django-oidc-provider/oidc_provider/tests/test_token_endpoint.py

193 lines
6.2 KiB
Python
Raw Normal View History

2015-03-12 15:43:21 +00:00
import json
2015-07-01 15:53:41 +00:00
try:
from urllib.parse import urlencode
except ImportError:
from urllib import urlencode
2015-03-12 15:43:21 +00:00
import uuid
from django.core.urlresolvers import reverse
2015-03-12 15:43:21 +00:00
from django.test import RequestFactory
from django.test import TestCase
2015-07-27 14:35:05 +00:00
from jwkest.jwk import KEYS
from jwkest.jws import JWS
from jwkest.jwt import JWT
2015-03-12 15:43:21 +00:00
from oidc_provider.lib.utils.token import *
2015-07-14 17:52:48 +00:00
from oidc_provider.tests.app.utils import *
2015-03-12 15:43:21 +00:00
from oidc_provider.views import *
class TokenTestCase(TestCase):
"""
To obtain an Access Token and an ID Token, the RP Client sends a
Token Request to the Token Endpoint to obtain a Token Response
when using the Authorization Code Flow.
"""
def setUp(self):
self.factory = RequestFactory()
self.user = create_fake_user()
self.client = create_fake_client(response_type='code')
def _post_data(self, code):
"""
All the data that will be POSTed to the Token Endpoint.
"""
post_data = {
'client_id': self.client.client_id,
'client_secret': self.client.client_secret,
'redirect_uri': self.client.default_redirect_uri,
'grant_type': 'authorization_code',
'code': code,
'state': uuid.uuid4().hex,
}
return post_data
2015-03-12 15:43:21 +00:00
def _post_request(self, post_data):
"""
Makes a request to the token endpoint by sending the
`post_data` parameters using the 'application/x-www-form-urlencoded'
format.
"""
url = reverse('oidc_provider:token')
request = self.factory.post(url,
data=urlencode(post_data),
content_type='application/x-www-form-urlencoded')
response = TokenView.as_view()(request)
return response
def _create_code(self):
"""
Generate a valid grant code.
"""
code = create_code(
user=self.user,
client=self.client,
2015-07-16 18:04:33 +00:00
scope=['openid', 'email'],
nonce=FAKE_NONCE)
2015-03-12 15:43:21 +00:00
code.save()
return code
def test_request_methods(self):
"""
Client sends an HTTP POST request to the Token Endpoint. Other request
methods MUST NOT be allowed.
"""
url = reverse('oidc_provider:token')
requests = [
self.factory.get(url),
self.factory.put(url),
self.factory.delete(url),
]
for request in requests:
response = TokenView.as_view()(request)
self.assertEqual(response.status_code == 405, True,
msg=request.method+' request does not return a 405 status.')
request = self.factory.post(url)
response = TokenView.as_view()(request)
self.assertEqual(response.status_code == 400, True,
msg=request.method+' request does not return a 400 status.')
def test_client_authentication(self):
"""
The authorization server support including the
client credentials in the request-body using the `client_id` and
`client_secret`parameters.
See: http://tools.ietf.org/html/rfc6749#section-2.3.1
"""
code = self._create_code()
# Test a valid request to the token endpoint.
post_data = self._post_data(code=code.code)
2015-03-12 15:43:21 +00:00
response = self._post_request(post_data)
2015-07-01 20:20:16 +00:00
response_dic = json.loads(response.content.decode('utf-8'))
2015-03-12 15:43:21 +00:00
self.assertEqual('access_token' in response_dic, True,
msg='"access_token" key is missing in response.')
self.assertEqual('error' in response_dic, False,
msg='"error" key should not exists in response.')
# Now, test with an invalid client_id.
invalid_data = post_data.copy()
invalid_data['client_id'] = self.client.client_id * 2 # Fake id.
# Create another grant code.
code = self._create_code()
invalid_data['code'] = code.code
response = self._post_request(invalid_data)
2015-07-01 20:20:16 +00:00
response_dic = json.loads(response.content.decode('utf-8'))
2015-03-12 15:43:21 +00:00
self.assertEqual('error' in response_dic, True,
msg='"error" key should exists in response.')
self.assertEqual(response_dic.get('error') == 'invalid_client', True,
msg='"error" key value should be "invalid_client".')
2015-07-16 18:04:33 +00:00
def test_access_token_contains_nonce(self):
"""
If present in the Authentication Request, Authorization Servers MUST
include a nonce Claim in the ID Token with the Claim Value being the
nonce value sent in the Authentication Request.
2015-07-22 21:22:46 +00:00
If the client does not supply a nonce parameter, it SHOULD not be
included in the `id_token`.
See http://openid.net/specs/openid-connect-core-1_0.html#IDToken
"""
code = self._create_code()
post_data = self._post_data(code=code.code)
response = self._post_request(post_data)
response_dic = json.loads(response.content.decode('utf-8'))
2015-07-27 14:35:05 +00:00
id_token = JWT().unpack(response_dic['id_token']).payload()
2015-07-27 14:35:05 +00:00
self.assertEqual(id_token.get('nonce'), FAKE_NONCE)
2015-07-22 21:22:46 +00:00
# Client does not supply a nonce parameter.
code.nonce = ''
code.save()
response = self._post_request(post_data)
response_dic = json.loads(response.content.decode('utf-8'))
2015-07-22 21:22:46 +00:00
2015-07-27 14:35:05 +00:00
id_token = JWT().unpack(response_dic['id_token']).payload()
self.assertEqual(id_token.get('nonce'), None)
2015-07-22 21:22:46 +00:00
def test_idtoken_sign_validation(self):
"""
We MUST validate the signature of the ID Token according to JWS
using the algorithm specified in the alg Header Parameter of
the JOSE Header.
"""
# Get public key from discovery.
request = self.factory.get(reverse('oidc_provider:jwks'))
response = JwksView.as_view()(request)
2015-07-27 14:35:05 +00:00
jwks_dic = json.loads(response.content.decode('utf-8'))
SIGKEYS = KEYS()
SIGKEYS.load_dict(jwks_dic)
RSAKEYS = [ k for k in SIGKEYS if k.kty == 'RSA' ]
2015-07-22 21:22:46 +00:00
code = self._create_code()
post_data = self._post_data(code=code.code)
response = self._post_request(post_data)
response_dic = json.loads(response.content.decode('utf-8'))
2015-07-27 14:35:05 +00:00
id_token = JWS().verify_compact(response_dic['id_token'], RSAKEYS)