def test_response_type_can_be_provided_in_url( token_cache, responses: RequestsMock, monkeypatch, browser_mock: BrowserMock ): monkeypatch.setattr(requests_auth.authentication.os, "urandom", lambda x: b"1" * 63) auth = requests_auth.OAuth2AuthorizationCodePKCE( "http://provide_code?response_type=my_code", "http://provide_access_token", response_type="not_used", ) tab = browser_mock.add_response( opened_url="http://provide_code?response_type=%5B%27my_code%27%5D&state=b32e05720bd3722e0ac87bf72897a78b669a0810adf8da46b675793dcfe0f41a40f7d7fdda952bd73ea533a2462907d805adf8c1a162d51b99b2ddec0d411feb&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&code_challenge=5C_ph_KZ3DstYUc965SiqmKAA-ShvKF4Ut7daKd3fjc&code_challenge_method=S256", reply_url="http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=b32e05720bd3722e0ac87bf72897a78b669a0810adf8da46b675793dcfe0f41a40f7d7fdda952bd73ea533a2462907d805adf8c1a162d51b99b2ddec0d411feb", ) responses.add( responses.POST, "http://provide_access_token", json={ "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "example", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter": "example_value", }, ) assert ( get_header(responses, auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA" ) assert ( get_request(responses, "http://provide_access_token/").body == "code_verifier=MTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTEx&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&response_type=my_code&code=SplxlOBeZQQYbYS6WxSbIA" ) tab.assert_success( "You are now authenticated on b32e05720bd3722e0ac87bf72897a78b669a0810adf8da46b675793dcfe0f41a40f7d7fdda952bd73ea533a2462907d805adf8c1a162d51b99b2ddec0d411feb. You may close this tab." )
def test_oauth2_pkce_and_multiple_authentication_can_be_combined( token_cache, responses: RequestsMock, browser_mock: BrowserMock, monkeypatch): monkeypatch.setattr(requests_auth.authentication.os, "urandom", lambda x: b"1" * 63) pkce_auth = requests_auth.OAuth2AuthorizationCodePKCE( "http://provide_code", "http://provide_access_token") tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&code_challenge=5C_ph_KZ3DstYUc965SiqmKAA-ShvKF4Ut7daKd3fjc&code_challenge_method=S256", reply_url= "http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de", ) responses.add( responses.POST, "http://provide_access_token", json={ "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "example", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter": "example_value", }, ) api_key_auth = requests_auth.HeaderApiKey("my_provided_api_key") api_key_auth2 = requests_auth.HeaderApiKey("my_provided_api_key2", header_name="X-Api-Key2") header = get_header(responses, pkce_auth + (api_key_auth + api_key_auth2)) assert header.get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA" assert header.get("X-Api-Key") == "my_provided_api_key" assert header.get("X-Api-Key2") == "my_provided_api_key2" tab.assert_success( "You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab." )
def test_nonce_is_sent_if_provided_in_authorization_url( token_cache, responses: RequestsMock, monkeypatch, browser_mock: BrowserMock ): monkeypatch.setattr(requests_auth.authentication.os, "urandom", lambda x: b"1" * 63) auth = requests_auth.OAuth2AuthorizationCodePKCE( "http://provide_code?nonce=123456", "http://provide_access_token" ) tab = browser_mock.add_response( opened_url="http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&nonce=%5B%27123456%27%5D&code_challenge=5C_ph_KZ3DstYUc965SiqmKAA-ShvKF4Ut7daKd3fjc&code_challenge_method=S256", reply_url="http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de", ) responses.add( responses.POST, "http://provide_access_token", json={ "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "example", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter": "example_value", }, ) assert ( get_header(responses, auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA" ) assert ( get_request(responses, "http://provide_access_token/").body == "code_verifier=MTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTEx&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&response_type=code&code=SplxlOBeZQQYbYS6WxSbIA" ) tab.assert_success( "You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab." )
def test_with_invalid_grant_request_invalid_request_error( token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth = requests_auth.OAuth2AuthorizationCode( "http://provide_code", "http://provide_access_token") tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url= "http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de", ) responses.add( responses.POST, "http://provide_access_token", json={"error": "invalid_request"}, status=400, ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get("http://authorized_only", auth=auth) assert ( str(exception_info.value) == "invalid_request: The request is missing a required parameter, includes an " "unsupported parameter value (other than grant type), repeats a parameter, " "includes multiple credentials, utilizes more than one mechanism for " "authenticating the client, or is otherwise malformed.") tab.assert_success( "You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab." )
def test_with_invalid_grant_request_invalid_scope_error( token_cache, responses: RequestsMock, monkeypatch, browser_mock: BrowserMock ): monkeypatch.setattr(requests_auth.authentication.os, "urandom", lambda x: b"1" * 63) auth = requests_auth.OAuth2AuthorizationCodePKCE( "http://provide_code?nonce=123456", "http://provide_access_token" ) tab = browser_mock.add_response( opened_url="http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&nonce=%5B%27123456%27%5D&code_challenge=5C_ph_KZ3DstYUc965SiqmKAA-ShvKF4Ut7daKd3fjc&code_challenge_method=S256", reply_url="http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de", ) responses.add( responses.POST, "http://provide_access_token", json={"error": "invalid_scope"}, status=400, ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get("http://authorized_only", auth=auth) assert ( str(exception_info.value) == "invalid_scope: The requested scope is invalid, unknown, malformed, or " "exceeds the scope granted by the resource owner." ) tab.assert_success( "You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab." )
def test_oauth2_implicit_flow_token_is_reused_if_only_nonce_differs( token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth1 = requests_auth.OAuth2Implicit( "http://provide_token?response_type=custom_token&nonce=1", token_field_name="custom_token", ) expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1) token = create_token(expiry_in_1_hour) tab = browser_mock.add_response( opened_url= "http://provide_token?response_type=custom_token&state=67b95d2c7555751d1d72c97c7cd9ad6630c8395e0eaa51ee86ac7e451211ded9cd98a7190848789fe93632d8960425710e93f1f5549c6c6bc328bf3865a85ff2&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&nonce=%5B%271%27%5D", reply_url="http://localhost:5000", data= f"custom_token={token}&state=67b95d2c7555751d1d72c97c7cd9ad6630c8395e0eaa51ee86ac7e451211ded9cd98a7190848789fe93632d8960425710e93f1f5549c6c6bc328bf3865a85ff2", ) assert get_header(responses, auth1).get("Authorization") == f"Bearer {token}" auth2 = requests_auth.OAuth2Implicit( "http://provide_token?response_type=custom_token&nonce=2", token_field_name="custom_token", ) response = requests.get("http://authorized_only", auth=auth2) # Return headers received on this dummy URL assert response.request.headers.get("Authorization") == f"Bearer {token}" tab.assert_success( "You are now authenticated on 67b95d2c7555751d1d72c97c7cd9ad6630c8395e0eaa51ee86ac7e451211ded9cd98a7190848789fe93632d8960425710e93f1f5549c6c6bc328bf3865a85ff2. You may close this tab." )
def test_with_invalid_grant_request_invalid_client_error( token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth = requests_auth.OAuth2AuthorizationCode( "http://provide_code", "http://provide_access_token") tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url= "http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de", ) responses.add( responses.POST, "http://provide_access_token", json={"error": "invalid_client"}, status=400, ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get("http://authorized_only", auth=auth) assert ( str(exception_info.value) == "invalid_client: Client authentication failed (e.g., unknown client, no " "client authentication included, or unsupported authentication method). The " "authorization server MAY return an HTTP 401 (Unauthorized) status code to " "indicate which HTTP authentication schemes are supported. If the client " 'attempted to authenticate via the "Authorization" request header field, the ' "authorization server MUST respond with an HTTP 401 (Unauthorized) status " 'code and include the "WWW-Authenticate" response header field matching the ' "authentication scheme used by the client.") tab.assert_success( "You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab." )
def test_with_invalid_grant_request_invalid_request_error_and_error_description_and_uri_and_other_fields( token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth = requests_auth.OAuth2AuthorizationCode( "http://provide_code", "http://provide_access_token") tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url= "http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de", ) responses.add( responses.POST, "http://provide_access_token", json={ "error": "invalid_request", "error_description": "desc of the error", "error_uri": "http://test_url", "other": "other info", }, status=400, ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get("http://authorized_only", auth=auth) assert ( str(exception_info.value) == "invalid_request: desc of the error\nMore information can be found on http://test_url\nAdditional information: {'other': 'other info'}" ) tab.assert_success( "You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab." )
def test_with_invalid_grant_request_invalid_grant_error( token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth = requests_auth.OAuth2AuthorizationCode( "http://provide_code", "http://provide_access_token") tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url= "http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de", ) responses.add( responses.POST, "http://provide_access_token", json={"error": "invalid_grant"}, status=400, ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get("http://authorized_only", auth=auth) assert ( str(exception_info.value) == "invalid_grant: The provided authorization grant (e.g., authorization code, " "resource owner credentials) or refresh token is invalid, expired, revoked, " "does not match the redirection URI used in the authorization request, or was " "issued to another client.") tab.assert_success( "You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab." )
def test_oauth2_authorization_code_flow_get_code_is_sent_in_authorization_header_by_default( token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth = requests_auth.OAuth2AuthorizationCode( "http://provide_code", "http://provide_access_token") tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url= "http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de", ) responses.add( responses.POST, "http://provide_access_token", json={ "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "example", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter": "example_value", }, ) assert (get_header( responses, auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA") assert ( get_request(responses, "http://provide_access_token/").body == "grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&response_type=code&code=SplxlOBeZQQYbYS6WxSbIA" ) tab.assert_success( "You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab." )
def test_with_invalid_grant_request_invalid_scope_error( token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth = requests_auth.OAuth2AuthorizationCode( "http://provide_code", "http://provide_access_token") tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url= "http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de", ) responses.add( responses.POST, "http://provide_access_token", json={"error": "invalid_scope"}, status=400, ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get("http://authorized_only", auth=auth) assert ( str(exception_info.value) == "invalid_scope: The requested scope is invalid, unknown, malformed, or " "exceeds the scope granted by the resource owner.") tab.assert_success( "You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab." )
def test_empty_token_is_invalid(token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth = requests_auth.OAuth2AuthorizationCode( "http://provide_code", "http://provide_access_token") tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url= "http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de", ) responses.add( responses.POST, "http://provide_access_token", json={ "access_token": "", "token_type": "example", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter": "example_value", }, ) with pytest.raises(requests_auth.GrantNotProvided) as exception_info: requests.get("http://authorized_only", auth=auth) assert ( str(exception_info.value) == "access_token not provided within {'access_token': '', 'token_type': 'example', 'expires_in': 3600, 'refresh_token': 'tGzv3JOkF0XG5Qx2TlKWIA', 'example_parameter': 'example_value'}." ) tab.assert_success( "You are now authenticated on 163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de. You may close this tab." )
def test_response_type_can_be_provided_in_url(token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth = requests_auth.OAuth2AuthorizationCode( "http://provide_code?response_type=my_code", "http://provide_access_token", response_type="not_used", ) tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=my_code&state=49b67a19e70f692c3fc09dd124e5782b41a86f4f4931e1cc938ccbb466eecf1b730edb9eb01e42005de77ce3dd5a016418f8e780f30c4477d71102fe03e39e62&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url= "http://localhost:5000#code=SplxlOBeZQQYbYS6WxSbIA&state=49b67a19e70f692c3fc09dd124e5782b41a86f4f4931e1cc938ccbb466eecf1b730edb9eb01e42005de77ce3dd5a016418f8e780f30c4477d71102fe03e39e62", ) responses.add( responses.POST, "http://provide_access_token", json={ "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "example", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter": "example_value", }, ) assert (get_header( responses, auth).get("Authorization") == "Bearer 2YotnFZFEjr1zCsicMWpAA") assert ( get_request(responses, "http://provide_access_token/").body == "grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&code=SplxlOBeZQQYbYS6WxSbIA" ) tab.assert_success( "You are now authenticated on 49b67a19e70f692c3fc09dd124e5782b41a86f4f4931e1cc938ccbb466eecf1b730edb9eb01e42005de77ce3dd5a016418f8e780f30c4477d71102fe03e39e62. You may close this tab." )
def test_oauth2_implicit_flow_failure_if_token_is_not_received_within_the_timeout_interval( token_cache, browser_mock: BrowserMock): browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", # Simulate no redirect reply_url=None, ) with pytest.raises(requests_auth.TimeoutOccurred) as exception_info: requests.get( "http://authorized_only", auth=requests_auth.OAuth2Implicit("http://provide_token", timeout=0.1), ) assert (str(exception_info.value) == "User authentication was not received within 0.1 seconds.")
def test_oauth2_implicit_flow_token_is_not_reused_if_a_url_parameter_is_changing( token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth1 = requests_auth.OAuth2Implicit( "http://provide_token?response_type=custom_token&fake_param=1", token_field_name="custom_token", ) expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1) first_token = create_token(expiry_in_1_hour) tab1 = browser_mock.add_response( opened_url= "http://provide_token?response_type=custom_token&fake_param=1&state=5652a8138e3a99dab7b94532c73ed5b10f19405316035d1efdc8bf7e0713690485254c2eaff912040eac44031889ef0a5ed5730c8a111541120d64a898c31afe&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000", data= f"custom_token={first_token}&state=5652a8138e3a99dab7b94532c73ed5b10f19405316035d1efdc8bf7e0713690485254c2eaff912040eac44031889ef0a5ed5730c8a111541120d64a898c31afe", ) assert get_header(responses, auth1).get("Authorization") == f"Bearer {first_token}" # Ensure that the new token is different than previous one expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta( hours=1, seconds=1) auth2 = requests_auth.OAuth2Implicit( "http://provide_token?response_type=custom_token&fake_param=2", token_field_name="custom_token", ) second_token = create_token(expiry_in_1_hour) tab2 = browser_mock.add_response( opened_url= "http://provide_token?response_type=custom_token&fake_param=2&state=5c3940ccf78ac6e7d6d8d06782d9fd95a533aa5425b616eaa38dc3ec9508fbd55152c58a0d8dd8a087e76b77902559285819a41cb78ce8713e5a3b974bf07ce9&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000", data= f"custom_token={second_token}&state=5c3940ccf78ac6e7d6d8d06782d9fd95a533aa5425b616eaa38dc3ec9508fbd55152c58a0d8dd8a087e76b77902559285819a41cb78ce8713e5a3b974bf07ce9", ) response = requests.get("http://authorized_only", auth=auth2) # Return headers received on this dummy URL assert response.request.headers.get( "Authorization") == f"Bearer {second_token}" tab1.assert_success( "You are now authenticated on 5652a8138e3a99dab7b94532c73ed5b10f19405316035d1efdc8bf7e0713690485254c2eaff912040eac44031889ef0a5ed5730c8a111541120d64a898c31afe. You may close this tab." ) tab2.assert_success( "You are now authenticated on 5c3940ccf78ac6e7d6d8d06782d9fd95a533aa5425b616eaa38dc3ec9508fbd55152c58a0d8dd8a087e76b77902559285819a41cb78ce8713e5a3b974bf07ce9. You may close this tab." )
def test_oauth2_implicit_flow_token_is_requested_again_if_expired( token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth = requests_auth.OAuth2Implicit("http://provide_token") # This token will expires in 100 milliseconds expiry_in_1_second = datetime.datetime.utcnow() + datetime.timedelta( milliseconds=100) first_token = create_token(expiry_in_1_second) tab1 = browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000", data= f"access_token={first_token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521", ) assert get_header(responses, auth).get("Authorization") == f"Bearer {first_token}" # Wait to ensure that the token will be considered as expired time.sleep(0.2) # Token should now be expired, a new one should be requested expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1) second_token = create_token(expiry_in_1_hour) tab2 = browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000", data= f"access_token={second_token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521", ) response = requests.get("http://authorized_only", auth=auth) # Return headers received on this dummy URL assert response.request.headers.get( "Authorization") == f"Bearer {second_token}" tab1.assert_success( "You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab." ) tab2.assert_success( "You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab." )
def test_with_invalid_token_request_invalid_request_error_and_error_description( token_cache, browser_mock: BrowserMock): auth = requests_auth.OAuth2AuthorizationCode( "http://provide_code", "http://provide_access_token") tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url= "http://localhost:5000#error=invalid_request&error_description=desc", ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get("http://authorized_only", auth=auth) assert str(exception_info.value) == "invalid_request: desc" tab.assert_failure( "Unable to properly perform authentication: invalid_request: desc")
def test_state_change(token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth = requests_auth.OAuth2Implicit("http://provide_token") expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1) token = create_token(expiry_in_1_hour) tab = browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000", data=f"access_token={token}&state=123456", ) assert get_header(responses, auth).get("Authorization") == f"Bearer {token}" tab.assert_success( "You are now authenticated on 123456. You may close this tab.")
def test_oauth2_implicit_flow_get_failure_if_token_is_not_provided( token_cache, browser_mock: BrowserMock): tab = browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000", ) with pytest.raises(Exception) as exception_info: requests.get( "http://authorized_only", auth=requests_auth.OAuth2Implicit("http://provide_token"), ) assert str(exception_info.value) == "access_token not provided within {}." tab.assert_failure( "Unable to properly perform authentication: access_token not provided within {}." )
def test_with_invalid_token_request_invalid_request_error_and_error_description( token_cache, browser_mock: BrowserMock): tab = browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url= "http://localhost:5000#error=invalid_request&error_description=desc", ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get( "http://authorized_only", auth=requests_auth.OAuth2Implicit("http://provide_token"), ) assert str(exception_info.value) == "invalid_request: desc" tab.assert_failure( "Unable to properly perform authentication: invalid_request: desc")
def test_empty_token_is_invalid(token_cache, browser_mock: BrowserMock): tab = browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000", data= f"access_token=&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521", ) with pytest.raises(requests_auth.InvalidToken) as exception_info: requests.get( "http://authorized_only", auth=requests_auth.OAuth2Implicit("http://provide_token"), ) assert str(exception_info.value) == " is invalid." tab.assert_success( "You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab." )
def test_with_invalid_token_request_invalid_request_error_and_error_description( token_cache, responses: RequestsMock, monkeypatch, browser_mock: BrowserMock ): monkeypatch.setattr(requests_auth.authentication.os, "urandom", lambda x: b"1" * 63) auth = requests_auth.OAuth2AuthorizationCodePKCE( "http://provide_code", "http://provide_access_token" ) tab = browser_mock.add_response( opened_url="http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&code_challenge=5C_ph_KZ3DstYUc965SiqmKAA-ShvKF4Ut7daKd3fjc&code_challenge_method=S256", reply_url="http://localhost:5000#error=invalid_request&error_description=desc", ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get("http://authorized_only", auth=auth) assert str(exception_info.value) == "invalid_request: desc" tab.assert_failure( "Unable to properly perform authentication: invalid_request: desc" )
def test_with_invalid_token_request_temporarily_unavailable_error( token_cache, browser_mock: BrowserMock): auth = requests_auth.OAuth2AuthorizationCode( "http://provide_code", "http://provide_access_token") tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000#error=temporarily_unavailable", ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get("http://authorized_only", auth=auth) assert ( str(exception_info.value) == "temporarily_unavailable: The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (This error code is needed because a 503 Service Unavailable HTTP status code cannot be returned to the client via an HTTP redirect.)" ) tab.assert_failure( "Unable to properly perform authentication: temporarily_unavailable: The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (This error code is needed because a 503 Service Unavailable HTTP status code cannot be returned to the client via an HTTP redirect.)" )
def test_with_invalid_token_request_server_error_error( token_cache, browser_mock: BrowserMock): auth = requests_auth.OAuth2AuthorizationCode( "http://provide_code", "http://provide_access_token") tab = browser_mock.add_response( opened_url= "http://provide_code?response_type=code&state=163f0455b3e9cad3ca04254e5a0169553100d3aa0756c7964d897da316a695ffed5b4f46ef305094fd0a88cfe4b55ff257652015e4aa8f87b97513dba440f8de&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000#error=server_error", ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get("http://authorized_only", auth=auth) assert ( str(exception_info.value) == "server_error: The authorization server encountered an unexpected condition that prevented it from fulfilling the request. (This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via an HTTP redirect.)" ) tab.assert_failure( "Unable to properly perform authentication: server_error: The authorization server encountered an unexpected condition that prevented it from fulfilling the request. (This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via an HTTP redirect.)" )
def test_oauth2_implicit_flow_expects_token_in_id_token_if_response_type_in_url_is_id_token( token_cache, responses: RequestsMock, browser_mock: BrowserMock): auth = requests_auth.OAuth2Implicit( "http://provide_token?response_type=id_token") expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1) token = create_token(expiry_in_1_hour) tab = browser_mock.add_response( opened_url= "http://provide_token?response_type=id_token&state=87c4108ec0eb03599335333a40434a36674269690b6957fef684bfb6c5a849ce660ef7031aa874c44d67cd3eada8febdfce41efb1ed3bc53a0a7e716cbba025a&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000", data= f"id_token={token}&state=87c4108ec0eb03599335333a40434a36674269690b6957fef684bfb6c5a849ce660ef7031aa874c44d67cd3eada8febdfce41efb1ed3bc53a0a7e716cbba025a", ) assert get_header(responses, auth).get("Authorization") == f"Bearer {token}" tab.assert_success( "You are now authenticated on 87c4108ec0eb03599335333a40434a36674269690b6957fef684bfb6c5a849ce660ef7031aa874c44d67cd3eada8febdfce41efb1ed3bc53a0a7e716cbba025a. You may close this tab." )
def test_with_invalid_token_request_unsupported_response_type_error( token_cache, browser_mock: BrowserMock): tab = browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000#error=unsupported_response_type", ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get( "http://authorized_only", auth=requests_auth.OAuth2Implicit("http://provide_token"), ) assert ( str(exception_info.value) == "unsupported_response_type: The authorization server does not support obtaining an authorization code or an access token using this method." ) tab.assert_failure( "Unable to properly perform authentication: unsupported_response_type: The authorization server does not support obtaining an authorization code or an access token using this method." )
def test_with_invalid_token_request_server_error_error( token_cache, browser_mock: BrowserMock): tab = browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000#error=server_error", ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get( "http://authorized_only", auth=requests_auth.OAuth2Implicit("http://provide_token"), ) assert ( str(exception_info.value) == "server_error: The authorization server encountered an unexpected condition that prevented it from fulfilling the request. (This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via an HTTP redirect.)" ) tab.assert_failure( "Unable to properly perform authentication: server_error: The authorization server encountered an unexpected condition that prevented it from fulfilling the request. (This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via an HTTP redirect.)" )
def test_with_invalid_token_request_temporarily_unavailable_error( token_cache, browser_mock: BrowserMock): tab = browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000#error=temporarily_unavailable", ) with pytest.raises(requests_auth.InvalidGrantRequest) as exception_info: requests.get( "http://authorized_only", auth=requests_auth.OAuth2Implicit("http://provide_token"), ) assert ( str(exception_info.value) == "temporarily_unavailable: The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (This error code is needed because a 503 Service Unavailable HTTP status code cannot be returned to the client via an HTTP redirect.)" ) tab.assert_failure( "Unable to properly perform authentication: temporarily_unavailable: The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (This error code is needed because a 503 Service Unavailable HTTP status code cannot be returned to the client via an HTTP redirect.)" )
def test_oauth2_implicit_flow_token_can_be_requested_on_a_custom_server_port( token_cache, responses: RequestsMock, browser_mock: BrowserMock): # TODO Should use a method to retrieve a free port instead available_port = 5002 auth = requests_auth.OAuth2Implicit("http://provide_token", redirect_uri_port=available_port) expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1) token = create_token(expiry_in_1_hour) tab = browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5002%2F", reply_url="http://localhost:5002", data= f"access_token={token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521", ) assert get_header(responses, auth).get("Authorization") == f"Bearer {token}" tab.assert_success( "You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab." )
def test_oauth2_implicit_flow_post_failure_if_state_is_not_provided( token_cache, browser_mock: BrowserMock): expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1) token = create_token(expiry_in_1_hour) tab = browser_mock.add_response( opened_url= "http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F", reply_url="http://localhost:5000", data=f"access_token={token}", ) with pytest.raises(requests_auth.StateNotProvided) as exception_info: requests.get( "http://authorized_only", auth=requests_auth.OAuth2Implicit("http://provide_token"), ) assert (str(exception_info.value) == f"state not provided within {{'access_token': ['{token}']}}.") tab.assert_failure( f"Unable to properly perform authentication: state not provided within {{'access_token': ['{token}']}}." )