def test_fail_when_cant_fetch_provider_configuration(id_token, rsa_key):
    """Verification raises when the provider configuration cannot be fetched."""
    # Simulate a network failure on the Provider Configuration endpoint.
    discovery_url = OIDCONF_PATTERN % ISSUER
    responses.add(responses.GET, discovery_url, body=ConnectionError('Error'))

    signed_token = id_token.to_jwt([rsa_key], 'RS256')

    # No keys can be discovered, so the call must raise, not return a token.
    with pytest.raises(IDTokenVerificationError):
        verify_signed_id_token(signed_token)
def test_fail_when_cant_fetch_provider_jwks_uri(id_token, rsa_key):
    """Verification raises when discovery succeeds but the JWKS fetch fails."""
    discovery_url = OIDCONF_PATTERN % ISSUER
    jwks_uri = '/'.join((ISSUER, 'jwks_uri'))

    # Discovery document is served normally and points at jwks_uri ...
    provider_config = {'issuer': ISSUER, 'jwks_uri': jwks_uri}
    responses.add(responses.GET, discovery_url, json=provider_config, status=200)
    # ... but the jwks_uri endpoint itself fails with a ConnectionError.
    responses.add(responses.GET, jwks_uri, body=ConnectionError('Error'))

    signed_token = id_token.to_jwt([rsa_key], 'RS256')
    with pytest.raises(IDTokenVerificationError):
        verify_signed_id_token(signed_token)
def test_verify_with_issuer_keys(id_token, rsa_key):
    """An RS256 token verifies against keys published at the issuer's jwks_uri."""
    # NOTE(review): the call below receives only the token, so the issuer used
    # for discovery presumably comes from the token itself. Keys fetched that
    # way show the token matches that issuer's keys, not that the issuer is
    # one the caller trusts. Confirm callers check the issuer separately.
    discovery_url = OIDCONF_PATTERN % ISSUER
    jwks_uri = '/'.join((ISSUER, 'jwks_uri'))

    provider_config = {'issuer': ISSUER, 'jwks_uri': jwks_uri}
    responses.add(responses.GET, discovery_url, json=provider_config, status=200)

    published_keys = {'keys': [rsa_key.serialize()]}
    responses.add(responses.GET, jwks_uri, json=published_keys, status=200)

    signed_token = id_token.to_jwt([rsa_key], 'RS256')
    verified = verify_signed_id_token(signed_token)

    # The verified payload must round-trip to the original ID Token.
    assert IdToken().from_json(verified) == id_token
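def app(environ, start_response):
    """WSGI endpoint that verifies an ID Token sent as a form-encoded POST.

    Non-POST requests are answered with 405 and an ``Allow: POST`` header.
    For POST, the body fields are passed to ``verify_signed_id_token`` as
    keyword arguments. The response body is the verified token, or a JSON
    object with an ``error`` member when verification fails.
    """
    if environ['REQUEST_METHOD'] != 'POST':
        # Use the standard reason phrase and name the accepted method in Allow.
        start_response('405 Method Not Allowed',
                       [('Content-Type', 'text/plain'), ('Allow', 'POST')])
        return ['Only POST is supported.'.encode('utf-8')]

    post_data = get_post(environ)
    # dict() keeps only the last value when a field is repeated in the body.
    parsed_data = dict(parse_qsl(post_data))

    # NOTE(review): the 200 status is committed before verification runs, so a
    # rejected token is also answered with 200. Clients must inspect the body
    # for "error"; consider a 4xx status for failures if callers allow it.
    start_response('200 OK', [('Content-Type', 'application/json')])
    try:
        # NOTE(review): field names from the request body become keyword
        # names here. An unexpected field raises TypeError, which is not
        # caught below, and the requester can set any parameter the verifier
        # accepts. Consider passing only an explicit set of expected fields.
        verified_token = verify_signed_id_token(**parsed_data)
    except IDTokenVerificationError as e:
        return [json.dumps({"error": str(e)}).encode('utf-8')]

    return [verified_token.encode('utf-8')]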
def test_fail_on_symmetric_key_signature_but_key_not_provided(id_token, sym_key):
    """An HS256-signed token is rejected when no symmetric key is supplied."""
    hmac_token = id_token.to_jwt([sym_key], 'HS256')

    with pytest.raises(IDTokenVerificationError):
        # Deliberately called without key=.
        verify_signed_id_token(hmac_token)
def test_fail_verify_on_wrong_key(id_token, sym_key):
    """An HS256-signed token is rejected when checked against a different key."""
    hmac_token = id_token.to_jwt([sym_key], 'HS256')

    with pytest.raises(IDTokenVerificationError):
        # A random string stands in for the wrong symmetric key.
        verify_signed_id_token(hmac_token, key=rndstr())
def test_verify_jwt_signed_with_symmetric_key(id_token, sym_key):
    """An HS256-signed token verifies when the signing key is passed as key=."""
    hmac_token = id_token.to_jwt([sym_key], 'HS256')
    verified = verify_signed_id_token(hmac_token, key=sym_key.k)

    # The verified payload must round-trip to the original ID Token.
    assert IdToken().from_json(verified) == id_token
def test_verify_unsigned_jwt(id_token):
    """A token built by to_jwt() with no key is accepted and round-trips."""
    # NOTE(review): this pins that verify_signed_id_token returns successfully
    # for a token created without any key. If that token is unsigned, as the
    # test name suggests, a successful return is not proof of authenticity.
    # Confirm this acceptance is intended.
    keyless_token = id_token.to_jwt()
    verified = verify_signed_id_token(keyless_token)

    assert IdToken().from_json(verified) == id_token
def test_verify_with_provided_jwks(id_token, rsa_key):
    """An RS256 token verifies against a caller-supplied JWKS document.

    Covers providers that do not support discovery: the key set is passed
    directly as a JSON string through jwks=.
    """
    signed_token = id_token.to_jwt([rsa_key], 'RS256')
    supplied_jwks = json.dumps({'keys': [rsa_key.serialize()]})

    verified = verify_signed_id_token(signed_token, jwks=supplied_jwks)

    assert IdToken().from_json(verified) == id_token