Пример #1
 def test_find_valid_key(self):
     """find_valid_key returns the stubbed JWKS key for a generated id_token.

     get_jwks_keys is replaced with a mock, so the key set under test is
     exactly ``[self.pub_key]``.
     """
     token = self.generate_id_token(self.generate_access_token())
     backend = OneLoginOIDC()
     backend.get_jwks_keys = mock.MagicMock(return_value=[self.pub_key])
     self.assertEqual(self.pub_key, backend.find_valid_key(token))
Пример #2
    def test_validate_and_return_id_token__no_valid_key(self):
        """Validation fails closed when no key is found for the token.

        With find_valid_key stubbed to return None, the backend is expected
        to raise AuthTokenError instead of accepting the id_token.
        """
        access_token = self.generate_access_token()
        id_token = self.generate_id_token(access_token)
        backend = OneLoginOIDC()
        backend.find_valid_key = mock.MagicMock(return_value=None)

        expected_message = 'Token error: Signature verification failed'
        with self.assertRaises(AuthTokenError) as raised:
            backend.validate_and_return_id_token(id_token, access_token)

        self.assertEqual(str(raised.exception), expected_message)
Пример #3
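    def test_oidc_endpoint__no_subdomain(self):
        """OIDC_ENDPOINT raises ValueError when no subdomain is configured.

        NOTE(review): presumably SOCIAL_AUTH_ONELOGIN_OIDC_SUBDOMAIN is left
        unset by setup outside this method -- confirm.
        """
        inst = OneLoginOIDC()

        with self.assertRaises(ValueError) as exc:
            inst.OIDC_ENDPOINT

        # The message check runs after the ``with`` block: a statement placed
        # inside it, below the raising attribute access, never executes. The
        # raised error is ``exc.exception``; ``exc`` is only the context
        # manager, so ``str(exc)`` would not yield the message.
        # NOTE(review): confirm the expected text against the backend.
        self.assertEqual(
            'You must specify your OneLogin subdomain via the "SOCIAL_AUTH_ONELOGIN_OIDC_SUBDOMAIN" '
            'setting (e.g. https://my-org.onelogin.com).', str(exc.exception))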
Пример #4
 def test_validate_and_return_id_token(self):
     """Happy path: a generated id_token validates without raising.

     find_valid_key, id_token_issuer and validate_claims are all stubbed,
     so claim validation is not exercised here, and the value returned by
     validate_and_return_id_token is not inspected. The test passes as
     long as no exception is raised.
     """
     access_token = self.generate_access_token()
     id_token = self.generate_id_token(access_token)

     backend = OneLoginOIDC()
     backend.find_valid_key = mock.MagicMock(return_value=self.pub_key)
     backend.id_token_issuer = mock.MagicMock(return_value=self.issuer)
     # Claims checks are replaced by a no-op mock for this case.
     backend.validate_claims = mock.MagicMock()

     backend.validate_and_return_id_token(id_token, access_token)
Пример #5
    def test_validate_and_return_id_token__jwt_error(self, mock_decode):
        """A JWTError from the patched decode surfaces as AuthTokenError.

        ``mock_decode`` is injected by a patch decorator that is outside
        this view; presumably it replaces the JWT decode call used by the
        backend -- confirm against the decorator.
        """
        access_token = self.generate_access_token()
        id_token = self.generate_id_token(access_token)

        backend = OneLoginOIDC()
        backend.find_valid_key = mock.MagicMock(return_value=self.pub_key)
        backend.id_token_issuer = mock.MagicMock(return_value=self.issuer)
        # Force the decode step to fail regardless of the token contents.
        mock_decode.side_effect = JWTError

        expected_message = 'Token error: Invalid signature'
        with self.assertRaises(AuthTokenError) as raised:
            backend.validate_and_return_id_token(id_token, access_token)

        self.assertEqual(str(raised.exception), expected_message)
Пример #6
    def test_validate_and_return_id_token__claims_error(self):
        """An id_token whose at_hash does not match the access token is rejected.

        validate_claims is left unmocked here, so the at_hash comparison
        against ``access_token`` is what triggers the AuthTokenError.
        """
        access_token = self.generate_access_token()
        # Deliberately bind the id_token to a bogus access-token hash.
        bad_hash = 'iNvAlIdAtHaSh'
        id_token = self.generate_id_token(access_token, at_hash=bad_hash)

        backend = OneLoginOIDC()
        backend.find_valid_key = mock.MagicMock(return_value=self.pub_key)
        backend.id_token_issuer = mock.MagicMock(return_value=self.issuer)

        expected_message = (
            'Token error: at_hash claim does not match access_token.')
        with self.assertRaises(AuthTokenError) as raised:
            backend.validate_and_return_id_token(id_token, access_token)

        self.assertEqual(str(raised.exception), expected_message)
Пример #7
    def test_validate_and_return_id_token__expired_signature(self):
        """An id_token whose exp lies in the past is rejected.

        The fixture timestamps are shifted one day back before the tokens
        are generated, so both expiry times are already in the past.
        """
        one_day = dt.timedelta(days=1)
        self.iat = dt.datetime.utcnow() - one_day
        # id token: iat + 3h, access token: iat + 1h -- both already elapsed.
        self.id_exp = self.iat + dt.timedelta(hours=3)
        self.access_exp = self.iat + dt.timedelta(hours=1)

        access_token = self.generate_access_token()
        id_token = self.generate_id_token(access_token)

        backend = OneLoginOIDC()
        backend.find_valid_key = mock.MagicMock(return_value=self.pub_key)
        backend.id_token_issuer = mock.MagicMock(return_value=self.issuer)

        expected_message = 'Token error: Signature has expired'
        with self.assertRaises(AuthTokenError) as raised:
            backend.validate_and_return_id_token(id_token, access_token)

        self.assertEqual(str(raised.exception), expected_message)
Пример #8
 def test_oidc_endpoint__subdomain_no_end_slash(self):
     """OIDC_ENDPOINT resolves to the expected OIDC base URL.

     NOTE(review): the subdomain setting is supplied outside this method;
     going by the test name it presumably has no trailing slash -- confirm.
     """
     endpoint = OneLoginOIDC().OIDC_ENDPOINT
     self.assertEqual('https://my-org.onelogin.mok/oidc/2', endpoint)