Fix #16: handle sub-tenant prefix correctly

Author: frankie567

fief_client/client.py

@@ -3,7 +3,7 @@
 import uuid
 from enum import Enum
 from typing import Any, Dict, List, Mapping, Optional, Tuple, TypedDict, Union
-from urllib.parse import urlencode, urlsplit
+from urllib.parse import urlencode
 
 import httpx
 from httpx._types import CertTypes, VerifyTypes
@@ -253,8 +253,7 @@ def _get_endpoint_url(
         rather stick to the host specified on the client configuration.
         """
         if not absolute:
-            splitted_url = urlsplit(openid_configuration[field])
-            return splitted_url.path
+            return openid_configuration[field].split(self.base_url)[1]
         return openid_configuration[field]
 
     def _auth_url(

tests/conftest.py

@@ -1,7 +1,8 @@
+import contextlib
 import uuid
 from datetime import datetime, timezone
 from os import path
-from typing import Callable, Generator, List
+from typing import Callable, ContextManager, Generator, List, Protocol
 
 import pytest
 import pytest_asyncio
@@ -98,27 +99,47 @@ def encrypted_id_token(generate_token: Callable[..., str]) -> str:
     return generate_token(encrypt=True)
 
 
+class GetAPIRequestsMock(Protocol):
+    def __call__(
+        self, *, hostname: str = "https://bretagne.fief.dev", path_prefix: str = ""
+    ) -> ContextManager[respx.MockRouter]:
+        ...
+
+
+@pytest_asyncio.fixture(scope="module")
+def get_api_requests_mock(signature_key: jwk.JWK) -> GetAPIRequestsMock:
+    @contextlib.contextmanager
+    def _get_api_requests_mock(
+        *, hostname: str = "https://bretagne.fief.dev", path_prefix: str = ""
+    ) -> Generator[respx.MockRouter, None, None]:
+        with respx.mock(assert_all_mocked=True, assert_all_called=False) as respx_mock:
+            openid_configuration_route = respx_mock.get(
+                f"{path_prefix}/.well-known/openid-configuration"
+            )
+            openid_configuration_route.return_value = Response(
+                200,
+                json={
+                    "authorization_endpoint": f"{hostname}{path_prefix}/authorize",
+                    "token_endpoint": f"{hostname}{path_prefix}/token",
+                    "userinfo_endpoint": f"{hostname}{path_prefix}/userinfo",
+                    "jwks_uri": f"{hostname}{path_prefix}/.well-known/jwks.json",
+                },
+            )
+
+            jwks_route = respx_mock.get(f"{path_prefix}/.well-known/jwks.json")
+            jwks_route.return_value = Response(
+                200,
+                json={"keys": [signature_key.export(private_key=False, as_dict=True)]},
+            )
+
+            yield respx_mock
+
+    return _get_api_requests_mock
+
+
 @pytest_asyncio.fixture(scope="module", autouse=True)
 def mock_api_requests(
-    signature_key: jwk.JWK,
+    get_api_requests_mock: GetAPIRequestsMock,
 ) -> Generator[respx.MockRouter, None, None]:
-    HOSTNAME = "https://bretagne.fief.dev"
-
-    with respx.mock(assert_all_mocked=True, assert_all_called=False) as respx_mock:
-        openid_configuration_route = respx_mock.get("/.well-known/openid-configuration")
-        openid_configuration_route.return_value = Response(
-            200,
-            json={
-                "authorization_endpoint": f"{HOSTNAME}/authorize",
-                "token_endpoint": f"{HOSTNAME}/token",
-                "userinfo_endpoint": f"{HOSTNAME}/userinfo",
-                "jwks_uri": f"{HOSTNAME}/.well-known/jwks.json",
-            },
-        )
-
-        jwks_route = respx_mock.get("/.well-known/jwks.json")
-        jwks_route.return_value = Response(
-            200, json={"keys": [signature_key.export(private_key=False, as_dict=True)]}
-        )
-
+    with get_api_requests_mock() as respx_mock:
         yield respx_mock

tests/test_client.py

@@ -24,13 +24,19 @@
     FiefTokenResponse,
 )
 from fief_client.crypto import get_validation_hash
+from tests.conftest import GetAPIRequestsMock
 
 
 @pytest.fixture(scope="module")
 def fief_client() -> Fief:
     return Fief("https://bretagne.fief.dev", "CLIENT_ID", "CLIENT_SECRET")
 
 
+@pytest.fixture(scope="module")
+def fief_client_tenant() -> Fief:
+    return Fief("https://bretagne.fief.dev/secondary", "CLIENT_ID", "CLIENT_SECRET")
+
+
 @pytest.fixture(scope="module")
 def fief_client_encryption_key(encryption_key: jwk.JWK) -> Fief:
     return Fief(
@@ -235,6 +241,30 @@ async def test_authorization_url_async(
 
         assert request.url.host == request.headers["Host"]
 
+    def test_authorization_url_tenant(
+        self, fief_client_tenant: Fief, mock_api_requests: respx.MockRouter
+    ):
+        openid_configuration_route = mock_api_requests.get(
+            "/secondary/.well-known/openid-configuration"
+        )
+        openid_configuration_route.return_value = Response(
+            200,
+            json={
+                "authorization_endpoint": "https://bretagne.fief.dev/secondary/authorize",
+                "token_endpoint": "https://bretagne.fief.dev/secondary/token",
+                "userinfo_endpoint": "https://bretagne.fief.dev/secondary/userinfo",
+                "jwks_uri": "https://bretagne.fief.dev/secondary/.well-known/jwks.json",
+            },
+        )
+
+        authorize_url = fief_client_tenant.auth_url(
+            "https://www.bretagne.duchy/callback"
+        )
+        assert (
+            authorize_url
+            == "https://bretagne.fief.dev/secondary/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=https%3A%2F%2Fwww.bretagne.duchy%2Fcallback"
+        )
+
 
 class TestAuthCallback:
     def test_error_response(
@@ -339,6 +369,44 @@ async def test_valid_response_async(
         assert isinstance(userinfo, dict)
         assert userinfo["sub"] == user_id
 
+    def test_valid_response_tenant(
+        self,
+        fief_client_tenant: Fief,
+        get_api_requests_mock: GetAPIRequestsMock,
+        access_token: str,
+        signed_id_token: str,
+        user_id: str,
+    ):
+        with get_api_requests_mock(path_prefix="/secondary") as mock_api_requests:
+            token_route = mock_api_requests.post("/secondary/token")
+            token_route.return_value = Response(
+                200,
+                json={
+                    "access_token": access_token,
+                    "id_token": signed_id_token,
+                    "token_type": "bearer",
+                },
+            )
+
+            token_response, userinfo = fief_client_tenant.auth_callback(
+                "CODE",
+                "https://www.bretagne.duchy/callback",
+                code_verifier="CODE_VERIFIER",
+            )
+
+            token_route_call = token_route.calls.last
+            assert token_route_call is not None
+
+            request_data = token_route_call.request.content.decode("utf-8")
+            assert "client_id" in request_data
+            assert "client_secret" in request_data
+
+            assert token_response["access_token"] == access_token
+            assert token_response["id_token"] == signed_id_token
+
+            assert isinstance(userinfo, dict)
+            assert userinfo["sub"] == user_id
+
 
 class TestAuthRefreshToken:
     def test_error_response(