Пример #1
    def setUp(self):
        super(OauthTestIssue24, self).setUp()

        #setting the access key/secret to made-up strings
        self.access_token = Token(key="key",
Пример #2
    def setUp(self):
        super(OauthTestIssue24, self).setUp()

        # setting the access key/secret to made-up strings
        self.access_token = Token(
            key="key", secret="secret", consumer=self.consumer, user=self.jane, token_type=2, scope=self.scope
Пример #3
    def setUp(self):
        self.faketime = 525942870
        self.client = Client()

        # create a Consumer (and associated stuff)
            u = User.objects.get(username='******')
        except User.DoesNotExist:
            u = User(username='******')

            c = Consumer.objects.get(name='Test Consumer')
        except Consumer.DoesNotExist:
            c = Consumer(name='Test Consumer')

        c.description = 'Consumer to do some tests with'
        c.status = ACCEPTED
        c.user = u
        c.xauth_allowed = False
        self.consumer = c

        i = ConsumerInfo(consumer=c)
        i.admin_contact = '*****@*****.**'
        i.permissions = ['courses']
        i.timestamp = self.faketime - 10  # make sure the ConsumerInfo was there "before" the Token was created
        self.consumerinfo = i

        # create an access token so we can jump in to requests
            t = Token.objects.get(token_type=Token.ACCESS, consumer=c, user=u)
        except Token.DoesNotExist:
            t = Token(token_type=Token.ACCESS,

        t.is_approved = True
        t.verifier = VERIFIER
        self.token = t
Пример #4
    def setUp(self):
        self.faketime = 525942870
        self.client = Client()

        # create a Consumer (and associated stuff)
            u = User.objects.get(username='******')
        except User.DoesNotExist:
            u = User(username='******')

            c = Consumer.objects.get(name='Test Consumer')
        except Consumer.DoesNotExist:
            c = Consumer(name='Test Consumer')

        c.description = 'Consumer to do some tests with'
        c.status = ACCEPTED
        c.user = u
        c.xauth_allowed = False
        self.consumer = c

        i = ConsumerInfo(consumer=c)
        i.admin_contact = '*****@*****.**'
        i.permissions = ['courses']
        i.timestamp = self.faketime - 10 # make sure the ConsumerInfo was there "before" the Token was created
        self.consumerinfo = i

        # create an access token so we can jump in to requests
            t = Token.objects.get(token_type=Token.ACCESS, consumer=c, user=u)
        except Token.DoesNotExist:
            t = Token(token_type=Token.ACCESS, consumer=c, user=u, timestamp=self.faketime)
        t.is_approved = True
        t.verifier = VERIFIER
        self.token = t
Пример #5
class OauthTestIssue24(BaseOAuthTestCase):
    See https://bitbucket.org/david/django-oauth-plus/issue/24/utilspy-initialize_server_request-should
    def setUp(self):
        super(OauthTestIssue24, self).setUp()

        #setting the access key/secret to made-up strings
        self.access_token = Token(

    def __make_querystring_with_HMAC_SHA1(self, http_method, path, data, content_type):
        Utility method for creating a request which is signed using HMAC_SHA1 method
        consumer = oauth.Consumer(key=self.CONSUMER_KEY, secret=self.CONSUMER_SECRET)
        token = oauth.Token(key=self.access_token.key, secret=self.access_token.secret)

        url = "http://testserver:80" + path

        #if data is json, we want it in the body, else as parameters (i.e. queryparams on get)
        body = ""
        if content_type=="application/json":
            body = data
            parameters = data

        request = oauth.Request.from_consumer_and_token(

        # Sign the request.
        signature_method = oauth.SignatureMethod_HMAC_SHA1()
        request.sign_request(signature_method, consumer, token)
        return request.to_url()

    def test_that_initialize_server_request_when_custom_content_type(self):
        """Chceck if post data is not included in params when constent type
        is not application/x-www-form-urlencoded. It would cause problems only when signature method is

        data = json.dumps({"data": {"foo": "bar"}})
        content_type = "application/json"
        querystring = self.__make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)

        #we're just using the request, don't bother faking sending it
        rf = RequestFactory()
        request = rf.post(querystring, data, content_type)

        #this is basically a "remake" of the relevant parts of OAuthAuthentication in django-rest-framework
        oauth_request = utils.get_oauth_request(request)

        consumer_key = oauth_request.get_parameter('oauth_consumer_key')
        consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)

        token_param = oauth_request.get_parameter('oauth_token')
        token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)

        oauth_server, oauth_request = utils.initialize_server_request(request)

        #check that this does not throw an oauth.Error
        oauth_server.verify_request(oauth_request, consumer, token)

    def test_post_using_in_authorization_header_and_PLAINTEXT(self):

        parameters = {
            'oauth_consumer_key': self.CONSUMER_KEY,
            'oauth_signature_method': "PLAINTEXT",
            'oauth_version': "1.0",
            'oauth_token': self.ACCESS_TOKEN_KEY,
            'oauth_timestamp': str(int(time.time())),
            'oauth_nonce': str(int(time.time()))+"nonce",
            'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
        header = self._get_http_authorization_header(parameters)
        response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header)

        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_post_body_and_PLAINTEXT(self):
        """Check if auth works when authorization data is in post body when
        content type is pplication/x-www-form-urlencoded

        parameters = {
            'oauth_consumer_key': self.CONSUMER_KEY,
            'oauth_signature_method': "PLAINTEXT",
            'oauth_version': "1.0",
            'oauth_token': self.ACCESS_TOKEN_KEY,
            'oauth_timestamp': str(int(time.time())),
            'oauth_nonce': str(int(time.time()))+"nonce",
            'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
            "additional_data": "whoop" # additional data
        response = self.c.post("/oauth/photo/", urllib.urlencode(parameters, True),
        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_header_with_content_type_json_and_PLAINTEXT(self):

        parameters = {
            'oauth_consumer_key': self.CONSUMER_KEY,
            'oauth_signature_method': "PLAINTEXT",
            'oauth_version': "1.0",
            'oauth_token': self.ACCESS_TOKEN_KEY,
            'oauth_timestamp': str(int(time.time())),
            'oauth_nonce': str(int(time.time()))+"nonce",
            'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),

        header = self._get_http_authorization_header(parameters)
        response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header, CONTENT_TYPE="application/json")

        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_body_content_type_and_application_x_www_form_urlencoded(self):
        """Opposite of test_that_initialize_server_request_when_custom_content_type,
        If content type is application/x-www-form-urlencoded, post data should be added to params,
        and it affects signature

        data={"foo": "bar"}
        content_type = "application/x-www-form-urlencoded"
        querystring = self.__make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)

        #we're just using the request, don't bother faking sending it
        rf = RequestFactory()
        request = rf.post(querystring, urllib.urlencode(data), content_type)

        #this is basically a "remake" of the relevant parts of OAuthAuthentication in django-rest-framework
        oauth_request = utils.get_oauth_request(request)

        consumer_key = oauth_request.get_parameter('oauth_consumer_key')
        consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)

        token_param = oauth_request.get_parameter('oauth_token')
        token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)

        oauth_server, oauth_request = utils.initialize_server_request(request)

        #check that this does not throw an oauth.Error
        oauth_server.verify_request(oauth_request, consumer, token)
Пример #6
def test_oauth1_0():
    Test to veriy OAuth 1.0 flow
    After Jane informs printer.example.com that she would like to print her 
    vacation photo stored at photos.example.net, the printer website tries to 
    access the photo and receives HTTP 401 Unauthorized indicating it is private. 
    The Service Provider includes the following header with the response::

    #TODO - not able to handle /request_token/ - returns 404
    #TODO - add test for reuse of nonce for the request token stage?
    #TODO - add test for oauth params in Authorization, GET and POST
    response = app.get('/request_token', status=401)
    assert response.status == '401 Invalid request parameters.'
    assert response.headers[
        'WWW-Authenticate'] == 'OAuth realm="http://events.example.net/"'
    assert response.body == 'Invalid request parameters.'
    The Consumer sends the following HTTP POST request to the Service Provider::
    import time
    parameters = {
        'oauth_consumer_key': CONSUMER_KEY,
        'oauth_signature_method': 'PLAINTEXT',
        'oauth_signature': '%s&' % CONSUMER_SECRET,
        'oauth_timestamp': str(int(time.time())),
        'oauth_nonce': 'requestnonce',
        'oauth_version': '1.0',
        #'scope': 'default', # custom argument to specify Protected Resource

    response = app.post('/request_token', parameters)
    The Service Provider checks the signature and replies with an unauthorized 
    Request Token in the body of the HTTP response::
    assert response.status == '200 OK'

    tokens = Token.all().fetch(1000)
    #double checking the sanity of the test - there should only be one token in
    #the store at this stage

    assert len(tokens) == 1
    token = tokens[0]
    assert 'oauth_token_secret=%s&oauth_token=%s' % (
        token.secret, token.key_) == response.body

    #Ensure that the token returned is unauthorized request token
    assert token.is_approved == False
    assert token.token_type == Token.REQUEST
    If you try to access a resource with a wrong scope, it will return an error::

    #the scope related tests are not here as they the scope
    #function has not been implemented yet
    #>> parameters['scope'] = 'videos'
    #>>> response = c.get("/oauth/request_token/", parameters)
    #>>> response.status_code
    #>>> response.content
    #'Resource videos does not exist.'
    Requesting User Authorization
    The Consumer redirects Jane's browser to the Service Provider User 
    Authorization URL to obtain Jane's approval for accessing her private photos.
    The Service Provider asks Jane to sign-in using her username and password::
    parameters = {
        'oauth_token': token.key_,
        'oauth_callback': 'http://test.com/request_token_ready',
        'authorize_access': 1,

    response = app.post('/authorize', parameters)
    assert response.status == '302 Moved Temporarily'
    assert response.location ==\

    #the token details should not be altered by this call
    tokens = Token.all().fetch(1000)
    assert len(tokens) == 1
    token = tokens[0]

    assert token.is_approved == False
    assert token.token_type == Token.REQUEST

    #In reality the user would of been redirected to the Google login page and
    #then redirected to a page where they will be given an opportunity to
    #authorize the application or otherwise.

    #Here we simulate the user being logged (by setting the
    #os.environ['USER_EMAIL']) variable and the user giving authorizing by
    #setting the 'authorize_access' parameter
    #and redirect manually to the authorization page
    os.environ['USER_EMAIL'] = '*****@*****.**'
    response = app.post('/authorize', parameters)

    #verify that the request token is now approved
    tokens = Token.all().fetch(1000)
    assert len(tokens) == 1
    token = tokens[0]

    assert token.is_approved == True
    assert token.token_type == Token.REQUEST

    #verify the response - now that we are approved we should get
    assert response.status == '302 Moved Temporarily'
    assert response.location == 'http://test.com/request_token_ready?oauth_token=%s' % (

    #TODO add test for case where the user rejects the approval,
    #now the flow assumes that it will always be approved upon logging in
    Obtaining an Access Token
    Now that the Consumer knows Jane approved the Request Token, it asks the 
    Service Provider to exchange it for an Access Token::

    parameters = {
        'oauth_consumer_key': CONSUMER_KEY,
        'oauth_token': token.key_,
        'oauth_signature_method': 'PLAINTEXT',
        'oauth_signature': '%s&%s' % (CONSUMER_SECRET, token.secret),
        'oauth_timestamp': str(int(time.time())),
        'oauth_nonce': 'accessnonce',
        'oauth_version': '1.0',
    response = app.post("/access_token", parameters)
    The Service Provider checks the signature and replies with an Access Token in 
    the body of the HTTP response::

    response.status == '200 OK'
    #verify the access token now

    access_tokens = Token.all()\
        .filter('token_type =',Token.ACCESS).fetch(1000)
    #double checking the sanity of the test - there should only be one token in
    #the store at this stage

    assert len(access_tokens) == 1
    access_token = access_tokens[0]
    assert 'oauth_token_secret=%s&oauth_token=%s' % (
        access_token.secret, access_token.key_) == response.body

    assert str(access_token.user) == '*****@*****.**'
    The Consumer will not be able to request another Access Token with the same

    nonces = Nonce.all().fetch(1000)
    assert nonces[0].key_ == "accessnonce"

    response = app.post("/access_token", parameters, status=401)

    assert response.status == '401 Nonce already used: accessnonce'
    assert response.body == 'Nonce already used: accessnonce'
    The Consumer will not be able to request an Access Token if the token is not

    token.is_approved = False

    parameters['oauth_nonce'] = 'anotheraccessnonce'
    response = app.post("/access_token", parameters, status=401)
    response.status == "401 Consumer key or token key does not match. Make sure your request token is approved. Check your verifier too if you use OAuth 1.0a."
    response.body == 'Consumer key or token key does not match. Make sure your request token is approved. Check your verifier too if you use OAuth 1.0a.'
    Accessing Protected Resources
    The Consumer is now ready to request the private photo. Since the photo URL is 
    not secure (HTTP), it must use HMAC-SHA1.
    Generating Signature Base String
    To generate the signature, it first needs to generate the Signature Base 
    String. The request contains the following parameters (oauth_signature 
    excluded) which are ordered and concatenated into a normalized string::

    parameters = {
        'oauth_consumer_key': CONSUMER_KEY,
        'oauth_token': access_token.key_,
        'oauth_signature_method': 'HMAC-SHA1',
        'oauth_timestamp': str(int(time.time())),
        'oauth_nonce': 'accessresourcenonce',
        'oauth_version': '1.0',
    Calculating Signature Value
    HMAC-SHA1 produces the following digest value as a base64-encoded string 
    (using the Signature Base String as text and kd94hf93k423kf44&pfkkdhi9sl3r4s00 
    as key)::

    consumer = Consumer.all().fetch(1000)[0]

    #we dont use the OAuthRequest.from_token_and_callback function as how the
    #original method does as it does a token.key instead of token.key_

    oauth_request = OAuthRequest('POST', 'http://localhost/protected',
    signature_method = OAuthSignatureMethod_HMAC_SHA1()
    signature = signature_method.build_signature(oauth_request, consumer,
    Requesting Protected Resource
    All together, the Consumer request for the photo is::

    parameters['oauth_signature'] = signature
    response = app.post("/protected", parameters)

    assert response.status == '200 OK'
    assert response.body == 'Protected Resource access!'
    Otherwise, an explicit error will be raised::

    parameters['oauth_signature'] = 'wrongsignature'
    parameters['oauth_nonce'] = 'anotheraccessresourcenonce'
    response = app.post("/protected", parameters, status=401)

    assert '401 Invalid signature. Expected signature base string: POST' in response.status
    assert 'Invalid signature. Expected signature base string: POST' in response.body

    response = app.post("/protected", status=401)

    #TODO - why are we getting "Invalid OAuth parameters instead of Invalid request parameters"
    assert response.status == '401 Invalid OAuth parameters'
    assert response.headers[
        'WWW-Authenticate'] == 'OAuth realm="http://events.example.net/"'
    assert response.body == 'Invalid OAuth parameters'
    Revoking Access
    If Jane deletes the Access Token of printer.example.com, the Consumer will not 
    be able to access the Protected Resource anymore::
    access_token_key = access_token.key_
    parameters['oauth_nonce'] = 'yetanotheraccessresourcenonce'

    oauth_request = OAuthRequest('POST', 'http://localhost/protected',
    signature_method = OAuthSignatureMethod_HMAC_SHA1()
    signature = signature_method.build_signature(oauth_request, consumer,

    parameters['oauth_signature'] = signature

    response = app.post("/protected", parameters, status=401)

    assert response.status == '401 Invalid access token: %s' % (
    assert response.body == 'Invalid access token: %s' % (access_token_key)
Пример #7
class OauthTestIssue24(BaseOAuthTestCase):
    See https://bitbucket.org/david/django-oauth-plus/issue/24/utilspy-initialize_server_request-should
    def setUp(self):
        super(OauthTestIssue24, self).setUp()

        #setting the access key/secret to made-up strings
        self.access_token = Token(

    def test_that_initialize_server_request_when_custom_content_type(self):
        """Chceck if post data is not included in params when constent type
        is not application/x-www-form-urlencoded. It would cause problems only when signature method is

        data = json.dumps({"data": {"foo": "bar"}})
        content_type = "application/json"
        querystring = self._make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)

        #we're just using the request, don't bother faking sending it
        rf = RequestFactory()
        request = rf.post(querystring, data, content_type)

        #this is basically a "remake" of the relevant parts of OAuthAuthentication in django-rest-framework
        oauth_request = utils.get_oauth_request(request)

        consumer_key = oauth_request.get_parameter('oauth_consumer_key')
        consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)

        token_param = oauth_request.get_parameter('oauth_token')
        token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)

        oauth_server, oauth_request = utils.initialize_server_request(request)

        #check that this does not throw an oauth.Error
        oauth_server.verify_request(oauth_request, consumer, token)

    def test_post_using_in_authorization_header_and_PLAINTEXT(self):

        parameters = {
            'oauth_consumer_key': self.CONSUMER_KEY,
            'oauth_signature_method': "PLAINTEXT",
            'oauth_version': "1.0",
            'oauth_token': self.ACCESS_TOKEN_KEY,
            'oauth_timestamp': str(int(time.time())),
            'oauth_nonce': str(int(time.time()))+"nonce",
            'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
        header = self._get_http_authorization_header(parameters)
        response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header)

        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_post_body_and_PLAINTEXT(self):
        """Check if auth works when authorization data is in post body when
        content type is pplication/x-www-form-urlencoded

        parameters = {
            'oauth_consumer_key': self.CONSUMER_KEY,
            'oauth_signature_method': "PLAINTEXT",
            'oauth_version': "1.0",
            'oauth_token': self.ACCESS_TOKEN_KEY,
            'oauth_timestamp': str(int(time.time())),
            'oauth_nonce': str(int(time.time()))+"nonce",
            'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),
            "additional_data": "whoop"  # additional data
        response = self.c.post("/oauth/photo/", urllib.urlencode(parameters, True),
        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_header_with_content_type_json_and_PLAINTEXT(self):

        parameters = {
            'oauth_consumer_key': self.CONSUMER_KEY,
            'oauth_signature_method': "PLAINTEXT",
            'oauth_version': "1.0",
            'oauth_token': self.ACCESS_TOKEN_KEY,
            'oauth_timestamp': str(int(time.time())),
            'oauth_nonce': str(int(time.time()))+"nonce",
            'oauth_signature': "%s&%s" % (self.CONSUMER_SECRET, self.ACCESS_TOKEN_SECRET),

        header = self._get_http_authorization_header(parameters)
        response = self.c.post("/oauth/photo/", HTTP_AUTHORIZATION=header, CONTENT_TYPE="application/json")

        self.assertEqual(response.status_code, 200)

    def test_post_using_auth_in_body_content_type_and_application_x_www_form_urlencoded(self):
        """Opposite of test_that_initialize_server_request_when_custom_content_type,
        If content type is application/x-www-form-urlencoded, post data should be added to params,
        and it affects signature

        data = {"foo": "bar"}
        content_type = "application/x-www-form-urlencoded"
        querystring = self._make_querystring_with_HMAC_SHA1("POST", "/path/to/post", data, content_type)

        #we're just using the request, don't bother faking sending it
        rf = RequestFactory()
        request = rf.post(querystring, urllib.urlencode(data), content_type)

        # this is basically a "remake" of the relevant parts of
        # OAuthAuthentication in django-rest-framework
        oauth_request = utils.get_oauth_request(request)

        consumer_key = oauth_request.get_parameter('oauth_consumer_key')
        consumer = oauth_provider_store.get_consumer(request, oauth_request, consumer_key)

        token_param = oauth_request.get_parameter('oauth_token')
        token = oauth_provider_store.get_access_token(request, oauth_request, consumer, token_param)

        oauth_server, oauth_request = utils.initialize_server_request(request)

        #check that this does not throw an oauth.Error
        oauth_server.verify_request(oauth_request, consumer, token)
Пример #8
def test_oauth1_0():
    Test to veriy OAuth 1.0 flow

    After Jane informs printer.example.com that she would like to print her 
    vacation photo stored at photos.example.net, the printer website tries to 
    access the photo and receives HTTP 401 Unauthorized indicating it is private. 
    The Service Provider includes the following header with the response::
    #TODO - not able to handle /request_token/ - returns 404
    #TODO - add test for reuse of nonce for the request token stage?
    #TODO - add test for oauth params in Authorization, GET and POST
    response = app.get('/request_token',status=401)
    assert response.status == '401 Invalid request parameters.'
    assert response.headers['WWW-Authenticate'] == 'OAuth realm="http://events.example.net/"'
    assert response.body == 'Invalid request parameters.'
    The Consumer sends the following HTTP POST request to the Service Provider::
    import time
    parameters = {
        'oauth_consumer_key': CONSUMER_KEY,
        'oauth_signature_method': 'PLAINTEXT',
        'oauth_signature': '%s&' % CONSUMER_SECRET,
        'oauth_timestamp': str(int(time.time())),
        'oauth_nonce': 'requestnonce',
        'oauth_version': '1.0',
        #'scope': 'default', # custom argument to specify Protected Resource
    response = app.post('/request_token',parameters) 
    The Service Provider checks the signature and replies with an unauthorized 
    Request Token in the body of the HTTP response::
    assert response.status == '200 OK'
    tokens = Token.all().fetch(1000)
    #double checking the sanity of the test - there should only be one token in 
    #the store at this stage
    assert len(tokens) == 1
    token = tokens[0]
    assert 'oauth_token_secret=%s&oauth_token=%s'%(token.secret,token.key_) == response.body
    #Ensure that the token returned is unauthorized request token
    assert token.is_approved == False
    assert token.token_type == Token.REQUEST
    If you try to access a resource with a wrong scope, it will return an error::

    #the scope related tests are not here as they the scope
    #function has not been implemented yet
    #>> parameters['scope'] = 'videos'
    #>>> response = c.get("/oauth/request_token/", parameters)
    #>>> response.status_code
    #>>> response.content
    #'Resource videos does not exist.'
    Requesting User Authorization
    The Consumer redirects Jane's browser to the Service Provider User 
    Authorization URL to obtain Jane's approval for accessing her private photos.
    The Service Provider asks Jane to sign-in using her username and password::
    parameters = {
        'oauth_token' : token.key_,
        'oauth_callback' : 'http://test.com/request_token_ready'
    response = app.post('/authorize', parameters)
    assert response.status == '302 Moved Temporarily'
    assert response.location ==\

    #the token details should not be altered by this call
    tokens = Token.all().fetch(1000)
    assert len(tokens) == 1
    token = tokens[0]
    assert token.is_approved == False
    assert token.token_type == Token.REQUEST
    #In reality the user would of been redirected to the Google login page and 
    #then redirected to the authorization url. We simulate the user being logged
    #in and redirect manually to the authorization page
    #simulate logged in 
    os.environ['USER_EMAIL'] = '*****@*****.**'
    response = app.post('/authorize', parameters)
    #verify that the request token is now approved
    tokens = Token.all().fetch(1000)
    assert len(tokens) == 1
    token = tokens[0]
    assert token.is_approved == True
    assert token.token_type == Token.REQUEST
    #verify the response - now that we are approved we should get 
    assert response.status == '302 Moved Temporarily'
    assert response.location == 'http://test.com/request_token_ready?oauth_token=%s'%(token.key_)
    #TODO add test for case where the user rejects the approval, 
    #now the flow assumes that it will always be approved upon logging in
    Obtaining an Access Token
    Now that the Consumer knows Jane approved the Request Token, it asks the 
    Service Provider to exchange it for an Access Token::
    parameters = {
         'oauth_consumer_key': CONSUMER_KEY,
         'oauth_token': token.key_,
         'oauth_signature_method': 'PLAINTEXT',
         'oauth_signature': '%s&%s' % (CONSUMER_SECRET, token.secret),
         'oauth_timestamp': str(int(time.time())),
         'oauth_nonce': 'accessnonce',
         'oauth_version': '1.0',
    response = app.post("/access_token", parameters)
    The Service Provider checks the signature and replies with an Access Token in 
    the body of the HTTP response::
    response.status == '200 OK'
    #verify the access token now 
    access_tokens = Token.all()\
        .filter('token_type =',Token.ACCESS).fetch(1000)
    #double checking the sanity of the test - there should only be one token in 
    #the store at this stage
    assert len(access_tokens) == 1
    access_token = access_tokens[0]
    assert 'oauth_token_secret=%s&oauth_token=%s'%(access_token.secret,access_token.key_) == response.body

    assert str(access_token.user) == '*****@*****.**'
    The Consumer will not be able to request another Access Token with the same
    nonces = Nonce.all().fetch(1000)
    assert nonces[0].key_ == "accessnonce"
    response = app.post("/access_token", parameters,status=401)
    assert response.status == '401 Nonce already used: accessnonce'
    assert response.body == 'Nonce already used: accessnonce'
    The Consumer will not be able to request an Access Token if the token is not
    token.is_approved = False
    parameters['oauth_nonce'] = 'anotheraccessnonce'
    response = app.post("/access_token", parameters,status=401)
    response.status == "401 Consumer key or token key does not match. Make sure your request token is approved. Check your verifier too if you use OAuth 1.0a."
    response.body == 'Consumer key or token key does not match. Make sure your request token is approved. Check your verifier too if you use OAuth 1.0a.'
    Accessing Protected Resources
    The Consumer is now ready to request the private photo. Since the photo URL is 
    not secure (HTTP), it must use HMAC-SHA1.
    Generating Signature Base String
    To generate the signature, it first needs to generate the Signature Base 
    String. The request contains the following parameters (oauth_signature 
    excluded) which are ordered and concatenated into a normalized string::
    parameters = {
         'oauth_consumer_key': CONSUMER_KEY,
         'oauth_token': access_token.key_,
         'oauth_signature_method': 'HMAC-SHA1',
         'oauth_timestamp': str(int(time.time())),
         'oauth_nonce': 'accessresourcenonce',
         'oauth_version': '1.0',
    Calculating Signature Value
    HMAC-SHA1 produces the following digest value as a base64-encoded string 
    (using the Signature Base String as text and kd94hf93k423kf44&pfkkdhi9sl3r4s00 
    as key)::
    consumer = Consumer.all().fetch(1000)[0]
    #we dont use the OAuthRequest.from_token_and_callback function as how the 
    #original method does as it does a token.key instead of token.key_
    oauth_request = OAuthRequest('POST','http://localhost/protected',parameters)
    signature_method = OAuthSignatureMethod_HMAC_SHA1()
    signature = signature_method.build_signature(oauth_request, consumer, 

    Requesting Protected Resource
    All together, the Consumer request for the photo is::

    parameters['oauth_signature'] = signature
    response = app.post("/protected", parameters)
    assert response.status == '200 OK'
    assert response.body == 'Protected Resource access!'
    Otherwise, an explicit error will be raised::
    parameters['oauth_signature'] = 'wrongsignature'
    parameters['oauth_nonce'] = 'anotheraccessresourcenonce'
    response = app.post("/protected", parameters,status=401)

    assert '401 Invalid signature. Expected signature base string: POST' in response.status 
    assert 'Invalid signature. Expected signature base string: POST' in response.body

    response = app.post("/protected",status=401)

    #TODO - why are we getting "Invalid OAuth parameters instead of Invalid request parameters"
    assert response.status == '401 Invalid OAuth parameters'
    assert response.headers['WWW-Authenticate'] == 'OAuth realm="http://events.example.net/"'
    assert response.body == 'Invalid OAuth parameters'
    Revoking Access
    If Jane deletes the Access Token of printer.example.com, the Consumer will not 
    be able to access the Protected Resource anymore::
    access_token_key = access_token.key_
    parameters['oauth_nonce'] = 'yetanotheraccessresourcenonce'
    oauth_request = OAuthRequest('POST','http://localhost/protected',parameters)
    signature_method = OAuthSignatureMethod_HMAC_SHA1()
    signature = signature_method.build_signature(oauth_request, consumer, 
    parameters['oauth_signature'] = signature

    response = app.post("/protected", parameters,status=401)

    assert response.status == '401 Invalid access token: %s'%(access_token_key)
    assert response.body == 'Invalid access token: %s'%(access_token_key)
