hub / github.com/authlib/authlib / test_scope_signed_secured

Function test_scope_signed_secured

tests/flask/test_oauth2/test_userinfo.py:301–329

When userinfo_signed_response_alg is set as client metadata and not none, the userinfo response must be signed.

(test_client, client, token, db)

# Module-level imports this function relies on. They are not part of the
# excerpt; the paths are assumed from the names and API used below.
from joserfc import jwt
from joserfc.jwk import KeySet

from tests.util import read_file_path


def test_scope_signed_secured(test_client, client, token, db):
    """When userinfo_signed_response_alg is set as client metadata and not none, the userinfo response must be signed."""
    # Register the client with a signing algorithm for userinfo responses.
    client.set_client_metadata(
        {
            "scope": "profile",
            "redirect_uris": ["https://client.test/authorized"],
            "userinfo_signed_response_alg": "RS256",
        }
    )
    db.session.add(client)
    db.session.commit()

    token.scope = "openid email"
    db.session.add(token)
    db.session.commit()

    headers = {"Authorization": "Bearer access-token"}
    rv = test_client.get("/oauth/userinfo", headers=headers)
    # A signed userinfo response is served as a JWT, not as plain JSON.
    assert rv.headers["Content-Type"] == "application/jwt"

    # Verify the signature against the provider's public key set, then check
    # the claims, including the iss and aud values carried by the signed form.
    pub_key = KeySet.import_key_set(read_file_path("jwks_public.json"))
    token = jwt.decode(rv.data, pub_key)
    assert token.claims == {
        "sub": "1",
        "iss": "https://provider.test",
        "aud": "client-id",
        "email": "janedoe@example.com",
        "email_verified": True,
    }

Callers

nothing calls this directly

Calls 5

read_file_path · Function · 0.90
set_client_metadata · Method · 0.80
import_key_set · Method · 0.80
decode · Method · 0.80
get · Method · 0.45

Tested by

no test coverage detected
