2021-05-04 22:06:05 +00:00
|
|
|
package oidc
|
|
|
|
|
|
|
|
import (
|
2022-04-07 06:13:01 +00:00
|
|
|
"net/url"
|
2021-05-04 22:06:05 +00:00
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
2022-03-04 03:09:27 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2021-05-04 22:06:05 +00:00
|
|
|
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
2021-05-04 22:06:05 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
var exampleIssuerPrivateKey = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAvcMVMB2vEbqI6PlSNJ4HmUyMxBDJ5iY7FS+zDDAHOZBg9S3S\nKcAn1CZcnyL0VvJ7wcdhR6oTnOwR94eKvzUyJZ+GL2hTMm27dubEYsNdhoCl6N3X\nyEEohNfoxiiCYraVauX8X3M9jFzbEz9+pacaDbHB2syaJ1qFmMNR+HSu2jPzOo7M\nlqKIOgUzA0741MaYNt47AEVg4XU5ORLdolbAkItmYg1QbyFndg9H5IvwKkYaXTGE\nlgDBcPUC0yVjAC15Mguquq+jZeQay+6PSbHTD8PQMOkLjyChI2xEhVNbdCXe676R\ncMW2R/gjrcK23zmtmTWRfdC1iZLSlHO+bJj9vQIDAQABAoIBAEZvkP/JJOCJwqPn\nV3IcbmmilmV4bdi1vByDFgyiDyx4wOSA24+PubjvfFW9XcCgRPuKjDtTj/AhWBHv\nB7stfa2lZuNV7/u562mZArA+IAr62Zp0LdIxDV8x3T8gbjVB3HhPYbv0RJZDKTYd\nzV6jhfIrVu9mHpoY6ZnodhapCPYIyk/d49KBIHZuAc25CUjMXgTeaVtf0c996036\nUxW6ef33wAOJAvW0RCvbXAJfmBeEq2qQlkjTIlpYx71fhZWexHifi8Ouv3Zonc+1\n/P2Adq5uzYVBT92f9RKHg9QxxNzVrLjSMaxyvUtWQCAQfW0tFIRdqBGsHYsQrFtI\nF4yzv8ECgYEA7ntpyN9HD9Z9lYQzPCR73sFCLM+ID99aVij0wHuxK97bkSyyvkLd\n7MyTaym3lg1UEqWNWBCLvFULZx7F0Ah6qCzD4ymm3Bj/ADpWWPgljBI0AFml+HHs\nhcATmXUrj5QbLyhiP2gmJjajp1o/rgATx6ED66seSynD6JOH8wUhhZUCgYEAy7OA\n06PF8GfseNsTqlDjNF0K7lOqd21S0prdwrsJLiVzUlfMM25MLE0XLDUutCnRheeh\nIlcuDoBsVTxz6rkvFGD74N+pgXlN4CicsBq5ofK060PbqCQhSII3fmHobrZ9Cr75\nHmBjAxHx998SKaAAGbBbcYGUAp521i1pH5CEPYkCgYEAkUd1Zf0+2RMdZhwm6hh/\nrW+l1I6IoMK70YkZsLipccRNld7Y9LbfYwYtODcts6di9AkOVfueZJiaXbONZfIE\nZrb+jkAteh9wGL9xIrnohbABJcV3Kiaco84jInUSmGDtPokncOENfHIEuEpuSJ2b\nbx1TuhmAVuGWivR0+ULC7RECgYEAgS0cDRpWc9Xzh9Cl7+PLsXEvdWNpPsL9OsEq\n0Ep7z9+/+f/jZtoTRCS/BTHUpDvAuwHglT5j3p5iFMt5VuiIiovWLwynGYwrbnNS\nqfrIrYKUaH1n1oDS+oBZYLQGCe9/7EifAjxtjYzbvSyg//SPG7tSwfBCREbpZXj2\nqSWkNsECgYA/mCDzCTlrrWPuiepo6kTmN+4TnFA+hJI6NccDVQ+jvbqEdoJ4SW4L\nzqfZSZRFJMNpSgIqkQNRPJqMP0jQ5KRtJrjMWBnYxktwKz9fDg2R2MxdFgMF2LH2\nHEMMhFHlv8NDjVOXh1KwRoltNGVWYsSrD9wKU9GhRCEfmNCGrvBcEg==\n-----END RSA PRIVATE KEY-----"
|
|
|
|
|
|
|
|
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_NotConfigured(t *testing.T) {
|
2022-04-07 05:33:53 +00:00
|
|
|
provider, err := NewOpenIDConnectProvider(nil, nil)
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
assert.Nil(t, provider.Fosite)
|
|
|
|
assert.Nil(t, provider.Store)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_BadIssuerKey(t *testing.T) {
|
|
|
|
_, err := NewOpenIDConnectProvider(&schema.OpenIDConnectConfiguration{
|
|
|
|
IssuerPrivateKey: "BAD KEY",
|
2022-04-07 05:33:53 +00:00
|
|
|
}, nil)
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
assert.Error(t, err, "abc")
|
|
|
|
}
|
|
|
|
|
2022-04-07 06:13:01 +00:00
|
|
|
func TestNewOpenIDConnectProvider_ShouldEnableOptionalDiscoveryValues(t *testing.T) {
|
|
|
|
provider, err := NewOpenIDConnectProvider(&schema.OpenIDConnectConfiguration{
|
|
|
|
IssuerPrivateKey: exampleIssuerPrivateKey,
|
|
|
|
EnablePKCEPlainChallenge: true,
|
|
|
|
HMACSecret: "asbdhaaskmdlkamdklasmdlkams",
|
|
|
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
|
|
|
{
|
|
|
|
ID: "a-client",
|
|
|
|
Secret: "a-client-secret",
|
|
|
|
SectorIdentifier: url.URL{Host: "google.com"},
|
|
|
|
Policy: "one_factor",
|
|
|
|
RedirectURIs: []string{
|
|
|
|
"https://google.com",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}, nil)
|
|
|
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
assert.True(t, provider.Pairwise())
|
|
|
|
|
|
|
|
disco := provider.GetOpenIDConnectWellKnownConfiguration("https://example.com")
|
|
|
|
|
|
|
|
assert.Len(t, disco.SubjectTypesSupported, 2)
|
|
|
|
assert.Contains(t, disco.SubjectTypesSupported, "public")
|
|
|
|
assert.Contains(t, disco.SubjectTypesSupported, "pairwise")
|
|
|
|
|
|
|
|
assert.Len(t, disco.CodeChallengeMethodsSupported, 2)
|
|
|
|
assert.Contains(t, disco.CodeChallengeMethodsSupported, "S256")
|
|
|
|
assert.Contains(t, disco.CodeChallengeMethodsSupported, "S256")
|
|
|
|
}
|
|
|
|
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GoodConfiguration(t *testing.T) {
|
|
|
|
provider, err := NewOpenIDConnectProvider(&schema.OpenIDConnectConfiguration{
|
2021-05-04 22:06:05 +00:00
|
|
|
IssuerPrivateKey: exampleIssuerPrivateKey,
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
HMACSecret: "asbdhaaskmdlkamdklasmdlkams",
|
|
|
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
|
|
|
{
|
|
|
|
ID: "a-client",
|
|
|
|
Secret: "a-client-secret",
|
|
|
|
Policy: "one_factor",
|
|
|
|
RedirectURIs: []string{
|
|
|
|
"https://google.com",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
ID: "b-client",
|
|
|
|
Description: "Normal Description",
|
|
|
|
Secret: "b-client-secret",
|
|
|
|
Policy: "two_factor",
|
|
|
|
RedirectURIs: []string{
|
|
|
|
"https://google.com",
|
|
|
|
},
|
|
|
|
Scopes: []string{
|
|
|
|
"groups",
|
|
|
|
},
|
|
|
|
GrantTypes: []string{
|
|
|
|
"refresh_token",
|
|
|
|
},
|
|
|
|
ResponseTypes: []string{
|
|
|
|
"token",
|
|
|
|
"code",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2022-04-07 05:33:53 +00:00
|
|
|
}, nil)
|
2021-05-04 22:06:05 +00:00
|
|
|
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
assert.NotNil(t, provider)
|
2021-05-04 22:06:05 +00:00
|
|
|
assert.NoError(t, err)
|
|
|
|
}
|
2022-03-04 03:09:27 +00:00
|
|
|
|
|
|
|
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOpenIDConnectWellKnownConfiguration(t *testing.T) {
|
|
|
|
provider, err := NewOpenIDConnectProvider(&schema.OpenIDConnectConfiguration{
|
|
|
|
IssuerPrivateKey: exampleIssuerPrivateKey,
|
|
|
|
HMACSecret: "asbdhaaskmdlkamdklasmdlkams",
|
|
|
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
|
|
|
{
|
|
|
|
ID: "a-client",
|
|
|
|
Secret: "a-client-secret",
|
|
|
|
Policy: "one_factor",
|
|
|
|
RedirectURIs: []string{
|
|
|
|
"https://google.com",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2022-04-07 05:33:53 +00:00
|
|
|
}, nil)
|
2022-03-04 03:09:27 +00:00
|
|
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
2022-04-07 05:33:53 +00:00
|
|
|
assert.False(t, provider.Pairwise())
|
|
|
|
|
2022-03-04 03:09:27 +00:00
|
|
|
disco := provider.GetOpenIDConnectWellKnownConfiguration("https://example.com")
|
|
|
|
|
|
|
|
assert.Equal(t, "https://example.com", disco.Issuer)
|
2022-04-07 00:58:51 +00:00
|
|
|
assert.Equal(t, "https://example.com/jwks.json", disco.JWKSURI)
|
2022-03-04 03:09:27 +00:00
|
|
|
assert.Equal(t, "https://example.com/api/oidc/authorization", disco.AuthorizationEndpoint)
|
|
|
|
assert.Equal(t, "https://example.com/api/oidc/token", disco.TokenEndpoint)
|
|
|
|
assert.Equal(t, "https://example.com/api/oidc/userinfo", disco.UserinfoEndpoint)
|
|
|
|
assert.Equal(t, "https://example.com/api/oidc/introspection", disco.IntrospectionEndpoint)
|
|
|
|
assert.Equal(t, "https://example.com/api/oidc/revocation", disco.RevocationEndpoint)
|
|
|
|
assert.Equal(t, "", disco.RegistrationEndpoint)
|
|
|
|
|
2022-04-07 05:33:53 +00:00
|
|
|
assert.Len(t, disco.CodeChallengeMethodsSupported, 1)
|
|
|
|
assert.Contains(t, disco.CodeChallengeMethodsSupported, "S256")
|
2022-03-04 03:09:27 +00:00
|
|
|
|
|
|
|
assert.Len(t, disco.ScopesSupported, 5)
|
|
|
|
assert.Contains(t, disco.ScopesSupported, ScopeOpenID)
|
|
|
|
assert.Contains(t, disco.ScopesSupported, ScopeOfflineAccess)
|
|
|
|
assert.Contains(t, disco.ScopesSupported, ScopeProfile)
|
|
|
|
assert.Contains(t, disco.ScopesSupported, ScopeGroups)
|
|
|
|
assert.Contains(t, disco.ScopesSupported, ScopeEmail)
|
|
|
|
|
|
|
|
assert.Len(t, disco.ResponseModesSupported, 3)
|
|
|
|
assert.Contains(t, disco.ResponseModesSupported, "form_post")
|
|
|
|
assert.Contains(t, disco.ResponseModesSupported, "query")
|
|
|
|
assert.Contains(t, disco.ResponseModesSupported, "fragment")
|
|
|
|
|
|
|
|
assert.Len(t, disco.SubjectTypesSupported, 1)
|
|
|
|
assert.Contains(t, disco.SubjectTypesSupported, "public")
|
|
|
|
|
|
|
|
assert.Len(t, disco.ResponseTypesSupported, 8)
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "code")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "id_token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "code token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "code id_token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "token id_token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "code token id_token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "none")
|
|
|
|
|
|
|
|
assert.Len(t, disco.IDTokenSigningAlgValuesSupported, 1)
|
|
|
|
assert.Contains(t, disco.IDTokenSigningAlgValuesSupported, "RS256")
|
|
|
|
|
|
|
|
assert.Len(t, disco.UserinfoSigningAlgValuesSupported, 2)
|
|
|
|
assert.Contains(t, disco.UserinfoSigningAlgValuesSupported, "RS256")
|
|
|
|
assert.Contains(t, disco.UserinfoSigningAlgValuesSupported, "none")
|
|
|
|
|
|
|
|
assert.Len(t, disco.RequestObjectSigningAlgValuesSupported, 2)
|
|
|
|
assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "RS256")
|
|
|
|
assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "none")
|
|
|
|
|
2022-04-08 23:35:13 +00:00
|
|
|
assert.Len(t, disco.ClaimsSupported, 16)
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "amr")
|
2022-03-04 03:09:27 +00:00
|
|
|
assert.Contains(t, disco.ClaimsSupported, "aud")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "exp")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "iat")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "iss")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "jti")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "rat")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "sub")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "auth_time")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "nonce")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimEmail)
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimEmailVerified)
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimEmailAlts)
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimGroups)
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimPreferredUsername)
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimDisplayName)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOAuth2WellKnownConfiguration(t *testing.T) {
|
|
|
|
provider, err := NewOpenIDConnectProvider(&schema.OpenIDConnectConfiguration{
|
|
|
|
IssuerPrivateKey: exampleIssuerPrivateKey,
|
|
|
|
HMACSecret: "asbdhaaskmdlkamdklasmdlkams",
|
|
|
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
|
|
|
{
|
|
|
|
ID: "a-client",
|
|
|
|
Secret: "a-client-secret",
|
|
|
|
Policy: "one_factor",
|
|
|
|
RedirectURIs: []string{
|
|
|
|
"https://google.com",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2022-04-07 05:33:53 +00:00
|
|
|
}, nil)
|
2022-03-04 03:09:27 +00:00
|
|
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
disco := provider.GetOAuth2WellKnownConfiguration("https://example.com")
|
|
|
|
|
|
|
|
assert.Equal(t, "https://example.com", disco.Issuer)
|
2022-04-07 00:58:51 +00:00
|
|
|
assert.Equal(t, "https://example.com/jwks.json", disco.JWKSURI)
|
2022-03-04 03:09:27 +00:00
|
|
|
assert.Equal(t, "https://example.com/api/oidc/authorization", disco.AuthorizationEndpoint)
|
|
|
|
assert.Equal(t, "https://example.com/api/oidc/token", disco.TokenEndpoint)
|
|
|
|
assert.Equal(t, "https://example.com/api/oidc/introspection", disco.IntrospectionEndpoint)
|
|
|
|
assert.Equal(t, "https://example.com/api/oidc/revocation", disco.RevocationEndpoint)
|
|
|
|
assert.Equal(t, "", disco.RegistrationEndpoint)
|
|
|
|
|
|
|
|
require.Len(t, disco.CodeChallengeMethodsSupported, 1)
|
|
|
|
assert.Equal(t, "S256", disco.CodeChallengeMethodsSupported[0])
|
|
|
|
|
|
|
|
assert.Len(t, disco.ScopesSupported, 5)
|
|
|
|
assert.Contains(t, disco.ScopesSupported, ScopeOpenID)
|
|
|
|
assert.Contains(t, disco.ScopesSupported, ScopeOfflineAccess)
|
|
|
|
assert.Contains(t, disco.ScopesSupported, ScopeProfile)
|
|
|
|
assert.Contains(t, disco.ScopesSupported, ScopeGroups)
|
|
|
|
assert.Contains(t, disco.ScopesSupported, ScopeEmail)
|
|
|
|
|
|
|
|
assert.Len(t, disco.ResponseModesSupported, 3)
|
|
|
|
assert.Contains(t, disco.ResponseModesSupported, "form_post")
|
|
|
|
assert.Contains(t, disco.ResponseModesSupported, "query")
|
|
|
|
assert.Contains(t, disco.ResponseModesSupported, "fragment")
|
|
|
|
|
|
|
|
assert.Len(t, disco.SubjectTypesSupported, 1)
|
|
|
|
assert.Contains(t, disco.SubjectTypesSupported, "public")
|
|
|
|
|
|
|
|
assert.Len(t, disco.ResponseTypesSupported, 8)
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "code")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "id_token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "code token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "code id_token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "token id_token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "code token id_token")
|
|
|
|
assert.Contains(t, disco.ResponseTypesSupported, "none")
|
|
|
|
|
2022-04-08 23:35:13 +00:00
|
|
|
assert.Len(t, disco.ClaimsSupported, 16)
|
2022-03-04 03:09:27 +00:00
|
|
|
assert.Contains(t, disco.ClaimsSupported, "aud")
|
2022-04-08 23:35:13 +00:00
|
|
|
assert.Contains(t, disco.ClaimsSupported, "amr")
|
2022-03-04 03:09:27 +00:00
|
|
|
assert.Contains(t, disco.ClaimsSupported, "exp")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "iat")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "iss")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "jti")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "rat")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "sub")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "auth_time")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, "nonce")
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimEmail)
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimEmailVerified)
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimEmailAlts)
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimGroups)
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimPreferredUsername)
|
|
|
|
assert.Contains(t, disco.ClaimsSupported, ClaimDisplayName)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOpenIDConnectWellKnownConfigurationWithPlainPKCE(t *testing.T) {
|
|
|
|
provider, err := NewOpenIDConnectProvider(&schema.OpenIDConnectConfiguration{
|
|
|
|
IssuerPrivateKey: exampleIssuerPrivateKey,
|
|
|
|
HMACSecret: "asbdhaaskmdlkamdklasmdlkams",
|
|
|
|
EnablePKCEPlainChallenge: true,
|
|
|
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
|
|
|
{
|
|
|
|
ID: "a-client",
|
|
|
|
Secret: "a-client-secret",
|
|
|
|
Policy: "one_factor",
|
|
|
|
RedirectURIs: []string{
|
|
|
|
"https://google.com",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2022-04-07 05:33:53 +00:00
|
|
|
}, nil)
|
2022-03-04 03:09:27 +00:00
|
|
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
|
|
|
disco := provider.GetOpenIDConnectWellKnownConfiguration("https://example.com")
|
|
|
|
|
|
|
|
require.Len(t, disco.CodeChallengeMethodsSupported, 2)
|
|
|
|
assert.Equal(t, "S256", disco.CodeChallengeMethodsSupported[0])
|
|
|
|
assert.Equal(t, "plain", disco.CodeChallengeMethodsSupported[1])
|
|
|
|
}
|