work in progress: oidc auth tests

2025-04-28 15:29:21 +02:00 · 2025-04-28 15:29:21 +02:00 · 6857601ab8
commit 6857601ab8
parent 01fc7d2874
2 changed files with 17 additions and 15 deletions
--- a/scopes/tests/tlib_web.py
+++ b/scopes/tests/tlib_web.py
@ -10,6 +10,8 @@ from zope.publisher.publish import publish
 from scopes.web.app import Publication
 from scopes.storage.folder import Root

+logger = logging.getLogger('tlib_web')
+

 def publishRequest(config, storage, path):
    appRoot = Root(storage)
@ -20,7 +22,6 @@ def publishRequest(config, storage, path):


 def test_app(self, config):
-    logger = logging.getLogger('tlib_web')
    storage = config.storageFactory(config.dbschema)
    response = publishRequest(config, storage, '/top')
    logger.info('test_app: response %s %s', response.getStatus(), response.getHeaders())
@ -31,3 +32,8 @@ def test_auth(self, config):
    from scopes.web.auth import oidc
    oidc.startup()  # todo: use generic app.startServices()
    self.assertEqual(len(config.oidc_params['op_uris']), 8)
+    storage = config.storageFactory(config.dbschema)
+    response = publishRequest(config, storage, '/top/auth/login')
+    headers = dict(response.getHeaders())
+    logger.info('test_auth: response %s %s', response.getStatus(), headers)
+    self.assertEqual(response.getStatus(), 302)
--- a/scopes/web/auth/oidc.py
+++ b/scopes/web/auth/oidc.py
@ -199,24 +199,20 @@ class Authenticator(DummyFolder):
        return data

    def getIdTokenData(self, token):
-        keyUri = self.params['op_uris']['jwks_uri']
-        jwksClient = jwt.PyJWKClient(keyUri)
+        uri = self.params['op_uris']['jwks_uri']
+        keys = self.loadPublicKeys(uri)
+        header = jwt.get_unverified_header(token)
+        key = jwt.PyJWK(keys[header['kid']])
+        return jwt.decode(token, key, audience=self.params.client_id)
+        jwksClient = jwt.PyJWKClient(uri)
        key = jwksClient.get_signing_key_from_jwt(token)
        return jwt.decode(token, key, options=dict(verify_aud=False))
-        header = jwt.get_unverified_header(token)
-        kid = header['kid']
-        key = self.loadOidcKeys()[kid]
-        return jwt.decode(token, key, audience=self.params.client_id)

-    def loadOidcKeys(self):
-        result = {}
-        keyUri = self.params['op_uris']['jwks_uri']
-        for k in requests.get(keyUri).json()['keys']:
-            result[k['kid']] = jwt.PyJWK(k)
-        return result
+    def loadOidcKeys(self, uri):
+        return dict((item['kid'], item) for item in requests.get(uri).json()['keys'])


-@register('auth', Root)
+@register('auth')
 def authView(context, request):
    return Authenticator(request)

@ -254,4 +250,4 @@ def loadOidcProviderData(force=False):
        for key in oidcProviderUris:
            uris[key] = opData[key]
    #if force or params.get('op_keys') is None:
-        params['op_keys'] = requests.get(uris['jwks_uri']).json()['keys']
+        #params['op_keys'] = requests.get(uris['jwks_uri']).json()['keys']