def test_auth_flow_denied(provider_fixture):
app = provider_fixture
with app.test_request_context():
redirect_uri = url_for('oauth2test.authorized', _external=True)
with app.test_client() as client:
# First login on provider site
login(client)
r = client.get(url_for('oauth2test.login'))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
# Authorize page
r = client.get(next_url, query_string=data)
assert r.status_code == 200
# User rejects request
data['confirm'] = 'no'
data['scope'] = 'test:scope'
data['state'] = ''
r = client.post(next_url, data=data)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert next_url == redirect_uri
assert data.get('error') == 'access_denied'
# Returned
r = client.get(next_url, query_string=data)
assert r.status_code == 200
assert r.data == b'Access denied: error=access_denied'
def test_auth_flow_denied(provider_fixture):
app = provider_fixture
with app.test_request_context():
redirect_uri = url_for('oauth2test.authorized', _external=True)
with app.test_client() as client:
# First login on provider site
login(client)
r = client.get(url_for('oauth2test.login'))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
# Authorize page
r = client.get(next_url, query_string=data)
assert r.status_code == 200
# User rejects request
data['confirm'] = 'no'
data['scope'] = 'test:scope'
data['state'] = ''
r = client.post(next_url, data=data)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert next_url == redirect_uri
assert data.get('error') == 'access_denied'
# Returned
r = client.get(next_url, query_string=data)
assert r.status_code == 200
assert r.data == b'Access denied: error=access_denied'
def test_auth_flow_denied(provider_fixture):
app = provider_fixture
with app.test_request_context():
redirect_uri = url_for("oauth2test.authorized", _external=True)
with app.test_client() as client:
# First login on provider site
login(client)
r = client.get(url_for("oauth2test.login"))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
# Authorize page
r = client.get(next_url, query_string=data)
assert r.status_code == 200
# User rejects request
data["confirm"] = "no"
data["scope"] = "test:scope"
data["state"] = ""
r = client.post(next_url, data=data)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert next_url == redirect_uri
assert data.get("error") == "access_denied"
# Returned
r = client.get(next_url, query_string=data)
assert r.status_code == 200
assert r.data == b"Access denied: error=access_denied"
def test_implicit_flow(provider_fixture):
app = provider_fixture
with app.test_request_context():
redirect_uri = url_for('oauth2test.authorized', _external=True)
with app.test_client() as client:
# First login on provider site
login(client)
for client_id in ['dev', 'confidential']:
data = dict(
redirect_uri=redirect_uri,
response_type='token', # For implicit grant type
client_id=client_id,
scope='test:scope',
state='teststate'
)
# Authorize page
r = client.get(url_for(
'invenio_oauth2server.authorize',
**data
), follow_redirects=True)
assert r.status_code == 200
# User confirms request
data['confirm'] = 'yes'
data['scope'] = 'test:scope'
data['state'] = 'teststate'
r = client.post(url_for('invenio_oauth2server.authorize'),
data=data)
assert r.status_code == 302
# Important - access token exists in URI fragment and must not
# be sent to the client.
next_url, data = parse_redirect(r.location,
parse_fragment=True)
assert data['access_token']
assert data['token_type'] == 'Bearer'
assert data['state'] == 'teststate'
assert data['scope'] == 'test:scope'
assert data.get('refresh_token') is None
assert next_url == redirect_uri
# Authentication flow has now been completed, and the client
# can use the access token to make request to the provider.
r = client.get(url_for('invenio_oauth2server.info',
access_token=data['access_token']))
assert r.status_code == 200
assert json.loads(r.get_data()).get('client') == client_id
assert json.loads(r.get_data()).get('user') == app.user1_id
assert json.loads(r.get_data()).get('scopes') \
== [u'test:scope']
def test_implicit_flow(provider_fixture):
app = provider_fixture
with app.test_request_context():
redirect_uri = url_for('oauth2test.authorized', _external=True)
with app.test_client() as client:
# First login on provider site
login(client)
for client_id in ['dev', 'confidential']:
data = dict(
redirect_uri=redirect_uri,
response_type='token', # For implicit grant type
client_id=client_id,
scope='test:scope',
state='teststate'
)
# Authorize page
r = client.get(url_for(
'invenio_oauth2server.authorize',
**data
), follow_redirects=True)
assert r.status_code == 200
# User confirms request
data['confirm'] = 'yes'
data['scope'] = 'test:scope'
data['state'] = 'teststate'
r = client.post(url_for('invenio_oauth2server.authorize'),
data=data)
assert r.status_code == 302
# Important - access token exists in URI fragment and must not
# be sent to the client.
next_url, data = parse_redirect(r.location,
parse_fragment=True)
assert data['access_token']
assert data['token_type'] == 'Bearer'
assert data['state'] == 'teststate'
assert data['scope'] == 'test:scope'
assert data.get('refresh_token') is None
assert next_url == redirect_uri
# Authentication flow has now been completed, and the client
# can use the access token to make request to the provider.
r = client.get(url_for('invenio_oauth2server.info',
access_token=data['access_token']))
assert r.status_code == 200
assert json.loads(r.get_data()).get('client') == client_id
assert json.loads(r.get_data()).get('user') == app.user1.id
assert json.loads(r.get_data()).get('scopes') \
== [u'test:scope']
def test_implicit_flow(provider_fixture):
app = provider_fixture
with app.test_request_context():
redirect_uri = url_for("oauth2test.authorized", _external=True)
with app.test_client() as client:
# First login on provider site
login(client)
for client_id in ["dev", "confidential"]:
data = dict(
redirect_uri=redirect_uri,
response_type="token", # For implicit grant type
client_id=client_id,
scope="test:scope",
state="teststate",
)
# Authorize page
r = client.get(url_for("invenio_oauth2server.authorize", **data), follow_redirects=True)
assert r.status_code == 200
# User confirms request
data["confirm"] = "yes"
data["scope"] = "test:scope"
data["state"] = "teststate"
r = client.post(url_for("invenio_oauth2server.authorize"), data=data)
assert r.status_code == 302
# Important - access token exists in URI fragment and must not
# be sent to the client.
next_url, data = parse_redirect(r.location, parse_fragment=True)
assert data["access_token"]
assert data["token_type"] == "Bearer"
assert data["state"] == "teststate"
assert data["scope"] == "test:scope"
assert data.get("refresh_token") is None
assert next_url == redirect_uri
# Authentication flow has now been completed, and the client
# can use the access token to make request to the provider.
r = client.get(url_for("invenio_oauth2server.info", access_token=data["access_token"]))
assert r.status_code == 200
assert json.loads(r.get_data()).get("client") == client_id
assert json.loads(r.get_data()).get("user") == app.user1_id
assert json.loads(r.get_data()).get("scopes") == [u"test:scope"]
def web_auth_flow(provider_fixture):
app = provider_fixture
# Go to login - should redirect to oauth2 server for login an
# authorization
with app.app_context():
with app.test_client() as client:
r = client.get('/oauth2test/test-ping')
# First login on provider site
login(client)
r = client.get('/oauth2test/login')
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
# Authorize page
r = client.get(next_url, query_string=data)
assert r.status_code == 200
# User confirms request
data['confirm'] = 'yes'
data['scope'] = 'test:scope'
data['state'] = ''
r = client.post(next_url, data=data)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert next_url == 'http://{0}/oauth2test/authorized'.format(
app.config['SERVER_NAME'])
assert 'code' in data
# User is redirected back to client site.
# - The client view /oauth2test/authorized will in the
# background fetch the access token.
r = client.get(next_url, query_string=data)
assert r.status_code == 200
# Authentication flow has now been completed, and the access
# token can be used to access protected resources.
r = client.get('/oauth2test/test-ping')
assert r.status_code == 200
assert json.loads(r.get_data()) == dict(ping='pong')
# Authentication flow has now been completed, and the access
# token can be used to access protected resources.
r = client.get('/oauth2test/test-ping')
assert r.status_code == 200
assert json.loads(r.get_data()) == dict(ping='pong')
r = client.get('/oauth2test/test-info')
assert r.status_code == 200
json_resp = json.loads(r.get_data())
assert json_resp['client'] == 'confidential'
assert json_resp['user'] == app.user1_id
assert json_resp['scopes'] == [u'test:scope']
# Access token doesn't provide access to this URL.
r = client.get(
'/oauth2test/test-invalid',
base_url='http://{0}'.format(app.config['SERVER_NAME'])
)
assert r.status_code == 401
# # Now logout
r = client.get('/oauth2test/logout')
assert r.status_code == 200
assert r.data == "logout"
# And try to access the information again
r = client.get('/oauth2test/test-ping')
assert r.status_code == 403
def test_refresh_flow(provider_fixture):
app = provider_fixture
with app.test_request_context():
base_url = 'https://{0}'.format(app.config['SERVER_NAME'])
redirect_uri = url_for('oauth2test.authorized', _external=True)
with app.test_client() as client:
# First login on provider site
login(client)
data = dict(
redirect_uri=redirect_uri,
scope='test:scope',
response_type='code',
client_id='confidential',
state='mystate'
)
r = client.get(url_for('invenio_oauth2server.authorize', **data))
assert r.status_code == 200
data['confirm'] = 'yes'
data['scope'] = 'test:scope'
data['state'] = 'mystate'
# Obtain one time code
r = client.post(
url_for('invenio_oauth2server.authorize'), data=data
)
r.status_code == 302
next_url, res_data = parse_redirect(r.location)
assert res_data['code']
assert res_data['state'] == 'mystate'
# Exchange one time code for access token
r = client.post(
url_for('invenio_oauth2server.access_token'), data=dict(
client_id='confidential',
client_secret='confidential',
grant_type='authorization_code',
code=res_data['code'],
)
)
assert r.status_code == 200
json_resp = json.loads(r.get_data())
assert json_resp['access_token']
assert json_resp['refresh_token']
assert json_resp['scope'] == 'test:scope'
assert json_resp['token_type'] == 'Bearer'
refresh_token = json_resp['refresh_token']
old_access_token = json_resp['access_token']
# Access token valid
r = client.get(url_for('invenio_oauth2server.info',
access_token=old_access_token))
assert r.status_code == 200
# Obtain new access token with refresh token
r = client.post(
url_for('invenio_oauth2server.access_token'), data=dict(
client_id='confidential',
client_secret='confidential',
grant_type='refresh_token',
refresh_token=refresh_token,
)
)
r.status_code == 200
json_resp = json.loads(r.get_data())
assert json_resp['access_token']
assert json_resp['refresh_token']
assert json_resp['access_token'] != old_access_token
assert json_resp['refresh_token'] != refresh_token
assert json_resp['scope'] == 'test:scope'
assert json_resp['token_type'] == 'Bearer'
# New access token valid
r = client.get(url_for('invenio_oauth2server.info',
access_token=json_resp['access_token']))
assert r.status_code == 200
# Old access token no longer valid
r = client.get(url_for('invenio_oauth2server.info',
access_token=old_access_token,),
base_url=base_url)
assert r.status_code == 401
def test_expired_refresh_flow(provider_fixture):
"""Test refresh flow with an expired token."""
app = provider_fixture
# First login on provider site
with app.test_request_context():
with app.test_client() as client:
login(client)
data = dict(
redirect_uri=url_for('oauth2test.authorized', _external=True),
scope='test:scope',
response_type='code',
client_id='confidential',
state='mystate'
)
r = client.get(url_for('invenio_oauth2server.authorize', **data))
assert r.status_code == 200
data['confirm'] = 'yes'
data['scope'] = 'test:scope'
data['state'] = 'mystate'
# Obtain one time code
r = client.post(
url_for('invenio_oauth2server.authorize'), data=data
)
assert r.status_code == 302
next_url, res_data = parse_redirect(r.location)
assert res_data['code']
assert res_data['state'] == 'mystate'
# Exchange one time code for access token
r = client.post(
url_for('invenio_oauth2server.access_token'), data=dict(
client_id='confidential',
client_secret='confidential',
grant_type='authorization_code',
code=res_data['code'],
)
)
assert r.status_code == 200
assert json.loads(r.get_data())['access_token']
assert json.loads(r.get_data())['refresh_token']
assert json.loads(r.get_data())['expires_in'] > 0
assert json.loads(r.get_data())['scope'] == 'test:scope'
assert json.loads(r.get_data())['token_type'] == 'Bearer'
assert json.loads(r.get_data())['user']['id']
refresh_token = json.loads(r.get_data())['refresh_token']
old_access_token = json.loads(r.get_data())['access_token']
# Access token valid
r = client.get(url_for('invenio_oauth2server.info',
access_token=old_access_token))
assert r.status_code == 200
Token.query.filter_by(access_token=old_access_token).update(
dict(expires=datetime.utcnow() - timedelta(seconds=1))
)
db.session.commit()
# Access token is expired
r = client.get(url_for('invenio_oauth2server.info',
access_token=old_access_token))
assert r.status_code == 401
# Obtain new access token with refresh token
r = client.post(
url_for('invenio_oauth2server.access_token'), data=dict(
client_id='confidential',
client_secret='confidential',
grant_type='refresh_token',
refresh_token=refresh_token,
)
)
assert r.status_code == 200
resp_json = json.loads(r.get_data())
assert resp_json['access_token']
assert resp_json['refresh_token']
assert resp_json['expires_in'] > 0
assert resp_json['access_token'] != old_access_token
assert resp_json['refresh_token'] != refresh_token
assert resp_json['scope'] == 'test:scope'
assert resp_json['token_type'] == 'Bearer'
assert resp_json['user']['id']
# New access token valid
r = client.get(url_for('invenio_oauth2server.info',
access_token=resp_json['access_token']))
assert r.status_code == 200
# Old access token no longer valid
r = client.get(url_for('invenio_oauth2server.info',
access_token=old_access_token))
assert r.status_code == 401
def test_not_allowed_public_refresh_flow(expiration_fixture):
"""Public token should not allow refreshing."""
app = expiration_fixture
# First login on provider site
with app.test_request_context():
with app.test_client() as client:
login(client)
data = dict(
redirect_uri=url_for("oauth2test.authorized", _external=True),
scope="test:scope",
response_type="code",
client_id="dev",
state="mystate",
)
r = client.get(url_for("invenio_oauth2server.authorize", **data))
assert r.status_code == 200
data["confirm"] = "yes"
data["scope"] = "test:scope"
data["state"] = "mystate"
# Obtain one time code
r = client.post(url_for("invenio_oauth2server.authorize"), data=data)
assert r.status_code == 302
next_url, res_data = parse_redirect(r.location)
assert res_data["code"]
assert res_data["state"] == "mystate"
# Exchange one time code for access token
r = client.post(
url_for("invenio_oauth2server.access_token"),
data=dict(client_id="dev", client_secret="dev", grant_type="authorization_code", code=res_data["code"]),
)
assert r.status_code == 200
json_resp = json.loads(r.get_data())
assert json_resp["access_token"]
assert json_resp["refresh_token"]
assert json_resp["expires_in"] > 0
assert json_resp["scope"] == "test:scope"
assert json_resp["token_type"] == "Bearer"
refresh_token = json_resp["refresh_token"]
old_access_token = json_resp["access_token"]
# Access token valid
r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token))
assert r.status_code == 200
Token.query.filter_by(access_token=old_access_token).update(
dict(expires=datetime.utcnow() - timedelta(seconds=1))
)
db.session.commit()
# Access token is expired
r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token), follow_redirects=True)
assert r.status_code == 401
# Obtain new access token with refresh token
r = client.post(
url_for("invenio_oauth2server.access_token"),
data=dict(
client_id="dev", client_secret="dev", grant_type="refresh_token", refresh_token=refresh_token
),
follow_redirects=True,
)
# Only confidential clients can refresh expired token.
assert r.status_code == 401
def web_auth_flow(provider_fixture):
app = provider_fixture
# Go to login - should redirect to oauth2 server for login an
# authorization
with app.app_context():
with app.test_client() as client:
r = client.get('/oauth2test/test-ping')
# First login on provider site
login(client)
r = client.get('/oauth2test/login')
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
# Authorize page
r = client.get(next_url, query_string=data)
assert r.status_code == 200
# User confirms request
data['confirm'] = 'yes'
data['scope'] = 'test:scope'
data['state'] = ''
r = client.post(next_url, data=data)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert next_url == 'http://{0}/oauth2test/authorized'.format(
app.config['SERVER_NAME'])
assert 'code' in data
# User is redirected back to client site.
# - The client view /oauth2test/authorized will in the
# background fetch the access token.
r = client.get(next_url, query_string=data)
assert r.status_code == 200
# Authentication flow has now been completed, and the access
# token can be used to access protected resources.
r = client.get('/oauth2test/test-ping')
assert r.status_code == 200
assert json.loads(r.get_data()) == dict(ping='pong')
# Authentication flow has now been completed, and the access
# token can be used to access protected resources.
r = client.get('/oauth2test/test-ping')
assert r.status_code == 200
assert json.loads(r.get_data()) == dict(ping='pong')
r = client.get('/oauth2test/test-info')
assert r.status_code == 200
json_resp = json.loads(r.get_data())
assert json_resp['client'] == 'confidential'
assert json_resp['user'] == app.user1.id
assert json_resp['scopes'] == [u'test:scope']
# Access token doesn't provide access to this URL.
r = client.get(
'/oauth2test/test-invalid',
base_url='http://{0}'.format(app.config['SERVER_NAME'])
)
assert r.status_code == 401
# # Now logout
r = client.get('/oauth2test/logout')
assert r.status_code == 200
assert r.data == "logout"
# And try to access the information again
r = client.get('/oauth2test/test-ping')
assert r.status_code == 403
def web_auth_flow(provider_fixture):
app = provider_fixture
# Go to login - should redirect to oauth2 server for login an
# authorization
with app.app_context():
with app.test_client() as client:
r = client.get("/oauth2test/test-ping")
# First login on provider site
login(client)
r = client.get("/oauth2test/login")
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
# Authorize page
r = client.get(next_url, query_string=data)
assert r.status_code == 200
# User confirms request
data["confirm"] = "yes"
data["scope"] = "test:scope"
data["state"] = ""
r = client.post(next_url, data=data)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert next_url == "http://{0}/oauth2test/authorized".format(app.config["SERVER_NAME"])
assert "code" in data
# User is redirected back to client site.
# - The client view /oauth2test/authorized will in the
# background fetch the access token.
r = client.get(next_url, query_string=data)
assert r.status_code == 200
# Authentication flow has now been completed, and the access
# token can be used to access protected resources.
r = client.get("/oauth2test/test-ping")
assert r.status_code == 200
assert json.loads(r.get_data()) == dict(ping="pong")
# Authentication flow has now been completed, and the access
# token can be used to access protected resources.
r = client.get("/oauth2test/test-ping")
assert r.status_code == 200
assert json.loads(r.get_data()) == dict(ping="pong")
r = client.get("/oauth2test/test-info")
assert r.status_code == 200
json_resp = json.loads(r.get_data())
assert json_resp["client"] == "confidential"
assert json_resp["user"] == app.user1_id
assert json_resp["scopes"] == [u"test:scope"]
# Access token doesn't provide access to this URL.
r = client.get("/oauth2test/test-invalid", base_url="http://{0}".format(app.config["SERVER_NAME"]))
assert r.status_code == 401
# # Now logout
r = client.get("/oauth2test/logout")
assert r.status_code == 200
assert r.data == "logout"
# And try to access the information again
r = client.get("/oauth2test/test-ping")
assert r.status_code == 403
def test_refresh_flow(provider_fixture):
app = provider_fixture
with app.test_request_context():
base_url = "https://{0}".format(app.config["SERVER_NAME"])
redirect_uri = url_for("oauth2test.authorized", _external=True)
with app.test_client() as client:
# First login on provider site
login(client)
data = dict(
redirect_uri=redirect_uri,
scope="test:scope",
response_type="code",
client_id="confidential",
state="mystate",
)
r = client.get(url_for("invenio_oauth2server.authorize", **data))
assert r.status_code == 200
data["confirm"] = "yes"
data["scope"] = "test:scope"
data["state"] = "mystate"
# Obtain one time code
r = client.post(url_for("invenio_oauth2server.authorize"), data=data)
r.status_code == 302
next_url, res_data = parse_redirect(r.location)
assert res_data["code"]
assert res_data["state"] == "mystate"
# Exchange one time code for access token
r = client.post(
url_for("invenio_oauth2server.access_token"),
data=dict(
client_id="confidential",
client_secret="confidential",
grant_type="authorization_code",
code=res_data["code"],
),
)
assert r.status_code == 200
json_resp = json.loads(r.get_data())
assert json_resp["access_token"]
assert json_resp["refresh_token"]
assert json_resp["scope"] == "test:scope"
assert json_resp["token_type"] == "Bearer"
refresh_token = json_resp["refresh_token"]
old_access_token = json_resp["access_token"]
# Access token valid
r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token))
assert r.status_code == 200
# Obtain new access token with refresh token
r = client.post(
url_for("invenio_oauth2server.access_token"),
data=dict(
client_id="confidential",
client_secret="confidential",
grant_type="refresh_token",
refresh_token=refresh_token,
),
)
r.status_code == 200
json_resp = json.loads(r.get_data())
assert json_resp["access_token"]
assert json_resp["refresh_token"]
assert json_resp["access_token"] != old_access_token
assert json_resp["refresh_token"] != refresh_token
assert json_resp["scope"] == "test:scope"
assert json_resp["token_type"] == "Bearer"
# New access token valid
r = client.get(url_for("invenio_oauth2server.info", access_token=json_resp["access_token"]))
assert r.status_code == 200
# Old access token no longer valid
r = client.get(url_for("invenio_oauth2server.info", access_token=old_access_token), base_url=base_url)
assert r.status_code == 401
def test_invalid_authorize_requests(provider_fixture):
app = provider_fixture
# First login on provider site
with app.test_request_context():
redirect_uri = url_for('oauth2test.authorized', _external=True)
with app.test_client() as client:
login(client)
for client_id in ['dev', 'confidential']:
scope = 'test:scope'
response_type = 'code'
error_url = url_for('invenio_oauth2server.errors')
# Valid request authorize request
r = client.get(
url_for('invenio_oauth2server.authorize'),
data={
'redirect_uri': redirect_uri,
'scope': scope,
'response_type': response_type,
'client_id': client_id,
})
assert r.status_code == 200
# Invalid scope
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri=redirect_uri,
scope='INVALID',
response_type=response_type,
client_id=client_id,
))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'invalid_scope'
assert next_url == redirect_uri
# Invalid response type
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri=redirect_uri,
scope=scope,
response_type='invalid',
client_id=client_id,
))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'unauthorized_client'
assert next_url == redirect_uri
# Missing response_type
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri=redirect_uri,
scope=scope,
client_id=client_id,
))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'invalid_request'
assert next_url == redirect_uri
# Duplicate parameter
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri=redirect_uri,
scope=scope,
response_type='invalid',
client_id=client_id,
) + "&client_id={0}".format(client_id))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'invalid_request'
assert next_url == redirect_uri
# Invalid client_id
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri=redirect_uri,
scope=scope,
response_type=response_type,
client_id='invalid',
))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'invalid_client_id'
assert error_url in next_url
r = client.get(next_url, query_string=data)
assert 'invalid_client_id' in str(r.data)
# Invalid redirect uri
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri='http://localhost/',
scope=scope,
response_type=response_type,
client_id=client_id,
))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'mismatching_redirect_uri'
assert error_url in next_url
def test_invalid_authorize_requests(provider_fixture):
app = provider_fixture
# First login on provider site
with app.test_request_context():
redirect_uri = url_for('oauth2test.authorized', _external=True)
with app.test_client() as client:
login(client)
for client_id in ['dev', 'confidential']:
scope = 'test:scope'
response_type = 'code'
error_url = url_for('invenio_oauth2server.errors',
_external=True)
# Valid request authorize request
r = client.get(
url_for('invenio_oauth2server.authorize'),
data={
'redirect_uri': redirect_uri,
'scope': scope,
'response_type': response_type,
'client_id': client_id,
})
assert r.status_code == 200
# Invalid scope
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri=redirect_uri,
scope='INVALID',
response_type=response_type,
client_id=client_id,
))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'invalid_scope'
assert next_url == redirect_uri
# Invalid response type
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri=redirect_uri,
scope=scope,
response_type='invalid',
client_id=client_id,
))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'unsupported_response_type'
assert next_url == redirect_uri
# Missing response_type
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri=redirect_uri,
scope=scope,
client_id=client_id,
))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'invalid_request'
assert next_url == redirect_uri
# Duplicate parameter
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri=redirect_uri,
scope=scope,
response_type='invalid',
client_id=client_id,
) + "&client_id={0}".format(client_id))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'invalid_request'
assert next_url == error_url
# Invalid client_id
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri=redirect_uri,
scope=scope,
response_type=response_type,
client_id='invalid',
))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'invalid_request'
assert error_url in next_url
r = client.get(next_url, query_string=data)
assert 'invalid_request' in str(r.data)
# Invalid redirect uri
r = client.get(url_for(
'invenio_oauth2server.authorize',
redirect_uri='http://localhost/',
scope=scope,
response_type=response_type,
client_id=client_id,
))
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data['error'] == 'invalid_request'
assert error_url in next_url
def test_invalid_authorize_requests(provider_fixture):
app = provider_fixture
# First login on provider site
with app.test_request_context():
redirect_uri = url_for("oauth2test.authorized", _external=True)
with app.test_client() as client:
login(client)
for client_id in ["dev", "confidential"]:
scope = "test:scope"
response_type = "code"
error_url = url_for("invenio_oauth2server.errors", _external=True)
# Valid request authorize request
r = client.get(
url_for("invenio_oauth2server.authorize"),
data={
"redirect_uri": redirect_uri,
"scope": scope,
"response_type": response_type,
"client_id": client_id,
},
)
assert r.status_code == 200
# Invalid scope
r = client.get(
url_for(
"invenio_oauth2server.authorize",
redirect_uri=redirect_uri,
scope="INVALID",
response_type=response_type,
client_id=client_id,
)
)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data["error"] == "invalid_scope"
assert next_url == redirect_uri
# Invalid response type
r = client.get(
url_for(
"invenio_oauth2server.authorize",
redirect_uri=redirect_uri,
scope=scope,
response_type="invalid",
client_id=client_id,
)
)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data["error"] == "unsupported_response_type"
assert next_url == redirect_uri
# Missing response_type
r = client.get(
url_for(
"invenio_oauth2server.authorize", redirect_uri=redirect_uri, scope=scope, client_id=client_id
)
)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data["error"] == "invalid_request"
assert next_url == redirect_uri
# Duplicate parameter
r = client.get(
url_for(
"invenio_oauth2server.authorize",
redirect_uri=redirect_uri,
scope=scope,
response_type="invalid",
client_id=client_id,
)
+ "&client_id={0}".format(client_id)
)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data["error"] == "invalid_request"
assert next_url == error_url
# Invalid client_id
r = client.get(
url_for(
"invenio_oauth2server.authorize",
redirect_uri=redirect_uri,
scope=scope,
response_type=response_type,
client_id="invalid",
)
)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data["error"] == "invalid_request"
assert error_url in next_url
r = client.get(next_url, query_string=data)
assert "invalid_request" in str(r.data)
# Invalid redirect uri
r = client.get(
url_for(
"invenio_oauth2server.authorize",
redirect_uri="http://localhost/",
scope=scope,
response_type=response_type,
client_id=client_id,
)
)
assert r.status_code == 302
next_url, data = parse_redirect(r.location)
assert data["error"] == "invalid_request"
assert error_url in next_url
def test_not_allowed_public_refresh_flow(expiration_fixture):
"""Public token should not allow refreshing."""
app = expiration_fixture
# First login on provider site
with app.test_request_context():
with app.test_client() as client:
login(client)
data = dict(
redirect_uri=url_for('oauth2test.authorized', _external=True),
scope='test:scope',
response_type='code',
client_id='dev',
state='mystate'
)
r = client.get(url_for('invenio_oauth2server.authorize', **data))
assert r.status_code == 200
data['confirm'] = 'yes'
data['scope'] = 'test:scope'
data['state'] = 'mystate'
# Obtain one time code
r = client.post(
url_for('invenio_oauth2server.authorize'), data=data
)
assert r.status_code == 302
next_url, res_data = parse_redirect(r.location)
assert res_data['code']
assert res_data['state'] == 'mystate'
# Exchange one time code for access token
r = client.post(
url_for('invenio_oauth2server.access_token'), data=dict(
client_id='dev',
client_secret='dev',
grant_type='authorization_code',
code=res_data['code'],
)
)
assert r.status_code == 200
json_resp = json.loads(r.get_data())
assert json_resp['access_token']
assert json_resp['refresh_token']
assert json_resp['expires_in'] > 0
assert json_resp['scope'] == 'test:scope'
assert json_resp['token_type'] == 'Bearer'
refresh_token = json_resp['refresh_token']
old_access_token = json_resp['access_token']
# Access token valid
r = client.get(url_for('invenio_oauth2server.info',
access_token=old_access_token))
assert r.status_code == 200
Token.query.filter_by(access_token=old_access_token).update(
dict(expires=datetime.utcnow() - timedelta(seconds=1))
)
db.session.commit()
# Access token is expired
r = client.get(url_for('invenio_oauth2server.info',
access_token=old_access_token),
follow_redirects=True)
assert r.status_code == 401
# Obtain new access token with refresh token
r = client.post(
url_for('invenio_oauth2server.access_token'), data=dict(
client_id='dev',
client_secret='dev',
grant_type='refresh_token',
refresh_token=refresh_token,
),
follow_redirects=True
)
# Only confidential clients can refresh expired token.
assert r.status_code == 401
def test_refresh_flow(provider_fixture):
app = provider_fixture
with app.test_request_context():
base_url = 'https://{0}'.format(app.config['SERVER_NAME'])
redirect_uri = url_for('oauth2test.authorized', _external=True)
with app.test_client() as client:
# First login on provider site
login(client)
data = dict(
redirect_uri=redirect_uri,
scope='test:scope',
response_type='code',
client_id='confidential',
state='mystate'
)
r = client.get(url_for('invenio_oauth2server.authorize', **data))
assert r.status_code == 200
data['confirm'] = 'yes'
data['scope'] = 'test:scope'
data['state'] = 'mystate'
# Obtain one time code
r = client.post(
url_for('invenio_oauth2server.authorize'), data=data
)
r.status_code == 302
next_url, res_data = parse_redirect(r.location)
assert res_data['code']
assert res_data['state'] == 'mystate'
# Exchange one time code for access token
r = client.post(
url_for('invenio_oauth2server.access_token'), data=dict(
client_id='confidential',
client_secret='confidential',
grant_type='authorization_code',
code=res_data['code'],
)
)
assert r.status_code == 200
json_resp = json.loads(r.get_data())
assert json_resp['access_token']
assert json_resp['refresh_token']
assert json_resp['scope'] == 'test:scope'
assert json_resp['token_type'] == 'Bearer'
refresh_token = json_resp['refresh_token']
old_access_token = json_resp['access_token']
# Access token valid
r = client.get(url_for('invenio_oauth2server.info',
access_token=old_access_token))
assert r.status_code == 200
# Obtain new access token with refresh token
r = client.post(
url_for('invenio_oauth2server.access_token'), data=dict(
client_id='confidential',
client_secret='confidential',
grant_type='refresh_token',
refresh_token=refresh_token,
)
)
r.status_code == 200
json_resp = json.loads(r.get_data())
assert json_resp['access_token']
assert json_resp['refresh_token']
assert json_resp['access_token'] != old_access_token
assert json_resp['refresh_token'] != refresh_token
assert json_resp['scope'] == 'test:scope'
assert json_resp['token_type'] == 'Bearer'
# New access token valid
r = client.get(url_for('invenio_oauth2server.info',
access_token=json_resp['access_token']))
assert r.status_code == 200
# Old access token no longer valid
r = client.get(url_for('invenio_oauth2server.info',
access_token=old_access_token,),
base_url=base_url)
assert r.status_code == 401
