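def test_id_token_hint(client, oauth_client):
    """
    Test ``id_token_hint`` parameter when hinted user is logged in.

    Obtains an ID token for the currently logged-in test user, re-runs the
    authorization flow with that token offered as ``id_token_hint``, and
    checks that the newly issued ID token is for the same subject.
    """
    token_response = oauth2.get_token_response(client, oauth_client).json
    id_token = validate_jwt(token_response["id_token"], {"openid"})
    # Now use that id_token as a hint to the authorize endpoint.
    # NOTE(review): ``id_token`` is the decoded claims mapping returned by
    # ``validate_jwt``, so the hint sent here is its ``str()`` form rather than
    # the raw JWT from ``token_response["id_token"]``; confirm what the
    # authorize endpoint actually parses before tightening this test.
    data = {"id_token_hint": str(id_token)}
    new_token_response = oauth2.get_token_response(
        client, oauth_client, code_request_data=data
    )
    assert new_token_response.status_code == 200
    # Decode the ID token from the *new* response (not the first one) so the
    # subject comparison below actually exercises the hinted flow.
    new_id_token = validate_jwt(new_token_response.json["id_token"], {"openid"})
    assert new_id_token["sub"] == id_token["sub"]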
def test_confidential_client_valid(client, oauth_client):
    """
    Test that a confidential client that authenticates with an HTTP Basic
    authorization header carrying its client secret is issued a token.

    The response assertions live in ``oauth2.check_token_response``.
    """
    response = oauth2.get_token_response(client, oauth_client)
    oauth2.check_token_response(response)
def test_acr_values(client, oauth_client):
    """
    Test the very basic requirement that sending an ``acr_values`` parameter
    does not cause an error and that an ``acr`` claim is present in the
    resulting ID token.

    Only the presence of the claim is checked, not its value.
    """
    request_data = {'acr_values': ''}
    response_json = oauth2.get_token_response(
        client, oauth_client, code_request_data=request_data
    ).json
    claims = validate_jwt(response_json['id_token'], {'openid'})
    assert 'acr' in claims
def test_id_token_contains_auth_time(client, oauth_client):
    """
    Test that when ``max_age`` is sent in the authentication request, the
    returned ID token carries an ``auth_time`` claim.

    Only the presence of the claim is checked here; its value and its
    relation to ``max_age`` are not asserted.
    """
    request_data = {'max_age': 3600}
    response_json = oauth2.get_token_response(
        client, oauth_client, code_request_data=request_data
    ).json
    claims = validate_jwt(response_json['id_token'], {'openid'})
    assert 'auth_time' in claims
def test_id_token_has_nonce(client, oauth_client):
    """
    Test that a ``nonce`` sent in the authentication request is echoed back
    unchanged as the ``nonce`` claim of the issued ID token.
    """
    expected_nonce = random_str(10)
    auth_request = {
        'client_id': oauth_client.client_id,
        'redirect_uri': oauth_client.url,
        'response_type': 'code',
        'scope': 'openid user',
        'state': random_str(10),
        'confirm': 'yes',
        'nonce': expected_nonce,
    }
    response_json = oauth2.get_token_response(
        client, oauth_client, code_request_data=auth_request
    ).json
    claims = validate_jwt(response_json['id_token'], {'openid'})
    assert 'nonce' in claims
    assert claims['nonce'] == expected_nonce
def test_id_token_hint_not_logged_in(app, client, oauth_client, monkeypatch):
    """
    Test ``id_token_hint`` parameter when hinted user is not logged in.

    TODO: This should attempt to log the user in
    """
    # The test user is still logged in at this point; obtain an ID token.
    first_response = oauth2.get_token_response(client, oauth_client).json
    id_token = validate_jwt(first_response["id_token"], {"openid"})
    # Turn off mocked auth so there is no longer a logged-in user.
    monkeypatch.setitem(config, "MOCK_AUTH", False)
    # Present the earlier ID token as a hint to the authorize endpoint.
    hint_data = {"id_token_hint": str(id_token)}
    auth_response = oauth2.post_authorize(
        client, oauth_client, data=hint_data, confirm=True
    )
    # With no session, the endpoint must redirect back with an error rather
    # than issue a code on the strength of the hint alone.
    assert auth_response.status_code == 302
    location = auth_response.headers.get("Location")
    assert location is not None
    error_values = parse_qs(urlparse(location).query).get("error")
    assert error_values is not None
    assert error_values[0] == "access_denied"
def token_response(client, oauth_client):
    """
    Return a successful token response for ``oauth_client``.
    """
    response = oauth2.get_token_response(client, oauth_client)
    return response