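async def test_no_role_provided(self, test_app):
        """A client_credentials token with no role claim is rejected by the shared flow.

        The access token is minted through the signed-JWT client_credentials
        grant, so it carries no ``selected_roleid``; the user-role shared flow
        is expected to answer ``400`` / ``invalid role`` instead of letting the
        caller through.

        Args:
            test_app: fixture exposing ``client_id``, ``client_secret`` and
                ``callback_url`` of a registered test application.
        """
        oauth = OauthHelper(
            client_id=test_app.client_id,
            client_secret=test_app.client_secret,
            redirect_uri=test_app.callback_url,
        )
        client_assertion = oauth.create_jwt(kid="test-1")
        token_resp = await oauth.get_token_response(
            grant_type="client_credentials", _jwt=client_assertion
        )
        access_token = token_resp["body"]["access_token"]

        # Given
        expected_status_code = 400
        expected_error = "invalid role"
        expected_error_description = "selected_roleid is missing in your token"

        # When -- requests has no default timeout; bound it so a hung endpoint
        # fails this test rather than stalling the whole run.
        response = requests.get(
            url=config.USER_ROLE_SHARED_FLOW,
            headers={"Authorization": f"Bearer {access_token}"},
            timeout=30,
        )

        # Then -- check the status before parsing, so a non-JSON error page
        # surfaces as a status mismatch rather than a decode error. Actual goes
        # first so assertpy's failure message reads in the natural direction.
        assert_that(response.status_code).is_equal_to(expected_status_code)
        body = response.json()
        assert_that(body["error"]).is_equal_to(expected_error)
        assert_that(body["error_description"]).is_equal_to(
            expected_error_description)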
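async def get_token_cis2_token_exchange(
    test_app_and_product, product_1_scopes, product_2_scopes
):
    """Obtain an access token via the CIS2-style token-exchange grant.

    A CIS2-shaped id_token claim set is signed locally with the private key at
    ``config.ID_TOKEN_PRIVATE_KEY_ABSOLUTE_PATH`` and presented as the
    ``subject_token`` of an RFC 8693 token-exchange request, alongside a signed
    client assertion. The id_token is therefore self-issued by the test, not
    obtained from CIS2; the ``iss``/``aud`` values merely mimic a CIS2 token.

    Args:
        test_app_and_product: fixture tuple ``(product, product2, app)``; both
            products have their scopes updated before the exchange.
        product_1_scopes: scopes applied to the first product.
        product_2_scopes: scopes applied to the second product.

    Returns:
        The raw response from ``OauthHelper.get_token_response``.
    """
    test_product, test_product2, test_app = test_app_and_product
    await test_product.update_scopes(product_1_scopes)
    await test_product2.update_scopes(product_2_scopes)

    oauth = OauthHelper(
        client_id=test_app.client_id,
        client_secret=test_app.client_secret,
        redirect_uri=test_app.callback_url,
    )

    # Read the clock once so iat and exp are derived from the same instant.
    now = int(time())
    claims = {
        "at_hash": "tf_-lqpq36lwO7WmSBIJ6Q",
        "sub": "787807429511",
        "auditTrackingId": "91f694e6-3749-42fd-90b0-c3134b0d98f6-1546391",
        "amr": ["N3_SMARTCARD"],
        "iss": "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/"
        "openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare",
        "tokenName": "id_token",
        "aud": "969567331415.apps.national",
        "c_hash": "bc7zzGkClC3MEiFQ3YhPKg",
        "acr": "AAL3_ANY",
        "org.forgerock.openidconnect.ops": "-I45NjmMDdMa-aNF2sr9hC7qEGQ",
        "s_hash": "LPJNul-wow4m6Dsqxbning",
        "azp": "969567331415.apps.national",
        "auth_time": 1610559802,
        "realm": "/NHSIdentity/Healthcare",
        # Generous validity window; iat is backdated slightly to absorb clock
        # skew between this runner and the identity service.
        "exp": now + 6000,
        "tokenType": "JWTToken",
        "iat": now - 100,
    }

    # Test-only signing key. Presumably the pair registered with the identity
    # service under kid "identity-service-tests-1" -- confirm against its JWKS
    # configuration. Explicit encoding so the PEM reads the same on any locale.
    with open(config.ID_TOKEN_PRIVATE_KEY_ABSOLUTE_PATH, "r", encoding="utf-8") as f:
        signing_key = f.read()

    client_assertion_jwt = oauth.create_jwt(kid="test-1")
    id_token_jwt = oauth.create_id_token_jwt(
        kid="identity-service-tests-1", claims=claims, signing_key=signing_key
    )

    # When
    token_resp = await oauth.get_token_response(
        grant_type="token_exchange",
        data={
            "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
            "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "subject_token": id_token_jwt,
            "client_assertion": client_assertion_jwt,
        },
    )

    return token_resp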
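async def get_token_nhs_login_token_exchange(
    test_app_and_product, product_1_scopes, product_2_scopes
):
    """Obtain an access token via the NHS-login-style token-exchange grant.

    An NHS-login-shaped id_token claim set is signed locally (RS512) with the
    private key at ``config.ID_TOKEN_NHS_LOGIN_PRIVATE_KEY_ABSOLUTE_PATH`` and
    presented as the ``subject_token`` of an RFC 8693 token-exchange request,
    alongside a signed client assertion. NHS login itself is not contacted:
    the id_token is self-issued by the test, with synthetic identity claims.

    Args:
        test_app_and_product: fixture tuple ``(product, product2, app)``; both
            products have their scopes updated before the exchange.
        product_1_scopes: scopes applied to the first product.
        product_2_scopes: scopes applied to the second product.

    Returns:
        The raw response from ``OauthHelper.get_token_response``.
    """
    test_product, test_product2, test_app = test_app_and_product
    await test_product.update_scopes(product_1_scopes)
    await test_product2.update_scopes(product_2_scopes)

    oauth = OauthHelper(
        client_id=test_app.client_id,
        client_secret=test_app.client_secret,
        redirect_uri=test_app.callback_url,
    )

    # Read the clock once so iat and exp are derived from the same instant.
    now = int(time())
    claims = {
        "sub": "8dc9fc1d-c3cb-48e1-ba62-b1532539ab6d",
        "birthdate": "1939-09-26",
        "nhs_number": "9482807146",
        "iss": "https://internal-dev.api.service.nhs.uk",
        # nonce and jti are fixed values; if the service ever enforces replay
        # protection on jti this will need to become unique per call -- TODO confirm.
        "nonce": "randomnonce",
        "vtm": "https://auth.aos.signin.nhs.uk/trustmark/auth.aos.signin.nhs.uk",
        "aud": "java_test_client",
        "id_status": "verified",
        "token_use": "id",
        "surname": "CARTHY",
        "auth_time": 1617272144,
        "vot": "P9.Cp.Cd",
        "identity_proofing_level": "P9",
        # Generous validity window; iat is backdated slightly to absorb clock
        # skew between this runner and the identity service.
        "exp": now + 6000,
        "iat": now - 100,
        "family_name": "CARTHY",
        "jti": "b6d6a28e-b0bb-44e3-974f-bb245c0b688a",
    }

    # Test-only signing key. Presumably the pair registered with the identity
    # service under kid "nhs-login" -- confirm against its JWKS configuration.
    # Explicit encoding so the PEM reads the same on any locale.
    with open(config.ID_TOKEN_NHS_LOGIN_PRIVATE_KEY_ABSOLUTE_PATH, "r", encoding="utf-8") as f:
        signing_key = f.read()

    client_assertion_jwt = oauth.create_jwt(kid="test-1")
    # RS512 is passed explicitly here, unlike the CIS2 helper; the default
    # algorithm of create_id_token_jwt is not visible from this file.
    id_token_jwt = oauth.create_id_token_jwt(
        kid="nhs-login", algorithm="RS512", claims=claims, signing_key=signing_key
    )

    # When
    token_resp = await oauth.get_token_response(
        grant_type="token_exchange",
        data={
            "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
            "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "subject_token": id_token_jwt,
            "client_assertion": client_assertion_jwt,
        },
    )

    return token_resp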