From 44a32a55ad80eb8e85e93864c52124e385a0ac43 Mon Sep 17 00:00:00 2001
From: juanifioren <juanifioren@gmail.com>
Date: Tue, 19 Jan 2016 16:08:13 -0300
Subject: [PATCH] Add tests for Implicit Flow.

---
 .../tests/test_authorize_endpoint.py          | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/oidc_provider/tests/test_authorize_endpoint.py b/oidc_provider/tests/test_authorize_endpoint.py
index 45367c6..76c5df0 100644
--- a/oidc_provider/tests/test_authorize_endpoint.py
+++ b/oidc_provider/tests/test_authorize_endpoint.py
@@ -296,3 +296,63 @@ class AuthorizationCodeFlowTestCase(TestCase):
         response = AuthorizeView.as_view()(request)
 
         self.assertEqual(scope_test in response.content.decode('utf-8'), True)
+
+
+class ImplicitFlowTestCase(TestCase):
+    """
+    Test cases for Authorize Endpoint using Implicit Grant Flow.
+    """
+
+    def setUp(self):
+        self.factory = RequestFactory()
+        self.user = create_fake_user()
+        self.client = create_fake_client(response_type='id_token token')
+        self.state = uuid.uuid4().hex
+        self.nonce = uuid.uuid4().hex
+
+    def test_missing_nonce(self):
+        """
+        The `nonce` parameter is REQUIRED if you use the Implicit Flow.
+        """
+        query_str = urlencode({
+            'client_id': self.client.client_id,
+            'response_type': self.client.response_type,
+            'redirect_uri': self.client.default_redirect_uri,
+            'scope': 'openid email',
+            'state': self.state,
+        }).replace('+', '%20')
+
+        url = reverse('oidc_provider:authorize') + '?' + query_str
+
+        request = self.factory.get(url)
+        # Simulate that the user is logged.
+        request.user = self.user
+
+        response = AuthorizeView.as_view()(request)
+        
+        self.assertEqual('#error=invalid_request' in response['Location'], True)   
+
+    def test_access_token_response(self):
+        """
+        Unlike the Authorization Code flow, in which the client makes
+        separate requests for authorization and for an access token, the client
+        receives the access token as the result of the authorization request.
+        """
+        post_data = {
+            'client_id': self.client.client_id,
+            'redirect_uri': self.client.default_redirect_uri,
+            'response_type': self.client.response_type,
+            'scope': 'openid email',
+            'state': self.state,
+            'nonce': self.nonce,
+            'allow': 'Accept',
+        }
+
+        request = self.factory.post(reverse('oidc_provider:authorize'),
+                                    data=post_data)
+        # Simulate that the user is logged.
+        request.user = self.user
+
+        response = AuthorizeView.as_view()(request)
+        
+        self.assertEqual('access_token' in response['Location'], True)