def test_oauth2_implicit_flow_token_is_reused_if_only_nonce_differs(
token_cache, responses: RequestsMock, browser_mock: BrowserMock):
auth1 = requests_auth.OAuth2Implicit(
"http://provide_token?response_type=custom_token&nonce=1",
token_field_name="custom_token",
)
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=custom_token&state=67b95d2c7555751d1d72c97c7cd9ad6630c8395e0eaa51ee86ac7e451211ded9cd98a7190848789fe93632d8960425710e93f1f5549c6c6bc328bf3865a85ff2&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F&nonce=%5B%271%27%5D",
reply_url="http://localhost:5000",
data=
f"custom_token={token}&state=67b95d2c7555751d1d72c97c7cd9ad6630c8395e0eaa51ee86ac7e451211ded9cd98a7190848789fe93632d8960425710e93f1f5549c6c6bc328bf3865a85ff2",
)
assert get_header(responses,
auth1).get("Authorization") == f"Bearer {token}"
auth2 = requests_auth.OAuth2Implicit(
"http://provide_token?response_type=custom_token&nonce=2",
token_field_name="custom_token",
)
response = requests.get("http://authorized_only", auth=auth2)
# Return headers received on this dummy URL
assert response.request.headers.get("Authorization") == f"Bearer {token}"
tab.assert_success(
"You are now authenticated on 67b95d2c7555751d1d72c97c7cd9ad6630c8395e0eaa51ee86ac7e451211ded9cd98a7190848789fe93632d8960425710e93f1f5549c6c6bc328bf3865a85ff2. You may close this tab."
)
def test_oauth2_implicit_flow_token_is_not_reused_if_a_url_parameter_is_changing(
token_cache, responses: RequestsMock, browser_mock: BrowserMock):
auth1 = requests_auth.OAuth2Implicit(
"http://provide_token?response_type=custom_token&fake_param=1",
token_field_name="custom_token",
)
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
first_token = create_token(expiry_in_1_hour)
tab1 = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=custom_token&fake_param=1&state=5652a8138e3a99dab7b94532c73ed5b10f19405316035d1efdc8bf7e0713690485254c2eaff912040eac44031889ef0a5ed5730c8a111541120d64a898c31afe&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=
f"custom_token={first_token}&state=5652a8138e3a99dab7b94532c73ed5b10f19405316035d1efdc8bf7e0713690485254c2eaff912040eac44031889ef0a5ed5730c8a111541120d64a898c31afe",
)
assert get_header(responses,
auth1).get("Authorization") == f"Bearer {first_token}"
# Ensure that the new token is different than previous one
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(
hours=1, seconds=1)
auth2 = requests_auth.OAuth2Implicit(
"http://provide_token?response_type=custom_token&fake_param=2",
token_field_name="custom_token",
)
second_token = create_token(expiry_in_1_hour)
tab2 = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=custom_token&fake_param=2&state=5c3940ccf78ac6e7d6d8d06782d9fd95a533aa5425b616eaa38dc3ec9508fbd55152c58a0d8dd8a087e76b77902559285819a41cb78ce8713e5a3b974bf07ce9&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=
f"custom_token={second_token}&state=5c3940ccf78ac6e7d6d8d06782d9fd95a533aa5425b616eaa38dc3ec9508fbd55152c58a0d8dd8a087e76b77902559285819a41cb78ce8713e5a3b974bf07ce9",
)
response = requests.get("http://authorized_only", auth=auth2)
# Return headers received on this dummy URL
assert response.request.headers.get(
"Authorization") == f"Bearer {second_token}"
tab1.assert_success(
"You are now authenticated on 5652a8138e3a99dab7b94532c73ed5b10f19405316035d1efdc8bf7e0713690485254c2eaff912040eac44031889ef0a5ed5730c8a111541120d64a898c31afe. You may close this tab."
)
tab2.assert_success(
"You are now authenticated on 5c3940ccf78ac6e7d6d8d06782d9fd95a533aa5425b616eaa38dc3ec9508fbd55152c58a0d8dd8a087e76b77902559285819a41cb78ce8713e5a3b974bf07ce9. You may close this tab."
)
def test_oauth2_implicit_flow_token_is_requested_again_if_expired(
token_cache, responses: RequestsMock, browser_mock: BrowserMock):
auth = requests_auth.OAuth2Implicit("http://provide_token")
# This token will expires in 100 milliseconds
expiry_in_1_second = datetime.datetime.utcnow() + datetime.timedelta(
milliseconds=100)
first_token = create_token(expiry_in_1_second)
tab1 = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=
f"access_token={first_token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
)
assert get_header(responses,
auth).get("Authorization") == f"Bearer {first_token}"
# Wait to ensure that the token will be considered as expired
time.sleep(0.2)
# Token should now be expired, a new one should be requested
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
second_token = create_token(expiry_in_1_hour)
tab2 = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=
f"access_token={second_token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
)
response = requests.get("http://authorized_only", auth=auth)
# Return headers received on this dummy URL
assert response.request.headers.get(
"Authorization") == f"Bearer {second_token}"
tab1.assert_success(
"You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab."
)
tab2.assert_success(
"You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab."
)
def test_state_change(token_cache, responses: RequestsMock,
browser_mock: BrowserMock):
auth = requests_auth.OAuth2Implicit("http://provide_token")
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=f"access_token={token}&state=123456",
)
assert get_header(responses,
auth).get("Authorization") == f"Bearer {token}"
tab.assert_success(
"You are now authenticated on 123456. You may close this tab.")
def test_oauth2_implicit_flow_expects_token_in_id_token_if_response_type_in_url_is_id_token(
token_cache, responses: RequestsMock, browser_mock: BrowserMock):
auth = requests_auth.OAuth2Implicit(
"http://provide_token?response_type=id_token")
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=id_token&state=87c4108ec0eb03599335333a40434a36674269690b6957fef684bfb6c5a849ce660ef7031aa874c44d67cd3eada8febdfce41efb1ed3bc53a0a7e716cbba025a&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=
f"id_token={token}&state=87c4108ec0eb03599335333a40434a36674269690b6957fef684bfb6c5a849ce660ef7031aa874c44d67cd3eada8febdfce41efb1ed3bc53a0a7e716cbba025a",
)
assert get_header(responses,
auth).get("Authorization") == f"Bearer {token}"
tab.assert_success(
"You are now authenticated on 87c4108ec0eb03599335333a40434a36674269690b6957fef684bfb6c5a849ce660ef7031aa874c44d67cd3eada8febdfce41efb1ed3bc53a0a7e716cbba025a. You may close this tab."
)
def test_oauth2_implicit_flow_post_failure_if_state_is_not_provided(
token_cache, browser_mock: BrowserMock):
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=f"access_token={token}",
)
with pytest.raises(requests_auth.StateNotProvided) as exception_info:
requests.get(
"http://authorized_only",
auth=requests_auth.OAuth2Implicit("http://provide_token"),
)
assert (str(exception_info.value) ==
f"state not provided within {{'access_token': ['{token}']}}.")
tab.assert_failure(
f"Unable to properly perform authentication: state not provided within {{'access_token': ['{token}']}}."
)
def test_oauth2_implicit_flow_token_can_be_requested_on_a_custom_server_port(
token_cache, responses: RequestsMock, browser_mock: BrowserMock):
# TODO Should use a method to retrieve a free port instead
available_port = 5002
auth = requests_auth.OAuth2Implicit("http://provide_token",
redirect_uri_port=available_port)
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5002%2F",
reply_url="http://localhost:5002",
data=
f"access_token={token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
)
assert get_header(responses,
auth).get("Authorization") == f"Bearer {token}"
tab.assert_success(
"You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab."
)
def test_oauth2_implicit_flow_can_send_a_custom_response_type_and_expects_token_to_be_received_with_this_name(
token_cache, responses: RequestsMock, browser_mock: BrowserMock):
auth = requests_auth.OAuth2Implicit(
"http://provide_token",
response_type="custom_token",
token_field_name="custom_token",
)
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=custom_token&state=67b95d2c7555751d1d72c97c7cd9ad6630c8395e0eaa51ee86ac7e451211ded9cd98a7190848789fe93632d8960425710e93f1f5549c6c6bc328bf3865a85ff2&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=
f"custom_token={token}&state=67b95d2c7555751d1d72c97c7cd9ad6630c8395e0eaa51ee86ac7e451211ded9cd98a7190848789fe93632d8960425710e93f1f5549c6c6bc328bf3865a85ff2",
)
assert get_header(responses,
auth).get("Authorization") == f"Bearer {token}"
tab.assert_success(
"You are now authenticated on 67b95d2c7555751d1d72c97c7cd9ad6630c8395e0eaa51ee86ac7e451211ded9cd98a7190848789fe93632d8960425710e93f1f5549c6c6bc328bf3865a85ff2. You may close this tab."
)
def test_oauth2_implicit_flow_token_is_reused_if_not_expired(
token_cache, responses: RequestsMock, browser_mock: BrowserMock):
auth1 = requests_auth.OAuth2Implicit("http://provide_token")
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url=
"http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=
f"access_token={token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
)
assert get_header(responses,
auth1).get("Authorization") == f"Bearer {token}"
oauth2 = requests_auth.OAuth2Implicit("http://provide_token")
response = requests.get("http://authorized_only", auth=oauth2)
# Return headers received on this dummy URL
assert response.request.headers.get("Authorization") == f"Bearer {token}"
tab.assert_success(
"You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab."
)
def test_oauth2_implicit_and_multiple_authentication_can_be_combined(
token_cache, responses: RequestsMock, browser_mock: BrowserMock
):
implicit_auth = requests_auth.OAuth2Implicit("http://provide_token")
expiry_in_1_hour = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
token = create_token(expiry_in_1_hour)
tab = browser_mock.add_response(
opened_url="http://provide_token?response_type=token&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F",
reply_url="http://localhost:5000",
data=f"access_token={token}&state=42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521",
)
api_key_auth = requests_auth.HeaderApiKey("my_provided_api_key")
api_key_auth2 = requests_auth.HeaderApiKey(
"my_provided_api_key2", header_name="X-Api-Key2"
)
header = get_header(responses, implicit_auth & (api_key_auth & api_key_auth2))
assert header.get("Authorization") == f"Bearer {token}"
assert header.get("X-Api-Key") == "my_provided_api_key"
assert header.get("X-Api-Key2") == "my_provided_api_key2"
tab.assert_success(
"You are now authenticated on 42a85b271b7a652ca3cc4c398cfd3f01b9ad36bf9c945ba823b023e8f8b95c4638576a0e3dcc96838b838bec33ec6c0ee2609d62ed82480b3b8114ca494c0521. You may close this tab."
)