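def test_verify_id_token_bad_tokens(self):
        """Check that malformed, forged and out-of-policy ID tokens are rejected.

        Each case passes a token and the expected error-message fragment to
        ``self._check_jwt_failure``. That helper is defined elsewhere; it
        presumably asserts that verification fails with the given message and
        supplies the expected audience and certificates -- confirm there.
        """
        private_key = datafile("privatekey.p12")

        # Structural rejection: a single segment instead of three.
        self._check_jwt_failure("foo", "Wrong number of segments")

        # Three segments, but the expected message says the token cannot be
        # parsed (the segments are not encoded JSON).
        self._check_jwt_failure("foo.bar.baz", "Can't parse token")

        # Forged token: the payload is well-formed JSON, but the header and
        # signature segments are placeholders that no key produced.
        # NOTE(review): this does not cover a well-formed signature made with a
        # different key; consider a separate case for that.
        forged = "foo.%s.baz" % crypt._urlsafe_b64encode('{"a":"b"}')
        self._check_jwt_failure(forged, "Invalid token signature")

        # All remaining tokens are signed with the test key, so any rejection
        # comes from claim validation rather than from the signature.
        signer = crypt.Signer.from_string(private_key)

        # Missing "exp": a token with no expiry must not be accepted.
        claims = {"aud": "audience", "iat": time.time()}
        token = crypt.make_signed_jwt(signer, claims)
        self._check_jwt_failure(token, "No exp field in token")

        # Missing "iat".
        claims = {"aud": "audience", "exp": time.time() + 400}
        token = crypt.make_signed_jwt(signer, claims)
        self._check_jwt_failure(token, "No iat field in token")

        # Issued 301 s in the future. The one-second margin over 300 suggests
        # the verifier tolerates 300 s of clock skew -- constant not visible
        # here, confirm against the verifier.
        claims = {
            "aud": "audience",
            "iat": time.time() + 301,
            "exp": time.time() + 400,
        }
        token = crypt.make_signed_jwt(signer, claims)
        self._check_jwt_failure(token, "Token used too early")

        # Expired 301 s ago, i.e. just past the same presumed skew allowance.
        claims = {
            "aud": "audience",
            "iat": time.time() - 500,
            "exp": time.time() - 301,
        }
        token = crypt.make_signed_jwt(signer, claims)
        self._check_jwt_failure(token, "Token used too late")

        # Validly signed and inside its time window, but addressed to another
        # audience: "aud" differs from the "audience" value used above.
        claims = {
            "aud": "somebody else",
            "iat": time.time(),
            "exp": time.time() + 300,
        }
        token = crypt.make_signed_jwt(signer, claims)
        self._check_jwt_failure(token, "Wrong recipient")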
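  def test_verify_id_token_bad_tokens(self):
    """Check that malformed, forged and out-of-policy ID tokens are rejected.

    Each case passes a token and the expected error-message fragment to
    ``self._check_jwt_failure``. That helper is defined elsewhere; it
    presumably asserts that verification fails with the given message and
    supplies the expected audience and certificates -- confirm there.

    The key file extension comes from ``self.format`` and the signer class
    from ``self.signer``, both set outside this method.
    """
    private_key = datafile('privatekey.%s' % self.format)

    # Structural rejection: a single segment instead of three.
    self._check_jwt_failure('foo', 'Wrong number of segments')

    # Three segments, but the expected message says the token cannot be
    # parsed (the segments are not encoded JSON).
    self._check_jwt_failure('foo.bar.baz', 'Can\'t parse token')

    # Forged token: the payload is well-formed JSON, but the header and
    # signature segments are placeholders that no key produced.
    # NOTE(review): this does not cover a well-formed signature made with a
    # different key; consider a separate case for that.
    forged = 'foo.%s.baz' % crypt._urlsafe_b64encode('{"a":"b"}')
    self._check_jwt_failure(forged, 'Invalid token signature')

    # All remaining tokens are signed with the test key, so any rejection
    # comes from claim validation rather than from the signature.
    signer = self.signer.from_string(private_key)

    # Missing 'exp': a token with no expiry must not be accepted.
    claims = {
        'aud': 'audience',
        'iat': time.time(),
    }
    token = crypt.make_signed_jwt(signer, claims)
    self._check_jwt_failure(token, 'No exp field in token')

    # Missing 'iat'.
    claims = {
        'aud': 'audience',
        'exp': time.time() + 400,
    }
    token = crypt.make_signed_jwt(signer, claims)
    self._check_jwt_failure(token, 'No iat field in token')

    # Issued 301 s in the future. The one-second margin over 300 suggests the
    # verifier tolerates 300 s of clock skew -- constant not visible here,
    # confirm against the verifier.
    claims = {
        'aud': 'audience',
        'iat': time.time() + 301,
        'exp': time.time() + 400,
    }
    token = crypt.make_signed_jwt(signer, claims)
    self._check_jwt_failure(token, 'Token used too early')

    # Expired 301 s ago, i.e. just past the same presumed skew allowance.
    claims = {
        'aud': 'audience',
        'iat': time.time() - 500,
        'exp': time.time() - 301,
    }
    token = crypt.make_signed_jwt(signer, claims)
    self._check_jwt_failure(token, 'Token used too late')

    # Validly signed and inside its time window, but addressed to another
    # audience: 'aud' differs from the 'audience' value used above.
    claims = {
        'aud': 'somebody else',
        'iat': time.time(),
        'exp': time.time() + 300,
    }
    token = crypt.make_signed_jwt(signer, claims)
    self._check_jwt_failure(token, 'Wrong recipient')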