1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
# -*- coding: utf-8 -*-
import json
from oauthlib.oauth2 import MetadataEndpoint, Server, TokenEndpoint
from tests.unittest import TestCase
class MetadataEndpointTest(TestCase):
def setUp(self):
self.metadata = {
"issuer": 'https://foo.bar'
}
def test_openid_oauth2_preconfigured(self):
default_claims = {
"issuer": 'https://foo.bar',
"authorization_endpoint": "https://foo.bar/authorize",
"revocation_endpoint": "https://foo.bar/revoke",
"introspection_endpoint": "https://foo.bar/introspect",
"token_endpoint": "https://foo.bar/token"
}
from oauthlib.oauth2 import Server as OAuth2Server
from oauthlib.openid import Server as OpenIDServer
endpoint = OAuth2Server(None)
metadata = MetadataEndpoint([endpoint], default_claims)
oauth2_claims = metadata.claims
endpoint = OpenIDServer(None)
metadata = MetadataEndpoint([endpoint], default_claims)
openid_claims = metadata.claims
# Pure OAuth2 Authorization Metadata are similar with OpenID but
# response_type not! (OIDC contains "id_token" and hybrid flows)
del oauth2_claims['response_types_supported']
del openid_claims['response_types_supported']
self.maxDiff = None
self.assertEqual(openid_claims, oauth2_claims)
def test_create_metadata_response(self):
endpoint = TokenEndpoint(None, None, grant_types={"password": None})
metadata = MetadataEndpoint([endpoint], {
"issuer": 'https://foo.bar',
"token_endpoint": "https://foo.bar/token"
})
headers, body, status = metadata.create_metadata_response('/', 'GET')
assert headers == {
'Content-Type': 'application/json',
'Access-Control-Allow-Origin': '*',
}
claims = json.loads(body)
assert claims['issuer'] == 'https://foo.bar'
def test_token_endpoint(self):
endpoint = TokenEndpoint(None, None, grant_types={"password": None})
metadata = MetadataEndpoint([endpoint], {
"issuer": 'https://foo.bar',
"token_endpoint": "https://foo.bar/token"
})
self.assertIn("grant_types_supported", metadata.claims)
self.assertEqual(metadata.claims["grant_types_supported"], ["password"])
def test_token_endpoint_overridden(self):
endpoint = TokenEndpoint(None, None, grant_types={"password": None})
metadata = MetadataEndpoint([endpoint], {
"issuer": 'https://foo.bar',
"token_endpoint": "https://foo.bar/token",
"grant_types_supported": ["pass_word_special_provider"]
})
self.assertIn("grant_types_supported", metadata.claims)
self.assertEqual(metadata.claims["grant_types_supported"], ["pass_word_special_provider"])
def test_mandatory_fields(self):
metadata = MetadataEndpoint([], self.metadata)
self.assertIn("issuer", metadata.claims)
self.assertEqual(metadata.claims["issuer"], 'https://foo.bar')
def test_server_metadata(self):
endpoint = Server(None)
metadata = MetadataEndpoint([endpoint], {
"issuer": 'https://foo.bar',
"authorization_endpoint": "https://foo.bar/authorize",
"introspection_endpoint": "https://foo.bar/introspect",
"revocation_endpoint": "https://foo.bar/revoke",
"token_endpoint": "https://foo.bar/token",
"jwks_uri": "https://foo.bar/certs",
"scopes_supported": ["email", "profile"]
})
expected_claims = {
"issuer": "https://foo.bar",
"authorization_endpoint": "https://foo.bar/authorize",
"introspection_endpoint": "https://foo.bar/introspect",
"revocation_endpoint": "https://foo.bar/revoke",
"token_endpoint": "https://foo.bar/token",
"jwks_uri": "https://foo.bar/certs",
"scopes_supported": ["email", "profile"],
"grant_types_supported": [
"authorization_code",
"password",
"client_credentials",
"refresh_token",
"implicit"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic"
],
"response_types_supported": [
"code",
"token"
],
"response_modes_supported": [
"query",
"fragment"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"revocation_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic"
],
"introspection_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic"
]
}
def sort_list(claims):
for k in claims.keys():
claims[k] = sorted(claims[k])
sort_list(metadata.claims)
sort_list(expected_claims)
self.assertEqual(sorted(metadata.claims.items()), sorted(expected_claims.items()))
def test_metadata_validate_issuer(self):
with self.assertRaises(ValueError):
endpoint = TokenEndpoint(
None, None, grant_types={"password": None},
)
metadata = MetadataEndpoint([endpoint], {
"issuer": 'http://foo.bar',
"token_endpoint": "https://foo.bar/token",
})
|
