diff --git a/oidc_provider/tests/test_authorize_endpoint.py b/oidc_provider/tests/test_authorize_endpoint.py index 9a26761..dd22800 100644 --- a/oidc_provider/tests/test_authorize_endpoint.py +++ b/oidc_provider/tests/test_authorize_endpoint.py @@ -32,16 +32,16 @@ class AuthorizationCodeFlowTestCase(TestCase): self.state = uuid.uuid4().hex self.nonce = uuid.uuid4().hex - def _auth_request(self, method, params_or_data={}, is_user_authenticated=False): + def _auth_request(self, method, data={}, is_user_authenticated=False): url = reverse('oidc_provider:authorize') if method.lower() == 'get': - query_str = urlencode(params_or_data).replace('+', '%20') + query_str = urlencode(data).replace('+', '%20') if query_str: url += '?' + query_str request = self.factory.get(url) elif method.lower() == 'post': - request = self.factory.post(url, data=params_or_data) + request = self.factory.post(url, data=data) else: raise Exception('Method unsupported for an Authorization Request.') @@ -74,7 +74,7 @@ class AuthorizationCodeFlowTestCase(TestCase): See: http://openid.net/specs/openid-connect-core-1_0.html#AuthError """ # Create an authorize request with an unsupported response_type. - params = { + data = { 'client_id': self.client.client_id, 'response_type': 'something_wrong', 'redirect_uri': self.client.default_redirect_uri, @@ -82,7 +82,7 @@ class AuthorizationCodeFlowTestCase(TestCase): 'state': self.state, } - response = self._auth_request('get', params) + response = self._auth_request('get', data) self.assertEqual(response.status_code, 302) self.assertEqual(response.has_header('Location'), True) @@ -98,7 +98,7 @@ class AuthorizationCodeFlowTestCase(TestCase): See: http://openid.net/specs/openid-connect-core-1_0.html#Authenticates """ - params = { + data = { 'client_id': self.client.client_id, 'response_type': 'code', 'redirect_uri': self.client.default_redirect_uri, @@ -106,7 +106,7 @@ class AuthorizationCodeFlowTestCase(TestCase): 'state': self.state, } - response = self._auth_request('get', params) + response = self._auth_request('get', data) # Check if user was redirected to the login view. login_url_exists = settings.get('LOGIN_URL') in response['Location'] @@ -120,7 +120,7 @@ class AuthorizationCodeFlowTestCase(TestCase): See: http://openid.net/specs/openid-connect-core-1_0.html#Consent """ - params = { + data = { 'client_id': self.client.client_id, 'response_type': 'code', 'redirect_uri': self.client.default_redirect_uri, @@ -131,7 +131,7 @@ class AuthorizationCodeFlowTestCase(TestCase): 'code_challenge_method': 'S256', } - response = self._auth_request('get', params, is_user_authenticated=True) + response = self._auth_request('get', data, is_user_authenticated=True) # Check if hidden inputs exists in the form, # also if their values are valid. @@ -257,7 +257,7 @@ class AuthorizationCodeFlowTestCase(TestCase): """ It's recommended not auto-approving requests for non-confidential clients. """ - params = { + data = { 'client_id': self.client_public.client_id, 'response_type': 'code', 'redirect_uri': self.client_public.default_redirect_uri, @@ -266,7 +266,7 @@ class AuthorizationCodeFlowTestCase(TestCase): } with self.settings(OIDC_SKIP_CONSENT_ALWAYS=True): - response = self._auth_request('get', params, is_user_authenticated=True) + response = self._auth_request('get', data, is_user_authenticated=True) self.assertEqual('Request for Permission' in response.content.decode('utf-8'), True) @@ -274,7 +274,7 @@ class AuthorizationCodeFlowTestCase(TestCase): """ The `nonce` parameter is REQUIRED if you use the Implicit Flow. """ - params = { + data = { 'client_id': self.client_implicit.client_id, 'response_type': self.client_implicit.response_type, 'redirect_uri': self.client_implicit.default_redirect_uri, @@ -282,7 +282,7 @@ class AuthorizationCodeFlowTestCase(TestCase): 'state': self.state, } - response = self._auth_request('get', params, is_user_authenticated=True) + response = self._auth_request('get', data, is_user_authenticated=True) self.assertEqual('#error=invalid_request' in response['Location'], True) @@ -304,4 +304,30 @@ class AuthorizationCodeFlowTestCase(TestCase): response = self._auth_request('post', data, is_user_authenticated=True) - self.assertEqual('access_token' in response['Location'], True) + self.assertEqual('access_token' in response['Location'], True) + + + def test_prompt_parameter(self): + """ + Specifies whether the Authorization Server prompts the End-User for reauthentication and consent. + See: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest + """ + data = { + 'client_id': self.client.client_id, + 'response_type': self.client.response_type, + 'redirect_uri': self.client.default_redirect_uri, + 'scope': 'openid email', + 'state': self.state, + } + + data['prompt'] = 'none' + + response = self._auth_request('get', data) + + # An error is returned if an End-User is not already authenticated. + self.assertEqual('login_required' in response['Location'], True) + + response = self._auth_request('get', data, is_user_authenticated=True) + + # An error is returned if the Client does not have pre-configured consent for the requested Claims. + self.assertEqual('interaction_required' in response['Location'], True)