示例#1
 def test_jwks_uri(self):
     """A client registered with a secret and a jwks_uri gets three keyjar entries."""
     client_id = "some_cid"
     registration = {
         "client_secret": "top secret",
         "jwks_uri": "https://example.com/key",
     }
     self.server.cdb[client_id] = registration
     # self.jwt comes from the test fixture; presumably it names "some_cid"
     # as the client, which is why that id shows up in the keyjar -- confirm
     # against setUp.
     check_key_availability(self.server, self.jwt)
     keyjar = self.server.keyjar
     self.assertTrue(client_id in keyjar)
     # Expected entries: two symmetric ones plus one for the remote jwks_uri.
     self.assertEqual(len(keyjar[client_id]), 3)
示例#2
 def test_jwks(self):
     """A client registered with a secret and an inline JWKS gets three keyjar entries."""
     client_id = "some_cid"
     registration = {
         "client_secret": "top secret",
         "jwks": JWK0
     }
     self.server.cdb[client_id] = registration
     # self.jwt comes from the test fixture; presumably it names "some_cid"
     # as the client -- confirm against setUp.
     check_key_availability(self.server, self.jwt)
     keyjar = self.server.keyjar
     self.assertTrue(client_id in keyjar)
     # Expected entries: two symmetric ones plus one for the inline "jwks"
     # value. No jwks_uri is registered here, so nothing remote is involved.
     self.assertEqual(len(keyjar[client_id]), 3)
示例#3
文件: client.py 项目: zack53/pyoidc
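def verify_client(inst, areq, authn, type_method=TYPE_METHOD):
    """
    Work out which client authentication method a request used and verify it.

    The method is chosen from what the request carries, in this order: a
    truthy ``authn`` (recorded as client_secret_basic), a ``client_secret``
    parameter (client_secret_post), or a ``client_assertion`` parameter
    (dispatched through ``type_method``). For an AccessTokenRequest the
    method used must also equal the client's ``token_endpoint_auth_method``
    entry in ``inst.cdb``; when there is no such entry, client_secret_basic
    is required.

    :param inst: Entity instance; its ``cdb`` client database is read and
        updated
    :param areq: The request
    :param authn: client authentication information
    :param type_method: iterable of (assertion type, verifier factory) pairs;
        the factory is called with ``inst`` and its ``verify(areq)`` result is
        unpacked as (client id, authentication method)
    :return: the client id only; the authentication method is stored under
        ``inst.cdb[cid]["auth_method"]`` keyed by the request class name
    :raises UnknownAssertionType: if ``client_assertion_type`` matches no
        entry in ``type_method``
    :raises FailedAuthentication: if the request carries no client
        authentication, or a token request used a method other than the
        registered one
    """
    if authn:  # HTTP Basic auth (client_secret_basic)
        # NOTE(review): any truthy authn is recorded as client_secret_basic;
        # the credential check itself is presumably done inside
        # get_client_id -- confirm.
        cid = get_client_id(inst.cdb, areq, authn)
        auth_method = "client_secret_basic"
    elif "client_secret" in areq:  # client_secret_post
        client_id = get_client_id(inst.cdb, areq, authn)
        cid = ClientSecretBasic(inst).verify(areq, client_id)
        # Emitted only once verify() has returned, so a "Verified" line in
        # the debug log is never written for a request whose verify() raised.
        logger.debug("Verified Client ID: %s", client_id)
        auth_method = "client_secret_post"
    elif "client_assertion" in areq:  # client_secret_jwt or private_key_jwt
        # NOTE(review): this is called on the assertion before its type has
        # been matched and before any verifier has run, i.e. on unverified
        # input. Confirm it cannot be made to do unwanted work for callers
        # that never authenticate.
        check_key_availability(inst, areq["client_assertion"])

        # A request without client_assertion_type raises KeyError here rather
        # than one of the authentication exceptions.
        assertion_type = areq["client_assertion_type"]
        for typ, method in type_method:
            if assertion_type == typ:
                cid, auth_method = method(inst).verify(areq)
                break
        else:
            logger.error("UnknownAssertionType: {}".format(assertion_type))
            raise UnknownAssertionType(assertion_type, areq)
    else:
        logger.error("Missing client authentication.")
        raise FailedAuthentication("Missing client authentication.")

    # Only token requests are held to the registered method; every other
    # request type accepts whichever method verified above.
    if isinstance(areq, AccessTokenRequest):
        try:
            _method = inst.cdb[cid]["token_endpoint_auth_method"]
        except KeyError:
            # No registered method (or no cdb entry for cid at all).
            _method = "client_secret_basic"

        if _method != auth_method:
            logger.error(
                "Wrong authentication method used: {} != {}".format(
                    auth_method, _method
                )
            )
            raise FailedAuthentication("Wrong authentication method used")

    # store which authn method was used where
    request_type = areq.__class__.__name__
    try:
        inst.cdb[cid]["auth_method"][request_type] = auth_method
    except KeyError:
        try:
            inst.cdb[cid]["auth_method"] = {request_type: auth_method}
        except KeyError:
            # cid has no entry in the client database. Recording stays
            # best-effort, but leave a trace instead of dropping it silently.
            logger.debug(
                "Client %s is not in the client database; "
                "authentication method not recorded",
                cid,
            )

    return cid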
示例#4
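def verify_client(inst, areq, authn, type_method=TYPE_METHOD):
    """
    Guess the client authentication method from the request and verify it.

    Checked in order: a truthy ``authn`` (recorded as client_secret_basic),
    a ``client_secret`` parameter (client_secret_post), then a
    ``client_assertion`` parameter (dispatched through ``type_method``).
    An AccessTokenRequest must additionally use the method stored as
    ``token_endpoint_auth_method`` for the client in ``inst.cdb``, with
    client_secret_basic as the fallback when nothing is stored.

    :param inst: Entity instance; its ``cdb`` client database is read and
        updated
    :param areq: The request
    :param authn: client authentication information
    :param type_method: iterable of (assertion type, verifier factory) pairs
    :return: the client id only; the authentication method is written to
        ``inst.cdb[cid]['auth_method']`` under the request class name
    :raises UnknownAssertionType: if no ``type_method`` entry matches the
        request's ``client_assertion_type``
    :raises FailedAuthentication: if client authentication is missing, or a
        token request used a method other than the registered one
    """

    if authn:  # HTTP Basic auth (client_secret_basic)
        # NOTE(review): the credential check is presumably performed by
        # get_client_id; nothing in this function inspects authn -- confirm.
        cid = get_client_id(inst.cdb, areq, authn)
        auth_method = 'client_secret_basic'
    elif "client_secret" in areq:  # client_secret_post
        client_id = get_client_id(inst.cdb, areq, authn)
        cid = ClientSecretBasic(inst).verify(areq, client_id)
        # Logged after verify() so the "Verified" message is not written for
        # a request whose verify() call raised.
        logger.debug("Verified Client ID: %s", client_id)
        auth_method = 'client_secret_post'
    elif "client_assertion" in areq:  # client_secret_jwt or private_key_jwt
        # NOTE(review): runs on the still-unverified assertion, ahead of the
        # assertion-type match below. Confirm the work it does is acceptable
        # for unauthenticated input.
        check_key_availability(inst, areq['client_assertion'])

        # Missing client_assertion_type surfaces as KeyError, not as an
        # authentication exception.
        assertion_type = areq["client_assertion_type"]
        for typ, method in type_method:
            if assertion_type == typ:
                cid, auth_method = method(inst).verify(areq)
                break
        else:
            logger.error('UnknownAssertionType: {}'.format(assertion_type))
            raise UnknownAssertionType(assertion_type, areq)
    else:
        logger.error("Missing client authentication.")
        raise FailedAuthentication("Missing client authentication.")

    # The registered-method check applies to token requests only.
    if isinstance(areq, AccessTokenRequest):
        try:
            _method = inst.cdb[cid]['token_endpoint_auth_method']
        except KeyError:
            # Nothing registered (or cid unknown to cdb): require basic.
            _method = 'client_secret_basic'

        if _method != auth_method:
            logger.error("Wrong authentication method used: {} != {}".format(
                auth_method, _method))
            raise FailedAuthentication("Wrong authentication method used")

    # store which authn method was used where
    request_type = areq.__class__.__name__
    try:
        inst.cdb[cid]['auth_method'][request_type] = auth_method
    except KeyError:
        try:
            inst.cdb[cid]['auth_method'] = {request_type: auth_method}
        except KeyError:
            # No cdb entry for cid. Recording is best-effort, so note it in
            # the debug log rather than failing or dropping it silently.
            logger.debug(
                "Client %s is not in the client database; "
                "authentication method not recorded", cid)

    return cid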
示例#5
 def test_none(self):
     """A client registered with only a secret gets two keyjar entries."""
     client_id = "some_cid"
     registration = {"client_secret": "top secret"}
     self.server.cdb[client_id] = registration
     # self.jwt comes from the test fixture; presumably it names "some_cid"
     # as the client -- confirm against setUp.
     check_key_availability(self.server, self.jwt)
     keyjar = self.server.keyjar
     self.assertTrue(client_id in keyjar)
     # Only a client_secret is registered, so just the two symmetric entries.
     self.assertEqual(len(keyjar[client_id]), 2)