When userinfo_signed_response_alg is set as client metadata and not none, the userinfo response must be signed.
(test_client, client, token, db)
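def test_scope_signed_secured(test_client, client, token, db):
    """Userinfo must come back as a signed JWT when the client asks for one.

    When ``userinfo_signed_response_alg`` is set in the client metadata to
    anything other than ``none``, the userinfo endpoint must answer with a
    JWS (``application/jwt``) signed with that algorithm instead of a plain
    JSON document. The test registers RS256, fetches ``/oauth/userinfo``
    with the fixture access token, verifies the signature against the
    provider's public JWKS, and checks both the signing algorithm actually
    used and the claims that were released.

    Args:
        test_client: HTTP test client for the provider application.
        client: Registered OAuth client fixture whose metadata is updated.
        token: Access-token fixture; its scope is narrowed to ``openid email``
            so only the email-related claims are expected in the response.
        db: Database session fixture used to persist the fixture changes.
    """
    client.set_client_metadata(
        {
            "scope": "profile",
            "redirect_uris": ["https://client.test/authorized"],
            "userinfo_signed_response_alg": "RS256",
        }
    )
    db.session.add(client)
    db.session.commit()

    token.scope = "openid email"
    db.session.add(token)
    db.session.commit()

    # "access-token" is presumably the fixture token's access_token value;
    # confirm against the token fixture if this ever stops matching.
    headers = {"Authorization": "Bearer access-token"}
    rv = test_client.get("/oauth/userinfo", headers=headers)
    # A signed userinfo response is a JWT, not the default JSON body.
    assert rv.status_code == 200
    assert rv.headers["Content-Type"] == "application/jwt"

    # Verify the signature with the provider's public keys. Bind the result
    # to a fresh name instead of rebinding the ``token`` fixture parameter.
    pub_key = KeySet.import_key_set(read_file_path("jwks_public.json"))
    userinfo = jwt.decode(rv.data, pub_key)
    # A successful decode alone does not prove the requested algorithm was
    # honoured (the key set may verify several); pin the JOSE header so a
    # downgrade to another algorithm, or an unsigned token, fails the test.
    assert userinfo.header["alg"] == "RS256"
    assert userinfo.claims == {
        "sub": "1",
        "iss": "https://provider.test",
        "aud": "client-id",
        "email": "janedoe@example.com",
        "email_verified": True,
    }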