From 23cad5480203015af3f5f4fc442c16e8bf802969 Mon Sep 17 00:00:00 2001
From: Aditya Hase
Date: Tue, 21 Jun 2022 21:23:39 +0530
Subject: [PATCH] test(oauth): Send id_token of the authorized user instead of Guest
This only affects OAuth clients that use `id_token` obtained from `frappe.integrations.oauth2.get_token`. Doesn't affect OAuth clients that ignore id_token and explicitly use `frappe.integrations.oauth2.openid_profile` endpoint for getting user details. e.g. Frappe OAuth client.
A simple way to replicate this is to setup Frappe-Frappe OAuth client-server pair and use `login_via_oauth2_id_token` instead of `login_via_oauth2` in `login_via_frappe`.
---
 frappe/tests/test_oauth20.py | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/frappe/tests/test_oauth20.py b/frappe/tests/test_oauth20.py
index b809630204..a634ace62a 100644
--- a/frappe/tests/test_oauth20.py
+++ b/frappe/tests/test_oauth20.py
@@ -16,7 +16,9 @@ class TestOAuth20(unittest.TestCase):
 def setUp(self):
 make_test_records("OAuth Client")
 make_test_records("User")
- self.client_id = frappe.get_all("OAuth Client", fields=["*"])[0].get("client_id")
+ client = frappe.get_all("OAuth Client", fields=["*"])[0]
+ self.client_id = client.get("client_id")
+ self.client_secret = client.get("client_secret")
 self.form_header = {"content-type": "application/x-www-form-urlencoded"}
 self.scope = "all openid"
 self.redirect_uri = "http://localhost"
@@ -90,6 +92,9 @@ class TestOAuth20(unittest.TestCase):
 self.assertTrue(bearer_token.get("token_type") == "Bearer")
 self.assertTrue(check_valid_openid_response(bearer_token.get("access_token")))
+ decoded_token = self.decode_id_token(bearer_token.get("id_token"))
+ self.assertEqual(decoded_token["email"], "test@example.com")
+
 def test_login_using_authorization_code_with_pkce(self):
 update_client_for_auth_code_grant(self.client_id)
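Review bot: `self.client_secret = client.get("client_secret")` in setUp quietly becomes `None` when the OAuth Client test record carries no secret (the row returned by `frappe.get_all` appears to be dict-like, so `.get` does not raise), and the failure then surfaces several tests later as an opaque signature error inside `jwt.decode` rather than at the data that is wrong. A guard immediately after the assignment, `self.assertTrue(self.client_secret, "OAuth Client test record has no client_secret")`, pins the failure to its source. setUp may continue past the hunk's last line.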
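Review bot: The two assertions added here are repeated verbatim in the `@@ -142` hunk, and the expected address `"test@example.com"` appears a third time in the `@@ -316` hunk, so a change of test user means three edits; a one-line helper on the class, `def assert_id_token_for_test_user(self, id_token): self.assertEqual(self.decode_id_token(id_token)["email"], "test@example.com")`, keeps the call sites in step. The commit's purpose is to prove the token names the authorized user rather than Guest, and `email` is a reasonable proxy for that; if the ID token also carries a `sub` claim, asserting it as well would pin the identity claim OpenID Connect actually defines — I cannot tell from the hunk which claims the server emits. The enclosing test method starts outside the hunk.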
@@ -142,6 +147,9 @@ class TestOAuth20(unittest.TestCase):
 self.assertTrue(bearer_token.get("access_token"))
 self.assertTrue(bearer_token.get("id_token"))
+ decoded_token = self.decode_id_token(bearer_token.get("id_token"))
+ self.assertEqual(decoded_token["email"], "test@example.com")
+
 def test_revoke_token(self):
 client = frappe.get_doc("OAuth Client", self.client_id)
 client.grant_type = "Authorization Code"
@@ -316,16 +324,19 @@ class TestOAuth20(unittest.TestCase):
 # Parse bearer token json
 bearer_token = token_response.json()
- id_token = bearer_token.get("id_token")
- payload = jwt.decode(
+ payload = self.decode_id_token(bearer_token.get("id_token"))
+ self.assertEqual(payload["email"], "test@example.com")
+
+ self.assertTrue(payload.get("nonce") == nonce)
+
+ def decode_id_token(self, id_token):
+ return jwt.decode(
 id_token,
- audience=client.client_id,
- key=client.client_secret,
+ audience=self.client_id,
+ key=self.client_secret,
 algorithms=["HS256"],
 )
- self.assertTrue(payload.get("nonce") == nonce)
-
 def check_valid_openid_response(access_token=None):
 """Return True for valid response."""
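Review bot: `decode_id_token` in the `@@ -316` hunk has no docstring, and since it is now the single place where these tests verify the ID token's signature it should state what is and is not checked: `"""Verify id_token against the test client's secret (HS256, audience = client_id) and return its claims; exp and aud are verified by jwt.decode, iss is not."""`. Passing `algorithms=["HS256"]` explicitly and keeping `audience=self.client_id` is the right shape — a decoder that accepts whatever `alg` the token header names, or no audience, is the usual way an ID-token check goes wrong — so the helper is worth keeping as the only decode path. If the server sets an `iss` claim, adding `issuer=<expected issuer>` to the `jwt.decode` call would verify it too; I cannot see the server's claims from this hunk. The re-added `self.assertTrue(payload.get("nonce") == nonce)` reports nothing useful on failure, whereas `self.assertEqual(payload.get("nonce"), nonce)` shows both values. The test method holding the first assertions starts outside the hunk.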