def invalidate_refresh_token(self, request): """Remove a used token from the storage.""" refresh_token = request._params.get("refresh_token") # The request may have no token in parameters which means that the # authorization code was used. if not refresh_token: return r_token = refresh_token_api.refresh_token_get_by_token(refresh_token) token_api.access_token_delete( refresh_token_api.get_access_token_id(r_token.id) ) # Cascades
def _resolve_user_id(self, request): # Try authorization code code = request._params.get("code") if code: code_info = auth_api.authorization_code_get(code) return code_info.user_id # Try refresh token refresh_token = request._params.get("refresh_token") refresh_token_entry = \ refresh_token_api.refresh_token_get_by_token(refresh_token) if refresh_token_entry: return refresh_token_entry.user_id return None
def _access_token_by_refresh_token(self): refresh_token = request.params.get("refresh_token") refresh_token_info = \ refresh_token_api.refresh_token_get_by_token(refresh_token) headers, body, code = SERVER.create_token_response( uri=request.url, http_method=request.method, body=request.body, headers=request.headers) response.headers = dict( (str(k), str(v)) for k, v in six.iteritems(headers)) response.status_code = code json_body = json.loads(body) # Update a body with user_id only if a response is 2xx if code / 100 == 2: json_body.update({'id_token': refresh_token_info.user_id}) response.json = json_body return response
def _access_token_by_refresh_token(self): refresh_token = request.params.get("refresh_token") refresh_token_info = \ refresh_token_api.refresh_token_get_by_token(refresh_token) headers, body, code = SERVER.create_token_response( uri=request.url, http_method=request.method, body=request.body, headers=request.headers) response.headers = dict((str(k), str(v)) for k, v in six.iteritems(headers)) response.status_code = code json_body = json.loads(body) # Update a body with user_id only if a response is 2xx if code / 100 == 2: json_body.update({ 'id_token': refresh_token_info.user_id }) response.json = json_body return response
def test_valid_refresh_token(self): """This test ensures that a valid refresh token can be converted into a valid access token, and cleans up after itself. """ # Generate a valid access code with base.HybridSessionManager(): authorization_code = auth_api.authorization_code_save({ 'user_id': 2, 'state': 'test_state', 'code': 'test_valid_code' }) content_type = 'application/x-www-form-urlencoded' # Generate an auth and a refresh token. resp_1 = self.app.post('/v1/openid/token', params={ 'code': authorization_code.code, 'grant_type': 'authorization_code' }, content_type=content_type, expect_errors=True) # Assert that this is a successful response self.assertEqual(200, resp_1.status_code) # Assert that the token came back in the response t1 = resp_1.json # Assert that both are in the database. with base.HybridSessionManager(): access_token = \ token_api.access_token_get_by_token(t1['access_token']) self.assertIsNotNone(access_token) with base.HybridSessionManager(): refresh_token = refresh_tokens.refresh_token_get_by_token( t1['refresh_token']) self.assertIsNotNone(refresh_token) content_type = 'application/x-www-form-urlencoded' # Issue a refresh token request. resp_2 = self.app.post('/v1/openid/token', params={ 'refresh_token': t1['refresh_token'], 'grant_type': 'refresh_token' }, content_type=content_type, expect_errors=True) # Assert that the response is good. self.assertEqual(200, resp_2.status_code) # Assert that the token came back in the response t2 = resp_2.json self.assertIsNotNone(t2['access_token']) self.assertIsNotNone(t2['expires_in']) self.assertIsNotNone(t2['id_token']) self.assertIsNotNone(t2['refresh_token']) self.assertIsNotNone(t2['token_type']) self.assertEqual('Bearer', t2['token_type']) # Assert that the access token is in the database with base.HybridSessionManager(): new_access_token = \ token_api.access_token_get_by_token(t2['access_token']) self.assertIsNotNone(new_access_token) # Assert that system configured values is owned by the correct user. self.assertEqual(2, new_access_token.user_id) self.assertEqual(t2['id_token'], new_access_token.user_id) self.assertEqual(t2['expires_in'], CONF.oauth.access_token_ttl) self.assertEqual(t2['expires_in'], new_access_token.expires_in) self.assertEqual(t2['access_token'], new_access_token.access_token) # Assert that the refresh token is in the database with base.HybridSessionManager(): new_refresh_token = refresh_tokens.refresh_token_get_by_token( t2['refresh_token']) self.assertIsNotNone(new_refresh_token) # Assert that system configured values is owned by the correct user. self.assertEqual(2, new_refresh_token.user_id) self.assertEqual(CONF.oauth.refresh_token_ttl, new_refresh_token.expires_in) self.assertEqual(t2['refresh_token'], new_refresh_token.refresh_token) # Assert that the old access tokens are no longer in the database and # have been cleaned up. with base.HybridSessionManager(): no_access_token = \ token_api.access_token_get_by_token(t1['access_token']) with base.HybridSessionManager(): no_refresh_token = \ refresh_tokens.refresh_token_get_by_token(t1['refresh_token']) self.assertIsNone(no_refresh_token) self.assertIsNone(no_access_token)
def test_valid_access_request(self): """This test ensures that the access token request may execute properly with a valid token. """ # Generate a valid auth token with base.HybridSessionManager(): authorization_code = auth_api.authorization_code_save({ 'user_id': 2, 'state': 'test_state', 'code': 'test_valid_code' }) content_type = 'application/x-www-form-urlencoded' # POST with content: application/x-www-form-urlencoded response = self.app.post('/v1/openid/token', params={ 'code': authorization_code.code, 'grant_type': 'authorization_code' }, content_type=content_type, expect_errors=True) # Assert that this is a successful response self.assertEqual(200, response.status_code) # Assert that the token came back in the response token = response.json self.assertIsNotNone(token['access_token']) self.assertIsNotNone(token['expires_in']) self.assertIsNotNone(token['id_token']) self.assertIsNotNone(token['refresh_token']) self.assertIsNotNone(token['token_type']) self.assertEqual('Bearer', token['token_type']) # Assert that the access token is in the database with base.HybridSessionManager(): access_token = \ token_api.access_token_get_by_token(token['access_token']) self.assertIsNotNone(access_token) # Assert that system configured values is owned by the correct user. self.assertEqual(2, access_token.user_id) self.assertEqual(token['id_token'], access_token.user_id) self.assertEqual(token['expires_in'], CONF.oauth.access_token_ttl) self.assertEqual(token['expires_in'], access_token.expires_in) self.assertEqual(token['access_token'], access_token.access_token) # Assert that the refresh token is in the database with base.HybridSessionManager(): refresh_token = \ refresh_tokens.refresh_token_get_by_token( token['refresh_token']) self.assertIsNotNone(refresh_token) # Assert that system configured values is owned by the correct user. self.assertEqual(2, refresh_token.user_id) self.assertEqual(CONF.oauth.refresh_token_ttl, refresh_token.expires_in) self.assertEqual(token['refresh_token'], refresh_token.refresh_token) # Assert that the authorization code is no longer in the database. with base.HybridSessionManager(): none_code = \ auth_api.authorization_code_get(authorization_code.code) self.assertIsNone(none_code)