def test_authz_req(): areq = AuthorizationRequest( **{'state': 'vMTF1dV5yyEiPFR6', 'redirect_uri': 'https://localhost:8088/authz_cb', 'response_type': 'code', 'client_id': u'iSKYyH32tzC5', 'scope': 'openid', 'claims': {'id_token': {'sub': {"value": "-fdfb4a841dce167"}}}}) print areq.to_urlencoded()
def test_server_authorization_endpoint_id_token(): provider = provider_init bib = { "scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code", "id_token"], "client_id": "a1b2c3", "nonce": "Nonce", "prompt": ["none"] } req = AuthorizationRequest(**bib) areq = AuthorizationRequest(response_type="code", client_id="client_1", redirect_uri="http://example.com/authz", scope=["openid"], state="state000") sdb = provider.sdb ae = AuthnEvent("userX") sid = sdb.create_authz_session(ae, areq) sdb.do_sub(sid) _info = sdb[sid] # All this is jut removed when the id_token is constructed # The proper information comes from the session information _user_info = IdToken(iss="https://foo.example.om", sub="foo", aud=bib["client_id"], exp=epoch_in_a_while(minutes=10), acr="2", nonce=bib["nonce"]) print provider.keyjar.issuer_keys print _user_info.to_dict() idt = provider.id_token_as_signed_jwt(_info, access_token="access_token", user_info=_user_info) req["id_token"] = idt query_string = req.to_urlencoded() # client_id not in id_token["aud"] so login required resp = provider.authorization_endpoint(request=query_string, cookie="FAIL") print resp assert "error=login_required" in resp.message req["client_id"] = "client_1" query_string = req.to_urlencoded() # client_id is in id_token["aud"] so no login required resp = provider.authorization_endpoint(request=query_string, cookie="FAIL") print resp.message assert resp.message.startswith("http://localhost:8087/authz")
def test_authorization_endpoint_id_token(self): bib = { "scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code", "id_token"], "client_id": "a1b2c3", "nonce": "Nonce", "prompt": ["none"], } req = AuthorizationRequest(**bib) areq = AuthorizationRequest( response_type="code", client_id="client_1", redirect_uri="http://example.com/authz", scope=["openid"], state="state000", ) sdb = self.provider.sdb ae = AuthnEvent("userX", "salt") sid = sdb.create_authz_session(ae, areq) sdb.do_sub(sid, "client_salt") _info = sdb[sid] # All this is jut removed when the id_token is constructed # The proper information comes from the session information _user_info = IdToken( iss="https://foo.example.om", sub="foo", aud=bib["client_id"], exp=epoch_in_a_while(minutes=10), acr="2", nonce=bib["nonce"], ) idt = self.provider.id_token_as_signed_jwt(_info, access_token="access_token", user_info=_user_info) req["id_token"] = idt query_string = req.to_urlencoded() # client_id not in id_token["aud"] so login required resp = self.provider.authorization_endpoint(request=query_string, cookie="FAIL") parsed_resp = parse_qs(urlparse(resp.message).fragment) assert parsed_resp["error"][0] == "login_required" req["client_id"] = "client_1" query_string = req.to_urlencoded() # client_id is in id_token["aud"] so no login required resp = self.provider.authorization_endpoint(request=query_string, cookie="FAIL") assert resp.message.startswith("http://localhost:8087/authz")
def test_handle_authn_response_returns_id_token_for_verified_affiliation( self, signing_key_path, context, scope_value, affiliation): authn_req = AuthorizationRequest( scope='openid ' + scope_value, client_id='client1', redirect_uri='https://client.example.com', response_type='id_token') context.state[self.frontend.name] = { 'oidc_request': authn_req.to_urlencoded() } internal_response = InternalResponse( AuthenticationInformation(None, str(datetime.now()), 'https://idp.example.com')) internal_response.attributes['affiliation'] = [affiliation] internal_response.user_id = 'user1' resp = self.frontend.handle_authn_response(context, internal_response) auth_resp = AuthorizationResponse().from_urlencoded( urlparse(resp.message).fragment) id_token = IdToken().from_jwt( auth_resp['id_token'], key=[RSAKey(key=rsa_load(signing_key_path))]) assert id_token['iss'] == self.frontend.base_url assert id_token['aud'] == ['client1'] assert id_token['auth_time'] == internal_response.auth_info.timestamp
def test_parse_authz_req(self): ar = AuthorizationRequest( response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", state="cold", nonce="NONCE", scope=["openid"], ) # query string uencq = ar.to_urlencoded() areq = self.srv.parse_authorization_request(query=uencq) assert isinstance(areq, AuthorizationRequest) assert areq["response_type"] == ["code"] assert areq["client_id"] == "foobar" assert areq["redirect_uri"] == "http://foobar.example.com/oaclient" assert areq["state"] == "cold" # urlencoded urluenc = "https://example.com/authz?{}".format(uencq) areq = self.srv.parse_authorization_request(url=urluenc) assert isinstance(areq, AuthorizationRequest) assert areq["response_type"] == ["code"] assert areq["client_id"] == "foobar" assert areq["redirect_uri"] == "http://foobar.example.com/oaclient" assert areq["state"] == "cold"
def test_server_authorization_endpoint_request(): server = provider_init bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code", "id_token"], "client_id": "a1b2c3", "nonce": "Nonce", "prompt": ["none"]} req = AuthorizationRequest(**bib) ic = {"claims": {"sub": { "value":"username" }}} _keys = server.keyjar.get_signing_key(type="rsa") req["request"] = make_openid_request(req, _keys, idtoken_claims=ic, algorithm="RS256") environ = BASE_ENVIRON.copy() environ["QUERY_STRING"] = req.to_urlencoded() resp = server.authorization_endpoint(environ, start_response) print resp line = resp[0] assert "error=login_required" in line
def test_session_state_in_auth_req_for_session_support(self): provider = Provider(SERVER_INFO["issuer"], SessionDB(SERVER_INFO["issuer"]), CDB, AUTHN_BROKER, USERINFO, AUTHZ, verify_client, SYMKEY, urlmap=URLMAP, keyjar=KEYJAR) provider.capabilities.update( {"check_session_iframe": "https://op.example.com/check_session"}) req_args = { "scope": ["openid"], "redirect_uri": "http://localhost:8087/authz", "response_type": ["code"], "client_id": "number5" } areq = AuthorizationRequest(**req_args) resp = provider.authorization_endpoint(request=areq.to_urlencoded()) aresp = self.cons.parse_response(AuthorizationResponse, resp.message, sformat="urlencoded") assert "session_state" in aresp
def test_server_parse_parse_authorization_request(): srv = Server() srv.keyjar = KEYJ ar = AuthorizationRequest(response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", state="cold", nonce="NONCE", scope=["openid"]) uencq = ar.to_urlencoded() areq = srv.parse_authorization_request(query=uencq) assert areq.type() == "AuthorizationRequest" assert areq["response_type"] == ["code"] assert areq["client_id"] == "foobar" assert areq["redirect_uri"] == "http://foobar.example.com/oaclient" assert areq["state"] == "cold" urluenc = "%s?%s" % ("https://example.com/authz", uencq) areq = srv.parse_authorization_request(url=urluenc) assert areq.type() == "AuthorizationRequest" assert areq["response_type"] == ["code"] assert areq["client_id"] == "foobar" assert areq["redirect_uri"] == "http://foobar.example.com/oaclient" assert areq["state"] == "cold"
def test_server_parse_parse_authorization_request(): srv = Server() srv.keyjar = KEYJ ar = AuthorizationRequest( response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", state="cold", nonce="NONCE", scope=["openid"]) uencq = ar.to_urlencoded() areq = srv.parse_authorization_request(query=uencq) assert areq.type() == "AuthorizationRequest" assert areq["response_type"] == ["code"] assert areq["client_id"] == "foobar" assert areq["redirect_uri"] == "http://foobar.example.com/oaclient" assert areq["state"] == "cold" urluenc = "%s?%s" % ("https://example.com/authz", uencq) areq = srv.parse_authorization_request(url=urluenc) assert areq.type() == "AuthorizationRequest" assert areq["response_type"] == ["code"] assert areq["client_id"] == "foobar" assert areq["redirect_uri"] == "http://foobar.example.com/oaclient" assert areq["state"] == "cold"
def test_server_authorization_endpoint_request(): server = provider_init bib = { "scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code", "id_token"], "client_id": "a1b2c3", "nonce": "Nonce", "prompt": ["none"] } req = AuthorizationRequest(**bib) # want to be someone else ! ic = {"sub": {"value": "userX"}} _keys = server.keyjar.get_signing_key(key_type="RSA") req["request"] = make_openid_request(req, _keys, idtoken_claims=ic, algorithm="RS256") try: resp = server.authorization_endpoint(request=req.to_urlencoded()) except FailedAuthentication: pass else: assert False
def test_session_state_in_auth_req_for_session_support(self): provider = Provider( "foo", SessionDB(SERVER_INFO["issuer"]), CDB, AUTHN_BROKER, USERINFO, AUTHZ, verify_client, SYMKEY, urlmap=URLMAP, keyjar=KEYJAR, capabilities={"check_session_iframe": "https://op.example.com/check_session"}, ) req_args = { "scope": ["openid"], "redirect_uri": "http://localhost:8087/authz", "response_type": ["code"], "client_id": "a1b2c3", } areq = AuthorizationRequest(**req_args) resp = provider.authorization_endpoint(request=areq.to_urlencoded()) aresp = self.cons.parse_response(AuthorizationResponse, resp.message, sformat="urlencoded") assert "session_state" in aresp
def test_scope_who_am_i(provider): registration_params = { "application_type": "web", "response_types": ["code", "token"], "redirect_uris": "http://example.org" } reg_req = RegistrationRequest(**registration_params) resp = provider.registration_endpoint(reg_req.to_urlencoded()) reg_resp = RegistrationResponse().from_json(resp.message) auth_req = AuthorizationRequest( **{ "client_id": reg_resp["client_id"], "scope": "openid who_am_i", "response_type": "code token", "redirect_uri": "http://example.org", "state": "state0", "nonce": "nonce0" }) resp = provider.authorization_endpoint(auth_req.to_urlencoded()) auth_resp = AuthorizationResponse().from_urlencoded(resp.message) userinfo_req = UserInfoRequest( **{"access_token": auth_resp["access_token"]}) resp = provider.userinfo_endpoint(userinfo_req.to_urlencoded()) userinfo_resp = AuthorizationResponse().from_json(resp.message) assert userinfo_resp["given_name"] == "Bruce" assert userinfo_resp["family_name"] == "Lee"
def test_full_flow(self, context, frontend_with_extra_scopes): redirect_uri = "https://client.example.com/redirect" response_type = "code id_token token" mock_callback = Mock() frontend_with_extra_scopes.auth_req_callback_func = mock_callback # discovery http_response = frontend_with_extra_scopes.provider_config(context) provider_config = ProviderConfigurationResponse().deserialize(http_response.message, "json") # client registration registration_request = RegistrationRequest(redirect_uris=[redirect_uri], response_types=[response_type]) context.request = registration_request.to_dict() http_response = frontend_with_extra_scopes.client_registration(context) registration_response = RegistrationResponse().deserialize(http_response.message, "json") # authentication request authn_req = AuthorizationRequest( redirect_uri=redirect_uri, client_id=registration_response["client_id"], response_type=response_type, scope="openid email eduperson", state="state", nonce="nonce", ) context.request = dict(parse_qsl(authn_req.to_urlencoded())) frontend_with_extra_scopes.handle_authn_request(context) assert mock_callback.call_count == 1 # fake authentication response from backend internal_response = self.setup_for_authn_response( context, frontend_with_extra_scopes, authn_req ) http_response = frontend_with_extra_scopes.handle_authn_response( context, internal_response ) authn_resp = AuthorizationResponse().deserialize(urlparse(http_response.message).fragment, "urlencoded") assert "code" in authn_resp assert "access_token" in authn_resp assert "id_token" in authn_resp # token request context.request = AccessTokenRequest(redirect_uri=authn_req["redirect_uri"], code=authn_resp["code"]).to_dict() credentials = "{}:{}".format(registration_response["client_id"], registration_response["client_secret"]) basic_auth = urlsafe_b64encode(credentials.encode("utf-8")).decode("utf-8") context.request_authorization = "Basic {}".format(basic_auth) http_response = frontend_with_extra_scopes.token_endpoint(context) parsed = AccessTokenResponse().deserialize(http_response.message, "json") assert "access_token" in parsed assert "id_token" in parsed # userinfo request context.request = {} context.request_authorization = "Bearer {}".format(parsed["access_token"]) http_response = frontend_with_extra_scopes.userinfo_endpoint(context) parsed = OpenIDSchema().deserialize(http_response.message, "json") assert "email" in parsed assert "eduperson_principal_name" in parsed assert "eduperson_scoped_affiliation" in parsed
def test_authz_req(): areq = AuthorizationRequest( **{ 'state': 'vMTF1dV5yyEiPFR6', 'redirect_uri': 'https://localhost:8088/authz_cb', 'response_type': 'code', 'client_id': u'iSKYyH32tzC5', 'scope': 'openid', 'claims': { 'id_token': { 'sub': { "value": "-fdfb4a841dce167" } } } }) print areq.to_urlencoded()
def test_parse_authorization_request(self): areq = AuthorizationRequest(response_type="code", client_id="client_id", redirect_uri="http://example.com/authz", scope=["openid"], state="state0", nonce="N0nce") qdict = self.srv.parse_authorization_request(query=areq.to_urlencoded()) assert _eq(qdict.keys(), ['nonce', 'state', 'redirect_uri', 'response_type', 'client_id', 'scope']) assert qdict["state"] == "state0"
def _authz_req(self): req_args = {"scope": ["openid", "profile"], "redirect_uri": "http://localhost:8087/authz", "response_type": ["code"], "client_id": "client1" } areq = AuthorizationRequest(**req_args) resp = self.provider.authorization_endpoint(areq.to_urlencoded()) return AuthorizationResponse().deserialize( urlparse(resp.message).query, "urlencoded")
def test_full_flow(self, context, frontend): redirect_uri = "https://client.example.com/redirect" response_type = "code id_token token" mock_callback = Mock() frontend.auth_req_callback_func = mock_callback # discovery http_response = frontend.provider_config(context) provider_config = ProviderConfigurationResponse().deserialize(http_response.message, "json") # client registration registration_request = RegistrationRequest(redirect_uris=[redirect_uri], response_types=[response_type]) context.request = registration_request.to_dict() http_response = frontend.client_registration(context) registration_response = RegistrationResponse().deserialize(http_response.message, "json") # authentication request authn_req = AuthorizationRequest( redirect_uri=redirect_uri, client_id=registration_response["client_id"], response_type=response_type, scope="openid email", state="state", nonce="nonce", ) context.request = dict(parse_qsl(authn_req.to_urlencoded())) frontend.handle_authn_request(context) assert mock_callback.call_count == 1 # fake authentication response from backend internal_response = self.setup_for_authn_response(context, frontend, authn_req) http_response = frontend.handle_authn_response(context, internal_response) authn_resp = AuthorizationResponse().deserialize(urlparse(http_response.message).fragment, "urlencoded") assert "code" in authn_resp assert "access_token" in authn_resp assert "id_token" in authn_resp # token request context.request = AccessTokenRequest(redirect_uri=authn_req["redirect_uri"], code=authn_resp["code"]).to_dict() credentials = "{}:{}".format(registration_response["client_id"], registration_response["client_secret"]) basic_auth = urlsafe_b64encode(credentials.encode("utf-8")).decode("utf-8") context.request_authorization = "Basic {}".format(basic_auth) http_response = frontend.token_endpoint(context) parsed = AccessTokenResponse().deserialize(http_response.message, "json") assert "access_token" in parsed assert "id_token" in parsed # userinfo request context.request = {} context.request_authorization = "Bearer {}".format(parsed["access_token"]) http_response = frontend.userinfo_endpoint(context) parsed = OpenIDSchema().deserialize(http_response.message, "json") assert "email" in parsed
def test_authorization_endpoint_bad_scope(self): bib = {"scope": ["openid", "offline_access"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code"], "client_id": "a1b2c3"} arq = AuthorizationRequest(**bib) resp = self.provider.authorization_endpoint(request=arq.to_urlencoded()) assert resp.status == "303 See Other" parsed = parse_qs(urlparse(resp.message).query) assert parsed["error"][0] == "invalid_request" assert parsed["error_description"][0] == "consent in prompt"
def test_handle_authn_response_returns_error_access_denied_for_wrong_affiliation(self, context, scope_value, affiliation): authn_req = AuthorizationRequest(scope='openid ' + scope_value, client_id='client1', redirect_uri='https://client.example.com', response_type='id_token') context.state[self.frontend.name] = {'oidc_request': authn_req.to_urlencoded()} internal_response = InternalResponse() internal_response.attributes['affiliation'] = [affiliation] internal_response.user_id = 'user1' resp = self.frontend.handle_authn_response(context, internal_response) auth_resp = AuthorizationErrorResponse().from_urlencoded(urlparse(resp.message).fragment) assert auth_resp['error'] == 'access_denied'
def test_server_authorization_endpoint(self): bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code"], "client_id": "a1b2c3", "nonce": "Nonce"} arq = AuthorizationRequest(**bib) resp = self.server.authorization_endpoint(request=arq.to_urlencoded()) print resp.message assert resp.message
def test_handle_backend_error(self, context, frontend): redirect_uri = "https://client.example.com" areq = AuthorizationRequest(client_id=CLIENT_ID, scope="openid", response_type="id_token", redirect_uri=redirect_uri) context.state[frontend.name] = {"oidc_request": areq.to_urlencoded()} # fake an error message = "test error" error = SATOSAAuthenticationError(context.state, message) resp = frontend.handle_backend_error(error) assert resp.message.startswith(redirect_uri) error_response = AuthorizationErrorResponse().deserialize(urlparse(resp.message).fragment) error_response["error"] = "access_denied" error_response["error_description"] == message
def test_authorization_endpoint(self): bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code"], "client_id": "a1b2c3", "nonce": "Nonce"} arq = AuthorizationRequest(**bib) resp = self.provider.authorization_endpoint(request=arq.to_urlencoded()) parsed = parse_qs(urlparse(resp.message).query) assert parsed["scope"] == ["openid"] assert parsed["state"][0] == "id-6da9ca0cc23959f5f33e8becd9b08cae" assert "code" in parsed
def test_server_authorization_endpoint(self): bib = { "scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code"], "client_id": "a1b2c3", "nonce": "Nonce" } arq = AuthorizationRequest(**bib) resp = self.server.authorization_endpoint(request=arq.to_urlencoded()) print resp.message assert resp.message
def test_server_authorization_endpoint_id_token(): provider = provider_init bib = { "scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code", "id_token"], "client_id": "a1b2c3", "nonce": "Nonce", "prompt": ["none"] } req = AuthorizationRequest(**bib) AREQ = AuthorizationRequest(response_type="code", client_id="client_1", redirect_uri="http://example.com/authz", scope=["openid"], state="state000") sdb = SessionDB() sid = sdb.create_authz_session("userX", AREQ) _info = sdb[sid] _user_info = IdToken(iss="https://foo.example.om", sub="foo", aud=bib["client_id"], exp=epoch_in_a_while(minutes=10), acr="2", nonce=bib["nonce"]) print provider.keyjar.issuer_keys print _user_info.to_dict() idt = provider.id_token_as_signed_jwt(_info, access_token="access_token", user_info=_user_info) req["id_token"] = idt QUERY_STRING = req.to_urlencoded() resp = provider.authorization_endpoint(request=QUERY_STRING) print resp assert "error=login_required" in resp.message
def test_handle_authn_response_returns_id_token_for_verified_affiliation( self, signing_key_path, context, scope_value, affiliation): authn_req = AuthorizationRequest(scope='openid ' + scope_value, client_id='client1', redirect_uri='https://client.example.com', response_type='id_token') context.state[self.frontend.name] = {'oidc_request': authn_req.to_urlencoded()} internal_response = InternalResponse(AuthenticationInformation(None, str(datetime.now()), 'https://idp.example.com')) internal_response.attributes['affiliation'] = [affiliation] internal_response.user_id = 'user1' resp = self.frontend.handle_authn_response(context, internal_response) auth_resp = AuthorizationResponse().from_urlencoded(urlparse(resp.message).fragment) id_token = IdToken().from_jwt(auth_resp['id_token'], key=[RSAKey(key=rsa_load(signing_key_path))]) assert id_token['iss'] == self.frontend.base_url assert id_token['aud'] == ['client1'] assert id_token['auth_time'] == internal_response.auth_info.timestamp
def test_authorization_endpoint_request(self): bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code", "id_token"], "client_id": "a1b2c3", "nonce": "Nonce", "prompt": ["none"]} req = AuthorizationRequest(**bib) # want to be someone else ! ic = {"sub": {"value": "userX"}} _keys = self.provider.keyjar.get_signing_key(key_type="RSA") req["request"] = make_openid_request(req, _keys, idtoken_claims=ic, request_object_signing_alg="RS256") with pytest.raises(FailedAuthentication): self.provider.authorization_endpoint(request=req.to_urlencoded())
def test_handle_authn_response_returns_error_access_denied_for_wrong_affiliation( self, context, scope_value, affiliation): authn_req = AuthorizationRequest( scope='openid ' + scope_value, client_id='client1', redirect_uri='https://client.example.com', response_type='id_token') context.state[self.frontend.name] = { 'oidc_request': authn_req.to_urlencoded() } internal_response = InternalResponse() internal_response.attributes['affiliation'] = [affiliation] internal_response.user_id = 'user1' resp = self.frontend.handle_authn_response(context, internal_response) auth_resp = AuthorizationErrorResponse().from_urlencoded( urlparse(resp.message).fragment) assert auth_resp['error'] == 'access_denied'
def test_server_authorization_endpoint(): server = provider_init bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code"], "client_id": "a1b2c3", "nonce": "Nonce"} arq = AuthorizationRequest(**bib) environ = BASE_ENVIRON.copy() environ["QUERY_STRING"] = arq.to_urlencoded() resp = server.authorization_endpoint(environ, start_response) print resp line = resp[0] assert line.startswith("<form>") assert line.endswith("</form>")
def test_server_authorization_endpoint_id_token(): provider = provider_init bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code", "id_token"], "client_id": "a1b2c3", "nonce": "Nonce", "prompt": ["none"]} req = AuthorizationRequest(**bib) AREQ = AuthorizationRequest(response_type="code", client_id="client_1", redirect_uri="http://example.com/authz", scope=["openid"], state="state000") sdb = SessionDB() sid = sdb.create_authz_session("username", AREQ) _info = sdb[sid] _user_info = IdToken(iss="https://foo.example.om", sub="foo", aud=bib["client_id"], exp=epoch_in_a_while(minutes=10), acr="2", nonce=bib["nonce"]) print provider.keyjar.issuer_keys print _user_info.to_dict() idt = provider.id_token_as_signed_jwt(_info, access_token="access_token", user_info=_user_info) req["id_token"] = idt environ = BASE_ENVIRON.copy() environ["QUERY_STRING"] = req.to_urlencoded() resp = provider.authorization_endpoint(environ, start_response) print resp line = resp[0] assert "error=login_required" in line
def test_server_authorization_endpoint_request(): server = provider_init bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code", "id_token"], "client_id": "a1b2c3", "nonce": "Nonce", "prompt": ["none"]} req = AuthorizationRequest(**bib) # want to be someone else ! ic = {"sub": {"value": "userX"}} _keys = server.keyjar.get_signing_key(key_type="RSA") req["request"] = make_openid_request(req, _keys, idtoken_claims=ic, algorithm="RS256") resp = server.authorization_endpoint(request=req.to_urlencoded()) print resp assert "error=login_required" in resp.message
def test_scope_who_am_i(provider): registration_params = { "application_type": "web", "response_types": ["code", "token"], "redirect_uris": "http://example.org"} reg_req = RegistrationRequest(**registration_params) resp = provider.registration_endpoint(reg_req.to_urlencoded()) reg_resp = RegistrationResponse().from_json(resp.message) auth_req = AuthorizationRequest( **{"client_id": reg_resp["client_id"], "scope": "openid who_am_i", "response_type": "code token", "redirect_uri": "http://example.org", "state": "state0", "nonce": "nonce0"}) resp = provider.authorization_endpoint(auth_req.to_urlencoded()) auth_resp = AuthorizationResponse().from_urlencoded(resp.message) userinfo_req = UserInfoRequest(**{"access_token": auth_resp["access_token"]}) resp = provider.userinfo_endpoint(userinfo_req.to_urlencoded()) userinfo_resp = AuthorizationResponse().from_json(resp.message) assert userinfo_resp["given_name"] == "Bruce" assert userinfo_resp["family_name"] == "Lee"
def test_parse_authz_req(self): ar = AuthorizationRequest(response_type=["code"], client_id="foobar", redirect_uri="http://foobar.example.com/oaclient", state="cold", nonce="NONCE", scope=["openid"]) # query string uencq = ar.to_urlencoded() areq = self.srv.parse_authorization_request(query=uencq) assert isinstance(areq, AuthorizationRequest) assert areq["response_type"] == ["code"] assert areq["client_id"] == "foobar" assert areq["redirect_uri"] == "http://foobar.example.com/oaclient" assert areq["state"] == "cold" # urlencoded urluenc = "https://example.com/authz?{}".format(uencq) areq = self.srv.parse_authorization_request(url=urluenc) assert isinstance(areq, AuthorizationRequest) assert areq["response_type"] == ["code"] assert areq["client_id"] == "foobar" assert areq["redirect_uri"] == "http://foobar.example.com/oaclient" assert areq["state"] == "cold"