django-oidc-provider/oidc_provider/tests/test_token_endpoint.py

import json
try:
    from urllib.parse import urlencode
except ImportError:
    from urllib import urlencode
import uuid

from django.core.urlresolvers import reverse
from django.test import RequestFactory
from django.test import TestCase
from jwkest.jwk import KEYS
from jwkest.jws import JWS
from jwkest.jwt import JWT

from oidc_provider.lib.utils.token import *
from oidc_provider.tests.app.utils import *
from oidc_provider.views import *


class TokenTestCase(TestCase):
    """
    To obtain an Access Token and an ID Token, the RP Client sends a
    Token Request to the Token Endpoint to obtain a Token Response
    when using the Authorization Code Flow.
    """

    def setUp(self):
        self.factory = RequestFactory()
        self.user = create_fake_user()
        self.client = create_fake_client(response_type='code')

    def _post_data(self, code):
        """
        All the data that will be POSTed to the Token Endpoint.
        """
        post_data = {
            'client_id': self.client.client_id,
            'client_secret': self.client.client_secret,
            'redirect_uri': self.client.default_redirect_uri,
            'grant_type': 'authorization_code',
            'code': code,
            'state': uuid.uuid4().hex,
        }

        return post_data

    def _post_request(self, post_data):
        """
        Makes a request to the token endpoint by sending the
        `post_data` parameters using the 'application/x-www-form-urlencoded'
        format.
        """
        url = reverse('oidc_provider:token')

        request = self.factory.post(url,
            data=urlencode(post_data),
            content_type='application/x-www-form-urlencoded')

        response = TokenView.as_view()(request)

        return response

    def _create_code(self):
        """
        Generate a valid grant code.
        """
        code = create_code(
            user=self.user,
            client=self.client,
            scope=['openid', 'email'],
            nonce=FAKE_NONCE)
        code.save()

        return code

    def test_request_methods(self):
        """
        Client sends an HTTP POST request to the Token Endpoint. Other request
        methods MUST NOT be allowed.
        """
        url = reverse('oidc_provider:token')

        requests = [
            self.factory.get(url),
            self.factory.put(url),
            self.factory.delete(url),
        ]

        for request in requests:
            response = TokenView.as_view()(request)

            self.assertEqual(response.status_code == 405, True,
                msg=request.method+' request does not return a 405 status.')

        request = self.factory.post(url)

        response = TokenView.as_view()(request)

        self.assertEqual(response.status_code == 400, True,
                msg=request.method+' request does not return a 400 status.')

    def test_client_authentication(self):
        """
        The authorization server support including the
        client credentials in the request-body using the `client_id` and
        `client_secret`parameters.

        See: http://tools.ietf.org/html/rfc6749#section-2.3.1
        """
        code = self._create_code()

        # Test a valid request to the token endpoint.
        post_data = self._post_data(code=code.code)

        response = self._post_request(post_data)
        response_dic = json.loads(response.content.decode('utf-8'))

        self.assertEqual('access_token' in response_dic, True,
                msg='"access_token" key is missing in response.')
        self.assertEqual('error' in response_dic, False,
                msg='"error" key should not exists in response.')

        # Now, test with an invalid client_id.
        invalid_data = post_data.copy()
        invalid_data['client_id'] = self.client.client_id * 2 # Fake id.

        # Create another grant code.
        code = self._create_code()
        invalid_data['code'] = code.code

        response = self._post_request(invalid_data)
        response_dic = json.loads(response.content.decode('utf-8'))

        self.assertEqual('error' in response_dic, True,
                msg='"error" key should exists in response.')
        self.assertEqual(response_dic.get('error') == 'invalid_client', True,
                msg='"error" key value should be "invalid_client".')

    def test_access_token_contains_nonce(self):
        """
        If present in the Authentication Request, Authorization Servers MUST
        include a nonce Claim in the ID Token with the Claim Value being the
        nonce value sent in the Authentication Request.
        If the client does not supply a nonce parameter, it SHOULD not be
        included in the `id_token`.

        See http://openid.net/specs/openid-connect-core-1_0.html#IDToken
        """
        code = self._create_code()

        post_data = self._post_data(code=code.code)

        response = self._post_request(post_data)

        response_dic = json.loads(response.content.decode('utf-8'))
        id_token = JWT().unpack(response_dic['id_token'].encode('utf-8')).payload()

        self.assertEqual(id_token.get('nonce'), FAKE_NONCE)

        # Client does not supply a nonce parameter.
        code.nonce = ''
        code.save()

        response = self._post_request(post_data)
        response_dic = json.loads(response.content.decode('utf-8'))

        id_token = JWT().unpack(response_dic['id_token'].encode('utf-8')).payload()

        self.assertEqual(id_token.get('nonce'), None)

    def test_idtoken_sign_validation(self):
        """
        We MUST validate the signature of the ID Token according to JWS
        using the algorithm specified in the alg Header Parameter of
        the JOSE Header.
        """
        # Get public key from discovery.
        request = self.factory.get(reverse('oidc_provider:jwks'))
        response = JwksView.as_view()(request)
        jwks_dic = json.loads(response.content.decode('utf-8'))
        SIGKEYS = KEYS()
        SIGKEYS.load_dict(jwks_dic)
        RSAKEYS = [ k for k in SIGKEYS if k.kty == 'RSA' ]

        code = self._create_code()

        post_data = self._post_data(code=code.code)

        response = self._post_request(post_data)
        response_dic = json.loads(response.content.decode('utf-8'))

        id_token = JWS().verify_compact(response_dic['id_token'].encode('utf-8'), RSAKEYS)
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`import json`
Add urllib compatibility. 2015-07-01 15:53:41 +00:00			`try:`
			`from urllib.parse import urlencode`
Add urllib and change iteritems() with items(). 2015-07-01 19:43:35 +00:00			`except ImportError:`
			`from urllib import urlencode`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`import uuid`

Add import for reverse function in tests. 2015-05-07 18:47:00 +00:00			`from django.core.urlresolvers import reverse`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`from django.test import RequestFactory`
			`from django.test import TestCase`
Fix tests with pyjwkest package. 2015-07-27 14:35:05 +00:00			`from jwkest.jwk import KEYS`
			`from jwkest.jws import JWS`
			`from jwkest.jwt import JWT`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`from oidc_provider.lib.utils.token import *`
Fix imports in tests. 2015-07-14 17:52:48 +00:00			`from oidc_provider.tests.app.utils import *`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`from oidc_provider.views import *`


			`class TokenTestCase(TestCase):`
			`"""`
			`To obtain an Access Token and an ID Token, the RP Client sends a`
			`Token Request to the Token Endpoint to obtain a Token Response`
			`when using the Authorization Code Flow.`
			`"""`

			`def setUp(self):`
			`self.factory = RequestFactory()`
			`self.user = create_fake_user()`
			`self.client = create_fake_client(response_type='code')`
Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00
			`def _post_data(self, code):`
			`"""`
			`All the data that will be POSTed to the Token Endpoint.`
			`"""`
			`post_data = {`
			`'client_id': self.client.client_id,`
			`'client_secret': self.client.client_secret,`
			`'redirect_uri': self.client.default_redirect_uri,`
			`'grant_type': 'authorization_code',`
			`'code': code,`
			`'state': uuid.uuid4().hex,`
			`}`

			`return post_data`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00
			`def _post_request(self, post_data):`
			`"""`
			`Makes a request to the token endpoint by sending the`
			`post_data` parameters using the 'application/x-www-form-urlencoded'
			`format.`
			`"""`
			`url = reverse('oidc_provider:token')`

			`request = self.factory.post(url,`
			`data=urlencode(post_data),`
			`content_type='application/x-www-form-urlencoded')`

			`response = TokenView.as_view()(request)`

			`return response`

			`def _create_code(self):`
			`"""`
			`Generate a valid grant code.`
			`"""`
			`code = create_code(`
			`user=self.user,`
			`client=self.client,`
Fix tests for using nonce parameter. 2015-07-16 18:04:33 +00:00			`scope=['openid', 'email'],`
			`nonce=FAKE_NONCE)`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`code.save()`

			`return code`

			`def test_request_methods(self):`
			`"""`
			`Client sends an HTTP POST request to the Token Endpoint. Other request`
			`methods MUST NOT be allowed.`
			`"""`
			`url = reverse('oidc_provider:token')`

			`requests = [`
			`self.factory.get(url),`
			`self.factory.put(url),`
			`self.factory.delete(url),`
			`]`

			`for request in requests:`
			`response = TokenView.as_view()(request)`

			`self.assertEqual(response.status_code == 405, True,`
			`msg=request.method+' request does not return a 405 status.')`

			`request = self.factory.post(url)`

			`response = TokenView.as_view()(request)`

			`self.assertEqual(response.status_code == 400, True,`
			`msg=request.method+' request does not return a 400 status.')`

			`def test_client_authentication(self):`
			`"""`
			`The authorization server support including the`
			client credentials in the request-body using the `client_id` and
			`client_secret`parameters.

			`See: http://tools.ietf.org/html/rfc6749#section-2.3.1`
			`"""`
			`code = self._create_code()`

			`# Test a valid request to the token endpoint.`
Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00			`post_data = self._post_data(code=code.code)`

Add test_token_endpoint. 2015-03-12 15:43:21 +00:00			`response = self._post_request(post_data)`
Use decode with utf-8 encoding. 2015-07-01 20:20:16 +00:00			`response_dic = json.loads(response.content.decode('utf-8'))`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00
			`self.assertEqual('access_token' in response_dic, True,`
			`msg='"access_token" key is missing in response.')`
			`self.assertEqual('error' in response_dic, False,`
			`msg='"error" key should not exists in response.')`

			`# Now, test with an invalid client_id.`
			`invalid_data = post_data.copy()`
			`invalid_data['client_id'] = self.client.client_id * 2 # Fake id.`

			`# Create another grant code.`
			`code = self._create_code()`
			`invalid_data['code'] = code.code`

			`response = self._post_request(invalid_data)`
Use decode with utf-8 encoding. 2015-07-01 20:20:16 +00:00			`response_dic = json.loads(response.content.decode('utf-8'))`
Add test_token_endpoint. 2015-03-12 15:43:21 +00:00
			`self.assertEqual('error' in response_dic, True,`
			`msg='"error" key should exists in response.')`
			`self.assertEqual(response_dic.get('error') == 'invalid_client', True,`
			`msg='"error" key value should be "invalid_client".')`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
Fix tests for using nonce parameter. 2015-07-16 18:04:33 +00:00			`def test_access_token_contains_nonce(self):`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00			`"""`
			`If present in the Authentication Request, Authorization Servers MUST`
			`include a nonce Claim in the ID Token with the Claim Value being the`
			`nonce value sent in the Authentication Request.`
Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00			`If the client does not supply a nonce parameter, it SHOULD not be`
			included in the `id_token`.
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
			`See http://openid.net/specs/openid-connect-core-1_0.html#IDToken`
			`"""`
			`code = self._create_code()`

Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00			`post_data = self._post_data(code=code.code)`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
			`response = self._post_request(post_data)`

			`response_dic = json.loads(response.content.decode('utf-8'))`
Encode id_token in tests. 2015-07-27 18:51:19 +00:00			`id_token = JWT().unpack(response_dic['id_token'].encode('utf-8')).payload()`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
Fix tests with pyjwkest package. 2015-07-27 14:35:05 +00:00			`self.assertEqual(id_token.get('nonce'), FAKE_NONCE)`
Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00
Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00			`# Client does not supply a nonce parameter.`
Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00			`code.nonce = ''`
			`code.save()`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
			`response = self._post_request(post_data)`
			`response_dic = json.loads(response.content.decode('utf-8'))`
Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00
Encode id_token in tests. 2015-07-27 18:51:19 +00:00			`id_token = JWT().unpack(response_dic['id_token'].encode('utf-8')).payload()`
Add nonce in id_token when included in auth request http://openid.net/specs/openid-connect-core-1_0.html#IDToken If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. This patch adds the nonce to the id_token. 2015-07-10 12:44:26 +00:00
Add one test for request not containing nonce parameter. 2015-07-16 18:58:33 +00:00			`self.assertEqual(id_token.get('nonce'), None)`
Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00
			`def test_idtoken_sign_validation(self):`
			`"""`
			`We MUST validate the signature of the ID Token according to JWS`
			`using the algorithm specified in the alg Header Parameter of`
			`the JOSE Header.`
			`"""`
			`# Get public key from discovery.`
			`request = self.factory.get(reverse('oidc_provider:jwks'))`
			`response = JwksView.as_view()(request)`
Fix tests with pyjwkest package. 2015-07-27 14:35:05 +00:00			`jwks_dic = json.loads(response.content.decode('utf-8'))`
			`SIGKEYS = KEYS()`
			`SIGKEYS.load_dict(jwks_dic)`
			`RSAKEYS = [ k for k in SIGKEYS if k.kty == 'RSA' ]`
Add idtoken_sign_validation test. 2015-07-22 21:22:46 +00:00
			`code = self._create_code()`

			`post_data = self._post_data(code=code.code)`

			`response = self._post_request(post_data)`
			`response_dic = json.loads(response.content.decode('utf-8'))`

Encode id_token in tests. 2015-07-27 18:51:19 +00:00			`id_token = JWS().verify_compact(response_dic['id_token'].encode('utf-8'), RSAKEYS)`