Resource servers

If you are writing a resource server, you will probably want to test that your application correctly checks whether a token is valid before it grants access to a resource. If the access token is an RFC 9068 JWT, your application needs to check its signature against the identity server's JWKs. If the access token is not a JWT, your application needs to send a request to the identity server's token introspection endpoint.

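def test_valid_token_auth(iam_server, testclient, client, user):
    # Token generated by the test identity server for this client and user.
    token = iam_server.random_token(client=client, subject=user)
    res = testclient.get(
        "/protected-resource", headers={"Authorization": f"Bearer {token.access_token}"}
    )
    # The resource server must accept a token the identity server knows.
    assert res.status_code == 200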


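def test_invalid_token_auth(iam_server, testclient):
    # "invalid" was never issued by the identity server.
    res = testclient.get(
        "/protected-resource", headers={"Authorization": "Bearer invalid"}
    )
    # An unknown token must be rejected, not silently accepted.
    assert res.status_code == 401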
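
The two checks described above, as an added example of the application-side logic these tests exercise (not code from pytest-iam or from this page). It uses only the standard library and accepts RS256 only; `token_is_valid`, its parameters and the `introspect` callable standing in for the introspection request are names assumed here.

```python
import base64, hashlib, hmac, json, time

# DER DigestInfo prefix for SHA-256 (PKCS#1 v1.5 signatures, RFC 8017)
SHA256_DER = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data):
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def rs256_valid(signed, sig, jwk):
    """Check an RS256 signature against one RSA public JWK."""
    n = int.from_bytes(b64url(jwk["n"]), "big")
    e = int.from_bytes(b64url(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    digest = SHA256_DER + hashlib.sha256(signed).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), expected)

def token_is_valid(token, jwks, issuer, audience, introspect, now=None):
    """jwks: identity server JWK Set; introspect: hypothetical callable that
    posts the token to the introspection endpoint and returns its JSON."""
    parts = token.split(".")
    if len(parts) != 3:  # not a JWT: rely on introspection (RFC 7662)
        return introspect(token).get("active") is True
    try:
        header = json.loads(b64url(parts[0]))
        claims = json.loads(b64url(parts[1]))
        sig = b64url(parts[2])
        typ, alg, kid = (header.get(x) for x in ("typ", "alg", "kid"))
        iss, aud, exp = (claims.get(x) for x in ("iss", "aud", "exp"))
    except (ValueError, AttributeError):
        return False
    # RFC 9068 tokens carry typ "at+jwt"; pin the algorithm, never trust "none"
    if typ not in ("at+jwt", "application/at+jwt") or alg != "RS256":
        return False
    signed = (parts[0] + "." + parts[1]).encode()
    keys = [k for k in jwks.get("keys", [])
            if k.get("kty") == "RSA" and kid in (None, k.get("kid"))]
    if not any(rs256_valid(signed, sig, k) for k in keys):
        return False
    now = time.time() if now is None else now
    audiences = aud if isinstance(aud, list) else [aud]
    return (iss == issuer and audience in audiences
            and isinstance(exp, (int, float)) and exp > now)
```

A view serving `/protected-resource` would call `token_is_valid` on the bearer value and answer 401 when it returns `False`, which is the behaviour the two tests above assert.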