Client Credential Flow implementation

2025-11-08 07:49:49 +01:00 · 2025-11-07 15:49:01 +01:00
parent 68341a2a7e
commit bfd50e3cd5
4 changed files with 56 additions and 31 deletions
--- a/apps/permission/tests/test_oauth2_access.py
+++ b/apps/permission/tests/test_oauth2_access.py
@@ -126,6 +126,7 @@ class OAuth2TestCase(TestCase):
                               **{'Authorization': f'Bearer {token.token}'})

        # Token is not granted to see other api
-        resp = self.client.get(f'/api/user/{self.user.pk}/',
+        resp = self.client.get(f'/api/members/profile/{self.user.profile.pk}/',
                               **{'Authorization': f'Bearer {token.token}'})
+
        self.assertEqual(resp.status_code, 404)
--- a/apps/permission/tests/test_oauth2_flow.py
+++ b/apps/permission/tests/test_oauth2_flow.py
@@ -7,7 +7,7 @@ from django.contrib.auth.models import User
 from django.test import TestCase
 from member.models import Membership, Club
 from note.models import NoteUser
-from oauth2_provider.models import Application
+from oauth2_provider.models import Application, AccessToken

 from ..models import Role, Permission

@@ -81,14 +81,10 @@ class OAuth2TestCase(TestCase):

        self.assertEqual(resp.status_code, 200)

-        token = resp.json()['access_token']
+        token = AccessToken.objects.get(token=resp.json()['access_token'])

-        # Token is valid but has no right
-        resp = self.client.get('/api/user/{self.user.pk}',
-                               **{'Authorization': f'Bearer {token}'}
-                               )
-
-        self.assertEqual(resp.status_code, 403)
+        # Token do nothing, it should be have the useless scope
+        self.assertEqual(token.scope, '0_0')

        # RFC6749 4.4.2 allows use of scope in client credential flow
        resp = self.client.post('/o/token/',
@@ -100,13 +96,10 @@ class OAuth2TestCase(TestCase):

        self.assertEqual(resp.status_code, 200)

-        token = resp.json()['access_token']
+        token = AccessToken.objects.get(token=resp.json()['access_token'])

-        # Now app can see his creator
-        resp = self.client.post(f'/api/user/{self.user.pk}/',
-                                **{'Authorization': f'Bearer {token}'})
-
-        self.assertEqual(resp.status_code, 200)
+        # Token can have access, it shouldn't have the useless scope
+        self.assertEqual(token.scope, self.base_scope)

    def test_oidc_flow(self):
        """