diff --git a/tests/test_cognitoidp/test_cognitoidp.py b/tests/test_cognitoidp/test_cognitoidp.py
index 5eb529e28..3b7037889 100644
--- a/tests/test_cognitoidp/test_cognitoidp.py
+++ b/tests/test_cognitoidp/test_cognitoidp.py
@@ -14,7 +14,7 @@ from botocore.exceptions import ClientError
 from jose import jws, jwk, jwt
 from nose.tools import assert_raises
-from moto import mock_cognitoidp
+from moto import mock_cognitoidp, settings
 from moto.core import ACCOUNT_ID
@@ -1312,52 +1312,58 @@ def test_admin_update_user_attributes():
 val.should.equal("Jane")
-@mock_cognitoidp
-def test_idtoken_contains_kid_header():
- # https://github.com/spulec/moto/issues/3078
- # Setup
- cognito = boto3.client("cognito-idp", "us-west-2")
- user_pool_id = cognito.create_user_pool(PoolName=str(uuid.uuid4()))["UserPool"][
- "Id"
- ]
- client = cognito.create_user_pool_client(
- UserPoolId=user_pool_id,
- ExplicitAuthFlows=[
- "ALLOW_ADMIN_USER_PASSWORD_AUTH",
- "ALLOW_REFRESH_TOKEN_AUTH",
- "ALLOW_ADMIN_NO_SRP_AUTH",
- ],
- AllowedOAuthFlows=["code", "implicit"],
- ClientName=str(uuid.uuid4()),
- CallbackURLs=["https://example.com"],
- )
- client_id = client["UserPoolClient"]["ClientId"]
- username = str(uuid.uuid4())
- temporary_password = "1TemporaryP@ssword"
- cognito.admin_create_user(
- UserPoolId=user_pool_id, Username=username, TemporaryPassword=temporary_password
- )
- result = cognito.admin_initiate_auth(
- UserPoolId=user_pool_id,
- ClientId=client_id,
- AuthFlow="ADMIN_NO_SRP_AUTH",
- AuthParameters={"USERNAME": username, "PASSWORD": temporary_password},
- )
+# Test will retrieve public key from cognito.amazonaws.com/.well-known/jwks.json,
+# which isnt mocked in ServerMode
+if not settings.TEST_SERVER_MODE:
- # A newly created user is forced to set a new password
- # This sets a new password and logs the user in (creates tokens)
- password = "1F@kePassword"
- result = cognito.respond_to_auth_challenge(
- Session=result["Session"],
- ClientId=client_id,
- ChallengeName="NEW_PASSWORD_REQUIRED",
- ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": password},
- )
- #
- id_token = result["AuthenticationResult"]["IdToken"]
+ @mock_cognitoidp
+ def test_idtoken_contains_kid_header():
+ # https://github.com/spulec/moto/issues/3078
+ # Setup
+ cognito = boto3.client("cognito-idp", "us-west-2")
+ user_pool_id = cognito.create_user_pool(PoolName=str(uuid.uuid4()))["UserPool"][
+ "Id"
+ ]
+ client = cognito.create_user_pool_client(
+ UserPoolId=user_pool_id,
+ ExplicitAuthFlows=[
+ "ALLOW_ADMIN_USER_PASSWORD_AUTH",
+ "ALLOW_REFRESH_TOKEN_AUTH",
+ "ALLOW_ADMIN_NO_SRP_AUTH",
+ ],
+ AllowedOAuthFlows=["code", "implicit"],
+ ClientName=str(uuid.uuid4()),
+ CallbackURLs=["https://example.com"],
+ )
+ client_id = client["UserPoolClient"]["ClientId"]
+ username = str(uuid.uuid4())
+ temporary_password = "1TemporaryP@ssword"
+ cognito.admin_create_user(
+ UserPoolId=user_pool_id,
+ Username=username,
+ TemporaryPassword=temporary_password,
+ )
+ result = cognito.admin_initiate_auth(
+ UserPoolId=user_pool_id,
+ ClientId=client_id,
+ AuthFlow="ADMIN_NO_SRP_AUTH",
+ AuthParameters={"USERNAME": username, "PASSWORD": temporary_password},
+ )
- # Verify the KID header is present in the token, and corresponds to the KID supplied by the public JWT
- verify_kid_header(id_token)
+ # A newly created user is forced to set a new password
+ # This sets a new password and logs the user in (creates tokens)
+ password = "1F@kePassword"
+ result = cognito.respond_to_auth_challenge(
+ Session=result["Session"],
+ ClientId=client_id,
+ ChallengeName="NEW_PASSWORD_REQUIRED",
+ ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": password},
+ )
+ #
+ id_token = result["AuthenticationResult"]["IdToken"]
+
+ # Verify the KID header is present in the token, and corresponds to the KID supplied by the public JWT
+ verify_kid_header(id_token)
 def verify_kid_header(token):
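Review bot: Wrapping the whole definition of test_idtoken_contains_kid_header in a module-level `if not settings.TEST_SERVER_MODE:` makes the test vanish from collection in server mode rather than being reported as skipped, so a regression in the kid header of issued ID tokens would leave no trace in a server-mode run. An explicit skip keeps the test visible and records why it did not run: `@unittest.skipIf(settings.TEST_SERVER_MODE, "JWKS endpoint is not mocked in ServerMode")` placed above `@mock_cognitoidp` (with `import unittest` at the top and the body dedented back to module level) should be honoured by the nose runner this file already uses. The new comment also has a typo, `isnt` → `isn't`, and would read more precisely as "the test fetches the signing key from the Cognito JWKS URL, which is only intercepted by the in-process mock". verify_kid_header starts on the hunk's last line and its body is outside the hunk, so the fetch itself cannot be reviewed here.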