def test_token_endpoint_unauth(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1", response_type='code') _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.token_factory['code'](sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": authreq.to_json(), "client_id": "client1", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz", 'response_type': ['code'] } # Construct Access token request areq = AccessTokenRequest(code=access_grant, redirect_uri="http://example.com/authz", client_id="client2", client_secret="hemlighet", grant_type='authorization_code') resp = self.provider.token_endpoint(request=areq.to_urlencoded()) atr = TokenErrorResponse().deserialize(resp.message, "json") assert _eq(atr.keys(), ['error_description', 'error'])
def test_json_serialize_deserialize(self): ar = AuthorizationRequest(response_type=["code"], client_id="foobar") jtxt = ar.serialize(method="json") ar2 = AuthorizationRequest().deserialize(jtxt, "json") assert ar == ar2
def test_deserialize_urlencoded(self): ar = AuthorizationRequest(response_type=["code"], client_id="foobar") urlencoded = ar.to_urlencoded() ar2 = AuthorizationRequest().deserialize(urlencoded, "urlencoded") assert ar == ar2
def test_parse_jwt_request(self): ar = AuthorizationRequest( response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", state="cold" ) self.srv.keyjar["foobar"] = KeyBundle( [ {"kty": "oct", "key": "A1B2C3D4".encode("utf-8"), "use": "ver"}, {"kty": "oct", "key": "A1B2C3D4".encode("utf-8"), "use": "sig"}, ] ) self.srv.keyjar[""] = KeyBundle( [ {"kty": "oct", "key": "A1B2C3D4".encode("utf-8"), "use": "ver"}, {"kty": "oct", "key": "A1B2C3D4".encode("utf-8"), "use": "sig"}, ] ) keys = self.srv.keyjar.get_signing_key(owner="foobar") _jwt = ar.to_jwt(key=keys, algorithm="HS256") req = self.srv.parse_jwt_request(txt=_jwt) assert isinstance(req, AuthorizationRequest) assert req["response_type"] == ["code"] assert req["client_id"] == "foobar" assert req["redirect_uri"] == "http://foobar.example.com/oaclient" assert req["state"] == "cold"
def test_token_endpoint_no_cache(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1") _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.token_factory['code'](sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": authreq.to_json(), "client_id": "client1", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz", 'response_type': ['code'] } # Construct Access token request areq = AccessTokenRequest(code=access_grant, redirect_uri="http://example.com/authz", client_id="client1", client_secret="hemlighet", grant_type='authorization_code') resp = self.provider.token_endpoint(request=areq.to_urlencoded()) assert resp.headers == [('Pragma', 'no-cache'), ('Cache-Control', 'no-store'), ('Content-type', 'application/json')]
def test_token_introspection(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1") _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.token_factory["code"](sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": authreq.to_json(), "client_id": "client1", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz", "response_type": ["code"], } # Construct Access token request areq = AccessTokenRequest( code=access_grant, redirect_uri="http://example.com/authz", client_id="client1", client_secret="hemlighet", grant_type="authorization_code", ) resp = self.provider.token_endpoint(request=areq.to_urlencoded()) atr = AccessTokenResponse().deserialize(resp.message, "json") req = TokenIntrospectionRequest( token=atr["access_token"], client_id="client1", client_secret="hemlighet", token_type_hint="access_token" ) resp = self.provider.introspection_endpoint(request=req.to_urlencoded()) assert resp ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json") assert ti_resp["active"] is True
def test_urlencoded_with_scope(self): ar = AuthorizationRequest(response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", scope=["foo", "bar"], state="cold") ue = ar.to_urlencoded() assert query_string_compare(ue, "scope=foo+bar&state=cold&redirect_uri=http%3A%2F%2Ffoobar.example.com%2Foaclient&response_type=code&client_id=foobar")
def test_urlencoded_resp_type_token(self): ar = AuthorizationRequest(response_type=["token"], client_id="s6BhdRkqt3", redirect_uri="https://client.example.com/cb", state="xyz") ue = ar.to_urlencoded() assert query_string_compare(ue, "state=xyz&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb&response_type=token&client_id=s6BhdRkqt3")
def test_deserialize_urlencoded_multiple_params(self): ar = AuthorizationRequest(response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", scope=["foo", "bar"], state="cold") urlencoded = ar.to_urlencoded() ar2 = AuthorizationRequest().deserialize(urlencoded, "urlencoded") assert ar == ar2
def test_req_json_serialize(self): ar = AuthorizationRequest(response_type=["code"], client_id="foobar") js_obj = json.loads(ar.serialize(method="json")) expected_js_obj = { "response_type": "code", "client_id": "foobar" } assert js_obj == expected_js_obj
def test_authorization_endpoint_faulty_redirect_uri(self): bib = {"state": "id-6da9ca0cc23959f5f33e8becd9b08cae", # faulty redirect uri "redirect_uri": "http://localhost:8087/cb", "response_type": ["code"], "client_id": "a1b2c3"} arq = AuthorizationRequest(**bib) resp = self.provider.authorization_endpoint(request=arq.to_urlencoded()) assert resp.status == "400 Bad Request" msg = json.loads(resp.message) assert msg["error"] == "invalid_request"
def test_authorization_endpoint_faulty_redirect_uri_nwalker(self): bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": " https://example.com.evil.com", # faulty redirect uri "response_type": ["code"], "client_id": "a1b2c3"} arq = AuthorizationRequest(**bib) resp = self.provider.authorization_endpoint(request=arq.to_urlencoded()) assert resp.status_code == 400 msg = json.loads(resp.message) assert msg["error"] == "invalid_request"
def test_multiple_response_types_urlencoded(self): ar = AuthorizationRequest(response_type=["code", "token"], client_id="foobar") ue = ar.to_urlencoded() ue_splits = ue.split('&') expected_ue_splits = "response_type=code+token&client_id=foobar".split( '&') assert _eq(ue_splits, expected_ue_splits) are = AuthorizationRequest().deserialize(ue, "urlencoded") assert _eq(are.keys(), ["response_type", "client_id"]) assert _eq(are["response_type"], ["code", "token"])
def test_multiple_response_types_json(self): ar = AuthorizationRequest(response_type=["code", "token"], client_id="foobar") ue = ar.to_json() ue_obj = json.loads(ue) expected_ue_obj = { "response_type": "code token", "client_id": "foobar" } assert ue_obj == expected_ue_obj are = AuthorizationRequest().deserialize(ue, "json") assert _eq(are.keys(), ["response_type", "client_id"]) assert _eq(are["response_type"], ["code", "token"])
def test_json_resp_type_token(self): ar = AuthorizationRequest(response_type=["token"], client_id="s6BhdRkqt3", redirect_uri="https://client.example.com/cb", state="xyz") ue_obj = json.loads(ar.serialize(method="json")) expected_ue_obj = { "state": "xyz", "redirect_uri": "https://client.example.com/cb", "response_type": "token", "client_id": "s6BhdRkqt3" } assert ue_obj == expected_ue_obj
def test_json_multiple_params(self): ar = AuthorizationRequest(response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", state="cold") ue_obj = json.loads(ar.serialize(method="json")) expected_ue_obj = { "response_type": "code", "state": "cold", "redirect_uri": "http://foobar.example.com/oaclient", "client_id": "foobar" } assert ue_obj == expected_ue_obj
def test_urlencoded_with_scope(self): ar = AuthorizationRequest( response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", scope=["foo", "bar"], state="cold", ) ue = ar.to_urlencoded() assert query_string_compare( ue, "scope=foo+bar&state=cold&redirect_uri=http%3A%2F%2Ffoobar.example.com%2Foaclient&" "response_type=code&client_id=foobar", )
def test_json_multiple_params(self): ar = AuthorizationRequest( response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", state="cold") ue_obj = json.loads(ar.serialize(method="json")) expected_ue_obj = { "response_type": "code", "state": "cold", "redirect_uri": "http://foobar.example.com/oaclient", "client_id": "foobar" } assert ue_obj == expected_ue_obj
def test_authorization_endpoint_faulty_redirect_uri(self): bib = { "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", # faulty redirect uri "redirect_uri": "http://localhost:8087/cb", "response_type": ["code"], "client_id": "a1b2c3" } arq = AuthorizationRequest(**bib) resp = self.provider.authorization_endpoint( request=arq.to_urlencoded()) assert resp.status == "400 Bad Request" msg = json.loads(resp.message) assert msg["error"] == "invalid_request"
def test_token_introspection_missing(self): authreq = AuthorizationRequest( state="state", redirect_uri="http://example.com/authz", client_id="client2" ) _sdb = self.provider.sdb self.provider.cdb["client2"] = { "client_secret": "hemlighet", "redirect_uris": [("http://localhost:8087/authz", None)], "token_endpoint_auth_method": "client_secret_post", "response_types": ["code", "token"], } sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.token_factory["code"](sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": authreq.to_json(), "client_id": "client2", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz", "response_type": ["code"], } # Construct Access token request areq = AccessTokenRequest( code=access_grant, redirect_uri="http://example.com/authz", client_id="client2", client_secret="hemlighet", grant_type="authorization_code", ) resp = self.provider.token_endpoint(request=areq.to_urlencoded()) atr = AccessTokenResponse().deserialize(resp.message, "json") # Delete the client del self.provider.cdb["client2"] req = TokenIntrospectionRequest( token=atr["access_token"], client_id="client2", client_secret="hemlighet", token_type_hint="access_token", ) resp = self.provider.introspection_endpoint(request=req.to_urlencoded()) assert resp ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json") assert ti_resp["error"] == "unauthorized_client"
def test_authorization_endpoint_wronge_response_mode(self): bib = { "scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://example.com", "response_type": ["code"], "response_mode": "fragment", "client_id": "a1b2c3" } arq = AuthorizationRequest(**bib) resp = self.provider.authorization_endpoint( request=arq.to_urlencoded()) assert resp.status == "400 Bad Request" msg = json.loads(resp.message) assert msg["error"] == "invalid_request"
def duplicate(self, sinfo): _dic = copy.copy(sinfo) areq = AuthorizationRequest().from_json(_dic["authzreq"]) sid = self.token_factory["code"].key(user=_dic["sub"], areq=areq) _dic["code"] = self.token_factory["code"](sid=sid, sinfo=sinfo) _dic["code_used"] = False for key in [ "access_token", "access_token_scope", "oauth_state", "token_type", "token_expires_at", "expires_in", "client_id_issued_at", "id_token", "oidreq", "refresh_token", ]: try: del _dic[key] except KeyError: pass self._db[sid] = _dic self._db.update(sid, "sub", _dic["sub"]) return sid
def test_token_endpoint_no_cache(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1") _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.access_token(sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": "", "client_id": "client1", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz" } # Construct Access token request areq = AccessTokenRequest(code=access_grant, redirect_uri="http://example.com/authz", client_id="client1", client_secret="hemlighet", grant_type='authorization_code') resp = self.provider.token_endpoint(request=areq.to_urlencoded()) assert resp.headers == [('Pragma', 'no-cache'), ('Cache-Control', 'no-store'), ('Content-type', 'application/json')]
def test_json_resp_type_token(self): ar = AuthorizationRequest( response_type=["token"], client_id="s6BhdRkqt3", redirect_uri="https://client.example.com/cb", state="xyz", ) ue_obj = json.loads(ar.serialize(method="json")) expected_ue_obj = { "state": "xyz", "redirect_uri": "https://client.example.com/cb", "response_type": "token", "client_id": "s6BhdRkqt3", } assert ue_obj == expected_ue_obj
def test_json_serizalize_deserialize_multiple_params(self): argv = {"scope": ["openid"], "state": "id-b0be8bb64118c3ec5f70093a1174b039", "redirect_uri": "http://localhost:8087authz", "response_type": ["code"], "client_id": "a1b2c3"} arq = AuthorizationRequest(**argv) jstr = arq.serialize(method="json") jarq = AuthorizationRequest().deserialize(jstr, "json") assert jarq["scope"] == ["openid"] assert jarq["response_type"] == ["code"] assert jarq["redirect_uri"] == "http://localhost:8087authz" assert jarq["state"] == "id-b0be8bb64118c3ec5f70093a1174b039" assert jarq["client_id"] == "a1b2c3"
def test_token_endpoint_unauth(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1") _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.access_token(sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": "", "client_id": "client1", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz" } # Construct Access token request areq = AccessTokenRequest(code=access_grant, redirect_uri="http://example.com/authz", client_id='<REDACTED>', client_secret="hemlighet", grant_type='authorization_code') resp = self.provider.token_endpoint(request=areq.to_urlencoded()) atr = TokenErrorResponse().deserialize(resp.message, "json") assert _eq(atr.keys(), ['error_description', 'error'])
def test_authorization_endpoint_faulty_redirect_uri_nwalker(self): bib = { "scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": " https://example.com.evil.com", # faulty redirect uri "response_type": ["code"], "client_id": "a1b2c3" } arq = AuthorizationRequest(**bib) resp = self.provider.authorization_endpoint( request=arq.to_urlencoded()) assert resp.status_code == 400 msg = json.loads(resp.message) assert msg["error"] == "invalid_request"
def test_token_endpoint_password(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1") _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.access_token(sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": "", "client_id": "client1", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz", "token_endpoint_auth_method": "client_secret_basic", } areq = ROPCAccessTokenRequest(grant_type="password", username="******", password="******") authn = "Basic Y2xpZW50Mjp2ZXJ5c2VjcmV0=" resp = self.provider.token_endpoint(request=areq.to_urlencoded(), authn=authn) parsed = TokenErrorResponse().from_json(resp.message) assert parsed["error"] == "unsupported_grant_type"
def test_urlencoded_invalid_scope(self): args = {"response_type": [10], "client_id": "foobar", "redirect_uri": "http://foobar.example.com/oaclient", "scope": ["foo", "bar"], "state": "cold"} with pytest.raises(DecodeError): AuthorizationRequest(**args)
def test_urlencoded_deserialize_state(self): txt = "scope=foo+bar&state=-11&redirect_uri=http%3A%2F%2Ffoobar" \ ".example.com%2Foaclient&response_type=code&" \ "client_id=foobar" ar = AuthorizationRequest().deserialize(txt, "urlencoded") assert ar["state"] == "-11"
def test_urlencoded_deserialize_response_type(self): txt = "scope=openid&state=id-6a3fc96caa7fd5cb1c7d00ed66937134&" \ "redirect_uri=http%3A%2F%2Flocalhost%3A8087authz&response_type=code&client_id=a1b2c3" ar = AuthorizationRequest().deserialize(txt, "urlencoded") assert ar["scope"] == ["openid"] assert ar["response_type"] == ["code"]
def test_code_grant_type_used(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id='client1', response_type="code", scope=["openid"]) _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.access_token(sid=sid) _sdb[sid] = { "oauth_state": "authz", "authn_event": '', "authzreq": '', "client_id": 'client1', "code": access_grant, "code_used": True, "scope": ["openid"], "redirect_uri": "http://example.com/authz", } # Construct Access token request areq = AccessTokenRequest(code=access_grant, client_id='client1', redirect_uri="http://example.com/authz", client_secret='hemlighet', grant_type='authorization_code') txt = areq.to_urlencoded() resp = self.provider.token_endpoint(request=txt) atr = TokenErrorResponse().deserialize(resp.message, "json") assert atr['error'] == "invalid_grant"
def test_token_endpoint(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1") _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.access_token(sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": "", "client_id": "client1", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz" } # Construct Access token request areq = AccessTokenRequest(code=access_grant, redirect_uri="http://example.com/authz", client_id="client1", client_secret="hemlighet", grant_type='authorization_code') with LogCapture(level=logging.DEBUG) as logcap: resp = self.provider.token_endpoint(request=areq.to_urlencoded()) atr = AccessTokenResponse().deserialize(resp.message, "json") assert _eq(atr.keys(), ['access_token', 'token_type', 'refresh_token']) expected = ( 'token_request: code=<REDACTED>&client_secret=<REDACTED>&grant_type=authorization_code' '&client_id=client1&redirect_uri=http%3A%2F%2Fexample.com%2Fauthz') assert _eq(parse_qs(logcap.records[1].msg[15:]), parse_qs(expected[15:])) expected = {u'code': '<REDACTED>', u'client_secret': '<REDACTED>', u'redirect_uri': u'http://example.com/authz', u'client_id': 'client1', u'grant_type': 'authorization_code'} # Don't try this at home, kids! # We have to eval() to a dict here because otherwise the arbitrary # ordering of the string causes the test to fail intermittently. assert _eq(eval(logcap.records[2].msg[4:]), expected) assert _eq(logcap.records[3].msg, 'Verified Client ID: client1') expected = {'redirect_uri': u'http://example.com/authz', 'client_secret': '<REDACTED>', 'code': u'<REDACTED>', 'client_id': 'client1', 'grant_type': 'authorization_code'} assert eval(logcap.records[4].msg[20:]) == expected expected = {'code': '<REDACTED>', 'authzreq': '', 'sub': 'sub', 'access_token': '<REDACTED>', 'token_type': 'Bearer', 'redirect_uri': 'http://example.com/authz', 'code_used': True, 'client_id': 'client1', 'oauth_state': 'token', 'refresh_token': '<REDACTED>', 'access_token_scope': '?'} assert _eq(eval(logcap.records[5].msg[7:]), expected) expected = {'access_token': u'<REDACTED>', 'token_type': 'Bearer', 'refresh_token': '<REDACTED>'} assert _eq(eval(logcap.records[6].msg[21:]), expected)
def test_response_types(self, response_types): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1", response_type='id_token token') self.provider.cdb = { "client1": { "client_secret": "hemlighet", "redirect_uris": [("http://example.com/authz", None)], 'token_endpoint_auth_method': 'client_secret_post', 'response_types': response_types } } res = self.provider.auth_init(authreq.to_urlencoded()) assert isinstance(res, dict) and "areq" in res
def test_token_revocation_and_introspection(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1") _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.token_factory['code'](sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": authreq.to_json(), "client_id": "client1", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz", 'response_type': ['code'] } # Construct Access token request areq = AccessTokenRequest(code=access_grant, redirect_uri="http://example.com/authz", client_id="client1", client_secret="hemlighet", grant_type='authorization_code') resp = self.provider.token_endpoint(request=areq.to_urlencoded()) atr = AccessTokenResponse().deserialize(resp.message, "json") req = TokenRevocationRequest(token=atr['access_token'], client_id="client1", client_secret="hemlighet", token_type_hint='access_token') resp = self.provider.revocation_endpoint(request=req.to_urlencoded()) assert resp.status_code == 200 req = TokenIntrospectionRequest(token=atr['access_token'], client_id="client1", client_secret="hemlighet", token_type_hint='access_token') resp = self.provider.introspection_endpoint( request=req.to_urlencoded()) assert resp ti_resp = TokenIntrospectionResponse().deserialize( resp.message, 'json') assert ti_resp['active'] is False
def test_provider_authorization_endpoint(): provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ, verify_client) bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087authz", "response_type": ["code"], "client_id": "a1b2c3"} arq = AuthorizationRequest(**bib) QUERY_STRING = arq.to_urlencoded() resp = provider.authorization_endpoint(request=QUERY_STRING) assert isinstance(resp, Response)
def test_provider_authorization_endpoint(): provider = Provider("pyoicserv", sdb.SessionDB(), CDB, FUNCTIONS) bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087authz", "response_type": ["code"], "client_id": "a1b2c3"} arq = AuthorizationRequest(**bib) environ = BASE_ENVIRON.copy() environ["QUERY_STRING"] = arq.to_urlencoded() resp = provider.authorization_endpoint(environ, start_response) print resp assert resp[0].startswith("FORM with")
def test_token_introspection_missing(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client2") _sdb = self.provider.sdb self.provider.cdb["client2"] = { "client_secret": "hemlighet", "redirect_uris": [("http://localhost:8087/authz", None)], "token_endpoint_auth_method": "client_secret_post", "response_types": ["code", "token"] } sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.token_factory["code"](sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": authreq.to_json(), "client_id": "client2", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz", "response_type": ["code"] } # Construct Access token request areq = AccessTokenRequest(code=access_grant, redirect_uri="http://example.com/authz", client_id="client2", client_secret="hemlighet", grant_type="authorization_code") resp = self.provider.token_endpoint(request=areq.to_urlencoded()) atr = AccessTokenResponse().deserialize(resp.message, "json") # Delete the client del self.provider.cdb["client2"] req = TokenIntrospectionRequest(token=atr["access_token"], client_id="client2", client_secret="hemlighet", token_type_hint="access_token") resp = self.provider.introspection_endpoint(request=req.to_urlencoded()) assert resp ti_resp = TokenIntrospectionResponse().deserialize(resp.message, "json") assert ti_resp["error"] == "unauthorized_client"
def test_parse_jwt_request(self): ar = AuthorizationRequest( response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", state="cold", ) self.srv.keyjar["foobar"] = KeyBundle([ { "kty": "oct", "key": "A1B2C3D4".encode("utf-8"), "use": "ver" }, { "kty": "oct", "key": "A1B2C3D4".encode("utf-8"), "use": "sig" }, ]) self.srv.keyjar[""] = KeyBundle([ { "kty": "oct", "key": "A1B2C3D4".encode("utf-8"), "use": "ver" }, { "kty": "oct", "key": "A1B2C3D4".encode("utf-8"), "use": "sig" }, ]) keys = self.srv.keyjar.get_signing_key(owner="foobar") _jwt = ar.to_jwt(key=keys, algorithm="HS256") req = self.srv.parse_jwt_request(txt=_jwt) assert isinstance(req, AuthorizationRequest) assert req["response_type"] == ["code"] assert req["client_id"] == "foobar" assert req["redirect_uri"] == "http://foobar.example.com/oaclient" assert req["state"] == "cold"
def begin(self, environ, server_env, start_response, session): state = rndstr() #server_env["CACHE"].alternate_sid(sid, state) callback = server_env["base_url"] + self.opKey # redirect the user to facebook for the authentication ar = AuthorizationRequest().from_dict({"client_id": self.client_id, "redirect_uri": callback, "state": state, "response_type": ["code"], "scope": self._scope}) url = ar.request(self.extra["authorization_endpoint"]) logger.info("[OAuth2] callback url: %s" % url) #if cookie: # resp = Redirect(url, headers=[cookie]) #else: resp = Redirect(url) return resp(environ, start_response)
def test_provider_authorization_endpoint(): provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ, verify_client) bib = { "scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087authz", "response_type": ["code"], "client_id": "a1b2c3" } arq = AuthorizationRequest(**bib) QUERY_STRING = arq.to_urlencoded() resp = provider.authorization_endpoint(request=QUERY_STRING) assert isinstance(resp, Response)
def test_response_types_fail(self, response_types): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1", response_type='code') self.provider.cdb = { "client1": { "client_secret": "hemlighet", "redirect_uris": [("http://example.com/authz", None)], 'token_endpoint_auth_method': 'client_secret_post', 'response_types': response_types } } res = self.provider.auth_init(authreq.to_urlencoded()) assert isinstance(res, Response) _res = json.loads(res.message) assert _res['error'] == 'invalid_request'
def begin(self, environ, server_env, start_response, cookie, sid, info): state = rndstr() server_env["CACHE"].alternate_sid(sid, state) callback = server_env["base_url"] + self.social_endpoint # redirect the user to facebook for the authentication ar = AuthorizationRequest().from_dict({"client_id": self.client_id, "redirect_uri": callback, "state": state, "response_type": ["code"], "scope": self._scope}) url = ar.request(self.extra["authorization_endpoint"]) logger.info("[OAuth2] callback url: %s" % url) if cookie: resp = Redirect(url, headers=[cookie]) else: resp = Redirect(url) return resp(environ, start_response)
def test_load_dict(self): bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087authz", "response_type": ["code"], "client_id": "a1b2c3"} arq = AuthorizationRequest(**bib) assert arq["scope"] == bib["scope"] assert arq["response_type"] == bib["response_type"] assert arq["redirect_uri"] == bib["redirect_uri"] assert arq["state"] == bib["state"] assert arq["client_id"] == bib["client_id"]
def test_parse_authz_req(self): ar = AuthorizationRequest( response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", state="cold" ) uencq = ar.to_urlencoded() areq = self.srv.parse_authorization_request(query=uencq) assert isinstance(areq, AuthorizationRequest) assert areq["response_type"] == ["code"] assert areq["client_id"] == "foobar" assert areq["redirect_uri"] == "http://foobar.example.com/oaclient" assert areq["state"] == "cold" urluenc = "%s?%s" % ("https://example.com/authz", uencq) areq = self.srv.parse_authorization_request(url=urluenc) assert isinstance(areq, AuthorizationRequest) assert areq["response_type"] == ["code"] assert areq["client_id"] == "foobar" assert areq["redirect_uri"] == "http://foobar.example.com/oaclient" assert areq["state"] == "cold"
def test_multiple_response_types_json(self): ar = AuthorizationRequest(response_type=["code", "token"], client_id="foobar") ue = ar.to_json() ue_obj = json.loads(ue) expected_ue_obj = {"response_type": "code token", "client_id": "foobar"} assert ue_obj == expected_ue_obj are = AuthorizationRequest().deserialize(ue, "json") assert _eq(are.keys(), ["response_type", "client_id"]) assert _eq(are["response_type"], ["code", "token"])
def test_multiple_response_types_urlencoded(self): ar = AuthorizationRequest(response_type=["code", "token"], client_id="foobar") ue = ar.to_urlencoded() ue_splits = ue.split("&") expected_ue_splits = "response_type=code+token&client_id=foobar".split("&") assert _eq(ue_splits, expected_ue_splits) are = AuthorizationRequest().deserialize(ue, "urlencoded") assert _eq(are.keys(), ["response_type", "client_id"]) assert _eq(are["response_type"], ["code", "token"])
def test_token_endpoint(): provider = Provider("pyoicserv", sdb.SessionDB(), CDB, AUTHN_BROKER, AUTHZ, verify_client, symkey=rndstr(16)) authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1") _sdb = provider.sdb sid = _sdb.token.key(user="******", areq=authreq) access_grant = _sdb.token(sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": "", "client_id": "client1", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz" } # Construct Access token request areq = AccessTokenRequest( code=access_grant, redirect_uri="http://example.com/authz", client_id="client1", client_secret="hemlighet", ) print areq.to_dict() resp = provider.token_endpoint(request=areq.to_urlencoded()) print resp.message atr = AccessTokenResponse().deserialize(resp.message, "json") print atr.keys() assert _eq(atr.keys(), ['access_token', 'expires_in', 'token_type', 'refresh_token'])
def test_token_endpoint_ok_state(self): authreq = AuthorizationRequest( state="state", redirect_uri="http://example.com/authz", client_id="client1", response_type="code", scope=["openid"], ) _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.access_token(sid=sid) ae = AuthnEvent("user", "salt") _sdb[sid] = { "oauth_state": "authz", "authn_event": ae.to_json(), "authzreq": "", "client_id": "client1", "code": access_grant, "state": "state", "code_used": False, "scope": ["openid"], "redirect_uri": "http://example.com/authz", } _sdb.do_sub(sid, "client_salt") # Construct Access token request areq = AccessTokenRequest( code=access_grant, client_id="client1", redirect_uri="http://example.com/authz", client_secret="hemlighet", grant_type="authorization_code", state="state", ) txt = areq.to_urlencoded() resp = self.provider.token_endpoint(request=txt) atr = AccessTokenResponse().deserialize(resp.message, "json") assert atr["token_type"] == "Bearer"
def test_token_endpoint_other(self): authreq = AuthorizationRequest(state="state", redirect_uri="http://example.com/authz", client_id="client1") _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.access_token(sid=sid) _sdb[sid] = { "oauth_state": "authz", "sub": "sub", "authzreq": "", "client_id": "client1", "code": access_grant, "code_used": False, "redirect_uri": "http://example.com/authz", 'token_endpoint_auth_method': 'client_secret_basic', } areq = Message(grant_type='some_other') authn = 'Basic Y2xpZW50Mjp2ZXJ5c2VjcmV0=' with pytest.raises(UnSupported): self.provider.token_endpoint(request=areq.to_urlencoded(), authn=authn)
def test_token_endpoint_bad_redirect_uri(self): authreq = AuthorizationRequest( state="state", redirect_uri="http://example.com/authz", client_id="client1", response_type="code", scope=["openid"], ) _sdb = self.provider.sdb sid = _sdb.access_token.key(user="******", areq=authreq) access_grant = _sdb.access_token(sid=sid) _sdb[sid] = { "oauth_state": "authz", "authzreq": "", "client_id": "client1", "code": access_grant, "code_used": False, "scope": ["openid"], "redirect_uri": "http://example.com/authz", } # Construct Access token request areq = AccessTokenRequest( code=access_grant, client_id="client1", redirect_uri="http://example.com/authz2", client_secret="hemlighet", grant_type="authorization_code", ) txt = areq.to_urlencoded() resp = self.provider.token_endpoint(request=txt) atr = TokenErrorResponse().deserialize(resp.message, "json") assert atr["error"] == "unauthorized_client"
def test_urlencoded_missing_required(self): ar = AuthorizationRequest(response_type=["code"]) with pytest.raises(MissingRequiredAttribute): ar.verify()
def test_verify(self): query = 'redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauthz&response_type=code&client_id=0123456789' ar = AuthorizationRequest().deserialize(query, "urlencoded") assert ar.verify()
def authorization_endpoint(self, request="", cookie="", authn="", **kwargs): """ The AuthorizationRequest endpoint :param request: The client request """ logger.debug("Request: '%s'" % request) # Same serialization used for GET and POST try: areq = self.server.parse_authorization_request(query=request) except MissingRequiredAttribute, err: logger.debug("%s" % err) return self._error("invalid_request", "%s" % err) except KeyError: areq = AuthorizationRequest().deserialize(request, "urlencoded") # verify the redirect_uri try: self.get_redirect_uri(areq) except (RedirectURIError, ParameterError), err: return self._error("invalid_request", "%s" % err) except Exception, err: message = traceback.format_exception(*sys.exc_info()) logger.error(message) logger.debug("Bad request: %s (%s)" % (err, err.__class__.__name__)) return BadRequest("%s" % err) if not areq: logger.debug("No AuthzRequest") return self._error("invalid_request", "No parsable AuthzRequest")
def test_authz_req_urlencoded(self): ar = AuthorizationRequest(response_type=["code"], client_id="foobar") ue = ar.to_urlencoded() assert query_string_compare(ue, "response_type=code&client_id=foobar")