From 68d882e6c0408b029ab0be5a8641d19c7652a154 Mon Sep 17 00:00:00 2001
From: Franz See
Date: Sun, 5 Jan 2020 23:55:04 +0800
Subject: [PATCH 1/2] moto/issues/2672 | Modified 'token_use' to return 'id' for an id token, and 'access' for an access token
---
 moto/cognitoidp/models.py | 8 ++++----
 tests/test_cognitoidp/test_cognitoidp.py | 3 ++-
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/moto/cognitoidp/models.py b/moto/cognitoidp/models.py
index 6700920ce..082fa5189 100644
--- a/moto/cognitoidp/models.py
+++ b/moto/cognitoidp/models.py
@@ -108,7 +108,7 @@ class CognitoIdpUserPool(BaseModel):
 return user_pool_json
- def create_jwt(self, client_id, username, expires_in=60 * 60, extra_data={}):
+ def create_jwt(self, client_id, username, token_use, expires_in=60 * 60, extra_data={}):
 now = int(time.time())
 payload = {
 "iss": "https://cognito-idp.{}.amazonaws.com/{}".format(
@@ -116,7 +116,7 @@ class CognitoIdpUserPool(BaseModel):
 ),
 "sub": self.users[username].id,
 "aud": client_id,
- "token_use": "id",
+ "token_use": token_use,
 "auth_time": now,
 "exp": now + expires_in,
 }
@@ -125,7 +125,7 @@ class CognitoIdpUserPool(BaseModel):
 return jws.sign(payload, self.json_web_key, algorithm="RS256"), expires_in
 def create_id_token(self, client_id, username):
- id_token, expires_in = self.create_jwt(client_id, username)
+ id_token, expires_in = self.create_jwt(client_id, username, "id")
 self.id_tokens[id_token] = (client_id, username)
 return id_token, expires_in
@@ -137,7 +137,7 @@ class CognitoIdpUserPool(BaseModel):
 def create_access_token(self, client_id, username):
 extra_data = self.get_user_extra_data_by_client_id(client_id, username)
 access_token, expires_in = self.create_jwt(
- client_id, username, extra_data=extra_data
+ client_id, username, "access", extra_data=extra_data
 )
 self.access_tokens[access_token] = (client_id, username)
 return access_token, expires_in
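Review bot: The new `create_jwt` signature on the `+` line of the first hunk accepts any value for `token_use` and the second hunk writes it straight into the claim (`"token_use": token_use`), so a mistyped call site would mint a token whose `token_use` matches neither of the two values the claim can legally carry and nothing would notice; the function should reject anything else, `if token_use not in ("id", "access"): raise ValueError("token_use must be 'id' or 'access'")`. The same line also carries the mutable default `extra_data={}` unchanged (and again in the black-reformatted signature of the second patch); the visible lines do not show the dict being mutated, so it is presumably harmless today, but `extra_data=None` in the signature with `extra_data = extra_data or {}` in the body is the conventional guard. Inserting `token_use` as a required positional parameter ahead of `expires_in` means any caller that passed `expires_in` positionally would now silently bind it to `token_use`; the two callers updated in the third and fourth hunks pass `"id"` and `"access"` positionally, which works, but `token_use="id"` / `token_use="access"` at those call sites would make the intent explicit. create_jwt's body continues outside the hunk.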
diff --git a/tests/test_cognitoidp/test_cognitoidp.py b/tests/test_cognitoidp/test_cognitoidp.py
index 7ac1038b0..71a6e3191 100644
--- a/tests/test_cognitoidp/test_cognitoidp.py
+++ b/tests/test_cognitoidp/test_cognitoidp.py
@@ -1142,12 +1142,13 @@ def test_token_legitimacy():
 id_claims = json.loads(jws.verify(id_token, json_web_key, "RS256"))
 id_claims["iss"].should.equal(issuer)
 id_claims["aud"].should.equal(client_id)
+ id_claims["token_use"].should.equal("id")
 access_claims = json.loads(jws.verify(access_token, json_web_key, "RS256"))
 access_claims["iss"].should.equal(issuer)
 access_claims["aud"].should.equal(client_id)
 for k, v in outputs["additional_fields"].items():
 access_claims[k].should.equal(v)
-
+ access_claims["token_use"].should.equal("access")
 @mock_cognitoidp
 def test_change_password():
From a8e1a3bf08312581bf4fae1908cc1bcb76aef7d6 Mon Sep 17 00:00:00 2001
From: Franz See
Date: Mon, 6 Jan 2020 13:29:23 +0800
Subject: [PATCH 2/2] moto/issues/2672 | Formatted using black
---
 moto/cognitoidp/models.py | 4 +++-
 tests/test_cognitoidp/test_cognitoidp.py | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/moto/cognitoidp/models.py b/moto/cognitoidp/models.py
index 082fa5189..b67239e93 100644
--- a/moto/cognitoidp/models.py
+++ b/moto/cognitoidp/models.py
@@ -108,7 +108,9 @@ class CognitoIdpUserPool(BaseModel):
 return user_pool_json
- def create_jwt(self, client_id, username, token_use, expires_in=60 * 60, extra_data={}):
+ def create_jwt(
+ self, client_id, username, token_use, expires_in=60 * 60, extra_data={}
+ ):
 now = int(time.time())
 payload = {
 "iss": "https://cognito-idp.{}.amazonaws.com/{}".format(
diff --git a/tests/test_cognitoidp/test_cognitoidp.py b/tests/test_cognitoidp/test_cognitoidp.py
index 71a6e3191..79e6dbbb8 100644
--- a/tests/test_cognitoidp/test_cognitoidp.py
+++ b/tests/test_cognitoidp/test_cognitoidp.py
@@ -1150,6 +1150,7 @@ def test_token_legitimacy():
 access_claims[k].should.equal(v)
 access_claims["token_use"].should.equal("access")
+
 @mock_cognitoidp
 def test_change_password():
 conn = boto3.client("cognito-idp", "us-west-2")