-
Notifications
You must be signed in to change notification settings - Fork 3.3k
Expand file tree
/
Copy pathtest_auth.py
More file actions
103 lines (87 loc) · 3.85 KB
/
test_auth.py
File metadata and controls
103 lines (87 loc) · 3.85 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
"""Tests for OAuth 2.0 shared code."""
import pytest
from pydantic import AnyUrl
from mcp.shared.auth import InvalidScopeError, OAuthClientMetadata, OAuthMetadata
def test_oauth():
"""Should not throw when parsing OAuth metadata."""
OAuthMetadata.model_validate(
{
"issuer": "https://example.com",
"authorization_endpoint": "https://example.com/oauth2/authorize",
"token_endpoint": "https://example.com/oauth2/token",
"scopes_supported": ["read", "write"],
"response_types_supported": ["code", "token"],
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}
)
def test_oidc():
"""Should not throw when parsing OIDC metadata."""
OAuthMetadata.model_validate(
{
"issuer": "https://example.com",
"authorization_endpoint": "https://example.com/oauth2/authorize",
"token_endpoint": "https://example.com/oauth2/token",
"end_session_endpoint": "https://example.com/logout",
"id_token_signing_alg_values_supported": ["RS256"],
"jwks_uri": "https://example.com/.well-known/jwks.json",
"response_types_supported": ["code", "token"],
"revocation_endpoint": "https://example.com/oauth2/revoke",
"scopes_supported": ["openid", "read", "write"],
"subject_types_supported": ["public"],
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
"userinfo_endpoint": "https://example.com/oauth2/userInfo",
}
)
def test_oauth_with_jarm():
"""Should not throw when parsing OAuth metadata that includes JARM response modes."""
OAuthMetadata.model_validate(
{
"issuer": "https://example.com",
"authorization_endpoint": "https://example.com/oauth2/authorize",
"token_endpoint": "https://example.com/oauth2/token",
"scopes_supported": ["read", "write"],
"response_types_supported": ["code", "token"],
"response_modes_supported": [
"query",
"fragment",
"form_post",
"query.jwt",
"fragment.jwt",
"form_post.jwt",
"jwt",
],
"token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}
)
def test_validate_scope_none_required_scopes_accepts_all():
"""When client has no scope restrictions (scope=None), all requested scopes should be accepted."""
client = OAuthClientMetadata(
redirect_uris=[AnyUrl("http://localhost:3030/callback")],
scope=None,
)
result = client.validate_scope("read write admin")
assert result == ["read", "write", "admin"]
def test_validate_scope_none_requested_scope_returns_none():
"""When no scope is requested, validate_scope should return None."""
client = OAuthClientMetadata(
redirect_uris=[AnyUrl("http://localhost:3030/callback")],
scope="read write",
)
result = client.validate_scope(None)
assert result is None
def test_validate_scope_rejects_unauthorized_scope():
"""When client has specific allowed scopes, unauthorized scopes should be rejected."""
client = OAuthClientMetadata(
redirect_uris=[AnyUrl("http://localhost:3030/callback")],
scope="read",
)
with pytest.raises(InvalidScopeError, match="write"):
client.validate_scope("read write")
def test_validate_scope_accepts_authorized_scope():
"""When client has specific allowed scopes, authorized scopes should be accepted."""
client = OAuthClientMetadata(
redirect_uris=[AnyUrl("http://localhost:3030/callback")],
scope="read write",
)
result = client.validate_scope("read write")
assert result == ["read", "write"]