Refactoring create_id_token function.

Ignacio Fiorentino 2016-09-09 13:10:12 -03:00
parent 5836774f6b
commit 8a63c83514
7 changed files with 41 additions and 15 deletions


@ -12,6 +12,7 @@ All notable changes to this project will be documented in this file.
##### Fixed ##### Fixed
- CORS in discovery and userinfo endpoint. - CORS in discovery and userinfo endpoint.
- Client type public bug when created using the admin. - Client type public bug when created using the admin.
- Missing OIDC_TOKEN_EXPIRE setting on implicit flow.
### [0.3.7] - 2016-08-31 ### [0.3.7] - 2016-08-31


@ -151,6 +151,7 @@ class AuthorizeEndpoint(object):
'aud': self.client.client_id, 'aud': self.client.client_id,
'nonce': self.params.nonce, 'nonce': self.params.nonce,
'request': self.request, 'request': self.request,
'scope': self.params.scope,
} }
# Include at_hash when access_token is being returned. # Include at_hash when access_token is being returned.
if 'access_token' in query_fragment: if 'access_token' in query_fragment:


@ -153,6 +153,7 @@ class TokenEndpoint(object):
nonce=self.code.nonce, nonce=self.code.nonce,
at_hash=token.at_hash, at_hash=token.at_hash,
request=self.request, request=self.request,
scope=self.params.scope,
) )
else: else:
id_token_dic = {} id_token_dic = {}
@ -188,6 +189,7 @@ class TokenEndpoint(object):
nonce=None, nonce=None,
at_hash=token.at_hash, at_hash=token.at_hash,
request=self.request, request=self.request,
scope=self.params.scope,
) )
else: else:
id_token_dic = {} id_token_dic = {}
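Review bot: In the authorization_code branch the ID token's scope is taken from the token request (`scope=self.params.scope`) rather than from the code being redeemed, so if `self.params.scope` is parsed from the token request body a client could supply a wider scope at exchange time than the user consented to and the new `'email' in scope` gate in create_id_token would release the email claim on that basis; the nonce two lines above is already read from `self.code`, and the scope should come from the same place if the Code model records it, e.g. `scope=self.code.scope,`. The refresh_token branch in the second hunk has the same shape: the scope used for a refreshed ID token should be bounded by the scope stored on the token being refreshed (the userinfo test creates tokens with a `scope=` argument, so it appears to be persisted), not by whatever the refresh request carries. Both `if`/`else` bodies continue outside the hunks.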


@ -17,7 +17,7 @@ from oidc_provider.models import (
from oidc_provider import settings from oidc_provider import settings
def create_id_token(user, aud, nonce, at_hash=None, request=None): def create_id_token(user, aud, nonce, at_hash=None, request=None, scope=[]):
""" """
Creates the id_token dictionary. Creates the id_token dictionary.
See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken
@ -50,7 +50,7 @@ def create_id_token(user, aud, nonce, at_hash=None, request=None):
if at_hash: if at_hash:
dic['at_hash'] = at_hash dic['at_hash'] = at_hash
if getattr(user, 'email', None): if ('email' in scope) and getattr(user, 'email', None):
dic['email'] = user.email dic['email'] = user.email
processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK') processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK')
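Review bot: The new `scope=[]` on create_id_token is a mutable default argument; nothing in this hunk mutates it, but the idiom is `scope=None` in the signature and `scope = scope or []` as the first statement of the body, and the docstring should gain a line describing `scope` as the list of granted scope values that gates the optional claims. The `'email' in scope` test on the last changed line also behaves differently if a caller passes the raw space-separated scope string instead of a list (it becomes a substring match), so the expected type is worth stating in the docstring or normalising with `if isinstance(scope, str): scope = scope.split()`. Any existing external caller that does not pass `scope` now silently loses the email claim, which may deserve a changelog entry. The function body continues outside the hunk.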


@ -11,7 +11,10 @@ import uuid
from django.contrib.auth.models import AnonymousUser from django.contrib.auth.models import AnonymousUser
from django.core.management import call_command from django.core.management import call_command
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.test import RequestFactory from django.test import (
RequestFactory,
override_settings,
)
from django.test import TestCase from django.test import TestCase
from jwkest.jwt import JWT from jwkest.jwt import JWT
@ -457,12 +460,8 @@ class AuthorizationHybridFlowTestCase(TestCase, AuthorizeEndpointMixin):
self.state = uuid.uuid4().hex self.state = uuid.uuid4().hex
self.nonce = uuid.uuid4().hex self.nonce = uuid.uuid4().hex
def test_code_idtoken_token_response(self): # Base data for the auth request.
""" self.data = {
Implicit client requesting `id_token token` receives both id token
and access token as the result of the authorization request.
"""
data = {
'client_id': self.client_code_idtoken_token.client_id, 'client_id': self.client_code_idtoken_token.client_id,
'redirect_uri': self.client_code_idtoken_token.default_redirect_uri, 'redirect_uri': self.client_code_idtoken_token.default_redirect_uri,
'response_type': self.client_code_idtoken_token.response_type, 'response_type': self.client_code_idtoken_token.response_type,
@ -472,7 +471,12 @@ class AuthorizationHybridFlowTestCase(TestCase, AuthorizeEndpointMixin):
'allow': 'Accept', 'allow': 'Accept',
} }
response = self._auth_request('post', data, is_user_authenticated=True) def test_code_idtoken_token_response(self):
"""
Implicit client requesting `id_token token` receives both id token
and access token as the result of the authorization request.
"""
response = self._auth_request('post', self.data, is_user_authenticated=True)
self.assertIn('#', response['Location']) self.assertIn('#', response['Location'])
self.assertIn('access_token', response['Location']) self.assertIn('access_token', response['Location'])
@ -485,3 +489,12 @@ class AuthorizationHybridFlowTestCase(TestCase, AuthorizeEndpointMixin):
user=self.user, user=self.user,
client=self.client_code_idtoken_token) client=self.client_code_idtoken_token)
self.assertEqual(is_code_ok, True, msg='Code returned is invalid.') self.assertEqual(is_code_ok, True, msg='Code returned is invalid.')
@override_settings(OIDC_TOKEN_EXPIRE=36000)
def test_access_token_expiration(self):
"""
Add ten hours of expiration to access_token. Check for the expires_in query in fragment.
"""
response = self._auth_request('post', self.data, is_user_authenticated=True)
self.assertIn('expires_in=36000', response['Location'])
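Review bot: test_access_token_expiration asserts on the substring `'expires_in=36000'` in the raw Location header, which would also pass for a larger value that happens to start with those digits and is coupled to parameter encoding; parse the fragment instead, e.g. `fragment = urlparse(response['Location']).fragment` followed by `self.assertEqual(parse_qs(fragment)['expires_in'], ['36000'])` using stdlib `urllib.parse`. The preceding assertions in test_code_idtoken_token_response use the same substring style but predate this commit. The `self.data` dict added in the second hunk belongs to a setUp whose def line is outside the hunk.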


@ -10,7 +10,10 @@ except ImportError:
from django.core.management import call_command from django.core.management import call_command
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.test import RequestFactory, override_settings from django.test import (
RequestFactory,
override_settings,
)
from django.test import TestCase from django.test import TestCase
from django.utils import timezone from django.utils import timezone
from jwkest.jwk import KEYS from jwkest.jwk import KEYS
@ -148,7 +151,7 @@ class TokenTestCase(TestCase):
self.assertEqual(response_dic['token_type'], 'bearer') self.assertEqual(response_dic['token_type'], 'bearer')
self.assertEqual(response_dic['expires_in'], 720) self.assertEqual(response_dic['expires_in'], 720)
self.assertEqual(id_token['sub'], str(self.user.id)) self.assertEqual(id_token['sub'], str(self.user.id))
self.assertEqual(id_token['aud'], self.client.client_id) self.assertEqual(id_token['aud'], self.client.client_id);
def test_refresh_token(self): def test_refresh_token(self):
""" """
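Review bot: The rewritten assertion `self.assertEqual(id_token['aud'], self.client.client_id);` gains a trailing semicolon that the old line did not have; it is harmless in Python but is not the file's style and reads as an accidental edit, so restore `self.assertEqual(id_token['aud'], self.client.client_id)`. The import regrouping in the first hunk is fine as written.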


@ -34,14 +34,20 @@ class UserInfoTestCase(TestCase):
""" """
Generate a valid token. Generate a valid token.
""" """
id_token_dic = create_id_token(self.user, scope = ['openid', 'email'] + extra_scope
self.client.client_id, FAKE_NONCE)
id_token_dic = create_id_token(
user=self.user,
aud=self.client.client_id,
nonce=FAKE_NONCE,
scope=scope,
)
token = create_token( token = create_token(
user=self.user, user=self.user,
client=self.client, client=self.client,
id_token_dic=id_token_dic, id_token_dic=id_token_dic,
scope=['openid', 'email'] + extra_scope) scope=scope)
token.save() token.save()
return token return token
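Review bot: The fixture now always requests `['openid', 'email']`, so the `'email' in scope` gate this commit adds to create_id_token is only exercised on its positive path here; a companion test that calls the helper with a scope lacking `email` (e.g. `scope=['openid']`) and asserts that the resulting id_token dictionary has no `email` key would pin the new behaviour, since a regression back to unconditional inclusion would pass the current suite. The enclosing helper's def line and its `extra_scope` parameter are outside the hunk.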