261 |
261 |
if extra_id_token:
|
262 |
262 |
id_token.update(extra_id_token)
|
263 |
263 |
|
264 |
|
if oidc_provider.idtoken_algo in (OIDCProvider.ALGO_RSA,
|
265 |
|
OIDCProvider.ALGO_EC):
|
|
264 |
if oidc_provider.idtoken_algo in (OIDCProvider.ALGO_RSA, OIDCProvider.ALGO_EC):
|
266 |
265 |
alg = {
|
267 |
266 |
OIDCProvider.ALGO_RSA: 'RS256',
|
268 |
267 |
OIDCProvider.ALGO_EC: 'ES256',
|
... | ... | |
270 |
269 |
jwk = None
|
271 |
270 |
for key in oidc_provider_jwkset['keys']:
|
272 |
271 |
if key.key_type == {
|
273 |
|
OIDCProvider.ALGO_RSA: 'RSA',
|
274 |
|
OIDCProvider.ALGO_EC: 'EC',
|
275 |
|
}.get(oidc_provider.idtoken_algo):
|
|
272 |
OIDCProvider.ALGO_RSA: 'RSA',
|
|
273 |
OIDCProvider.ALGO_EC: 'EC',
|
|
274 |
}.get(oidc_provider.idtoken_algo):
|
276 |
275 |
jwk = key
|
277 |
276 |
break
|
278 |
277 |
if provides_kid_header:
|
... | ... | |
281 |
280 |
header = {'alg': alg, 'kid': jwk.key_id}
|
282 |
281 |
jwt = JWT(header=header, claims=id_token)
|
283 |
282 |
jwt.make_signed_token(jwk)
|
284 |
|
else: # hmac
|
|
283 |
else: # hmac
|
285 |
284 |
jwt = JWT(header={'alg': 'HS256'},
|
286 |
285 |
claims=id_token)
|
287 |
286 |
k = base64url_encode(oidc_provider.client_secret.encode('utf-8'))
|
... | ... | |
381 |
380 |
|
382 |
381 |
|
383 |
382 |
def test_login_with_conditional_authenticators(oidc_provider, app, settings, caplog):
|
384 |
|
oidc2_provider = OIDCProvider.objects.create(
|
|
383 |
OIDCProvider.objects.create(
|
385 |
384 |
id=2,
|
386 |
385 |
ou=get_default_ou(),
|
387 |
386 |
name='My IDP',
|
... | ... | |
482 |
481 |
assert response['Location'] == '/accounts/oidc/login/%s/' % oidc_provider.pk
|
483 |
482 |
|
484 |
483 |
|
485 |
|
|
486 |
484 |
def test_sso(app, caplog, code, oidc_provider, oidc_provider_jwkset, hooks):
|
487 |
485 |
OU = get_ou_model()
|
488 |
486 |
cassis = OU.objects.create(name='Cassis', slug='cassis')
|
... | ... | |
751 |
749 |
|
752 |
750 |
# test invalid kid
|
753 |
751 |
with utils.check_log(caplog, message='not in key set', levelname='WARNING'):
|
754 |
|
with oidc_provider_mock(oidc_provider_rsa, oidc_provider_jwkset, code, nonce=nonce, provides_kid_header=True, kid='coin'):
|
755 |
|
response = app.get(login_callback_url(oidc_provider_rsa), params={'code': code, 'state': query['state']})
|
|
752 |
with oidc_provider_mock(oidc_provider_rsa, oidc_provider_jwkset, code,
|
|
753 |
nonce=nonce, provides_kid_header=True,
|
|
754 |
kid='coin'):
|
|
755 |
response = app.get(login_callback_url(oidc_provider_rsa),
|
|
756 |
params={'code': code, 'state': query['state']})
|
756 |
757 |
|
757 |
758 |
# test missing kid
|
758 |
759 |
with utils.check_log(caplog, message='Key ID None not in key set', levelname='WARNING'):
|
759 |
|
with oidc_provider_mock(oidc_provider_rsa, oidc_provider_jwkset, code, nonce=nonce, provides_kid_header=True, kid=None):
|
760 |
|
response = app.get(login_callback_url(oidc_provider_rsa), params={'code': code, 'state': query['state']})
|
|
760 |
with oidc_provider_mock(oidc_provider_rsa, oidc_provider_jwkset, code,
|
|
761 |
nonce=nonce, provides_kid_header=True,
|
|
762 |
kid=None):
|
|
763 |
response = app.get(login_callback_url(oidc_provider_rsa),
|
|
764 |
params={'code': code, 'state': query['state']})
|
761 |
765 |
|
762 |
766 |
|
763 |
767 |
def test_templated_claim_mapping(app, caplog, code, oidc_provider, oidc_provider_jwkset):
|
... | ... | |
816 |
820 |
nonce = app.session['auth_oidc'][state]['request']['nonce']
|
817 |
821 |
|
818 |
822 |
with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, nonce=nonce):
|
819 |
|
response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': query['state']}).maybe_follow()
|
|
823 |
response = app.get(login_callback_url(oidc_provider),
|
|
824 |
params={'code': code, 'state': query['state']}).maybe_follow()
|
820 |
825 |
|
821 |
826 |
assert User.objects.count() == 1
|
822 |
827 |
user = User.objects.first()
|
823 |
|
-
|