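def test_access_and_id_token_by_reference(self, httpserver):
    """Fetch the token response by session ``state`` and check the ID token is verified.

    The ID token is built from the session's own ``nonce``, ``iss`` and
    ``client_id`` (as ``aud``) so it satisfies the RP's binding checks, and is
    signed with HS256 using the client's symmetric ('oct') key, so no issuer
    JWKS has to be imported for signature verification in this variant.
    """
    res = self.rph.begin(issuer_id='github')
    _session = self.rph.get_session_information(res['state'])
    client = self.rph.issuer2rp[_session['iss']]

    # Claims mirror what the RP stored for this session; anything else
    # would make the ID token fail validation in get_access_and_id_token().
    idval = {
        'nonce': _session['auth_request']['nonce'],
        'sub': 'EndUserSubject',
        'iss': _session['iss'],
        'aud': client.client_id,
    }
    _signed_jwt = IdToken(**idval).to_jwt(
        key=client.service_context.keyjar.get_signing_key('oct'),
        algorithm="HS256", lifetime=300)

    _info = {
        "access_token": "accessTok",
        "id_token": _signed_jwt,
        "token_type": "Bearer",
        "expires_in": 3600,
    }
    at = AccessTokenResponse(**_info)
    # Serve the token response with an explicit JSON Content-Type, as the
    # other token-endpoint tests in this file do, instead of relying on the
    # local server's default body type.
    httpserver.serve_content(at.to_json(),
                             headers={'Content-Type': 'application/json'})
    client.service['accesstoken'].endpoint = httpserver.url

    # The state value ties this response to the session begin() created.
    _response = AuthorizationResponse(code='access_code', state=res['state'])
    # Return value not needed: finalize_auth() records the response in the
    # session state, which the by-state lookup below presumably reads.
    self.rph.finalize_auth(client, _session['iss'], _response.to_dict())

    resp = self.rph.get_access_and_id_token(state=res['state'])
    assert resp['access_token'] == 'accessTok'
    # A parsed IdToken, rather than the raw signed string, is what callers get.
    assert isinstance(resp['id_token'], IdToken)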
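def test_get_access_token(self):
    """Exchange the code for tokens via a mocked token endpoint and check what is stored.

    The issuer's JWKS is imported into the client keyjar first so the
    RS256-signed ID token can be verified; nonce/iss/aud are copied from the
    session so they match what the RP expects. Both the returned response and
    the copy stored under the session state must carry the verified-ID-token
    and expiry bookkeeping keys.
    """
    res = self.rph.begin(issuer_id='github')
    _session = self.rph.get_session_information(res['state'])
    client = self.rph.issuer2rp[_session['iss']]

    _github_id = iss_id('github')
    client.service_context.keyjar.import_jwks(
        GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)

    idval = {
        'nonce': _session['auth_request']['nonce'],
        'sub': 'EndUserSubject',
        'iss': _session['iss'],
        'aud': client.client_id,
    }
    _signed_jwt = IdToken(**idval).to_jwt(
        key=GITHUB_KEY.get_signing_key(issuer_id=_github_id),
        algorithm="RS256", lifetime=300)
    _info = {
        "access_token": "accessTok",
        "id_token": _signed_jwt,
        "token_type": "Bearer",
        "expires_in": 3600,
    }
    at = AccessTokenResponse(**_info)

    # Keys the RP adds on top of what the OP returned.
    expected_keys = {
        'access_token', 'expires_in', 'id_token', 'token_type',
        '__verified_id_token', '__expires_at',
    }

    _url = "https://github.com/token"
    with responses.RequestsMock() as rsps:
        rsps.add("POST", _url, body=at.to_json(),
                 adding_headers={"Content-Type": "application/json"},
                 status=200)
        client.service['accesstoken'].endpoint = _url

        auth_response = AuthorizationResponse(code='access_code',
                                              state=res['state'])
        # Only the side effect (response stored in session state) matters;
        # don't reuse ``resp`` for two different values.
        self.rph.finalize_auth(client, _session['iss'],
                               auth_response.to_dict())

        resp = self.rph.get_access_token(res['state'], client)
        assert set(resp.keys()) == expected_keys

        atresp = client.service['accesstoken'].get_item(
            AccessTokenResponse, 'token_response', res['state'])
        assert set(atresp.keys()) == expected_keys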
def rphandler_setup(self, httpserver):
    """Build an RPHandler and drive one full GitHub code flow against ``httpserver``.

    When this returns, ``self.rph`` holds a handler whose session for
    ``self.state`` has an authorization response, a token response (including
    a refresh token) and a userinfo response behind it.
    """
    self.rph = RPHandler(base_url=BASE_URL, client_configs=CLIENT_CONFIG,
                         keyjar=CLI_KEY)
    begun = self.rph.begin(issuer_id='github')
    state = begun['state']
    session = self.rph.get_session_information(state)
    issuer = session['iss']
    client = self.rph.issuer2rp[issuer]

    # nonce/iss/aud are taken from the session so the RP's ID token
    # checks accept the token served below.
    claims = {
        'nonce': session['auth_request']['nonce'],
        'sub': 'EndUserSubject',
        'iss': issuer,
        'aud': client.client_id,
    }

    # The client needs the issuer's public keys to verify the RS256 signature.
    github_id = iss_id('github')
    client.service_context.keyjar.import_jwks(
        GITHUB_KEY.export_jwks(issuer=github_id), github_id)
    signed_id_token = IdToken(**claims).to_jwt(
        key=GITHUB_KEY.get_signing_key('rsa', owner=github_id),
        algorithm="RS256", lifetime=300)

    token_response = AccessTokenResponse(
        access_token="accessTok",
        id_token=signed_id_token,
        token_type="Bearer",
        expires_in=3600,
        refresh_token='refreshing',
    )
    httpserver.serve_content(token_response.to_json(),
                             headers={'Content-Type': 'application/json'})
    client.service['accesstoken'].endpoint = httpserver.url

    incoming = AuthorizationResponse(code='access_code', state=state)
    auth_response = self.rph.finalize_auth(client, issuer, incoming.to_dict())
    token_resp = self.rph.get_access_and_id_token(auth_response, client=client)

    # Re-point the same local server at the userinfo endpoint and fetch
    # claims with the access token just obtained.
    httpserver.serve_content('{"sub":"EndUserSubject"}',
                             headers={'Content-Type': 'application/json'})
    client.service['userinfo'].endpoint = httpserver.url
    self.rph.get_user_info(state, client, token_resp['access_token'])

    self.state = state
def test_access_and_id_token_by_reference(self):
    """Look up the token response by ``state`` on a fresh handler and check the ID token parses.

    Uses the ``client_get`` accessor style for the service context and
    services, an RS256 ID token signed with the GitHub test key (whose JWKS
    is imported into the client first), and a ``responses`` mock for the
    token endpoint.
    """
    rph_1 = RPHandler(BASE_URL, client_configs=CLIENT_CONFIG, keyjar=CLI_KEY,
                      module_dirs=['oidc'])
    begun = rph_1.begin(issuer_id='github')
    state = begun['state']
    session = rph_1.get_session_information(state)
    issuer = session['iss']
    client = rph_1.issuer2rp[issuer]
    context = client.client_get("service_context")

    # Without the issuer's public keys the RS256 signature cannot be verified.
    github_id = iss_id('github')
    context.keyjar.import_jwks(
        GITHUB_KEY.export_jwks(issuer_id=github_id), github_id)

    # Claims bound to this session: nonce from the request, client_id as aud.
    claims = {
        'nonce': session['auth_request']['nonce'],
        'sub': 'EndUserSubject',
        'iss': issuer,
        'aud': context.client_id,
    }
    signed_id_token = IdToken(**claims).to_jwt(
        key=GITHUB_KEY.get_signing_key('rsa', issuer_id=github_id),
        algorithm="RS256", lifetime=300)
    token_response = AccessTokenResponse(
        access_token="accessTok",
        id_token=signed_id_token,
        token_type="Bearer",
        expires_in=3600,
    )

    token_url = "https://github.com/token"
    with responses.RequestsMock() as mocked:
        mocked.add("POST", token_url, body=token_response.to_json(),
                   adding_headers={"Content-Type": "application/json"},
                   status=200)
        client.client_get("service", 'accesstoken').endpoint = token_url

        incoming = AuthorizationResponse(code='access_code', state=state)
        _ = rph_1.finalize_auth(client, issuer, incoming.to_dict())

        resp = rph_1.get_access_and_id_token(state=state)
        assert resp['access_token'] == 'accessTok'
        assert isinstance(resp['id_token'], IdToken)
def test_finalize_auth(self):
    """finalize_auth() returns the code response and stores it under the session state."""
    begun = self.rph.begin(issuer_id='linkedin')
    state = begun['state']
    session = self.rph.get_session_information(state)
    issuer = session['iss']
    client = self.rph.issuer2rp[issuer]

    # The state value is what links this response back to the session.
    incoming = AuthorizationResponse(code='access_code', state=state)
    resp = self.rph.finalize_auth(client, issuer, incoming.to_dict())
    # Nothing beyond what the OP sent should appear in the returned response.
    assert set(resp.keys()) == {'state', 'code'}

    stored = client.service['authorization'].get_item(
        AuthorizationResponse, 'auth_response', state)
    assert set(stored.keys()) == {'state', 'code'}
def test_finalize(self):
    """Run the code flow end to end against the mock OP and check finalize()'s result keys."""
    auth_query = self.rph.begin(issuer_id='github')
    state = auth_query['state']
    provider_info = CLIENT_CONFIG['github']['provider_info']

    # The mock OP answers the authorization request with a redirect,
    # standing in for the user authenticating there.
    client = self.rph.get_client_from_session_key(state=state)
    authz_path = urlparse(provider_info['authorization_endpoint']).path
    self.mock_op.register_get_response(authz_path, 'Redirect', 302)
    _ = client.http(auth_query['url'])

    # The user comes back to the RP with a code bound to our state.
    auth_response = AuthorizationResponse(code='access_code', state=state)
    session = self.rph.get_session_information(state)
    client = self.rph.get_client_from_session_key(state=state)

    # Faked token response; the ID token inside carries the session nonce.
    token_response = construct_access_token_response(
        session['auth_request']['nonce'],
        issuer=self.issuer,
        client_id=CLIENT_CONFIG['github']['client_id'],
        key_jar=GITHUB_KEY)
    token_path = urlparse(provider_info['token_endpoint']).path
    self.mock_op.register_post_response(
        token_path, token_response.to_json(), 200,
        {'content-type': "application/json"})

    claims = OpenIDSchema(sub='EndUserSubject', given_name='Diana',
                          family_name='Krall', occupation='Jazz pianist')
    userinfo_path = urlparse(provider_info['userinfo_endpoint']).path
    self.mock_op.register_get_response(
        userinfo_path, claims.to_json(), 200,
        {'content-type': "application/json"})

    # The client needs the OP's public keys to verify the ID token signature.
    github_id = iss_id('github')
    client.service_context.keyjar.import_jwks(
        GITHUB_KEY.export_jwks(issuer_id=github_id), github_id)

    # Code flow: finalize() exchanges the code and then fetches userinfo.
    resp = self.rph.finalize(session['iss'], auth_response.to_dict())
    assert set(resp.keys()) == {'userinfo', 'state', 'token', 'id_token'}
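def test_get_access_token(self, httpserver):
    """Exchange the code at a local token endpoint and check what the RP returns and stores.

    The ID token is HS256-signed with the client's own symmetric ('oct')
    key, so no issuer JWKS import is needed in this variant; nonce/iss/aud
    are copied from the session so they match the RP's checks. The returned
    response and the stored copy must both carry the verified-ID-token and
    expiry bookkeeping keys.
    """
    res = self.rph.begin(issuer_id='github')
    _session = self.rph.get_session_information(res['state'])
    client = self.rph.issuer2rp[_session['iss']]

    idval = {
        'nonce': _session['auth_request']['nonce'],
        'sub': 'EndUserSubject',
        'iss': _session['iss'],
        'aud': client.client_id,
    }
    _signed_jwt = IdToken(**idval).to_jwt(
        key=client.service_context.keyjar.get_signing_key('oct'),
        algorithm="HS256", lifetime=300)
    _info = {
        "access_token": "accessTok",
        "id_token": _signed_jwt,
        "token_type": "Bearer",
        "expires_in": 3600,
    }
    at = AccessTokenResponse(**_info)
    httpserver.serve_content(at.to_json(),
                             headers={'Content-Type': 'application/json'})
    client.service['accesstoken'].endpoint = httpserver.url

    auth_response = AuthorizationResponse(code='access_code', state=res['state'])
    # Only the side effect (response stored in session state) matters;
    # don't reuse ``resp`` for two different values.
    self.rph.finalize_auth(client, _session['iss'], auth_response.to_dict())

    # Keys the RP adds on top of what the OP returned.
    expected_keys = {
        'access_token', 'expires_in', 'id_token', 'token_type',
        '__verified_id_token', '__expires_at',
    }
    resp = self.rph.get_access_token(res['state'], client)
    assert set(resp.keys()) == expected_keys

    atresp = client.service['accesstoken'].get_item(
        AccessTokenResponse, 'token_response', res['state'])
    assert set(atresp.keys()) == expected_keys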
def test_finalize_auth(self):
    """finalize_auth() on a fresh handler returns the code response and stores it in session state."""
    rph_1 = RPHandler(BASE_URL, client_configs=CLIENT_CONFIG, keyjar=CLI_KEY,
                      module_dirs=['oidc'])
    begun = rph_1.begin(issuer_id='linkedin')
    state = begun['state']
    session = rph_1.get_session_information(state)
    issuer = session['iss']
    client = rph_1.issuer2rp[issuer]

    # The state value is what links this response back to the session.
    incoming = AuthorizationResponse(code='access_code', state=state)
    resp = rph_1.finalize_auth(client, issuer, incoming.to_dict())
    assert set(resp.keys()) == {'state', 'code'}

    # The stored copy lives in the state store of the authorization
    # service's context.
    authz_service = client.client_get("service", 'authorization')
    state_store = authz_service.client_get("service_context").state
    stored = state_store.get_item(AuthorizationResponse, 'auth_response', state)
    assert set(stored.keys()) == {'state', 'code'}
def test_finalize(self):
    """Run the code flow through finalize() and check the keys it returns."""
    auth_query = self.rph.begin(issuer_id='github')
    state = auth_query['state']

    # Send the authorization request; the user is assumed to authenticate.
    client = self.rph.get_client_from_session_key(state=state)
    _ = client.http(auth_query['url'])

    # The user comes back to the RP with a code bound to our state.
    auth_response = AuthorizationResponse(code='access_code', state=state)
    session = self.rph.get_session_information(state)
    client = self.rph.get_client_from_session_key(state=state)

    # Faking: hand the handler's HTTP layer the client's keyjar (presumably
    # so the fake OP's responses are signed with keys the client trusts).
    self.rph.httplib.keyjar = client.service_context.keyjar

    # Code flow: finalize() exchanges the code and then fetches userinfo.
    resp = self.rph.finalize(session['iss'], auth_response.to_dict())
    assert set(resp.keys()) == {'userinfo', 'state', 'token'}