From 85e6902e5b2476323b0b7c3453133f73a7d11c25 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 23 Jan 2020 00:22:12 +0100
Subject: [PATCH 3/3] ajustements 2
---
 src/authentic2_idp_oidc/utils.py | 3 ++-
 src/authentic2_idp_oidc/views.py | 7 +++++--
 tests/test_idp_oidc.py | 23 +++++++++++++++++++++--
 3 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/src/authentic2_idp_oidc/utils.py b/src/authentic2_idp_oidc/utils.py
index 39041baf..edfe9645 100644
--- a/src/authentic2_idp_oidc/utils.py
+++ b/src/authentic2_idp_oidc/utils.py
@@ -181,8 +181,9 @@ def normalize_claim_values(values):
 def create_user_info(request, client, user, scope_set, id_token=False):
 '''Create user info dictionary'''
 user_info = {
- 'sub': make_sub(client, user)
 }
+ if 'openid' in scope_set:
+ user_info['sub'] = make_sub(client, user)
 attributes = get_attributes({
 'user': user,
 'request': request,
diff --git a/src/authentic2_idp_oidc/views.py b/src/authentic2_idp_oidc/views.py
index 159ff097..1ffda8d0 100644
--- a/src/authentic2_idp_oidc/views.py
+++ b/src/authentic2_idp_oidc/views.py
@@ -426,7 +426,7 @@ def idtoken_from_user_credential(request):
 return invalid_request_response(
 'wrong content type. request content type must be \'application/x-www-form-urlencoded\'')
 username = request.POST.get('username')
- scope = request.POST.get('scope', '')
+ scope = request.POST.get('scope')
 # scope is ignored, we used the configured scope
@@ -473,7 +473,10 @@ def idtoken_from_user_credential(request):
 return access_denied_response('invalid resource owner credentials')
 # limit requested scopes
- scopes = utils.scope_set(scope) & client.scope_set()
+ if scope is not None:
+ scopes = utils.scope_set(scope) & client.scope_set()
+ else:
+ scopes = client.scope_set()
 exponential_backoff.success(*backoff_keys)
 start = now()
diff --git a/tests/test_idp_oidc.py b/tests/test_idp_oidc.py
index cd4d5133..fd0c2b67 100644
--- a/tests/test_idp_oidc.py
+++ b/tests/test_idp_oidc.py
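Review bot: The new `if 'openid' in scope_set:` guard in `create_user_info` drops `sub` from the claims whenever the effective scope set lacks `openid`, but an ID Token must always carry `sub` (OIDC Core §2) and the UserInfo response must always return it (§5.3.2); a relying party handed an ID Token without `sub` is pushed toward matching accounts on a mutable claim such as `email`, a known impersonation risk. The `id_token` parameter appears to mark the ID-Token build of this dictionary (not provable from the hunk), so it should force the claim: `if id_token or 'openid' in scope_set:`. The test change in this same commit has to set `oidc_client.scope = 'openid'` on the ROPC fixture, which suggests the default configured scope already hits this case. `create_user_info` continues past the hunk, so how callers cope with a missing `sub` is not visible here.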
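Review bot: The context comment `# scope is ignored, we used the configured scope` right under the changed line is now wrong: with `scope = request.POST.get('scope')` the parameter is no longer ignored, it narrows the client's configured scope set further down in the same function. Replace it with `# scope, when sent, can only narrow the client's configured scope set (see the intersection below)`. `idtoken_from_user_credential` starts and ends outside this hunk.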
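Review bot: When a client sends a `scope` that does not intersect its configured scopes (or an empty `scope=`, if `utils.scope_set('')` yields an empty set), the new branch proceeds with `scopes` empty and a token is still minted instead of the request being rejected; combined with the `create_user_info` change in this commit, that token would be an ID Token without `sub`. Consider failing closed before `exponential_backoff.success(*backoff_keys)`: `if scope is not None and not scopes:` followed by the module's RFC 6749 error response for `invalid_scope` (only `invalid_request_response` and `access_denied_response` are visible in this diff). When the granted set is narrower than the requested one, RFC 6749 §3.3 also requires the token response to carry the effective `scope`; whether the response built after this hunk does so cannot be seen from here. The function's body continues outside the hunk.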
@@ -1171,6 +1171,7 @@ def test_filter_api_users(app, oidc_client, admin, simple_user, role_random):
 def test_resource_owner_password_credential_grant(app, oidc_client, admin, simple_user):
 cache.clear()
 oidc_client.authorization_flow = OIDCClient.FLOW_RESOURCE_OWNER_CRED
+ oidc_client.scope = 'openid'
 oidc_client.save()
 token_url = make_url('oidc-token')
 if oidc_client.idtoken_algo == OIDCClient.ALGO_HMAC:
@@ -1194,7 +1195,8 @@ def test_resource_owner_password_credential_grant(app, oidc_client, admin, simpl
 jwt.deserialize(token, key=jwk)
 claims = json.loads(jwt.claims)
 # xxx already verified by jwcrypto deserialization?
- assert all(claims.get(key) for key in ('acr', 'aud', 'auth_time', 'exp', 'iat', 'iss', 'sub'))
+ assert set(claims) == set(['acr', 'aud', 'auth_time', 'exp', 'iat', 'iss', 'sub'])
+ assert all(claims.values())
 # 2. test basic authz
 params.pop('client_id')
@@ -1208,7 +1210,8 @@ def test_resource_owner_password_credential_grant(app, oidc_client, admin, simpl
 jwt.deserialize(token, key=jwk)
 claims = json.loads(jwt.claims)
 # xxx already verified by jwcrypto deserialization?
- assert all(claims.get(key) for key in ('acr', 'aud', 'auth_time', 'exp', 'iat', 'iss', 'sub'))
+ assert set(claims) == set(['acr', 'aud', 'auth_time', 'exp', 'iat', 'iss', 'sub'])
+ assert all(claims.values())
 def test_resource_owner_password_credential_grant_ratelimitation_invalid_client(
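Review bot: Setting `oidc_client.scope = 'openid'` in the first hunk makes the fixture satisfy the new `'openid'` condition in `create_user_info`, but no test now covers a configured scope without `openid`, which after this commit yields an ID Token without `sub` in the ROPC flow; add a variant that sets `oidc_client.scope` to a non-openid value and asserts either `'sub' in claims` or an error response. Pinning the exact claim set with `set(claims) == ...` is a good tightening over the old `claims.get(key)` check, since it also catches unexpected extra claims leaking into the token. Style only: `set([...])` in the two new assertions reads better as a set literal, `assert set(claims) == {'acr', 'aud', 'auth_time', 'exp', 'iat', 'iss', 'sub'}`. `test_resource_owner_password_credential_grant` extends beyond these hunks.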
@@ -1311,6 +1314,22 @@ def test_credentials_grant_retrytimout(
 assert 'id_token' in response.json
+def test_credentials_grant_invalid_flow(
+ app, oidc_client, admin, simple_user, settings):
+ cache.clear()
+ params = {
+ 'client_id': oidc_client.client_id,
+ 'client_secret': oidc_client.client_secret,
+ 'grant_type': 'password',
+ 'username': simple_user.username,
+ 'password': u'SurelyNotTheRightPassword',
+ }
+ token_url = make_url('oidc-token')
+ response = app.post(token_url, params=params, status=400)
+ assert response.json['error'] == 'unauthorized_client'
+ assert 'is not configured' in response.json['error_description']
+
+
 def test_credentials_grant_invalid_client(
 app, oidc_client, admin, simple_user, settings):
 cache.clear()
--
2.24.0
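Review bot: `test_credentials_grant_invalid_flow` posts a deliberately wrong password, so it shows that the flow check runs before the credential check, but not the property that matters for authorization: a client not configured for the password grant must be refused even when the resource-owner credentials are valid. Add a second post using the fixture user's real password (whatever the fixture sets — it is not visible here) with the same `unauthorized_client` assertions, and give the test a one-line docstring such as `"""A client not enabled for the ROPC flow is refused before any credential check."""`. The test also relies on the fixture's default `authorization_flow` not being `OIDCClient.FLOW_RESOURCE_OWNER_CRED`; an explicit `assert oidc_client.authorization_flow != OIDCClient.FLOW_RESOURCE_OWNER_CRED` before the post documents that assumption and fails loudly if the fixture changes.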