Merge branch 'master' into docs/fix-typo-docstring

Author: kishore7snehil

.github/workflows/docs.yml

@@ -22,7 +22,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Pages
-        uses: actions/configure-pages@v4
+        uses: actions/configure-pages@v5
 
       - name: Configure Python
         uses: actions/setup-python@v5

.github/workflows/publish.yml

@@ -12,17 +12,17 @@ permissions:
 
 jobs:
   rl-scanner:
-  uses: ./.github/workflows/rl-scanner.yml
-  with:
-    node-version: 18
-    artifact-name: "auth0-python.tgz"
-  secrets:
-    RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
-    RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
-    SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
-    PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
-    PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
-    PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+    uses: ./.github/workflows/rl-scanner.yml
+    with:
+      python-version: 3.10
+      artifact-name: "auth0-python.tgz"
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
   publish-pypi:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     name: "PyPI"

.github/workflows/snyk.yml

@@ -34,7 +34,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
-      - uses: snyk/actions/python-3.8@4a528b5c534bb771b6e3772656a8e0e9dc902f8b # pinned 2023-06-13
+      - uses: snyk/actions/python-3.8@cdb760004ba9ea4d525f2e043745dfe85bb9077e # pinned 2023-06-13
         continue-on-error: true # Make sure the SARIF upload is called
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.github/workflows/test.yml

@@ -80,4 +80,4 @@ jobs:
 
       - if: ${{ matrix.python-version == '3.10' }}
         name: Upload coverage
-        uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0 # [email protected].5
+        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # pin@5.3.1

auth0/authentication/back_channel_login.py

@@ -0,0 +1,37 @@
+from typing import Any
+
+from .base import AuthenticationBase
+
+
+class BackChannelLogin(AuthenticationBase):
+    """Back-Channel Login endpoint"""
+
+    def back_channel_login(
+        self, binding_message: str, login_hint: str, scope: str, **kwargs
+    ) -> Any:
+        """Send a Back-Channel Login.
+
+        Args:
+             binding_message (str): Human-readable string displayed on both the device calling /bc-authorize and the user’s 
+             authentication device to ensure the user is approves the correct request.
+
+             login_hint (str): String containing information about the user to contact for authentication.
+
+             scope(str): "openid" is a required scope.Multiple scopes are separated 
+             with whitespace.
+
+             **kwargs: Other fields to send along with the PAR.
+
+        Returns:
+            auth_req_id, expires_in, interval
+        """
+        return self.authenticated_post(
+            f"{self.protocol}://{self.domain}/bc-authorize",
+            data={
+                "client_id": self.client_id,
+                "binding_message": binding_message,
+                "login_hint": login_hint,
+                "scope": scope,
+                **kwargs,
+            },
+        )

auth0/authentication/get_token.py

@@ -253,3 +253,27 @@ def passwordless_login(
                 "grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp",
             },
         )
+
+    def backchannel_login(
+        self, auth_req_id: str, grant_type: str = "urn:openid:params:grant-type:ciba",
+    ) -> Any:
+        """Calls /oauth/token endpoint with "urn:openid:params:grant-type:ciba" grant type
+
+        Args:
+            auth_req_id (str): The id received from /bc-authorize
+
+            grant_type (str): Denotes the flow you're using.For Back Channel login
+            use urn:openid:params:grant-type:ciba
+
+        Returns:
+            access_token, id_token
+        """
+
+        return self.authenticated_post(
+            f"{self.protocol}://{self.domain}/oauth/token",
+            data={
+                "client_id": self.client_id,
+                "auth_req_id": auth_req_id,
+                "grant_type": grant_type,
+            },
+        )

auth0/authentication/pushed_authorization_requests.py

@@ -16,6 +16,8 @@ def pushed_authorization_request(
              redirect_uri (str): The URL to which Auth0 will redirect the browser after authorization has been granted
              by the user.
              **kwargs: Other fields to send along with the PAR.
+             For RAR requests, authorization_details parameter should be added in a proper format. See:https://datatracker.ietf.org/doc/html/rfc9396
+             For JAR requests, requests parameter should be send with the JWT as the value. See: https://datatracker.ietf.org/doc/html/rfc9126#name-the-request-request-paramet
 
         See: https://www.rfc-editor.org/rfc/rfc9126.html
         """

auth0/test/authentication/test_back_channel_login.py

@@ -0,0 +1,78 @@
+
+import unittest
+from unittest import mock
+
+import requests
+from ...exceptions import Auth0Error, RateLimitError
+
+from ...authentication.back_channel_login import BackChannelLogin
+
+class TestBackChannelLogin(unittest.TestCase):
+    @mock.patch("auth0.rest.RestClient.post")
+    def test_ciba(self, mock_post):
+        g = BackChannelLogin("my.domain.com", "cid", client_secret="clsec")
+
+        g.back_channel_login(
+            binding_message="This is a binding message",
+            login_hint="{ \"format\": \"iss_sub\", \"iss\": \"https://my.domain.auth0.com/\", \"sub\": \"auth0|[USER ID]\" }",
+            scope="openid",
+        )
+
+        args, kwargs = mock_post.call_args
+
+        self.assertEqual(args[0], "https://my.domain.com/bc-authorize")
+        self.assertEqual(
+            kwargs["data"],
+            {
+                "client_id": "cid",
+                "client_secret": "clsec",
+                "binding_message": "This is a binding message",
+                "login_hint": "{ \"format\": \"iss_sub\", \"iss\": \"https://my.domain.auth0.com/\", \"sub\": \"auth0|[USER ID]\" }",
+                "scope": "openid",
+            },
+        )
+
+    @mock.patch("auth0.rest.RestClient.post")
+    def test_should_require_binding_message(self, mock_post):
+        g = BackChannelLogin("my.domain.com", "cid", client_secret="clsec")
+
+        # Expecting an exception to be raised when binding_message is missing
+        with self.assertRaises(Exception) as context:
+            g.back_channel_login(
+                login_hint='{ "format": "iss_sub", "iss": "https://my.domain.auth0.com/", "sub": "auth0|USER_ID" }',
+                scope="openid",
+            )
+
+        # Assert the error message is correct
+        self.assertIn("missing 1 required positional argument: \'binding_message\'", str(context.exception))
+
+    @mock.patch("auth0.rest.RestClient.post")
+    def test_should_require_login_hint(self, mock_post):
+        g = BackChannelLogin("my.domain.com", "cid", client_secret="clsec")
+
+        # Expecting an exception to be raised when login_hint is missing
+        with self.assertRaises(Exception) as context:
+            g.back_channel_login(
+                binding_message="This is a binding message.",
+                scope="openid",
+            )
+
+        # Assert the error message is correct
+        self.assertIn("missing 1 required positional argument: \'login_hint\'", str(context.exception))
+    
+    @mock.patch("auth0.rest.RestClient.post")
+    def test_should_require_scope(self, mock_post):
+        g = BackChannelLogin("my.domain.com", "cid", client_secret="clsec")
+
+        # Expecting an exception to be raised when scope is missing
+        with self.assertRaises(Exception) as context:
+            g.back_channel_login(
+                binding_message="This is a binding message.",
+                login_hint='{ "format": "iss_sub", "iss": "https://my.domain.auth0.com/", "sub": "auth0|USER_ID" }',
+            )
+
+        # Assert the error message is correct
+        self.assertIn("missing 1 required positional argument: \'scope\'", str(context.exception))
+
+
+

auth0/test/authentication/test_get_token.py

@@ -313,3 +313,25 @@ def test_passwordless_login_with_email(self, mock_post):
                 "scope": "openid",
             },
         )
+
+    @mock.patch("auth0.rest.RestClient.post")
+    def test_backchannel_login(self, mock_post):
+        g = GetToken("my.domain.com", "cid", client_secret="csec")
+
+        g.backchannel_login(
+            auth_req_id="reqid",
+            grant_type="urn:openid:params:grant-type:ciba",
+        )
+
+        args, kwargs = mock_post.call_args
+
+        self.assertEqual(args[0], "https://my.domain.com/oauth/token")
+        self.assertEqual(
+            kwargs["data"],
+            {
+                "client_id": "cid",
+                "client_secret": "csec",
+                "auth_req_id": "reqid",
+                "grant_type": "urn:openid:params:grant-type:ciba",
+            },
+        )

auth0/test/authentication/test_pushed_authorization_requests.py

@@ -1,4 +1,5 @@
 import unittest
+import json
 from unittest import mock
 
 from ...authentication.pushed_authorization_requests import PushedAuthorizationRequests
@@ -45,3 +46,59 @@ def test_par_custom_params(self, mock_post):
                 "foo": "bar",
             },
         )
+
+    @mock.patch("auth0.rest.RestClient.post")
+    def test_rar(self, mock_post):
+        a = PushedAuthorizationRequests("my.domain.com", "cid", client_secret="sh!")
+        a.pushed_authorization_request(
+            response_type="code", 
+            redirect_uri="https://example.com/callback", 
+            authorization_details=[{"type": "money_transfer", "instructedAmount": {"amount": 2500, "currency": "USD"}}],
+        )
+
+        args, kwargs = mock_post.call_args
+
+        expected_data = {
+            "client_id": "cid",
+            "client_secret": "sh!",
+            "response_type": "code",
+            "redirect_uri": "https://example.com/callback",
+            "authorization_details": [{"type": "money_transfer", "instructedAmount": {"amount": 2500, "currency": "USD"}}],
+        }
+
+        actual_data = kwargs["data"]
+        
+        self.assertEqual(args[0], "https://my.domain.com/oauth/par")
+   
+        self.assertEqual(
+            json.dumps(actual_data, sort_keys=True), 
+            json.dumps(expected_data, sort_keys=True)
+        )
+
+    @mock.patch("auth0.rest.RestClient.post")
+    def test_jar(self, mock_post):
+        a = PushedAuthorizationRequests("my.domain.com", "cid", client_secret="sh!")
+        a.pushed_authorization_request(
+            response_type="code", 
+            redirect_uri="https://example.com/callback", 
+            request="my-jwt-request",
+        )
+
+        args, kwargs = mock_post.call_args
+
+        expected_data = {
+            "client_id": "cid",
+            "client_secret": "sh!",
+            "response_type": "code",
+            "redirect_uri": "https://example.com/callback",
+            "request": 'my-jwt-request',
+        }
+
+        actual_data = kwargs["data"]
+        
+        self.assertEqual(args[0], "https://my.domain.com/oauth/par")
+   
+        self.assertEqual(
+            json.dumps(actual_data, sort_keys=True), 
+            json.dumps(expected_data, sort_keys=True)
+        )