authentik.providers.oauth2.tests.test_token_cc_standard_compat
Test token view
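"""Test token view (client_credentials, service-account "standard compat" secret).

Every request in this module authenticates the OAuth2 client with a service-account
app-password token packed into ``client_secret`` as ``base64("<username>:<token key>")``,
either as a form field or inside an HTTP Basic ``Authorization`` header.
"""

from base64 import b64encode
from json import loads
from urllib.parse import quote

from django.test import RequestFactory
from django.urls import reverse
from jwt import decode

from authentik.blueprints.tests import apply_blueprint
from authentik.common.oauth.constants import (
    GRANT_TYPE_CLIENT_CREDENTIALS,
    GRANT_TYPE_PASSWORD,
    SCOPE_OPENID,
    SCOPE_OPENID_EMAIL,
    SCOPE_OPENID_PROFILE,
    TOKEN_TYPE,
)
from authentik.core.models import Application, Group, Token, TokenIntents, UserTypes
from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
from authentik.policies.models import PolicyBinding
from authentik.providers.oauth2.errors import TokenError
from authentik.providers.oauth2.models import (
    GrantType,
    OAuth2Provider,
    RedirectURI,
    RedirectURIMatchingMode,
    ScopeMapping,
)
from authentik.providers.oauth2.tests.utils import OAuthTestCase


class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
    """Test token (client_credentials) view with a service-account "standard compat" secret.

    The client secret is ``base64("<username>:<token key>")`` where the token is an
    app-password token of a service account. Every rejection path must produce the
    same generic ``invalid_grant`` body so the endpoint does not leak which part of
    the credential (username, token, application binding, policy) was wrong.
    """

    # Scopes requested on the success paths; the asserted claims (given_name,
    # preferred_username) are expected to be filled by the profile scope mapping.
    FULL_SCOPE = f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}"

    @apply_blueprint("system/providers-oauth2.yaml")
    def setUp(self) -> None:
        """Create a provider and its application, plus a service account with an app-password token."""
        super().setUp()
        # Not referenced by any test in this class.
        self.factory = RequestFactory()
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
            signing_key=create_test_cert(),
            grant_types=[GrantType.CLIENT_CREDENTIALS, GrantType.PASSWORD],
        )
        # All scope mappings present after the blueprint above is applied.
        self.provider.property_mappings.set(ScopeMapping.objects.all())
        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
        self.user = create_test_admin_user("sa")
        self.user.type = UserTypes.SERVICE_ACCOUNT
        self.user.save()
        # Its key is the second half of the packed client secret built by _client_secret().
        self.token = Token.objects.create(
            identifier="sa-token",
            user=self.user,
            intent=TokenIntents.INTENT_APP_PASSWORD,
            expiring=False,
        )

    def _client_secret(self, username: str = "sa", suffix: str = "") -> str:
        """Return the packed secret ``base64("<username>:<token key><suffix>")``.

        A `username` other than the service account's, or a non-empty `suffix`
        appended to the token key, yields a credential the endpoint must reject.
        """
        return b64encode(f"{username}:{self.token.key}{suffix}".encode()).decode()

    def _post_token(self, grant_type: str, scope: str, client_secret=None, **extra):
        """POST to the token endpoint and return the response.

        When `client_secret` is given, `client_id`/`client_secret` are sent as form
        fields; otherwise only `grant_type`/`scope` are sent and `extra` (e.g.
        HTTP_AUTHORIZATION) is forwarded to the test client to carry the credentials.
        """
        data = {"grant_type": grant_type, "scope": scope}
        if client_secret is not None:
            data["client_id"] = self.provider.client_id
            data["client_secret"] = client_secret
        return self.client.post(reverse("authentik_providers_oauth2:token"), data, **extra)

    def _assert_invalid_grant(self, response) -> None:
        """Assert the generic 400 ``invalid_grant`` body shared by every failure case."""
        self.assertEqual(response.status_code, 400)
        self.assertJSONEqual(
            response.content.decode(),
            {
                "error": "invalid_grant",
                "error_description": TokenError.errors["invalid_grant"],
                "request_id": response.headers["X-authentik-id"],
            },
        )

    def _assert_issued(self, response) -> dict:
        """Assert a 200 token response of the expected token type and return its JSON body."""
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["token_type"], TOKEN_TYPE)
        return body

    def _assert_user_claims(self, body: dict, *token_fields: str) -> None:
        """Verify each named JWT in `body` and check that it carries the service account's claims.

        ``decode`` verifies the signature against the provider's public key and the
        ``aud`` claim; the algorithm is pinned to the provider's rather than taken
        from the token header.
        """
        _, alg = self.provider.jwt_key
        for field in token_fields:
            claims = decode(
                body[field],
                key=self.provider.signing_key.public_key,
                algorithms=[alg],
                audience=self.provider.client_id,
            )
            self.assertEqual(claims["given_name"], self.user.name)
            self.assertEqual(claims["preferred_username"], self.user.username)

    def test_wrong_user(self):
        """A username that is not the service account's is rejected (valid token key)."""
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS,
            SCOPE_OPENID,
            client_secret=self._client_secret(username="saa"),
        )
        self._assert_invalid_grant(response)

    def test_wrong_token(self):
        """A tampered token key with the correct username is rejected."""
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS,
            SCOPE_OPENID,
            client_secret=self._client_secret(suffix="foo"),
        )
        self._assert_invalid_grant(response)

    def test_no_provider(self):
        """An application no longer linked to the provider cannot be used to obtain tokens."""
        self.app.provider = None
        self.app.save()
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS, SCOPE_OPENID, client_secret=self._client_secret()
        )
        self._assert_invalid_grant(response)

    def test_permission_denied(self):
        """A policy binding the service account does not satisfy blocks token issuance."""
        # Bind the application to a group the service account is not a member of.
        group = Group.objects.create(name="foo")
        PolicyBinding.objects.create(
            group=group,
            target=self.app,
            order=0,
        )
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS, SCOPE_OPENID, client_secret=self._client_secret()
        )
        self._assert_invalid_grant(response)

    def test_successful(self):
        """A valid packed secret as a form field yields access and ID tokens with user claims."""
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS, self.FULL_SCOPE, client_secret=self._client_secret()
        )
        body = self._assert_issued(response)
        self._assert_user_claims(body, "access_token", "id_token")

    def test_successful_basic_auth_urlencoded_client_secret(self):
        """Credentials in a Basic header, form-urlencoded per RFC 6749 §2.3.1, are accepted."""
        client_secret = self._client_secret()
        # Each credential is form-urlencoded before the pair is base64-encoded, so any
        # "=" padding of the packed secret reaches the server as "%3D" and must be decoded.
        header = b64encode(
            f"{quote(self.provider.client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        ).decode()
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS, self.FULL_SCOPE, HTTP_AUTHORIZATION=f"Basic {header}"
        )
        body = self._assert_issued(response)
        self._assert_user_claims(body, "access_token", "id_token")

    def test_successful_password(self):
        """The password grant accepts the same packed secret; only the access token is checked."""
        response = self._post_token(
            GRANT_TYPE_PASSWORD, self.FULL_SCOPE, client_secret=self._client_secret()
        )
        body = self._assert_issued(response)
        self._assert_user_claims(body, "access_token")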
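class TestTokenClientCredentialsStandardCompat(OAuthTestCase):
    """Test token (client_credentials) view with a service-account "standard compat" secret.

    The client secret is ``base64("<username>:<token key>")`` where the token is an
    app-password token of a service account. Every rejection path must produce the
    same generic ``invalid_grant`` body so the endpoint does not leak which part of
    the credential (username, token, application binding, policy) was wrong.
    """

    # Scopes requested on the success paths; the asserted claims (given_name,
    # preferred_username) are expected to be filled by the profile scope mapping.
    FULL_SCOPE = f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}"

    @apply_blueprint("system/providers-oauth2.yaml")
    def setUp(self) -> None:
        """Create a provider and its application, plus a service account with an app-password token."""
        super().setUp()
        # Not referenced by any test in this class.
        self.factory = RequestFactory()
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
            signing_key=create_test_cert(),
            grant_types=[GrantType.CLIENT_CREDENTIALS, GrantType.PASSWORD],
        )
        # All scope mappings present after the blueprint above is applied.
        self.provider.property_mappings.set(ScopeMapping.objects.all())
        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
        self.user = create_test_admin_user("sa")
        self.user.type = UserTypes.SERVICE_ACCOUNT
        self.user.save()
        # Its key is the second half of the packed client secret built by _client_secret().
        self.token = Token.objects.create(
            identifier="sa-token",
            user=self.user,
            intent=TokenIntents.INTENT_APP_PASSWORD,
            expiring=False,
        )

    def _client_secret(self, username: str = "sa", suffix: str = "") -> str:
        """Return the packed secret ``base64("<username>:<token key><suffix>")``.

        A `username` other than the service account's, or a non-empty `suffix`
        appended to the token key, yields a credential the endpoint must reject.
        """
        return b64encode(f"{username}:{self.token.key}{suffix}".encode()).decode()

    def _post_token(self, grant_type: str, scope: str, client_secret=None, **extra):
        """POST to the token endpoint and return the response.

        When `client_secret` is given, `client_id`/`client_secret` are sent as form
        fields; otherwise only `grant_type`/`scope` are sent and `extra` (e.g.
        HTTP_AUTHORIZATION) is forwarded to the test client to carry the credentials.
        """
        data = {"grant_type": grant_type, "scope": scope}
        if client_secret is not None:
            data["client_id"] = self.provider.client_id
            data["client_secret"] = client_secret
        return self.client.post(reverse("authentik_providers_oauth2:token"), data, **extra)

    def _assert_invalid_grant(self, response) -> None:
        """Assert the generic 400 ``invalid_grant`` body shared by every failure case."""
        self.assertEqual(response.status_code, 400)
        self.assertJSONEqual(
            response.content.decode(),
            {
                "error": "invalid_grant",
                "error_description": TokenError.errors["invalid_grant"],
                "request_id": response.headers["X-authentik-id"],
            },
        )

    def _assert_issued(self, response) -> dict:
        """Assert a 200 token response of the expected token type and return its JSON body."""
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(body["token_type"], TOKEN_TYPE)
        return body

    def _assert_user_claims(self, body: dict, *token_fields: str) -> None:
        """Verify each named JWT in `body` and check that it carries the service account's claims.

        ``decode`` verifies the signature against the provider's public key and the
        ``aud`` claim; the algorithm is pinned to the provider's rather than taken
        from the token header.
        """
        _, alg = self.provider.jwt_key
        for field in token_fields:
            claims = decode(
                body[field],
                key=self.provider.signing_key.public_key,
                algorithms=[alg],
                audience=self.provider.client_id,
            )
            self.assertEqual(claims["given_name"], self.user.name)
            self.assertEqual(claims["preferred_username"], self.user.username)

    def test_wrong_user(self):
        """A username that is not the service account's is rejected (valid token key)."""
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS,
            SCOPE_OPENID,
            client_secret=self._client_secret(username="saa"),
        )
        self._assert_invalid_grant(response)

    def test_wrong_token(self):
        """A tampered token key with the correct username is rejected."""
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS,
            SCOPE_OPENID,
            client_secret=self._client_secret(suffix="foo"),
        )
        self._assert_invalid_grant(response)

    def test_no_provider(self):
        """An application no longer linked to the provider cannot be used to obtain tokens."""
        self.app.provider = None
        self.app.save()
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS, SCOPE_OPENID, client_secret=self._client_secret()
        )
        self._assert_invalid_grant(response)

    def test_permission_denied(self):
        """A policy binding the service account does not satisfy blocks token issuance."""
        # Bind the application to a group the service account is not a member of.
        group = Group.objects.create(name="foo")
        PolicyBinding.objects.create(
            group=group,
            target=self.app,
            order=0,
        )
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS, SCOPE_OPENID, client_secret=self._client_secret()
        )
        self._assert_invalid_grant(response)

    def test_successful(self):
        """A valid packed secret as a form field yields access and ID tokens with user claims."""
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS, self.FULL_SCOPE, client_secret=self._client_secret()
        )
        body = self._assert_issued(response)
        self._assert_user_claims(body, "access_token", "id_token")

    def test_successful_basic_auth_urlencoded_client_secret(self):
        """Credentials in a Basic header, form-urlencoded per RFC 6749 §2.3.1, are accepted."""
        client_secret = self._client_secret()
        # Each credential is form-urlencoded before the pair is base64-encoded, so any
        # "=" padding of the packed secret reaches the server as "%3D" and must be decoded.
        header = b64encode(
            f"{quote(self.provider.client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        ).decode()
        response = self._post_token(
            GRANT_TYPE_CLIENT_CREDENTIALS, self.FULL_SCOPE, HTTP_AUTHORIZATION=f"Basic {header}"
        )
        body = self._assert_issued(response)
        self._assert_user_claims(body, "access_token", "id_token")

    def test_successful_password(self):
        """The password grant accepts the same packed secret; only the access token is checked."""
        response = self._post_token(
            GRANT_TYPE_PASSWORD, self.FULL_SCOPE, client_secret=self._client_secret()
        )
        body = self._assert_issued(response)
        self._assert_user_claims(body, "access_token")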
Test token (client_credentials) view
@apply_blueprint("system/providers-oauth2.yaml")
def setUp(self) -> None:
    """Create a provider with its application, and a service account holding an app-password token."""
    super().setUp()
    # Not referenced by any test in this class.
    self.factory = RequestFactory()
    strict_redirect = RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")
    provider = OAuth2Provider.objects.create(
        name="test",
        authorization_flow=create_test_flow(),
        redirect_uris=[strict_redirect],
        signing_key=create_test_cert(),
        grant_types=[GrantType.CLIENT_CREDENTIALS, GrantType.PASSWORD],
    )
    # All scope mappings present after the blueprint above is applied.
    provider.property_mappings.set(ScopeMapping.objects.all())
    self.provider = provider
    self.app = Application.objects.create(name="test", slug="test", provider=provider)
    service_account = create_test_admin_user("sa")
    service_account.type = UserTypes.SERVICE_ACCOUNT
    service_account.save()
    self.user = service_account
    # The token key is the second half of the packed "sa:<key>" client secret used by the tests.
    self.token = Token.objects.create(
        identifier="sa-token",
        user=service_account,
        intent=TokenIntents.INTENT_APP_PASSWORD,
        expiring=False,
    )
Hook method for setting up the test fixture before exercising it.
def test_wrong_user(self):
    """A username that is not the service account's is rejected even with a valid token key."""
    # "saa" is not the service account's username; the token key itself is genuine.
    bad_secret = b64encode(f"saa:{self.token.key}".encode()).decode()
    form = {
        "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
        "scope": SCOPE_OPENID,
        "client_id": self.provider.client_id,
        "client_secret": bad_secret,
    }
    response = self.client.post(reverse("authentik_providers_oauth2:token"), form)
    self.assertEqual(response.status_code, 400)
    # Same generic body as the wrong-token case: the error does not say which half failed.
    expected = {
        "error": "invalid_grant",
        "error_description": TokenError.errors["invalid_grant"],
        "request_id": response.headers["X-authentik-id"],
    }
    self.assertJSONEqual(response.content.decode(), expected)
test invalid username
def test_wrong_token(self):
    """A tampered token key with the correct username is rejected."""
    # Correct username, but the key has trailing garbage appended.
    forged_secret = b64encode(f"sa:{self.token.key}foo".encode()).decode()
    form = {
        "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
        "scope": SCOPE_OPENID,
        "client_id": self.provider.client_id,
        "client_secret": forged_secret,
    }
    response = self.client.post(reverse("authentik_providers_oauth2:token"), form)
    self.assertEqual(response.status_code, 400)
    # Identical body to the wrong-username case: no hint about which half of the secret was bad.
    expected = {
        "error": "invalid_grant",
        "error_description": TokenError.errors["invalid_grant"],
        "request_id": response.headers["X-authentik-id"],
    }
    self.assertJSONEqual(response.content.decode(), expected)
test invalid token
def test_no_provider(self):
    """An application no longer linked to the provider cannot be used to obtain tokens."""
    self.app.provider = None
    self.app.save()
    packed_secret = b64encode(f"sa:{self.token.key}".encode()).decode()
    response = self.client.post(
        reverse("authentik_providers_oauth2:token"),
        {
            "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
            "scope": SCOPE_OPENID,
            "client_id": self.provider.client_id,
            "client_secret": packed_secret,
        },
    )
    self.assertEqual(response.status_code, 400)
    # Valid credentials but no usable application: still the generic invalid_grant body.
    expected = {
        "error": "invalid_grant",
        "error_description": TokenError.errors["invalid_grant"],
        "request_id": response.headers["X-authentik-id"],
    }
    self.assertJSONEqual(response.content.decode(), expected)
test no provider
def test_permission_denied(self):
    """A policy binding the service account does not satisfy blocks token issuance."""
    # Bind the application to a group the service account is not a member of.
    PolicyBinding.objects.create(
        group=Group.objects.create(name="foo"),
        target=self.app,
        order=0,
    )
    packed_secret = b64encode(f"sa:{self.token.key}".encode()).decode()
    form = {
        "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
        "scope": SCOPE_OPENID,
        "client_id": self.provider.client_id,
        "client_secret": packed_secret,
    }
    response = self.client.post(reverse("authentik_providers_oauth2:token"), form)
    self.assertEqual(response.status_code, 400)
    # Policy denial is reported with the same generic body as a bad credential.
    expected = {
        "error": "invalid_grant",
        "error_description": TokenError.errors["invalid_grant"],
        "request_id": response.headers["X-authentik-id"],
    }
    self.assertJSONEqual(response.content.decode(), expected)
test permission denied
def test_successful(self):
    """A valid packed secret as a form field yields access and ID tokens with the user's claims."""
    scope = " ".join((SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE))
    packed_secret = b64encode(f"sa:{self.token.key}".encode()).decode()
    response = self.client.post(
        reverse("authentik_providers_oauth2:token"),
        {
            "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
            "scope": scope,
            "client_id": self.provider.client_id,
            "client_secret": packed_secret,
        },
    )
    self.assertEqual(response.status_code, 200)
    body = loads(response.content.decode())
    self.assertEqual(body["token_type"], TOKEN_TYPE)
    _, alg = self.provider.jwt_key
    for field in ("access_token", "id_token"):
        # decode() verifies the signature with the provider's public key and the aud
        # claim; the algorithm is pinned rather than taken from the token header.
        claims = decode(
            body[field],
            key=self.provider.signing_key.public_key,
            algorithms=[alg],
            audience=self.provider.client_id,
        )
        self.assertEqual(claims["given_name"], self.user.name)
        self.assertEqual(claims["preferred_username"], self.user.username)
test successful
def test_successful_basic_auth_urlencoded_client_secret(self):
    """Credentials in a Basic header, form-urlencoded per RFC 6749 §2.3.1, are accepted."""
    packed_secret = b64encode(f"sa:{self.token.key}".encode()).decode()
    # Each credential is form-urlencoded before the pair is base64-encoded, so any "="
    # padding in the packed secret reaches the server as "%3D" and must be decoded there.
    encoded_pair = ":".join((quote(self.provider.client_id, safe=""), quote(packed_secret, safe="")))
    basic_header = b64encode(encoded_pair.encode()).decode()
    scope = " ".join((SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE))
    response = self.client.post(
        reverse("authentik_providers_oauth2:token"),
        {"grant_type": GRANT_TYPE_CLIENT_CREDENTIALS, "scope": scope},
        HTTP_AUTHORIZATION=f"Basic {basic_header}",
    )
    self.assertEqual(response.status_code, 200)
    body = loads(response.content.decode())
    self.assertEqual(body["token_type"], TOKEN_TYPE)
    _, alg = self.provider.jwt_key
    for field in ("access_token", "id_token"):
        # decode() verifies the signature with the provider's public key and the aud
        # claim; the algorithm is pinned rather than taken from the token header.
        claims = decode(
            body[field],
            key=self.provider.signing_key.public_key,
            algorithms=[alg],
            audience=self.provider.client_id,
        )
        self.assertEqual(claims["given_name"], self.user.name)
        self.assertEqual(claims["preferred_username"], self.user.username)
test successful with URL-encoded Basic auth credentials
def test_successful_password(self):
    """The password grant accepts the same packed secret; only the access token is checked."""
    scope = " ".join((SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE))
    packed_secret = b64encode(f"sa:{self.token.key}".encode()).decode()
    form = {
        "grant_type": GRANT_TYPE_PASSWORD,
        "scope": scope,
        "client_id": self.provider.client_id,
        "client_secret": packed_secret,
    }
    response = self.client.post(reverse("authentik_providers_oauth2:token"), form)
    self.assertEqual(response.status_code, 200)
    body = loads(response.content.decode())
    self.assertEqual(body["token_type"], TOKEN_TYPE)
    _, alg = self.provider.jwt_key
    # decode() verifies the signature with the provider's public key and the aud
    # claim; the algorithm is pinned rather than taken from the token header.
    claims = decode(
        body["access_token"],
        key=self.provider.signing_key.public_key,
        algorithms=[alg],
        audience=self.provider.client_id,
    )
    self.assertEqual(claims["given_name"], self.user.name)
    self.assertEqual(claims["preferred_username"], self.user.username)
test successful (password grant)