def test_using_claim_data_in_salt(self):
jti = base64.urlsafe_b64encode(random_bytes())
claims = self.jwt_claims
claims['jti'] = jti
def generate_custom_salt(claims):
if claims is None:
return "foobar"
# Obviously you'd never do _literally_ this, but you might want
# To use some of this data to generate the salt, or to look it
# up in a db somewhere based on some of this info.
return "%s%d%s" % (claims['aud'], claims['iat'], claims['jti'])
issued_at = datetime.datetime.utcnow()
token_gen = self.token_generator
token = token_gen.issue_token(user_id='12345',
scope=['email', 'profile'],
jti=jti,
issued_at=issued_at)
# change the salt generator
joat.salt_generator = generate_custom_salt
salted_token = token_gen.issue_token(user_id='12345',
scope=['email', 'profile'],
jti=jti,
issued_at=issued_at)
self.assertNotEqual(token, salted_token)
# token with original salt shouldn't parse
self.assertIsNone(joat.parse_token(token))
# but this one should
salted_token_data = joat.parse_token(salted_token)
expected_payload = self.joat_payload
expected_payload.update({'jti': jti})
self.assertIsNotNone(salted_token_data)
self.assertDictEqual(salted_token_data, expected_payload)
# restore the original salt generator
joat.salt_generator = self.generate_salt
# custom salted token shouldnt parse anymore
self.assertIsNone(joat.parse_token(salted_token))
# but this one should
token_data = joat.parse_token(token)
self.assertIsNotNone(token_data)
self.assertDictEqual(token_data, self.joat_payload)
def test_using_claim_data_in_salt(self):
jti = base64.urlsafe_b64encode(random_bytes())
claims = self.jwt_claims
claims["jti"] = jti
def generate_custom_salt(claims):
if claims is None:
return "foobar"
# Obviously you'd never do _literally_ this, but you might want
# To use some of this data to generate the salt, or to look it
# up in a db somewhere based on some of this info.
return "%s%d%s" % (claims["aud"], claims["iat"], claims["jti"])
issued_at = datetime.datetime.utcnow()
token_gen = self.token_generator
token = token_gen.issue_token(user_id="12345", scope=["email", "profile"], jti=jti, issued_at=issued_at)
# change the salt generator
joat.salt_generator = generate_custom_salt
salted_token = token_gen.issue_token(user_id="12345", scope=["email", "profile"], jti=jti, issued_at=issued_at)
self.assertNotEqual(token, salted_token)
# token with original salt shouldn't parse
self.assertIsNone(joat.parse_token(token))
# but this one should
salted_token_data = joat.parse_token(salted_token)
expected_payload = self.joat_payload
expected_payload.update({"jti": jti})
self.assertIsNotNone(salted_token_data)
self.assertDictEqual(salted_token_data, expected_payload)
# restore the original salt generator
joat.salt_generator = self.generate_salt
# custom salted token shouldnt parse anymore
self.assertIsNone(joat.parse_token(salted_token))
# but this one should
token_data = joat.parse_token(token)
self.assertIsNotNone(token_data)
self.assertDictEqual(token_data, self.joat_payload)
def test_validate_token(self):
valid_token = jwt.encode(self.jwt_claims, self.generate_salt(self.jwt_claims))
cred = joat.parse_token(valid_token)
self.assertEqual(cred["provider"], self.jwt_claims["iss"])
self.assertEqual(cred["user_id"], self.jwt_claims["sub"])
self.assertEqual(cred["client_id"], self.jwt_claims["aud"])
self.assertListEqual(cred["authorized_scope"], self.jwt_claims["scp"])
self.assertEqual(cred["jti"], self.jwt_claims["jti"])
def test_validate_expired_token(self):
lifetime = datetime.timedelta(seconds=1)
generator = joat.TokenGenerator("My Provider")
generator.client_id = "abc123DEF"
token = generator.issue_token(user_id="12345", scope=["email", "profile"], lifetime=lifetime)
time.sleep(2)
self.assertIsNone(joat.parse_token(token))
def test_validate_token(self):
valid_token = jwt.encode(self.jwt_claims,
self.generate_salt(self.jwt_claims))
cred = joat.parse_token(valid_token)
self.assertEqual(cred['provider'], self.jwt_claims['iss'])
self.assertEqual(cred['user_id'], self.jwt_claims['sub'])
self.assertEqual(cred['client_id'], self.jwt_claims['aud'])
self.assertListEqual(cred['authorized_scope'], self.jwt_claims['scp'])
self.assertEqual(cred['jti'], self.jwt_claims['jti'])
def test_validate_expired_token(self):
lifetime = datetime.timedelta(seconds=1)
generator = joat.TokenGenerator("My Provider")
generator.client_id = 'abc123DEF'
token = generator.issue_token(user_id='12345',
scope=['email', 'profile'],
lifetime=lifetime)
time.sleep(2)
self.assertIsNone(joat.parse_token(token))
def test_validate_token_after_setting_salter(self): joat.salt_generator = self.generate_salt token = joat.parse_token(self.jwt_token)
def test_validate_token_without_setting_salter(self):
with self.assertRaises(NotImplementedError):
joat.parse_token(self.jwt_token)
def test_validate_with_incorrect_salt(self):
invalid_token = jwt.encode(self.jwt_claims, self.generate_wrong_salt(None))
credential = joat.parse_token(invalid_token)
self.assertIsNone(credential)
def test_validate_token_after_setting_salter(self):
joat.salt_generator = self.generate_salt
token = joat.parse_token(self.jwt_token)
def test_validate_token_without_setting_salter(self):
with self.assertRaises(NotImplementedError):
joat.parse_token(self.jwt_token)
def test_validate_with_incorrect_salt(self):
invalid_token = jwt.encode(self.jwt_claims,
self.generate_wrong_salt(None))
credential = joat.parse_token(invalid_token)
self.assertIsNone(credential)
