mirror of
https://github.com/simple-login/app.git
synced 2024-09-28 20:51:29 +02:00
test id_token,token flow
This commit is contained in:
parent
30079c895f
commit
f0c4132da4
@ -1,10 +1,11 @@
|
|||||||
import base64
|
import base64
|
||||||
|
import json
|
||||||
from urllib.parse import urlparse, parse_qs
|
from urllib.parse import urlparse, parse_qs
|
||||||
|
|
||||||
from flask import url_for
|
from flask import url_for
|
||||||
|
|
||||||
from app.extensions import db
|
from app.extensions import db
|
||||||
from app.jose_utils import verify_id_token
|
from app.jose_utils import verify_id_token, decode_id_token
|
||||||
from app.models import Client, User
|
from app.models import Client, User
|
||||||
from app.oauth.views.authorize import (
|
from app.oauth.views.authorize import (
|
||||||
get_host_name_and_scheme,
|
get_host_name_and_scheme,
|
||||||
@ -387,3 +388,91 @@ def test_authorize_id_token_flow(flask_client):
|
|||||||
|
|
||||||
# id_token must be a valid, correctly signed JWT
|
# id_token must be a valid, correctly signed JWT
|
||||||
assert verify_id_token(queries["id_token"][0])
|
assert verify_id_token(queries["id_token"][0])
|
||||||
|
|
||||||
|
|
||||||
|
def test_authorize_token_id_token_flow(flask_client):
|
||||||
|
"""make sure the authorize redirects user to correct page for the *ID-Token Token Flow*
|
||||||
|
, ie when response_type=id_token,token
|
||||||
|
The /authorize endpoint should return an id_token and access_token
|
||||||
|
id_token, once decoded, should contain *at_hash* in payload
|
||||||
|
"""
|
||||||
|
|
||||||
|
user = login(flask_client)
|
||||||
|
client = Client.create_new("test client", user.id)
|
||||||
|
|
||||||
|
db.session.commit()
|
||||||
|
|
||||||
|
# user allows client on the authorization page
|
||||||
|
r = flask_client.post(
|
||||||
|
url_for(
|
||||||
|
"oauth.authorize",
|
||||||
|
client_id=client.oauth_client_id,
|
||||||
|
state="teststate",
|
||||||
|
redirect_uri="http://localhost",
|
||||||
|
response_type="id_token token", # id_token,token flow
|
||||||
|
),
|
||||||
|
data={"button": "allow", "suggested-email": "x@y.z", "suggested-name": "AB CD"},
|
||||||
|
# user will be redirected to client page, do not allow redirection here
|
||||||
|
# to assert the redirect url
|
||||||
|
# follow_redirects=True,
|
||||||
|
)
|
||||||
|
|
||||||
|
assert r.status_code == 302 # user gets redirected back to client page
|
||||||
|
|
||||||
|
# r.location will have this form http://localhost?state=teststate&code=knuyjepwvg
|
||||||
|
o = urlparse(r.location)
|
||||||
|
assert o.netloc == "localhost"
|
||||||
|
assert o.fragment
|
||||||
|
assert not o.query
|
||||||
|
|
||||||
|
# parse the fragment, should return something like
|
||||||
|
# {'state': ['teststate'], 'id_token': ['knuyjepwvg']}
|
||||||
|
queries = parse_qs(o.fragment)
|
||||||
|
assert len(queries) == 3
|
||||||
|
|
||||||
|
assert queries["state"] == ["teststate"]
|
||||||
|
|
||||||
|
# access_token must be returned
|
||||||
|
assert len(queries["id_token"]) == 1
|
||||||
|
assert len(queries["access_token"]) == 1
|
||||||
|
|
||||||
|
# id_token must be a valid, correctly signed JWT
|
||||||
|
id_token = queries["id_token"][0]
|
||||||
|
assert verify_id_token(id_token)
|
||||||
|
|
||||||
|
# make sure jwt has all the necessary fields
|
||||||
|
jwt = decode_id_token(id_token)
|
||||||
|
|
||||||
|
# payload should have this format
|
||||||
|
# {
|
||||||
|
# 'at_hash': 'jLDmoGpuOIHwxeyFEe9SKw',
|
||||||
|
# 'aud': 'testclient-sywcpwsyua',
|
||||||
|
# 'auth_time': 1565450736,
|
||||||
|
# 'avatar_url': None,
|
||||||
|
# 'client': 'test client',
|
||||||
|
# 'email': 'x@y.z',
|
||||||
|
# 'email_verified': True,
|
||||||
|
# 'exp': 1565454336,
|
||||||
|
# 'iat': 1565450736,
|
||||||
|
# 'id': 1,
|
||||||
|
# 'iss': 'http://localhost',
|
||||||
|
# 'name': 'AB CD',
|
||||||
|
# 'sub': '1'
|
||||||
|
# }
|
||||||
|
payload = json.loads(jwt.claims)
|
||||||
|
|
||||||
|
# at_hash MUST be present when the flow is id_token,token
|
||||||
|
assert "at_hash" in payload
|
||||||
|
|
||||||
|
assert "aud" in payload
|
||||||
|
assert "auth_time" in payload
|
||||||
|
assert "avatar_url" in payload
|
||||||
|
assert "client" in payload
|
||||||
|
assert "email" in payload
|
||||||
|
assert "email_verified" in payload
|
||||||
|
assert "exp" in payload
|
||||||
|
assert "iat" in payload
|
||||||
|
assert "id" in payload
|
||||||
|
assert "iss" in payload
|
||||||
|
assert "name" in payload
|
||||||
|
assert "sub" in payload
|
||||||
|
Loading…
Reference in New Issue
Block a user