def test_no_key_raises_invalid_token(rf):
    """
    Validation must fail closed when no verification key is available.

    With no key at all, the validator is expected to raise
    InvalidTokenSignature rather than accept the token unverified.
    """
    id_token = build_id_token()
    config = Config()
    # _jwks is stubbed to return None, i.e. there is nothing to verify with.
    jwks_stub = Mock(return_value=None)

    with patch("okta_oauth2.tokens.TokenValidator._jwks", jwks_stub):
        with pytest.raises(InvalidTokenSignature):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_wrong_key_raises_invalid_token(rf):
    """
    A token checked against the wrong key must be rejected.

    When the key handed to the validator is not the right one for the
    token, validation should raise InvalidTokenSignature.
    """
    id_token = build_id_token()
    config = Config()
    # _jwks is stubbed to hand back a key that is wrong for this token.
    jwks_stub = Mock(return_value="wrongkey")

    with patch("okta_oauth2.tokens.TokenValidator._jwks", jwks_stub):
        with pytest.raises(InvalidTokenSignature):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_unmatching_nonce_raises_error(rf):
    """
    A token carrying a different nonce than expected must be rejected.

    The token is built with "wrong-nonce" while the validator is given
    "defaultnonce", so validation should raise NonceDoesNotMatch.
    """
    id_token = build_id_token(nonce="wrong-nonce")
    config = Config()
    # The key is valid here, so only the nonce check can reject the token.
    jwks_stub = Mock(return_value="secret")

    with patch("okta_oauth2.tokens.TokenValidator._jwks", jwks_stub):
        with pytest.raises(NonceDoesNotMatch):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_expired_token_raises_error(rf):
    """
    A token whose expiry lies in the past must raise TokenExpired.
    """
    # Expiry is set 3600 seconds (one hour) before the current time.
    expired_at = now().timestamp() - 3600
    id_token = build_id_token(exp=expired_at)
    config = Config()
    jwks_stub = Mock(return_value="secret")

    with patch("okta_oauth2.tokens.TokenValidator._jwks", jwks_stub):
        with pytest.raises(TokenExpired):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_invalid_audience_in_decoded_token(rf):
    """
    A token issued for a different audience must raise InvalidClientID.

    The audience claim is expected to match our client id; a token with
    any other audience was not meant for this application.
    """
    id_token = build_id_token(aud="invalid-aud")
    config = Config()
    # The key is valid here, so only the audience check can reject the token.
    jwks_stub = Mock(return_value="secret")

    with patch("okta_oauth2.tokens.TokenValidator._jwks", jwks_stub):
        with pytest.raises(InvalidClientID):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_invalid_issuer_in_decoded_token(rf):
    """
    A token from an unexpected issuer must raise IssuerDoesNotMatch.
    """
    id_token = build_id_token(iss="invalid-issuer")
    config = Config()
    # The key is valid here, so only the issuer check can reject the token.
    jwks_stub = Mock(return_value="secret")

    with patch("okta_oauth2.tokens.TokenValidator._jwks", jwks_stub):
        with pytest.raises(IssuerDoesNotMatch):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_issue_time_is_too_far_in_the_past_raises_error(rf):
    """
    A token issued too long ago must raise TokenTooFarAway.

    The limit is described as roughly 24 hours; the exact threshold is
    enforced by the validator and is not asserted here.
    """
    # 200000 seconds is a little over 55 hours, well beyond a 24 hour limit.
    issued_at = now().timestamp() - 200000
    id_token = build_id_token(iat=issued_at)
    config = Config()
    jwks_stub = Mock(return_value="secret")

    with patch("okta_oauth2.tokens.TokenValidator._jwks", jwks_stub):
        with pytest.raises(TokenTooFarAway):
            validator = TokenValidator(config, "defaultnonce", rf.get("/"))
            validator.validate_token(id_token)
def test_validate_token_successfully_validates(rf):
    """
    A valid token should be accepted and returned in decoded form.
    """
    id_token = build_id_token()
    config = Config()
    jwks_stub = Mock(return_value="secret")

    with patch("okta_oauth2.tokens.TokenValidator._jwks", jwks_stub):
        validator = TokenValidator(config, "defaultnonce", rf.get("/"))
        claims = validator.validate_token(id_token)

    # Only the jti claim is checked as evidence that decoding succeeded.
    assert claims["jti"] == "randomid"