Merge pull request #465 from skion/fragment-hybrids

Hybrid response types should be fragment-encoded

oauthlib/oauth2/rfc6749/grant_types/openid_connect.py

@@ -371,6 +371,8 @@ def __init__(self, request_validator=None, **kwargs):
 
         self.proxy_target = AuthorizationCodeGrant(
             request_validator=request_validator, **kwargs)
+        # All hybrid response types should be fragment-encoded.
+        self.proxy_target.default_response_mode = "fragment"
         self.register_response_type('code id_token')
         self.register_response_type('code token')
         self.register_response_type('code id_token token')

tests/oauth2/rfc6749/grant_types/test_authorization_code.py

@@ -66,6 +66,7 @@ def test_custom_token_validators(self):
 
     def test_create_authorization_grant(self):
         bearer = BearerToken(self.mock_validator)
+        self.request.response_mode = 'query'
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
         grant = dict(Request(h['Location']).uri_query_params)
         self.assertIn('code', grant)
@@ -76,6 +77,7 @@ def test_create_authorization_grant(self):
     def test_create_authorization_grant_state(self):
         self.request.state = 'abc'
         self.request.redirect_uri = None
+        self.request.response_mode = 'query'
         self.mock_validator.get_default_redirect_uri.return_value = 'https://a.b/cb'
         bearer = BearerToken(self.mock_validator)
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
@@ -91,6 +93,7 @@ def test_create_authorization_grant_state(self):
     def test_create_authorization_response(self, generate_token):
         generate_token.return_value = 'abc'
         bearer = BearerToken(self.mock_validator)
+        self.request.response_mode = 'query'
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
         self.assertURLEqual(h['Location'], 'https://a.b/cb?code=abc')
         self.request.response_mode = 'fragment'

tests/oauth2/rfc6749/grant_types/test_openid_connect.py

@@ -16,22 +16,22 @@
 
 
 class OpenIDAuthCodeInterferenceTest(AuthorizationCodeGrantTest):
-    """Test that OpenID don't interfer with normal OAuth 2 flows."""
+    """Test that OpenID don't interfere with normal OAuth 2 flows."""
 
     def setUp(self):
         super(OpenIDAuthCodeInterferenceTest, self).setUp()
         self.auth = OpenIDConnectAuthCode(request_validator=self.mock_validator)
 
 class OpenIDImplicitInterferenceTest(ImplicitGrantTest):
-    """Test that OpenID don't interfer with normal OAuth 2 flows."""
+    """Test that OpenID don't interfere with normal OAuth 2 flows."""
 
     def setUp(self):
         super(OpenIDImplicitInterferenceTest, self).setUp()
         self.auth = OpenIDConnectImplicit(request_validator=self.mock_validator)
 
 
 class OpenIDHybridInterferenceTest(AuthorizationCodeGrantTest):
-    """Test that OpenID don't interfer with normal OAuth 2 flows."""
+    """Test that OpenID don't interfere with normal OAuth 2 flows."""
 
     def setUp(self):
         super(OpenIDHybridInterferenceTest, self).setUp()
@@ -75,11 +75,18 @@ def test_authorization(self, generate_token):
 
         generate_token.return_value = 'abc'
         bearer = BearerToken(self.mock_validator)
+        self.request.response_mode = 'query'
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
         self.assertURLEqual(h['Location'], self.url_query)
         self.assertEqual(b, None)
         self.assertEqual(s, 302)
 
+        self.request.response_mode = 'fragment'
+        h, b, s = self.auth.create_authorization_response(self.request, bearer)
+        self.assertURLEqual(h['Location'], self.url_fragment, parse_fragment=True)
+        self.assertEqual(b, None)
+        self.assertEqual(s, 302)
+
     @mock.patch('oauthlib.common.generate_token')
     def test_no_prompt_authorization(self, generate_token):
         generate_token.return_value = 'abc'
@@ -96,6 +103,7 @@ def test_no_prompt_authorization(self, generate_token):
         self.assertEqual(b, None)
         self.assertEqual(s, 302)
 
+        self.request.response_mode = 'query'
         self.request.id_token_hint = 'me@email.com'
         h, b, s = self.auth.create_authorization_response(self.request, bearer)
         self.assertURLEqual(h['Location'], self.url_query)