def test_no_registered_client_metadata_is_handled(self):
config = ProviderConfiguration(
provider_metadata=self.PROVIDER_METADATA,
client_registration_info=ClientRegistrationInfo(),
)
facade = PyoidcFacade(config, self.REDIRECT_URI)
assert not facade._client.registration_response
def test_is_registered(self):
unregistered = ProviderConfiguration(provider_metadata=self.PROVIDER_METADATA,
client_registration_info=ClientRegistrationInfo())
registered = ProviderConfiguration(provider_metadata=self.PROVIDER_METADATA,
client_metadata=self.CLIENT_METADATA)
assert PyoidcFacade(unregistered, self.REDIRECT_URI).is_registered() is False
assert PyoidcFacade(registered, self.REDIRECT_URI).is_registered() is True
def test_should_register_dynamic_client_if_client_registration_info_is_given(
self):
registration_endpoint = self.PROVIDER_BASEURL + '/register'
responses.add(responses.POST,
registration_endpoint,
json={
'client_id': 'client1',
'client_secret': 'secret1'
})
provider_config = ProviderConfiguration(
provider_metadata=self.provider_metadata(
registration_endpoint=registration_endpoint),
client_registration_info=ClientRegistrationInfo())
extra_args = {'extra_args': 'should be passed'}
redirect_uris = ['https://client.example.com/redirect']
provider_config.register_client(redirect_uris, extra_args)
assert provider_config._client_metadata['client_id'] == 'client1'
assert provider_config._client_metadata['client_secret'] == 'secret1'
assert provider_config._client_metadata[
'redirect_uris'] == redirect_uris
expected_registration_request = {'redirect_uris': redirect_uris}
expected_registration_request.update(extra_args)
assert json.loads(responses.calls[0].request.body.decode(
'utf-8')) == expected_registration_request
def test_register(self):
registration_endpoint = self.PROVIDER_BASEURL + '/register'
redirect_uris = ['https://client.example.com/redirect']
post_logout_redirect_uris = ['https://client.example.com/logout']
client_registration_response = {
'client_id': 'client1',
'client_secret': 'secret1',
'client_name': 'Test Client',
'redirect_uris': redirect_uris,
'post_logout_redirect_uris': post_logout_redirect_uris
}
responses.add(responses.POST,
registration_endpoint,
json=client_registration_response)
provider_metadata = self.PROVIDER_METADATA.copy(
registration_endpoint=registration_endpoint)
unregistered = ProviderConfiguration(
provider_metadata=provider_metadata,
client_registration_info=ClientRegistrationInfo(
redirect_uris=redirect_uris,
post_logout_redirect_uris=post_logout_redirect_uris))
facade = PyoidcFacade(unregistered, REDIRECT_URI)
facade.register()
assert facade.is_registered() is True
def test_should_register_dynamic_client_if_client_registration_info_is_given(
self):
registration_endpoint = self.PROVIDER_BASEURL + '/register'
redirect_uris = [
'https://client.example.com/redirect',
'https://client.example.com/redirect2'
]
post_logout_redirect_uris = ['https://client.example.com/logout']
responses.add(responses.POST,
registration_endpoint,
json={
'client_id': 'client1',
'client_secret': 'secret1',
'redirect_uris': redirect_uris,
'post_logout_redirect_uris':
post_logout_redirect_uris
})
provider_config = ProviderConfiguration(
provider_metadata=self.provider_metadata(
registration_endpoint=registration_endpoint),
client_registration_info=ClientRegistrationInfo(
redirect_uris=redirect_uris,
post_logout_redirect_uris=post_logout_redirect_uris))
provider_config.register_client(Client(CLIENT_AUTHN_METHOD))
assert provider_config._client_metadata['client_id'] == 'client1'
assert provider_config._client_metadata['client_secret'] == 'secret1'
assert provider_config._client_metadata[
'redirect_uris'] == redirect_uris
assert provider_config._client_metadata[
'post_logout_redirect_uris'] == post_logout_redirect_uris
def test_should_not_fetch_provider_metadata_if_given(self):
provider_metadata = self.provider_metadata()
provider_config = ProviderConfiguration(
provider_metadata=provider_metadata,
client_registration_info=ClientRegistrationInfo())
provider_config.ensure_provider_metadata()
assert provider_config._provider_metadata == provider_metadata
def test_missing_provider_metadata_raises_exception(self):
with pytest.raises(ValueError) as exc_info:
ProviderConfiguration(
client_registration_info=ClientRegistrationInfo())
exc_message = str(exc_info.value)
assert 'issuer' in exc_message
assert 'provider_metadata' in exc_message
def test_should_raise_exception_for_non_registered_client_when_missing_registration_endpoint(
self):
provider_config = ProviderConfiguration(
provider_metadata=self.provider_metadata(),
client_registration_info=ClientRegistrationInfo())
with pytest.raises(ValueError) as exc_info:
provider_config.register_client([])
assert 'registration_endpoint' in str(exc_info.value)
def test_should_raise_exception_for_non_registered_client_when_missing_registration_endpoint(
self):
provider_config = ProviderConfiguration(
provider_metadata=self.provider_metadata(),
client_registration_info=ClientRegistrationInfo())
assert provider_config._provider_metadata[
'registration_endpoint'] is None
with pytest.raises(ValueError):
provider_config.register_client(None)
def test_register(self):
registration_endpoint = self.PROVIDER_BASEURL + '/register'
responses.add(responses.POST, registration_endpoint, json=self.CLIENT_METADATA.to_dict())
provider_metadata = self.PROVIDER_METADATA.copy(registration_endpoint=registration_endpoint)
unregistered = ProviderConfiguration(provider_metadata=provider_metadata,
client_registration_info=ClientRegistrationInfo())
facade = PyoidcFacade(unregistered, self.REDIRECT_URI)
facade.register()
assert facade.is_registered() is True
def test_should_register_client_if_not_registered_before(
self, post_logout_redirect_uris):
registration_endpoint = self.PROVIDER_BASEURL + '/register'
provider_metadata = ProviderMetadata(
self.PROVIDER_BASEURL,
self.PROVIDER_BASEURL + '/auth',
self.PROVIDER_BASEURL + '/jwks',
registration_endpoint=registration_endpoint)
client_metadata = {}
if post_logout_redirect_uris:
client_metadata[
'post_logout_redirect_uris'] = post_logout_redirect_uris
provider_configurations = {
self.PROVIDER_NAME:
ProviderConfiguration(
provider_metadata=provider_metadata,
client_registration_info=ClientRegistrationInfo(
**client_metadata))
}
authn = OIDCAuthentication(provider_configurations)
authn.init_app(self.app)
# register logout view to force 'post_logout_redirect_uris' to be included in registration request
logout_view_mock = self.get_view_mock()
self.app.add_url_rule('/logout', view_func=logout_view_mock)
authn.oidc_logout(logout_view_mock)
responses.add(responses.POST,
registration_endpoint,
json={
'client_id': 'client1',
'client_secret': 'secret1'
})
view_mock = self.get_view_mock()
with self.app.test_request_context('/'):
auth_redirect = authn.oidc_auth(self.PROVIDER_NAME)(view_mock)()
self.assert_auth_redirect(auth_redirect)
registration_request = json.loads(
responses.calls[0].request.body.decode('utf-8'))
with self.app.app_context():
full_redirect_uri = flask.url_for(
registration_request['redirect_uris'][0])
registration_request['redirect_uris'] = full_redirect_uri
expected_post_logout_redirect_uris = post_logout_redirect_uris if post_logout_redirect_uris else [
'http://{}/logout'.format(self.CLIENT_DOMAIN)
]
expected_registration_request = {
'redirect_uris':
'http://{}/redirect_uri'.format(self.CLIENT_DOMAIN),
'post_logout_redirect_uris': expected_post_logout_redirect_uris
}
assert registration_request == expected_registration_request
def test_register_client_should_register_dynamic_client_if_initial_access_token_present(
self):
registration_endpoint = self.PROVIDER_BASEURL + '/register'
redirect_uris = [
'https://client.example.com/redirect',
'https://client.example.com/redirect2'
]
post_logout_redirect_uris = ['https://client.example.com/logout']
client_registration_response = {
'client_id': 'client1',
'client_secret': 'secret1',
'client_name': 'Test Client',
'redirect_uris': redirect_uris,
'post_logout_redirect_uris': post_logout_redirect_uris,
'registration_client_uri':
'https://op.example.com/register/client1',
'registration_access_token': 'registration_access_token1'
}
responses.add(responses.POST,
registration_endpoint,
json=client_registration_response)
provider_config = ProviderConfiguration(
provider_metadata=self.provider_metadata(
registration_endpoint=registration_endpoint),
client_registration_info=ClientRegistrationInfo(
client_name='Test Client',
redirect_uris=redirect_uris,
post_logout_redirect_uris=post_logout_redirect_uris,
registration_token='initial_access_token'))
provider_config.register_client(Client(CLIENT_AUTHN_METHOD))
assert provider_config._client_metadata['client_id'] == 'client1'
assert provider_config._client_metadata['client_secret'] == 'secret1'
assert provider_config._client_metadata['client_name'] == 'Test Client'
assert provider_config._client_metadata[
'registration_client_uri'] == 'https://op.example.com/register/client1'
assert provider_config._client_metadata[
'registration_access_token'] == 'registration_access_token1'
assert provider_config._client_metadata[
'redirect_uris'] == redirect_uris
assert provider_config._client_metadata[
'post_logout_redirect_uris'] == post_logout_redirect_uris
assert responses.calls[0].request.headers['Authorization'] == \
f"Bearer {base64.b64encode('initial_access_token'.encode()).decode()}"
def test_register_client_should_register_client_even_if_post_logout_redirect_uris_missing(
self):
registration_endpoint = self.PROVIDER_BASEURL + '/register'
redirect_uris = [
'https://client.example.com/redirect',
'https://client.example.com/redirect2'
]
client_registration_response = {
'client_id': 'client1',
'client_secret': 'secret1',
'client_name': 'Test Client',
'redirect_uris': redirect_uris,
'registration_client_uri':
'https://op.example.com/register/client1',
'registration_access_token': 'registration_access_token1'
}
responses.add(responses.POST,
registration_endpoint,
json=client_registration_response)
provider_config = ProviderConfiguration(
provider_metadata=self.provider_metadata(
registration_endpoint=registration_endpoint),
client_registration_info=ClientRegistrationInfo(
client_name='Test Client',
redirect_uris=redirect_uris,
post_logout_redirect_uris=[],
registration_token='initial_access_token'))
provider_config.register_client(client=Client(CLIENT_AUTHN_METHOD))
assert provider_config._client_metadata['client_id'] == 'client1'
assert provider_config._client_metadata['client_secret'] == 'secret1'
assert provider_config._client_metadata['client_name'] == 'Test Client'
assert provider_config._client_metadata[
'registration_client_uri'] == 'https://op.example.com/register/client1'
assert provider_config._client_metadata[
'registration_access_token'] == 'registration_access_token1'
assert provider_config._client_metadata[
'redirect_uris'] == redirect_uris
assert provider_config._client_metadata.get(
'post_logout_redirect_uris') is None
def test_should_fetch_provider_metadata_if_not_given(self):
provider_metadata = {
'issuer': self.PROVIDER_BASEURL,
'authorization_endpoint': self.PROVIDER_BASEURL + '/auth',
'jwks_uri': self.PROVIDER_BASEURL + '/jwks'
}
responses.add(responses.GET,
self.PROVIDER_BASEURL +
'/.well-known/openid-configuration',
json=provider_metadata)
provider_config = ProviderConfiguration(
issuer=self.PROVIDER_BASEURL,
client_registration_info=ClientRegistrationInfo())
provider_config.ensure_provider_metadata()
assert provider_config._provider_metadata[
'issuer'] == self.PROVIDER_BASEURL
assert provider_config._provider_metadata[
'authorization_endpoint'] == self.PROVIDER_BASEURL + '/auth'
assert provider_config._provider_metadata[
'jwks_uri'] == self.PROVIDER_BASEURL + '/jwks'
