Merge pull request #49 from akatsoulas/auth-headers-userinfo

Pass token in Authorization header.
mozilla · Nov 15, 2016 · f7be3e8 · f7be3e8
2 parents 3de64a9 + 825e7bd
commit f7be3e8
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 15 deletions.
diff --git a/mozilla_django_oidc/auth.py b/mozilla_django_oidc/auth.py
@@ -4,11 +4,6 @@
 import logging
 import requests
 
-try:
-    from urllib import urlencode
-except ImportError:
-    from urllib.parse import urlencode
-
 try:
     from django.utils.encoding import smart_bytes
 except ImportError:
@@ -98,7 +93,7 @@ def authenticate(self, code=None, state=None):
 
         # Get the token
         response = requests.post(self.OIDC_OP_TOKEN_ENDPOINT,
-                                 json=token_payload,
+                                 data=token_payload,
                                  verify=import_from_settings('OIDC_VERIFY_SSL', True))
         response.raise_for_status()
 
@@ -107,11 +102,11 @@ def authenticate(self, code=None, state=None):
         payload = self.verify_token(token_response.get('id_token'))
 
         if payload:
-            query = urlencode({
-                'access_token': token_response.get('access_token')
-            })
-            user_response = requests.get('{url}?{query}'.format(url=self.OIDC_OP_USER_ENDPOINT,
-                                                                query=query))
+            access_token = token_response.get('access_token')
+            user_response = requests.get(self.OIDC_OP_USER_ENDPOINT,
+                                         headers={
+                                             'Authorization': 'Bearer {0}'.format(access_token)
+                                         })
             user_response.raise_for_status()
             user_info = user_response.json()
             email = user_info.get('email')

diff --git a/tests/test_auth.py b/tests/test_auth.py
@@ -83,10 +83,11 @@ def test_successful_authentication_existing_user(self, token_mock, request_mock)
         self.assertEqual(self.backend.authenticate(code='foo', state='bar'), user)
         token_mock.assert_called_once_with('id_token')
         request_mock.post.assert_called_once_with('https://server.example.com/token',
-                                                  json=post_data,
+                                                  data=post_data,
                                                   verify=True)
         request_mock.get.assert_called_once_with(
-            'https://server.example.com/user?access_token=access_granted'
+            'https://server.example.com/user',
+            headers={'Authorization': 'Bearer access_granted'}
         )
 
     @patch.object(settings, 'OIDC_USERNAME_ALGO')
@@ -126,10 +127,11 @@ def test_successful_authentication_new_user(self, token_mock, request_mock, algo
 
         token_mock.assert_called_once_with('id_token')
         request_mock.post.assert_called_once_with('https://server.example.com/token',
-                                                  json=post_data,
+                                                  data=post_data,
                                                   verify=True)
         request_mock.get.assert_called_once_with(
-            'https://server.example.com/user?access_token=access_granted'
+            'https://server.example.com/user',
+            headers={'Authorization': 'Bearer access_granted'}
         )
 
     def test_authenticate_no_code_no_state(self):