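def test_client_endpoint():
    """Client._endpoint resolves configured endpoints and refuses unset ones.

    Three lookups are covered: the attribute configured on the client, an
    override passed as a keyword argument, and the failure cases.  An
    endpoint cleared to "" and an endpoint name the client does not know
    must both raise -- a token request quietly sent to "" (with the client
    credentials in its body) is a misconfiguration the caller has to see.
    """
    cli = Client()
    cli.authorization_endpoint = "https://example.org/oauth2/as"
    cli.token_endpoint = "https://example.org/oauth2/token"
    cli.token_revocation_endpoint = "https://example.org/oauth2/token_rev"

    # Plain attribute lookups.
    assert cli._endpoint("authorization_endpoint") == "https://example.org/oauth2/as"
    assert cli._endpoint("token_endpoint") == "https://example.org/oauth2/token"
    assert cli._endpoint("token_revocation_endpoint") == "https://example.org/oauth2/token_rev"

    # A keyword argument overrides the configured attribute.
    ae = cli._endpoint("authorization_endpoint",
                       **{"authorization_endpoint": "https://example.com/as"})
    assert ae == "https://example.com/as"

    # Context-manager form of raises(): the string form evaluates source
    # text in the caller's frame and is deprecated in pytest.
    cli.token_endpoint = ""
    with raises(Exception):
        cli._endpoint("token_endpoint")
    with raises(Exception):
        cli._endpoint("foo_endpoint")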
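def phaseN(self, environ, info, server_env, sid):
    """Finish the social-login flow: exchange the code, fetch the profile.

    Parses the authorization response in ``info``, trades the code for a
    token at the provider's token endpoint (client_secret_post) and reads
    the basic profile from the userinfo resource.  This provider answers
    with XML; the profile is the attribute map of the root element.  On
    success the session cached under ``sid`` is marked authenticated and
    written back.

    Parameters:
        environ: WSGI environ; not used here.
        info: the authorization response in dict form.
        server_env: server environment; "CACHE" and "base_url" are read.
        sid: session id, the key into ``server_env["CACHE"]``.

    Returns ``(True, profile, session)`` on success, or ``(False, message)``
    when the provider reports an error, the token response carries no
    access token, or the profile has no "uid".  Network and XML parse
    errors propagate to the caller.
    """
    session = server_env["CACHE"][sid]
    callback = server_env["base_url"] + self.social_endpoint

    def fail():
        # Mark the session and write it back, exactly as the success path
        # does, so the FAILED state persists even if CACHE hands out copies.
        session["authentication"] = "FAILED"
        server_env["CACHE"][sid] = session
        return False, "Authentication failed or permission not granted"

    client = Client(client_id=self.client_id,
                    client_authn_method=CLIENT_AUTHN_METHOD)
    response = client.parse_response(AuthorizationResponse, info, "dict")
    # The authorization response normally carries the one-time code; keep
    # it out of INFO-level logs.
    logger.debug("Response: %s", response)
    if isinstance(response, ErrorResponse):
        logger.info("%s", response)
        return fail()

    # NOTE(review): state is forwarded from the response unchecked here;
    # confirm that do_access_token_request (or the caller) compares it with
    # the value issued when the flow started, otherwise the callback is
    # open to CSRF.
    req_args = {
        "redirect_uri": callback,
        "client_secret": self.client_secret,
    }
    client.token_endpoint = self.extra["token_endpoint"]
    tokenresp = client.do_access_token_request(
        scope=self._scope,
        body_type=self.token_response_body_type,
        request_args=req_args,
        authn_method="client_secret_post",
        state=response["state"],
        response_cls=self.access_token_response)
    if isinstance(tokenresp, ErrorResponse):
        logger.info("%s", tokenresp)
        return fail()
    try:
        access_token = tokenresp["access_token"]
    except KeyError:
        # A non-error token response without a token is malformed; fail
        # cleanly instead of raising from the userinfo call below.
        logger.warning("Token response carried no access_token")
        return fail()

    # Download the user profile and cache a local instance of the basic
    # profile info.  It is personal data: log at debug only.
    result = client.fetch_protected_resource(
        self.userinfo_endpoint(tokenresp), token=access_token)
    logger.debug("Userinfo: %s", result.text)
    # NOTE(review): the body comes from the provider over the network and
    # is fed to the stdlib XML parser.  Current CPython does not resolve
    # external entities here, but entity-expansion limits depend on the
    # underlying expat -- confirm for the deployed interpreter.
    root = ET.fromstring(result.text)
    # Only the root element's attributes form the profile; the JSON
    # round-trip turns the attribute map into a plain dict of text strings
    # before convert() sees it.
    profile = self.convert(json.loads(json.dumps(root.attrib)))
    logger.debug("PROFILE: %s", profile)

    try:
        permanent_id = profile["uid"]
    except KeyError:
        logger.warning("Profile from %s carries no 'uid'", self.name)
        return fail()

    session["service"] = self.name
    session["authentication"] = "OK"
    session["status"] = "SUCCESS"
    session["authn_auth"] = self.authenticating_authority
    session["permanent_id"] = permanent_id
    server_env["CACHE"][sid] = session
    return True, profile, session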
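def phaseN(self, environ, info, server_env, sid):
    """Finish the social-login flow: exchange the code, fetch the profile.

    Parses the authorization response in ``info``, trades the code for a
    token at the provider's token endpoint (client_secret_post) and reads
    the JSON user profile from the userinfo resource.  On success the
    session cached under ``sid`` is marked authenticated and written back;
    the profile is passed through ``self.convert`` for the caller, while
    ``permanent_id`` is taken from the raw profile's "id".

    Parameters:
        environ: WSGI environ; not used here.
        info: the authorization response in dict form.
        server_env: server environment; "CACHE" and "base_url" are read.
        sid: session id, the key into ``server_env["CACHE"]``.

    Returns ``(True, converted_profile, session)`` on success, or
    ``(False, message)`` when the provider reports an error, the token
    response carries no access token, or the profile has no "id".
    Network and JSON errors propagate to the caller.
    """
    session = server_env["CACHE"][sid]
    callback = server_env["base_url"] + self.social_endpoint

    def fail():
        # Mark the session and write it back, exactly as the success path
        # does, so the FAILED state persists even if CACHE hands out copies.
        session["authentication"] = "FAILED"
        server_env["CACHE"][sid] = session
        return False, "Authentication failed or permission not granted"

    client = Client(client_id=self.client_id,
                    client_authn_method=CLIENT_AUTHN_METHOD)
    response = client.parse_response(AuthorizationResponse, info, "dict")
    # The authorization response normally carries the one-time code; keep
    # it out of INFO-level logs.
    logger.debug("Response: %s", response)
    if isinstance(response, ErrorResponse):
        logger.info("%s", response)
        return fail()

    # NOTE(review): state is forwarded from the response unchecked here;
    # confirm that do_access_token_request (or the caller) compares it with
    # the value issued when the flow started, otherwise the callback is
    # open to CSRF.
    req_args = {
        "redirect_uri": callback,
        "client_secret": self.client_secret,
    }
    client.token_endpoint = self.extra["token_endpoint"]
    tokenresp = client.do_access_token_request(
        scope=self._scope,
        body_type=self.token_response_body_type,
        request_args=req_args,
        authn_method="client_secret_post",
        state=response["state"],
        response_cls=self.access_token_response)
    if isinstance(tokenresp, ErrorResponse):
        logger.info("%s", tokenresp)
        return fail()
    try:
        access_token = tokenresp["access_token"]
    except KeyError:
        # A non-error token response without a token is malformed; fail
        # cleanly instead of raising from the userinfo call below.
        logger.warning("Token response carried no access_token")
        return fail()

    # Download the user profile and cache a local instance of the basic
    # profile info.  It is personal data: log at debug only.
    result = client.fetch_protected_resource(
        self.userinfo_endpoint(tokenresp), token=access_token)
    logger.debug("Userinfo: %s", result.text)
    profile = json.loads(result.text)
    logger.debug("PROFILE: %s", profile)

    try:
        permanent_id = profile["id"]
    except KeyError:
        logger.warning("Profile from %s carries no 'id'", self.name)
        return fail()

    session["service"] = self.name
    session["authentication"] = "OK"
    session["status"] = "SUCCESS"
    session["authn_auth"] = self.authenticating_authority
    session["permanent_id"] = permanent_id
    server_env["CACHE"][sid] = session
    return True, self.convert(profile), session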
def test_private_key_jwt():
    """A private_key_jwt assertion is RS256-signed and carries the standard claims.

    The client's key jar holds the RSA key under the empty issuer id.  After
    construct() the request itself carries the assertion -- nothing is added
    to the HTTP arguments -- and its JWT header must pin the algorithm.
    """
    client = Client("FOO")
    client.token_endpoint = "https://example.com/token"
    client.keyjar[""] = KC_RSA

    request = AccessTokenRequest()
    http_args = PrivateKeyJWT(client).construct(request, algorithm="RS256")
    assert http_args == {}

    assertion = request["client_assertion"]
    # unpack() yields (header, claim, crypto, header_b64, claim_b64); only
    # the decoded header and claim set are checked here.
    header, claim = jwkest.unpack(assertion)[:2]
    claims = json.loads(claim)
    assert _eq(claims.keys(), ["aud", "iss", "sub", "jti", "exp", "iat"])
    print(header)
    assert header == {'alg': 'RS256'}
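def phaseN(self, environ, query, server_env, session):
    """Finish the OAuth2 flow: exchange the code for a token and fetch the profile.

    Parses the authorization response in ``query``, trades the code for a
    token at the provider's token endpoint (client_secret_post) and reads
    the JSON user profile from the userinfo resource.

    Parameters:
        environ: WSGI environ; not used here.
        query: the authorization response in dict form.
        server_env: server environment; only "base_url" is read.
        session: not used here.

    Returns ``(True, profile, access_token, client)`` on success, or
    ``(False, message)`` when the provider reports an error or the token
    response carries no access token.  Network and JSON errors propagate
    to the caller.
    """
    failure = (False, "Authentication failed or permission not granted")
    callback = server_env["base_url"] + self.opKey

    client = Client(client_id=self.client_id,
                    client_authn_method=CLIENT_AUTHN_METHOD)
    response = client.parse_response(AuthorizationResponse, query, "dict")
    # The authorization response normally carries the one-time code; keep
    # it out of INFO-level logs.
    logger.debug("Response: %s", response)
    if isinstance(response, ErrorResponse):
        logger.info("%s", response)
        return failure

    # NOTE(review): state is forwarded from the response unchecked here;
    # confirm that do_access_token_request (or the caller) compares it with
    # the value issued when the flow started, otherwise the callback is
    # open to CSRF.
    req_args = {
        "redirect_uri": callback,
        "client_secret": self.client_secret,
    }
    client.token_endpoint = self.extra["token_endpoint"]
    tokenresp = client.do_access_token_request(
        scope=self._scope,
        body_type=self.token_response_body_type,
        request_args=req_args,
        authn_method="client_secret_post",
        state=response["state"],
        response_cls=self.access_token_response)
    if isinstance(tokenresp, ErrorResponse):
        logger.info("%s", tokenresp)
        return failure
    try:
        access_token = tokenresp["access_token"]
    except KeyError:
        # A non-error token response without a token is malformed; fail
        # cleanly instead of raising from the userinfo call below.
        logger.warning("Token response carried no access_token")
        return failure

    # Download the user profile and cache a local instance of the basic
    # profile info.  It is personal data: log at debug only.
    result = client.fetch_protected_resource(
        self.userinfo_endpoint(tokenresp), token=access_token)
    logger.debug("Userinfo: %s", result.text)
    profile = json.loads(result.text)
    return True, profile, access_token, client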
def test_client_secret_jwt():
    """A client_secret_jwt assertion is an HS256 JWT verifiable with the client secret."""
    client = Client("Foo")
    client.token_endpoint = "https://example.com/token"
    client.client_secret = "foobar"

    request = AccessTokenRequest()
    http_args = ClientSecretJWT(client).construct(request, algorithm="HS256")
    print(http_args)

    # The assertion is placed in the request itself, typed as a JWT bearer.
    assert request["client_assertion_type"] == JWT_BEARER
    assert "client_assertion" in request
    assertion = request["client_assertion"]

    expected_claims = ["aud", "iss", "sub", "jti", "exp", "iat"]
    unpacked = JWT().unpack(assertion)
    assert _eq(json.loads(unpacked.part[1]).keys(), expected_claims)
    print(unpacked.headers)
    # Pin the algorithm: the assertion must be an HMAC over the shared secret.
    assert unpacked.headers == {'alg': 'HS256'}

    # Verifying with the secret must succeed and yield the same claim set.
    verified = JWS().verify_compact(assertion, [SYMKey(key=client.client_secret)])
    assert _eq(verified.keys(), expected_claims)
def test_client_secret_jwt():
    """A client_secret_jwt assertion is an HS256 JWT that verifies under the client secret."""
    client = Client("Foo")
    client.token_endpoint = "https://example.com/token"
    client.client_secret = "foobar"

    request = AccessTokenRequest()
    http_args = ClientSecretJWT(client).construct(request, algorithm="HS256")
    print(http_args)

    # The assertion is placed in the request itself, typed as a JWT bearer.
    assert request["client_assertion_type"] == JWT_BEARER
    assert "client_assertion" in request
    assertion = request["client_assertion"]

    expected_claims = ["aud", "iss", "sub", "jti", "exp", "iat"]
    # unpack() yields (header, claim, crypto, header_b64, claim_b64); only
    # the decoded header and claim set are checked here.
    header, claim = jwkest.unpack(assertion)[:2]
    assert _eq(json.loads(claim).keys(), expected_claims)
    print(header)
    # Pin the algorithm: the assertion must be an HMAC over the shared secret.
    assert header == {'alg': 'HS256'}

    # Verifying with the secret must succeed and yield the same claim set.
    verified = JWS().verify_compact(assertion, [SYM_key(key=client.client_secret)])
    assert _eq(json.loads(verified).keys(), expected_claims)