Adding Support For RAR and JAR Requests (#659)

kishore7snehil · web-flow · commit 66429f167c0e · 2025-01-29T17:50:24.000+05:30
Adding Support For RAR and JAR Requests
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -12,17 +12,17 @@ permissions:
 
 jobs:
   rl-scanner:
-  uses: ./.github/workflows/rl-scanner
-  with:
-    python-version: 3.10
-    artifact-name: "auth0-python.tgz"
-  secrets:
-    RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
-    RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
-    SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
-    PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
-    PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
-    PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+    uses: ./.github/workflows/rl-scanner.yml
+    with:
+      python-version: 3.10
+      artifact-name: "auth0-python.tgz"
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
   publish-pypi:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     name: "PyPI"
diff --git a/auth0/authentication/pushed_authorization_requests.py b/auth0/authentication/pushed_authorization_requests.py
@@ -16,6 +16,8 @@ def pushed_authorization_request(
              redirect_uri (str): The URL to which Auth0 will redirect the browser after authorization has been granted
              by the user.
              **kwargs: Other fields to send along with the PAR.
+             For RAR requests, authorization_details parameter should be added in a proper format. See:https://datatracker.ietf.org/doc/html/rfc9396
+             For JAR requests, requests parameter should be send with the JWT as the value. See: https://datatracker.ietf.org/doc/html/rfc9126#name-the-request-request-paramet
 
         See: https://www.rfc-editor.org/rfc/rfc9126.html
         """
diff --git a/auth0/test/authentication/test_pushed_authorization_requests.py b/auth0/test/authentication/test_pushed_authorization_requests.py
@@ -1,4 +1,5 @@
 import unittest
+import json
 from unittest import mock
 
 from ...authentication.pushed_authorization_requests import PushedAuthorizationRequests
@@ -45,3 +46,59 @@ def test_par_custom_params(self, mock_post):
                 "foo": "bar",
             },
         )
+
+    @mock.patch("auth0.rest.RestClient.post")
+    def test_rar(self, mock_post):
+        a = PushedAuthorizationRequests("my.domain.com", "cid", client_secret="sh!")
+        a.pushed_authorization_request(
+            response_type="code", 
+            redirect_uri="https://example.com/callback", 
+            authorization_details=[{"type": "money_transfer", "instructedAmount": {"amount": 2500, "currency": "USD"}}],
+        )
+
+        args, kwargs = mock_post.call_args
+
+        expected_data = {
+            "client_id": "cid",
+            "client_secret": "sh!",
+            "response_type": "code",
+            "redirect_uri": "https://example.com/callback",
+            "authorization_details": [{"type": "money_transfer", "instructedAmount": {"amount": 2500, "currency": "USD"}}],
+        }
+
+        actual_data = kwargs["data"]
+        
+        self.assertEqual(args[0], "https://my.domain.com/oauth/par")
+   
+        self.assertEqual(
+            json.dumps(actual_data, sort_keys=True), 
+            json.dumps(expected_data, sort_keys=True)
+        )
+
+    @mock.patch("auth0.rest.RestClient.post")
+    def test_jar(self, mock_post):
+        a = PushedAuthorizationRequests("my.domain.com", "cid", client_secret="sh!")
+        a.pushed_authorization_request(
+            response_type="code", 
+            redirect_uri="https://example.com/callback", 
+            request="my-jwt-request",
+        )
+
+        args, kwargs = mock_post.call_args
+
+        expected_data = {
+            "client_id": "cid",
+            "client_secret": "sh!",
+            "response_type": "code",
+            "redirect_uri": "https://example.com/callback",
+            "request": 'my-jwt-request',
+        }
+
+        actual_data = kwargs["data"]
+        
+        self.assertEqual(args[0], "https://my.domain.com/oauth/par")
+   
+        self.assertEqual(
+            json.dumps(actual_data, sort_keys=True), 
+            json.dumps(expected_data, sort_keys=True)
+        )
