Refactoring create_id_token function.
This commit is contained in:
parent
5836774f6b
commit
8a63c83514
7 changed files with 41 additions and 15 deletions
|
@ -12,6 +12,7 @@ All notable changes to this project will be documented in this file.
|
||||||
##### Fixed
|
##### Fixed
|
||||||
- CORS in discovery and userinfo endpoint.
|
- CORS in discovery and userinfo endpoint.
|
||||||
- Client type public bug when created using the admin.
|
- Client type public bug when created using the admin.
|
||||||
|
- Missing OIDC_TOKEN_EXPIRE setting on implicit flow.
|
||||||
|
|
||||||
### [0.3.7] - 2016-08-31
|
### [0.3.7] - 2016-08-31
|
||||||
|
|
||||||
|
|
|
@ -151,6 +151,7 @@ class AuthorizeEndpoint(object):
|
||||||
'aud': self.client.client_id,
|
'aud': self.client.client_id,
|
||||||
'nonce': self.params.nonce,
|
'nonce': self.params.nonce,
|
||||||
'request': self.request,
|
'request': self.request,
|
||||||
|
'scope': self.params.scope,
|
||||||
}
|
}
|
||||||
# Include at_hash when access_token is being returned.
|
# Include at_hash when access_token is being returned.
|
||||||
if 'access_token' in query_fragment:
|
if 'access_token' in query_fragment:
|
||||||
|
|
|
@ -153,6 +153,7 @@ class TokenEndpoint(object):
|
||||||
nonce=self.code.nonce,
|
nonce=self.code.nonce,
|
||||||
at_hash=token.at_hash,
|
at_hash=token.at_hash,
|
||||||
request=self.request,
|
request=self.request,
|
||||||
|
scope=self.params.scope,
|
||||||
)
|
)
|
||||||
else:
|
else:
|
||||||
id_token_dic = {}
|
id_token_dic = {}
|
||||||
|
@ -188,6 +189,7 @@ class TokenEndpoint(object):
|
||||||
nonce=None,
|
nonce=None,
|
||||||
at_hash=token.at_hash,
|
at_hash=token.at_hash,
|
||||||
request=self.request,
|
request=self.request,
|
||||||
|
scope=self.params.scope,
|
||||||
)
|
)
|
||||||
else:
|
else:
|
||||||
id_token_dic = {}
|
id_token_dic = {}
|
||||||
|
|
|
@ -17,7 +17,7 @@ from oidc_provider.models import (
|
||||||
from oidc_provider import settings
|
from oidc_provider import settings
|
||||||
|
|
||||||
|
|
||||||
def create_id_token(user, aud, nonce, at_hash=None, request=None):
|
def create_id_token(user, aud, nonce, at_hash=None, request=None, scope=[]):
|
||||||
"""
|
"""
|
||||||
Creates the id_token dictionary.
|
Creates the id_token dictionary.
|
||||||
See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken
|
See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken
|
||||||
|
@ -50,7 +50,7 @@ def create_id_token(user, aud, nonce, at_hash=None, request=None):
|
||||||
if at_hash:
|
if at_hash:
|
||||||
dic['at_hash'] = at_hash
|
dic['at_hash'] = at_hash
|
||||||
|
|
||||||
if getattr(user, 'email', None):
|
if ('email' in scope) and getattr(user, 'email', None):
|
||||||
dic['email'] = user.email
|
dic['email'] = user.email
|
||||||
|
|
||||||
processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK')
|
processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK')
|
||||||
|
|
|
@ -11,7 +11,10 @@ import uuid
|
||||||
from django.contrib.auth.models import AnonymousUser
|
from django.contrib.auth.models import AnonymousUser
|
||||||
from django.core.management import call_command
|
from django.core.management import call_command
|
||||||
from django.core.urlresolvers import reverse
|
from django.core.urlresolvers import reverse
|
||||||
from django.test import RequestFactory
|
from django.test import (
|
||||||
|
RequestFactory,
|
||||||
|
override_settings,
|
||||||
|
)
|
||||||
from django.test import TestCase
|
from django.test import TestCase
|
||||||
from jwkest.jwt import JWT
|
from jwkest.jwt import JWT
|
||||||
|
|
||||||
|
@ -457,12 +460,8 @@ class AuthorizationHybridFlowTestCase(TestCase, AuthorizeEndpointMixin):
|
||||||
self.state = uuid.uuid4().hex
|
self.state = uuid.uuid4().hex
|
||||||
self.nonce = uuid.uuid4().hex
|
self.nonce = uuid.uuid4().hex
|
||||||
|
|
||||||
def test_code_idtoken_token_response(self):
|
# Base data for the auth request.
|
||||||
"""
|
self.data = {
|
||||||
Implicit client requesting `id_token token` receives both id token
|
|
||||||
and access token as the result of the authorization request.
|
|
||||||
"""
|
|
||||||
data = {
|
|
||||||
'client_id': self.client_code_idtoken_token.client_id,
|
'client_id': self.client_code_idtoken_token.client_id,
|
||||||
'redirect_uri': self.client_code_idtoken_token.default_redirect_uri,
|
'redirect_uri': self.client_code_idtoken_token.default_redirect_uri,
|
||||||
'response_type': self.client_code_idtoken_token.response_type,
|
'response_type': self.client_code_idtoken_token.response_type,
|
||||||
|
@ -472,7 +471,12 @@ class AuthorizationHybridFlowTestCase(TestCase, AuthorizeEndpointMixin):
|
||||||
'allow': 'Accept',
|
'allow': 'Accept',
|
||||||
}
|
}
|
||||||
|
|
||||||
response = self._auth_request('post', data, is_user_authenticated=True)
|
def test_code_idtoken_token_response(self):
|
||||||
|
"""
|
||||||
|
Implicit client requesting `id_token token` receives both id token
|
||||||
|
and access token as the result of the authorization request.
|
||||||
|
"""
|
||||||
|
response = self._auth_request('post', self.data, is_user_authenticated=True)
|
||||||
|
|
||||||
self.assertIn('#', response['Location'])
|
self.assertIn('#', response['Location'])
|
||||||
self.assertIn('access_token', response['Location'])
|
self.assertIn('access_token', response['Location'])
|
||||||
|
@ -485,3 +489,12 @@ class AuthorizationHybridFlowTestCase(TestCase, AuthorizeEndpointMixin):
|
||||||
user=self.user,
|
user=self.user,
|
||||||
client=self.client_code_idtoken_token)
|
client=self.client_code_idtoken_token)
|
||||||
self.assertEqual(is_code_ok, True, msg='Code returned is invalid.')
|
self.assertEqual(is_code_ok, True, msg='Code returned is invalid.')
|
||||||
|
|
||||||
|
@override_settings(OIDC_TOKEN_EXPIRE=36000)
|
||||||
|
def test_access_token_expiration(self):
|
||||||
|
"""
|
||||||
|
Add ten hours of expiration to access_token. Check for the expires_in query in fragment.
|
||||||
|
"""
|
||||||
|
response = self._auth_request('post', self.data, is_user_authenticated=True)
|
||||||
|
|
||||||
|
self.assertIn('expires_in=36000', response['Location'])
|
||||||
|
|
|
@ -10,7 +10,10 @@ except ImportError:
|
||||||
|
|
||||||
from django.core.management import call_command
|
from django.core.management import call_command
|
||||||
from django.core.urlresolvers import reverse
|
from django.core.urlresolvers import reverse
|
||||||
from django.test import RequestFactory, override_settings
|
from django.test import (
|
||||||
|
RequestFactory,
|
||||||
|
override_settings,
|
||||||
|
)
|
||||||
from django.test import TestCase
|
from django.test import TestCase
|
||||||
from django.utils import timezone
|
from django.utils import timezone
|
||||||
from jwkest.jwk import KEYS
|
from jwkest.jwk import KEYS
|
||||||
|
@ -148,7 +151,7 @@ class TokenTestCase(TestCase):
|
||||||
self.assertEqual(response_dic['token_type'], 'bearer')
|
self.assertEqual(response_dic['token_type'], 'bearer')
|
||||||
self.assertEqual(response_dic['expires_in'], 720)
|
self.assertEqual(response_dic['expires_in'], 720)
|
||||||
self.assertEqual(id_token['sub'], str(self.user.id))
|
self.assertEqual(id_token['sub'], str(self.user.id))
|
||||||
self.assertEqual(id_token['aud'], self.client.client_id)
|
self.assertEqual(id_token['aud'], self.client.client_id);
|
||||||
|
|
||||||
def test_refresh_token(self):
|
def test_refresh_token(self):
|
||||||
"""
|
"""
|
||||||
|
|
|
@ -34,14 +34,20 @@ class UserInfoTestCase(TestCase):
|
||||||
"""
|
"""
|
||||||
Generate a valid token.
|
Generate a valid token.
|
||||||
"""
|
"""
|
||||||
id_token_dic = create_id_token(self.user,
|
scope = ['openid', 'email'] + extra_scope
|
||||||
self.client.client_id, FAKE_NONCE)
|
|
||||||
|
id_token_dic = create_id_token(
|
||||||
|
user=self.user,
|
||||||
|
aud=self.client.client_id,
|
||||||
|
nonce=FAKE_NONCE,
|
||||||
|
scope=scope,
|
||||||
|
)
|
||||||
|
|
||||||
token = create_token(
|
token = create_token(
|
||||||
user=self.user,
|
user=self.user,
|
||||||
client=self.client,
|
client=self.client,
|
||||||
id_token_dic=id_token_dic,
|
id_token_dic=id_token_dic,
|
||||||
scope=['openid', 'email'] + extra_scope)
|
scope=scope)
|
||||||
token.save()
|
token.save()
|
||||||
|
|
||||||
return token
|
return token
|
||||||
|
|
Loading…
Reference in a new issue