.keys(), [
'max_age', 'state', 'redirect_uri', 'response_type', 'client_id',
'scope', 'claims', 'request_uri'
])
assert authreq["state"] == sid
assert authreq["scope"] == self.consumer.config["scope"]
assert authreq["client_id"] == self.consumer.client_id
assert authreq["redirect_uri"].startswith(
"http://localhost:8087/authz")
# Cleanup the file we have created
shutil.rmtree(tempdir)
def test_request_attr_mis_match():
redirect_uri = "http://example.com/redirect"
client = Client(CLIENT_ID, client_authn_method=CLIENT_AUTHN_METHOD)
client.redirect_uris = [redirect_uri]
client.authorization_endpoint = "http://example.com/authorization"
client.client_secret = "abcdefghijklmnop"
client.keyjar[""] = KC_RSA
client.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]}
srv = Server()
srv.keyjar = KEYJ
areq = client.construct_AuthorizationRequest(
request_args={
"scope": "openid",
"response_type": ["code"],
"max_age": 86400,
'state': 'foobar'
},
request_param="request")
for attr in ['state', 'max_age', 'client_id']:
del areq[attr]
areq.lax = True
req = srv.parse_authorization_request(query=areq.to_urlencoded())
assert req.verify()
def __init__(self, jwt_keys=None, name=""):
Server.__init__(self, jwt_keys=jwt_keys)
self.sdb = SessionDB()
self.name = name
self.client = {}
self.registration_expires_in = 3600
self.host = ""
def test_parse_urlencoded():
loc = "http://example.com/userinfo?access_token=access_token"
srv = Server()
qdict = srv._parse_urlencoded(loc)
assert _eq(qdict.keys(), ["access_token"])
# all values as lists
assert qdict["access_token"] == ["access_token"]
def test_parse_registration_request():
srv = Server()
request = srv.parse_registration_request(data=REGREQ.to_urlencoded())
assert request.type() == "RegistrationRequest"
assert _eq(request.keys(), ["redirect_uris", "contacts", "client_id", "application_name", "type"])
assert request["application_name"] == "pacubar"
assert request["type"] == "client_associate"
def test_server_parse_parse_authorization_request():
srv = Server()
srv.keyjar = KEYJ
ar = AuthorizationRequest(response_type=["code"], client_id="foobar",
redirect_uri="http://foobar.example.com/oaclient",
state="cold", nonce="NONCE", scope=["openid"])
uencq = ar.to_urlencoded()
areq = srv.parse_authorization_request(query=uencq)
assert areq.type() == "AuthorizationRequest"
assert areq["response_type"] == ["code"]
assert areq["client_id"] == "foobar"
assert areq["redirect_uri"] == "http://foobar.example.com/oaclient"
assert areq["state"] == "cold"
urluenc = "%s?%s" % ("https://example.com/authz", uencq)
areq = srv.parse_authorization_request(url=urluenc)
assert areq.type() == "AuthorizationRequest"
assert areq["response_type"] == ["code"]
assert areq["client_id"] == "foobar"
assert areq["redirect_uri"] == "http://foobar.example.com/oaclient"
assert areq["state"] == "cold"
def test_server_parse_token_request():
atr = AccessTokenRequest(grant_type="authorization_code",
code="SplxlOBeZQQYbYS6WxSbIA",
redirect_uri="https://client.example.com/cb",
client_id=CLIENT_ID, extra="foo")
uenc = atr.to_urlencoded()
srv = Server()
srv.keyjar = KEYJ
tr = srv.parse_token_request(body=uenc)
print tr.keys()
assert tr.type() == "AccessTokenRequest"
assert _eq(tr.keys(), ['code', 'redirect_uri', 'grant_type', 'client_id',
'extra'])
assert tr["grant_type"] == "authorization_code"
assert tr["code"] == "SplxlOBeZQQYbYS6WxSbIA"
tr = srv.parse_token_request(body=uenc)
print tr.keys()
assert tr.type() == "AccessTokenRequest"
assert _eq(tr.keys(), ['code', 'grant_type', 'client_id', 'redirect_uri',
'extra'])
assert tr["extra"] == "foo"
def test_parse_token_request():
srv = Server()
qdict = srv.parse_token_request(body=TREQ.to_urlencoded())
assert qdict.type() == "AccessTokenRequest"
assert _eq(qdict.keys(), ["code", "redirect_uri", "client_id", "grant_type"])
assert qdict["client_id"] == CLIENT_ID
assert qdict["code"] == "code"
def test_begin_file(self, tmpdir):
path = tmpdir.strpath
self.consumer.consumer_config["request_method"] = "file"
self.consumer.consumer_config["temp_dir"] = path
self.consumer.consumer_config["temp_path"] = path
self.consumer.consumer_config["authz_page"] = "/authz"
srv = Server()
srv.keyjar = SRVKEYS
sid, location = self.consumer.begin("openid",
"code",
path="http://localhost:8087")
with responses.RequestsMock() as rsps:
p = urlparse(self.consumer.request_uri)
rsps.add(rsps.GET,
self.consumer.request_uri,
body=open(p.path).read(),
status=200,
content_type='application/urlencoded')
authreq = srv.parse_authorization_request(url=location)
assert _eq(list(authreq.keys()), [
'max_age', 'state', 'redirect_uri', 'response_type',
'client_id', 'scope', 'claims'
])
assert authreq["state"] == sid
assert authreq["scope"] == self.consumer.consumer_config["scope"]
assert authreq["client_id"] == self.consumer.client_id
assert authreq["redirect_uri"].startswith(
"http://localhost:8087/authz")
def test_server_parse_token_request():
atr = AccessTokenRequest(
grant_type="authorization_code",
code="SplxlOBeZQQYbYS6WxSbIA",
redirect_uri="https://client.example.com/cb",
client_id="client_id",
extra="foo",
)
uenc = atr.to_urlencoded()
srv = Server()
tr = srv.parse_token_request(body=uenc)
print tr.keys()
assert tr.type() == "AccessTokenRequest"
assert _eq(tr.keys(), ["code", "redirect_uri", "grant_type", "client_id", "extra"])
assert tr["grant_type"] == "authorization_code"
assert tr["code"] == "SplxlOBeZQQYbYS6WxSbIA"
tr = srv.parse_token_request(body=uenc)
print tr.keys()
assert tr.type() == "AccessTokenRequest"
assert _eq(tr.keys(), ["code", "grant_type", "client_id", "redirect_uri", "extra"])
assert tr["extra"] == "foo"
def test_parse_check_session_request():
srv = Server()
srv.keyjar = KEYJ
request = srv.parse_check_session_request(query=CSREQ.to_urlencoded())
assert request.type() == "IdToken"
assert _eq(request.keys(), ['nonce', 'sub', 'aud', 'iss', 'exp', 'iat'])
assert request["aud"] == ["client_1"]
def test_begin_file(self):
tempdir = tempfile.mkdtemp()
self.consumer.config["request_method"] = "file"
self.consumer.config["temp_dir"] = tempdir
self.consumer.config["temp_path"] = tempdir
self.consumer.config["authz_page"] = "/authz"
srv = Server()
srv.keyjar = SRVKEYS
sid, location = self.consumer.begin("openid", "code",
path="http://localhost:8087")
print location
#vkeys = {".":srv.keyjar.get_verify_key()}
authreq = srv.parse_authorization_request(url=location)
print authreq.keys()
assert _eq(authreq.keys(), ['max_age', 'state', 'redirect_uri',
'response_type', 'client_id', 'scope',
'claims', 'request_uri'])
assert authreq["state"] == sid
assert authreq["scope"] == self.consumer.config["scope"]
assert authreq["client_id"] == self.consumer.client_id
assert authreq["redirect_uri"].startswith("http://localhost:8087/authz")
# Cleanup the file we have created
shutil.rmtree(tempdir)
def test_request_attr_mis_match():
redirect_uri = "http://example.com/redirect"
client = Client(CLIENT_ID, client_authn_method=CLIENT_AUTHN_METHOD)
client.redirect_uris = [redirect_uri]
client.authorization_endpoint = "http://example.com/authorization"
client.client_secret = "abcdefghijklmnop"
client.keyjar[""] = KC_RSA
client.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
srv = Server()
srv.keyjar = KEYJ
areq = client.construct_AuthorizationRequest(
request_args={
"scope": "openid",
"response_type": ["code"],
"max_age": 86400,
"state": "foobar",
},
request_param="request",
)
for attr in ["state", "max_age", "client_id"]:
del areq[attr]
areq.lax = True
req = srv.parse_authorization_request(query=areq.to_urlencoded())
assert req.verify()
def __init__(self, patch, config={}):
Server.__init__(self)
self.patch = patch
self.session = None
self.config = {
'issuer': 'https://example.com',
}
self.config.update(config)
self.authz_codes = {}
self.access_tokens = {}
self.client = {
'test-client': {
'client_name': 'Test Client',
'client_secret': 'test-secret',
'post_logout_redirect_uris': [
'http://localhost:5000/sign-out',
],
'redirect_uris': [
'http://localhost:5000/oidc_callback',
],
'response_types': ['code'],
}
}
self.access_token_lifetime = 3600
self.authorization_code_lifetime = 600
self.id_token_lifetime = 3600
self.registration_expires_in = 3600
self.host = ''
self.userinfo_signed_response_alg = ''
self.signing_key = RSAKey(key=rsa_load('signing_key.pem'), alg='RS256')
self.urls = []
def test_parse_check_session_request():
srv = Server()
srv.keyjar = KEYJ
request = srv.parse_check_session_request(query=CSREQ.to_urlencoded())
assert request.type() == "IdToken"
assert _eq(request.keys(), ['nonce', 'sub', 'aud', 'iss', 'exp', 'iat'])
assert request["aud"] == ["client_1"]
def test_make_id_token():
srv = Server()
srv.keyjar = KEYJ
srv.keyjar["http://oic.example/rp"] = KC_RSA
session = {"sub": "user0", "client_id": "http://oic.example/rp"}
issuer = "http://oic.example/idp"
code = "abcdefghijklmnop"
_idt = srv.make_id_token(session,
loa="2",
issuer=issuer,
code=code,
access_token="access_token")
algo = "RS256"
ckey = srv.keyjar.get_signing_key(alg2keytype(algo), session["client_id"])
_signed_jwt = _idt.to_jwt(key=ckey, algorithm="RS256")
idt = IdToken().from_jwt(_signed_jwt, keyjar=srv.keyjar)
print idt
header = unpack(_signed_jwt)
lha = left_hash(code, func="HS" + header[0]["alg"][-3:])
assert lha == idt["c_hash"]
atr = AccessTokenResponse(id_token=_signed_jwt,
access_token="access_token",
token_type="Bearer")
atr["code"] = code
assert atr.verify(keyjar=srv.keyjar)
def test_make_id_token():
srv = Server()
srv.keyjar = KEYJ
srv.keyjar["http://oic.example/rp"] = KC_RSA
session = {"sub": "user0",
"client_id": "http://oic.example/rp"}
issuer = "http://oic.example/idp"
code = "abcdefghijklmnop"
_idt = srv.make_id_token(session, loa="2", issuer=issuer,
code=code, access_token="access_token")
algo = "RS256"
ckey = srv.keyjar.get_signing_key(alg2keytype(algo), session["client_id"])
_signed_jwt = _idt.to_jwt(key=ckey, algorithm="RS256")
idt = IdToken().from_jwt(_signed_jwt, keyjar=srv.keyjar)
print idt
header = unpack(_signed_jwt)
lha = left_hash(code, func="HS" + header[0]["alg"][-3:])
assert lha == idt["c_hash"]
atr = AccessTokenResponse(id_token=_signed_jwt, access_token="access_token",
token_type="Bearer")
atr["code"] = code
assert atr.verify(keyjar=srv.keyjar)
def test_parse_token_request():
srv = Server()
qdict = srv.parse_token_request(body=TREQ.to_urlencoded())
assert qdict.type() == "AccessTokenRequest"
assert _eq(qdict.keys(),
['code', 'redirect_uri', 'client_id', 'grant_type'])
assert qdict["client_id"] == CLIENT_ID
assert qdict["code"] == "code"
def test_parse_registration_request():
srv = Server()
request = srv.parse_registration_request(data=REGREQ.to_urlencoded())
assert request.type() == "RegistrationRequest"
assert _eq(request.keys(),['redirect_uris', 'contacts', 'client_id',
'application_name', 'operation', 'application_type'])
assert request["application_name"] == "pacubar"
assert request["operation"] == "register"
def test_parse_end_session_request():
srv = Server(KEYS)
request = srv.parse_end_session_request(query=ESREQ.to_urlencoded())
assert request.type() == "EndSessionRequest"
assert _eq(request.keys(), ["id_token", "redirect_url", "state"])
assert request["state"] == "state0"
assert request["id_token"]["aud"] == "client_1"
def __init__(self, name=""):
Server.__init__(self)
self.sdb = SessionDB()
self.name = name
self.client = {}
self.registration_expires_in = 3600
self.host = ""
self.webfinger = WebFinger()
def __init__(self, name=""):
Server.__init__(self)
self.sdb = SessionDB()
self.name = name
self.client = {}
self.registration_expires_in = 3600
self.host = ""
self.webfinger = WebFinger()
def __init__(self, name="", session_db_factory=None):
Server.__init__(self)
self.sdb = session_db_factory(name)
self.name = name
self.client = {} # type: Dict[str, Dict[str, Any]]
self.registration_expires_in = 3600
self.host = ""
self.webfinger = WebFinger()
self.userinfo_signed_response_alg = ""
def __init__(self, name=""):
Server.__init__(self)
self.sdb = SessionDB(name)
self.name = name
self.client = {}
self.registration_expires_in = 3600
self.host = ""
self.webfinger = WebFinger()
self.userinfo_signed_response_alg = ""
def test_parse_registration_request():
srv = Server()
request = srv.parse_registration_request(data=REGREQ.to_urlencoded())
assert request.type() == "RegistrationRequest"
assert _eq(request.keys(), ['redirect_uris', 'contacts', 'client_id',
'application_name', 'operation',
'application_type'])
assert request["application_name"] == "pacubar"
assert request["operation"] == "register"
def __init__(self, name=""):
Server.__init__(self)
self.sdb = SessionDB(name)
self.name = name
self.client = {}
self.registration_expires_in = 3600
self.host = ""
self.webfinger = WebFinger()
self.userinfo_signed_response_alg = ""
def test_parse_userinfo_request():
srv = Server()
qdict = srv.parse_user_info_request(data=UIREQ.to_urlencoded())
assert _eq(qdict.keys(), ['access_token'])
assert qdict["access_token"] == "access_token"
url = "https://example.org/userinfo?%s" % UIREQ.to_urlencoded()
qdict = srv.parse_user_info_request(data=url)
assert _eq(qdict.keys(), ['access_token'])
assert qdict["access_token"] == "access_token"
def test_parse_end_session_request():
srv = Server()
srv.keyjar = KEYJ
request = srv.parse_end_session_request(query=ESREQ.to_urlencoded())
assert request.type() == "EndSessionRequest"
assert _eq(request.keys(), ['id_token', 'redirect_url', 'state'])
assert request["state"] == "state0"
assert request["id_token"]["aud"] == ["client_1"]
def test_parse_end_session_request():
srv = Server()
srv.keyjar = KEYJ
request = srv.parse_end_session_request(query=ESREQ.to_urlencoded())
assert request.type() == "EndSessionRequest"
assert _eq(request.keys(), ['id_token', 'redirect_url', 'state'])
assert request["state"] == "state0"
assert request["id_token"]["aud"] == ["client_1"]
def test_parse_userinfo_request():
srv = Server()
qdict = srv.parse_user_info_request(data=UIREQ.to_urlencoded())
assert _eq(qdict.keys(), ['access_token'])
assert qdict["access_token"] == "access_token"
url = "https://example.org/userinfo?%s" % UIREQ.to_urlencoded()
qdict = srv.parse_user_info_request(data=url)
assert _eq(qdict.keys(), ['access_token'])
assert qdict["access_token"] == "access_token"
def test_request_1():
srv = Server()
srv.keyjar = KEYJ
areq = 'redirect_uri=https%3A%2F%2Fnode-openid-client.dev%2Fcb&request' \
'=eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0' \
'.eyJzdGF0ZSI6ImZvb2JhciIsImlzcyI6Inp2bWk4UGdJbURiOSIsImF1ZCI6Imh0dHBzOi8vcnAuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0OjgwODAvbm9kZS1vcGVuaWQtY2xpZW50L3JwLXJlcXVlc3RfdXJpLXVuc2lnbmVkIiwiY2xpZW50X2lkIjoienZtaThQZ0ltRGI5In0.&client_id=zvmi8PgImDb9&scope=openid&response_type=code'
req = srv.parse_authorization_request(query=areq)
assert req
def test_begin(self):
srv = Server()
srv.keyjar = SRVKEYS
sid, location = self.consumer.begin("openid", "code")
authreq = srv.parse_authorization_request(url=location)
assert _eq(authreq.keys(), ['request', 'state', 'max_age', 'claims',
'response_type', 'client_id', 'scope',
'redirect_uri'])
assert authreq["state"] == sid
assert authreq["scope"] == self.consumer.consumer_config["scope"]
assert authreq["client_id"] == self.consumer.client_id
def test_server_parse_refresh_token_request():
ratr = RefreshAccessTokenRequest(refresh_token="ababababab", client_id="Client_id")
uenc = ratr.to_urlencoded()
srv = Server()
tr = srv.parse_refresh_token_request(body=uenc)
print tr.keys()
assert tr.type() == "RefreshAccessTokenRequest"
assert tr["refresh_token"] == "ababababab"
assert tr["client_id"] == "Client_id"
def test_parse_refresh_session_request():
srv = Server()
request = srv.parse_refresh_session_request(query=RSREQ.to_urlencoded())
assert request.type() == "RefreshSessionRequest"
assert _eq(request.keys(), ['id_token', 'state', 'redirect_url'])
assert request["id_token"] == "id_token"
url = "https://example.org/userinfo?%s" % RSREQ.to_urlencoded()
request = srv.parse_refresh_session_request(url=url)
assert request.type() == "RefreshSessionRequest"
assert _eq(request.keys(), ['id_token', 'state', 'redirect_url'])
assert request["id_token"] == "id_token"
def test_parse_refresh_session_request():
srv = Server()
request = srv.parse_refresh_session_request(query=RSREQ.to_urlencoded())
assert request.type() == "RefreshSessionRequest"
assert _eq(request.keys(), ['id_token', 'state', 'redirect_url'])
assert request["id_token"] == "id_token"
url = "https://example.org/userinfo?%s" % RSREQ.to_urlencoded()
request = srv.parse_refresh_session_request(url=url)
assert request.type() == "RefreshSessionRequest"
assert _eq(request.keys(), ['id_token', 'state', 'redirect_url'])
assert request["id_token"] == "id_token"
def test_begin(self):
srv = Server()
srv.keyjar = SRVKEYS
sid, location = self.consumer.begin("openid", "code")
authreq = srv.parse_authorization_request(url=location)
assert _eq(list(authreq.keys()),
['state', 'max_age', 'claims', 'response_type', 'client_id',
'scope', 'redirect_uri'])
assert authreq["state"] == sid
assert authreq["scope"] == self.consumer.consumer_config["scope"]
assert authreq["client_id"] == self.consumer.client_id
def test_server_parse_refresh_token_request():
ratr = RefreshAccessTokenRequest(refresh_token="ababababab",
client_id="Client_id")
uenc = ratr.to_urlencoded()
srv = Server()
srv.keyjar = KEYJ
tr = srv.parse_refresh_token_request(body=uenc)
print tr.keys()
assert tr.type() == "RefreshAccessTokenRequest"
assert tr["refresh_token"] == "ababababab"
assert tr["client_id"] == "Client_id"
def test_begin_file(self, tmpdir):
path = tmpdir.strpath
external_path = "/exported"
self.consumer.consumer_config["request_method"] = "file"
self.consumer.consumer_config["temp_dir"] = path
self.consumer.consumer_config["temp_path"] = external_path
self.consumer.consumer_config["authz_page"] = "/authz"
srv = Server()
srv.keyjar = SRVKEYS
sid, location = self.consumer.begin("openid",
"code",
path="http://localhost:8087")
with responses.RequestsMock() as rsps:
p = urlparse(self.consumer.request_uri)
assert p.netloc == "localhost:8087"
# Map the URL path to the local path
relative_path = os.path.relpath(p.path, external_path)
file_path = os.path.join(path, relative_path)
with open(file_path) as f:
rsps.add(
rsps.GET,
self.consumer.request_uri,
body=f.read(),
status=200,
content_type="application/urlencoded",
)
authreq = srv.parse_authorization_request(url=location)
assert _eq(
list(authreq.keys()),
[
"max_age",
"state",
"redirect_uri",
"response_type",
"client_id",
"scope",
"claims",
],
)
assert authreq["state"] == sid
assert authreq["scope"] == self.consumer.consumer_config["scope"]
assert authreq["client_id"] == self.consumer.client_id
assert authreq["redirect_uri"].startswith(
"http://localhost:8087/authz")
def __init__(self, name, sdb, cdb, authn_broker, userinfo, authz,
client_authn, symkey, urlmap=None, ca_certs="", keyjar=None,
hostname="", template_lookup=None, verify_login_template=None):
AProvider.__init__(self, name, sdb, cdb, authn_broker, authz,
client_authn, symkey, urlmap)
self.endp.extend([UserinfoEndpoint, RegistrationEndpoint,
EndSessionEndpoint])
self.userinfo = userinfo
self.server = Server(ca_certs=ca_certs)
if keyjar:
self.server.keyjar = keyjar
self.template_lookup = template_lookup
self.verify_login_template = verify_login_template
self.keyjar = self.server.keyjar
self.baseurl = ""
self.cert = []
self.cert_encryption = []
self.cookie_name = "pyoidc"
self.seed = ""
self.sso_ttl = 0
self.test_mode = False
self.jwks_uri = []
self.authn_as = None
self.preferred_id_type = "public"
self.hostname = hostname or socket.gethostname
self.register_endpoint = "%s%s" % (self.baseurl, "register")
def __init__(self, name, sdb, cdb, authn_method, userinfo, authz,
client_authn, symkey, urlmap=None, ca_certs="", keyjar=None,
hostname=""):
AProvider.__init__(self, name, sdb, cdb, authn_method, authz,
client_authn, symkey, urlmap)
self.userinfo = userinfo
self.server = Server(ca_certs=ca_certs)
if keyjar:
self.server.keyjar = keyjar
self.keyjar = self.server.keyjar
self.endpoints = []
self.baseurl = ""
self.cert = []
self.cert_encryption = []
if authn_method:
self.cookie_func = authn_method.create_cookie
else:
self.cookie_func = None
self.cookie_name = "pyoidc"
self.seed = ""
self.sso_ttl = 0
self.test_mode = False
self.jwks_uri = []
self.authn_as = None
self.preferred_id_type = "public"
self.hostname = hostname or socket.gethostname
self.register_endpoint = "%s%s" % (self.baseurl, "register")
def test_parse_open_id_request():
srv = Server(KEYS)
request = srv.parse_open_id_request(data=OIDREQ.to_json(), format="json")
assert request.type() == "OpenIDRequest"
print request.keys()
assert _eq(
request.keys(),
["nonce", "id_token", "userinfo", "state", "redirect_uri", "response_type", "client_id", "scope"],
)
assert request["nonce"] == "af0ifjsldkj"
print request["userinfo"]
# assert request.userinfo.format == "signed"
print request["userinfo"]["claims"].to_dict()
assert "email" in request["userinfo"]["claims"]
def test_server_parse_jwt_request():
srv = Server()
srv.keyjar = KEYJ
ar = AuthorizationRequest(response_type=["code"], client_id=CLIENT_ID,
redirect_uri="http://foobar.example.com/oaclient",
state="cold", nonce="NONCE", scope=["openid"])
_keys = srv.keyjar.get_verify_key(owner=CLIENT_ID)
_jwt = ar.to_jwt(key=_keys, algorithm="HS256")
req = srv.parse_jwt_request(txt=_jwt)
assert req.type() == "AuthorizationRequest"
assert req["response_type"] == ["code"]
assert req["client_id"] == CLIENT_ID
assert req["redirect_uri"] == "http://foobar.example.com/oaclient"
assert req["state"] == "cold"
def test_request_duplicate_state():
srv = Server()
srv.keyjar = KEYJ
areq = (
"redirect_uri=https%3A%2F%2Fnode-openid-client.dev%2Fcb&state=barf"
"&request"
"=eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0"
".eyJzdGF0ZSI6ImZvb2JhciIsImlzcyI6Inp2bWk4UGdJbURiOSIsImF1ZCI6Imh0dHBzOi8v"
"cnAuY2VydGlmaWNhdGlvbi5vcGVuaWQubmV0OjgwODAvbm9kZS1vcGVuaWQtY2xpZW50L3JwL"
"XJlcXVlc3RfdXJpLXVuc2lnbmVkIiwiY2xpZW50X2lkIjoienZtaThQZ0ltRGI5In0.&"
"client_id=zvmi8PgImDb9&scope=openid&response_type=code")
req = srv.parse_authorization_request(query=areq)
assert req["state"] == "foobar"
assert req["redirect_uri"] == "https://node-openid-client.dev/cb"
def test_parse_open_id_request():
srv = Server()
srv.keyjar = KEYJ
request = srv.parse_open_id_request(data=OIDREQ.to_json(), sformat="json")
assert request.type() == "OpenIDRequest"
print request.keys()
assert _eq(request.keys(), ['nonce', 'claims', 'state', 'redirect_uri',
'response_type', 'client_id', 'scope',
'max_age'])
assert request["nonce"] == "af0ifjsldkj"
print request["claims"]
#assert request.userinfo.format == "signed"
print request["claims"]["userinfo"]
assert "email" in request["claims"]["userinfo"]
def test_parse_open_id_request():
srv = Server()
srv.keyjar = KEYJ
request = srv.parse_open_id_request(data=OIDREQ.to_json(), sformat="json")
assert request.type() == "OpenIDRequest"
print request.keys()
assert _eq(request.keys(), ['nonce', 'claims', 'state', 'redirect_uri',
'response_type', 'client_id', 'scope',
'max_age'])
assert request["nonce"] == "af0ifjsldkj"
print request["claims"]
#assert request.userinfo.format == "signed"
print request["claims"]["userinfo"]
assert "email" in request["claims"]["userinfo"]
def test_server_parse_jwt_request():
srv = Server()
srv.keyjar = KEYJ
ar = AuthorizationRequest(response_type=["code"], client_id=CLIENT_ID,
redirect_uri="http://foobar.example.com/oaclient",
state="cold", nonce="NONCE", scope=["openid"])
_keys = srv.keyjar.get_verify_key(owner=CLIENT_ID)
_jwt = ar.to_jwt(key=_keys, algorithm="HS256")
req = srv.parse_jwt_request(txt=_jwt)
assert req.type() == "AuthorizationRequest"
assert req["response_type"] == ["code"]
assert req["client_id"] == CLIENT_ID
assert req["redirect_uri"] == "http://foobar.example.com/oaclient"
assert req["state"] == "cold"
def test_make_id_token():
srv = Server(KEYS)
session = {"user_id": "user0", "client_id": "http://oic.example/rp"}
issuer = "http://oic.example/idp"
code = "abcdefghijklmnop"
idt_jwt = srv.make_id_token(session, loa="2", issuer=issuer, code=code, access_token="access_token")
jwt_keys = srv.keystore.get_keys("ver", owner=None)
idt = IdToken().from_jwt(idt_jwt, key=jwt_keys)
print idt
header = unpack(idt_jwt)
lha = left_hash(code, func="HS" + header[0]["alg"][-3:])
assert lha == idt["c_hash"]
atr = AccessTokenResponse(id_token=idt_jwt, access_token="access_token", token_type="Bearer")
atr["code"] = code
assert atr.verify(key=jwt_keys)
def test_begin_file(self):
self.consumer.config["request_method"] = "file"
self.consumer.config["temp_dir"] = "./file"
self.consumer.config["temp_path"] = "/tmp/"
srv = Server(SRVKEYS)
location = self.consumer.begin(BASE_ENVIRON, start_response)
print location
vkeys = {".":srv.keystore.get_verify_key()}
authreq = srv.parse_authorization_request(url=location, keys=vkeys)
print authreq.keys()
assert _eq(authreq.keys(), ['state', 'redirect_uri',
'response_type', 'client_id', 'scope',
'request_uri'])
assert authreq["state"] == self.consumer.state
assert authreq["scope"] == self.consumer.config["scope"]
assert authreq["client_id"] == self.consumer.client_id
assert authreq["redirect_uri"].startswith("http://localhost:8087/authz")
def test_begin(self):
self.consumer.authorization_endpoint = AUTHZ_URL
self.consumer.keyjar[""].append(KC_RSA)
#self.consumer.keyjar.set_sign_key(rsapub, "rsa")
#self.consumer.keyjar.set_verify_key(rsapub, "rsa")
srv = Server()
srv.keyjar = SRVKEYS
print "redirect_uris", self.consumer.redirect_uris
print "config", self.consumer.config
location = self.consumer.begin("openid", "code")
print location
authreq = srv.parse_authorization_request(url=location)
print authreq.keys()
assert _eq(authreq.keys(), ['request', 'state', 'max_age', 'claims',
'response_type', 'client_id', 'scope',
'redirect_uri'])
assert authreq["state"] == self.consumer.state
assert authreq["scope"] == self.consumer.config["scope"]
assert authreq["client_id"] == self.consumer.client_id
def test_begin_file(self, tmpdir):
path = tmpdir.strpath
self.consumer.consumer_config["request_method"] = "file"
self.consumer.consumer_config["temp_dir"] = path
self.consumer.consumer_config["temp_path"] = path
self.consumer.consumer_config["authz_page"] = "/authz"
srv = Server()
srv.keyjar = SRVKEYS
sid, location = self.consumer.begin("openid",
"code",
path="http://localhost:8087")
authreq = srv.parse_authorization_request(url=location)
assert _eq(authreq.keys(), [
'max_age', 'state', 'redirect_uri', 'response_type', 'client_id',
'scope', 'claims', 'request_uri'
])
assert authreq["state"] == sid
assert authreq["scope"] == self.consumer.consumer_config["scope"]
assert authreq["client_id"] == self.consumer.client_id
assert authreq["redirect_uri"].startswith(
"http://localhost:8087/authz")
def test_server_init():
srv = Server()
assert srv
srv = Server()
assert srv
class TestServer(object):
@pytest.fixture(autouse=True)
def create_server(self):
self.srv = Server()
self.srv.keyjar = KEYJ
def test_parse_authz_req(self):
ar = AuthorizationRequest(
response_type=["code"],
client_id="foobar",
redirect_uri="http://foobar.example.com/oaclient",
state="cold",
nonce="NONCE",
scope=["openid"],
)
# query string
uencq = ar.to_urlencoded()
areq = self.srv.parse_authorization_request(query=uencq)
assert isinstance(areq, AuthorizationRequest)
assert areq["response_type"] == ["code"]
assert areq["client_id"] == "foobar"
assert areq["redirect_uri"] == "http://foobar.example.com/oaclient"
assert areq["state"] == "cold"
# urlencoded
urluenc = "https://example.com/authz?{}".format(uencq)
areq = self.srv.parse_authorization_request(url=urluenc)
assert isinstance(areq, AuthorizationRequest)
assert areq["response_type"] == ["code"]
assert areq["client_id"] == "foobar"
assert areq["redirect_uri"] == "http://foobar.example.com/oaclient"
assert areq["state"] == "cold"
def test_parse_authz_req_jwt(self):
ar = AuthorizationRequest(
response_type=["code"],
client_id=CLIENT_ID,
redirect_uri="http://foobar.example.com/oaclient",
state="cold",
nonce="NONCE",
scope=["openid"],
)
_keys = self.srv.keyjar.get_verify_key(owner=CLIENT_ID)
_jwt = ar.to_jwt(key=_keys, algorithm="HS256")
req = self.srv.parse_jwt_request(txt=_jwt)
assert isinstance(req, AuthorizationRequest)
assert req["response_type"] == ["code"]
assert req["client_id"] == CLIENT_ID
assert req["redirect_uri"] == "http://foobar.example.com/oaclient"
assert req["state"] == "cold"
def test_server_parse_token_request(self):
atr = AccessTokenRequest(
grant_type="authorization_code",
code="SplxlOBeZQQYbYS6WxSbIA",
redirect_uri="https://client.example.com/cb",
client_id=CLIENT_ID,
extra="foo",
)
uenc = atr.to_urlencoded()
tr = self.srv.parse_token_request(body=uenc)
assert isinstance(tr, AccessTokenRequest)
assert _eq(
tr.keys(),
["code", "redirect_uri", "grant_type", "client_id", "extra"])
assert tr["grant_type"] == "authorization_code"
assert tr["code"] == "SplxlOBeZQQYbYS6WxSbIA"
assert tr["extra"] == "foo"
def test_server_parse_refresh_token_request(self):
ratr = RefreshAccessTokenRequest(refresh_token="ababababab",
client_id="Client_id")
uenc = ratr.to_urlencoded()
tr = self.srv.parse_refresh_token_request(body=uenc)
assert isinstance(tr, RefreshAccessTokenRequest)
assert tr["refresh_token"] == "ababababab"
assert tr["client_id"] == "Client_id"
def test_parse_urlencoded(self):
loc = "http://example.com/userinfo?access_token=access_token"
qdict = self.srv._parse_urlencoded(loc)
assert qdict["access_token"] == ["access_token"]
def test_parse_authorization_request(self):
areq = AuthorizationRequest(
response_type="code",
client_id="client_id",
redirect_uri="http://example.com/authz",
scope=["openid"],
state="state0",
nonce="N0nce",
)
qdict = self.srv.parse_authorization_request(
query=areq.to_urlencoded())
assert _eq(
qdict.keys(),
[
"nonce", "state", "redirect_uri", "response_type", "client_id",
"scope"
],
)
assert qdict["state"] == "state0"
def test_parse_token_request(self):
treq = AccessTokenRequest(
code="code",
redirect_uri="http://example.com/authz",
client_id=CLIENT_ID,
grant_type="authorization_code",
)
qdict = self.srv.parse_token_request(body=treq.to_urlencoded())
assert isinstance(qdict, AccessTokenRequest)
assert _eq(qdict.keys(),
["code", "redirect_uri", "client_id", "grant_type"])
assert qdict["client_id"] == CLIENT_ID
assert qdict["code"] == "code"
def test_parse_userinfo_requesr(self):
uireq = UserInfoRequest(access_token="access_token")
uencq = uireq.to_urlencoded()
qdict = self.srv.parse_user_info_request(data=uencq)
assert _eq(qdict.keys(), ["access_token"])
assert qdict["access_token"] == "access_token"
url = "https://example.org/userinfo?{}".format(uencq)
qdict = self.srv.parse_user_info_request(data=url)
assert _eq(qdict.keys(), ["access_token"])
assert qdict["access_token"] == "access_token"
def test_parse_registration_request(self):
regreq = RegistrationRequest(
contacts=["*****@*****.**"],
redirect_uris=["http://example.org/jqauthz"],
application_name="pacubar",
client_id=CLIENT_ID,
operation="register",
application_type="web",
)
request = self.srv.parse_registration_request(
data=regreq.to_urlencoded())
assert isinstance(request, RegistrationRequest)
assert _eq(
request.keys(),
[
"redirect_uris",
"contacts",
"client_id",
"application_name",
"operation",
"application_type",
"response_types",
],
)
assert request["application_name"] == "pacubar"
assert request["operation"] == "register"
def test_parse_refresh_session_request(self):
rsreq = RefreshSessionRequest(id_token="id_token",
redirect_url="http://example.com/authz",
state="state0")
uencq = rsreq.to_urlencoded()
request = self.srv.parse_refresh_session_request(query=uencq)
assert isinstance(request, RefreshSessionRequest)
assert _eq(request.keys(), ["id_token", "state", "redirect_url"])
assert request["id_token"] == "id_token"
url = "https://example.org/userinfo?{}".format(uencq)
request = self.srv.parse_refresh_session_request(url=url)
assert isinstance(request, RefreshSessionRequest)
assert _eq(request.keys(), ["id_token", "state", "redirect_url"])
assert request["id_token"] == "id_token"
def test_parse_check_session_request(self):
csreq = CheckSessionRequest(id_token=IDTOKEN.to_jwt(
key=KC_SYM_S.get(alg2keytype("HS256")), algorithm="HS256"))
request = self.srv.parse_check_session_request(
query=csreq.to_urlencoded())
assert isinstance(request, IdToken)
assert _eq(request.keys(),
["nonce", "sub", "aud", "iss", "exp", "iat"])
assert request["aud"] == ["client_1"]
def test_parse_end_session_request(self):
esreq = EndSessionRequest(
id_token=IDTOKEN.to_jwt(key=KC_SYM_S.get(alg2keytype("HS256")),
algorithm="HS256"),
redirect_url="http://example.org/jqauthz",
state="state0",
)
request = self.srv.parse_end_session_request(
query=esreq.to_urlencoded())
assert isinstance(request, EndSessionRequest)
assert _eq(request.keys(), ["id_token", "redirect_url", "state"])
assert request["state"] == "state0"
assert request["id_token"]["aud"] == ["client_1"]
def test_parse_open_id_request(self):
userinfo_claims = Claims(
name={"essential": True},
nickname=None,
email={"essential": True},
email_verified={"essential": True},
picture=None,
)
id_token_claims = Claims(
auth_time={
"essential": True,
"acr": {
"values": ["urn:mace:incommon:iap:silver"]
},
})
claims_req = ClaimsRequest(userinfo=userinfo_claims,
id_token=id_token_claims)
oidreq = OpenIDRequest(
response_type=["code", "id_token"],
client_id=CLIENT_ID,
redirect_uri="https://client.example.com/cb",
scope="openid profile",
state="n-0S6_WzA2Mj",
nonce="af0ifjsldkj",
max_age=86400,
claims=claims_req,
)
request = self.srv.parse_open_id_request(data=oidreq.to_json(),
sformat="json")
assert isinstance(request, OpenIDRequest)
assert _eq(
request.keys(),
[
"nonce",
"claims",
"state",
"redirect_uri",
"response_type",
"client_id",
"scope",
"max_age",
],
)
assert request["nonce"] == "af0ifjsldkj"
assert "email" in request["claims"]["userinfo"]
def test_make_id_token(self):
self.srv.keyjar["http://oic.example/idp"] = KC_RSA
session = {"sub": "user0", "client_id": "http://oic.example/rp"}
issuer = "http://oic.example/idp"
code = "abcdefghijklmnop"
_idt = self.srv.make_id_token(session,
loa="2",
issuer=issuer,
code=code,
access_token="access_token")
algo = "RS256"
ckey = self.srv.keyjar.get_signing_key(alg2keytype(algo), issuer)
_signed_jwt = _idt.to_jwt(key=ckey, algorithm="RS256")
idt = IdToken().from_jwt(_signed_jwt, keyjar=self.srv.keyjar)
_jwt = JWT().unpack(_signed_jwt)
lha = left_hash(code.encode("utf-8"),
func="HS" + _jwt.headers["alg"][-3:])
assert lha == idt["c_hash"]
atr = AccessTokenResponse(id_token=_signed_jwt,
access_token="access_token",
token_type="Bearer")
atr["code"] = code
assert atr.verify(keyjar=self.srv.keyjar)
def create_server(self):
self.srv = Server()
self.srv.keyjar = KEYJ