Issue759/check authz type #760

Merged
merged 4 commits into from
May 29, 2021
15 changes: 5 additions & 10 deletions oauthlib/openid/connect/core/tokens.py
Expand Up @@ -4,7 +4,7 @@

This module contains methods for adding JWT tokens to requests.
"""
from oauthlib.oauth2.rfc6749.tokens import TokenBase, random_token_generator
from oauthlib.oauth2.rfc6749.tokens import TokenBase, random_token_generator, get_token_from_header


class JWTToken(TokenBase):
Expand Down Expand Up @@ -35,17 +35,12 @@ def create_token(self, request, refresh_token=False):
return self.request_validator.get_jwt_bearer_token(None, None, request)

def validate_request(self, request):
token = None
if 'Authorization' in request.headers:
token = request.headers.get('Authorization')[7:]
else:
token = request.access_token
token = get_token_from_header(request)
return self.request_validator.validate_jwt_bearer_token(
token, request.scopes, request)

def estimate_type(self, request):
token = request.headers.get('Authorization', '')[7:]
if token.startswith('ey') and token.count('.') in (2, 4):
token = get_token_from_header(request)
if token and token.startswith('ey') and token.count('.') in (2, 4):
return 10
else:
return 0
return 0
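Review bot: `validate_request` now hands whatever `get_token_from_header` returns straight to `validate_jwt_bearer_token`, and the accompanying test shows that value is `None` for a non-Bearer `Authorization` header, so rejecting an absent credential is left entirely to each `RequestValidator` implementation. A guard before the validator call, `if not token: return False`, would stop a missing or non-Bearer credential from ever reaching custom validation code; `estimate_type` does not need it because the rewritten condition already tests `token and ...`. The old `else` branch fell back to `request.access_token` (body/query tokens per RFC 6750 §2.2–2.3); whether `get_token_from_header` preserves that fallback is not visible in this hunk, so it is worth confirming the refactor did not silently drop body-carried JWTs.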
26 changes: 26 additions & 0 deletions tests/openid/connect/core/test_tokens.py
Expand Up @@ -76,6 +76,32 @@ def test_validate_request_token_from_headers(self):
request.scopes,
request)

def test_validate_request_token_from_headers_basic(self):
"""
Wrong kind of token (Basic) retrieved from headers. Confirm token is not parsed.
"""

with mock.patch('oauthlib.common.Request', autospec=True) as RequestMock, \
mock.patch('oauthlib.openid.RequestValidator',
autospec=True) as RequestValidatorMock:
request_validator_mock = RequestValidatorMock()

token = JWTToken(request_validator=request_validator_mock)

request = RequestMock('/uri')
# Scopes is retrieved using the __call__ method which is not picked up correctly by mock.patch
# with autospec=True
request.scopes = mock.MagicMock()
request.headers = {
'Authorization': 'Basic some-token-from-header'
}

token.validate_request(request=request)

request_validator_mock.validate_jwt_bearer_token.assert_called_once_with(None,
request.scopes,
request)

def test_validate_token_from_request(self):
"""
Token get retrieved from request object.
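Review bot: The new test exercises only `validate_request`, while the same commit also reroutes `estimate_type` through `get_token_from_header`; with the old `[7:]` slice a `Basic some-token-from-header` header would have yielded a non-empty token candidate, so that is exactly the regression this fixture should pin. Adding `self.assertEqual(token.estimate_type(request), 0)` after the `validate_request` call (or a plain `assert` if the enclosing class, whose header is outside this hunk, is not a `TestCase`) covers both changed paths with the same request. The docstring's "Confirm token is not parsed" would be more precise as "Confirm no bearer token is extracted (validator receives None)", since the assertion checks the `None` argument rather than any parsing step.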