Updates per PR feedback

adamjmcgrath · adamjmcgrath · commit 67bf283d9b5c · 2025-09-15T10:25:24.000+01:00
diff --git a/auth0/authentication/back_channel_login.py b/auth0/authentication/back_channel_login.py
@@ -33,7 +33,7 @@ def back_channel_login(
              Rich Authorization Requests (RAR) details to include in the CIBA request.
 
              requested_expiry (int, optional): Number of seconds the authentication request is valid for.
-                Auth0 defaults to 30 seconds if not provided.
+                Auth0 defaults to 300 seconds (5 mins) if not provided.
 
              **kwargs: Other fields to send along with the request.
 
@@ -56,6 +56,8 @@ def back_channel_login(
                 data["authorization_details"] = json.dumps(authorization_details)
 
         if requested_expiry is not None:
+            if not isinstance(requested_expiry, int) or requested_expiry <= 0:
+                raise ValueError("requested_expiry must be a positive integer")
             data["requested_expiry"] = str(requested_expiry)
 
         data.update(kwargs)
diff --git a/auth0/test/authentication/test_back_channel_login.py b/auth0/test/authentication/test_back_channel_login.py
@@ -33,6 +33,23 @@ def test_ciba(self, mock_post):
             },
         )
 
+    @mock.patch("requests.request")
+    def test_server_error(self, mock_requests_request):
+        response = requests.Response()
+        response.status_code = 400
+        response._content = b'{"error":"foo"}'
+        mock_requests_request.return_value = response
+
+        g = BackChannelLogin("my.domain.com", "cid", client_secret="clsec")
+        with self.assertRaises(Auth0Error) as context:
+            g.back_channel_login(
+                binding_message="msg",
+                login_hint="hint",
+                scope="openid"
+            )
+        self.assertEqual(context.exception.status_code, 400)
+        self.assertEqual(context.exception.message, 'foo')
+
     @mock.patch("auth0.rest.RestClient.post")
     def test_should_require_binding_message(self, mock_post):
         g = BackChannelLogin("my.domain.com", "cid", client_secret="clsec")
@@ -161,3 +178,33 @@ def test_with_request_expiry(self, mock_post):
                 "requested_expiry": "100",
             },
         )
+
+    def test_requested_expiry_negative_raises(self):
+        g = BackChannelLogin("my.domain.com", "cid", client_secret="clsec")
+        with self.assertRaises(ValueError):
+            g.back_channel_login(
+                binding_message="msg",
+                login_hint="hint",
+                scope="openid",
+                requested_expiry=-10
+            )
+
+    def test_requested_expiry_zero_raises(self):
+        g = BackChannelLogin("my.domain.com", "cid", client_secret="clsec")
+        with self.assertRaises(ValueError):
+            g.back_channel_login(
+                binding_message="msg",
+                login_hint="hint",
+                scope="openid",
+                requested_expiry=0
+            )
+
+    def test_requested_non_int_raises(self):
+        g = BackChannelLogin("my.domain.com", "cid", client_secret="clsec")
+        with self.assertRaises(ValueError):
+            g.back_channel_login(
+                binding_message="msg",
+                login_hint="hint",
+                scope="openid",
+                requested_expiry="string_instead_of_int"
+            )
diff --git a/auth0/test/authentication/test_get_token.py b/auth0/test/authentication/test_get_token.py
@@ -6,6 +6,7 @@
 
 from cryptography.hazmat.primitives import asymmetric, serialization
 
+from ... import Auth0Error
 from ...authentication.get_token import GetToken
 
 
@@ -337,24 +338,23 @@ def test_backchannel_login(self, mock_post):
             },
         )
 
-    @mock.patch("auth0.rest.RestClient.post")
-    def test_backchannel_login_headers_on_failure(self, mock_post):
+    @mock.patch("requests.request")
+    def test_backchannel_login_headers_on_failure(self, mock_requests_request):
         response = requests.Response()
         response.status_code = 400
-        response.headers = {"Retry-After": 100}
+        response.headers = {"Retry-After": "100"}
         response._content = b'{"error":"slow_down"}'
-        mock_post.side_effect = requests.exceptions.HTTPError(response=response)
+        mock_requests_request.return_value = response
 
         g = GetToken("my.domain.com", "cid", client_secret="csec")
 
-        try:
+        with self.assertRaises(Auth0Error) as context:
             g.backchannel_login(
                 auth_req_id="reqid",
                 grant_type="urn:openid:params:grant-type:ciba",
             )
-        except requests.exceptions.HTTPError as e:
-            self.assertEqual(e.response.headers["Retry-After"], 100)
-            self.assertEqual(e.response.status_code, 400)
+        self.assertEqual(context.exception.headers["Retry-After"], "100")
+        self.assertEqual(context.exception.status_code, 400)
 
     @mock.patch("auth0.rest.RestClient.post")
     def test_connection_login(self, mock_post):
