def create_client(self):
config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {
'response_types': ['code']
},
'add_ons': {
"dpop": {
"function": "oidcrp.oauth2.add_on.dpop.add_support",
"kwargs": {
"signing_algorithms": ["ES256", "ES512"]
}
}
}
}
self.client = Client(keyjar=CLI_KEY,
config=config,
services=DEFAULT_OAUTH2_SERVICES)
self.client.client_get("service_context").provider_info = {
"authorization_endpoint": "https://example.com/auth",
"token_endpoint": "https://example.com/token",
"dpop_signing_alg_values_supported": ["RS256", "ES256"]
}
def create_client(self):
self.redirect_uri = "http://example.com/redirect"
KEYSPEC = [
{
"type": "RSA",
"use": ["sig"]
},
{
"type": "EC",
"crv": "P-256",
"use": ["sig"]
},
]
conf = {
'redirect_uris': ['https://example.com/cli/authz_cb'],
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
'rp_keys': {
'private_path': 'private/jwks.json',
'key_defs': KEYSPEC,
'public_path': 'static/jwks.json',
# this will create the jwks files if they are absent
'read_only': False
}
}
rp_conf = RPConfiguration(conf)
self.client = Client(config=rp_conf)
assert self.client
def __init__(self,
client_authn_factory: Optional[Callable] = None,
keyjar: Optional[KeyJar] = None,
config: Optional[Union[dict, Configuration]] = None,
services: Optional[dict] = None,
jwks_uri: Optional[str] = '',
httpc_params: Optional[dict] = None,
httpc: Optional[Callable] = None,
cwd: Optional[str] = "",
httplib: Optional[Callable] = None):
Client.__init__(self,
client_authn_factory=client_authn_factory,
keyjar=keyjar,
config=config,
services=services,
jwks_uri=jwks_uri,
httpc_params=httpc_params)
if httpc is None and httplib:
httpc = httplib
fed_conf = config.get("federation")
if fed_conf:
self._service_context.federation_entity = FederationEntity(
config=fed_conf, httpc=httpc, cwd=cwd)
def create_client(self):
self.redirect_uri = "http://example.com/redirect"
conf = {
'issuer': 'https://op.example.com',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
'db_conf': {
'keyjar': {
'handler':
'oidcmsg.storage.abfile.LabeledAbstractFileSystem',
'fdir': 'db/keyjar',
'key_conv': 'oidcmsg.storage.converter.QPKey',
'value_conv': 'cryptojwt.serialize.item.KeyIssuer',
'label': 'keyjar'
},
'default': {
'handler': 'oidcmsg.storage.abfile.AbstractFileSystem',
'fdir': 'db',
'key_conv': 'oidcmsg.storage.converter.QPKey',
'value_conv': 'oidcmsg.storage.converter.JSON'
}
}
}
self.client = Client(config=conf)
def create_client(self):
self.redirect_uri = "http://example.com/redirect"
conf = {
'redirect_uris': ['https://example.com/cli/authz_cb'],
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop'
}
self.client = Client(DB(), config=conf)
class TestDPoPWithoutUserinfo:
@pytest.fixture(autouse=True)
def create_client(self):
config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {
'response_types': ['code']
},
'add_ons': {
"dpop": {
"function": "oidcrp.oauth2.add_on.dpop.add_support",
"kwargs": {
"signing_algorithms": ["ES256", "ES512"]
}
}
}
}
self.client = Client(keyjar=CLI_KEY,
config=config,
services=DEFAULT_OAUTH2_SERVICES)
self.client.client_get("service_context").provider_info = {
"authorization_endpoint": "https://example.com/auth",
"token_endpoint": "https://example.com/token",
"dpop_signing_alg_values_supported": ["RS256", "ES256"]
}
def test_add_header(self):
token_serv = self.client.client_get("service", "accesstoken")
req_args = {
"grant_type": "authorization_code",
"code": "SplxlOBeZQQYbYS6WxSbIA",
"redirect_uri": "https://client/example.com/cb"
}
headers = token_serv.get_headers(request=req_args, http_method="POST")
assert headers
assert "dpop" in headers
# Now for the content of the DPoP proof
_jws = factory(headers["dpop"])
_payload = _jws.jwt.payload()
assert _payload["htu"] == "https://example.com/token"
assert _payload["htm"] == "POST"
_header = _jws.jwt.headers
assert "jwk" in _header
assert _header["typ"] == "dpop+jwt"
assert _header["alg"] == "ES256"
assert _header["jwk"]["kty"] == "EC"
assert _header["jwk"]["crv"] == "P-256"
def create_client(self):
config = {
'client_id': 'client_id',
'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {
'response_types': ['code']
},
'add_ons': {
"dpop": {
"function": "oidcrp.oauth2.add_on.dpop.add_support",
"kwargs": {
"signing_algorithms": ["ES256", "ES512"]
}
}
}
}
services = {
"discovery": {
'class':
'oidcrp.oauth2.provider_info_discovery.ProviderInfoDiscovery'
},
'authorization': {
'class': 'oidcrp.oauth2.authorization.Authorization'
},
'access_token': {
'class': 'oidcrp.oauth2.access_token.AccessToken'
},
'refresh_access_token': {
'class':
'oidcrp.oauth2.refresh_access_token.RefreshAccessToken'
},
'userinfo': {
'class': 'oidcrp.oidc.userinfo.UserInfo'
}
}
self.client = Client(keyjar=CLI_KEY, config=config, services=services)
self.client.client_get("service_context").provider_info = {
"authorization_endpoint": "https://example.com/auth",
"token_endpoint": "https://example.com/token",
"dpop_signing_alg_values_supported": ["RS256", "ES256"],
"userinfo_endpoint": "https://example.com/user",
}
def test_construct_accesstoken_request(self):
# Client 1 starts the chain of event
client_1 = Client(config=CONF)
_context_1 = client_1.client_get("service_context")
_state = _context_1.state.create_state('issuer')
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state=_state)
_context_1.state.store_item(auth_request, 'auth_request', _state)
# Client 2 carries on
client_2 = Client(config=CONF)
_state_dump = _context_1.dump()
_context2 = client_2.client_get("service_context")
_context2.load(_state_dump)
auth_response = AuthorizationResponse(code='access_code')
_context2.state.store_item(auth_response, 'auth_response', _state)
msg = client_2.client_get("service",
'accesstoken').construct(request_args={},
state=_state)
assert isinstance(msg, AccessTokenRequest)
assert msg.to_dict() == {
'client_id': 'client_1',
'code': 'access_code',
'client_secret': 'abcdefghijklmnop',
'grant_type': 'authorization_code',
'redirect_uri': 'https://example.com/cli/authz_cb',
'state': _state
}
class TestPushedAuth:
@pytest.fixture(autouse=True)
def create_client(self):
config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {'response_types': ['code']},
'add_ons': {
"pushed_authorization": {
"function":
"oidcrp.oauth2.add_on.pushed_authorization.add_support",
"kwargs": {
"body_format": "jws",
"signing_algorithm": "RS256",
"http_client": None,
"merge_rule": "lax"
}
}
}
}
self.entity = Client(keyjar=CLI_KEY, config=config, services=DEFAULT_OAUTH2_SERVICES)
self.entity.client_get("service_context").provider_info = {
"pushed_authorization_request_endpoint": "https://as.example.com/push"
}
def test_authorization(self):
auth_service = self.entity.client_get("service","authorization")
req_args = {'foo': 'bar', "response_type": "code"}
with responses.RequestsMock() as rsps:
_resp = {
"request_uri": "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2",
"expires_in": 3600
}
rsps.add("GET",
auth_service.client_get("service_context").provider_info[
"pushed_authorization_request_endpoint"],
body=json.dumps(_resp), status=200)
_req = auth_service.construct(request_args=req_args, state='state')
assert set(_req.keys()) == {"request_uri", "response_type", "client_id"}
def create_client(self):
config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'behaviour': {'response_types': ['code']},
'add_ons': {
"pushed_authorization": {
"function":
"oidcrp.oauth2.add_on.pushed_authorization.add_support",
"kwargs": {
"body_format": "jws",
"signing_algorithm": "RS256",
"http_client": None,
"merge_rule": "lax"
}
}
}
}
self.entity = Client(keyjar=CLI_KEY, config=config, services=DEFAULT_OAUTH2_SERVICES)
self.entity.client_get("service_context").provider_info = {
"pushed_authorization_request_endpoint": "https://as.example.com/push"
}
class TestClient2(object):
@pytest.fixture(autouse=True)
def create_client(self):
self.redirect_uri = "http://example.com/redirect"
KEYSPEC = [
{
"type": "RSA",
"use": ["sig"]
},
{
"type": "EC",
"crv": "P-256",
"use": ["sig"]
},
]
conf = {
'redirect_uris': ['https://example.com/cli/authz_cb'],
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
'rp_keys': {
'private_path': 'private/jwks.json',
'key_defs': KEYSPEC,
'public_path': 'static/jwks.json',
# this will create the jwks files if they are absent
'read_only': False
}
}
rp_conf = RPConfiguration(conf)
self.client = Client(config=rp_conf)
assert self.client
def test_keyjar(self):
req_args = {
'state': 'ABCDE',
'redirect_uri': 'https://example.com/auth_cb',
'response_type': ['code']
}
_context = self.client.client_get("service_context")
assert len(_context.keyjar) == 1 # one issuer
assert len(_context.keyjar[""]) == 2
assert len(_context.keyjar.get("sig")) == 2
class TestClient(object):
@pytest.fixture(autouse=True)
def create_client(self):
self.redirect_uri = "http://example.com/redirect"
conf = {
'redirect_uris': ['https://example.com/cli/authz_cb'],
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop'
}
self.client = Client(DB(), config=conf)
def test_construct_authorization_request(self):
req_args = {
'state': 'ABCDE',
'redirect_uri': 'https://example.com/auth_cb',
'response_type': ['code']
}
self.client.session_interface.create_state('issuer', key='ABCDE')
msg = self.client.service['authorization'].construct(
request_args=req_args)
assert isinstance(msg, AuthorizationRequest)
assert msg['client_id'] == 'client_1'
assert msg['redirect_uri'] == 'https://example.com/auth_cb'
def test_construct_accesstoken_request(self):
# Bind access code to state
req_args = {}
self.client.session_interface.create_state('issuer', 'ABCDE')
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='ABCDE')
self.client.session_interface.store_item(auth_request, 'auth_request',
'ABCDE')
auth_response = AuthorizationResponse(code='access_code')
self.client.session_interface.store_item(auth_response,
'auth_response', 'ABCDE')
msg = self.client.service['accesstoken'].construct(
request_args=req_args, state='ABCDE')
assert isinstance(msg, AccessTokenRequest)
assert msg.to_dict() == {
'client_id': 'client_1',
'code': 'access_code',
'client_secret': 'abcdefghijklmnop',
'grant_type': 'authorization_code',
'redirect_uri': 'https://example.com/cli/authz_cb',
'state': 'ABCDE'
}
def test_construct_refresh_token_request(self):
self.client.session_interface.create_state('issuer', 'ABCDE')
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state='state')
self.client.session_interface.store_item(auth_request, 'auth_request',
'ABCDE')
auth_response = AuthorizationResponse(code='access_code')
self.client.session_interface.store_item(auth_response,
'auth_response', 'ABCDE')
token_response = AccessTokenResponse(refresh_token="refresh_with_me",
access_token="access")
self.client.session_interface.store_item(token_response,
'token_response', 'ABCDE')
req_args = {}
msg = self.client.service['refresh_token'].construct(
request_args=req_args, state='ABCDE')
assert isinstance(msg, RefreshAccessTokenRequest)
assert msg.to_dict() == {
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
'grant_type': 'refresh_token',
'refresh_token': 'refresh_with_me'
}
def test_error_response(self):
err = ResponseMessage(error='Illegal')
http_resp = MockResponse(400, err.to_urlencoded())
resp = self.client.parse_request_response(
self.client.service['authorization'], http_resp)
assert resp['error'] == 'Illegal'
assert resp['status_code'] == 400
def test_error_response_500(self):
err = ResponseMessage(error='Illegal')
http_resp = MockResponse(500, err.to_urlencoded())
with pytest.raises(ParseError):
self.client.parse_request_response(
self.client.service['authorization'], http_resp)
def test_error_response_2(self):
err = ResponseMessage(error='Illegal')
http_resp = MockResponse(
400,
err.to_json(),
headers={'content-type': 'application/x-www-form-urlencoded'})
with pytest.raises(OidcServiceError):
self.client.parse_request_response(
self.client.service['authorization'], http_resp)
def test_construct_refresh_token_request(self):
# Client 1 starts the chain event
client_1 = Client(config=CONF)
_state = client_1.client_get("service_context").state.create_state(
'issuer')
auth_request = AuthorizationRequest(
redirect_uri='https://example.com/cli/authz_cb', state=_state)
client_1.client_get("service_context").state.store_item(
auth_request, 'auth_request', _state)
# Client 2 carries on
client_2 = Client(config=CONF)
_state_dump = client_1.client_get("service_context").dump()
client_2.client_get("service_context").load(_state_dump)
auth_response = AuthorizationResponse(code='access_code')
client_2.client_get("service_context").state.store_item(
auth_response, 'auth_response', _state)
token_response = AccessTokenResponse(refresh_token="refresh_with_me",
access_token="access")
client_2.client_get("service_context").state.store_item(
token_response, 'token_response', _state)
# Next up is Client 1
_state_dump = client_2.client_get("service_context").dump()
client_1.client_get("service_context").load(_state_dump)
req_args = {}
msg = client_1.client_get("service", 'refresh_token').construct(
request_args=req_args, state=_state)
assert isinstance(msg, RefreshAccessTokenRequest)
assert msg.to_dict() == {
'client_id': 'client_1',
'client_secret': 'abcdefghijklmnop',
'grant_type': 'refresh_token',
'refresh_token': 'refresh_with_me'
}