def create_op(self):
op_root_key = rsa_key()
op_registration_data = dict(root_key=json.dumps(op_root_key.serialize(private=False)))
op_software_statement = Federation(TestOP.federation_key).create_software_statement(op_registration_data)
self.op = OP(
ISSUER,
op_root_key,
[op_software_statement],
[TestOP.federation_key],
"{}/signed_jwks".format(ISSUER),
Provider(ISSUER, None, {}, None, None, None, None, None),
)
class TestOP(object):
federation_key = sym_key()
@pytest.fixture(autouse=True)
def create_op(self):
op_root_key = rsa_key()
op_registration_data = dict(root_key=json.dumps(op_root_key.serialize(private=False)))
op_software_statement = Federation(TestOP.federation_key).create_software_statement(op_registration_data)
self.op = OP(
ISSUER,
op_root_key,
[op_software_statement],
[TestOP.federation_key],
"{}/signed_jwks".format(ISSUER),
Provider(ISSUER, None, {}, None, None, None, None, None),
)
def test_provider_configuration(self):
provider_config = json.loads(self.op.provider_configuration().message)
assert provider_config["issuer"] == ISSUER
assert provider_config["software_statements"] == self.op.software_statements_jws
assert provider_config["signing_key"] == self.op.signed_intermediate_key
assert provider_config["signed_jwks_uri"] == self.op.signed_jwks_uri
_jws = JWS()
assert _jws.is_jws(provider_config["signed_metadata"])
assert _jws.jwt.headers["kid"] == self.op.intermediate_key.kid
expected_metadata_parameters = set(provider_config.keys())
expected_metadata_parameters.remove("signed_metadata")
actual_metadata_parameters = (
JWS().verify_compact(provider_config["signed_metadata"], keys=[self.op.intermediate_key]).keys()
)
assert set(actual_metadata_parameters) == expected_metadata_parameters
def test_register_client(self):
federation = Federation(TestOP.federation_key)
rp_root_key = rsa_key()
rp_intermediate_key = rsa_key()
rp_signed_intermediate_key = JWS(
json.dumps(rp_intermediate_key.serialize(private=False)), alg=rp_root_key.alg
).sign_compact(keys=[rp_root_key])
rp_software_statement = federation.create_software_statement(
dict(root_key=rp_root_key.serialize(private=False), response_types=["code"])
)
client_metadata = {
"signing_key": rp_signed_intermediate_key,
"signed_jwks_uri": "https://rp.example.com/signed_jwks",
"software_statements": [rp_software_statement],
"redirect_uris": ["https://rp.example.com"],
"response_types": ["id_token"],
}
req = FederationRegistrationRequest(**client_metadata)
signature = SignedHttpRequest(rp_intermediate_key).sign(rp_intermediate_key.alg, body=req.to_json())
response = self.op.register_client("pop {}".format(signature), req.to_json())
client_metadata = json.loads(response.message)
registration_response = FederationRegistrationResponse().from_dict(client_metadata)
assert registration_response.verify()
assert "client_id" in registration_response
assert registration_response["provider_software_statement"] == self.op.software_statements_jws[0]
assert registration_response["response_types"] == ["code"]
@pytest.mark.parametrize("authz_header", [None, ""])
def test_register_client_reject_request_without_authorization(self, authz_header):
with pytest.raises(OIDCFederationError) as exc:
self.op.register_client(authz_header, None)
assert "Authorization" in str(exc.value)
def test_register_client_rejects_request_with_wrong_auth_scheme(self):
with pytest.raises(OIDCFederationError) as exc:
self.op.register_client("Basic foobar", None)
assert "Authentication scheme" in str(exc.value)
