示例#1
0
def test_cannot_revoke_access_token(client, oauth_client, encoded_jwt):
    """
    Test that attempting to revoke an access token fails and returns a 200 (per RFC 7009).

    RFC 7009 section 2.2 has the revocation endpoint answer 200 even when the
    submitted token cannot be revoked, so the status code does not tell the
    caller anything about the token. Only the status is checked here; whether
    the access token is still usable afterwards is not asserted.
    """
    basic_auth = create_basic_header_for_client(oauth_client)
    form = {"token": encoded_jwt}
    revoke_response = client.post(
        "/oauth2/revoke", headers=basic_auth, data=form)
    assert revoke_response.status_code == 200, revoke_response.data
示例#2
0
def test_cannot_revoke_access_token(client, oauth_client, encoded_jwt):
    """
    Test that attempting to revoke an access token fails and returns 400.

    RFC 7009 section 2.2.1 allows a 400 with ``unsupported_token_type`` when
    the server does not support revoking the submitted token type. Only the
    status code is checked here, not the ``error`` field of the body.
    """
    basic_auth = create_basic_header_for_client(oauth_client)
    form = {'token': encoded_jwt}
    revoke_response = client.post(
        '/oauth2/revoke', headers=basic_auth, data=form)
    assert revoke_response.status_code == 400, revoke_response.data
示例#3
0
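def test_blacklisted_token(client, oauth_client, encoded_jwt_refresh_token):
    """
    Revoke a JWT refresh token and test that it registers as blacklisted.

    Only the HTTP status and the blacklist lookup are asserted. The token is
    deliberately not printed or decoded here: the previous version wrote the
    raw refresh token (and its unverified-decoded claims) to stdout, which
    would leave a live credential in test logs.
    """
    headers = create_basic_header_for_client(oauth_client)
    data = {'token': encoded_jwt_refresh_token}
    response = client.post('/oauth2/revoke', headers=headers, data=data)
    # A successful revocation is expected to answer 204.
    assert response.status_code == 204, response.data
    assert is_token_blacklisted(encoded_jwt_refresh_token)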
示例#4
0
def test_login(
    app,
    fence_client_app,
    fence_oauth_client,
    fence_oauth_client_url,
    mock_get,
    example_keys_response,
    monkeypatch,
):
    """
    Test the fence-as-IDP login flow in two steps:
        1. ``GET /login/fence`` on the client fence redirects to the
           ``/oauth2/authorize`` endpoint of the IDP fence,
        2. ``POST /oauth2/authorize`` on the IDP fence (with ``confirm=yes``
           and the client's basic-auth header) answers 200 with JSON whose
           ``redirect`` value points at the configured client URL and carries
           ``code`` somewhere in the URL.
    """
    # ``requests`` cannot reach the client app in this setup, so stub out the
    # public key refresh before anything triggers it.
    monkeypatch.setattr("authutils.token.keys.refresh_jwt_public_keys",
                        lambda: None)

    # Part 1: the client fence must send the browser to the IDP's authorize
    # endpoint.
    with fence_client_app.test_client() as client_side:
        login_path = "/login/fence?redirect_uri={}".format(
            urllib.quote("/login/fence/login"))
        login_response = client_side.get(login_path)
        assert "/oauth2/authorize" in login_response.location

    # Part 2: replay the authorize request against the IDP fence as a POST.
    with app.test_client() as idp_side:
        # Strip the query string from the redirect target (expected to leave
        # ``http://localhost:50000/oauth2/authorize``) and send its arguments
        # as form data instead, keeping only the first value of each.
        authorize_url = remove_qs(login_response.location)
        raw_query = urlparse.urlparse(login_response.location).query
        form = dict(
            (name, values[0])
            for name, values in urlparse.parse_qs(raw_query).iteritems()
        )
        form["confirm"] = "yes"
        basic_auth = oauth2.create_basic_header_for_client(fence_oauth_client)
        # In a browser this would be a redirect back to the client URL with the
        # code in the query string; here it is returned as JSON instead.
        authorize_response = idp_side.post(
            authorize_url, headers=basic_auth, data=form)
        assert authorize_response.status_code == 200
        assert "redirect" in authorize_response.json
        redirect_target = authorize_response.json["redirect"]
        assert remove_qs(redirect_target) == fence_oauth_client_url
        assert "code" in redirect_target
示例#5
0
def test_no_redirect_uri(client, oauth_client):
    """
    Test that a token request without ``redirect_uri`` is rejected with a
    400 whose ``error`` is ``invalid_request``.

    The authorization code is obtained first so the only thing wrong with
    the request is the missing ``redirect_uri``.
    """
    auth_code = oauth2.get_access_code(client, oauth_client)
    basic_auth = oauth2.create_basic_header_for_client(oauth_client)
    # Deliberately no ``redirect_uri`` key in the form.
    form = dict(
        client_id=oauth_client.client_id,
        client_secret=oauth_client.client_secret,
        code=auth_code,
        grant_type='authorization_code',
    )
    token_response = client.post('/oauth2/token', headers=basic_auth, data=form)
    assert token_response.status_code == 400
    body = token_response.json
    assert 'error' in body
    assert body['error'] == 'invalid_request'
示例#6
0
def test_invalid_redirect_uri(client, oauth_client):
    """
    Test that a token request whose ``redirect_uri`` differs from the one the
    client is supposed to be using is rejected with a 400 whose ``error`` is
    ``invalid_request``.

    RFC 6749 section 4.1.3 requires the token endpoint to check that the
    ``redirect_uri`` matches the one used for the authorization request, so a
    code bound to one redirect target cannot be exchanged with another.
    """
    auth_code = oauth2.get_access_code(client, oauth_client)
    basic_auth = oauth2.create_basic_header_for_client(oauth_client)
    # Same host as the registered client URL, but a path it never registered.
    mismatched_redirect = oauth_client.url + '/some-garbage'
    form = dict(
        client_id=oauth_client.client_id,
        client_secret=oauth_client.client_secret,
        code=auth_code,
        grant_type='authorization_code',
        redirect_uri=mismatched_redirect,
    )
    token_response = client.post('/oauth2/token', headers=basic_auth, data=form)
    assert token_response.status_code == 400
    body = token_response.json
    assert 'error' in body
    assert body['error'] == 'invalid_request'