def test_cannot_revoke_access_token(client, oauth_client, encoded_jwt):
    """
    Test that attempting to revoke an access token fails and returns a 200
    (per RFC 7009).

    Args:
        client: test client (fixture) used to call the revocation endpoint
        oauth_client: OAuth client (fixture) whose credentials authenticate
            the request
        encoded_jwt: encoded access token (fixture) submitted for revocation
    """
    client_headers = create_basic_header_for_client(oauth_client)
    revoke_response = client.post(
        "/oauth2/revoke", headers=client_headers, data={"token": encoded_jwt}
    )
    # RFC 7009 section 2.2: the endpoint answers 200 even for a token it does
    # not revoke, so the status code alone does not prove anything was revoked.
    assert revoke_response.status_code == 200, revoke_response.data
def test_cannot_revoke_access_token(client, oauth_client, encoded_jwt):
    """
    Test that attempting to revoke an access token fails and returns 400.

    NOTE: this rebinds the name ``test_cannot_revoke_access_token`` that is
    already defined earlier in this file with a different expected status
    (200); only the last definition of a module-level name survives, so the
    earlier one is never collected.

    Args:
        client: test client (fixture) used to call the revocation endpoint
        oauth_client: OAuth client (fixture) whose credentials authenticate
            the request
        encoded_jwt: encoded access token (fixture) submitted for revocation
    """
    client_headers = create_basic_header_for_client(oauth_client)
    payload = {'token': encoded_jwt}
    revoke_response = client.post(
        '/oauth2/revoke', headers=client_headers, data=payload
    )
    assert revoke_response.status_code == 400, revoke_response.data
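def test_blacklisted_token(client, oauth_client, encoded_jwt_refresh_token):
    """
    Revoke a JWT refresh token and test that it registers as blacklisted.

    Args:
        client: test client (fixture) used to call the revocation endpoint
        oauth_client: OAuth client (fixture) whose credentials authenticate
            the request
        encoded_jwt_refresh_token: encoded refresh token (fixture) to revoke

    The raw token and its decoded claims are deliberately not printed: a
    refresh token is a live credential, and echoing it to stdout puts it in
    CI logs. Decoding it with signature verification disabled is also not
    part of what this test checks, so the ``jwt`` dependency is not needed.
    """
    headers = create_basic_header_for_client(oauth_client)
    data = {'token': encoded_jwt_refresh_token}
    response = client.post('/oauth2/revoke', headers=headers, data=data)
    # 204 is the success response; the blacklist check below is the real
    # assertion that revocation took effect server-side.
    assert response.status_code == 204, response.data
    assert is_token_blacklisted(encoded_jwt_refresh_token)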
def test_login(
    app,
    fence_client_app,
    fence_oauth_client,
    fence_oauth_client_url,
    mock_get,
    example_keys_response,
    monkeypatch,
):
    """
    Test the two halves of the fence-as-IDP login flow:

    1. ``/login/fence`` on the client fence redirects to ``/oauth2/authorize``
       on the IDP fence, and
    2. POST-ing to that ``/oauth2/authorize`` (with ``confirm=yes``) yields a
       redirect to the configured client URL carrying a ``code`` query string
       argument.

    Args:
        app: the IDP fence application (fixture)
        fence_client_app: the fence application acting as an OAuth client
            (fixture)
        fence_oauth_client: OAuth client registered on the IDP fence (fixture)
        fence_oauth_client_url: the redirect URL configured for that client
            (fixture)
        mock_get, example_keys_response: fixtures requested for their setup
            side effects; not referenced directly in the body
        monkeypatch: pytest monkeypatch fixture
    """
    # Key refreshing would issue real HTTP requests, which the client app
    # cannot serve in this test, so it is stubbed out for the duration.
    monkeypatch.setattr(
        "authutils.token.keys.refresh_jwt_public_keys", lambda: None
    )

    # Part 1: the client fence must send the browser to the IDP's authorize
    # endpoint.
    with fence_client_app.test_client() as client_fence:
        login_path = "/login/fence?redirect_uri={}".format(
            urllib.quote("/login/fence/login")
        )
        login_response = client_fence.get(login_path)
        assert "/oauth2/authorize" in login_response.location

    # Part 2: drive the IDP's authorize endpoint directly with the same
    # parameters the redirect carried, using POST instead of the query string.
    with app.test_client() as idp_fence:
        authorize_location = login_response.location
        authorize_url = remove_qs(authorize_location)
        # ``parse_qs`` yields a list per key; keep just the first value.
        parsed_qs = urlparse.parse_qs(urlparse.urlparse(authorize_location).query)
        authorize_params = {key: values[0] for key, values in parsed_qs.items()}
        authorize_params["confirm"] = "yes"
        idp_headers = oauth2.create_basic_header_for_client(fence_oauth_client)
        # Rather than a 302 back to the client URL, the endpoint returns the
        # redirect target in its JSON body.
        authorize_response = idp_fence.post(
            authorize_url, headers=idp_headers, data=authorize_params
        )
        assert authorize_response.status_code == 200
        assert "redirect" in authorize_response.json
        code_redirect = authorize_response.json["redirect"]
        # The authorization code must only ever be delivered to the URL
        # registered for this client; this equality is what pins that down.
        assert remove_qs(code_redirect) == fence_oauth_client_url
        assert "code" in code_redirect
def test_no_redirect_uri(client, oauth_client):
    """
    Test that a token request with no ``redirect_uri`` is rejected with a 400
    and the ``invalid_request`` error code.

    Args:
        client: test client (fixture) used to call the token endpoint
        oauth_client: OAuth client (fixture) the authorization code is issued to
    """
    auth_code = oauth2.get_access_code(client, oauth_client)
    client_headers = oauth2.create_basic_header_for_client(oauth_client)
    # Deliberately omit ``redirect_uri`` from the token request.
    token_request = {
        'client_id': oauth_client.client_id,
        'client_secret': oauth_client.client_secret,
        'code': auth_code,
        'grant_type': 'authorization_code',
    }
    token_response = client.post(
        '/oauth2/token', headers=client_headers, data=token_request
    )
    assert token_response.status_code == 400
    error_body = token_response.json
    assert 'error' in error_body
    assert error_body['error'] == 'invalid_request'
def test_invalid_redirect_uri(client, oauth_client):
    """
    Test that a token request whose ``redirect_uri`` differs from the one the
    client is supposed to be using is rejected with a 400 and the
    ``invalid_request`` error code.

    The token endpoint has to compare ``redirect_uri`` against the registered
    one (RFC 6749 section 4.1.3); accepting a mismatch would let an
    authorization code be redeemed for a URL the client never registered.

    Args:
        client: test client (fixture) used to call the token endpoint
        oauth_client: OAuth client (fixture) the authorization code is issued to
    """
    auth_code = oauth2.get_access_code(client, oauth_client)
    client_headers = oauth2.create_basic_header_for_client(oauth_client)
    mismatched_redirect_uri = oauth_client.url + '/some-garbage'
    token_request = {
        'client_id': oauth_client.client_id,
        'client_secret': oauth_client.client_secret,
        'code': auth_code,
        'grant_type': 'authorization_code',
        'redirect_uri': mismatched_redirect_uri,
    }
    token_response = client.post(
        '/oauth2/token', headers=client_headers, data=token_request
    )
    assert token_response.status_code == 400
    error_body = token_response.json
    assert 'error' in error_body
    assert error_body['error'] == 'invalid_request'