470 |
470 |
|
471 |
471 |
|
472 |
472 |
@pytest.mark.parametrize('oidc_client', OIDC_CLIENT_PARAMS, indirect=True)
|
473 |
|
def test_invalid_request(oidc_client, caplog, oidc_settings, simple_user, app, make_client):
|
|
473 |
def test_invalid_request(oidc_client, caplog, oidc_settings, simple_user, app, make_client, app_factory):
|
474 |
474 |
redirect_uri = oidc_client.redirect_uris.split()[0]
|
475 |
475 |
if oidc_client.authorization_flow == oidc_client.FLOW_AUTHORIZATION_CODE:
|
476 |
476 |
fragment = False
|
... | ... | |
864 |
864 |
|
865 |
865 |
# check expired codes
|
866 |
866 |
if oidc_client.authorization_flow == oidc_client.FLOW_AUTHORIZATION_CODE:
|
|
867 |
rp_app = app_factory()
|
867 |
868 |
assert OIDCCode.objects.count() == 1
|
868 |
869 |
oidc_code = OIDCCode.objects.get()
|
869 |
870 |
assert oidc_code.is_valid()
|
... | ... | |
880 |
881 |
'grant_type': 'authorization_code',
|
881 |
882 |
'redirect_uri': oidc_client.redirect_uris.split()[0],
|
882 |
883 |
}
|
883 |
|
response = app.post(
|
|
884 |
response = rp_app.post(
|
884 |
885 |
token_url, params=params, headers=client_authentication_headers(oidc_client), status=400
|
885 |
886 |
)
|
886 |
887 |
assert response.json['error'] == 'invalid_request'
|
... | ... | |
889 |
890 |
params['code'] = code
|
890 |
891 |
|
891 |
892 |
# wrong redirect_uri
|
892 |
|
response = app.post(
|
|
893 |
response = rp_app.post(
|
893 |
894 |
token_url,
|
894 |
895 |
params=dict(params, redirect_uri='https://example.com/'),
|
895 |
896 |
headers=client_authentication_headers(oidc_client),
|
... | ... | |
901 |
902 |
assert response.json['client_id'] == '1234'
|
902 |
903 |
|
903 |
904 |
# unknown code
|
904 |
|
response = app.post(
|
|
905 |
response = rp_app.post(
|
905 |
906 |
token_url,
|
906 |
907 |
params=dict(params, code='xyz'),
|
907 |
908 |
headers=client_authentication_headers(oidc_client),
|
... | ... | |
909 |
910 |
)
|
910 |
911 |
assert 'error' in response.json
|
911 |
912 |
assert response.json['error'] == 'invalid_grant'
|
912 |
|
assert response.json['error_description'] == 'Code is unknown.'
|
|
913 |
assert response.json['error_description'] == 'Code is unknown or has expired.'
|
913 |
914 |
assert response.json['client_id'] == '1234'
|
914 |
915 |
|
915 |
916 |
# code from another client
|
916 |
|
other_client = make_client(app, params={'slug': 'other', 'name': 'other', 'client_id': 'abcd'})
|
|
917 |
other_client = make_client(rp_app, params={'slug': 'other', 'name': 'other', 'client_id': 'abcd'})
|
917 |
918 |
other_oidc_code = OIDCCode.objects.create(
|
918 |
919 |
client=other_client,
|
919 |
920 |
user=oidc_code.user,
|
... | ... | |
926 |
927 |
auth_time=now(),
|
927 |
928 |
session_key=oidc_code.session_key,
|
928 |
929 |
)
|
929 |
|
response = app.post(
|
|
930 |
response = rp_app.post(
|
930 |
931 |
token_url,
|
931 |
932 |
params=dict(params, code=other_oidc_code.uuid),
|
932 |
933 |
headers=client_authentication_headers(oidc_client),
|
... | ... | |
939 |
940 |
other_oidc_code.delete()
|
940 |
941 |
other_client.delete()
|
941 |
942 |
|
|
943 |
# simulate expired session
|
|
944 |
from django.contrib.sessions.models import Session
|
|
945 |
|
|
946 |
session = Session.objects.get(session_key=oidc_code.session_key)
|
|
947 |
Session.objects.filter(pk=session.pk).delete()
|
|
948 |
response = rp_app.post(
|
|
949 |
token_url, params=params, headers=client_authentication_headers(oidc_client), status=400
|
|
950 |
)
|
|
951 |
assert 'error' in response.json
|
|
952 |
assert response.json['error'] == 'invalid_grant'
|
|
953 |
assert response.json['error_description'] == 'User is disconnected or session was lost.'
|
|
954 |
assert response.json['client_id'] == '1234'
|
|
955 |
session.save()
|
|
956 |
|
942 |
957 |
# make code expire
|
943 |
958 |
oidc_code.expired = now() - datetime.timedelta(seconds=120)
|
944 |
959 |
assert not oidc_code.is_valid()
|
945 |
960 |
oidc_code.save()
|
946 |
961 |
|
947 |
962 |
# expired code
|
948 |
|
response = app.post(
|
|
963 |
response = rp_app.post(
|
949 |
964 |
token_url, params=params, headers=client_authentication_headers(oidc_client), status=400
|
950 |
965 |
)
|
951 |
966 |
assert 'error' in response.json
|
952 |
967 |
assert response.json['error'] == 'invalid_grant'
|
953 |
|
assert (
|
954 |
|
response.json['error_description']
|
955 |
|
== 'Code has expired, user is disconnected or session was lost.'
|
956 |
|
)
|
|
968 |
assert response.json['error_description'] == 'Code is unknown or has expired.'
|
957 |
969 |
assert response.json['client_id'] == '1234'
|
958 |
970 |
|
959 |
971 |
# invalid logout
|
960 |
|
-
|