canaille-globuzma/tests/oidc/test_implicit_flow.py

from urllib.parse import parse_qs
from urllib.parse import urlsplit

from authlib.jose import jwt

from canaille.app import models


def test_oauth_implicit(testclient, user, client, backend):
    client.grant_types = ["token"]
    client.token_endpoint_auth_method = "none"

    backend.save(client)

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="token",
            client_id=client.client_id,
            scope="profile",
            nonce="somenonce",
        ),
    ).follow()
    assert "text/html" == res.content_type

    res.form["login"] = "user"
    res = res.form.submit(status=302).follow()

    res.form["password"] = "correct horse battery staple"
    res = res.form.submit(status=302).follow()

    assert "text/html" == res.content_type, res.json

    res = res.form.submit(name="answer", value="accept", status=302)

    assert res.location.startswith(client.redirect_uris[0])
    params = parse_qs(urlsplit(res.location).fragment)

    access_token = params["access_token"][0]
    token = backend.get(models.Token, access_token=access_token)
    assert token is not None

    res = testclient.get(
        "/oauth/userinfo", headers={"Authorization": f"Bearer {access_token}"}
    )
    assert "application/json" == res.content_type
    assert res.json["name"] == "John (johnny) Doe"

    client.grant_types = ["code"]
    client.token_endpoint_auth_method = "client_secret_basic"
    backend.save(client)


def test_oidc_implicit(testclient, keypair, user, client, trusted_client, backend):
    client.grant_types = ["token id_token"]
    client.token_endpoint_auth_method = "none"

    backend.save(client)

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="id_token token",
            client_id=client.client_id,
            scope="openid profile",
            nonce="somenonce",
        ),
    ).follow()
    assert "text/html" == res.content_type

    res.form["login"] = "user"
    res = res.form.submit(status=302).follow()

    res.form["password"] = "correct horse battery staple"
    res = res.form.submit(status=302).follow()

    assert "text/html" == res.content_type, res.json

    res = res.form.submit(name="answer", value="accept", status=302)

    assert res.location.startswith(client.redirect_uris[0])
    params = parse_qs(urlsplit(res.location).fragment)

    access_token = params["access_token"][0]
    token = backend.get(models.Token, access_token=access_token)
    assert token is not None

    id_token = params["id_token"][0]
    claims = jwt.decode(id_token, keypair[1])
    assert user.user_name == claims["sub"]
    assert user.formatted_name == claims["name"]
    assert [client.client_id, trusted_client.client_id] == claims["aud"]

    res = testclient.get(
        "/oauth/userinfo",
        headers={"Authorization": f"Bearer {access_token}"},
        status=200,
    )
    assert "application/json" == res.content_type
    assert res.json["name"] == "John (johnny) Doe"

    client.grant_types = ["code"]
    client.token_endpoint_auth_method = "client_secret_basic"
    backend.save(client)


def test_oidc_implicit_with_group(
    testclient, keypair, user, client, foo_group, trusted_client, backend
):
    client.grant_types = ["token id_token"]
    client.token_endpoint_auth_method = "none"

    backend.save(client)

    res = testclient.get(
        "/oauth/authorize",
        params=dict(
            response_type="id_token token",
            client_id=client.client_id,
            scope="openid profile groups",
            nonce="somenonce",
        ),
    ).follow()
    assert "text/html" == res.content_type

    res.form["login"] = "user"
    res = res.form.submit(status=302).follow()

    res.form["password"] = "correct horse battery staple"
    res = res.form.submit(status=302).follow()

    assert "text/html" == res.content_type, res.json

    res = res.form.submit(name="answer", value="accept", status=302)

    assert res.location.startswith(client.redirect_uris[0])
    params = parse_qs(urlsplit(res.location).fragment)

    access_token = params["access_token"][0]
    token = backend.get(models.Token, access_token=access_token)
    assert token is not None

    id_token = params["id_token"][0]
    claims = jwt.decode(id_token, keypair[1])
    assert user.user_name == claims["sub"]
    assert user.formatted_name == claims["name"]
    assert [client.client_id, trusted_client.client_id] == claims["aud"]
    assert ["foo"] == claims["groups"]

    res = testclient.get(
        "/oauth/userinfo",
        headers={"Authorization": f"Bearer {access_token}"},
        status=200,
    )
    assert "application/json" == res.content_type
    assert res.json["name"] == "John (johnny) Doe"

    client.grant_types = ["code"]
    client.token_endpoint_auth_method = "client_secret_basic"
    backend.save(client)
pre-commit tox test 2021-12-20 22:57:27 +00:00			`from urllib.parse import parse_qs`
			`from urllib.parse import urlsplit`

oidc implicit flow test 2020-08-23 17:56:37 +00:00			`from authlib.jose import jwt`
chore: use isort instead of reoder-python-imports 2024-03-15 18:58:06 +00:00
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
wip 2020-08-20 14:02:14 +00:00

refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`def test_oauth_implicit(testclient, user, client, backend):`
Variable renaming 2022-10-17 15:49:52 +00:00			`client.grant_types = ["token"]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client.token_endpoint_auth_method = "none"`
wip 2020-08-20 14:02:14 +00:00
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`
wip 2020-08-20 14:02:14 +00:00
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="token",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=client.client_id,`
wip 2020-08-20 14:02:14 +00:00			`scope="profile",`
			`nonce="somenonce",`
			`),`
feat: user login redirections if users login during the authorization phase, they get redirected to the authorization page afterwards 2023-08-31 16:49:31 +00:00			`).follow()`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`assert "text/html" == res.content_type`
wip 2020-08-20 14:02:14 +00:00
Consent page UX minor enhancement. #20 2020-10-28 18:12:08 +00:00			`res.form["login"] = "user"`
feat: user login redirections if users login during the authorization phase, they get redirected to the authorization page afterwards 2023-08-31 16:49:31 +00:00			`res = res.form.submit(status=302).follow()`

wip 2020-08-20 14:02:14 +00:00			`res.form["password"] = "correct horse battery staple"`
feat: user login redirections if users login during the authorization phase, they get redirected to the authorization page afterwards 2023-08-31 16:49:31 +00:00			`res = res.form.submit(status=302).follow()`
wip 2020-08-20 14:02:14 +00:00
Correctly use webtest 2020-10-30 22:41:02 +00:00			`assert "text/html" == res.content_type, res.json`
wip 2020-08-20 14:02:14 +00:00
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.form.submit(name="answer", value="accept", status=302)`
wip 2020-08-20 14:02:14 +00:00
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`assert res.location.startswith(client.redirect_uris[0])`
wip 2020-08-20 14:02:14 +00:00			`params = parse_qs(urlsplit(res.location).fragment)`
oidc implicit flow test 2020-08-23 17:56:37 +00:00
wip 2020-08-20 14:02:14 +00:00			`access_token = params["access_token"][0]`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`token = backend.get(models.Token, access_token=access_token)`
oidc implicit flow test 2020-08-23 17:56:37 +00:00			`assert token is not None`

Userinfo endpoint 2020-09-25 09:26:41 +00:00			`res = testclient.get(`
			`"/oauth/userinfo", headers={"Authorization": f"Bearer {access_token}"}`
			`)`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`assert "application/json" == res.content_type`
unit tests: userinfo 2022-12-24 00:44:16 +00:00			`assert res.json["name"] == "John (johnny) Doe"`
oidc implicit flow test 2020-08-23 17:56:37 +00:00
Variable renaming 2022-10-17 15:49:52 +00:00			`client.grant_types = ["code"]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client.token_endpoint_auth_method = "client_secret_basic"`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`
wip 2020-08-20 14:02:14 +00:00
oidc implicit flow test 2020-08-23 17:56:37 +00:00
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`def test_oidc_implicit(testclient, keypair, user, client, trusted_client, backend):`
Variable renaming 2022-10-17 15:49:52 +00:00			`client.grant_types = ["token id_token"]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client.token_endpoint_auth_method = "none"`
oidc implicit flow test 2020-08-23 17:56:37 +00:00
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`
oidc implicit flow test 2020-08-23 17:56:37 +00:00
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="id_token token",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=client.client_id,`
oidc implicit flow test 2020-08-23 17:56:37 +00:00			`scope="openid profile",`
			`nonce="somenonce",`
			`),`
feat: user login redirections if users login during the authorization phase, they get redirected to the authorization page afterwards 2023-08-31 16:49:31 +00:00			`).follow()`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`assert "text/html" == res.content_type`
oidc implicit flow test 2020-08-23 17:56:37 +00:00
Consent page UX minor enhancement. #20 2020-10-28 18:12:08 +00:00			`res.form["login"] = "user"`
feat: user login redirections if users login during the authorization phase, they get redirected to the authorization page afterwards 2023-08-31 16:49:31 +00:00			`res = res.form.submit(status=302).follow()`

oidc implicit flow test 2020-08-23 17:56:37 +00:00			`res.form["password"] = "correct horse battery staple"`
feat: user login redirections if users login during the authorization phase, they get redirected to the authorization page afterwards 2023-08-31 16:49:31 +00:00			`res = res.form.submit(status=302).follow()`
oidc implicit flow test 2020-08-23 17:56:37 +00:00
Correctly use webtest 2020-10-30 22:41:02 +00:00			`assert "text/html" == res.content_type, res.json`
oidc implicit flow test 2020-08-23 17:56:37 +00:00
Correctly use webtest 2020-10-30 22:41:02 +00:00			`res = res.form.submit(name="answer", value="accept", status=302)`
oidc implicit flow test 2020-08-23 17:56:37 +00:00
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`assert res.location.startswith(client.redirect_uris[0])`
oidc implicit flow test 2020-08-23 17:56:37 +00:00			`params = parse_qs(urlsplit(res.location).fragment)`

			`access_token = params["access_token"][0]`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`token = backend.get(models.Token, access_token=access_token)`
wip 2020-08-20 14:02:14 +00:00			`assert token is not None`

oidc implicit flow test 2020-08-23 17:56:37 +00:00			`id_token = params["id_token"][0]`
Use private/public keys to sign JWTs 2020-08-28 14:07:39 +00:00			`claims = jwt.decode(id_token, keypair[1])`
refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`assert user.user_name == claims["sub"]`
			`assert user.formatted_name == claims["name"]`
tests: renamed other_client fixture in trusted_client 2023-12-23 16:23:19 +00:00			`assert [client.client_id, trusted_client.client_id] == claims["aud"]`
oidc implicit flow test 2020-08-23 17:56:37 +00:00
Userinfo endpoint 2020-09-25 09:26:41 +00:00			`res = testclient.get(`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`"/oauth/userinfo",`
			`headers={"Authorization": f"Bearer {access_token}"},`
			`status=200,`
Userinfo endpoint 2020-09-25 09:26:41 +00:00			`)`
Correctly use webtest 2020-10-30 22:41:02 +00:00			`assert "application/json" == res.content_type`
unit tests: userinfo 2022-12-24 00:44:16 +00:00			`assert res.json["name"] == "John (johnny) Doe"`
Add groups claim and scope 2021-06-03 15:24:36 +00:00
Variable renaming 2022-10-17 15:49:52 +00:00			`client.grant_types = ["code"]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client.token_endpoint_auth_method = "client_secret_basic"`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`
Add groups claim and scope 2021-06-03 15:24:36 +00:00

black 2021-09-28 07:30:41 +00:00			`def test_oidc_implicit_with_group(`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`testclient, keypair, user, client, foo_group, trusted_client, backend`
black 2021-09-28 07:30:41 +00:00			`):`
Variable renaming 2022-10-17 15:49:52 +00:00			`client.grant_types = ["token id_token"]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client.token_endpoint_auth_method = "none"`
Add groups claim and scope 2021-06-03 15:24:36 +00:00
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`
Add groups claim and scope 2021-06-03 15:24:36 +00:00
			`res = testclient.get(`
			`"/oauth/authorize",`
			`params=dict(`
			`response_type="id_token token",`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client_id=client.client_id,`
Add groups claim and scope 2021-06-03 15:24:36 +00:00			`scope="openid profile groups",`
			`nonce="somenonce",`
			`),`
feat: user login redirections if users login during the authorization phase, they get redirected to the authorization page afterwards 2023-08-31 16:49:31 +00:00			`).follow()`
Add groups claim and scope 2021-06-03 15:24:36 +00:00			`assert "text/html" == res.content_type`

			`res.form["login"] = "user"`
feat: user login redirections if users login during the authorization phase, they get redirected to the authorization page afterwards 2023-08-31 16:49:31 +00:00			`res = res.form.submit(status=302).follow()`

Add groups claim and scope 2021-06-03 15:24:36 +00:00			`res.form["password"] = "correct horse battery staple"`
feat: user login redirections if users login during the authorization phase, they get redirected to the authorization page afterwards 2023-08-31 16:49:31 +00:00			`res = res.form.submit(status=302).follow()`
Add groups claim and scope 2021-06-03 15:24:36 +00:00
			`assert "text/html" == res.content_type, res.json`

			`res = res.form.submit(name="answer", value="accept", status=302)`

LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`assert res.location.startswith(client.redirect_uris[0])`
Add groups claim and scope 2021-06-03 15:24:36 +00:00			`params = parse_qs(urlsplit(res.location).fragment)`

			`access_token = params["access_token"][0]`
refactor: move BackendModel.get to Backend.get 2024-04-14 15:30:59 +00:00			`token = backend.get(models.Token, access_token=access_token)`
Add groups claim and scope 2021-06-03 15:24:36 +00:00			`assert token is not None`

			`id_token = params["id_token"][0]`
			`claims = jwt.decode(id_token, keypair[1])`
refactor: models attributes cardinality is closer to SCIM models 2023-11-15 17:20:13 +00:00			`assert user.user_name == claims["sub"]`
			`assert user.formatted_name == claims["name"]`
tests: renamed other_client fixture in trusted_client 2023-12-23 16:23:19 +00:00			`assert [client.client_id, trusted_client.client_id] == claims["aud"]`
Add groups claim and scope 2021-06-03 15:24:36 +00:00			`assert ["foo"] == claims["groups"]`

			`res = testclient.get(`
			`"/oauth/userinfo",`
			`headers={"Authorization": f"Bearer {access_token}"},`
			`status=200,`
			`)`
			`assert "application/json" == res.content_type`
unit tests: userinfo 2022-12-24 00:44:16 +00:00			`assert res.json["name"] == "John (johnny) Doe"`
wip 2020-08-20 14:02:14 +00:00
Variable renaming 2022-10-17 15:49:52 +00:00			`client.grant_types = ["code"]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`client.token_endpoint_auth_method = "client_secret_basic"`
refactor: move BackendModel.save to Backend.save 2024-04-14 18:31:43 +00:00			`backend.save(client)`