path: root/tests/oauth2/rfc6749/endpoints
Commit message  [Author, Date, Files changed, Lines -/+]
* Enforce POST HTTP method on TokenEndpoint, IntrospectEndpoint and RevocationEndpoint  [Abhishek Patel, 2019-05-14, 4 files, -19/+79]
    - Add validation checks for HTTP method in TokenEndpoint, IntrospectEndpoint and RevocationEndpoint.
    - CHANGE DEFAULT HTTP method for TokenEndpoint from 'GET' to 'POST'.
    - Add tests + Fix an old test in . It used to send query params to TokenEndpoint which is not allowed anymore. Fixed it so payload is sent as POST body.
* Ban all query parameters on Introspection, Token and Revocation endpoint  [Abhishek Patel, 2019-05-14, 3 files, -18/+11]
* Add tests + create a global variable for blacklisted query parameters  [Abhishek Patel, 2019-05-14, 3 files, -0/+59]
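The two checks the three commits above describe, as an added example that is not oauthlib's own code: reject any method but POST, and reject any query string at all on the token, introspection and revocation endpoints. The names check_post_endpoint and SECRET_QUERY_PARAMS, the 405 status for a wrong method, and the sample requests are assumptions made here.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameters that must never appear in a URL: they land in access logs, proxy
# logs and browser history. RFC 6749 sections 2.3.1 and 3.2 put them in the
# POST body. (Constructed list for this example.)
SECRET_QUERY_PARAMS = frozenset({"client_secret", "code", "token", "refresh_token", "password"})


def check_post_endpoint(http_method, uri, body):
    """Validate a request to a POST-only OAuth2 endpoint.

    Returns (params, None) with the form-decoded body on success, or
    (None, (error, description, http_status)) when the request must be rejected.
    """
    method = (http_method or "").upper()
    if method != "POST":
        # 405 is a choice made here; the point is that GET never reaches grant logic.
        return None, ("invalid_request",
                      "HTTP method %s is not allowed on this endpoint; use POST" % (method or "<none>"),
                      405)

    query = urlsplit(uri).query
    if query:
        # Every query parameter is rejected, not only the sensitive ones; the
        # description names the sensitive ones so the operator sees what leaked.
        names = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
        leaked = sorted(set(names) & SECRET_QUERY_PARAMS)
        description = "URL query parameters are not allowed"
        if leaked:
            description += " (credentials or tokens seen in the URL: %s)" % ", ".join(leaked)
        return None, ("invalid_request", description, 400)

    params = dict(parse_qsl(body or "", keep_blank_values=True))
    return params, None


if __name__ == "__main__":
    # Constructed sample requests: a GET, a POST with a secret in the URL, a clean POST.
    for method, uri, body in [
        ("GET", "https://as.example/token?grant_type=client_credentials", ""),
        ("POST", "https://as.example/token?client_secret=hunter2", "grant_type=client_credentials"),
        ("POST", "https://as.example/token", "grant_type=refresh_token&refresh_token=r1"),
    ]:
        print(method, uri, "->", check_post_endpoint(method, uri, body))
```

Run the check before client authentication, so a request that leaks a secret in the URL is refused even when the secret is valid.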
* Removed useless set_state internal function  [Jonathan Huot, 2019-02-21, 1 file, -7/+1]
    Does not have purpose for /token request
* Add authorization "state" preservation back for AuthCode  [Jonathan Huot, 2019-02-21, 1 file, -0/+7]
* Fix 652: removed "state" from /token response.  [Jonathan Huot, 2019-02-20, 1 file, -12/+0]
    Fix OIDC /token flow where &state=None was always returned, and fix OAuth2.0 /token flow where &state=foobar was returned if &state=foobar was present in the token request.
    Remove "save_token" from create_token() signature because it was not used internally. Deprecated the option to let upstream libraries have a chance to remove it, if ever used.
* Fix 644, Add tests for BasicAuth credentials for all endpoints (#645)  [Jonathan Huot, 2019-01-11, 2 files, -2/+57]
    Test Introspect, Revoke, Token (web, legacy, backend) endpoints with authenticate_client and HTTP Basic Auth.
* Fix issue when using Metadata Endpoint with OIDC PreConfigured server.  [Jonathan Huot, 2018-12-14, 1 file, -0/+27]
* Merge branch 'master' into 601-pkce-support  [Jonathan Huot, 2018-12-13, 2 files, -8/+33]
    * Add Content-Type and Cache headers to introspect/revocation errors  [Jonathan Huot, 2018-12-13, 2 files, -8/+33]
    * Add double-quotes to the key/values in WWW-Authenticate (branch 264-status401)  [Jonathan Huot, 2018-12-12, 2 files, -4/+4]
    * Used WWW-Authenticate and auth-param values as RFC6750 described it.  [Jonathan Huot, 2018-12-12, 2 files, -4/+4]
        It misses the possibility to add scope= and realm= at the moment, but it should be a step forward into the right direction.
    * Handle 401 with WWW-Authenticate. Moved wrong 401 into 400.  [Jonathan Huot, 2018-12-04, 2 files, -4/+4]
        access_denied/unauthorized_client/consent_required/login_required MUST be 400, and not 401. Also, 401 MUST have WWW-Authenticate when set. It could have an impact on processing those in web frameworks.
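An added example, not oauthlib's own code, of the error handling the four commits above converge on, together with the HTTP Basic client authentication tested in Fix 644: errors are 400 unless they are authentication failures, a 401 always carries WWW-Authenticate with quoted auth-param values (RFC 6750 section 3), every error response carries Content-Type and no-store cache headers, and Basic credentials are form-urldecoded before comparison (RFC 6749 section 2.3.1). The ERROR_STATUS table, the default realm and the authenticate_client and basic_header helpers are assumptions made here.

```python
import base64
import binascii
import hmac
import json
from urllib.parse import quote_plus, unquote_plus

# 401 is reserved for failed client or bearer authentication; everything the
# server decides about the request itself (access_denied, unauthorized_client,
# consent_required, login_required, ...) is a 400. (Table constructed here.)
ERROR_STATUS = {
    "invalid_request": 400, "invalid_client": 401, "invalid_grant": 400,
    "unauthorized_client": 400, "unsupported_grant_type": 400, "invalid_scope": 400,
    "access_denied": 400, "consent_required": 400, "login_required": 400,
    "invalid_token": 401, "insufficient_scope": 403,
}


def _quoted(value):
    # auth-param values are quoted-strings (RFC 7235): escape backslash and quote.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def error_response(error, description=None, scheme="Bearer", realm="oauth2"):
    """Build (status, headers, body) for an OAuth2 error."""
    status = ERROR_STATUS.get(error, 400)
    headers = {
        "Content-Type": "application/json;charset=UTF-8",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    if status == 401:
        # A 401 MUST carry WWW-Authenticate, matching the scheme the client used.
        params = {"realm": realm}
        if scheme == "Bearer":
            params["error"] = error
            if description:
                params["error_description"] = description
        headers["WWW-Authenticate"] = scheme + " " + ", ".join(
            "%s=%s" % (k, _quoted(v)) for k, v in params.items())
    payload = {"error": error}
    if description:
        payload["error_description"] = description
    return status, headers, json.dumps(payload)


def basic_header(client_id, client_secret):
    # RFC 6749 section 2.3.1: form-urlencode both values, then Basic-encode "id:secret".
    userpass = quote_plus(client_id) + ":" + quote_plus(client_secret)
    return "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")


def parse_basic_client(authorization):
    """Return (client_id, client_secret) from an Authorization header, or None."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, secret = raw.partition(":")
    if not sep:
        return None
    return unquote_plus(user), unquote_plus(secret)


def authenticate_client(authorization, registered_clients):
    """Return None when the client authenticated, else an error_response() tuple.

    registered_clients maps client_id -> client_secret (constructed input; a
    real server compares against a stored hash).
    """
    creds = parse_basic_client(authorization)
    if creds is None:
        return error_response("invalid_client", "client authentication required", scheme="Basic")
    client_id, secret = creds
    expected = registered_clients.get(client_id)
    # Constant-time compare, against a dummy when the id is unknown, so timing
    # does not reveal which client ids exist.
    dummy = "x" * 32
    matches = hmac.compare_digest((expected or dummy).encode("utf-8"), secret.encode("utf-8"))
    if expected is None or not matches:
        return error_response("invalid_client", "client authentication failed", scheme="Basic")
    return None
```

The Basic branch emits only realm, since Basic has no error parameters; the Bearer branch is what a resource server returns for an expired or malformed bearer token.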
* Sort dict and list in dict values for py27/36 compat (branch preconf-server-metadata)  [Jonathan Huot, 2018-11-30, 1 file, -2/+10]
* Add Server metadata test and fix metadata.  [Jonathan Huot, 2018-11-30, 1 file, -0/+53]
    Fix grant_types_supported which must include "implicit" even if it is not a grant_type in oauthlib sense. Removed internal "none" field value from the list of response_types.
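An added example, not oauthlib's metadata endpoint, of building an RFC 8414 document the way the two commits above require: "implicit" is listed in grant_types_supported whenever a token-bearing response_type is offered even though nothing at the token endpoint handles it, the internal "none" response type is dropped, lists are sorted so the output is stable across interpreter versions, and a provider can override computed values (the later "Allow custom provider to override oauthlib values" commit). The endpoint paths, the valid_issuer check and the provider_overrides argument are assumptions made here.

```python
import json
from urllib.parse import urlsplit


def valid_issuer(issuer):
    # RFC 8414 section 2: the issuer is an https URL with no query or fragment.
    u = urlsplit(issuer)
    return u.scheme == "https" and bool(u.netloc) and not u.query and not u.fragment


def server_metadata(issuer, grant_types, response_types, scopes,
                    code_challenge_methods=("S256",), provider_overrides=None):
    """Return the RFC 8414 metadata document as a dict with sorted lists."""
    if not valid_issuer(issuer):
        raise ValueError("issuer must be an https URL without query or fragment")
    base = issuer.rstrip("/")

    # "none" is an internal marker for grants that have no authorization-endpoint
    # response type (password, client_credentials); clients cannot request it.
    rts = sorted(rt for rt in response_types if rt != "none")

    # grant_types_supported describes the authorization server as a whole, so
    # "implicit" belongs there whenever a token-bearing response_type is offered,
    # even when the implementation does not model it as a token-endpoint grant.
    grants = set(grant_types)
    for rt in rts:
        parts = rt.split()
        if "code" in parts:
            grants.add("authorization_code")
        if "token" in parts or "id_token" in parts:
            grants.add("implicit")

    metadata = {
        "issuer": base,
        "authorization_endpoint": base + "/authorize",
        "token_endpoint": base + "/token",
        "introspection_endpoint": base + "/introspect",
        "revocation_endpoint": base + "/revoke",
        "response_types_supported": rts,
        "grant_types_supported": sorted(grants),
        "scopes_supported": sorted(scopes),
        "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
        "code_challenge_methods_supported": sorted(code_challenge_methods),
    }
    # Deployment-specific values (jwks_uri, service_documentation, a different
    # endpoint path) win over the defaults computed above.
    if provider_overrides:
        metadata.update(provider_overrides)
    return metadata


if __name__ == "__main__":
    # Constructed configuration for a server offering code, implicit and client_credentials.
    doc = server_metadata("https://as.example",
                          ["authorization_code", "client_credentials"],
                          ["code", "token", "none"],
                          ["openid", "profile"])
    print(json.dumps(doc, indent=2, sort_keys=True))
```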
* Initial OAuth2.0/PKCE Provider support  [Jonathan Huot, 2018-11-29, 5 files, -0/+6]
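PKCE (RFC 7636) as the commit above introduces it for the provider side, written here as an added example rather than oauthlib's implementation: the client derives a code_challenge from a random code_verifier and the server, at the token endpoint, recomputes the challenge from the presented verifier and compares it in constant time against what was stored with the authorization code. The function names and the policy that a verifier presented for a code that was issued without a challenge is refused are assumptions made here.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(data):
    # base64url without padding, as the RFC requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes=32):
    """Client side: 32 random bytes give 43 base64url characters, the RFC minimum."""
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge(verifier, method="S256"):
    """Client side: derive the challenge sent on the authorization request."""
    if not VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    if method == "S256":
        return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # Allowed by the RFC; a server should only accept it when the client
        # genuinely cannot hash, since the challenge then equals the verifier.
        return verifier
    raise ValueError("unsupported code_challenge_method: %r" % method)


def verify_pkce(stored_challenge, stored_method, presented_verifier):
    """Server side, at /token: check the verifier against what was bound to the code."""
    if stored_challenge is None:
        # No challenge was bound to the code. A verifier showing up now means the
        # client expected PKCE and the authorization request was tampered with
        # or mis-sent; refuse rather than silently accept (policy choice here).
        return presented_verifier is None
    if presented_verifier is None or not VERIFIER_RE.match(presented_verifier):
        return False
    try:
        expected = code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    # Constant-time compare so the stored challenge cannot be probed byte by byte.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = code_challenge(verifier)
    print("authorize: code_challenge=%s&code_challenge_method=S256" % challenge)
    print("token:     code_verifier=%s -> %s" % (verifier, verify_pkce(challenge, "S256", verifier)))
```

The stored_method must come from what the server recorded at authorization time, never from the token request, otherwise a client could downgrade S256 to plain after the fact.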
* Allow custom provider to override oauthlib values (branch oauth-metadata)  [Jonathan Huot, 2018-11-21, 1 file, -0/+10]
    See https://github.com/oauthlib/oauthlib/pull/605#discussion_r234438151
* Initial OAuth Authorization Server Metadata RFC8414  [Jonathan Huot, 2018-10-25, 1 file, -0/+28]
* Fix test_error_catching.  [Theron Luhn, 2018-09-02, 1 file, -1/+3]
* Merge branch 'master' into 445_confirm_redirect  [Jonathan Huot, 2018-08-15, 1 file, -0/+16]
    * Add syntax check of get_default_redirect_uri  [Jonathan Huot, 2018-07-30, 1 file, -0/+16]
        Authorization Code was missing this check, whereas Implicit was checking it.
* Add test when no redirecturi & no default  [Jonathan Huot, 2018-08-15, 1 file, -0/+9]
* Restore confirm = False test  [Jonathan Huot, 2018-08-15, 1 file, -0/+2]
* confirm_r. is called after auth_client  [Jonathan Huot, 2018-07-30, 1 file, -1/+0]
* Call get_default_redirect_uri if no redirect_uri in token req  [Jonathan Huot, 2018-07-30, 1 file, -0/+21]
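The redirect_uri handling the commits above test, as an added example that is not oauthlib's code: a requested redirect_uri must be an absolute URI without a fragment and must match a registered URI exactly; when the request carries none, a default is used only if one is available, and the default gets the same syntax check; at the token endpoint the URI must be identical to the one used at authorization time. The rule that a default exists only when exactly one URI is registered, and the function names, are assumptions made here.

```python
from urllib.parse import urlsplit


def is_absolute_uri(uri):
    # RFC 6749 section 3.1.2: absolute URI, may carry a query, must not carry a fragment.
    if not uri:
        return False
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc or parts.path) and not parts.fragment


def resolve_redirect_uri(requested, registered):
    """Pick the redirect URI for an authorization request.

    registered: exact URIs registered for the client (constructed input).
    Returns (uri, None) or (None, (error, description)).
    """
    if requested is not None:
        if not is_absolute_uri(requested):
            return None, ("invalid_request", "redirect_uri must be an absolute URI without a fragment")
        # Exact string match only: no prefix matching, no wildcard hosts. Anything
        # looser turns the authorization endpoint into an open redirector.
        if requested not in registered:
            return None, ("invalid_request", "Mismatching redirect URI")
        return requested, None
    # No redirect_uri in the request: a default exists only when exactly one
    # URI is registered, and even the default is syntax-checked.
    if len(registered) != 1:
        return None, ("invalid_request", "Missing redirect URI")
    default = registered[0]
    if not is_absolute_uri(default):
        return None, ("invalid_request", "Registered default redirect URI is malformed")
    return default, None


def verify_token_redirect(stored_uri, stored_was_explicit, presented, registered):
    """Token-endpoint check for the code exchange (RFC 6749 section 4.1.3)."""
    if stored_was_explicit:
        # Sent at /authorize: it is REQUIRED at /token and the values must be identical.
        return presented is not None and presented == stored_uri
    if presented is None:
        # The authorization request relied on the default; resolve it the same way.
        presented, err = resolve_redirect_uri(None, registered)
        if err is not None:
            return False
    return presented == stored_uri


if __name__ == "__main__":
    registered = ["https://app.example/cb"]
    for requested in [None, "https://app.example/cb", "https://app.example/cb#frag", "https://evil.example/"]:
        print(requested, "->", resolve_redirect_uri(requested, registered))
```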
* OpenID Connect split (#525)  [Wiliam Souza, 2018-06-05, 2 files, -190/+0]
    - Add command to clean up builds to makefile
    - Fix docs strings for endpoints pre_configured
    - Change grant_types.openid_connect to include a deprecation warning to be backward compatible
    - Fix doc string for rfc6749.request_validator
    - Remove unused import
    - Change import to be explicit
    - Move JWTTokenTestCase to openid.connect.core.test_token
    - Move JWTToken to oauthlib.openid.connect.core.tokens
    - Move to openid connect test
    - Move openid connect exceptions to its own file
    - Remove openid connect from oauth2 server
    - Remove JWTToken from oauth tokens
    - Remove grant_types.openid_connect file
    - Add oauthlib/openid structure and tests
* Added initial introspect support  [Jonathan Huot, 2017-12-18, 1 file, -0/+132]
* OpenID connect improvements (#484)  [Wiliam Souza, 2017-10-01, 2 files, -2/+2]
    - Change create_token_response to only save access_token when it's present in request.response_type
    - Remove unused import, fix indentation and improve comment
    - Fix AuthorizationEndpoint response_type for OpenID Connect hybrid flow
    - Add new ImplicitTokenGrantDispatcher. Changes AuthorizationEndpoint response_type `'token'`, `'id_token'` and `'id_token token'` to work with OpenID Connect and OAuth2 implicit flow in a transparent way
    - Add new AuthTokenGrantDispatcher. Change AuthorizationEndpoint grant_types `'authorization_code'` to work with OpenID Connect and OAuth2 authorization flow in a transparent way
    - Change tests to include required client_id and redirect_uri
    - Remove AuthorizationEndpoint grant_types `'openid'`. Now OpenID Connect and OAuth2 authorization flow can use `authorization_code` in a transparent way
    - Add some blank lines and fix indentation
    - Change AuthorizationEndpoint grant type id_token and id_token token to use openid_connect_implicit direct
    - Change default empty value to None and fix a typo
    - Add assert called to AuthTokenGrantDispatcher tests
    - Add request to get_authorization_code_scopes
* Add test for nonce parameter preservation.  [Pieter Ennes, 2017-09-17, 1 file, -0/+12]
* Sorted imports.  [Omer Katz, 2017-09-17, 10 files, -43/+61]
* adjust the test for the new exception  [Oren Mazor, 2017-06-14, 2 files, -2/+2]
* Add test for prompt=none exclusiveness.  [Pieter Ennes, 2017-04-02, 1 file, -0/+18]
* Merge pull request #453 from kippandrew/fix-revocation-public-clients  [Omer Katz, 2017-03-31, 1 file, -14/+24]
    Public clients should be validated when revoking tokens
    * Python 3 fixes  [Andy Kipp, 2016-12-06, 1 file, -1/+1]
    * Fix tests  [Andy Kipp, 2016-12-06, 1 file, -13/+23]
* Adds failing test  [Brendan McCollam, 2016-12-20, 1 file, -0/+50]
* Normalize handling of request.scopes list  [Joel Stevenson, 2016-11-21, 1 file, -24/+33]
    Use the scope_to_list() util to initialize the request.scopes list from the request.scope request parameter in two places where it was instead being set to None.
    - AuthorizationEndpoint.validate_authorization_request()
    - TokenEndpoint.create_token_response()
    In both cases the Request should be properly populated before it is passed to the client's validator. In the case of the TokenEndpoint - there are OAuth2 workflows that allow an optional scope parameter so we should have been doing this for them anyway.
    Since scope_to_list() may return None, also update the openid_connect code to behave properly when this is the case.
    Fixes #436
* Reworking the handling of claims. @bjmc was quite right to question the haste-y inclusion in the Resource endpoint.  [Joel Stevenson, 2016-05-06, 1 file, -0/+107]
    It is an optional parameter to the Authorization Code endpoint and so needs to be stored with both the generated authorization code grant and any subsequent access token issued to that authorization code.
* add token_type_hint to the list of default Request params  [Massimiliano Pippi, 2015-07-20, 1 file, -0/+8]
* Add code to determine if client authentication is required for OAuth2 endpoint "revocation"  [Weipin Xia, 2015-07-19, 1 file, -0/+12]
* Fix management of rfc6749 errors  [fabio, 2015-07-06, 2 files, -55/+82]
* Fix tests for #300 merged  [Hsiaoming Yang, 2015-07-06, 1 file, -5/+3]
* Merge pull request #300 from jbkkd/master  [Hsiaoming Yang, 2015-07-06, 1 file, -1/+1]
    Revocation endpoint should return empty string, not Python 'None'
    * Updated revocation test  [Omer Korner, 2014-11-26, 1 file, -1/+1]
* Handle empty/non-parsable query strings  [Dan Berglund, 2015-06-26, 1 file, -0/+11]
* Add code to determine if client authentication is required for OAuth2 endpoint "revocation"  [Weipin Xia, 2015-05-07, 1 file, -0/+12]
* Allow invalid token_type_hint.  [Rodney Richardson, 2014-10-07, 1 file, -11/+2]
    Invalid token_type_hints should be ignored. This looks to have been broken in 6ffcc4f2ae6b66e42c1f58b6de634fe969b473a0
* Make jsonp support in revocation endpoint optional.  [Ib Lundgren, 2014-09-25, 1 file, -4/+14]
    Also include the error in jsonp callback.
* Draft 11 Token Revocation Endpoint.  [Ib Lundgren, 2013-09-17, 1 file, -0/+65]
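A revocation endpoint (RFC 7009) that behaves as the revocation commits on this page require, written here as an added example and not as oauthlib's RevocationEndpoint: an unknown token_type_hint is ignored rather than rejected, success is an empty body (not "None"), an unknown token is still a 200, JSON-P is opt-in and wraps errors in the callback too, a public client is checked against its registered client_id (pull request #453), and a token issued to a different client is refused. The TokenStore shape, the invalid_grant code for the foreign-token case and the callback-name rule are assumptions made here.

```python
import json
import re
from urllib.parse import parse_qsl

VALID_HINTS = ("access_token", "refresh_token")
# A JSON-P callback must be a plain JavaScript identifier, otherwise the caller
# injects script into a response served as application/javascript.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


class TokenStore:
    """Constructed in-memory store: per token type, token -> owning client_id."""

    def __init__(self):
        self.tokens = {"access_token": {}, "refresh_token": {}}

    def issue(self, token_type, token, client_id):
        self.tokens[token_type][token] = client_id

    def find(self, token, hint=None):
        # The hint only orders the lookup (RFC 7009 section 2.1); both types are tried.
        if hint:
            order = [hint] + [t for t in VALID_HINTS if t != hint]
        else:
            order = list(VALID_HINTS)
        for token_type in order:
            if token in self.tokens[token_type]:
                return token_type, self.tokens[token_type][token]
        return None, None

    def revoke(self, token_type, token):
        self.tokens[token_type].pop(token, None)


def _respond(status, payload, callback):
    headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
    if callback:
        # JSON-P: errors travel inside the callback as well, so the caller sees them.
        headers["Content-Type"] = "application/javascript"
        body = "%s(%s)" % (callback, json.dumps(payload if payload is not None else {}))
        return status, headers, body
    headers["Content-Type"] = "application/json;charset=UTF-8"
    # Success is an empty body (RFC 7009 section 2.2), not "null" and not "None".
    return status, headers, json.dumps(payload) if payload is not None else ""


def revoke_request(store, body, authenticated_client_id, public_clients=(), enable_jsonp=False):
    """Handle the form body of a POST /revoke. Returns (status, headers, body)."""
    params = dict(parse_qsl(body or "", keep_blank_values=True))
    callback = params.get("callback") if enable_jsonp else None
    if callback and not CALLBACK_RE.match(callback):
        callback = None

    # Confidential clients were authenticated before we got here; a public client
    # names itself with client_id and must be a registered public client.
    client_id = authenticated_client_id
    if client_id is None:
        client_id = params.get("client_id")
        if not client_id or client_id not in public_clients:
            return _respond(401, {"error": "invalid_client"}, callback)

    token = params.get("token")
    if not token:
        return _respond(400, {"error": "invalid_request",
                              "error_description": "Missing token parameter."}, callback)

    # An unrecognised token_type_hint is ignored, not an error (RFC 7009 section 2.1).
    hint = params.get("token_type_hint")
    if hint not in VALID_HINTS:
        hint = None

    token_type, owner = store.find(token, hint)
    if token_type is None:
        # Invalid or already-revoked tokens do not cause an error.
        return _respond(200, None, callback)
    if owner != client_id:
        # Issued to another client: refuse (RFC 7009 section 2.1). The error
        # code is a choice made here; the RFC does not fix one.
        return _respond(400, {"error": "invalid_grant"}, callback)

    store.revoke(token_type, token)
    return _respond(200, None, callback)
```

Client authentication (Basic or body credentials) happens before revoke_request is called; the function only receives the resulting client_id, or None for a client that presented no credentials.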
* Restructure OAuth2 tests.  [Ib Lundgren, 2013-09-12, 9 files, -0/+1032]