def client_authentication(self,
request: Message,
http_info: Optional[dict] = None,
**kwargs):
"""
Do client authentication
:param request: Parsed request, a self.request_cls class instance
:param http_info: HTTP headers, URL used and cookies.
:return: client_id or raise an exception
"""
if "endpoint" not in kwargs:
kwargs["endpoint"] = self
authn_info = verify_client(
endpoint_context=self.server_get("endpoint_context"),
request=request,
http_info=http_info,
get_client_id_from_token=self.get_client_id_from_token,
**kwargs)
LOGGER.debug("authn_info: %s", authn_info)
if authn_info == {} and self.client_authn_method and len(
self.client_authn_method):
LOGGER.debug("client_authn_method: %s", self.client_authn_method)
raise UnAuthorizedClient("Authorization failed")
return authn_info
def test_verify_client_jws_authn_method(self):
client_keyjar = KeyJar()
client_keyjar.import_jwks(KEYJAR.export_jwks(private=True),
CONF["issuer"])
# The only own key the client has a this point
client_keyjar.add_symmetric("", client_secret, ["sig"])
_jwt = JWT(client_keyjar, iss=client_id, sign_alg="HS256")
# Audience is OP issuer ID
aud = "{}token".format(CONF["issuer"]) # aud == Token endpoint
_assertion = _jwt.pack({"aud": [aud]})
request = {
"client_assertion": _assertion,
"client_assertion_type": JWT_BEARER
}
http_info = {"headers": {}}
res = verify_client(
self.endpoint_context,
request,
http_info=http_info,
endpoint=self.server.server_get("endpoint", "token"),
)
assert res["method"] == "client_secret_jwt"
assert res["client_id"] == "client_id"
def test_verify_client_registration_none(self):
# This is when no special auth method is configured
request = {"redirect_uris": ["https://example.com/cb"]}
res = verify_client(
self.endpoint_context,
request,
endpoint=self.server.server_get("endpoint", "registration"),
)
assert res == {}
def test_verify_client_client_secret_post(self):
request = {"client_id": client_id, "client_secret": client_secret}
res = verify_client(
self.endpoint_context,
request,
endpoint=self.server.server_get("endpoint", "token"),
)
assert set(res.keys()) == {"method", "client_id"}
assert res["method"] == "client_secret_post"
def test_verify_client_authorization_none(self):
# This is when it's explicitly said that no client auth method is allowed
request = {"client_id": client_id}
res = verify_client(
self.endpoint_context,
request,
endpoint=self.server.server_get("endpoint", "authorization"),
)
assert res["method"] == "none"
assert res["client_id"] == "client_id"
def test_verify_client_bearer_body(self):
request = {"access_token": "1234567890", "client_id": client_id}
self.endpoint_context.registration_access_token[
"1234567890"] = client_id
res = verify_client(
self.endpoint_context,
request,
get_client_id_from_token=get_client_id_from_token,
endpoint=self.server.server_get("endpoint", "userinfo"),
)
assert set(res.keys()) == {"token", "method", "client_id"}
assert res["method"] == "bearer_body"
def test_verify_client_client_secret_basic(self):
_token = "{}:{}".format(client_id, client_secret)
token = as_unicode(base64.b64encode(as_bytes(_token)))
authz_token = "Basic {}".format(token)
http_info = {"headers": {"authorization": authz_token}}
res = verify_client(
self.endpoint_context,
{},
http_info=http_info,
endpoint=self.server.server_get("endpoint", "token"),
)
assert set(res.keys()) == {"method", "client_id"}
assert res["method"] == "client_secret_basic"
def test_verify_client_bearer_header(self):
# A prerequisite for the get_client_id_from_token function
self.endpoint_context.registration_access_token[
"1234567890"] = client_id
token = "Bearer 1234567890"
http_info = {"headers": {"authorization": token}}
request = {"client_id": client_id}
res = verify_client(
self.endpoint_context,
request,
http_info=http_info,
get_client_id_from_token=get_client_id_from_token,
endpoint=self.server.server_get("endpoint", "authorization"),
)
assert set(res.keys()) == {"token", "method", "client_id"}
assert res["method"] == "bearer_header"