def test_private_key_jwt_reusage_other_endpoint():
# Own dynamic keys
client_keyjar = build_keyjar(KEYDEFS)
# The servers keys
client_keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
_jwks = client_keyjar.export_jwks()
endpoint_context.keyjar.import_jwks(_jwks, client_id)
_jwt = JWT(client_keyjar, iss=client_id, sign_alg="RS256")
_jwt.with_jti = True
_assertion = _jwt.pack(
{"aud": [endpoint_context.endpoint["token"].full_path]})
request = {
"client_assertion": _assertion,
"client_assertion_type": JWT_BEARER
}
# This should be OK
PrivateKeyJWT(endpoint_context).verify(request, endpoint="token")
# This should NOT be OK
with pytest.raises(NotForMe):
PrivateKeyJWT(endpoint_context).verify(request,
endpoint="authorization")
# This should NOT be OK
with pytest.raises(MultipleUsage):
PrivateKeyJWT(endpoint_context).verify(request, endpoint="token")
def add_support(endpoint, **kwargs):
"""
:param endpoint:
:param kwargs:
:return:
"""
for endp in kwargs.get('where', []): # ["authorization", "pushed_authorization"]
auth_endpoint = endpoint.get(endp)
if auth_endpoint is None and endp == 'authorization':
auth_endpoint = endpoint.get('federation_{}'.format(endp))
if auth_endpoint:
auto_reg = registration.Registration(auth_endpoint.endpoint_context, **kwargs)
auth_endpoint.automatic_registration_endpoint = auto_reg
if endp == 'authorization':
if not auth_endpoint.client_authn_method:
auth_endpoint.client_authn_method = [
RequestParam(auth_endpoint.endpoint_context)]
else: # pushed_authorization
if not auth_endpoint.client_authn_method:
auth_endpoint.client_authn_method = [
PrivateKeyJWT(auth_endpoint.endpoint_context)]
_pi = auth_endpoint.endpoint_context.provider_info
_supported = kwargs.get('client_registration_authn_methods_supported')
if _supported:
_pi['client_registration_authn_methods_supported'] = _supported
def test_private_key_jwt():
# Own dynamic keys
client_keyjar = build_keyjar(KEYDEFS)[1]
# The servers keys
client_keyjar[conf['issuer']] = KEYJAR.issuer_keys['']
_jwks = client_keyjar.export_jwks()
endpoint_context.keyjar.import_jwks(_jwks, client_id)
_jwt = JWT(client_keyjar, iss=client_id, sign_alg='RS256')
_assertion = _jwt.pack({'aud': [conf['issuer']]})
request = {'client_assertion': _assertion,
'client_assertion_type': JWT_BEARER}
authn_info = PrivateKeyJWT(endpoint_context).verify(request)
assert authn_info['client_id'] == client_id
assert 'jwt' in authn_info
def test_private_key_jwt():
# Own dynamic keys
client_keyjar = build_keyjar(KEYDEFS)
# The servers keys
client_keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
_jwks = client_keyjar.export_jwks()
endpoint_context.keyjar.import_jwks(_jwks, client_id)
_jwt = JWT(client_keyjar, iss=client_id, sign_alg="RS256")
_assertion = _jwt.pack({"aud": [conf["issuer"]]})
request = {
"client_assertion": _assertion,
"client_assertion_type": JWT_BEARER
}
authn_info = PrivateKeyJWT(endpoint_context).verify(request)
assert authn_info["client_id"] == client_id
assert "jwt" in authn_info
def create_method(self):
self.method = PrivateKeyJWT(endpoint_context)
class TestPrivateKeyJWT():
@pytest.fixture(autouse=True)
def create_method(self):
self.method = PrivateKeyJWT(endpoint_context)
def test_private_key_jwt(self):
# Own dynamic keys
client_keyjar = build_keyjar(KEYDEFS)
# The servers keys
client_keyjar[CONF["issuer"]] = KEYJAR.issuer_keys[""]
_jwks = client_keyjar.export_jwks()
endpoint_context.keyjar.import_jwks(_jwks, client_id)
_jwt = JWT(client_keyjar, iss=client_id, sign_alg="RS256")
_jwt.with_jti = True
_assertion = _jwt.pack({"aud": [CONF["issuer"]]})
request = {"client_assertion": _assertion, "client_assertion_type": JWT_BEARER}
assert self.method.is_usable(request=request)
authn_info = self.method.verify(request=request)
assert authn_info["client_id"] == client_id
assert "jwt" in authn_info
def test_private_key_jwt_reusage_other_endpoint(self):
# Own dynamic keys
client_keyjar = build_keyjar(KEYDEFS)
# The servers keys
client_keyjar[CONF["issuer"]] = KEYJAR.issuer_keys[""]
_jwks = client_keyjar.export_jwks()
endpoint_context.keyjar.import_jwks(_jwks, client_id)
_jwt = JWT(client_keyjar, iss=client_id, sign_alg="RS256")
_jwt.with_jti = True
_assertion = _jwt.pack({"aud": [endpoint_context.endpoint["token"].full_path]})
request = {"client_assertion": _assertion, "client_assertion_type": JWT_BEARER}
# This should be OK
assert self.method.is_usable(request=request)
self.method.verify(request=request, endpoint="token")
# This should NOT be OK
with pytest.raises(NotForMe):
self.method.verify(request, endpoint="authorization")
# This should NOT be OK because this is the second time the token appears
with pytest.raises(MultipleUsage):
self.method.verify(request, endpoint="token")
def test_private_key_jwt_auth_endpoint(self):
# Own dynamic keys
client_keyjar = build_keyjar(KEYDEFS)
# The servers keys
client_keyjar[CONF["issuer"]] = KEYJAR.issuer_keys[""]
_jwks = client_keyjar.export_jwks()
endpoint_context.keyjar.import_jwks(_jwks, client_id)
_jwt = JWT(client_keyjar, iss=client_id, sign_alg="RS256")
_jwt.with_jti = True
_assertion = _jwt.pack({"aud": [endpoint_context.endpoint["authorization"].full_path]})
request = {"client_assertion": _assertion, "client_assertion_type": JWT_BEARER}
assert self.method.is_usable(request=request)
authn_info = self.method.verify(request=request, endpoint="authorization")
assert authn_info["client_id"] == client_id
assert "jwt" in authn_info