def test_oidc_user_created_signal_is_sent_during_new_user_authentication(
self, rf):
self.signal_was_called = False
def handler(sender, request, oidc_user, **kwargs):
self.request = request
self.oidc_user = oidc_user
self.signal_was_called = True
oidc_user_created.connect(handler)
request = rf.get('/oidc/cb/', {
'state': 'state',
'code': 'authcode',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
backend.authenticate(request, 'nonce')
assert self.signal_was_called is True
assert type(self.request) is WSGIRequest
assert self.oidc_user.userinfo['email'] == '*****@*****.**'
assert self.oidc_user.userinfo['sub'] == '1234'
oidc_user_created.disconnect(handler)
def test_log_out_the_user_if_the_id_token_is_not_valid(self, rf):
request = rf.get('/oidc/cb/', {
'state': 'state',
'code': 'authcode',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
user = backend.authenticate('nonce', request)
request.session['oidc_auth_id_token_exp_timestamp'] = \
(tz.now() - dt.timedelta(minutes=1)).timestamp()
request.session['oidc_auth_refresh_token'] = 'this_is_a_refresh_token'
auth.login(request, user)
request.user = user
httpretty.register_uri(httpretty.POST,
oidc_rp_settings.PROVIDER_TOKEN_ENDPOINT,
body=json.dumps({
'id_token': 'badidtoken',
'access_token': 'accesstoken',
'refresh_token': 'refreshtoken',
}),
content_type='text/json')
middleware = OIDCRefreshIDTokenMiddleware(lambda r: 'OK')
middleware(request)
assert not request.user.is_authenticated
def test_cannot_authenticate_a_user_if_the_request_object_is_not_provided(
self, rf):
request = rf.get('/oidc/cb/', {
'code': 'authcode',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
assert backend.authenticate('nonce', None) is None
def test_cannot_authenticate_a_user_if_the_code_is_not_present_in_the_request_parameters(
self, rf):
request = rf.get('/oidc/cb/', {
'state': 'state',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
with pytest.raises(SuspiciousOperation):
backend.authenticate(request, 'nonce')
def test_can_authenticate_a_new_user(self, rf):
request = rf.get('/oidc/cb/', {
'state': 'state',
'code': 'authcode',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
user = backend.authenticate(request, 'nonce')
assert user.email == '*****@*****.**'
assert user.oidc_user.sub == '1234'
def test_cannot_authenticate_a_user_if_the_id_token_validation_shows_a_suspicious_operation(
self, rf):
request = rf.get('/oidc/cb/', {
'state': 'state',
'code': 'authcode',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
with pytest.raises(SuspiciousOperation):
backend.authenticate(request, 'badnonce')
def test_can_authenticate_an_existing_user(self, rf):
request = rf.get('/oidc/cb/', {
'state': 'state',
'code': 'authcode',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
user = get_user_model().objects.create_user('test', '*****@*****.**')
OIDCUser.objects.create(user=user, sub='1234')
user = backend.authenticate(request, 'nonce')
assert user.email == '*****@*****.**'
assert user.oidc_user.sub == '1234'
def test_can_authenticate_a_new_user_and_update_its_details_with_a_specific_handler(
self, rf):
request = rf.get('/oidc/cb/', {
'state': 'state',
'code': 'authcode',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
user = backend.authenticate('nonce', request)
assert user.email == '*****@*****.**'
assert user.oidc_user.sub == '1234'
assert user.is_staff
def test_do_nothing_if_the_access_token_is_still_valid(self, rf):
request = rf.get('/oidc/cb/', {'state': 'state', 'code': 'authcode', })
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
user = backend.authenticate(request, 'nonce')
request.session['oidc_auth_id_token_exp_timestamp'] = \
(tz.now() + dt.timedelta(minutes=1)).timestamp()
request.session['oidc_auth_refresh_token'] = 'this_is_a_refresh_token'
auth.login(request, user)
request.user = user
middleware = OIDCRefreshIDTokenMiddleware(lambda r: 'OK')
middleware(request)
assert request.session['oidc_auth_refresh_token'] == 'this_is_a_refresh_token'
def test_cannot_authenticate_a_user_if_the_email_is_not_provided_by_the_userinfo_endpoint(
self, rf):
httpretty.register_uri(httpretty.GET,
oidc_rp_settings.PROVIDER_USERINFO_ENDPOINT,
body=json.dumps({
'sub': '1234',
}),
content_type='text/json')
request = rf.get('/oidc/cb/', {
'state': 'state',
'code': 'authcode',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
assert backend.authenticate('nonce', request) is None
def test_cannot_authenticate_a_user_if_the_id_token_validation_fails(
self, rf):
httpretty.register_uri(httpretty.POST,
oidc_rp_settings.PROVIDER_TOKEN_ENDPOINT,
body=json.dumps({
'id_token': 'badidtoken',
'access_token': 'accesstoken',
'refresh_token': 'refreshtoken',
}),
content_type='text/json')
request = rf.get('/oidc/cb/', {
'state': 'state',
'code': 'authcode',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
assert backend.authenticate(request, 'nonce') is None
def test_can_authenticate_a_new_user_even_if_no_email_is_in_userinfo_data(
self, rf):
httpretty.register_uri(
httpretty.GET,
oidc_rp_settings.PROVIDER_USERINFO_ENDPOINT,
body=json.dumps({
'sub': '1234',
}),
content_type='text/json',
)
request = rf.get('/oidc/cb/', {
'state': 'state',
'code': 'authcode',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
user = backend.authenticate(request, 'nonce')
assert not user.email
assert user.oidc_user.sub == '1234'
def test_can_process_userinfo_included_in_the_id_token_instead_of_calling_the_userinfo_endpoint(
self, rf):
httpretty.register_uri(
httpretty.POST,
oidc_rp_settings.PROVIDER_TOKEN_ENDPOINT,
body=json.dumps({
'id_token':
self.generate_jws(email='*****@*****.**'),
'access_token':
'accesstoken',
'refresh_token':
'refreshtoken',
}),
content_type='text/json')
request = rf.get('/oidc/cb/', {
'state': 'state',
'code': 'authcode',
})
SessionMiddleware().process_request(request)
request.session.save()
backend = OIDCAuthBackend()
user = backend.authenticate(request, 'nonce')
assert user.email == '*****@*****.**'
assert user.oidc_user.sub == '1234'
