def create_provider(self):
kb = KeyBundle(JWKS["keys"])
kj = KeyJar()
kj.issuer_keys[''] = [kb]
_sdb = SessionDB("https://example.com/",
db={},
code_factory=DefaultToken('supersecret',
'verybadpassword',
typ='A',
lifetime=600),
token_factory=JWTToken('T',
keyjar=kj,
lt_pattern={
'code': 3600,
'token': 900
},
iss='https://example.com/as',
sign_alg='RS256'),
refresh_token_factory=JWTToken(
'R',
keyjar=kj,
lt_pattern={'': 24 * 3600},
iss='https://example.com/as'))
# name, sdb, cdb, authn_broker, authz, client_authn,
self.provider = Provider("as",
_sdb,
CDB,
AUTHN_BROKER,
AUTHZ,
verify_client,
baseurl='https://example.com/as')
def test_pkce_verify_256(self, session_db_factory):
_cli = Client(
config={"code_challenge": {
"method": "S256",
"length": 64
}})
args, cv = _cli.add_code_challenge()
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
_prov = Provider(
"as",
session_db_factory("https://connect-op.heroku.com"),
{},
authn_broker,
Implicit(),
verify_client,
)
assert _prov.verify_code_challenge(cv, args["code_challenge"]) is True
assert _prov.verify_code_challenge(cv, args["code_challenge"],
"S256") is True
resp = _prov.verify_code_challenge("XXX", args["code_challenge"])
assert isinstance(resp, Response)
assert resp.info()["status_code"] == 401
def __init__(self, name, sdb, cdb, authn_broker, authz,
client_authn, symkey, urlmap=None, keyjar=None,
hostname="", configuration=None, base_url="",
client_authn_methods=None, authn_at_registration="",
client_info_url="", secret_lifetime=86400,
default_acr=""):
OAUTH2Provider.__init__(self, name, sdb, cdb, authn_broker, authz,
client_authn, symkey=symkey, urlmap=urlmap,
client_authn_methods=client_authn_methods,
authn_at_registration=authn_at_registration,
client_info_url=client_info_url,
secret_lifetime=secret_lifetime)
UmaAS.__init__(self, configuration, baseurl=base_url)
if keyjar:
self.keyjar = keyjar
else:
self.keyjar = KeyJar()
self.hostname = hostname or socket.gethostname
self.jwks_uri = []
self.endp = UmaAS.endp[:]
self.endp.extend(OAUTH2Provider.endp)
self.default_acr = default_acr
def test_pkce_verify_512():
_cli = Client(config={'code_challenge': {'method': 'S512', 'length': 96}})
args, cv = _cli.add_code_challenge()
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
_prov = Provider("as",
sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
authn_broker, Implicit(), verify_client)
assert _prov.verify_code_challenge(cv, args['code_challenge'],'S512') is True
def test_pkce_verify_512():
_cli = Client(config={'code_challenge': {'method': 'S512', 'length': 96}})
args, cv = _cli.add_code_challenge()
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
_prov = Provider("as", sdb.SessionDB(SERVER_INFO["issuer"]), CDB,
authn_broker, Implicit(), verify_client)
assert _prov.verify_code_challenge(cv, args['code_challenge'],
'S512') is True
def test_pkce_verify_512(self, session_db_factory):
_cli = Client(config={'code_challenge': {'method': 'S512', 'length': 96}})
args, cv = _cli.add_code_challenge()
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
_prov = Provider("as",
session_db_factory('https://connect-op.heroku.com'), {},
authn_broker, Implicit(), verify_client)
assert _prov.verify_code_challenge(cv, args['code_challenge'], 'S512') is True
resp = _prov.verify_code_challenge('XXX', args['code_challenge'])
assert isinstance(resp, Response)
assert resp.info()['status_code'] == 401
def test_pkce_verify_512(self, session_db_factory):
_cli = Client(config={'code_challenge': {'method': 'S512', 'length': 96}})
args, cv = _cli.add_code_challenge()
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
_prov = Provider("as",
session_db_factory('https://connect-op.heroku.com'), {},
authn_broker, Implicit(), verify_client)
assert _prov.verify_code_challenge(cv, args['code_challenge'], 'S512') is True
resp = _prov.verify_code_challenge('XXX', args['code_challenge'])
assert isinstance(resp, Response)
assert resp.info()['status_code'] == 401
def test_pkce_verify_256(session_db_factory):
_cli = Client(config={'code_challenge': {'method': 'S256', 'length': 64}})
args, cv = _cli.add_code_challenge()
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
_prov = Provider("as",
session_db_factory(SERVER_INFO["issuer"]), CDB,
authn_broker, Implicit(), verify_client)
assert _prov.verify_code_challenge(cv, args['code_challenge']) is True
assert _prov.verify_code_challenge(cv, args['code_challenge'], 'S256') is True
resp = _prov.verify_code_challenge('XXX', args['code_challenge'])
assert isinstance(resp, Response)
assert resp.info()['status_code'] == 401
def test_pkce_verify_256(session_db_factory):
_cli = Client(config={'code_challenge': {'method': 'S256', 'length': 64}})
args, cv = _cli.add_code_challenge()
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
_prov = Provider("as", session_db_factory(SERVER_INFO["issuer"]), CDB,
authn_broker, Implicit(), verify_client)
assert _prov.verify_code_challenge(cv, args['code_challenge']) is True
assert _prov.verify_code_challenge(cv, args['code_challenge'],
'S256') is True
resp = _prov.verify_code_challenge('XXX', args['code_challenge'])
assert isinstance(resp, Response)
assert resp.info()['status_code'] == 401
def create_provider(self, session_db_factory):
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
self.provider = Provider("pyoicserv",
session_db_factory(
TestProvider.SERVER_INFO["issuer"]),
TestProvider.CDB,
authn_broker,
Implicit(),
verify_client,
client_info_url="https://example.com/as",
client_authn_methods={
"client_secret_post": ClientSecretPost,
"client_secret_basic": ClientSecretBasic,
"bearer_header": BearerHeader
})
def __init__(self,
name,
sdb,
cdb,
authn_broker,
authz,
client_authn,
symkey,
urlmap=None,
keyjar=None,
hostname="",
configuration=None,
base_url="",
client_authn_methods=None,
authn_at_registration="",
client_info_url="",
secret_lifetime=86400,
default_acr=""):
OAUTH2Provider.__init__(self,
name,
sdb,
cdb,
authn_broker,
authz,
client_authn,
symkey=symkey,
urlmap=urlmap,
client_authn_methods=client_authn_methods,
authn_at_registration=authn_at_registration,
client_info_url=client_info_url,
secret_lifetime=secret_lifetime)
UmaAS.__init__(self, configuration, baseurl=base_url)
if keyjar:
self.keyjar = keyjar
else:
self.keyjar = KeyJar()
self.hostname = hostname or socket.gethostname
self.jwks_uri = []
self.endp = UmaAS.endp[:]
self.endp.extend(OAUTH2Provider.endp)
self.default_acr = default_acr
def test_pkce_verify_512(session_db_factory):
_cli = Client(config={"code_challenge": {"method": "S512", "length": 96}})
args, cv = _cli.add_code_challenge()
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
_prov = Provider(
"as",
session_db_factory(SERVER_INFO["issuer"]),
CDB,
authn_broker,
Implicit(),
verify_client,
)
assert _prov.verify_code_challenge(cv, args["code_challenge"],
"S512") is True
resp = _prov.verify_code_challenge("XXX", args["code_challenge"])
assert isinstance(resp, Response)
assert resp.info()["status_code"] == 401
def create_provider(self):
kb = KeyBundle(JWKS["keys"])
kj = KeyJar()
kj.issuer_keys[""] = [kb]
_sdb = SessionDB(
"https://example.com/",
db=DictSessionBackend(),
code_factory=DefaultToken("supersecret",
"verybadpassword",
typ="A",
lifetime=600),
token_factory=JWTToken(
"T",
keyjar=kj,
lt_pattern={
"code": 3600,
"token": 900
},
iss="https://example.com/as",
sign_alg="RS256",
),
refresh_token_factory=JWTToken(
"R",
keyjar=kj,
lt_pattern={"": 24 * 3600},
iss="https://example.com/as",
token_storage={},
),
)
# name, sdb, cdb, authn_broker, authz, client_authn,
self.provider = Provider(
"as",
_sdb,
CDB,
AUTHN_BROKER,
AUTHZ,
verify_client,
baseurl="https://example.com/as",
)
def create_provider(self):
kb = KeyBundle(JWKS["keys"])
kj = KeyJar()
kj.issuer_keys[""] = [kb]
_sdb = SessionDB(
"https://example.com/",
token_factory=JWTToken(
"T", keyjar=kj, lifetime={"code": 3600, "token": 900}, iss="https://example.com/as", sign_alg="RS256"
),
refresh_token_factory=JWTToken("R", keyjar=kj, lifetime={"": 24 * 3600}, iss="https://example.com/as"),
)
# name, sdb, cdb, authn_broker, authz, client_authn,
self.provider = Provider("as", _sdb, CDB, AUTHN_BROKER, AUTHZ, verify_client, baseurl="https://example.com/as")
def create_provider(self):
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
self.provider = Provider("pyoicserv",
sdb.SessionDB(
TestProvider.SERVER_INFO["issuer"]),
TestProvider.CDB,
authn_broker, Implicit(),
verify_client,
client_info_url="https://example.com/as",
client_authn_methods={
"client_secret_post": ClientSecretPost,
"client_secret_basic": ClientSecretBasic,
"bearer_header": BearerHeader})
def create_provider(self):
kb = KeyBundle(JWKS["keys"])
kj = KeyJar()
kj.issuer_keys[''] = [kb]
_sdb = SessionDB(
"https://example.com/",
token_factory=JWTToken('T', keyjar=kj,
lt_pattern={'code': 3600, 'token': 900},
iss='https://example.com/as',
sign_alg='RS256'),
refresh_token_factory=JWTToken(
'R', keyjar=kj, lt_pattern={'': 24 * 3600},
iss='https://example.com/as')
)
# name, sdb, cdb, authn_broker, authz, client_authn,
self.provider = Provider("as", _sdb, CDB, AUTHN_BROKER, AUTHZ,
verify_client,
baseurl='https://example.com/as')
class TestProvider(object):
SERVER_INFO = {
"version": "3.0",
"issuer": "https://connect-op.heroku.com",
"authorization_endpoint": "http://localhost:8088/authorization",
"token_endpoint": "http://localhost:8088/token",
"flows_supported": ["code", "token", "code token"],
}
CDB = {
"a1b2c3": {
"password": "******",
"client_secret": "drickyoughurt"
},
"client1": {
"client_secret": "hemlighet",
"redirect_uris": [("http://localhost:8087/authz", None)]
}
}
@pytest.fixture(autouse=True)
def create_provider(self, session_db_factory):
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
self.provider = Provider("pyoicserv",
session_db_factory(
TestProvider.SERVER_INFO["issuer"]),
TestProvider.CDB,
authn_broker,
Implicit(),
verify_client,
client_info_url="https://example.com/as",
client_authn_methods={
"client_secret_post": ClientSecretPost,
"client_secret_basic": ClientSecretBasic,
"bearer_header": BearerHeader
})
def test_registration_endpoint(self):
request = RegistrationRequest(
client_name="myself",
redirect_uris=["https://example.com/rp"],
grant_type=['authorization_code', 'implicit'])
resp = self.provider.registration_endpoint(request=request.to_json())
assert isinstance(resp, Response)
data = json.loads(resp.message)
assert data["client_name"] == "myself"
assert _eq(data["redirect_uris"], ["https://example.com/rp"])
_resp = ClientInfoResponse().from_json(resp.message)
assert "client_id" in _resp
def test_registration_uri_error(self):
args = {
"redirect_uris": [
"https://client.example.org/callback",
"https://client.example.org/callback2"
],
"client_name":
"My Example Client",
"client_name#ja-Jpan-JP":
"\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
"token_endpoint_auth_method":
"client_secret_basic",
"scope":
"read write dolphin",
# invalid logo_uri
"logo_uri":
"https://client.example.org/logo.png",
"jwks_uri":
"https://client.example.org/my_public_keys.jwks"
}
request = RegistrationRequest(**args)
resp = self.provider.registration_endpoint(request=request.to_json())
_resp = ClientRegistrationError().from_json(resp.message)
assert "error" in _resp
assert _resp["error"] == "invalid_client_metadata"
def test_client_registration_utf_8_client_name(self):
args = {
"redirect_uris": [
"https://client.example.org/callback",
"https://client.example.org/callback2"
],
"client_name":
"My Example Client",
"client_name#ja-Jpan-JP":
"\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
"token_endpoint_auth_method":
"client_secret_basic",
"scope":
"read write dolphin",
}
request = RegistrationRequest(**args)
resp = self.provider.registration_endpoint(request=request.to_json())
_resp = ClientInfoResponse().from_json(resp.message)
assert _resp[
"client_name#ja-Jpan-JP"] == "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D"
assert _resp["client_name"] == "My Example Client"
def test_client_user_info_get(self):
args = {
"redirect_uris": [
"https://client.example.org/callback",
"https://client.example.org/callback2"
],
"client_name":
"My Example Client",
"client_name#ja-Jpan-JP":
"\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
"token_endpoint_auth_method":
"client_secret_basic",
"scope":
"read write dolphin",
}
request = RegistrationRequest(**args)
resp = self.provider.registration_endpoint(request=request.to_json())
_resp = ClientInfoResponse().from_json(resp.message)
resp = self.provider.client_info_endpoint(
"GET",
environ={
"HTTP_AUTHORIZATION":
"Bearer %s" % (_resp["registration_access_token"], )
},
query="client_id=%s" % _resp["client_id"],
request=request.to_json())
_resp_cir = ClientInfoResponse().from_json(resp.message)
assert _resp == _resp_cir
def test_client_registration_update(self):
args = {
"redirect_uris": [
"https://client.example.org/callback",
"https://client.example.org/callback2"
],
"client_name":
"My Example Client",
"client_name#ja-Jpan-JP":
"\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
"token_endpoint_auth_method":
"client_secret_basic",
"scope":
"read write dolphin",
}
request = RegistrationRequest(**args)
resp = self.provider.registration_endpoint(request=request.to_json(),
environ={})
_resp = ClientInfoResponse().from_json(resp.message)
update = {
"client_id":
_resp["client_id"],
"client_secret":
_resp["client_secret"],
"redirect_uris": [
"https://client.example.org/callback",
"https://client.example.org/alt"
],
"scope":
"read write dolphin",
"grant_types": ["authorization_code", "refresh_token"],
"token_endpoint_auth_method":
"client_secret_basic",
"jwks_uri":
"https://client.example.org/my_public_keys.jwks",
"client_name":
"My New Example",
"client_name#fr":
"Mon Nouvel Exemple",
}
update_req = RegistrationRequest(**update)
resp = self.provider.client_info_endpoint(
request=update_req.to_json(),
environ={
"HTTP_AUTHORIZATION":
"Bearer %s" % (_resp["registration_access_token"], )
},
method="PUT",
query="client_id=%s" % _resp["client_id"])
_resp_up = ClientInfoResponse().from_json(resp.message)
assert _resp_up["client_id"] == update["client_id"]
assert _resp_up["client_secret"] == update["client_secret"]
assert _resp_up["redirect_uris"] == update["redirect_uris"]
assert _resp_up["scope"] == update["scope"].split()
assert _resp_up["grant_types"] == update["grant_types"]
assert _resp_up["token_endpoint_auth_method"] == update[
"token_endpoint_auth_method"]
assert _resp_up["jwks_uri"] == update["jwks_uri"]
assert _resp_up["client_name"] == update["client_name"]
assert _resp_up["client_name#fr"] == update["client_name#fr"]
#
def test_client_registration_delete(self):
args = {
"redirect_uris": [
"https://client.example.org/callback",
"https://client.example.org/callback2"
],
"client_name":
"My Example Client",
"client_name#ja-Jpan-JP":
"\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
"token_endpoint_auth_method":
"client_secret_basic",
"scope":
"read write dolphin",
}
request = RegistrationRequest(**args)
resp = self.provider.registration_endpoint(request=request.to_json(),
environ={})
_resp = ClientInfoResponse().from_json(resp.message)
resp = self.provider.client_info_endpoint(
request=request.to_json(),
environ={
"HTTP_AUTHORIZATION":
"Bearer %s" % (_resp["registration_access_token"], )
},
method="DELETE",
query="client_id=%s" % _resp["client_id"])
assert isinstance(resp, NoContent)
# A read should fail
resp = self.provider.client_info_endpoint(
"",
environ={
"HTTP_AUTHORIZATION":
"Bearer %s" % (_resp["registration_access_token"], )
},
query="client_id=%s" % _resp["client_id"])
assert isinstance(resp, Unauthorized)
def test_client_registration_with_software_statement(self):
jwks, keyjar, kidd = build_keyjar(KEYS)
fed_operator = 'https://fedop.example.org'
self.provider.keyjar[fed_operator] = keyjar['']
ss = make_software_statement(keyjar, fed_operator, client_id='foxtrot')
args = {
"redirect_uris": [
"https://client.example.org/callback",
"https://client.example.org/callback2"
],
"client_name":
"XYZ Service B",
"token_endpoint_auth_method":
"client_secret_basic",
"scope":
"read write dolphin",
'software_statement':
ss
}
request = RegistrationRequest(**args)
resp = self.provider.registration_endpoint(request=request.to_json(),
environ={})
cli_resp = ClientInfoResponse().from_json(resp.message)
assert cli_resp
authz = Implicit()
try:
capabilities = config.CAPABILITIES
except AttributeError:
capabilities = None
if args.insecure:
kwargs = {'verify_ssl': False}
else:
kwargs = {}
# Initiate the Provider
oas = Provider(config.issuer, None, cdb, broker, authz,
baseurl=config.issuer, client_authn=verify_client,
symkey=config.SYM_KEY, hostname=config.HOST,
capabilities=capabilities,
behavior=config.BEHAVIOR, **kwargs)
try:
jwks = keyjar_init(oas, config.keys, kid_template="op%d")
except Exception as err:
LOGGER.error("Key setup failed: {}".format(err))
print("Key setup failed: {}".format(err))
exit()
# oas.key_setup("static", sig={"format": "jwk", "alg": "rsa"})
else:
jwks_file_name = JWKS_FILE_NAME
f = open(jwks_file_name, "w")
for key in jwks["keys"]:
class TestProvider(object):
@pytest.fixture(autouse=True)
def create_provider(self):
kb = KeyBundle(JWKS["keys"])
kj = KeyJar()
kj.issuer_keys[""] = [kb]
_sdb = SessionDB(
"https://example.com/",
db={},
code_factory=DefaultToken(
"supersecret", "verybadpassword", typ="A", lifetime=600
),
token_factory=JWTToken(
"T",
keyjar=kj,
lt_pattern={"code": 3600, "token": 900},
iss="https://example.com/as",
sign_alg="RS256",
),
refresh_token_factory=JWTToken(
"R",
keyjar=kj,
lt_pattern={"": 24 * 3600},
iss="https://example.com/as",
token_storage={},
),
)
# name, sdb, cdb, authn_broker, authz, client_authn,
self.provider = Provider(
"as",
_sdb,
CDB,
AUTHN_BROKER,
AUTHZ,
verify_client,
baseurl="https://example.com/as",
)
def test_authorization_endpoint_faulty_redirect_uri(self):
bib = {
"state": "id-6da9ca0cc23959f5f33e8becd9b08cae",
# faulty redirect uri
"redirect_uri": "http://localhost:8087/cb",
"response_type": ["code"],
"client_id": "a1b2c3",
}
arq = AuthorizationRequest(**bib)
resp = self.provider.authorization_endpoint(request=arq.to_urlencoded())
assert resp.status_code == 400
msg = json.loads(resp.message)
assert msg["error"] == "invalid_request"
def test_authenticated(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = "https://example.com/as"
sid = rndstr(8)
args = {
"redirect_uri": "http://localhost:8087/authz",
"state": sid,
"response_type": "code",
}
url, body, ht_args, csi = client.request_info(
AuthorizationRequest, "GET", request_args=args
)
resp = self.provider.authorization_endpoint(urlparse(url).query)
assert resp.status_code == 303
resp = urlparse(resp.message).query
aresp = client.parse_authz_response(resp)
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ["state", "code", "client_id", "iss"])
assert _eq(
client.grant[sid].keys(),
["tokens", "code", "exp_in", "seed", "id_token", "grant_expiration_time"],
)
def test_authenticated_token(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = "https://example.com/as"
sid = rndstr(8)
args = {
"redirect_uri": "http://localhost:8087/authz",
"state": sid,
"response_type": "token",
}
url, body, ht_args, csi = client.request_info(
AuthorizationRequest, "GET", request_args=args
)
QUERY_STRING = url.split("?")[1]
resp = self.provider.authorization_endpoint(QUERY_STRING)
auth_resp = parse_qs(urlparse(resp.message).fragment)
assert "access_token" in auth_resp
assert auth_resp["token_type"][0] == "Bearer"
def test_token_endpoint(self):
authreq = AuthorizationRequest(
state="state", redirect_uri="http://example.com/authz", client_id="client1"
)
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ["access_token", "token_type"])
def test_token_endpoint_no_cache(self):
authreq = AuthorizationRequest(
state="state", redirect_uri="http://example.com/authz", client_id="client1"
)
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
assert resp.headers == [
("Pragma", "no-cache"),
("Cache-Control", "no-store"),
("Content-type", "application/json"),
]
def test_token_endpoint_unauth(self):
authreq = AuthorizationRequest(
state="state",
redirect_uri="http://example.com/authz",
client_id="client1",
response_type="code",
)
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client2",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = TokenErrorResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ["error_description", "error"])
def test_token_introspection(self):
authreq = AuthorizationRequest(
state="state", redirect_uri="http://example.com/authz", client_id="client1"
)
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenIntrospectionRequest(
token=atr["access_token"],
client_id="client1",
client_secret="hemlighet",
token_type_hint="access_token",
)
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json")
assert ti_resp["active"] is True
def test_token_introspection_bad_access_token(self):
req = TokenIntrospectionRequest(
token="access_token",
client_id="client1",
client_secret="hemlighet",
token_type_hint="access_token",
)
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json")
assert ti_resp["active"] is False
def test_token_introspection_bad_token_no_hint(self):
req = TokenIntrospectionRequest(
token="access_token", client_id="client1", client_secret="hemlighet"
)
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json")
assert ti_resp["active"] is False
def test_token_introspection_missing(self):
authreq = AuthorizationRequest(
state="state", redirect_uri="http://example.com/authz", client_id="client2"
)
_sdb = self.provider.sdb
self.provider.cdb["client2"] = {
"client_secret": "hemlighet",
"redirect_uris": [("http://localhost:8087/authz", None)],
"token_endpoint_auth_method": "client_secret_post",
"response_types": ["code", "token"],
}
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client2",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client2",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
# Delete the client
del self.provider.cdb["client2"]
req = TokenIntrospectionRequest(
token=atr["access_token"],
client_id="client2",
client_secret="hemlighet",
token_type_hint="access_token",
)
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json")
assert ti_resp["error"] == "unauthorized_client"
def test_token_revocation_and_introspection(self):
authreq = AuthorizationRequest(
state="state", redirect_uri="http://example.com/authz", client_id="client1"
)
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory["code"](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
"response_type": ["code"],
}
# Construct Access token request
areq = AccessTokenRequest(
code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type="authorization_code",
)
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenRevocationRequest(
token=atr["access_token"],
client_id="client1",
client_secret="hemlighet",
token_type_hint="access_token",
)
resp = self.provider.revocation_endpoint(request=req.to_urlencoded())
assert resp.status_code == 200
req2 = TokenIntrospectionRequest(
token=atr["access_token"],
client_id="client1",
client_secret="hemlighet",
token_type_hint="access_token",
)
resp = self.provider.introspection_endpoint(request=req2.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json")
assert ti_resp["active"] is False
def test_password_grant_type_ok(self):
# Set a not so dummy Authn method and token policy
self.provider.authn_broker = AUTHN_BROKER2
self.provider.set_token_policy("client1", {"grant_type": ["password"]})
areq = ROPCAccessTokenRequest(
grant_type="password", username="******", password="******"
)
areq[
"client_id"
] = "client1" # Token endpoint would fill that in based on client_authn
resp = self.provider.password_grant_type(areq)
atr = AccessTokenResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ["access_token", "token_type", "refresh_token"])
def test_password_grant_type_no_authn(self):
# Set a blank AuthnBroker
self.provider.authn_broker = AuthnBroker()
self.provider.set_token_policy("client1", {"grant_type": ["password"]})
areq = ROPCAccessTokenRequest(
grant_type="password", username="******", password="******"
)
areq[
"client_id"
] = "client1" # Token endpoint would fill that in based on client_authn
resp = self.provider.password_grant_type(areq)
atr = TokenErrorResponse().deserialize(resp.message, "json")
assert atr["error"] == "invalid_grant"
def test_password_grant_type_bad(self):
# Set a not so dummy Authn method and token policy
self.provider.authn_broker = AUTHN_BROKER2
self.provider.set_token_policy("client1", {"grant_type": ["password"]})
areq = ROPCAccessTokenRequest(
grant_type="password", username="******", password="******"
)
areq[
"client_id"
] = "client1" # Token endpoint would fill that in based on client_authn
resp = self.provider.password_grant_type(areq)
atr = TokenErrorResponse().deserialize(resp.message, "json")
assert atr["error"] == "invalid_grant"
# chooses which authentication method that is to be used.
broker = authn_setup(config)
# dealing with authorization, this is just everything goes.
authz = Implicit()
try:
capabilities = config.CAPABILITIES
except AttributeError:
capabilities = None
# Initiate the Provider
OAS = Provider(config.issuer, None, cdb, broker, authz,
baseurl=config.issuer, client_authn=verify_client,
symkey=config.SYM_KEY, hostname=config.HOST,
capabilities=capabilities,
behavior=config.BEHAVIOR)
try:
jwks = keyjar_init(OAS, config.keys, kid_template="op%d")
except Exception as err:
LOGGER.error("Key setup failed: {}".format(err))
print("Key setup failed: {}".format(err))
exit()
#OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"})
else:
jwks_file_name = JWKS_FILE_NAME
f = open(jwks_file_name, "w")
for key in jwks["keys"]:
class TestProvider(object):
SERVER_INFO = {
"version": "3.0",
"issuer": "https://connect-op.heroku.com",
"authorization_endpoint": "http://localhost:8088/authorization",
"token_endpoint": "http://localhost:8088/token",
"flows_supported": ["code", "token", "code token"],
}
CDB = {
"a1b2c3": {"password": "******", "client_secret": "drickyoughurt"},
"client1": {"client_secret": "hemlighet", "redirect_uris": [("http://localhost:8087/authz", None)]},
}
@pytest.fixture(autouse=True)
def create_provider(self):
authn_broker = AuthnBroker()
authn_broker.add("UNDEFINED", DummyAuthn(None, "username"))
self.provider = Provider(
"pyoicserv",
sdb.SessionDB(TestProvider.SERVER_INFO["issuer"]),
TestProvider.CDB,
authn_broker,
Implicit(),
verify_client,
client_info_url="https://example.com/as",
client_authn_methods={
"client_secret_post": ClientSecretPost,
"client_secret_basic": ClientSecretBasic,
"bearer_header": BearerHeader,
},
)
def test_registration_endpoint(self):
request = RegistrationRequest(client_name="myself", redirect_uris=["https://example.com/rp"])
resp = self.provider.registration_endpoint(request=request.to_json())
assert isinstance(resp, Response)
data = json.loads(resp.message)
assert data["client_name"] == "myself"
assert _eq(data["redirect_uris"], ["https://example.com/rp"])
_resp = ClientInfoResponse().from_json(resp.message)
assert "client_id" in _resp
def test_registration_uri_error(self):
args = {
"redirect_uris": ["https://client.example.org/callback", "https://client.example.org/callback2"],
"client_name": "My Example Client",
"client_name#ja-Jpan-JP": "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
"token_endpoint_auth_method": "client_secret_basic",
"scope": "read write dolphin",
# invalid logo_uri
"logo_uri": "https://client.example.org/logo.png",
"jwks_uri": "https://client.example.org/my_public_keys.jwks",
}
request = RegistrationRequest(**args)
resp = self.provider.registration_endpoint(request=request.to_json())
_resp = ClientRegistrationError().from_json(resp.message)
assert "error" in _resp
assert _resp["error"] == "invalid_client_metadata"
def test_client_registration_utf_8_client_name(self):
args = {
"redirect_uris": ["https://client.example.org/callback", "https://client.example.org/callback2"],
"client_name": "My Example Client",
"client_name#ja-Jpan-JP": "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
"token_endpoint_auth_method": "client_secret_basic",
"scope": "read write dolphin",
}
request = RegistrationRequest(**args)
resp = self.provider.registration_endpoint(request=request.to_json())
_resp = ClientInfoResponse().from_json(resp.message)
assert _resp["client_name#ja-Jpan-JP"] == "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D"
assert _resp["client_name"] == "My Example Client"
def test_client_user_info_get(self):
args = {
"redirect_uris": ["https://client.example.org/callback", "https://client.example.org/callback2"],
"client_name": "My Example Client",
"client_name#ja-Jpan-JP": "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
"token_endpoint_auth_method": "client_secret_basic",
"scope": "read write dolphin",
}
request = RegistrationRequest(**args)
resp = self.provider.registration_endpoint(request=request.to_json())
_resp = ClientInfoResponse().from_json(resp.message)
resp = self.provider.client_info_endpoint(
"GET",
environ={"HTTP_AUTHORIZATION": "Bearer %s" % (_resp["registration_access_token"],)},
query="client_id=%s" % _resp["client_id"],
request=request.to_json(),
)
_resp_cir = ClientInfoResponse().from_json(resp.message)
assert _resp == _resp_cir
def test_client_registration_update(self):
args = {
"redirect_uris": ["https://client.example.org/callback", "https://client.example.org/callback2"],
"client_name": "My Example Client",
"client_name#ja-Jpan-JP": "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
"token_endpoint_auth_method": "client_secret_basic",
"scope": "read write dolphin",
}
request = RegistrationRequest(**args)
resp = self.provider.registration_endpoint(request=request.to_json(), environ={})
_resp = ClientInfoResponse().from_json(resp.message)
update = {
"client_id": _resp["client_id"],
"client_secret": _resp["client_secret"],
"redirect_uris": ["https://client.example.org/callback", "https://client.example.org/alt"],
"scope": "read write dolphin",
"grant_types": ["authorization_code", "refresh_token"],
"token_endpoint_auth_method": "client_secret_basic",
"jwks_uri": "https://client.example.org/my_public_keys.jwks",
"client_name": "My New Example",
"client_name#fr": "Mon Nouvel Exemple",
}
update_req = RegistrationRequest(**update)
resp = self.provider.client_info_endpoint(
request=update_req.to_json(),
environ={"HTTP_AUTHORIZATION": "Bearer %s" % (_resp["registration_access_token"],)},
method="PUT",
query="client_id=%s" % _resp["client_id"],
)
_resp_up = ClientInfoResponse().from_json(resp.message)
assert _resp_up["client_id"] == update["client_id"]
assert _resp_up["client_secret"] == update["client_secret"]
assert _resp_up["redirect_uris"] == update["redirect_uris"]
assert _resp_up["scope"] == update["scope"].split()
assert _resp_up["grant_types"] == update["grant_types"]
assert _resp_up["token_endpoint_auth_method"] == update["token_endpoint_auth_method"]
assert _resp_up["jwks_uri"] == update["jwks_uri"]
assert _resp_up["client_name"] == update["client_name"]
assert _resp_up["client_name#fr"] == update["client_name#fr"]
#
def test_client_registration_delete(self):
args = {
"redirect_uris": ["https://client.example.org/callback", "https://client.example.org/callback2"],
"client_name": "My Example Client",
"client_name#ja-Jpan-JP": "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
"token_endpoint_auth_method": "client_secret_basic",
"scope": "read write dolphin",
}
request = RegistrationRequest(**args)
resp = self.provider.registration_endpoint(request=request.to_json(), environ={})
_resp = ClientInfoResponse().from_json(resp.message)
resp = self.provider.client_info_endpoint(
request=request.to_json(),
environ={"HTTP_AUTHORIZATION": "Bearer %s" % (_resp["registration_access_token"],)},
method="DELETE",
query="client_id=%s" % _resp["client_id"],
)
assert isinstance(resp, NoContent)
# A read should fail
resp = self.provider.client_info_endpoint(
"",
environ={"HTTP_AUTHORIZATION": "Bearer %s" % (_resp["registration_access_token"],)},
query="client_id=%s" % _resp["client_id"],
)
assert isinstance(resp, Unauthorized)
class TestProvider(object):
@pytest.fixture(autouse=True)
def create_provider(self):
kb = KeyBundle(JWKS["keys"])
kj = KeyJar()
kj.issuer_keys[''] = [kb]
_sdb = SessionDB(
"https://example.com/",
token_factory=JWTToken('T', keyjar=kj,
lt_pattern={'code': 3600, 'token': 900},
iss='https://example.com/as',
sign_alg='RS256'),
refresh_token_factory=JWTToken(
'R', keyjar=kj, lt_pattern={'': 24 * 3600},
iss='https://example.com/as')
)
# name, sdb, cdb, authn_broker, authz, client_authn,
self.provider = Provider("as", _sdb, CDB, AUTHN_BROKER, AUTHZ,
verify_client,
baseurl='https://example.com/as')
def test_authorization_endpoint_faulty_redirect_uri(self):
bib = {"state": "id-6da9ca0cc23959f5f33e8becd9b08cae",
# faulty redirect uri
"redirect_uri": "http://localhost:8087/cb",
"response_type": ["code"],
"client_id": "a1b2c3"}
arq = AuthorizationRequest(**bib)
resp = self.provider.authorization_endpoint(request=arq.to_urlencoded())
assert resp.status == "400 Bad Request"
msg = json.loads(resp.message)
assert msg["error"] == "invalid_request"
def test_authenticated(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = 'https://example.com/as'
sid = rndstr(8)
args = {
'redirect_uri': "http://localhost:8087/authz",
"state": sid, "response_type": 'code'}
url, body, ht_args, csi = client.request_info(
AuthorizationRequest, 'GET', request_args=args)
resp = self.provider.authorization_endpoint(urlparse(url).query)
assert resp.status == "303 See Other"
resp = urlparse(resp.message).query
aresp = client.parse_authz_response(resp)
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss'])
assert _eq(client.grant[sid].keys(), ['tokens', 'code', 'exp_in',
'seed', 'id_token',
'grant_expiration_time'])
def test_authenticated_token(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = 'https://example.com/as'
sid = rndstr(8)
args = {'redirect_uri': "http://localhost:8087/authz", "state": sid,
"response_type": 'token'}
url, body, ht_args, csi = client.request_info(AuthorizationRequest,
'GET', request_args=args)
QUERY_STRING = url.split("?")[1]
resp = self.provider.authorization_endpoint(QUERY_STRING)
auth_resp = parse_qs(urlparse(resp.message).fragment)
assert "access_token" in auth_resp
assert auth_resp["token_type"][0] == "Bearer"
def test_token_endpoint(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ['access_token', 'token_type'])
def test_token_endpoint_unauth(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1",
response_type='code')
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client2",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = TokenErrorResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ['error_description', 'error'])
def test_token_introspection(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenIntrospectionRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, 'json')
assert ti_resp['active'] is True
def test_token_revocation_and_introspection(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenRevocationRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.revocation_endpoint(request=req.to_urlencoded())
assert resp.status == '200 OK'
req = TokenIntrospectionRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, 'json')
assert ti_resp['active'] is False
# chooses which authentication method that is to be used.
broker = authn_setup(config)
# dealing with authorization, this is just everything goes.
authz = Implicit()
try:
capabilities = config.CAPABILITIES
except AttributeError:
capabilities = None
# Initiate the Provider
OAS = Provider(config.issuer, None, cdb, broker, authz,
baseurl=config.issuer, client_authn=verify_client,
symkey=config.SYM_KEY, hostname=config.HOST,
capabilities=capabilities,
behavior=config.BEHAVIOR)
try:
jwks = keyjar_init(OAS, config.keys, kid_template="op%d")
except Exception as err:
LOGGER.error("Key setup failed: {}".format(err))
print("Key setup failed: {}".format(err))
exit()
#OAS.key_setup("static", sig={"format": "jwk", "alg": "rsa"})
else:
jwks_file_name = JWKS_FILE_NAME
f = open(jwks_file_name, "w")
for key in jwks["keys"]:
capabilities = config.CAPABILITIES
except AttributeError:
capabilities = None
if args.insecure:
kwargs = {'verify_ssl': False}
else:
kwargs = {}
# Initiate the Provider
oas = Provider(config.issuer,
None,
cdb,
broker,
authz,
baseurl=config.issuer,
client_authn=verify_client,
symkey=config.SYM_KEY,
hostname=config.HOST,
capabilities=capabilities,
behavior=config.BEHAVIOR,
**kwargs)
try:
jwks = keyjar_init(oas, config.keys, kid_template="op%d")
except Exception as err:
LOGGER.error("Key setup failed: {}".format(err))
print("Key setup failed: {}".format(err))
exit()
# oas.key_setup("static", sig={"format": "jwk", "alg": "rsa"})
else:
jwks_file_name = JWKS_FILE_NAME
class TestProvider(object):
@pytest.fixture(autouse=True)
def create_provider(self):
kb = KeyBundle(JWKS["keys"])
kj = KeyJar()
kj.issuer_keys[''] = [kb]
_sdb = SessionDB(
"https://example.com/",
db={},
code_factory=DefaultToken('supersecret', 'verybadpassword',
typ='A', lifetime=600),
token_factory=JWTToken('T', keyjar=kj,
lt_pattern={'code': 3600, 'token': 900},
iss='https://example.com/as',
sign_alg='RS256'),
refresh_token_factory=JWTToken(
'R', keyjar=kj, lt_pattern={'': 24 * 3600},
iss='https://example.com/as')
)
# name, sdb, cdb, authn_broker, authz, client_authn,
self.provider = Provider("as", _sdb, CDB, AUTHN_BROKER, AUTHZ,
verify_client,
baseurl='https://example.com/as')
def test_authorization_endpoint_faulty_redirect_uri(self):
bib = {"state": "id-6da9ca0cc23959f5f33e8becd9b08cae",
# faulty redirect uri
"redirect_uri": "http://localhost:8087/cb",
"response_type": ["code"],
"client_id": "a1b2c3"}
arq = AuthorizationRequest(**bib)
resp = self.provider.authorization_endpoint(request=arq.to_urlencoded())
assert resp.status == "400 Bad Request"
msg = json.loads(resp.message)
assert msg["error"] == "invalid_request"
def test_authenticated(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = 'https://example.com/as'
sid = rndstr(8)
args = {
'redirect_uri': "http://localhost:8087/authz",
"state": sid, "response_type": 'code'}
url, body, ht_args, csi = client.request_info(
AuthorizationRequest, 'GET', request_args=args)
resp = self.provider.authorization_endpoint(urlparse(url).query)
assert resp.status == "303 See Other"
resp = urlparse(resp.message).query
aresp = client.parse_authz_response(resp)
assert isinstance(aresp, AuthorizationResponse)
assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss'])
assert _eq(client.grant[sid].keys(), ['tokens', 'code', 'exp_in',
'seed', 'id_token',
'grant_expiration_time'])
def test_authenticated_token(self):
client = Client(**CLIENT_CONFIG)
client.authorization_endpoint = 'https://example.com/as'
sid = rndstr(8)
args = {'redirect_uri': "http://localhost:8087/authz", "state": sid,
"response_type": 'token'}
url, body, ht_args, csi = client.request_info(AuthorizationRequest,
'GET', request_args=args)
QUERY_STRING = url.split("?")[1]
resp = self.provider.authorization_endpoint(QUERY_STRING)
auth_resp = parse_qs(urlparse(resp.message).fragment)
assert "access_token" in auth_resp
assert auth_resp["token_type"][0] == "Bearer"
def test_token_endpoint(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ['access_token', 'token_type'])
def test_token_endpoint_no_cache(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
assert resp.headers == [('Pragma', 'no-cache'), ('Cache-Control', 'no-store'),
('Content-type', 'application/json')]
def test_token_endpoint_unauth(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1",
response_type='code')
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client2",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = TokenErrorResponse().deserialize(resp.message, "json")
assert _eq(atr.keys(), ['error_description', 'error'])
def test_token_introspection(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenIntrospectionRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, 'json')
assert ti_resp['active'] is True
def test_token_revocation_and_introspection(self):
authreq = AuthorizationRequest(state="state",
redirect_uri="http://example.com/authz",
client_id="client1")
_sdb = self.provider.sdb
sid = _sdb.access_token.key(user="******", areq=authreq)
access_grant = _sdb.token_factory['code'](sid=sid)
_sdb[sid] = {
"oauth_state": "authz",
"sub": "sub",
"authzreq": authreq.to_json(),
"client_id": "client1",
"code": access_grant,
"code_used": False,
"redirect_uri": "http://example.com/authz",
'response_type': ['code']
}
# Construct Access token request
areq = AccessTokenRequest(code=access_grant,
redirect_uri="http://example.com/authz",
client_id="client1",
client_secret="hemlighet",
grant_type='authorization_code')
resp = self.provider.token_endpoint(request=areq.to_urlencoded())
atr = AccessTokenResponse().deserialize(resp.message, "json")
req = TokenRevocationRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.revocation_endpoint(request=req.to_urlencoded())
assert resp.status == '200 OK'
req = TokenIntrospectionRequest(token=atr['access_token'],
client_id="client1",
client_secret="hemlighet",
token_type_hint='access_token')
resp = self.provider.introspection_endpoint(request=req.to_urlencoded())
assert resp
ti_resp = TokenIntrospectionResponse().deserialize(resp.message, 'json')
assert ti_resp['active'] is False