remove implicit grant type for OAuth 2 apps

2026-02-16 02:30:01 -03:30 · 2019-05-28 14:22:57 -04:00
parent 41f2b83ae2
commit cb279843d2
7 changed files with 28 additions and 97 deletions
--- a/awx/main/tests/functional/api/test_oauth.py
+++ b/awx/main/tests/functional/api/test_oauth.py
@@ -4,7 +4,6 @@ import json

 from django.db import connection
 from django.test.utils import override_settings
-from django.test import Client
 from django.utils.encoding import smart_str, smart_bytes

 from awx.main.utils.encryption import decrypt_value, get_encryption_key
@@ -114,7 +113,7 @@ def test_oauth_application_update(oauth_application, organization, patch, admin,
            'name': 'Test app with immutable grant type and user',
            'organization': organization.pk,
            'redirect_uris': 'http://localhost/api/',
-            'authorization_grant_type': 'implicit',
+            'authorization_grant_type': 'password',
            'skip_authorization': True,
        }, admin, expect=200
    )
@@ -175,27 +174,22 @@ def test_oauth_token_create(oauth_application, get, post, admin):
    assert response.data['summary_fields']['tokens']['results'][0] == {
        'id': token.pk, 'scope': token.scope, 'token': '************'
    }
-    # If the application is implicit grant type, no new refresb tokens should be created.
-    # The following tests check for that.
-    oauth_application.authorization_grant_type = 'implicit'
-    oauth_application.save()
-    token_count = RefreshToken.objects.count()
+
    response = post(
        reverse('api:o_auth2_token_list'),
        {'scope': 'read', 'application': oauth_application.pk}, admin, expect=201
    )
-    assert response.data['refresh_token'] is None
+    assert response.data['refresh_token']
    response = post(
        reverse('api:user_authorized_token_list', kwargs={'pk': admin.pk}),
        {'scope': 'read', 'application': oauth_application.pk}, admin, expect=201
    )
-    assert response.data['refresh_token'] is None
+    assert response.data['refresh_token']
    response = post(
        reverse('api:application_o_auth2_token_list', kwargs={'pk': oauth_application.pk}),
        {'scope': 'read'}, admin, expect=201
    )
-    assert response.data['refresh_token'] is None
-    assert token_count == RefreshToken.objects.count()
+    assert response.data['refresh_token']


@pytest.mark.django_db
@@ -260,30 +254,6 @@ def test_oauth_list_user_tokens(oauth_application, post, get, admin, alice):
        post(url, {'scope': 'read'}, user, expect=201)
        response = get(url, admin, expect=200)
        assert response.data['count'] == 1
-
-
-@pytest.mark.django_db
-def test_implicit_authorization(oauth_application, admin):
-    oauth_application.client_type = 'confidential'
-    oauth_application.authorization_grant_type = 'implicit'
-    oauth_application.redirect_uris = 'http://test.com'
-    oauth_application.save()
-    data = {
-        'response_type': 'token',
-        'client_id': oauth_application.client_id,
-        'client_secret': oauth_application.client_secret,
-        'scope': 'read',
-        'redirect_uri': 'http://test.com', 
-        'allow': True
-    }
-
-    request_client = Client()
-    request_client.force_login(admin, 'django.contrib.auth.backends.ModelBackend')
-    refresh_token_count = RefreshToken.objects.count()
-    response = request_client.post(drf_reverse('api:authorize'), data)
-    assert 'http://test.com' in response.url and 'access_token' in response.url
-    # Make sure no refresh token is created for app with implicit grant type.
-    assert refresh_token_count == RefreshToken.objects.count()
    

@pytest.mark.django_db