-
-
Notifications
You must be signed in to change notification settings - Fork 560
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
providers/oauth2: initial client_credentials grant support
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
- Loading branch information
Showing
7 changed files
with
326 additions
and
41 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
174 changes: 174 additions & 0 deletions
174
authentik/providers/oauth2/tests/test_token_client_credentials.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,174 @@ | ||
"""Test token view""" | ||
from json import loads | ||
|
||
from django.test import RequestFactory | ||
from django.urls import reverse | ||
from jwt import decode | ||
|
||
from authentik.core.models import USER_ATTRIBUTE_SA, Application, Group, Token, TokenIntents | ||
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow | ||
from authentik.lib.generators import generate_id, generate_key | ||
from authentik.managed.manager import ObjectManager | ||
from authentik.policies.models import PolicyBinding | ||
from authentik.providers.oauth2.constants import ( | ||
GRANT_TYPE_CLIENT_CREDENTIALS, | ||
SCOPE_OPENID, | ||
SCOPE_OPENID_EMAIL, | ||
SCOPE_OPENID_PROFILE, | ||
) | ||
from authentik.providers.oauth2.errors import TokenError | ||
from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping | ||
from authentik.providers.oauth2.tests.utils import OAuthTestCase | ||
|
||
|
||
class TestTokenClientCredentials(OAuthTestCase): | ||
"""Test token (client_credentials) view""" | ||
|
||
def setUp(self) -> None: | ||
super().setUp() | ||
ObjectManager().run() | ||
self.factory = RequestFactory() | ||
self.provider = OAuth2Provider.objects.create( | ||
name="test", | ||
client_id=generate_id(), | ||
client_secret=generate_key(), | ||
authorization_flow=create_test_flow(), | ||
redirect_uris="http://testserver", | ||
signing_key=create_test_cert(), | ||
) | ||
self.provider.property_mappings.set(ScopeMapping.objects.all()) | ||
self.app = Application.objects.create(name="test", slug="test", provider=self.provider) | ||
self.user = create_test_admin_user("sa") | ||
self.user.attributes[USER_ATTRIBUTE_SA] = True | ||
self.user.save() | ||
self.token = Token.objects.create( | ||
identifier="sa-token", | ||
user=self.user, | ||
intent=TokenIntents.INTENT_APP_PASSWORD, | ||
expiring=False, | ||
) | ||
|
||
def test_wrong_user(self): | ||
"""test invalid username""" | ||
response = self.client.post( | ||
reverse("authentik_providers_oauth2:token"), | ||
{ | ||
"grant_type": GRANT_TYPE_CLIENT_CREDENTIALS, | ||
"scope": SCOPE_OPENID, | ||
"client_id": self.provider.client_id, | ||
"username": "saa", | ||
"password": self.token.key, | ||
}, | ||
) | ||
self.assertEqual(response.status_code, 400) | ||
self.assertJSONEqual( | ||
response.content.decode(), | ||
{"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]}, | ||
) | ||
|
||
def test_wrong_token(self): | ||
"""test invalid token""" | ||
response = self.client.post( | ||
reverse("authentik_providers_oauth2:token"), | ||
{ | ||
"grant_type": GRANT_TYPE_CLIENT_CREDENTIALS, | ||
"scope": SCOPE_OPENID, | ||
"client_id": self.provider.client_id, | ||
"username": "sa", | ||
"password": self.token.key + "foo", | ||
}, | ||
) | ||
self.assertEqual(response.status_code, 400) | ||
self.assertJSONEqual( | ||
response.content.decode(), | ||
{"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]}, | ||
) | ||
|
||
def test_non_sa(self): | ||
"""test non service-account""" | ||
self.user.attributes[USER_ATTRIBUTE_SA] = False | ||
self.user.save() | ||
response = self.client.post( | ||
reverse("authentik_providers_oauth2:token"), | ||
{ | ||
"grant_type": GRANT_TYPE_CLIENT_CREDENTIALS, | ||
"scope": SCOPE_OPENID, | ||
"client_id": self.provider.client_id, | ||
"username": "sa", | ||
"password": self.token.key, | ||
}, | ||
) | ||
self.assertEqual(response.status_code, 400) | ||
self.assertJSONEqual( | ||
response.content.decode(), | ||
{"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]}, | ||
) | ||
|
||
def test_no_provider(self): | ||
"""test no provider""" | ||
self.app.provider = None | ||
self.app.save() | ||
response = self.client.post( | ||
reverse("authentik_providers_oauth2:token"), | ||
{ | ||
"grant_type": GRANT_TYPE_CLIENT_CREDENTIALS, | ||
"scope": SCOPE_OPENID, | ||
"client_id": self.provider.client_id, | ||
"username": "sa", | ||
"password": self.token.key, | ||
}, | ||
) | ||
self.assertEqual(response.status_code, 400) | ||
self.assertJSONEqual( | ||
response.content.decode(), | ||
{"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]}, | ||
) | ||
|
||
def test_permission_denied(self): | ||
"""test permission denied""" | ||
group = Group.objects.create(name="foo") | ||
PolicyBinding.objects.create( | ||
group=group, | ||
target=self.app, | ||
order=0, | ||
) | ||
response = self.client.post( | ||
reverse("authentik_providers_oauth2:token"), | ||
{ | ||
"grant_type": GRANT_TYPE_CLIENT_CREDENTIALS, | ||
"scope": SCOPE_OPENID, | ||
"client_id": self.provider.client_id, | ||
"username": "sa", | ||
"password": self.token.key, | ||
}, | ||
) | ||
self.assertEqual(response.status_code, 400) | ||
self.assertJSONEqual( | ||
response.content.decode(), | ||
{"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]}, | ||
) | ||
|
||
def test_successful(self): | ||
"""test successful""" | ||
response = self.client.post( | ||
reverse("authentik_providers_oauth2:token"), | ||
{ | ||
"grant_type": GRANT_TYPE_CLIENT_CREDENTIALS, | ||
"scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}", | ||
"client_id": self.provider.client_id, | ||
"username": "sa", | ||
"password": self.token.key, | ||
}, | ||
) | ||
self.assertEqual(response.status_code, 200) | ||
body = loads(response.content.decode()) | ||
self.assertEqual(body["token_type"], "bearer") | ||
_, alg = self.provider.get_jwt_key() | ||
jwt = decode( | ||
body["access_token"], | ||
key=self.provider.signing_key.public_key, | ||
algorithms=[alg], | ||
audience=self.provider.client_id, | ||
) | ||
self.assertEqual(jwt["given_name"], self.user.name) | ||
self.assertEqual(jwt["preferred_username"], self.user.username) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.