From c6d7422a9e911220522f2046a5f07704226ac619 Mon Sep 17 00:00:00 2001
From: juanifioren
Date: Mon, 27 Jul 2015 16:12:04 -0300
Subject: [PATCH 1/6] Edit travis file.

---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index cbe2fbe..44c88f6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -6,7 +6,7 @@ env:
   - DJANGO=1.7
   - DJANGO=1.8
 install:
-  - pip install -q Django==$DJANGO --use-mirrors
+  - pip install -q django==$DJANGO
   - pip install -e .
 script:
   - PYTHONPATH=$PYTHONPATH:$PWD django-admin.py test oidc_provider --settings=oidc_provider.tests.app.settings

From 92b75ba1d9713e6270a832a18ef168a494e02a1e Mon Sep 17 00:00:00 2001
From: juanifioren
Date: Mon, 27 Jul 2015 18:28:12 -0300
Subject: [PATCH 2/6] Sending access_token as query string parameter in UserInfo.

---
 oidc_provider/lib/endpoints/userinfo.py       | 3 ++-
 oidc_provider/tests/test_userinfo_endpoint.py | 21 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/oidc_provider/lib/endpoints/userinfo.py b/oidc_provider/lib/endpoints/userinfo.py
index 9a67c89..6f3f1b6 100644
--- a/oidc_provider/lib/endpoints/userinfo.py
+++ b/oidc_provider/lib/endpoints/userinfo.py
@@ -29,6 +29,7 @@ class UserInfoEndpoint(object):
     def _get_access_token(self):
         """
         Get the access token using Authorization Request Header Field method.
+        Or try getting via GET.
         See: http://tools.ietf.org/html/rfc6750#section-2.1

         Return a string.
@@ -38,7 +39,7 @@ class UserInfoEndpoint(object):

         if re.compile('^Bearer\s{1}.+$').match(auth_header):
             access_token = auth_header.split()[1]
         else:
-            access_token = ''
+            access_token = self.request.GET.get('access_token', '')

         return access_token
diff --git a/oidc_provider/tests/test_userinfo_endpoint.py b/oidc_provider/tests/test_userinfo_endpoint.py
index 7165ebd..95e7635 100644
--- a/oidc_provider/tests/test_userinfo_endpoint.py
+++ b/oidc_provider/tests/test_userinfo_endpoint.py
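Review bot: The new fallback `access_token = self.request.GET.get('access_token', '')` accepts a bearer token from the URL, which then ends up in server and proxy access logs, browser history and Referer headers; RFC 6750 §2.3 says this method SHOULD NOT be used unless the Authorization header is impossible, and that 2xx responses to such requests SHOULD carry `Cache-Control: private`. Note also that Django's `request.GET` is the query string for any method, so a token in the URL of a POST is honoured too. At minimum make the query-string path opt-in behind a setting and set the Cache-Control header when it is used, and fix the docstring, which still points only at the header method: `See: http://tools.ietf.org/html/rfc6750#section-2.1 (header) and #section-2.3 (query parameter, discouraged)`. `_get_access_token` is split across the two hunks; the lines in between, where `auth_header` is read, are not visible here.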
@@ -1,4 +1,8 @@
 from datetime import timedelta
+try:
+    from urllib.parse import urlencode
+except ImportError:
+    from urllib import urlencode

 from django.core.urlresolvers import reverse
 from django.test import RequestFactory
@@ -93,3 +97,20 @@ class UserInfoTestCase(TestCase):
         except KeyError:
             is_header_field_ok = False
         self.assertEqual(is_header_field_ok, True)
+
+    def test_accesstoken_query_string_parameter(self):
+        """
+        Make a GET request to the UserInfo Endpoint by sending access_token
+        as query string parameter.
+        """
+        token = self._create_token()
+
+        url = reverse('oidc_provider:userinfo') + '?' + urlencode({
+            'access_token': token.access_token,
+        })
+
+        request = self.factory.get(url)
+        response = userinfo(request)
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(bool(response.content), True)

From cb59b99fa82577cf6332ef2eea26cc29e2cda4d9 Mon Sep 17 00:00:00 2001
From: juanifioren
Date: Mon, 27 Jul 2015 18:33:34 -0300
Subject: [PATCH 3/6] Edit CHANGELOG.

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a58da4e..fab9491 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.

 ### [Unreleased]

+##### Added
+- Sending access_token as query string parameter in UserInfo Endpoint.
+
 ##### Changed
 - Use models setting instead of User.

From 580c096887257a7f103a00d8cf195e6da0de9aa0 Mon Sep 17 00:00:00 2001
From: juanifioren
Date: Tue, 28 Jul 2015 15:15:34 -0300
Subject: [PATCH 4/6] Edit tox file.

---
 tox.ini | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tox.ini b/tox.ini
index e6c7989..0f91ada 100644
--- a/tox.ini
+++ b/tox.ini
@@ -10,6 +10,5 @@ deps =
     django18: django==1.8

 commands =
-    pip uninstall --yes django-oidc-provider
     pip install -e .
     {envbindir}/django-admin.py test oidc_provider --settings=oidc_provider.tests.app.settings

From 46b0c2f24427266aa4b96695fdf5b449302e6c21 Mon Sep 17 00:00:00 2001
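Review bot: `self.assertEqual(bool(response.content), True)` in `test_accesstoken_query_string_parameter` passes for any non-empty body, including an error payload that happens to be served with status 200, so it does not show that the query-string token was actually honoured. Decode the body and check a claim instead, e.g. `self.assertIn('sub', json.loads(response.content.decode('utf-8')))` (this presumes the endpoint returns the OIDC claims object as JSON — confirm against what the header-based test in this class checks), which needs `import json` at the top of the file. The new code path also deserves a negative case: the same request with an unknown `access_token` value must not return 200, otherwise a regression that ignores the token entirely would still pass this test. `assertTrue`/`assertIn` in place of `assertEqual(..., True)` would give readable failure messages.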
From: juanifioren
Date: Tue, 28 Jul 2015 15:54:52 -0300
Subject: [PATCH 5/6] Add test to authorize endpoint.

---
 .../tests/test_authorize_endpoint.py | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/oidc_provider/tests/test_authorize_endpoint.py b/oidc_provider/tests/test_authorize_endpoint.py
index 5056749..45367c6 100644
--- a/oidc_provider/tests/test_authorize_endpoint.py
+++ b/oidc_provider/tests/test_authorize_endpoint.py
@@ -130,7 +130,6 @@ class AuthorizationCodeFlowTestCase(TestCase):
         # Simulate that the user is logged.
         request.user = self.user

-        # Remove the hook, because we want to test default behaviour.
         response = AuthorizeView.as_view()(request)

         # Check if hidden inputs exists in the form,
@@ -273,3 +272,27 @@ class AuthorizationCodeFlowTestCase(TestCase):
                 client=self.client)

         self.assertEqual(is_code_ok, True, msg='Code returned is invalid.')
+
+    def test_scope_with_plus(self):
+        """
+        In query string, scope use `+` instead of the space url-encoded.
+        """
+        scope_test = 'openid email profile'
+
+        query_str = urlencode({
+            'client_id': self.client.client_id,
+            'response_type': 'code',
+            'redirect_uri': self.client.default_redirect_uri,
+            'scope': scope_test,
+            'state': self.state,
+        })
+
+        url = reverse('oidc_provider:authorize') + '?' + query_str
+
+        request = self.factory.get(url)
+        # Simulate that the user is logged.
+        request.user = self.user
+
+        response = AuthorizeView.as_view()(request)
+
+        self.assertEqual(scope_test in response.content.decode('utf-8'), True)

From 253527aa523d42c50888036f24b817b306691635 Mon Sep 17 00:00:00 2001
From: juanifioren
Date: Tue, 28 Jul 2015 15:55:30 -0300
Subject: [PATCH 6/6] Refactoring in authorize endpoint.

---
 oidc_provider/lib/endpoints/authorize.py | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/oidc_provider/lib/endpoints/authorize.py b/oidc_provider/lib/endpoints/authorize.py
index 586ffeb..a1c83ec 100644
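Review bot: `self.assertEqual(scope_test in response.content.decode('utf-8'), True)` in `test_scope_with_plus` only checks that the text `openid email profile` appears somewhere in the rendered page, so it would also pass if the value were merely echoed back in an error message rather than parsed into the consent form; `self.assertIn(scope_test, response.content.decode('utf-8'))` at least gives a useful failure message. Since the earlier test in this class inspects the hidden inputs of the form, the stronger assertion is that the hidden `scope` input carries the space-separated value (presumably via its `value` attribute — confirm against the template), which is what the `+`-encoding is meant to round-trip into. The docstring should read `In the query string, scope uses '+' instead of the url-encoded space.`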
--- a/oidc_provider/lib/endpoints/authorize.py
+++ b/oidc_provider/lib/endpoints/authorize.py
@@ -22,14 +22,8 @@ class AuthorizeEndpoint(object): def __init__(self, request): self.request = request - self.params = Params() - # Because in this endpoint we handle both GET - # and POST request. - self.query_dict = (self.request.POST if self.request.method == 'POST' - else self.request.GET) - self._extract_params() # Determine which flow to use.
@@ -47,12 +41,17 @@ class AuthorizeEndpoint(object):

         See: http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
         """

-        self.params.client_id = self.query_dict.get('client_id', '')
-        self.params.redirect_uri = self.query_dict.get('redirect_uri', '')
-        self.params.response_type = self.query_dict.get('response_type', '')
-        self.params.scope = self.query_dict.get('scope', '').split()
-        self.params.state = self.query_dict.get('state', '')
-        self.params.nonce = self.query_dict.get('nonce', '')
+        # Because in this endpoint we handle both GET
+        # and POST request.
+        query_dict = (self.request.POST if self.request.method == 'POST'
+                      else self.request.GET)
+
+        self.params.client_id = query_dict.get('client_id', '')
+        self.params.redirect_uri = query_dict.get('redirect_uri', '')
+        self.params.response_type = query_dict.get('response_type', '')
+        self.params.scope = query_dict.get('scope', '').split()
+        self.params.state = query_dict.get('state', '')
+        self.params.nonce = query_dict.get('nonce', '')

     def validate_params(self):
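Review bot: `_extract_params` now selects `self.request.POST` or `self.request.GET` on `self.request.method`, so on a POST any parameters carried in the query string are silently ignored rather than merged, and the `# Because in this endpoint we handle both GET and POST request.` comment explains why there are two sources but not this precedence. State it in the method's docstring, after the `See:` line: `Parameters are read from the form body on POST and from the query string on any other method; a POST's query string is not consulted.` `_extract_params` begins above this hunk and `validate_params` begins on its last line, so whether `redirect_uri` and `response_type` are checked against the client's registration cannot be confirmed from this patch; the refactor itself does not change what is read.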