| 261 |
261 |
if extra_id_token:
|
| 262 |
262 |
id_token.update(extra_id_token)
|
| 263 |
263 |
|
| 264 |
|
if oidc_provider.idtoken_algo in (OIDCProvider.ALGO_RSA,
|
| 265 |
|
OIDCProvider.ALGO_EC):
|
|
264 |
if oidc_provider.idtoken_algo in (OIDCProvider.ALGO_RSA, OIDCProvider.ALGO_EC):
|
| 266 |
265 |
alg = {
|
| 267 |
266 |
OIDCProvider.ALGO_RSA: 'RS256',
|
| 268 |
267 |
OIDCProvider.ALGO_EC: 'ES256',
|
| ... | ... | |
| 270 |
269 |
jwk = None
|
| 271 |
270 |
for key in oidc_provider_jwkset['keys']:
|
| 272 |
271 |
if key.key_type == {
|
| 273 |
|
OIDCProvider.ALGO_RSA: 'RSA',
|
| 274 |
|
OIDCProvider.ALGO_EC: 'EC',
|
| 275 |
|
}.get(oidc_provider.idtoken_algo):
|
|
272 |
OIDCProvider.ALGO_RSA: 'RSA',
|
|
273 |
OIDCProvider.ALGO_EC: 'EC',
|
|
274 |
}.get(oidc_provider.idtoken_algo):
|
| 276 |
275 |
jwk = key
|
| 277 |
276 |
break
|
| 278 |
277 |
if provides_kid_header:
|
| ... | ... | |
| 281 |
280 |
header = {'alg': alg, 'kid': jwk.key_id}
|
| 282 |
281 |
jwt = JWT(header=header, claims=id_token)
|
| 283 |
282 |
jwt.make_signed_token(jwk)
|
| 284 |
|
else: # hmac
|
|
283 |
else: # hmac
|
| 285 |
284 |
jwt = JWT(header={'alg': 'HS256'},
|
| 286 |
285 |
claims=id_token)
|
| 287 |
286 |
k = base64url_encode(oidc_provider.client_secret.encode('utf-8'))
|
| ... | ... | |
| 381 |
380 |
|
| 382 |
381 |
|
| 383 |
382 |
def test_login_with_conditional_authenticators(oidc_provider, app, settings, caplog):
|
| 384 |
|
oidc2_provider = OIDCProvider.objects.create(
|
|
383 |
OIDCProvider.objects.create(
|
| 385 |
384 |
id=2,
|
| 386 |
385 |
ou=get_default_ou(),
|
| 387 |
386 |
name='My IDP',
|
| ... | ... | |
| 482 |
481 |
assert response['Location'] == '/accounts/oidc/login/%s/' % oidc_provider.pk
|
| 483 |
482 |
|
| 484 |
483 |
|
| 485 |
|
|
| 486 |
484 |
def test_sso(app, caplog, code, oidc_provider, oidc_provider_jwkset, hooks):
|
| 487 |
485 |
OU = get_ou_model()
|
| 488 |
486 |
cassis = OU.objects.create(name='Cassis', slug='cassis')
|
| ... | ... | |
| 751 |
749 |
|
| 752 |
750 |
# test invalid kid
|
| 753 |
751 |
with utils.check_log(caplog, message='not in key set', levelname='WARNING'):
|
| 754 |
|
with oidc_provider_mock(oidc_provider_rsa, oidc_provider_jwkset, code, nonce=nonce, provides_kid_header=True, kid='coin'):
|
| 755 |
|
response = app.get(login_callback_url(oidc_provider_rsa), params={'code': code, 'state': query['state']})
|
|
752 |
with oidc_provider_mock(oidc_provider_rsa, oidc_provider_jwkset, code,
|
|
753 |
nonce=nonce, provides_kid_header=True,
|
|
754 |
kid='coin'):
|
|
755 |
response = app.get(login_callback_url(oidc_provider_rsa),
|
|
756 |
params={'code': code, 'state': query['state']})
|
| 756 |
757 |
|
| 757 |
758 |
# test missing kid
|
| 758 |
759 |
with utils.check_log(caplog, message='Key ID None not in key set', levelname='WARNING'):
|
| 759 |
|
with oidc_provider_mock(oidc_provider_rsa, oidc_provider_jwkset, code, nonce=nonce, provides_kid_header=True, kid=None):
|
| 760 |
|
response = app.get(login_callback_url(oidc_provider_rsa), params={'code': code, 'state': query['state']})
|
|
760 |
with oidc_provider_mock(oidc_provider_rsa, oidc_provider_jwkset, code,
|
|
761 |
nonce=nonce, provides_kid_header=True,
|
|
762 |
kid=None):
|
|
763 |
response = app.get(login_callback_url(oidc_provider_rsa),
|
|
764 |
params={'code': code, 'state': query['state']})
|
| 761 |
765 |
|
| 762 |
766 |
|
| 763 |
767 |
def test_templated_claim_mapping(app, caplog, code, oidc_provider, oidc_provider_jwkset):
|
| ... | ... | |
| 816 |
820 |
nonce = app.session['auth_oidc'][state]['request']['nonce']
|
| 817 |
821 |
|
| 818 |
822 |
with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, nonce=nonce):
|
| 819 |
|
response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': query['state']}).maybe_follow()
|
|
823 |
response = app.get(login_callback_url(oidc_provider),
|
|
824 |
params={'code': code, 'state': query['state']}).maybe_follow()
|
| 820 |
825 |
|
| 821 |
826 |
assert User.objects.count() == 1
|
| 822 |
827 |
user = User.objects.first()
|
| 823 |
|
-
|