def create_op(self): op_root_key = rsa_key() op_registration_data = dict(root_key=json.dumps(op_root_key.serialize(private=False))) op_software_statement = Federation(TestOP.federation_key).create_software_statement(op_registration_data) self.op = OP( ISSUER, op_root_key, [op_software_statement], [TestOP.federation_key], "{}/signed_jwks".format(ISSUER), Provider(ISSUER, None, {}, None, None, None, None, None), )
class TestOP(object): federation_key = sym_key() @pytest.fixture(autouse=True) def create_op(self): op_root_key = rsa_key() op_registration_data = dict(root_key=json.dumps(op_root_key.serialize(private=False))) op_software_statement = Federation(TestOP.federation_key).create_software_statement(op_registration_data) self.op = OP( ISSUER, op_root_key, [op_software_statement], [TestOP.federation_key], "{}/signed_jwks".format(ISSUER), Provider(ISSUER, None, {}, None, None, None, None, None), ) def test_provider_configuration(self): provider_config = json.loads(self.op.provider_configuration().message) assert provider_config["issuer"] == ISSUER assert provider_config["software_statements"] == self.op.software_statements_jws assert provider_config["signing_key"] == self.op.signed_intermediate_key assert provider_config["signed_jwks_uri"] == self.op.signed_jwks_uri _jws = JWS() assert _jws.is_jws(provider_config["signed_metadata"]) assert _jws.jwt.headers["kid"] == self.op.intermediate_key.kid expected_metadata_parameters = set(provider_config.keys()) expected_metadata_parameters.remove("signed_metadata") actual_metadata_parameters = ( JWS().verify_compact(provider_config["signed_metadata"], keys=[self.op.intermediate_key]).keys() ) assert set(actual_metadata_parameters) == expected_metadata_parameters def test_register_client(self): federation = Federation(TestOP.federation_key) rp_root_key = rsa_key() rp_intermediate_key = rsa_key() rp_signed_intermediate_key = JWS( json.dumps(rp_intermediate_key.serialize(private=False)), alg=rp_root_key.alg ).sign_compact(keys=[rp_root_key]) rp_software_statement = federation.create_software_statement( dict(root_key=rp_root_key.serialize(private=False), response_types=["code"]) ) client_metadata = { "signing_key": rp_signed_intermediate_key, "signed_jwks_uri": "https://rp.example.com/signed_jwks", "software_statements": [rp_software_statement], "redirect_uris": ["https://rp.example.com"], "response_types": ["id_token"], } req = FederationRegistrationRequest(**client_metadata) signature = SignedHttpRequest(rp_intermediate_key).sign(rp_intermediate_key.alg, body=req.to_json()) response = self.op.register_client("pop {}".format(signature), req.to_json()) client_metadata = json.loads(response.message) registration_response = FederationRegistrationResponse().from_dict(client_metadata) assert registration_response.verify() assert "client_id" in registration_response assert registration_response["provider_software_statement"] == self.op.software_statements_jws[0] assert registration_response["response_types"] == ["code"] @pytest.mark.parametrize("authz_header", [None, ""]) def test_register_client_reject_request_without_authorization(self, authz_header): with pytest.raises(OIDCFederationError) as exc: self.op.register_client(authz_header, None) assert "Authorization" in str(exc.value) def test_register_client_rejects_request_with_wrong_auth_scheme(self): with pytest.raises(OIDCFederationError) as exc: self.op.register_client("Basic foobar", None) assert "Authentication scheme" in str(exc.value)