def test_construct_with_token(self, services): authz_service = services['authorization'] _state = authz_service.create_state('Issuer') req = AuthorizationRequest(state=_state, response_type='code', redirect_uri='https://example.com', scope=['openid']) authz_service.store_item(req, 'auth_request', _state) # Add a state and bind a code to it resp1 = AuthorizationResponse(code="auth_grant", state=_state) response = services['authorization'].parse_response( resp1.to_urlencoded(), "urlencoded") services['authorization'].update_service_context(response, key=_state) # based on state find the code and then get an access token resp2 = AccessTokenResponse(access_token="token1", token_type="Bearer", expires_in=0, state=_state) response = services['accesstoken'].parse_response( resp2.to_urlencoded(), "urlencoded") services['accesstoken'].update_service_context(response, key=_state) # and finally use the access token, bound to a state, to # construct the authorization header http_args = BearerHeader().construct(ResourceRequest(), services['accesstoken'], key=_state) assert http_args == {"headers": {"Authorization": "Bearer token1"}}
def test_access_token_srv_conf(): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(config=client_config) db = InMemoryStateDataBase() auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') auth_response = AuthorizationResponse(code='access_code') _state = State(auth_request=auth_request.to_json(), auth_response=auth_response.to_json()) db.set('state', _state.to_json()) service = service_factory( 'AccessToken', ['oauth2'], state_db=db, service_context=service_context, conf={'default_authn_method': 'client_secret_post'}) req_args = { 'redirect_uri': 'https://example.com/cli/authz_cb', 'code': 'access_code' } service.endpoint = 'https://example.com/authorize' _info = service.get_request_parameters(request_args=req_args, state='state') assert _info msg = AccessTokenRequest().from_urlencoded( service.get_urlinfo(_info['body'])) assert 'client_secret' in msg
def test_access_token_srv_conf(): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } entity = Entity(config=client_config) token_service = entity.client_get("service", 'accesstoken') _state_interface = token_service.client_get("service_context").state _state_val = _state_interface.create_state( token_service.client_get("service_context").issuer) auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state=_state_val) _state_interface.store_item(auth_request, "auth_request", _state_val) auth_response = AuthorizationResponse(code='access_code') _state_interface.store_item(auth_response, "auth_response", _state_val) req_args = { 'redirect_uri': 'https://example.com/cli/authz_cb', 'code': 'access_code' } token_service.endpoint = 'https://example.com/authorize' _info = token_service.get_request_parameters(request_args=req_args, state=_state_val) assert _info msg = AccessTokenRequest().from_urlencoded(_info['body']) # client_secret_basic by default assert 'client_secret' not in msg
def test_access_token_srv_conf(): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(config=client_config) service = service_factory( 'AccessToken', ['oauth2'], service_context=service_context, conf={'default_authn_method': 'client_secret_post'}) auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') auth_response = AuthorizationResponse(code='access_code') service.store_item(auth_request, "auth_request", 'state') service.store_item(auth_response, "auth_response", 'state') req_args = { 'redirect_uri': 'https://example.com/cli/authz_cb', 'code': 'access_code' } service.endpoint = 'https://example.com/authorize' _info = service.get_request_parameters(request_args=req_args, state='state') assert _info msg = AccessTokenRequest().from_urlencoded( service.get_urlinfo(_info['body'])) assert 'client_secret' in msg
def test_construct_accesstoken_request(self): # Bind access code to state req_args = {} self.client.session_interface.create_state('issuer', 'ABCDE') auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='ABCDE') self.client.session_interface.store_item(auth_request, 'auth_request', 'ABCDE') auth_response = AuthorizationResponse(code='access_code') self.client.session_interface.store_item(auth_response, 'auth_response', 'ABCDE') msg = self.client.service['accesstoken'].construct( request_args=req_args, state='ABCDE') assert isinstance(msg, AccessTokenRequest) assert msg.to_dict() == { 'client_id': 'client_1', 'code': 'access_code', 'client_secret': 'abcdefghijklmnop', 'grant_type': 'authorization_code', 'redirect_uri': 'https://example.com/cli/authz_cb', 'state': 'ABCDE' }
def test_update_service_context_with_idtoken(self): req_args = {'response_type': 'code', 'state': 'state', 'nonce': 'nonce'} self.service.endpoint = 'https://example.com/authorize' _info = self.service.get_request_parameters(request_args=req_args) # Build an ID Token idt = JWT(key_jar=ISS_KEY, iss=ISS, lifetime=3600) payload = {'sub': '123456789', 'aud': ['client_id'], 'nonce': 'nonce'} # have to calculate c_hash alg = 'RS256' halg = "HS%s" % alg[-3:] payload["c_hash"] = left_hash('code', halg) _idt = idt.pack(payload) resp = AuthorizationResponse(state='state', code='code', id_token=_idt) resp = self.service.parse_response(resp.to_urlencoded()) self.service.update_service_context(resp, 'state')
def test_construct_accesstoken_request(self): _context = self.client.client_get("service_context") auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb') _state = _context.state.create_state('issuer') auth_request["state"] = _state _context.state.store_item(auth_request, 'auth_request', _state) auth_response = AuthorizationResponse(code='access_code') _context.state.store_item(auth_response, 'auth_response', _state) # Bind access code to state req_args = {} msg = self.client.client_get("service", 'accesstoken').construct( request_args=req_args, state=_state) assert isinstance(msg, AccessTokenRequest) assert msg.to_dict() == { 'client_id': 'client_1', 'client_secret': 'abcdefghijklmnop', 'grant_type': 'authorization_code', 'state': _state, 'code': 'access_code', 'redirect_uri': 'https://example.com/cli/authz_cb' }
def test_construct_accesstoken_request(self): # Client 1 starts the chain of event client_1 = Client(config=CONF) _context_1 = client_1.client_get("service_context") _state = _context_1.state.create_state('issuer') auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state=_state) _context_1.state.store_item(auth_request, 'auth_request', _state) # Client 2 carries on client_2 = Client(config=CONF) _state_dump = _context_1.dump() _context2 = client_2.client_get("service_context") _context2.load(_state_dump) auth_response = AuthorizationResponse(code='access_code') _context2.state.store_item(auth_response, 'auth_response', _state) msg = client_2.client_get("service", 'accesstoken').construct(request_args={}, state=_state) assert isinstance(msg, AccessTokenRequest) assert msg.to_dict() == { 'client_id': 'client_1', 'code': 'access_code', 'client_secret': 'abcdefghijklmnop', 'grant_type': 'authorization_code', 'redirect_uri': 'https://example.com/cli/authz_cb', 'state': _state }
def test_construct_refresh_token_request(self): self.client.session_interface.create_state('issuer', 'ABCDE') auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') self.client.session_interface.store_item(auth_request, 'auth_request', 'ABCDE') auth_response = AuthorizationResponse(code='access_code') self.client.session_interface.store_item(auth_response, 'auth_response', 'ABCDE') token_response = AccessTokenResponse(refresh_token="refresh_with_me", access_token="access") self.client.session_interface.store_item(token_response, 'token_response', 'ABCDE') req_args = {} msg = self.client.service['refresh_token'].construct( request_args=req_args, state='ABCDE') assert isinstance(msg, RefreshAccessTokenRequest) assert msg.to_dict() == { 'client_id': 'client_1', 'client_secret': 'abcdefghijklmnop', 'grant_type': 'refresh_token', 'refresh_token': 'refresh_with_me' }
def create_request(self): self._iss = ISS client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'], 'issuer': self._iss, 'requests_dir': 'requests', 'base_url': 'https://example.com/cli/' } service_context = ServiceContext(config=client_config) service_context.keyjar = CLI_KEY service_context.behaviour = { 'userinfo_signed_response_alg': 'RS256', "userinfo_encrypted_response_alg": "RSA-OAEP", "userinfo_encrypted_response_enc": "A256GCM" } db = InMemoryStateDataBase() auth_response = AuthorizationResponse(code='access_code').to_json() idtval = { 'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'diana', 'iss': ISS, 'aud': 'client_id' } idt = create_jws(idtval) ver_idt = IdToken().from_jwt(idt, CLI_KEY) token_response = AccessTokenResponse( access_token='access_token', id_token=idt, __verified_id_token=ver_idt).to_json() db.set('abcde', State(token_response=token_response, auth_response=auth_response).to_json()) self.service = service_factory('UserInfo', ['oidc'], state_db=db, service_context=service_context)
def test_init(self): atr = AuthorizationResponse(code="SplxlOBeZQQYbYS6WxSbIA", state="Fun_state", extra="foo") assert atr["code"] == "SplxlOBeZQQYbYS6WxSbIA" assert atr["state"] == "Fun_state" assert atr["extra"] == "foo"
def test_do_userinfo_request_init(self): self.client.session_interface.create_state('issuer', 'ABCDE') auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state' ) self.client.session_interface.store_item(auth_request, 'auth_request', 'ABCDE') auth_response = AuthorizationResponse(code='access_code') self.client.session_interface.store_item(auth_response, 'auth_response', 'ABCDE') token_response = AccessTokenResponse(refresh_token="refresh_with_me", access_token="access") self.client.session_interface.store_item(token_response, 'token_response', 'ABCDE') _srv = self.client.service['userinfo'] _srv.endpoint = "https://example.com/userinfo" _info = _srv.get_request_parameters(state='ABCDE') assert _info assert _info['headers'] == {'Authorization': 'Bearer access'} assert _info['url'] == 'https://example.com/userinfo'
def test_construct_accesstoken_request(self): # Client 1 starts client_1 = RP(config=CONF) _state = client_1.client_get("service_context").state.create_state( ISSUER) auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state=_state) client_1.client_get("service_context").state.store_item( auth_request, 'auth_request', _state) # Client 2 carries on client_2 = RP(config=CONF) _state_dump = client_1.client_get("service_context").dump() client_2.client_get("service_context").load(_state_dump) auth_response = AuthorizationResponse(code='access_code') client_2.client_get("service_context").state.store_item( auth_response, 'auth_response', _state) # Bind access code to state req_args = {} msg = client_2.client_get("service", 'accesstoken').construct( request_args=req_args, state=_state) assert isinstance(msg, AccessTokenRequest) assert msg.to_dict() == { 'client_id': 'client_1', 'code': 'access_code', 'client_secret': 'abcdefghijklmnop', 'grant_type': 'authorization_code', 'redirect_uri': 'https://example.com/cli/authz_cb', 'state': _state }
def test_do_userinfo_request_init(self): # Client 1 starts client_1 = RP(config=CONF) _state = client_1.client_get("service_context").state.create_state( ISSUER) auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') # Client 2 carries on client_2 = RP(config=CONF) _state_dump = client_1.client_get("service_context").dump() client_2.client_get("service_context").load(_state_dump) auth_response = AuthorizationResponse(code='access_code') client_2.client_get("service_context").state.store_item( auth_response, 'auth_response', _state) token_response = AccessTokenResponse(refresh_token="refresh_with_me", access_token="access") client_2.client_get("service_context").state.store_item( token_response, 'token_response', _state) # Back to Client 1 _state_dump = client_2.client_get("service_context").dump() client_1.client_get("service_context").load(_state_dump) _srv = client_1.client_get("service", 'userinfo') _srv.endpoint = "https://example.com/userinfo" _info = _srv.get_request_parameters(state=_state) assert _info assert _info['headers'] == {'Authorization': 'Bearer access'} assert _info['url'] == 'https://example.com/userinfo'
def create_service(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(config=client_config) db = InMemoryStateDataBase() auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') auth_response = AuthorizationResponse(code='access_code') _state = State(auth_response=auth_response.to_json(), auth_request=auth_request.to_json()) db.set('state', _state.to_json()) self.service = service_factory('AccessToken', ['oauth2'], state_db=db, service_context=service_context)
def test_response(self): _state = "today" req_args = {'response_type': 'code', 'state': _state} self.auth_service.endpoint = 'https://example.com/authorize' _info = self.auth_service.get_request_parameters(request_args=req_args) assert set(_info.keys()) == {'url', 'method', 'request'} msg = AuthorizationRequest().from_urlencoded( self.auth_service.get_urlinfo(_info['url'])) self.auth_service.client_get("service_context").state.store_item( msg, "auth_request", _state) resp1 = AuthorizationResponse(code="auth_grant", state=_state) response = self.auth_service.parse_response(resp1.to_urlencoded(), "urlencoded", state=_state) self.auth_service.update_service_context(response, key=_state) assert self.auth_service.client_get("service_context").state.get_state( _state)
def create_service(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(config=client_config) db = InMemoryStateDataBase() auth_response = AuthorizationResponse(code='access_code') token_response = AccessTokenResponse(access_token='bearer_token', refresh_token='refresh') _state = State(auth_response=auth_response.to_json(), token_response=token_response.to_json()) db.set('abcdef', _state.to_json()) self.service = service_factory('RefreshAccessToken', ['oauth2'], state_db=db, service_context=service_context) self.service.endpoint = 'https://example.com/token'
def test_do_userinfo_request_init(self): auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') auth_response = AuthorizationResponse(code='access_code') token_response = AccessTokenResponse(refresh_token="refresh_with_me", access_token="access") _state = State(auth_response=auth_response.to_json(), auth_request=auth_request.to_json(), token_response=token_response.to_json()) self.client.state_db.set('ABCDE', _state.to_json()) _srv = self.client.service['userinfo'] _srv.endpoint = "https://example.com/userinfo" _info = _srv.get_request_parameters(state='ABCDE') assert _info assert _info['headers'] == {'Authorization': 'Bearer access'} assert _info['url'] == 'https://example.com/userinfo'
def test_construct_accesstoken_request(self): auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') auth_response = AuthorizationResponse(code='access_code') _state = State(auth_response=auth_response.to_json(), auth_request=auth_request.to_json()) self.client.state_db.set('ABCDE', _state.to_json()) # Bind access code to state req_args = {} msg = self.client.service['accesstoken'].construct( request_args=req_args, state='ABCDE') assert isinstance(msg, AccessTokenRequest) assert msg.to_dict() == { 'client_id': 'client_1', 'code': 'access_code', 'client_secret': 'abcdefghijklmnop', 'grant_type': 'authorization_code', 'redirect_uri': 'https://example.com/cli/authz_cb', 'state': 'state' }
def test_construct_with_request(self, services): authz_service = services['authorization'] authz_service.state_db.set('EEEE', State(iss='Issuer').to_json()) resp1 = AuthorizationResponse(code="auth_grant", state="EEEE") response = authz_service.parse_response(resp1.to_urlencoded(), "urlencoded") authz_service.update_service_context(response, key='EEEE') resp2 = AccessTokenResponse(access_token="token1", token_type="Bearer", expires_in=0, state="EEEE") response = services['accesstoken'].parse_response( resp2.to_urlencoded(), "urlencoded") services['accesstoken'].update_service_context(response, key='EEEE') request = ResourceRequest() BearerBody().construct(request, service=authz_service, key="EEEE") assert "access_token" in request assert request["access_token"] == "token1"
def test_construct_refresh_token_request(self): auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') auth_response = AuthorizationResponse(code='access_code') token_response = AccessTokenResponse(refresh_token="refresh_with_me", access_token="access") _state = State(auth_response=auth_response.to_json(), auth_request=auth_request.to_json(), token_response=token_response.to_json()) self.client.state_db.set('ABCDE', _state.to_json()) req_args = {} msg = self.client.service['refresh_token'].construct( request_args=req_args, state='ABCDE') assert isinstance(msg, RefreshAccessTokenRequest) assert msg.to_dict() == { 'client_id': 'client_1', 'client_secret': 'abcdefghijklmnop', 'grant_type': 'refresh_token', 'refresh_token': 'refresh_with_me' }
def test_access_token_and_pkce(self): authz_service = self.service["authorization"] request = authz_service.construct_request({"state": 'state', "response_type": "code"}) _state = request['state'] auth_response = AuthorizationResponse(code='access code') authz_service.store_item(auth_response, 'auth_response', _state) token_service = self.service["accesstoken"] request = token_service.construct_request(state=_state) assert set(request.keys()) == {'client_id', 'redirect_uri', 'grant_type', 'client_secret', 'code_verifier', 'code', 'state'}
def services(): db = InMemoryStateDataBase() auth_request = AuthorizationRequest(redirect_uri="http://example.com", state='ABCDE').to_json() auth_response = AuthorizationResponse(access_token="token", state='ABCDE').to_json() db.set( 'ABCDE', State(iss='Issuer', auth_request=auth_request, auth_response=auth_response).to_json()) return init_services(DEFAULT_SERVICES, get_service_context(), db)
def test_allow_unsigned_idtoken(self, allow_sign_alg_none): req_args = { 'response_type': 'code', 'state': 'state', 'nonce': 'nonce' } self.service.endpoint = 'https://example.com/authorize' self.service.get_request_parameters(request_args=req_args) # Build an ID Token idt = JWT(ISS_KEY, iss=ISS, lifetime=3600, sign_alg='none') payload = {'sub': '123456789', 'aud': ['client_id']} _idt = idt.pack(payload) self.service.service_context.get('behaviour')["verify_args"] = { "allow_sign_alg_none": allow_sign_alg_none } resp = AuthorizationResponse(state='state', code='code', id_token=_idt) if allow_sign_alg_none: resp = self.service.parse_response(resp.to_urlencoded()) else: with pytest.raises(UnsupportedAlgorithm): self.service.parse_response(resp.to_urlencoded())
def test_response_mode_form_post(self): request = {"response_mode": "form_post"} info = { "response_args": AuthorizationResponse(foo="bar"), "return_uri": "https://example.com/cb", } info = self.endpoint.response_mode(request, **info) assert set(info.keys()) == {"response_args", "return_uri", "response_msg", "content_type", "response_placement"} assert info["response_msg"] == FORM_POST.format( action="https://example.com/cb", inputs='<input type="hidden" name="foo" value="bar"/>', )
def create_service(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } entity = Entity(config=client_config) self.token_service = entity.client_get("service", "accesstoken") auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') auth_response = AuthorizationResponse(code='access_code') _state = self.token_service.client_get("service_context").state _state.store_item(auth_request, 'auth_request', 'state') _state.store_item(auth_response, 'auth_response', 'state')
def create_service(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } entity = Entity(config=client_config) self.refresh_service = entity.client_get("service", 'refresh_token') auth_response = AuthorizationResponse(code='access_code') token_response = AccessTokenResponse(access_token='bearer_token', refresh_token='refresh') _state = self.refresh_service.client_get("service_context").state _state.store_item(auth_response, 'auth_response', 'abcdef') _state.store_item(token_response, 'token_response', 'abcdef') self.refresh_service.endpoint = 'https://example.com/token'
def create_service(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(config=client_config) self.service = service_factory('RefreshAccessToken', ['oauth2'], service_context=service_context) auth_response = AuthorizationResponse(code='access_code') token_response = AccessTokenResponse(access_token='bearer_token', refresh_token='refresh') self.service.store_item(auth_response, 'auth_response', 'abcdef') self.service.store_item(token_response, 'token_response', 'abcdef') self.service.endpoint = 'https://example.com/token'
def test_construct_with_request(self, entity): authz_service = entity.client_get("service", 'authorization') _cntx = authz_service.client_get("service_context") _key = _cntx.state.create_state(iss='Issuer') resp1 = AuthorizationResponse(code="auth_grant", state=_key) response = authz_service.parse_response(resp1.to_urlencoded(), "urlencoded") authz_service.update_service_context(response, key=_key) resp2 = AccessTokenResponse(access_token="token1", token_type="Bearer", expires_in=0, state=_key) _token_service = entity.client_get("service", 'accesstoken') response = _token_service.parse_response(resp2.to_urlencoded(), "urlencoded") _token_service.update_service_context(response, key=_key) request = ResourceRequest() BearerBody().construct(request, service=authz_service, key=_key) assert "access_token" in request assert request["access_token"] == "token1"
def create_service(self): client_config = { 'client_id': 'client_id', 'client_secret': 'a longesh password', 'redirect_uris': ['https://example.com/cli/authz_cb'] } service_context = ServiceContext(config=client_config) service_context.set('redirect_uris', ['https://example.com/cli/authz_cb']) self.service = service_factory('AccessToken', ['oauth2'], service_context=service_context) auth_request = AuthorizationRequest( redirect_uri='https://example.com/cli/authz_cb', state='state') auth_response = AuthorizationResponse(code='access_code') self.service.store_item(auth_request, 'auth_request', 'state') self.service.store_item(auth_response, 'auth_response', 'state')