def test_parse_request_response_no_match_strict(self):
req_resp = Response(
200,
ProviderConfigurationResponse(
issuer=self._iss,
response_types_supported=['code'],
subject_types_supported=['pairwise'],
authorization_endpoint='https://example.com/op/authz',
jwks_uri='https://example.com/op/jwks.json',
token_endpoint='https://example.com/op/token',
id_token_signing_alg_values_supported=[
'RS256', 'RS384', 'RS512'
],
userinfo_signing_alg_values_supported=[
'RS256', 'RS384', 'RS512'
]).to_json(),
headers={'content-type': "application/json"})
self.cli_info.client_prefs[
'token_endpoint_auth_method'] = 'client_secret_basic'
self.cli_info.client_prefs[
'token_endpoint_auth_method'] = 'client_secret_basic'
self.cli_info.client_prefs['grant_types'] = ['authorization_code']
self.cli_info.client_prefs['request_object_signing_alg'] = ['ES256']
self.cli_info.strict_on_preferences = True
with pytest.raises(ConfigurationError):
resp = self.req.parse_request_response(req_resp,
self.cli_info,
response_body_type='json')
def test_deserialize(self):
resp = {
"authorization_endpoint":
"https://server.example.com/connect/authorize",
"issuer":
"https://server.example.com",
"token_endpoint":
"https://server.example.com/connect/token",
"token_endpoint_auth_methods_supported":
["client_secret_basic", "private_key_jwt"],
"userinfo_endpoint":
"https://server.example.com/connect/user",
"check_id_endpoint":
"https://server.example.com/connect/check_id",
"refresh_session_endpoint":
"https://server.example.com/connect/refresh_session",
"end_session_endpoint":
"https://server.example.com/connect/end_session",
"jwk_url":
"https://server.example.com/jwk.json",
"registration_endpoint":
"https://server.example.com/connect/register",
"scopes_supported":
["openid", "profile", "email", "address", "phone"],
"response_types_supported":
["code", "code id_token", "token id_token"],
"acrs_supported":
["1", "2", "http://id.incommon.org/assurance/bronze"],
"user_id_types_supported": ["public", "pairwise"],
"userinfo_algs_supported":
["HS256", "RS256", "A128CBC", "A128KW", "RSA1_5"],
"id_token_algs_supported":
["HS256", "RS256", "A128CBC", "A128KW", "RSA1_5"],
"request_object_algs_supported":
["HS256", "RS256", "A128CBC", "A128KW", "RSA1_5"]
}
pcr = ProviderConfigurationResponse().deserialize(
json.dumps(resp), "json")
with pytest.raises(MissingRequiredAttribute):
assert pcr.verify()
assert _eq(pcr["user_id_types_supported"], ["public", "pairwise"])
assert _eq(pcr["acrs_supported"],
["1", "2", "http://id.incommon.org/assurance/bronze"])
def test_token_endpoint_is_not_required_for_implicit_flow_only(self):
provider_config = {
"issuer": "https://server.example.com",
"authorization_endpoint":
"https://server.example.com/connect/authorize",
"jwks_uri": "https://server.example.com/jwks.json",
"response_types_supported": ["id_token", "token id_token"],
"subject_types_supported": ["public", "pairwise"],
"id_token_signing_alg_values_supported":
["RS256", "ES256", "HS256"],
}
# should not raise an exception
assert ProviderConfigurationResponse(**provider_config).verify()
def test_token_endpoint_is_required_for_other_than_implicit_flow_only(
self):
provider_config = {
"issuer": "https://server.example.com",
"authorization_endpoint":
"https://server.example.com/connect/authorize",
"jwks_uri": "https://server.example.com/jwks.json",
"response_types_supported": ["code", "id_token"],
"subject_types_supported": ["public", "pairwise"],
"id_token_signing_alg_values_supported":
["RS256", "ES256", "HS256"],
}
with pytest.raises(MissingRequiredAttribute):
ProviderConfigurationResponse(**provider_config).verify()
def test_parse_request_response_no_match(self):
req_resp = Response(
200,
ProviderConfigurationResponse(
issuer=self._iss,
response_types_supported=['code'],
subject_types_supported=['pairwise'],
authorization_endpoint='https://example.com/op/authz',
jwks_uri='https://example.com/op/jwks.json',
token_endpoint='https://example.com/op/token',
id_token_signing_alg_values_supported=[
'RS256', 'RS384', 'RS512'
],
userinfo_signing_alg_values_supported=[
'RS256', 'RS384', 'RS512'
]).to_json(),
headers={'content-type': "application/json"})
self.cli_info.client_prefs[
'token_endpoint_auth_method'] = 'client_secret_basic'
self.cli_info.client_prefs[
'token_endpoint_auth_method'] = 'client_secret_basic'
self.cli_info.client_prefs['grant_types'] = ['authorization_code']
self.cli_info.client_prefs['request_object_signing_alg'] = ['ES256']
resp = self.req.parse_request_response(req_resp,
self.cli_info,
response_body_type='json')
assert isinstance(resp, ProviderConfigurationResponse)
assert set(resp.keys()) == {
'issuer', 'response_types_supported', 'version',
'grant_types_supported', 'subject_types_supported',
'authorization_endpoint', 'jwks_uri',
'id_token_signing_alg_values_supported',
'request_uri_parameter_supported', 'request_parameter_supported',
'claims_parameter_supported', 'token_endpoint',
'token_endpoint_auth_methods_supported',
'require_request_uri_registration',
'userinfo_signing_alg_values_supported'
}
assert self.cli_info.behaviour == {
'id_token_signed_response_alg': 'RS384',
'userinfo_signed_response_alg': 'RS384',
'token_endpoint_auth_method': 'client_secret_basic',
'grant_types': ['authorization_code'],
'request_object_signing_alg': 'ES256'
}
def test_required_parameters(self, required_param):
provider_config = {
"issuer":
"https://server.example.com",
"authorization_endpoint":
"https://server.example.com/connect/authorize",
"jwks_uri":
"https://server.example.com/jwks.json",
"response_types_supported":
["code", "code id_token", "id_token", "token id_token"],
"subject_types_supported": ["public", "pairwise"],
"id_token_signing_alg_values_supported":
["RS256", "ES256", "HS256"],
}
del provider_config[required_param]
with pytest.raises(MissingRequiredAttribute):
ProviderConfigurationResponse(**provider_config).verify()
def test_example_response(self):
resp = {
"version":
"3.0",
"issuer":
"https://server.example.com",
"authorization_endpoint":
"https://server.example.com/connect/authorize",
"token_endpoint":
"https://server.example.com/connect/token",
"token_endpoint_auth_methods_supported":
["client_secret_basic", "private_key_jwt"],
"token_endpoint_alg_values_supported": ["RS256", "ES256"],
"userinfo_endpoint":
"https://server.example.com/connect/userinfo",
"check_session_iframe":
"https://server.example.com/connect/check_session",
"end_session_endpoint":
"https://server.example.com/connect/end_session",
"jwks_uri":
"https://server.example.com/jwks.json",
"registration_endpoint":
"https://server.example.com/connect/register",
"scopes_supported": [
"openid", "profile", "email", "address", "phone",
"offline_access"
],
"response_types_supported":
["code", "code id_token", "id_token", "token id_token"],
"acr_values_supported":
["urn:mace:incommon:iap:silver", "urn:mace:incommon:iap:bronze"],
"subject_types_supported": ["public", "pairwise"],
"userinfo_signing_alg_values_supported":
["RS256", "ES256", "HS256"],
"userinfo_encryption_alg_values_supported": ["RSA1_5", "A128KW"],
"userinfo_encryption_enc_values_supported":
["A128CBC+HS256", "A128GCM"],
"id_token_signing_alg_values_supported":
["RS256", "ES256", "HS256"],
"id_token_encryption_alg_values_supported": ["RSA1_5", "A128KW"],
"id_token_encryption_enc_values_supported":
["A128CBC+HS256", "A128GCM"],
"request_object_signing_alg_values_supported":
["none", "RS256", "ES256"],
"display_values_supported": ["page", "popup"],
"claim_types_supported": ["normal", "distributed"],
"claims_supported": [
"sub", "iss", "auth_time", "acr", "name", "given_name",
"family_name", "nickname", "profile", "picture", "website",
"email", "email_verified", "locale", "zoneinfo",
"http://example.info/claims/groups"
],
"claims_parameter_supported":
True,
"service_documentation":
"http://server.example.com/connect/service_documentation.html",
"ui_locales_supported":
["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
}
pcr = ProviderConfigurationResponse().deserialize(
json.dumps(resp), "json")
assert pcr.verify()
rk = list(resp.keys())
# parameters with default value if missing
rk.extend([
"grant_types_supported", "request_parameter_supported",
"request_uri_parameter_supported",
"require_request_uri_registration"
])
assert sorted(rk) == sorted(list(pcr.keys()))