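def introspection_endpoint(self, authn='', request=None, **kwargs):
    """
    Implement the OAuth 2.0 Token Introspection endpoint (RFC 7662).

    :param authn: Client authentication information; interpreted by
        ``get_token_info``.
    :param request: The urlencoded introspection request body.
    :param kwargs: Unused; accepted for endpoint-signature compatibility.
    :return: A ``Response`` carrying a JSON ``TokenIntrospectionResponse``,
        or the error / inactive ``Response`` that ``get_token_info`` built.
    """
    tir = TokenIntrospectionRequest().deserialize(request, "urlencoded")
    resp = self.get_token_info(authn, tir, 'introspection_endpoint')
    if isinstance(resp, Response):
        # get_token_info already produced an error (e.g. unauthorized_client)
        # or an {"active": false} response; pass it through unchanged.
        return resp

    client_id, token_type, _info = resp

    # Log only the type hint: the full request dict carries the token itself
    # and, with client_secret_post, the client secret -- neither belongs in
    # the log.
    logger.info('%s token introspection: token_type_hint=%s',
                client_id, tir.to_dict().get('token_type_hint'))

    active = self.sdb.token_factory[token_type].is_valid(_info)
    if active:
        ir = TokenIntrospectionResponse(active=True, **_info.to_dict())
    else:
        # RFC 7662 section 2.2: an inactive token gets {"active": false} and
        # nothing else, so a revoked or expired token does not leak its
        # subject, scope or lifetime to the caller.
        ir = TokenIntrospectionResponse(active=False)

    # Drop any stored-token keys that are not part of the response schema.
    ir.weed()
    return Response(ir.to_json(), content="application/json")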
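def introspection_endpoint(self, authn='', request=None, **kwargs):
    """
    Implement the OAuth 2.0 Token Introspection endpoint (RFC 7662).

    :param authn: Client authentication information; interpreted by
        ``get_token_info``.
    :param request: The urlencoded introspection request body.
    :param kwargs: Unused; accepted for endpoint-signature compatibility.
    :return: A ``Response`` carrying a JSON ``TokenIntrospectionResponse``,
        or the error / inactive ``Response`` that ``get_token_info`` built.
    """
    tir = TokenIntrospectionRequest().deserialize(request, "urlencoded")
    resp = self.get_token_info(authn, tir, 'introspection_endpoint')
    if isinstance(resp, Response):
        # get_token_info already produced an error (e.g. unauthorized_client)
        # or an {"active": false} response; pass it through unchanged.
        return resp

    client_id, token_type, _info = resp

    # Log only the type hint: the full request dict carries the token itself
    # and, with client_secret_post, the client secret -- neither belongs in
    # the log.
    logger.info('%s token introspection: token_type_hint=%s',
                client_id, tir.to_dict().get('token_type_hint'))

    active = self.sdb.token_factory[token_type].is_valid(_info)
    if active:
        ir = TokenIntrospectionResponse(active=True, **_info.to_dict())
    else:
        # RFC 7662 section 2.2: an inactive token gets {"active": false} and
        # nothing else, so a revoked or expired token does not leak its
        # subject, scope or lifetime to the caller.
        ir = TokenIntrospectionResponse(active=False)

    # Drop any stored-token keys that are not part of the response schema.
    ir.weed()
    return Response(ir.to_json(), content="application/json")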
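def token_introspection(self, token):
    """
    Introspect a proof-of-possession token and return its confirmation key.

    The token is unpacked as a JWT with ``self.keyjar`` and ``iss=self.me``
    (NOTE(review): ``JWT.unpack`` is assumed to verify the signature and
    issuer -- confirm in ``oic.utils.jwt``). The ``cnf.kid`` claim is then
    resolved through ``self.thumbprint2key`` and returned, JSON-encoded,
    under ``key``.

    :param token: Compact-serialized JWT to introspect.
    :return: ``TokenIntrospectionResponse`` with ``active=True`` and ``key``
        when the bound key is known; ``active=False`` when the token carries
        no usable ``cnf.kid`` or the thumbprint was never registered.
    :raises: Whatever ``JWT.unpack`` raises for a token that does not unpack;
        that is left to propagate.
    """
    jwt_constructor = JWT(self.keyjar, iss=self.me)
    res = jwt_constructor.unpack(token)

    try:
        bound_key = self.thumbprint2key[res["cnf"]["kid"]]
    except (KeyError, TypeError):
        # Missing/malformed confirmation claim or an unknown thumbprint:
        # report the token as inactive instead of failing with a server
        # error on attacker-controlled input.
        return TokenIntrospectionResponse(active=False)

    tir = TokenIntrospectionResponse(active=True)
    tir["key"] = json.dumps(bound_key)
    return tir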
def test_token_introspection_bad_token_no_hint(self):
    """An unknown token without a token_type_hint introspects as inactive."""
    introspect_req = TokenIntrospectionRequest(
        token='access_token',
        client_id="client1",
        client_secret="hemlighet",
    )
    raw = self.provider.introspection_endpoint(
        request=introspect_req.to_urlencoded())
    assert raw

    parsed = TokenIntrospectionResponse().deserialize(raw.message, 'json')
    assert parsed['active'] is False
def test_token_introspection_bad_access_token(self):
    """An unknown token hinted as access_token introspects as inactive."""
    introspect_req = TokenIntrospectionRequest(
        token="access_token",
        client_id="client1",
        client_secret="hemlighet",
        token_type_hint="access_token",
    )
    raw = self.provider.introspection_endpoint(
        request=introspect_req.to_urlencoded())
    assert raw

    parsed = TokenIntrospectionResponse().deserialize(raw.message, "json")
    assert parsed["active"] is False
def test_token_revocation_and_introspection(self):
    """A revoked access token must introspect as inactive (RFC 7009 / 7662)."""
    authz_req = AuthorizationRequest(
        state="state",
        redirect_uri="http://example.com/authz",
        client_id="client1",
    )
    session_db = self.provider.sdb
    sid = session_db.access_token.key(user="******", areq=authz_req)
    grant = session_db.token_factory["code"](sid=sid)
    session_db[sid] = {
        "oauth_state": "authz",
        "sub": "sub",
        "authzreq": authz_req.to_json(),
        "client_id": "client1",
        "code": grant,
        "code_used": False,
        "redirect_uri": "http://example.com/authz",
        "response_type": ["code"],
    }

    # Exchange the authorization code for an access token.
    token_req = AccessTokenRequest(
        code=grant,
        redirect_uri="http://example.com/authz",
        client_id="client1",
        client_secret="hemlighet",
        grant_type="authorization_code",
    )
    token_resp = self.provider.token_endpoint(
        request=token_req.to_urlencoded())
    issued = AccessTokenResponse().deserialize(token_resp.message, "json")
    access_token = issued["access_token"]

    # Revoke the token ...
    revoke_req = TokenRevocationRequest(
        token=access_token,
        client_id="client1",
        client_secret="hemlighet",
        token_type_hint="access_token",
    )
    revoke_resp = self.provider.revocation_endpoint(
        request=revoke_req.to_urlencoded())
    assert revoke_resp.status_code == 200

    # ... and confirm introspection now reports it inactive.
    introspect_req = TokenIntrospectionRequest(
        token=access_token,
        client_id="client1",
        client_secret="hemlighet",
        token_type_hint="access_token",
    )
    introspect_resp = self.provider.introspection_endpoint(
        request=introspect_req.to_urlencoded())
    assert introspect_resp

    parsed = TokenIntrospectionResponse().deserialize(
        introspect_resp.message, "json")
    assert parsed["active"] is False
def test_token_introspection_missing(self):
    """Introspection by a client that no longer exists is rejected.

    The client is registered, obtains a token, is deleted from the client
    database, and then tries to introspect its own token; the provider must
    answer with an ``unauthorized_client`` error rather than token data.
    """
    authz_req = AuthorizationRequest(
        state="state",
        redirect_uri="http://example.com/authz",
        client_id="client2",
    )
    session_db = self.provider.sdb
    self.provider.cdb["client2"] = {
        "client_secret": "hemlighet",
        "redirect_uris": [("http://localhost:8087/authz", None)],
        "token_endpoint_auth_method": "client_secret_post",
        "response_types": ["code", "token"],
    }

    sid = session_db.access_token.key(user="******", areq=authz_req)
    grant = session_db.token_factory["code"](sid=sid)
    session_db[sid] = {
        "oauth_state": "authz",
        "sub": "sub",
        "authzreq": authz_req.to_json(),
        "client_id": "client2",
        "code": grant,
        "code_used": False,
        "redirect_uri": "http://example.com/authz",
        "response_type": ["code"],
    }

    # Exchange the authorization code for an access token.
    token_req = AccessTokenRequest(
        code=grant,
        redirect_uri="http://example.com/authz",
        client_id="client2",
        client_secret="hemlighet",
        grant_type="authorization_code",
    )
    token_resp = self.provider.token_endpoint(
        request=token_req.to_urlencoded())
    issued = AccessTokenResponse().deserialize(token_resp.message, "json")

    # Remove the client registration before it introspects.
    del self.provider.cdb["client2"]

    introspect_req = TokenIntrospectionRequest(
        token=issued["access_token"],
        client_id="client2",
        client_secret="hemlighet",
        token_type_hint="access_token",
    )
    introspect_resp = self.provider.introspection_endpoint(
        request=introspect_req.to_urlencoded())
    assert introspect_resp

    parsed = TokenIntrospectionResponse().deserialize(
        introspect_resp.message, "json")
    assert parsed["error"] == "unauthorized_client"
def _return_inactive():
    """Build the RFC 7662 response for a token that is not active.

    The body is exactly ``{"active": false}``: no other claims are attached,
    so nothing about the token or why it is inactive is disclosed.
    """
    inactive = TokenIntrospectionResponse(active=False)
    return Response(inactive.to_json(), content="application/json")