django-oidc-provider/oidc_provider/tests/test_authorize_endpoint.py

try:
    from urllib.parse import unquote, urlencode
except ImportError:
    from urllib import unquote, urlencode
import uuid

from django.contrib.auth import REDIRECT_FIELD_NAME
from django.contrib.auth.models import AnonymousUser
from django.core.urlresolvers import reverse
from django.test import RequestFactory
from django.test import TestCase

from oidc_provider import settings
from oidc_provider.models import *
from oidc_provider.tests.app.utils import *
from oidc_provider.views import *


class AuthorizationCodeFlowTestCase(TestCase):
    """
    Test cases for Authorize Endpoint using Authorization Code Flow.
    """

    def setUp(self):
        self.factory = RequestFactory()
        self.user = create_fake_user()
        self.client = create_fake_client(response_type='code')
        self.state = uuid.uuid4().hex

    def test_missing_parameters(self):
        """
        If the request fails due to a missing, invalid, or mismatching
        redirection URI, or if the client identifier is missing or invalid,
        the authorization server SHOULD inform the resource owner of the error.

        See: https://tools.ietf.org/html/rfc6749#section-4.1.2.1
        """
        url = reverse('oidc_provider:authorize')

        request = self.factory.get(url)

        response = AuthorizeView.as_view()(request)

        self.assertEqual(response.status_code, 200)
        self.assertEqual(bool(response.content), True)

    def test_invalid_response_type(self):
        """
        The OP informs the RP by using the Error Response parameters defined
        in Section 4.1.2.1 of OAuth 2.0.

        See: http://openid.net/specs/openid-connect-core-1_0.html#AuthError
        """
        # Create an authorize request with an unsupported response_type.
        query_str = urlencode({
            'client_id': self.client.client_id,
            'response_type': 'something_wrong',
            'redirect_uri': self.client.default_redirect_uri,
            'scope': 'openid email',
            'state': self.state,
        }).replace('+', '%20')

        url = reverse('oidc_provider:authorize') + '?' + query_str

        request = self.factory.get(url)

        response = AuthorizeView.as_view()(request)

        self.assertEqual(response.status_code, 302)
        self.assertEqual(response.has_header('Location'), True)

        # Should be an 'error' component in query.
        query_exists = 'error=' in response['Location']
        self.assertEqual(query_exists, True)

    def test_user_not_logged(self):
        """
        The Authorization Server attempts to Authenticate the End-User by
        redirecting to the login view.

        See: http://openid.net/specs/openid-connect-core-1_0.html#Authenticates
        """
        query_str = urlencode({
            'client_id': self.client.client_id,
            'response_type': 'code',
            'redirect_uri': self.client.default_redirect_uri,
            'scope': 'openid email',
            'state': self.state,
        }).replace('+', '%20')

        url = reverse('oidc_provider:authorize') + '?' + query_str

        request = self.factory.get(url)
        request.user = AnonymousUser()

        response = AuthorizeView.as_view()(request)

        # Check if user was redirected to the login view.
        login_url_exists = settings.get('LOGIN_URL') in response['Location']
        self.assertEqual(login_url_exists, True)

        # Check if the login will redirect to a valid url.
        try:
            next_value = response['Location'].split(REDIRECT_FIELD_NAME + '=')[1]
            next_url = unquote(next_value)
            is_next_ok = next_url == url
        except:
            is_next_ok = False
        self.assertEqual(is_next_ok, True)

    def test_user_consent_inputs(self):
        """
        Once the End-User is authenticated, the Authorization Server MUST
        obtain an authorization decision before releasing information to
        the Client.

        See: http://openid.net/specs/openid-connect-core-1_0.html#Consent
        """
        query_str = urlencode({
            'client_id': self.client.client_id,
            'response_type': 'code',
            'redirect_uri': self.client.default_redirect_uri,
            'scope': 'openid email',
            'state': self.state,
            # PKCE parameters.
            'code_challenge': FAKE_CODE_CHALLENGE,
            'code_challenge_method': 'S256',
        }).replace('+', '%20')

        url = reverse('oidc_provider:authorize') + '?' + query_str

        request = self.factory.get(url)
        # Simulate that the user is logged.
        request.user = self.user

        response = AuthorizeView.as_view()(request)

        # Check if hidden inputs exists in the form,
        # also if their values are valid.
        input_html = '<input name="{0}" type="hidden" value="{1}" />'

        to_check = {
            'client_id': self.client.client_id,
            'redirect_uri': self.client.default_redirect_uri,
            'response_type': 'code',
            'code_challenge': FAKE_CODE_CHALLENGE,
            'code_challenge_method': 'S256',
        }

        for key, value in iter(to_check.items()):
            is_input_ok = input_html.format(key, value) in response.content.decode('utf-8')
            self.assertEqual(is_input_ok, True,
                msg='Hidden input for "'+key+'" fails.')

    def test_user_consent_response(self):
        """
        First,
        if the user denied the consent we must ensure that
        the error response parameters are added to the query component
        of the Redirection URI.

        Second,
        if the user allow the RP then the server MUST return
        the parameters defined in Section 4.1.2 of OAuth 2.0 [RFC6749]
        by adding them as query parameters to the redirect_uri.
        """
        response_type = 'code'

        url = reverse('oidc_provider:authorize')

        post_data = {
            'client_id': self.client.client_id,
            'redirect_uri': self.client.default_redirect_uri,
            'response_type': response_type,
            'scope': 'openid email',
            'state': self.state,
            # PKCE parameters.
            'code_challenge': FAKE_CODE_CHALLENGE,
            'code_challenge_method': 'S256',
        }

        request = self.factory.post(url, data=post_data)
        # Simulate that the user is logged.
        request.user = self.user

        response = AuthorizeView.as_view()(request)

        # Because user doesn't allow app, SHOULD exists an error parameter
        # in the query.
        self.assertEqual('error=' in response['Location'], True,
            msg='error param is missing in query.')
        self.assertEqual('access_denied' in response['Location'], True,
            msg='"access_denied" code is missing in query.')

        # Simulate user authorization.
        post_data['allow'] = 'Accept' # Should be the value of the button.

        request = self.factory.post(url, data=post_data)
        # Simulate that the user is logged.
        request.user = self.user

        response = AuthorizeView.as_view()(request)

        is_code_ok = is_code_valid(url=response['Location'],
                                   user=self.user,
                                   client=self.client)
        self.assertEqual(is_code_ok, True,
            msg='Code returned is invalid.')

        # Check if the state is returned.
        state = (response['Location'].split('state='))[1].split('&')[0]
        self.assertEqual(state == self.state, True,
            msg='State change or is missing.')

    def test_user_consent_skipped(self):
        """
        If users previously gave consent to some client (for a specific
        list of scopes) and because they might be prompted for the same
        authorization multiple times, the server skip it.
        """
        post_data = {
            'client_id': self.client.client_id,
            'redirect_uri': self.client.default_redirect_uri,
            'response_type': 'code',
            'scope': 'openid email',
            'state': self.state,
            'allow': 'Accept',
        }

        request = self.factory.post(reverse('oidc_provider:authorize'),
                                    data=post_data)
        # Simulate that the user is logged.
        request.user = self.user

        with self.settings(OIDC_SKIP_CONSENT_ALWAYS=True):
            response = AuthorizeView.as_view()(request)

            self.assertEqual('code' in response['Location'], True,
                msg='Code is missing in the returned url.')

        response = AuthorizeView.as_view()(request)

        is_code_ok = is_code_valid(url=response['Location'],
                                   user=self.user,
                                   client=self.client)
        self.assertEqual(is_code_ok, True, msg='Code returned is invalid.')

        del post_data['allow']
        query_str = urlencode(post_data).replace('+', '%20')

        url = reverse('oidc_provider:authorize') + '?' + query_str

        request = self.factory.get(url)
        # Simulate that the user is logged.
        request.user = self.user

        # Ensure user consent skip is enabled.
        response = AuthorizeView.as_view()(request)

        is_code_ok = is_code_valid(url=response['Location'],
                                   user=self.user,
                                   client=self.client)
        self.assertEqual(is_code_ok, True, msg='Code returned is invalid or missing.')

    def test_response_uri_is_properly_constructed(self):
        """
        TODO
        """
        post_data = {
            'client_id': self.client.client_id,
            'redirect_uri': self.client.default_redirect_uri + "?redirect_state=xyz",
            'response_type': 'code',
            'scope': 'openid email',
            'state': self.state,
            'allow': 'Accept',
        }

        request = self.factory.post(reverse('oidc_provider:authorize'),
                                    data=post_data)
        # Simulate that the user is logged.
        request.user = self.user

        response = AuthorizeView.as_view()(request)

        is_code_ok = is_code_valid(url=response['Location'],
                                   user=self.user,
                                   client=self.client)
        self.assertEqual(is_code_ok, True,
                         msg='Code returned is invalid.')

    def test_scope_with_plus(self):
        """
        In query string, scope use `+` instead of the space url-encoded.
        """
        scope_test = 'openid email profile'

        query_str = urlencode({
            'client_id': self.client.client_id,
            'response_type': 'code',
            'redirect_uri': self.client.default_redirect_uri,
            'scope': scope_test,
            'state': self.state,
        })

        url = reverse('oidc_provider:authorize') + '?' + query_str

        request = self.factory.get(url)
        # Simulate that the user is logged.
        request.user = self.user

        response = AuthorizeView.as_view()(request)

        self.assertEqual(scope_test in response.content.decode('utf-8'), True)


class ImplicitFlowTestCase(TestCase):
    """
    Test cases for Authorize Endpoint using Implicit Grant Flow.
    """

    def setUp(self):
        self.factory = RequestFactory()
        self.user = create_fake_user()
        self.client = create_fake_client(response_type='id_token token')
        self.state = uuid.uuid4().hex
        self.nonce = uuid.uuid4().hex
        create_rsakey()

    def test_missing_nonce(self):
        """
        The `nonce` parameter is REQUIRED if you use the Implicit Flow.
        """
        query_str = urlencode({
            'client_id': self.client.client_id,
            'response_type': self.client.response_type,
            'redirect_uri': self.client.default_redirect_uri,
            'scope': 'openid email',
            'state': self.state,
        }).replace('+', '%20')

        url = reverse('oidc_provider:authorize') + '?' + query_str

        request = self.factory.get(url)
        # Simulate that the user is logged.
        request.user = self.user

        response = AuthorizeView.as_view()(request)
        
        self.assertEqual('#error=invalid_request' in response['Location'], True)   

    def test_access_token_response(self):
        """
        Unlike the Authorization Code flow, in which the client makes
        separate requests for authorization and for an access token, the client
        receives the access token as the result of the authorization request.
        """
        post_data = {
            'client_id': self.client.client_id,
            'redirect_uri': self.client.default_redirect_uri,
            'response_type': self.client.response_type,
            'scope': 'openid email',
            'state': self.state,
            'nonce': self.nonce,
            'allow': 'Accept',
        }

        request = self.factory.post(reverse('oidc_provider:authorize'),
                                    data=post_data)
        # Simulate that the user is logged.
        request.user = self.user

        response = AuthorizeView.as_view()(request)
        
        self.assertEqual('access_token' in response['Location'], True)
Add urllib compatibility. 2015-07-01 15:53:41 +00:00			`try:`
			`from urllib.parse import unquote, urlencode`
Add urllib and change iteritems() with items(). 2015-07-01 19:43:35 +00:00			`except ImportError:`
			`from urllib import unquote, urlencode`
Unnecessary assignment in test_authorize_endpoint. 2015-03-12 15:42:52 +00:00			`import uuid`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00
Add more test for the Auth Code Flow. 2015-02-12 18:04:58 +00:00			`from django.contrib.auth import REDIRECT_FIELD_NAME`
			`from django.contrib.auth.models import AnonymousUser`
Add some tests. 2015-02-11 18:37:51 +00:00			`from django.core.urlresolvers import reverse`
			`from django.test import RequestFactory`
			`from django.test import TestCase`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00
Change name of the package. 2015-02-18 18:07:22 +00:00			`from oidc_provider import settings`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`from oidc_provider.models import *`
Refactoring tests. 2015-07-14 16:27:46 +00:00			`from oidc_provider.tests.app.utils import *`
Change name of the package. 2015-02-18 18:07:22 +00:00			`from oidc_provider.views import *`
Add some tests. 2015-02-11 18:37:51 +00:00

Edit tests. 2015-02-19 18:45:51 +00:00			`class AuthorizationCodeFlowTestCase(TestCase):`
Fix in authorize endpoint tests. 2015-03-11 17:36:52 +00:00			`"""`
Fix in tests when setting a hook. 2015-03-30 18:37:48 +00:00			`Test cases for Authorize Endpoint using Authorization Code Flow.`
Fix in authorize endpoint tests. 2015-03-11 17:36:52 +00:00			`"""`
Add some tests. 2015-02-11 18:37:51 +00:00
			`def setUp(self):`
			`self.factory = RequestFactory()`
			`self.user = create_fake_user()`
			`self.client = create_fake_client(response_type='code')`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`self.state = uuid.uuid4().hex`
Add some tests. 2015-02-11 18:37:51 +00:00
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`def test_missing_parameters(self):`
Add some tests. 2015-02-11 18:37:51 +00:00			`"""`
			`If the request fails due to a missing, invalid, or mismatching`
			`redirection URI, or if the client identifier is missing or invalid,`
			`the authorization server SHOULD inform the resource owner of the error.`

			`See: https://tools.ietf.org/html/rfc6749#section-4.1.2.1`
			`"""`
Change name of the package. 2015-02-18 18:07:22 +00:00			`url = reverse('oidc_provider:authorize')`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00
Add some tests. 2015-02-11 18:37:51 +00:00			`request = self.factory.get(url)`

			`response = AuthorizeView.as_view()(request)`

			`self.assertEqual(response.status_code, 200)`
Add another test for Code Flow. 2015-02-11 20:38:37 +00:00			`self.assertEqual(bool(response.content), True)`

Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`def test_invalid_response_type(self):`
Add another test for Code Flow. 2015-02-11 20:38:37 +00:00			`"""`
			`The OP informs the RP by using the Error Response parameters defined`
			`in Section 4.1.2.1 of OAuth 2.0.`

			`See: http://openid.net/specs/openid-connect-core-1_0.html#AuthError`
			`"""`
			`# Create an authorize request with an unsupported response_type.`
Add urllib compatibility. 2015-07-01 15:53:41 +00:00			`query_str = urlencode({`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`'client_id': self.client.client_id,`
			`'response_type': 'something_wrong',`
			`'redirect_uri': self.client.default_redirect_uri,`
			`'scope': 'openid email',`
			`'state': self.state,`
			`}).replace('+', '%20')`

			`url = reverse('oidc_provider:authorize') + '?' + query_str`
Add more test for the Auth Code Flow. 2015-02-12 18:04:58 +00:00
Add another test for Code Flow. 2015-02-11 20:38:37 +00:00			`request = self.factory.get(url)`

			`response = AuthorizeView.as_view()(request)`

			`self.assertEqual(response.status_code, 302)`
			`self.assertEqual(response.has_header('Location'), True)`

Add more test for the Auth Code Flow. 2015-02-12 18:04:58 +00:00			`# Should be an 'error' component in query.`
			`query_exists = 'error=' in response['Location']`
			`self.assertEqual(query_exists, True)`

No need of that naming in authorize tests. 2015-03-19 17:19:27 +00:00			`def test_user_not_logged(self):`
Add more test for the Auth Code Flow. 2015-02-12 18:04:58 +00:00			`"""`
			`The Authorization Server attempts to Authenticate the End-User by`
			`redirecting to the login view.`

			`See: http://openid.net/specs/openid-connect-core-1_0.html#Authenticates`
			`"""`
Add urllib compatibility. 2015-07-01 15:53:41 +00:00			`query_str = urlencode({`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`'client_id': self.client.client_id,`
			`'response_type': 'code',`
			`'redirect_uri': self.client.default_redirect_uri,`
			`'scope': 'openid email',`
			`'state': self.state,`
			`}).replace('+', '%20')`

			`url = reverse('oidc_provider:authorize') + '?' + query_str`
Add more test for the Auth Code Flow. 2015-02-12 18:04:58 +00:00
			`request = self.factory.get(url)`
			`request.user = AnonymousUser()`

			`response = AuthorizeView.as_view()(request)`

			`# Check if user was redirected to the login view.`
			`login_url_exists = settings.get('LOGIN_URL') in response['Location']`
			`self.assertEqual(login_url_exists, True)`

			`# Check if the login will redirect to a valid url.`
			`try:`
			`next_value = response['Location'].split(REDIRECT_FIELD_NAME + '=')[1]`
Add urllib compatibility. 2015-07-01 15:53:41 +00:00			`next_url = unquote(next_value)`
Add more test for the Auth Code Flow. 2015-02-12 18:04:58 +00:00			`is_next_ok = next_url == url`
			`except:`
			`is_next_ok = False`
Start test for Auth Code Flow. 2015-02-13 13:44:09 +00:00			`self.assertEqual(is_next_ok, True)`

No need of that naming in authorize tests. 2015-03-19 17:19:27 +00:00			`def test_user_consent_inputs(self):`
Add doc to tests. 2015-02-20 17:33:18 +00:00			`"""`
			`Once the End-User is authenticated, the Authorization Server MUST`
			`obtain an authorization decision before releasing information to`
			`the Client.`

			`See: http://openid.net/specs/openid-connect-core-1_0.html#Consent`
			`"""`
Add urllib compatibility. 2015-07-01 15:53:41 +00:00			`query_str = urlencode({`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`'client_id': self.client.client_id,`
Fix in tests when setting a hook. 2015-03-30 18:37:48 +00:00			`'response_type': 'code',`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`'redirect_uri': self.client.default_redirect_uri,`
Fix in tests when setting a hook. 2015-03-30 18:37:48 +00:00			`'scope': 'openid email',`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`'state': self.state,`
Add hidden inputs for PKCE. Fix bug with AES. 2016-04-07 14:45:35 +00:00			`# PKCE parameters.`
			`'code_challenge': FAKE_CODE_CHALLENGE,`
			`'code_challenge_method': 'S256',`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`}).replace('+', '%20')`
Edit tests. 2015-02-19 18:45:51 +00:00
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`url = reverse('oidc_provider:authorize') + '?' + query_str`
Start test for Auth Code Flow. 2015-02-13 13:44:09 +00:00
			`request = self.factory.get(url)`
			`# Simulate that the user is logged.`
			`request.user = self.user`

Remove unnecessary settings rewrite in tests. 2015-07-22 19:25:17 +00:00			`response = AuthorizeView.as_view()(request)`
Start test for Auth Code Flow. 2015-02-13 13:44:09 +00:00
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`# Check if hidden inputs exists in the form,`
			`# also if their values are valid.`
Edit tests. 2015-02-19 18:45:51 +00:00			`input_html = '<input name="{0}" type="hidden" value="{1}" />'`

			`to_check = {`
			`'client_id': self.client.client_id,`
			`'redirect_uri': self.client.default_redirect_uri,`
Fix in tests when setting a hook. 2015-03-30 18:37:48 +00:00			`'response_type': 'code',`
Add hidden inputs for PKCE. Fix bug with AES. 2016-04-07 14:45:35 +00:00			`'code_challenge': FAKE_CODE_CHALLENGE,`
			`'code_challenge_method': 'S256',`
Edit tests. 2015-02-19 18:45:51 +00:00			`}`

Add urllib and change iteritems() with items(). 2015-07-01 19:43:35 +00:00			`for key, value in iter(to_check.items()):`
Use decode with utf-8 encoding. 2015-07-01 20:20:16 +00:00			`is_input_ok = input_html.format(key, value) in response.content.decode('utf-8')`
Edit tests. 2015-02-19 18:45:51 +00:00			`self.assertEqual(is_input_ok, True,`
			`msg='Hidden input for "'+key+'" fails.')`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00
No need of that naming in authorize tests. 2015-03-19 17:19:27 +00:00			`def test_user_consent_response(self):`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`"""`
			`First,`
			`if the user denied the consent we must ensure that`
			`the error response parameters are added to the query component`
			`of the Redirection URI.`

			`Second,`
			`if the user allow the RP then the server MUST return`
			`the parameters defined in Section 4.1.2 of OAuth 2.0 [RFC6749]`
			`by adding them as query parameters to the redirect_uri.`
			`"""`
			`response_type = 'code'`

			`url = reverse('oidc_provider:authorize')`

			`post_data = {`
			`'client_id': self.client.client_id,`
			`'redirect_uri': self.client.default_redirect_uri,`
			`'response_type': response_type,`
Unnecessary assignment in test_authorize_endpoint. 2015-03-12 15:42:52 +00:00			`'scope': 'openid email',`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`'state': self.state,`
Add hidden inputs for PKCE. Fix bug with AES. 2016-04-07 14:45:35 +00:00			`# PKCE parameters.`
			`'code_challenge': FAKE_CODE_CHALLENGE,`
			`'code_challenge_method': 'S256',`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00			`}`

			`request = self.factory.post(url, data=post_data)`
			`# Simulate that the user is logged.`
			`request.user = self.user`

			`response = AuthorizeView.as_view()(request)`

			`# Because user doesn't allow app, SHOULD exists an error parameter`
			`# in the query.`
Add provider info test. Add some msg to tests. 2015-03-06 15:56:35 +00:00			`self.assertEqual('error=' in response['Location'], True,`
Fix test_authorize_endpoint messages. 2015-04-30 15:42:00 +00:00			`msg='error param is missing in query.')`
Add provider info test. Add some msg to tests. 2015-03-06 15:56:35 +00:00			`self.assertEqual('access_denied' in response['Location'], True,`
Fix test_authorize_endpoint messages. 2015-04-30 15:42:00 +00:00			`msg='"access_denied" code is missing in query.')`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00
			`# Simulate user authorization.`
			`post_data['allow'] = 'Accept' # Should be the value of the button.`

			`request = self.factory.post(url, data=post_data)`
			`# Simulate that the user is logged.`
			`request.user = self.user`

			`response = AuthorizeView.as_view()(request)`

Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`is_code_ok = is_code_valid(url=response['Location'],`
			`user=self.user,`
			`client=self.client)`
Add provider info test. Add some msg to tests. 2015-03-06 15:56:35 +00:00			`self.assertEqual(is_code_ok, True,`
			`msg='Code returned is invalid.')`
Complete some tests. Also change a few things on them. 2015-02-27 20:40:17 +00:00
			`# Check if the state is returned.`
			`state = (response['Location'].split('state='))[1].split('&')[0]`
Add provider info test. Add some msg to tests. 2015-03-06 15:56:35 +00:00			`self.assertEqual(state == self.state, True,`
			`msg='State change or is missing.')`
Fix in authorize endpoint tests. 2015-03-11 17:36:52 +00:00
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`def test_user_consent_skipped(self):`
			`"""`
			`If users previously gave consent to some client (for a specific`
			`list of scopes) and because they might be prompted for the same`
			`authorization multiple times, the server skip it.`
			`"""`
			`post_data = {`
			`'client_id': self.client.client_id,`
			`'redirect_uri': self.client.default_redirect_uri,`
			`'response_type': 'code',`
			`'scope': 'openid email',`
			`'state': self.state,`
			`'allow': 'Accept',`
			`}`

			`request = self.factory.post(reverse('oidc_provider:authorize'),`
			`data=post_data)`
			`# Simulate that the user is logged.`
			`request.user = self.user`

Add OIDC_SKIP_CONSENT_ALWAYS setting. 2016-02-01 17:34:39 +00:00			`with self.settings(OIDC_SKIP_CONSENT_ALWAYS=True):`
			`response = AuthorizeView.as_view()(request)`

			`self.assertEqual('code' in response['Location'], True,`
			`msg='Code is missing in the returned url.')`

Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00			`response = AuthorizeView.as_view()(request)`

			`is_code_ok = is_code_valid(url=response['Location'],`
			`user=self.user,`
			`client=self.client)`
Add OIDC_SKIP_CONSENT_ALWAYS setting. 2016-02-01 17:34:39 +00:00			`self.assertEqual(is_code_ok, True, msg='Code returned is invalid.')`
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00
			`del post_data['allow']`
Add urllib compatibility. 2015-07-01 15:53:41 +00:00			`query_str = urlencode(post_data).replace('+', '%20')`
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00
			`url = reverse('oidc_provider:authorize') + '?' + query_str`

			`request = self.factory.get(url)`
			`# Simulate that the user is logged.`
			`request.user = self.user`

			`# Ensure user consent skip is enabled.`
Remove unnecessary settings rewrite in tests. 2015-07-22 19:25:17 +00:00			`response = AuthorizeView.as_view()(request)`
Add test for user consent skip feature. 2015-06-23 19:32:12 +00:00
			`is_code_ok = is_code_valid(url=response['Location'],`
			`user=self.user,`
			`client=self.client)`
Add OIDC_SKIP_CONSENT_ALWAYS setting. 2016-02-01 17:34:39 +00:00			`self.assertEqual(is_code_ok, True, msg='Code returned is invalid or missing.')`
Add support for redirect_uris with query params Some clients might add extra parameters to the redirect_uri, for instance as extra verification if proper state parameter handling is not supported. This patch adds proper handling of redirect_uris with query parameters. 2015-07-10 10:22:25 +00:00
			`def test_response_uri_is_properly_constructed(self):`
Add OIDC_SKIP_CONSENT_ALWAYS setting. 2016-02-01 17:34:39 +00:00			`"""`
			`TODO`
			`"""`
Add support for redirect_uris with query params Some clients might add extra parameters to the redirect_uri, for instance as extra verification if proper state parameter handling is not supported. This patch adds proper handling of redirect_uris with query parameters. 2015-07-10 10:22:25 +00:00			`post_data = {`
			`'client_id': self.client.client_id,`
			`'redirect_uri': self.client.default_redirect_uri + "?redirect_state=xyz",`
			`'response_type': 'code',`
			`'scope': 'openid email',`
			`'state': self.state,`
			`'allow': 'Accept',`
			`}`

			`request = self.factory.post(reverse('oidc_provider:authorize'),`
			`data=post_data)`
			`# Simulate that the user is logged.`
			`request.user = self.user`

			`response = AuthorizeView.as_view()(request)`

			`is_code_ok = is_code_valid(url=response['Location'],`
			`user=self.user,`
			`client=self.client)`
			`self.assertEqual(is_code_ok, True,`
			`msg='Code returned is invalid.')`
Add test to authorize endpoint. 2015-07-28 18:54:52 +00:00
			`def test_scope_with_plus(self):`
			`"""`
			In query string, scope use `+` instead of the space url-encoded.
			`"""`
			`scope_test = 'openid email profile'`

			`query_str = urlencode({`
			`'client_id': self.client.client_id,`
			`'response_type': 'code',`
			`'redirect_uri': self.client.default_redirect_uri,`
			`'scope': scope_test,`
			`'state': self.state,`
			`})`

			`url = reverse('oidc_provider:authorize') + '?' + query_str`

			`request = self.factory.get(url)`
			`# Simulate that the user is logged.`
			`request.user = self.user`

			`response = AuthorizeView.as_view()(request)`

			`self.assertEqual(scope_test in response.content.decode('utf-8'), True)`
Add tests for Implicit Flow. 2016-01-19 19:08:13 +00:00

			`class ImplicitFlowTestCase(TestCase):`
			`"""`
			`Test cases for Authorize Endpoint using Implicit Grant Flow.`
			`"""`

			`def setUp(self):`
			`self.factory = RequestFactory()`
			`self.user = create_fake_user()`
			`self.client = create_fake_client(response_type='id_token token')`
			`self.state = uuid.uuid4().hex`
			`self.nonce = uuid.uuid4().hex`
Implementation of RSA Keys using Models. Also providing DOC. 2016-01-25 20:52:24 +00:00			`create_rsakey()`
Add tests for Implicit Flow. 2016-01-19 19:08:13 +00:00
			`def test_missing_nonce(self):`
			`"""`
			The `nonce` parameter is REQUIRED if you use the Implicit Flow.
			`"""`
			`query_str = urlencode({`
			`'client_id': self.client.client_id,`
			`'response_type': self.client.response_type,`
			`'redirect_uri': self.client.default_redirect_uri,`
			`'scope': 'openid email',`
			`'state': self.state,`
			`}).replace('+', '%20')`

			`url = reverse('oidc_provider:authorize') + '?' + query_str`

			`request = self.factory.get(url)`
			`# Simulate that the user is logged.`
			`request.user = self.user`

			`response = AuthorizeView.as_view()(request)`

			`self.assertEqual('#error=invalid_request' in response['Location'], True)`

			`def test_access_token_response(self):`
			`"""`
			`Unlike the Authorization Code flow, in which the client makes`
			`separate requests for authorization and for an access token, the client`
			`receives the access token as the result of the authorization request.`
			`"""`
			`post_data = {`
			`'client_id': self.client.client_id,`
			`'redirect_uri': self.client.default_redirect_uri,`
			`'response_type': self.client.response_type,`
			`'scope': 'openid email',`
			`'state': self.state,`
			`'nonce': self.nonce,`
			`'allow': 'Accept',`
			`}`

			`request = self.factory.post(reverse('oidc_provider:authorize'),`
			`data=post_data)`
			`# Simulate that the user is logged.`
			`request.user = self.user`

			`response = AuthorizeView.as_view()(request)`

			`self.assertEqual('access_token' in response['Location'], True)`