async def test_introspect_revoked_token(
server: AuthorizationServer, storage: Dict[str, List], defaults: Defaults
):
client_id = defaults.client_id
client_secret = defaults.client_secret
request_url = "https://localhost"
token = storage["tokens"][0]
post = Post(
grant_type=GrantType.TYPE_REFRESH_TOKEN, refresh_token=token.refresh_token,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.OK
# Check that refreshed token was revoked
post = Post(token=token.access_token)
request = Request(
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
response = await server.create_token_introspection_response(request)
assert not response.content.active, "The refresh_token must be revoked"
async def test_expired_token(
server: AuthorizationServer, storage: Dict[str, List], defaults: Defaults
):
settings = Settings()
token = Token(
client_id=defaults.client_id,
expires_in=settings.TOKEN_EXPIRES_IN,
access_token=generate_token(42),
refresh_token=generate_token(48),
issued_at=int(time.time() - settings.TOKEN_EXPIRES_IN),
scope=defaults.scope,
)
client_id = defaults.client_id
client_secret = defaults.client_secret
storage["tokens"].append(token)
post = Post(token=token.access_token)
request = Request(
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
response = await server.create_token_introspection_response(request)
assert response.status_code == HTTPStatus.OK
assert not response.content.active
async def test_expired_authorization_code(server: AuthorizationServer,
defaults: Defaults,
storage: Dict[str, List]):
request_url = "https://localhost"
settings = Settings()
authorization_code = storage["authorization_codes"][0]
storage["authorization_codes"][0] = set_values(
authorization_code,
{"auth_time": time.time() - settings.AUTHORIZATION_CODE_EXPIRES_IN},
)
post = Post(
grant_type=GrantType.TYPE_AUTHORIZATION_CODE,
redirect_uri=defaults.redirect_uri,
code=storage["authorization_codes"][0].code,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(defaults.client_id,
defaults.client_secret),
)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.BAD_REQUEST
assert response.content.error == ErrorType.INVALID_GRANT
async def test_invalid_grant_type(server: AuthorizationServer,
defaults: Defaults, storage):
client: Client = storage["clients"][0]
client = set_values(client,
{"grant_types": [GrantType.TYPE_AUTHORIZATION_CODE]})
storage["clients"][0] = client
client_id = defaults.client_id
client_secret = defaults.client_secret
request_url = "https://localhost"
post = Post(
grant_type=GrantType.TYPE_PASSWORD,
username=defaults.username,
password=defaults.password,
scope="test test",
)
request = Request(
post=post,
url=request_url,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.BAD_REQUEST
assert response.content.error == ErrorType.UNAUTHORIZED_CLIENT
async def test_invalid_token(server: AuthorizationServer, defaults: Defaults):
client_id = defaults.client_id
client_secret = defaults.client_secret
request_url = "https://localhost"
token = "invalid token"
post = Post(token=token)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
response = await server.create_token_introspection_response(request)
assert not response.content.active
assert response.status_code == HTTPStatus.OK
async def test_valid_token(server: AuthorizationServer,
storage: Dict[str, List], defaults: Defaults):
client_id = defaults.client_id
client_secret = defaults.client_secret
token = storage["tokens"][0]
post = Post(token=token.access_token)
request = Request(
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
response = await server.create_token_introspection_response(request)
assert response.status_code == HTTPStatus.OK
assert response.content.active
async def test_authorization_code_flow(server: AuthorizationServer,
defaults: Defaults):
client_id = defaults.client_id
client_secret = defaults.client_secret
request_url = "https://localhost"
user = "******"
query = Query(
client_id=defaults.client_id,
response_type=ResponseType.TYPE_CODE,
redirect_uri=defaults.redirect_uri,
scope=defaults.scope,
state=generate_token(10),
)
request = Request(
url=request_url,
query=query,
method=RequestMethod.GET,
user=user,
)
response = await server.create_authorization_response(request)
assert response.status_code == HTTPStatus.FOUND
location = response.headers["location"]
location = urlparse(location)
query = dict(parse_qsl(location.query))
code = query["code"]
post = Post(
grant_type=GrantType.TYPE_AUTHORIZATION_CODE,
redirect_uri=defaults.redirect_uri,
code=code,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.OK
async def test_client_credentials_flow_auth_header(server: AuthorizationServer,
defaults: Defaults):
request_url = "https://localhost"
post = Post(
grant_type=GrantType.TYPE_CLIENT_CREDENTIALS,
scope=defaults.scope,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id=defaults.client_id,
client_secret=defaults.client_secret),
)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.OK
async def test_invalid_client_credentials(server: AuthorizationServer,
defaults: Defaults):
client_id = defaults.client_id
request_url = "https://localhost"
post = Post(
grant_type=GrantType.TYPE_PASSWORD,
username=defaults.username,
password=defaults.password,
)
request = Request(
post=post,
url=request_url,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, "client_secret"),
)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.BAD_REQUEST
assert response.content.error == ErrorType.INVALID_REQUEST
async def test_password_grant_type(server: AuthorizationServer,
defaults: Defaults):
client_id = defaults.client_id
client_secret = defaults.client_secret
request_url = "https://localhost"
post = Post(
grant_type=GrantType.TYPE_PASSWORD,
username=defaults.username,
password=defaults.password,
)
request = Request(
post=post,
url=request_url,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
await check_request_validators(request, server.create_token_response)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.OK
async def test_expired_refresh_token(server: AuthorizationServer,
defaults: Defaults, storage: Dict[str,
List]):
settings = Settings()
token = storage["tokens"][0]
refresh_token = token.refresh_token
storage["tokens"][0] = set_values(
token, {"issued_at": time.time() - (settings.TOKEN_EXPIRES_IN * 2)})
request_url = "https://localhost"
post = Post(
grant_type=GrantType.TYPE_REFRESH_TOKEN,
refresh_token=refresh_token,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(defaults.client_id,
defaults.client_secret),
)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.BAD_REQUEST
assert response.content.error == ErrorType.INVALID_GRANT
async def test_authorization_code_flow_plan_code_challenge(
server: AuthorizationServer, defaults: Defaults, db: BaseDB):
code_challenge = generate_token(128)
client_id = defaults.client_id
client_secret = defaults.client_secret
scope = defaults.scope
state = generate_token(10)
redirect_uri = defaults.redirect_uri
request_url = "https://localhost"
user = "******"
query = Query(
client_id=defaults.client_id,
response_type=ResponseType.TYPE_CODE,
redirect_uri=redirect_uri,
scope=scope,
state=state,
code_challenge_method=CodeChallengeMethod.PLAIN,
code_challenge=code_challenge,
)
request = Request(
url=request_url,
query=query,
method=RequestMethod.GET,
user=user,
)
await check_request_validators(request,
server.create_authorization_response)
response = await server.create_authorization_response(request)
assert response.status_code == HTTPStatus.FOUND
location = response.headers["location"]
location = urlparse(location)
query = dict(parse_qsl(location.query))
assert query["state"] == state
assert query["scope"] == scope
assert await db.get_authorization_code(request, client_id, query["code"])
assert "code" in query
location = response.headers["location"]
location = urlparse(location)
query = dict(parse_qsl(location.query))
code = query["code"]
post = Post(
grant_type=GrantType.TYPE_AUTHORIZATION_CODE,
redirect_uri=defaults.redirect_uri,
code=code,
code_verifier=code_challenge,
scope=scope,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.OK
assert response.headers == default_headers
assert response.content.scope == scope
assert response.content.token_type == "Bearer"
# Check that token was created in db
assert await db.get_token(
request,
client_id,
response.content.access_token,
response.content.refresh_token,
)
access_token = response.content.access_token
refresh_token = response.content.refresh_token
post = Post(
grant_type=GrantType.TYPE_REFRESH_TOKEN,
refresh_token=refresh_token,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
await check_request_validators(request, server.create_token_response)
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.OK
assert response.content.access_token != access_token
assert response.content.refresh_token != refresh_token
# Check that token was created in db
assert await db.get_token(
request,
client_id,
response.content.access_token,
response.content.refresh_token,
)
# Check that previous token was revoken
token_in_db = await db.get_token(request, client_id, access_token,
refresh_token)
assert token_in_db.revoked
async def test_authorization_code_flow_pkce_code_challenge(
server: AuthorizationServer, defaults: Defaults, db: BaseDB):
client_id = defaults.client_id
client_secret = defaults.client_secret
code_verifier = generate_token(128)
scope = defaults.scope
code_challenge = create_s256_code_challenge(code_verifier)
request_url = "https://localhost"
user = "******"
state = generate_token(10)
query = Query(
client_id=defaults.client_id,
response_type=ResponseType.TYPE_CODE,
redirect_uri=defaults.redirect_uri,
scope=scope,
state=state,
code_challenge_method=CodeChallengeMethod.S256,
code_challenge=code_challenge,
)
request = Request(
url=request_url,
query=query,
method=RequestMethod.GET,
user=user,
)
response = await server.create_authorization_response(request)
assert response.status_code == HTTPStatus.FOUND
location = response.headers["location"]
location = urlparse(location)
query = dict(parse_qsl(location.query))
assert query["state"] == state
assert query["scope"] == scope
assert "code" in query
code = query["code"]
post = Post(
grant_type=GrantType.TYPE_AUTHORIZATION_CODE,
redirect_uri=defaults.redirect_uri,
code=code,
scope=scope,
code_verifier=code_verifier,
)
request = Request(
url=request_url,
post=post,
method=RequestMethod.POST,
headers=encode_auth_headers(client_id, client_secret),
)
await check_request_validators(request, server.create_token_response)
code_record = await db.get_authorization_code(request, client_id, code)
assert code_record
response = await server.create_token_response(request)
assert response.status_code == HTTPStatus.OK
assert response.headers == default_headers
assert response.content.scope == scope
assert response.content.token_type == "Bearer"
code_record = await db.get_authorization_code(request, client_id, code)
assert not code_record
