496 |
496 |
assert location.netloc == endpoint.netloc
|
497 |
497 |
assert location.path == endpoint.path
|
498 |
498 |
query = check_simple_qs(urlparse.parse_qs(location.query))
|
499 |
|
assert query['state'] in app.session['auth_oidc']
|
|
499 |
state = query['state'].split()[0]
|
|
500 |
assert state in app.session['auth_oidc']
|
500 |
501 |
assert query['response_type'] == 'code'
|
501 |
502 |
assert query['client_id'] == str(oidc_provider.client_id)
|
502 |
503 |
assert query['scope'] == 'openid'
|
503 |
504 |
assert query['redirect_uri'] == 'http://testserver' + reverse('oidc-login-callback')
|
504 |
505 |
# get the nonce
|
505 |
|
nonce = app.session['auth_oidc'][query['state']]['request']['nonce']
|
|
506 |
nonce = app.session['auth_oidc'][state]['request']['nonce']
|
506 |
507 |
|
507 |
508 |
if oidc_provider.claims_parameter_supported:
|
508 |
509 |
claims = json.loads(query['claims'])
|
... | ... | |
627 |
628 |
response = response.click(oidc_provider.name)
|
628 |
629 |
location = urlparse.urlparse(response.location)
|
629 |
630 |
query = check_simple_qs(urlparse.parse_qs(location.query))
|
630 |
|
nonce = app.session['auth_oidc'][query['state']]['request']['nonce']
|
|
631 |
state = query['state'].split()[0]
|
|
632 |
nonce = app.session['auth_oidc'][state]['request']['nonce']
|
631 |
633 |
|
632 |
634 |
# sub=john.doe, MUST not work
|
633 |
635 |
with utils.check_log(caplog, 'cannot create user'):
|
... | ... | |
669 |
671 |
response = response.click(oidc_provider.name)
|
670 |
672 |
location = urlparse.urlparse(response.location)
|
671 |
673 |
query = check_simple_qs(urlparse.parse_qs(location.query))
|
672 |
|
nonce = app.session['auth_oidc'][query['state']]['request']['nonce']
|
|
674 |
state = query['state'].split()[0]
|
|
675 |
nonce = app.session['auth_oidc'][state]['request']['nonce']
|
673 |
676 |
|
674 |
677 |
# sub=john.doe
|
675 |
678 |
with utils.check_log(caplog, 'auth_oidc: created user'):
|
... | ... | |
743 |
746 |
response = response.click(oidc_provider_rsa.name)
|
744 |
747 |
location = urlparse.urlparse(response.location)
|
745 |
748 |
query = check_simple_qs(urlparse.parse_qs(location.query))
|
746 |
|
nonce = app.session['auth_oidc'][query['state']]['request']['nonce']
|
|
749 |
state = query['state'].split()[0]
|
|
750 |
nonce = app.session['auth_oidc'][state]['request']['nonce']
|
747 |
751 |
|
748 |
752 |
# test invalid kid
|
749 |
753 |
with utils.check_log(caplog, message='not in key set', levelname='WARNING'):
|
... | ... | |
808 |
812 |
response = response.click(oidc_provider.name)
|
809 |
813 |
location = urlparse.urlparse(response.location)
|
810 |
814 |
query = check_simple_qs(urlparse.parse_qs(location.query))
|
811 |
|
nonce = app.session['auth_oidc'][query['state']]['request']['nonce']
|
|
815 |
state = query['state'].split()[0]
|
|
816 |
nonce = app.session['auth_oidc'][state]['request']['nonce']
|
812 |
817 |
|
813 |
818 |
with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, nonce=nonce):
|
814 |
819 |
response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': query['state']}).maybe_follow()
|
... | ... | |
822 |
827 |
assert user.last_name == 'DOE'
|
823 |
828 |
# typo in template string, no rendering
|
824 |
829 |
assert user.first_name == '{{ given_name'
|
|
830 |
|
|
831 |
|
|
832 |
def test_lost_state(app, caplog, code, oidc_provider, oidc_provider_jwkset, hooks):
|
|
833 |
response = app.get('/login/?next=/whatever/')
|
|
834 |
assert oidc_provider.name in response.text
|
|
835 |
response = response.click(oidc_provider.name)
|
|
836 |
qs = urlparse.parse_qs(urlparse.urlparse(response.location).query)
|
|
837 |
state = qs['state'][0]
|
|
838 |
assert ' /whatever/' in state
|
|
839 |
nonce = app.session['auth_oidc'][state.split()[0]]['request']['nonce']
|
|
840 |
|
|
841 |
# reset the session to forget the state
|
|
842 |
app.session.flush()
|
|
843 |
|
|
844 |
caplog.clear()
|
|
845 |
with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, nonce=nonce):
|
|
846 |
response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
|
|
847 |
# not logged
|
|
848 |
assert 'auth_oidc: state lost' == caplog.records[-1].message
|
|
849 |
# event is recorded
|
|
850 |
assert '_auth_user_id' not in app.session
|
|
851 |
# we are automatically redirected to our destination
|
|
852 |
assert response.location == '/whatever/'
|
825 |
|
-
|
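Review bot: `test_lost_state` only exercises a same-site relative path (`/whatever/`) as the destination carried in `state`, so it does not show that the lost-state redirect is confined to local URLs. Once the session is flushed the callback has nothing stored to match `state` against, so the part after the space comes from the request alone; the handler is not visible on this page, so whether it validates that value cannot be confirmed here. A second case would pin it, for example (constructed value) `params={'code': code, 'state': state.split()[0] + ' https://other.example/'}` followed by `assert response.location != 'https://other.example/'`. The two comments above the last assertions also look swapped: `# not logged` sits over the log-message check and `# event is recorded` over the `_auth_user_id` check; `# the lost state is logged` and `# the user is not logged in` would match what is asserted.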