def test_jws_authn_method_wrong_key():
    """A client assertion signed with a secret the OP does not hold must be rejected.

    The JWT is HS256-signed with a fabricated symmetric key instead of the
    registered ``client_secret``; ``JWSAuthnMethod.verify`` is expected to
    raise ``AuthnFailure`` rather than authenticate the client.
    """
    keyjar = KeyJar()
    keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
    # Fabricated secret, deliberately different from the registered one.
    keyjar.add_symmetric("", "client_secret:client_secret", ["sig"])

    signer = JWT(keyjar, iss=client_id, sign_alg="HS256")
    assertion = signer.pack({"aud": [conf["issuer"]]})
    req = dict(client_assertion=assertion, client_assertion_type=JWT_BEARER)

    with pytest.raises(AuthnFailure):
        JWSAuthnMethod(endpoint_context).verify(req)
def test_jws_authn_method_aud_iss():
    """An assertion signed with the registered secret and addressed to the OP issuer verifies.

    The client KeyJar holds the OP issuer keys plus the single symmetric
    ``client_secret`` under the empty owner id; the audience is the OP's own
    issuer identifier, which ``verify`` must accept.
    """
    keyjar = KeyJar()
    keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
    # The only own key the client has at this point.
    keyjar.add_symmetric("", client_secret, ["sig"])

    signer = JWT(keyjar, iss=client_id, sign_alg="HS256")
    # Audience is the OP issuer ID.
    assertion = signer.pack({"aud": [conf["issuer"]]})
    req = dict(client_assertion=assertion, client_assertion_type=JWT_BEARER)

    verdict = JWSAuthnMethod(endpoint_context).verify(req)
    assert verdict
def test_jws_authn_method_aud_userinfo_endpoint():
    """An assertion addressed to the OP issuer is accepted at the userinfo endpoint too.

    The audience is the OP as a whole rather than the userinfo endpoint URL;
    ``verify`` is called with ``endpoint="userinfo"`` and must still succeed.
    """
    keyjar = KeyJar()
    keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
    # The only own key the client has at this point.
    keyjar.add_symmetric("", client_secret, ["sig"])

    signer = JWT(keyjar, iss=client_id, sign_alg="HS256")
    # Audience is the OP - not specifically the user info endpoint.
    assertion = signer.pack({"aud": [conf["issuer"]]})
    req = dict(client_assertion=assertion, client_assertion_type=JWT_BEARER)

    verdict = JWSAuthnMethod(endpoint_context).verify(req, endpoint="userinfo")
    assert verdict
def test_jws_authn_method_aud_not_me():
    """An assertion minted for a foreign audience must not authenticate at this OP.

    Even though the signature is valid under the registered ``client_secret``,
    the ``aud`` claim names another party, so ``verify`` must raise
    ``NotForMe`` instead of accepting the token.
    """
    keyjar = KeyJar()
    keyjar[conf["issuer"]] = KEYJAR.issuer_keys[""]
    # The only own key the client has at this point.
    keyjar.add_symmetric("", client_secret, ["sig"])

    signer = JWT(keyjar, iss=client_id, sign_alg="HS256")
    # Other audiences are not OK.
    foreign_aud = "https://example.org"
    assertion = signer.pack({"aud": [foreign_aud]})
    req = dict(client_assertion=assertion, client_assertion_type=JWT_BEARER)

    with pytest.raises(NotForMe):
        JWSAuthnMethod(endpoint_context).verify(req)
def create_method(self):
    """Attach a fresh ``JWSAuthnMethod`` bound to ``endpoint_context`` as ``self.method``.

    No decorator is visible on this definition here; presumably it is the
    per-test setup used by the test class - confirm against the class body.
    """
    method = JWSAuthnMethod(endpoint_context)
    self.method = method
class TestJWSAuthnMethod:
    """Exercise ``JWSAuthnMethod`` against HS256-signed client assertions (JWT bearer).

    Every test builds a client-side KeyJar, signs an assertion with it and
    checks the OP's verdict: a fabricated secret and a foreign audience must
    fail, while the OP issuer and the token endpoint are acceptable audiences.
    """

    @pytest.fixture(autouse=True)
    def create_method(self):
        """Give each test a fresh ``JWSAuthnMethod`` bound to the shared ``endpoint_context``."""
        self.method = JWSAuthnMethod(endpoint_context)

    def _signed_request(self, secret, aud):
        """Build a ``client_assertion`` request signed with *secret* for audience *aud*.

        The client KeyJar gets the OP issuer keys plus one symmetric "sig" key
        under the empty owner id - the only own key the client has at this
        point - and signs with HS256 on behalf of ``client_id``.
        """
        keyjar = KeyJar()
        keyjar[CONF["issuer"]] = KEYJAR.issuer_keys[""]
        keyjar.add_symmetric("", secret, ["sig"])
        signer = JWT(keyjar, iss=client_id, sign_alg="HS256")
        assertion = signer.pack({"aud": [aud]})
        return dict(client_assertion=assertion, client_assertion_type=JWT_BEARER)

    def test_jws_authn_method_wrong_key(self):
        """An assertion under a fabricated secret, checked as ``private_key``, must not verify.

        The assertion is HS256-signed with a secret the OP does not hold and
        verification is requested with ``key_type='private_key'``; the
        expected outcome is ``NoSuitableSigningKeys``.
        """
        req = self._signed_request("client_secret:client_secret", CONF["issuer"])
        with pytest.raises(NoSuitableSigningKeys):
            self.method.verify(request=req, key_type='private_key')

    def test_jws_authn_method_aud_iss(self):
        """The registered ``client_secret`` with the OP issuer as audience verifies."""
        req = self._signed_request(client_secret, CONF["issuer"])
        verdict = self.method.verify(request=req, key_type='client_secret')
        assert verdict

    def test_jws_authn_method_aud_token_endpoint(self):
        """The OP token endpoint URL is an acceptable audience at the token endpoint."""
        token_endpoint = "{issuer}token".format(issuer=CONF["issuer"])
        req = self._signed_request(client_secret, token_endpoint)
        verdict = self.method.verify(
            request=req, endpoint="token", key_type='client_secret'
        )
        assert verdict

    def test_jws_authn_method_aud_not_me(self):
        """A validly signed assertion for a foreign audience must raise ``NotForMe``."""
        req = self._signed_request(client_secret, "https://example.org")
        with pytest.raises(NotForMe):
            self.method.verify(request=req, key_type='client_secret')

    def test_jws_authn_method_aud_userinfo_endpoint(self):
        """An assertion addressed to the OP issuer is accepted at the userinfo endpoint."""
        # Audience is the OP - not specifically the user info endpoint.
        req = self._signed_request(client_secret, CONF["issuer"])
        verdict = self.method.verify(
            request=req, endpoint="userinfo", key_type='client_secret'
        )
        assert verdict