def test_access_and_id_token_by_reference(self, httpserver): res = self.rph.begin(issuer_id='github') _session = self.rph.get_session_information(res['state']) client = self.rph.issuer2rp[_session['iss']] _nonce = _session['auth_request']['nonce'] _iss = _session['iss'] _aud = client.client_id idval = {'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss, 'aud': _aud} idts = IdToken(**idval) _signed_jwt = idts.to_jwt( key=client.service_context.keyjar.get_signing_key('oct'), algorithm="HS256", lifetime=300) _info = {"access_token": "accessTok", "id_token": _signed_jwt, "token_type": "Bearer", "expires_in": 3600} at = AccessTokenResponse(**_info) httpserver.serve_content(at.to_json()) client.service['accesstoken'].endpoint = httpserver.url _response = AuthorizationResponse(code='access_code', state=res['state']) auth_response = self.rph.finalize_auth(client, _session['iss'], _response.to_dict()) resp = self.rph.get_access_and_id_token(state=res['state']) assert resp['access_token'] == 'accessTok' assert isinstance(resp['id_token'], IdToken)
def test_get_access_token(self): res = self.rph.begin(issuer_id='github') _session = self.rph.get_session_information(res['state']) client = self.rph.issuer2rp[_session['iss']] _github_id = iss_id('github') client.service_context.keyjar.import_jwks( GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id) _nonce = _session['auth_request']['nonce'] _iss = _session['iss'] _aud = client.client_id idval = { 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss, 'aud': _aud } idts = IdToken(**idval) _signed_jwt = idts.to_jwt( key=GITHUB_KEY.get_signing_key(issuer_id=_github_id), algorithm="RS256", lifetime=300) _info = { "access_token": "accessTok", "id_token": _signed_jwt, "token_type": "Bearer", "expires_in": 3600 } at = AccessTokenResponse(**_info) _url = "https://github.com/token" with responses.RequestsMock() as rsps: rsps.add("POST", _url, body=at.to_json(), adding_headers={"Content-Type": "application/json"}, status=200) client.service['accesstoken'].endpoint = _url auth_response = AuthorizationResponse(code='access_code', state=res['state']) resp = self.rph.finalize_auth(client, _session['iss'], auth_response.to_dict()) resp = self.rph.get_access_token(res['state'], client) assert set(resp.keys()) == { 'access_token', 'expires_in', 'id_token', 'token_type', '__verified_id_token', '__expires_at' } atresp = client.service['accesstoken'].get_item( AccessTokenResponse, 'token_response', res['state']) assert set(atresp.keys()) == { 'access_token', 'expires_in', 'id_token', 'token_type', '__verified_id_token', '__expires_at' }
def rphandler_setup(self, httpserver): self.rph = RPHandler(base_url=BASE_URL, client_configs=CLIENT_CONFIG, keyjar=CLI_KEY) res = self.rph.begin(issuer_id='github') _session = self.rph.get_session_information(res['state']) client = self.rph.issuer2rp[_session['iss']] _nonce = _session['auth_request']['nonce'] _iss = _session['iss'] _aud = client.client_id idval = { 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss, 'aud': _aud } _github_id = iss_id('github') client.service_context.keyjar.import_jwks( GITHUB_KEY.export_jwks(issuer=_github_id), _github_id) idts = IdToken(**idval) _signed_jwt = idts.to_jwt(key=GITHUB_KEY.get_signing_key( 'rsa', owner=_github_id), algorithm="RS256", lifetime=300) _info = { "access_token": "accessTok", "id_token": _signed_jwt, "token_type": "Bearer", "expires_in": 3600, 'refresh_token': 'refreshing' } at = AccessTokenResponse(**_info) httpserver.serve_content(at.to_json(), headers={'Content-Type': 'application/json'}) client.service['accesstoken'].endpoint = httpserver.url _response = AuthorizationResponse(code='access_code', state=res['state']) auth_response = self.rph.finalize_auth(client, _session['iss'], _response.to_dict()) token_resp = self.rph.get_access_and_id_token(auth_response, client=client) httpserver.serve_content('{"sub":"EndUserSubject"}', headers={'Content-Type': 'application/json'}) client.service['userinfo'].endpoint = httpserver.url self.rph.get_user_info(res['state'], client, token_resp['access_token']) self.state = res['state']
def test_access_and_id_token_by_reference(self): rph_1 = RPHandler(BASE_URL, client_configs=CLIENT_CONFIG, keyjar=CLI_KEY, module_dirs=['oidc']) res = rph_1.begin(issuer_id='github') _session = rph_1.get_session_information(res['state']) client = rph_1.issuer2rp[_session['iss']] _context = client.client_get("service_context") _nonce = _session['auth_request']['nonce'] _iss = _session['iss'] _aud = _context.client_id idval = { 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss, 'aud': _aud } _github_id = iss_id('github') _context.keyjar.import_jwks( GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id) idts = IdToken(**idval) _signed_jwt = idts.to_jwt(key=GITHUB_KEY.get_signing_key( 'rsa', issuer_id=_github_id), algorithm="RS256", lifetime=300) _info = { "access_token": "accessTok", "id_token": _signed_jwt, "token_type": "Bearer", "expires_in": 3600 } at = AccessTokenResponse(**_info) _url = "https://github.com/token" with responses.RequestsMock() as rsps: rsps.add("POST", _url, body=at.to_json(), adding_headers={"Content-Type": "application/json"}, status=200) client.client_get("service", 'accesstoken').endpoint = _url _response = AuthorizationResponse(code='access_code', state=res['state']) _ = rph_1.finalize_auth(client, _session['iss'], _response.to_dict()) resp = rph_1.get_access_and_id_token(state=res['state']) assert resp['access_token'] == 'accessTok' assert isinstance(resp['id_token'], IdToken)
def test_refresh_access_token(self, httpserver): _session = self.rph.get_session_information(self.state) client = self.rph.issuer2rp[_session['iss']] _info = {"access_token": "2nd_accessTok", "token_type": "Bearer", "expires_in": 3600} at = AccessTokenResponse(**_info) httpserver.serve_content(at.to_json()) client.service['refresh_token'].endpoint = httpserver.url res = self.rph.refresh_access_token(self.state, client, 'openid email') assert res['access_token'] == '2nd_accessTok'
def test_get_access_token(self, httpserver): res = self.rph.begin(issuer_id='github') _session = self.rph.get_session_information(res['state']) client = self.rph.issuer2rp[_session['iss']] _nonce = _session['auth_request']['nonce'] _iss = _session['iss'] _aud = client.client_id idval = { 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss, 'aud': _aud } idts = IdToken(**idval) _signed_jwt = idts.to_jwt( key=client.service_context.keyjar.get_signing_key('oct'), algorithm="HS256", lifetime=300) _info = { "access_token": "accessTok", "id_token": _signed_jwt, "token_type": "Bearer", "expires_in": 3600 } at = AccessTokenResponse(**_info) httpserver.serve_content(at.to_json(), headers={'Content-Type': 'application/json'}) client.service['accesstoken'].endpoint = httpserver.url auth_response = AuthorizationResponse(code='access_code', state=res['state']) resp = self.rph.finalize_auth(client, _session['iss'], auth_response.to_dict()) resp = self.rph.get_access_token(res['state'], client) assert set(resp.keys()) == { 'access_token', 'expires_in', 'id_token', 'token_type', '__verified_id_token', '__expires_at' } atresp = client.service['accesstoken'].get_item( AccessTokenResponse, 'token_response', res['state']) assert set(atresp.keys()) == { 'access_token', 'expires_in', 'id_token', 'token_type', '__verified_id_token', '__expires_at' }
def construct_access_token_response(self, client_id): _nonce = self.nonce _iss = self.issuer _aud = client_id idval = { 'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss, 'aud': _aud } idts = IdToken(**idval) _signed_jwt = idts.to_jwt(key=self.keyjar.get_signing_key('oct'), algorithm="HS256", lifetime=300) _info = { "access_token": "accessTok", "id_token": _signed_jwt, "token_type": "Bearer", "expires_in": 3600 } return AccessTokenResponse(**_info)
def test_refresh_access_token(self): _session = self.rph.get_session_information(self.state) client = self.rph.issuer2rp[_session['iss']] _info = { "access_token": "2nd_accessTok", "token_type": "Bearer", "expires_in": 3600 } at = AccessTokenResponse(**_info) _url = "https://github.com/token" with responses.RequestsMock() as rsps: rsps.add("POST", _url, body=at.to_json(), adding_headers={"Content-Type": "application/json"}, status=200) client.service['refresh_token'].endpoint = _url res = self.rph.refresh_access_token(self.state, client, 'openid email') assert res['access_token'] == '2nd_accessTok'
def _create_at(self, uid, lifetime=0, with_jti=False): _context = self.introspection_endpoint.endpoint_context session_id = setup_session( _context, AUTH_REQ, uid=uid, acr=INTERNETPROTOCOLPASSWORD, ) _token_request = TOKEN_REQ_DICT.copy() _token_request["code"] = _context.sdb[session_id]["code"] _context.sdb.update(session_id, user=uid) _req = self.token_endpoint.parse_request(_token_request) _resp = self.token_endpoint.process_request(request=_req) _resp = AccessTokenResponse(**_resp["response_args"]) return _resp["access_token"]
def construct_access_token_response(nonce, issuer, client_id, key_jar): _aud = client_id idval = { 'nonce': nonce, 'sub': 'EndUserSubject', 'iss': issuer, 'aud': _aud } idts = IdToken(**idval) _signed_jwt = idts.to_jwt(key=key_jar.get_signing_key('rsa', owner=issuer), algorithm="RS256", lifetime=300) _info = { "access_token": "accessTok", "id_token": _signed_jwt, "token_type": "Bearer", "expires_in": 3600 } return AccessTokenResponse(**_info)