def test_access_and_id_token_by_reference(self, httpserver):
res = self.rph.begin(issuer_id='github')
_session = self.rph.get_session_information(res['state'])
client = self.rph.issuer2rp[_session['iss']]
_nonce = _session['auth_request']['nonce']
_iss = _session['iss']
_aud = client.client_id
idval = {'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
'aud': _aud}
idts = IdToken(**idval)
_signed_jwt = idts.to_jwt(
key=client.service_context.keyjar.get_signing_key('oct'),
algorithm="HS256", lifetime=300)
_info = {"access_token": "accessTok", "id_token": _signed_jwt,
"token_type": "Bearer", "expires_in": 3600}
at = AccessTokenResponse(**_info)
httpserver.serve_content(at.to_json())
client.service['accesstoken'].endpoint = httpserver.url
_response = AuthorizationResponse(code='access_code',
state=res['state'])
auth_response = self.rph.finalize_auth(client, _session['iss'],
_response.to_dict())
resp = self.rph.get_access_and_id_token(state=res['state'])
assert resp['access_token'] == 'accessTok'
assert isinstance(resp['id_token'], IdToken)
def construct_access_token_response(self, client_id):
_nonce = self.nonce
_iss = self.issuer
_aud = client_id
idval = {
'nonce': _nonce,
'sub': 'EndUserSubject',
'iss': _iss,
'aud': _aud
}
idts = IdToken(**idval)
_signed_jwt = idts.to_jwt(key=self.keyjar.get_signing_key('oct'),
algorithm="HS256",
lifetime=300)
_info = {
"access_token": "accessTok",
"id_token": _signed_jwt,
"token_type": "Bearer",
"expires_in": 3600
}
return AccessTokenResponse(**_info)
def create_jws(val):
lifetime = 3600
idts = IdToken(**val)
return idts.to_jwt(key=ISS_KEY.get_signing_key('ec', owner=ISS),
algorithm="ES256", lifetime=lifetime)
def test_get_access_token(self):
res = self.rph.begin(issuer_id='github')
_session = self.rph.get_session_information(res['state'])
client = self.rph.issuer2rp[_session['iss']]
_github_id = iss_id('github')
client.service_context.keyjar.import_jwks(
GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)
_nonce = _session['auth_request']['nonce']
_iss = _session['iss']
_aud = client.client_id
idval = {
'nonce': _nonce,
'sub': 'EndUserSubject',
'iss': _iss,
'aud': _aud
}
idts = IdToken(**idval)
_signed_jwt = idts.to_jwt(
key=GITHUB_KEY.get_signing_key(issuer_id=_github_id),
algorithm="RS256",
lifetime=300)
_info = {
"access_token": "accessTok",
"id_token": _signed_jwt,
"token_type": "Bearer",
"expires_in": 3600
}
at = AccessTokenResponse(**_info)
_url = "https://github.com/token"
with responses.RequestsMock() as rsps:
rsps.add("POST",
_url,
body=at.to_json(),
adding_headers={"Content-Type": "application/json"},
status=200)
client.service['accesstoken'].endpoint = _url
auth_response = AuthorizationResponse(code='access_code',
state=res['state'])
resp = self.rph.finalize_auth(client, _session['iss'],
auth_response.to_dict())
resp = self.rph.get_access_token(res['state'], client)
assert set(resp.keys()) == {
'access_token', 'expires_in', 'id_token', 'token_type',
'__verified_id_token', '__expires_at'
}
atresp = client.service['accesstoken'].get_item(
AccessTokenResponse, 'token_response', res['state'])
assert set(atresp.keys()) == {
'access_token', 'expires_in', 'id_token', 'token_type',
'__verified_id_token', '__expires_at'
}
def rphandler_setup(self, httpserver):
self.rph = RPHandler(base_url=BASE_URL,
client_configs=CLIENT_CONFIG,
keyjar=CLI_KEY)
res = self.rph.begin(issuer_id='github')
_session = self.rph.get_session_information(res['state'])
client = self.rph.issuer2rp[_session['iss']]
_nonce = _session['auth_request']['nonce']
_iss = _session['iss']
_aud = client.client_id
idval = {
'nonce': _nonce,
'sub': 'EndUserSubject',
'iss': _iss,
'aud': _aud
}
_github_id = iss_id('github')
client.service_context.keyjar.import_jwks(
GITHUB_KEY.export_jwks(issuer=_github_id), _github_id)
idts = IdToken(**idval)
_signed_jwt = idts.to_jwt(key=GITHUB_KEY.get_signing_key(
'rsa', owner=_github_id),
algorithm="RS256",
lifetime=300)
_info = {
"access_token": "accessTok",
"id_token": _signed_jwt,
"token_type": "Bearer",
"expires_in": 3600,
'refresh_token': 'refreshing'
}
at = AccessTokenResponse(**_info)
httpserver.serve_content(at.to_json(),
headers={'Content-Type': 'application/json'})
client.service['accesstoken'].endpoint = httpserver.url
_response = AuthorizationResponse(code='access_code',
state=res['state'])
auth_response = self.rph.finalize_auth(client, _session['iss'],
_response.to_dict())
token_resp = self.rph.get_access_and_id_token(auth_response,
client=client)
httpserver.serve_content('{"sub":"EndUserSubject"}',
headers={'Content-Type': 'application/json'})
client.service['userinfo'].endpoint = httpserver.url
self.rph.get_user_info(res['state'], client,
token_resp['access_token'])
self.state = res['state']
def test_access_and_id_token_by_reference(self):
rph_1 = RPHandler(BASE_URL,
client_configs=CLIENT_CONFIG,
keyjar=CLI_KEY,
module_dirs=['oidc'])
res = rph_1.begin(issuer_id='github')
_session = rph_1.get_session_information(res['state'])
client = rph_1.issuer2rp[_session['iss']]
_context = client.client_get("service_context")
_nonce = _session['auth_request']['nonce']
_iss = _session['iss']
_aud = _context.client_id
idval = {
'nonce': _nonce,
'sub': 'EndUserSubject',
'iss': _iss,
'aud': _aud
}
_github_id = iss_id('github')
_context.keyjar.import_jwks(
GITHUB_KEY.export_jwks(issuer_id=_github_id), _github_id)
idts = IdToken(**idval)
_signed_jwt = idts.to_jwt(key=GITHUB_KEY.get_signing_key(
'rsa', issuer_id=_github_id),
algorithm="RS256",
lifetime=300)
_info = {
"access_token": "accessTok",
"id_token": _signed_jwt,
"token_type": "Bearer",
"expires_in": 3600
}
at = AccessTokenResponse(**_info)
_url = "https://github.com/token"
with responses.RequestsMock() as rsps:
rsps.add("POST",
_url,
body=at.to_json(),
adding_headers={"Content-Type": "application/json"},
status=200)
client.client_get("service", 'accesstoken').endpoint = _url
_response = AuthorizationResponse(code='access_code',
state=res['state'])
_ = rph_1.finalize_auth(client, _session['iss'],
_response.to_dict())
resp = rph_1.get_access_and_id_token(state=res['state'])
assert resp['access_token'] == 'accessTok'
assert isinstance(resp['id_token'], IdToken)
def test_get_access_token(self, httpserver):
res = self.rph.begin(issuer_id='github')
_session = self.rph.get_session_information(res['state'])
client = self.rph.issuer2rp[_session['iss']]
_nonce = _session['auth_request']['nonce']
_iss = _session['iss']
_aud = client.client_id
idval = {
'nonce': _nonce,
'sub': 'EndUserSubject',
'iss': _iss,
'aud': _aud
}
idts = IdToken(**idval)
_signed_jwt = idts.to_jwt(
key=client.service_context.keyjar.get_signing_key('oct'),
algorithm="HS256",
lifetime=300)
_info = {
"access_token": "accessTok",
"id_token": _signed_jwt,
"token_type": "Bearer",
"expires_in": 3600
}
at = AccessTokenResponse(**_info)
httpserver.serve_content(at.to_json(),
headers={'Content-Type': 'application/json'})
client.service['accesstoken'].endpoint = httpserver.url
auth_response = AuthorizationResponse(code='access_code',
state=res['state'])
resp = self.rph.finalize_auth(client, _session['iss'],
auth_response.to_dict())
resp = self.rph.get_access_token(res['state'], client)
assert set(resp.keys()) == {
'access_token', 'expires_in', 'id_token', 'token_type',
'__verified_id_token', '__expires_at'
}
atresp = client.service['accesstoken'].get_item(
AccessTokenResponse, 'token_response', res['state'])
assert set(atresp.keys()) == {
'access_token', 'expires_in', 'id_token', 'token_type',
'__verified_id_token', '__expires_at'
}
def test_userinfo_in_id_token(self):
rph_1 = RPHandler(BASE_URL,
client_configs=CLIENT_CONFIG,
keyjar=CLI_KEY,
module_dirs=['oidc'])
res = rph_1.begin(issuer_id='github')
_session = rph_1.get_session_information(res['state'])
client = rph_1.issuer2rp[_session['iss']]
#_context = client.client_get("service_context")
_nonce = _session['auth_request']['nonce']
_iss = _session['iss']
_aud = client.get_client_id()
idval = {
'nonce': _nonce,
'sub': 'EndUserSubject',
'iss': _iss,
'aud': _aud,
'given_name': 'Diana',
'family_name': 'Krall',
'occupation': 'Jazz pianist'
}
idts = IdToken(**idval)
userinfo = rph_1.userinfo_in_id_token(idts)
assert set(userinfo.keys()) == {
'sub', 'family_name', 'given_name', 'occupation'
}
def create_request(self):
self._iss = ISS
client_config = {
'client_id': 'client_id', 'client_secret': 'a longesh password',
'redirect_uris': ['https://example.com/cli/authz_cb'],
'issuer': self._iss, 'requests_dir': 'requests',
'base_url': 'https://example.com/cli/'
}
service_context = ServiceContext(config=client_config)
service_context.keyjar = CLI_KEY
service_context.behaviour = {
'userinfo_signed_response_alg': 'RS256',
"userinfo_encrypted_response_alg": "RSA-OAEP",
"userinfo_encrypted_response_enc": "A256GCM"
}
db = InMemoryStateDataBase()
auth_response = AuthorizationResponse(code='access_code').to_json()
idtval = {
'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'diana',
'iss': ISS, 'aud': 'client_id'
}
idt = create_jws(idtval)
ver_idt = IdToken().from_jwt(idt, CLI_KEY)
token_response = AccessTokenResponse(
access_token='access_token', id_token=idt,
__verified_id_token=ver_idt).to_json()
db.set('abcde', State(token_response=token_response,
auth_response=auth_response).to_json())
self.service = service_factory('UserInfo', ['oidc'], state_db=db,
service_context=service_context)
def construct_access_token_response(nonce, issuer, client_id, key_jar):
_aud = client_id
idval = {
'nonce': nonce,
'sub': 'EndUserSubject',
'iss': issuer,
'aud': _aud
}
idts = IdToken(**idval)
_signed_jwt = idts.to_jwt(key=key_jar.get_signing_key('rsa', owner=issuer),
algorithm="RS256",
lifetime=300)
_info = {
"access_token": "accessTok",
"id_token": _signed_jwt,
"token_type": "Bearer",
"expires_in": 3600
}
return AccessTokenResponse(**_info)
def test_userinfo_in_id_token(self):
res = self.rph.begin(issuer_id='github')
_session = self.rph.get_session_information(res['state'])
client = self.rph.issuer2rp[_session['iss']]
_nonce = _session['auth_request']['nonce']
_iss = _session['iss']
_aud = client.client_id
idval = {'nonce': _nonce, 'sub': 'EndUserSubject', 'iss': _iss,
'aud': _aud, 'given_name': 'Diana', 'family_name': 'Krall',
'occupation': 'Jazz pianist'}
idts = IdToken(**idval)
userinfo = self.rph.userinfo_in_id_token(idts)
assert set(userinfo.keys()) == {'sub', 'family_name', 'given_name',
'occupation'}
from oidcservice.exception import ParseError
from oidcrp.oauth2 import Client
sys.path.insert(0, '.')
_dirname = os.path.dirname(os.path.abspath(__file__))
BASE_PATH = os.path.join(_dirname, "data", "keys")
_key = import_private_rsa_key_from_file(os.path.join(BASE_PATH, "rsa.key"))
KC_RSA = KeyBundle({"key": _key, "kty": "RSA", "use": "sig"})
CLIENT_ID = "client_1"
IDTOKEN = IdToken(iss="http://oidc.example.org/",
sub="sub",
aud=CLIENT_ID,
exp=utc_time_sans_frac() + 86400,
nonce="N0nce",
iat=time.time())
class DB(object):
def __init__(self):
self.db = {}
def set(self, key, value):
self.db[key] = value
def get(self, item):
return self.db[item]
from oidcmsg.oidc import IdToken
from oidcmsg.oidc import verified_claim_name
from oidcmsg.oidc.session import BACK_CHANNEL_LOGOUT_EVENT
from oidcmsg.oidc.session import BackChannelLogoutRequest
from oidcmsg.oidc.session import CheckSessionRequest
from oidcmsg.oidc.session import EndSessionRequest
from oidcmsg.oidc.session import EndSessionResponse
from oidcmsg.oidc.session import LogoutToken
from oidcmsg.time_util import utc_time_sans_frac
CLIENT_ID = "client_1"
ISS = 'https://example.com'
IDTOKEN = IdToken(iss=ISS,
sub="sub",
aud=CLIENT_ID,
exp=utc_time_sans_frac() + 300,
nonce="N0nce",
iat=time.time())
KC_SYM_S = KeyBundle({
"kty": "oct",
"key": "abcdefghijklmnop".encode("utf-8"),
"use": "sig",
"alg": "HS256"
})
NOW = utc_time_sans_frac()
KEYDEF = [{
"type": "EC",
"crv": "P-256",
"use": ["sig"]