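--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -497,3 +497,54 @@
 page = sess3.fetch_page(idpname, 'https://127.0.0.11:45081/sp/')
 check_text_results(page.text,
 'OpenID Connect Provider error: access_denied')
+
+ with TC.case('Set IdP authz stack to back to allow'):
+ sess.disable_plugin(idpname, 'authz', 'deny')
+ sess.enable_plugin(idpname, 'authz', 'allow')
+
+ sess4 = HttpSessions()
+ sess4.add_server(idpname, 'https://127.0.0.10:45080', user, 'ipsilon')
+ sess4.add_server(sp1name, 'https://127.0.0.11:45081')
+
+ with TC.case('Registering test client with OOB'):
+ client_info = {
+ 'redirect_uris': ['urn:ietf:wg:oauth:2.0:oob'],
+ 'response_types': ['code'],
+ 'grant_types': ['authorization_code'],
+ 'application_type': 'native',
+ 'client_name': 'Test suite client',
+ 'client_uri': 'https://invalid/',
+ 'token_endpoint_auth_method': 'none'
+ }
+ r = requests.post('https://127.0.0.10:45080/idp1/openidc/Registration',
+ json=client_info)
+ r.raise_for_status()
+ reg_resp_oob = r.json()
+
+ with TC.case('Access first SP protected area with OOB'):
+ page = sess.fetch_page(idpname,
+ 'https://127.0.0.10:45080/idp1/openidc/'
+ 'Authorization?scope=openid&response_type=code&'
+ 'redirect_uri=urn:ietf:wg:oauth:2.0:oob&'
+ 'client_id=' + reg_resp_oob['client_id'])
+ code = sess.get_openidc_oob(page)
+ title_value = page.first_value('/html/head/title').text
+ if title_value != code:
+ raise Exception(
+ "The title of the page must contain the code as well"
+ )
+ code = code.replace('code=', '')
+ # Now check that we can get a token
+ token_resp = requests.post(
+ 'https://127.0.0.10:45080/idp1/openidc/Token',
+ data={'client_id': reg_resp_oob['client_id'],
+ 'grant_type': 'authorization_code',
+ 'redirect_uri': 'urn:ietf:wg:oauth:2.0:oob',
+ 'code': code})
+ if token_resp.status_code != 200:
+ raise Exception('Unable to get token from code')
+ anon_token = token_resp.json()
+ if not anon_token.get('token_type') == 'Bearer':
+ raise Exception('Invalid token type returned')
+ if 'access_token' not in anon_token:
+ raise Exception('Did not get access token')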
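Review bot: `sess4` is built by `sess4 = HttpSessions()` and the two `add_server` calls but is never used afterwards; the OOB authorization at `page = sess.fetch_page(idpname, ...)` goes through `sess`, which still carries login state from the earlier cases, so either drop `sess4` or run the OOB case through it so the flow starts from a clean session (the hunk has no trailing context, so it appears to end the file and later use seems unlikely). The case also covers only the happy path: nothing asserts that the same `code` is refused on a second `Token` post or that a non-OOB `redirect_uri` is rejected, which is what matters most once the code is rendered into the page title; reposting the same `data` and expecting a non-200 status would cover replay in two lines. `if not anon_token.get('token_type') == 'Bearer':` reads better as `if anon_token.get('token_type') != 'Bearer':`, and the registration call uses `raise_for_status()` while the token call checks the status by hand — pick one. Both `requests.post` calls pass no `verify=`, so this presumably relies on TLS verification being configured elsewhere in the module; worth confirming. The enclosing function starts before the hunk.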
When the `redirect_uri` has a special value for OOB authentication, display a page prompting the user to copy and paste the code back to the application. Use the code as the page's title as well. This is useful when it's not practical for the client to run an HTTP server and use a `localhost` redirect uri, such as when it's executing on a remote machine.

References:
- https://github.com/googleapis/google-api-python-client/blob/main/docs/oauth-installed.md#urnietfwgoauth20oob
- https://developers.google.com/identity/protocols/oauth2/native-app#step-2:-send-a-request-to-googles-oauth-2.0-server