예제 #1
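def test_verify_client_bearer_header():
    """Check that ``Bearer`` authorization info is reported as ``bearer_header``.

    ``verify_client`` is called once with keyword arguments and once with the
    same arguments passed positionally. Both results are asserted, so a
    regression in either calling form fails the test instead of being
    overwritten by the second call.
    """
    # Register the token -> client mapping before verifying; presumably this
    # is what get_client_id_from_token resolves the bearer token against.
    endpoint_context.registration_access_token["1234567890"] = client_id
    token = "Bearer 1234567890"
    request = {"client_id": client_id}

    by_keyword = verify_client(
        endpoint_context,
        request,
        authorization_info=token,
        get_client_id_from_token=get_client_id_from_token,
    )
    by_position = verify_client(endpoint_context, request, token,
                                get_client_id_from_token)

    for res in (by_keyword, by_position):
        assert set(res.keys()) == {"token", "method", "client_id"}
        assert res["method"] == "bearer_header"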
예제 #2
    def client_authentication(self, request, auth=None, **kwargs):
        """
        Authenticate the client that sent the request.

        :param request: Parsed request, a self.request_cls class instance
        :param auth: Authorization info, handed to verify_client
        :param kwargs: Extra keyword arguments, handed to verify_client
        :return: The authentication information from verify_client, or an
            empty dictionary when no method could be applied and the endpoint
            either has no client authentication methods configured or lists
            "none" among them.
        :raises UnknownOrNoAuthnMethod: re-raised when the endpoint has
            methods configured and "none" is not one of them
        :raises UnAuthorizedClient: when verify_client returned nothing
            although the endpoint has methods configured
        """
        allowed_methods = self.client_authn_method

        try:
            authn_info = verify_client(self.endpoint_context, request, auth,
                                       self.get_client_id_from_token, **kwargs)
        except UnknownOrNoAuthnMethod:
            # An empty result means "nothing was verified"; callers must not
            # read it as an authenticated client identity.
            if allowed_methods is None or "none" in allowed_methods:
                return {}
            raise

        # An empty result is only acceptable when no method is configured.
        nothing_verified = authn_info == {}
        if nothing_verified and allowed_methods and len(allowed_methods):
            raise UnAuthorizedClient("Authorization failed")

        return authn_info
예제 #3
    def client_authentication(self, request, auth=None, **kwargs):
        """
        Authenticate the client behind a request.

        Any exception from verify_client, and a result without a client_id,
        is turned into an "unauthorized_client" error object rather than
        being raised.

        :param request: The refresh access token request
        :param auth: Client authentication information
        :param kwargs: Extra keyword arguments (not used here)
        :return: dictionary containing client id, client authentication method
            and possibly access token, or a self.error_cls instance on failure.
        """
        try:
            auth_info = verify_client(self.endpoint_context, request, auth)
        except Exception as err:
            # Fails closed: whatever went wrong, the client is not accepted.
            # NOTE(review): the exception text is copied into
            # error_description; confirm that nothing internal can reach the
            # requester this way.
            msg = "Failed to verify client due to: {}".format(err)
            logger.error(msg)
            return self.error_cls(error="unauthorized_client",
                                  error_description=msg)

        if "client_id" in auth_info:
            return auth_info

        # Verification did not raise but did not identify a client either.
        logger.error("No client_id, authentication failed")
        return self.error_cls(error="unauthorized_client",
                              error_description="unknown client")
예제 #4
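    def client_authentication(self, request, auth=None, **kwargs):
        """
        Authenticate the client and check that an allowed method was used.

        :param request: Parsed request, a self.request_cls class instance
        :param auth: Authorization info, handed to verify_client
        :param kwargs: Extra keyword arguments, handed to verify_client
        :return: The authentication information from verify_client, or an
            empty dictionary when no method could be applied and the endpoint
            either has no client authentication methods configured or lists
            "none" among them.
        :raises UnknownOrNoAuthnMethod: re-raised when the endpoint has
            methods configured and "none" is not one of them
        :raises WrongAuthnMethod: when the method reported by verify_client
            is missing or is not one of the configured methods
        """
        allowed_methods = self.client_authn_method

        try:
            authn_info = verify_client(self.endpoint_context, request, auth,
                                       self.get_client_id_from_token, **kwargs)
        except UnknownOrNoAuthnMethod:
            # An empty result means "nothing was verified"; callers must not
            # read it as an authenticated client identity.
            if allowed_methods is None or "none" in allowed_methods:
                return {}
            raise

        # No methods configured: the branch above already treats that as
        # "no client authentication required", so there is nothing to compare
        # against. Without this guard the membership test below raises
        # TypeError on None.
        if allowed_methods is None:
            return authn_info

        # .get() instead of indexing: a result without a "method" entry is
        # rejected as a wrong method rather than surfacing as a KeyError.
        if authn_info.get("method") not in allowed_methods:
            LOGGER.warning("Wrong client authentication method was used")
            raise WrongAuthnMethod("Wrong authn method")

        return authn_info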
예제 #5
def test_verify_client_client_secret_basic():
    """Check that HTTP Basic credentials map to ``client_secret_basic``."""
    # Basic scheme: base64 of "<client_id>:<client_secret>".
    credentials = "{}:{}".format(client_id, client_secret)
    encoded = as_unicode(base64.b64encode(as_bytes(credentials)))

    # Empty request: everything needed comes from the authorization info.
    res = verify_client(endpoint_context, {}, "Basic {}".format(encoded))

    # The result names the client and the method; the secret is not in it.
    assert set(res.keys()) == {"method", "client_id"}
    assert res["method"] == "client_secret_basic"
예제 #6
def test_verify_client_bearer_body():
    """Check that an access token in the request body maps to ``bearer_body``."""
    access_token = "1234567890"
    # Register the token -> client mapping before verifying; presumably this
    # is what get_client_id_from_token resolves the token against.
    endpoint_context.registration_access_token[access_token] = client_id

    # No authorization info is passed: the token travels in the request.
    request = {"access_token": access_token, "client_id": client_id}
    res = verify_client(
        endpoint_context,
        request,
        get_client_id_from_token=get_client_id_from_token,
    )

    assert set(res.keys()) == {"token", "method", "client_id"}
    assert res["method"] == "bearer_body"
예제 #7
 def test_verify_client_registration_none(self):
     """Registration endpoint with no special auth method configured."""
     # The request carries neither credentials nor a client_id.
     registration_request = {"redirect_uris": ["https://example.com/cb"]}

     outcome = verify_client(
         self.endpoint_context,
         registration_request,
         authorization_info=None,
         endpoint="registration",
     )

     # Nothing was verified, so nothing is reported: no method, no client.
     assert outcome == {}
예제 #8
    def client_authentication(self, request, auth=None, **kwargs):
        """
        Authenticate the client by delegating to verify_client.

        :param request: Parsed request, a self.request_cls class instance
        :param auth: Authorization info
        :param kwargs: Accepted but not used here
        :return: Whatever verify_client returns; its exceptions propagate
            to the caller unchanged
        """
        context = self.endpoint_context
        authn_info = verify_client(context, request, auth)
        return authn_info
예제 #9
 def test_verify_client_authorization_none(self):
     """Authorization endpoint where "no client auth" is explicitly allowed."""
     # Only a client_id is presented, no credentials of any kind.
     authz_request = {"client_id": client_id}

     outcome = verify_client(
         self.endpoint_context,
         authz_request,
         authorization_info=None,
         endpoint="authorization",
     )

     # The client is identified but reported with method "none", i.e. its
     # identity was claimed, not proven.
     assert outcome["method"] == "none"
     assert outcome["client_id"] == "client_id"
예제 #10
    def test_verify_client_bearer_header(self):
        """Bearer authorization info at the authorization endpoint."""
        access_token = "1234567890"
        # A prerequisite for the get_client_id_from_token function
        self.endpoint_context.registration_access_token[access_token] = client_id

        outcome = verify_client(
            self.endpoint_context,
            {"client_id": client_id},
            authorization_info="Bearer 1234567890",
            get_client_id_from_token=get_client_id_from_token,
            endpoint="authorization",
        )

        assert set(outcome.keys()) == {"token", "method", "client_id"}
        assert outcome["method"] == "bearer_header"
예제 #11
    def client_authentication(self, request, auth=None, **kwargs):
        """
        Authenticate the client behind a request.

        Any exception from verify_client, and a result without a client_id,
        is turned into an "unauthorized_client" error object rather than
        being raised.

        :param request: The request to authenticate
        :param auth: Client authentication information
        :param kwargs: Extra keyword arguments (not used here)
        :return: The dictionary returned by verify_client, or a
            self.error_cls instance on failure
        """
        try:
            auth_info = verify_client(self.endpoint_context, request, auth)
        except Exception as err:
            # Fails closed: whatever went wrong, the client is not accepted.
            # NOTE(review): the exception text is copied into
            # error_description; confirm that nothing internal can reach the
            # requester this way.
            msg = "Failed to verify client due to: {}".format(err)
            logger.error(msg)
            return self.error_cls(error="unauthorized_client",
                                  error_description=msg)

        if 'client_id' in auth_info:
            return auth_info

        # Verification did not raise but did not identify a client either.
        logger.error('No client_id, authentication failed')
        return self.error_cls(error="unauthorized_client",
                              error_description='unknown client')
예제 #12
    def test_verify_client_jws_authn_method(self):
        """A client assertion signed with the shared secret at the token endpoint."""
        issuer = CONF["issuer"]

        client_keyjar = KeyJar()
        client_keyjar[issuer] = KEYJAR.issuer_keys[""]
        # The only key of its own that the client has at this point
        client_keyjar.add_symmetric("", client_secret, ["sig"])

        # HS256: the assertion is signed with the symmetric client secret.
        signer = JWT(client_keyjar, iss=client_id, sign_alg="HS256")
        # Audience is the OP issuer ID with "token" appended
        audience = issuer + "token"
        assertion = signer.pack({"aud": [audience]})

        request = {
            "client_assertion": assertion,
            "client_assertion_type": JWT_BEARER,
        }

        outcome = verify_client(self.endpoint_context, request, endpoint="token")
        assert outcome["method"] == "client_secret_jwt"
        assert outcome["client_id"] == "client_id"
예제 #13
def test_verify_client_client_secret_post():
    """Check that credentials in the request body map to ``client_secret_post``."""
    # Id and secret both travel in the request; no authorization info is given.
    credentials_in_body = {"client_id": client_id, "client_secret": client_secret}
    outcome = verify_client(endpoint_context, credentials_in_body)

    # The result names the client and the method; the secret is not in it.
    assert set(outcome.keys()) == {"method", "client_id"}
    assert outcome["method"] == "client_secret_post"