2023-04-19 04:27:10 +00:00
package oidc_test
2021-05-04 22:06:05 +00:00
import (
2023-04-11 11:29:02 +00:00
"fmt"
2021-05-04 22:06:05 +00:00
"testing"
2023-04-19 04:24:05 +00:00
"time"
2021-05-04 22:06:05 +00:00
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
"github.com/ory/fosite"
2021-05-04 22:06:05 +00:00
"github.com/stretchr/testify/assert"
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
"github.com/stretchr/testify/require"
2023-04-13 10:58:18 +00:00
"gopkg.in/square/go-jose.v2"
2021-05-04 22:06:05 +00:00
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/authentication"
"github.com/authelia/authelia/v4/internal/authorization"
"github.com/authelia/authelia/v4/internal/configuration/schema"
2022-04-01 11:18:58 +00:00
"github.com/authelia/authelia/v4/internal/model"
2023-04-19 04:27:10 +00:00
"github.com/authelia/authelia/v4/internal/oidc"
2021-05-04 22:06:05 +00:00
)
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
func TestNewClient ( t * testing . T ) {
2023-04-13 10:58:18 +00:00
config := schema . OpenIDConnectClientConfiguration { }
2023-04-19 04:27:10 +00:00
client := oidc . NewClient ( config )
2023-04-13 10:58:18 +00:00
assert . Equal ( t , "" , client . GetID ( ) )
assert . Equal ( t , "" , client . GetDescription ( ) )
assert . Len ( t , client . GetResponseModes ( ) , 0 )
assert . Len ( t , client . GetResponseTypes ( ) , 1 )
assert . Equal ( t , "" , client . GetSectorIdentifier ( ) )
2023-04-19 04:27:10 +00:00
bclient , ok := client . ( * oidc . BaseClient )
2023-04-13 10:58:18 +00:00
require . True ( t , ok )
2023-04-19 04:24:05 +00:00
assert . Equal ( t , "" , bclient . UserinfoSigningAlg )
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . SigningAlgNone , client . GetUserinfoSigningAlg ( ) )
2023-04-13 10:58:18 +00:00
2023-04-19 04:27:10 +00:00
_ , ok = client . ( * oidc . FullClient )
2023-04-13 10:58:18 +00:00
assert . False ( t , ok )
config = schema . OpenIDConnectClientConfiguration {
ID : myclient ,
Description : myclientdesc ,
Policy : twofactor ,
2023-04-19 04:27:10 +00:00
Secret : tOpenIDConnectPlainTextClientSecret ,
2023-04-13 10:58:18 +00:00
RedirectURIs : [ ] string { examplecom } ,
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
Scopes : schema . DefaultOpenIDConnectClientConfiguration . Scopes ,
ResponseTypes : schema . DefaultOpenIDConnectClientConfiguration . ResponseTypes ,
GrantTypes : schema . DefaultOpenIDConnectClientConfiguration . GrantTypes ,
ResponseModes : schema . DefaultOpenIDConnectClientConfiguration . ResponseModes ,
}
2023-04-19 04:27:10 +00:00
client = oidc . NewClient ( config )
2023-04-13 10:58:18 +00:00
assert . Equal ( t , myclient , client . GetID ( ) )
require . Len ( t , client . GetResponseModes ( ) , 1 )
assert . Equal ( t , fosite . ResponseModeFormPost , client . GetResponseModes ( ) [ 0 ] )
assert . Equal ( t , authorization . TwoFactor , client . GetAuthorizationPolicy ( ) )
config = schema . OpenIDConnectClientConfiguration {
2023-04-19 04:27:10 +00:00
TokenEndpointAuthMethod : oidc . ClientAuthMethodClientSecretPost ,
2023-04-13 10:58:18 +00:00
}
2023-04-19 04:27:10 +00:00
client = oidc . NewClient ( config )
2023-04-13 10:58:18 +00:00
2023-04-19 04:27:10 +00:00
fclient , ok := client . ( * oidc . FullClient )
2023-04-13 10:58:18 +00:00
require . True ( t , ok )
2023-04-19 04:24:05 +00:00
assert . Equal ( t , "" , fclient . UserinfoSigningAlg )
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . SigningAlgNone , client . GetUserinfoSigningAlg ( ) )
assert . Equal ( t , oidc . SigningAlgNone , fclient . UserinfoSigningAlg )
2023-04-19 04:24:05 +00:00
assert . Equal ( t , "" , fclient . IDTokenSigningAlg )
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . SigningAlgRSAUsingSHA256 , client . GetIDTokenSigningAlg ( ) )
assert . Equal ( t , oidc . SigningAlgRSAUsingSHA256 , fclient . IDTokenSigningAlg )
2023-04-19 04:24:05 +00:00
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . ClientAuthMethodClientSecretPost , fclient . TokenEndpointAuthMethod )
assert . Equal ( t , oidc . ClientAuthMethodClientSecretPost , fclient . GetTokenEndpointAuthMethod ( ) )
2023-04-19 04:24:05 +00:00
2023-04-13 10:58:18 +00:00
assert . Equal ( t , "" , fclient . TokenEndpointAuthSigningAlgorithm )
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . SigningAlgRSAUsingSHA256 , fclient . GetTokenEndpointAuthSigningAlgorithm ( ) )
assert . Equal ( t , oidc . SigningAlgRSAUsingSHA256 , fclient . TokenEndpointAuthSigningAlgorithm )
2023-04-19 04:24:05 +00:00
2023-04-13 10:58:18 +00:00
assert . Equal ( t , "" , fclient . RequestObjectSigningAlgorithm )
assert . Equal ( t , "" , fclient . GetRequestObjectSigningAlgorithm ( ) )
2023-04-19 04:24:05 +00:00
2023-04-19 04:27:10 +00:00
fclient . RequestObjectSigningAlgorithm = oidc . SigningAlgRSAUsingSHA256
assert . Equal ( t , oidc . SigningAlgRSAUsingSHA256 , fclient . GetRequestObjectSigningAlgorithm ( ) )
2023-04-19 04:24:05 +00:00
2023-04-13 10:58:18 +00:00
assert . Equal ( t , "" , fclient . JSONWebKeysURI )
assert . Equal ( t , "" , fclient . GetJSONWebKeysURI ( ) )
2023-04-19 04:24:05 +00:00
fclient . JSONWebKeysURI = "https://example.com"
assert . Equal ( t , "https://example.com" , fclient . GetJSONWebKeysURI ( ) )
2023-04-19 04:27:10 +00:00
var niljwks * jose . JSONWebKeySet
2023-04-13 10:58:18 +00:00
assert . Equal ( t , niljwks , fclient . JSONWebKeys )
assert . Equal ( t , niljwks , fclient . GetJSONWebKeys ( ) )
2023-04-19 04:24:05 +00:00
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . ClientConsentMode ( 0 ) , fclient . Consent . Mode )
2023-04-19 04:24:05 +00:00
assert . Equal ( t , time . Second * 0 , fclient . Consent . Duration )
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . ClientConsent { Mode : oidc . ClientConsentModeExplicit } , fclient . GetConsentPolicy ( ) )
2023-04-19 04:24:05 +00:00
fclient . TokenEndpointAuthMethod = ""
fclient . Public = false
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . ClientAuthMethodClientSecretBasic , fclient . GetTokenEndpointAuthMethod ( ) )
assert . Equal ( t , oidc . ClientAuthMethodClientSecretBasic , fclient . TokenEndpointAuthMethod )
2023-04-19 04:24:05 +00:00
fclient . TokenEndpointAuthMethod = ""
fclient . Public = true
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . ClientAuthMethodNone , fclient . GetTokenEndpointAuthMethod ( ) )
assert . Equal ( t , oidc . ClientAuthMethodNone , fclient . TokenEndpointAuthMethod )
2023-04-19 04:24:05 +00:00
2023-04-13 10:58:18 +00:00
assert . Equal ( t , [ ] string ( nil ) , fclient . RequestURIs )
assert . Equal ( t , [ ] string ( nil ) , fclient . GetRequestURIs ( ) )
}
func TestBaseClient_ValidatePARPolicy ( t * testing . T ) {
testCases := [ ] struct {
name string
2023-04-19 04:27:10 +00:00
client * oidc . BaseClient
2023-04-13 10:58:18 +00:00
have * fosite . Request
expected string
} {
{
"ShouldNotEnforcePAR" ,
2023-04-19 04:27:10 +00:00
& oidc . BaseClient {
2023-04-13 10:58:18 +00:00
EnforcePAR : false ,
} ,
& fosite . Request { } ,
"" ,
} ,
{
"ShouldEnforcePARAndErrorWithoutCorrectRequestURI" ,
2023-04-19 04:27:10 +00:00
& oidc . BaseClient {
2023-04-13 10:58:18 +00:00
EnforcePAR : true ,
} ,
& fosite . Request {
Form : map [ string ] [ ] string {
2023-04-19 04:27:10 +00:00
oidc . FormParameterRequestURI : { "https://google.com" } ,
2023-04-13 10:58:18 +00:00
} ,
} ,
"invalid_request" ,
} ,
{
"ShouldEnforcePARAndErrorWithEmptyRequestURI" ,
2023-04-19 04:27:10 +00:00
& oidc . BaseClient {
2023-04-13 10:58:18 +00:00
EnforcePAR : true ,
} ,
& fosite . Request {
Form : map [ string ] [ ] string {
2023-04-19 04:27:10 +00:00
oidc . FormParameterRequestURI : { "" } ,
2023-04-13 10:58:18 +00:00
} ,
} ,
"invalid_request" ,
} ,
{
"ShouldEnforcePARAndNotErrorWithCorrectRequestURI" ,
2023-04-19 04:27:10 +00:00
& oidc . BaseClient {
2023-04-13 10:58:18 +00:00
EnforcePAR : true ,
} ,
& fosite . Request {
Form : map [ string ] [ ] string {
2023-04-19 04:27:10 +00:00
oidc . FormParameterRequestURI : { oidc . RedirectURIPrefixPushedAuthorizationRequestURN + "abc" } ,
2023-04-13 10:58:18 +00:00
} ,
} ,
"" ,
} ,
}
for _ , tc := range testCases {
t . Run ( tc . name , func ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
err := tc . client . ValidatePARPolicy ( tc . have , oidc . RedirectURIPrefixPushedAuthorizationRequestURN )
2023-04-13 10:58:18 +00:00
switch tc . expected {
case "" :
assert . NoError ( t , err )
default :
assert . EqualError ( t , err , tc . expected )
}
} )
}
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
}
2021-05-04 22:06:05 +00:00
func TestIsAuthenticationLevelSufficient ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
2021-05-04 22:06:05 +00:00
c . Policy = authorization . Bypass
2022-10-20 02:16:36 +00:00
assert . False ( t , c . IsAuthenticationLevelSufficient ( authentication . NotAuthenticated ) )
2021-05-04 22:06:05 +00:00
assert . True ( t , c . IsAuthenticationLevelSufficient ( authentication . OneFactor ) )
assert . True ( t , c . IsAuthenticationLevelSufficient ( authentication . TwoFactor ) )
c . Policy = authorization . OneFactor
assert . False ( t , c . IsAuthenticationLevelSufficient ( authentication . NotAuthenticated ) )
assert . True ( t , c . IsAuthenticationLevelSufficient ( authentication . OneFactor ) )
assert . True ( t , c . IsAuthenticationLevelSufficient ( authentication . TwoFactor ) )
c . Policy = authorization . TwoFactor
assert . False ( t , c . IsAuthenticationLevelSufficient ( authentication . NotAuthenticated ) )
assert . False ( t , c . IsAuthenticationLevelSufficient ( authentication . OneFactor ) )
assert . True ( t , c . IsAuthenticationLevelSufficient ( authentication . TwoFactor ) )
c . Policy = authorization . Denied
assert . False ( t , c . IsAuthenticationLevelSufficient ( authentication . NotAuthenticated ) )
assert . False ( t , c . IsAuthenticationLevelSufficient ( authentication . OneFactor ) )
assert . False ( t , c . IsAuthenticationLevelSufficient ( authentication . TwoFactor ) )
}
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
2022-10-20 03:21:45 +00:00
func TestClient_GetConsentResponseBody ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
consentRequestBody := c . GetConsentResponseBody ( nil )
assert . Equal ( t , "" , consentRequestBody . ClientID )
assert . Equal ( t , "" , consentRequestBody . ClientDescription )
2022-02-07 14:18:16 +00:00
assert . Equal ( t , [ ] string ( nil ) , consentRequestBody . Scopes )
assert . Equal ( t , [ ] string ( nil ) , consentRequestBody . Audience )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
2023-04-13 10:58:18 +00:00
c . ID = myclient
c . Description = myclientdesc
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
2022-04-07 05:33:53 +00:00
consent := & model . OAuth2ConsentSession {
2023-04-13 10:58:18 +00:00
RequestedAudience : [ ] string { examplecom } ,
2023-04-19 04:27:10 +00:00
RequestedScopes : [ ] string { oidc . ScopeOpenID , oidc . ScopeGroups } ,
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
}
2022-02-07 14:18:16 +00:00
2023-04-19 04:27:10 +00:00
expectedScopes := [ ] string { oidc . ScopeOpenID , oidc . ScopeGroups }
2023-04-13 10:58:18 +00:00
expectedAudiences := [ ] string { examplecom }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
2022-04-07 05:33:53 +00:00
consentRequestBody = c . GetConsentResponseBody ( consent )
2023-04-13 10:58:18 +00:00
assert . Equal ( t , myclient , consentRequestBody . ClientID )
assert . Equal ( t , myclientdesc , consentRequestBody . ClientDescription )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
assert . Equal ( t , expectedScopes , consentRequestBody . Scopes )
assert . Equal ( t , expectedAudiences , consentRequestBody . Audience )
}
2022-10-20 03:21:45 +00:00
func TestClient_GetAudience ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
audience := c . GetAudience ( )
assert . Len ( t , audience , 0 )
2023-04-13 10:58:18 +00:00
c . Audience = [ ] string { examplecom }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
audience = c . GetAudience ( )
require . Len ( t , audience , 1 )
2023-04-13 10:58:18 +00:00
assert . Equal ( t , examplecom , audience [ 0 ] )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
}
2022-10-20 03:21:45 +00:00
func TestClient_GetScopes ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
scopes := c . GetScopes ( )
assert . Len ( t , scopes , 0 )
2023-04-19 04:27:10 +00:00
c . Scopes = [ ] string { oidc . ScopeOpenID }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
scopes = c . GetScopes ( )
require . Len ( t , scopes , 1 )
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . ScopeOpenID , scopes [ 0 ] )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
}
2022-10-20 03:21:45 +00:00
func TestClient_GetGrantTypes ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
grantTypes := c . GetGrantTypes ( )
require . Len ( t , grantTypes , 1 )
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . GrantTypeAuthorizationCode , grantTypes [ 0 ] )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
c . GrantTypes = [ ] string { "device_code" }
grantTypes = c . GetGrantTypes ( )
require . Len ( t , grantTypes , 1 )
assert . Equal ( t , "device_code" , grantTypes [ 0 ] )
}
2022-10-20 03:21:45 +00:00
func TestClient_Hashing ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
hashedSecret := c . GetHashedSecret ( )
assert . Equal ( t , [ ] byte ( nil ) , hashedSecret )
2023-04-19 04:27:10 +00:00
c . Secret = tOpenIDConnectPlainTextClientSecret
2022-10-20 03:21:45 +00:00
2023-04-19 04:27:10 +00:00
assert . True ( t , c . Secret . MatchBytes ( [ ] byte ( "client-secret" ) ) )
2022-10-20 03:21:45 +00:00
}
func TestClient_GetHashedSecret ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
2022-10-20 03:21:45 +00:00
hashedSecret := c . GetHashedSecret ( )
assert . Equal ( t , [ ] byte ( nil ) , hashedSecret )
2023-04-19 04:27:10 +00:00
c . Secret = tOpenIDConnectPlainTextClientSecret
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
hashedSecret = c . GetHashedSecret ( )
2023-04-19 04:27:10 +00:00
assert . Equal ( t , [ ] byte ( "$plaintext$client-secret" ) , hashedSecret )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
}
2022-10-20 03:21:45 +00:00
func TestClient_GetID ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
id := c . GetID ( )
assert . Equal ( t , "" , id )
2023-04-13 10:58:18 +00:00
c . ID = myclient
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
id = c . GetID ( )
2023-04-13 10:58:18 +00:00
assert . Equal ( t , myclient , id )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
}
2022-10-20 03:21:45 +00:00
func TestClient_GetRedirectURIs ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
redirectURIs := c . GetRedirectURIs ( )
require . Len ( t , redirectURIs , 0 )
2023-04-13 10:58:18 +00:00
c . RedirectURIs = [ ] string { examplecom }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
redirectURIs = c . GetRedirectURIs ( )
require . Len ( t , redirectURIs , 1 )
2023-04-13 10:58:18 +00:00
assert . Equal ( t , examplecom , redirectURIs [ 0 ] )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
}
2022-10-20 03:21:45 +00:00
func TestClient_GetResponseModes ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
responseModes := c . GetResponseModes ( )
require . Len ( t , responseModes , 0 )
c . ResponseModes = [ ] fosite . ResponseModeType {
fosite . ResponseModeDefault , fosite . ResponseModeFormPost ,
fosite . ResponseModeQuery , fosite . ResponseModeFragment ,
}
responseModes = c . GetResponseModes ( )
require . Len ( t , responseModes , 4 )
assert . Equal ( t , fosite . ResponseModeDefault , responseModes [ 0 ] )
assert . Equal ( t , fosite . ResponseModeFormPost , responseModes [ 1 ] )
assert . Equal ( t , fosite . ResponseModeQuery , responseModes [ 2 ] )
assert . Equal ( t , fosite . ResponseModeFragment , responseModes [ 3 ] )
}
2022-10-20 03:21:45 +00:00
func TestClient_GetResponseTypes ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
responseTypes := c . GetResponseTypes ( )
require . Len ( t , responseTypes , 1 )
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . ResponseTypeAuthorizationCodeFlow , responseTypes [ 0 ] )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
2023-04-19 04:27:10 +00:00
c . ResponseTypes = [ ] string { oidc . ResponseTypeAuthorizationCodeFlow , oidc . ResponseTypeImplicitFlowIDToken }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
responseTypes = c . GetResponseTypes ( )
require . Len ( t , responseTypes , 2 )
2023-04-19 04:27:10 +00:00
assert . Equal ( t , oidc . ResponseTypeAuthorizationCodeFlow , responseTypes [ 0 ] )
assert . Equal ( t , oidc . ResponseTypeImplicitFlowIDToken , responseTypes [ 1 ] )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
}
2023-01-03 15:03:23 +00:00
func TestNewClientPKCE ( t * testing . T ) {
testCases := [ ] struct {
name string
have schema . OpenIDConnectClientConfiguration
expectedEnforcePKCE bool
expectedEnforcePKCEChallengeMethod bool
expected string
2023-03-06 03:58:50 +00:00
r * fosite . Request
2023-01-03 15:03:23 +00:00
err string
2023-04-11 11:29:02 +00:00
desc string
2023-01-03 15:03:23 +00:00
} {
{
"ShouldNotEnforcePKCEAndNotErrorOnNonPKCERequest" ,
schema . OpenIDConnectClientConfiguration { } ,
false ,
false ,
"" ,
& fosite . Request { } ,
"" ,
2023-04-11 11:29:02 +00:00
"" ,
2023-01-03 15:03:23 +00:00
} ,
{
"ShouldEnforcePKCEAndErrorOnNonPKCERequest" ,
schema . OpenIDConnectClientConfiguration { EnforcePKCE : true } ,
true ,
false ,
"" ,
& fosite . Request { } ,
"invalid_request" ,
2023-04-11 11:29:02 +00:00
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must include a code_challenge when performing the authorize code flow, but it is missing. The server is configured in a way that enforces PKCE for this client." ,
2023-01-03 15:03:23 +00:00
} ,
{
"ShouldEnforcePKCEAndNotErrorOnPKCERequest" ,
schema . OpenIDConnectClientConfiguration { EnforcePKCE : true } ,
true ,
false ,
"" ,
& fosite . Request { Form : map [ string ] [ ] string { "code_challenge" : { "abc" } } } ,
"" ,
2023-04-11 11:29:02 +00:00
"" ,
2023-01-03 15:03:23 +00:00
} ,
{ "ShouldEnforcePKCEFromChallengeMethodAndErrorOnNonPKCERequest" ,
schema . OpenIDConnectClientConfiguration { PKCEChallengeMethod : "S256" } ,
true ,
true ,
"S256" ,
& fosite . Request { } ,
"invalid_request" ,
2023-04-11 11:29:02 +00:00
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must include a code_challenge when performing the authorize code flow, but it is missing. The server is configured in a way that enforces PKCE for this client." ,
2023-01-03 15:03:23 +00:00
} ,
{ "ShouldEnforcePKCEFromChallengeMethodAndErrorOnInvalidChallengeMethod" ,
schema . OpenIDConnectClientConfiguration { PKCEChallengeMethod : "S256" } ,
true ,
true ,
"S256" ,
& fosite . Request { Form : map [ string ] [ ] string { "code_challenge" : { "abc" } } } ,
"invalid_request" ,
2023-04-11 11:29:02 +00:00
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client must use code_challenge_method=S256, is not allowed. The server is configured in a way that enforces PKCE S256 as challenge method for this client." ,
2023-01-03 15:03:23 +00:00
} ,
{ "ShouldEnforcePKCEFromChallengeMethodAndNotErrorOnValidRequest" ,
schema . OpenIDConnectClientConfiguration { PKCEChallengeMethod : "S256" } ,
true ,
true ,
"S256" ,
& fosite . Request { Form : map [ string ] [ ] string { "code_challenge" : { "abc" } , "code_challenge_method" : { "S256" } } } ,
"" ,
2023-04-11 11:29:02 +00:00
"" ,
2023-01-03 15:03:23 +00:00
} ,
}
for _ , tc := range testCases {
t . Run ( tc . name , func ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
client := oidc . NewClient ( tc . have )
2023-01-03 15:03:23 +00:00
2023-04-13 10:58:18 +00:00
assert . Equal ( t , tc . expectedEnforcePKCE , client . GetPKCEEnforcement ( ) )
assert . Equal ( t , tc . expectedEnforcePKCEChallengeMethod , client . GetPKCEChallengeMethodEnforcement ( ) )
assert . Equal ( t , tc . expected , client . GetPKCEChallengeMethod ( ) )
2023-01-03 15:03:23 +00:00
2023-03-06 03:58:50 +00:00
if tc . r != nil {
err := client . ValidatePKCEPolicy ( tc . r )
2023-01-03 15:03:23 +00:00
if tc . err != "" {
2023-04-11 11:29:02 +00:00
require . NotNil ( t , err )
assert . EqualError ( t , err , tc . err )
assert . Equal ( t , tc . desc , fosite . ErrorToRFC6749Error ( err ) . WithExposeDebug ( true ) . GetDescription ( ) )
} else {
assert . NoError ( t , err )
}
}
} )
}
}
func TestNewClientPAR ( t * testing . T ) {
testCases := [ ] struct {
name string
have schema . OpenIDConnectClientConfiguration
expected bool
r * fosite . Request
err string
desc string
} {
{
"ShouldNotEnforcEPARAndNotErrorOnNonPARRequest" ,
schema . OpenIDConnectClientConfiguration { } ,
false ,
& fosite . Request { } ,
"" ,
"" ,
} ,
{
"ShouldEnforcePARAndErrorOnNonPARRequest" ,
schema . OpenIDConnectClientConfiguration { EnforcePAR : true } ,
true ,
& fosite . Request { } ,
"invalid_request" ,
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Pushed Authorization Requests are enforced for this client but no such request was sent. The request_uri parameter was empty." ,
} ,
{
"ShouldEnforcePARAndErrorOnNonPARRequest" ,
schema . OpenIDConnectClientConfiguration { EnforcePAR : true } ,
true ,
2023-04-19 04:27:10 +00:00
& fosite . Request { Form : map [ string ] [ ] string { oidc . FormParameterRequestURI : { "https://example.com" } } } ,
2023-04-11 11:29:02 +00:00
"invalid_request" ,
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Pushed Authorization Requests are enforced for this client but no such request was sent. The request_uri parameter 'https://example.com' is malformed." } ,
{
"ShouldEnforcePARAndNotErrorOnPARRequest" ,
schema . OpenIDConnectClientConfiguration { EnforcePAR : true } ,
true ,
2023-04-19 04:27:10 +00:00
& fosite . Request { Form : map [ string ] [ ] string { oidc . FormParameterRequestURI : { fmt . Sprintf ( "%sabc" , oidc . RedirectURIPrefixPushedAuthorizationRequestURN ) } } } ,
2023-04-11 11:29:02 +00:00
"" ,
"" ,
} ,
}
for _ , tc := range testCases {
t . Run ( tc . name , func ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
client := oidc . NewClient ( tc . have )
2023-04-11 11:29:02 +00:00
2023-04-13 10:58:18 +00:00
assert . Equal ( t , tc . expected , client . GetPAREnforcement ( ) )
2023-04-11 11:29:02 +00:00
if tc . r != nil {
2023-04-19 04:27:10 +00:00
err := client . ValidatePARPolicy ( tc . r , oidc . RedirectURIPrefixPushedAuthorizationRequestURN )
2023-04-11 11:29:02 +00:00
if tc . err != "" {
require . NotNil ( t , err )
assert . EqualError ( t , err , tc . err )
assert . Equal ( t , tc . desc , fosite . ErrorToRFC6749Error ( err ) . WithExposeDebug ( true ) . GetDescription ( ) )
} else {
assert . NoError ( t , err )
}
}
} )
}
}
func TestNewClientResponseModes ( t * testing . T ) {
testCases := [ ] struct {
name string
have schema . OpenIDConnectClientConfiguration
expected [ ] fosite . ResponseModeType
r * fosite . AuthorizeRequest
err string
desc string
} {
{
"ShouldEnforceResponseModePolicyAndAllowDefaultModeQuery" ,
2023-04-19 04:27:10 +00:00
schema . OpenIDConnectClientConfiguration { ResponseModes : [ ] string { oidc . ResponseModeQuery } } ,
2023-04-11 11:29:02 +00:00
[ ] fosite . ResponseModeType { fosite . ResponseModeQuery } ,
2023-04-19 04:27:10 +00:00
& fosite . AuthorizeRequest { DefaultResponseMode : fosite . ResponseModeQuery , ResponseMode : fosite . ResponseModeDefault , Request : fosite . Request { Form : map [ string ] [ ] string { oidc . FormParameterResponseMode : nil } } } ,
2023-04-11 11:29:02 +00:00
"" ,
"" ,
} ,
{
"ShouldEnforceResponseModePolicyAndFailOnDefaultMode" ,
2023-04-19 04:27:10 +00:00
schema . OpenIDConnectClientConfiguration { ResponseModes : [ ] string { oidc . ResponseModeFormPost } } ,
2023-04-11 11:29:02 +00:00
[ ] fosite . ResponseModeType { fosite . ResponseModeFormPost } ,
2023-04-19 04:27:10 +00:00
& fosite . AuthorizeRequest { DefaultResponseMode : fosite . ResponseModeQuery , ResponseMode : fosite . ResponseModeDefault , Request : fosite . Request { Form : map [ string ] [ ] string { oidc . FormParameterResponseMode : nil } } } ,
2023-04-11 11:29:02 +00:00
"unsupported_response_mode" ,
"The authorization server does not support obtaining a response using this response mode. The request omitted the response_mode making the default response_mode 'query' based on the other authorization request parameters but registered OAuth 2.0 client doesn't support this response_mode" ,
} ,
{
"ShouldNotEnforceConfiguredResponseMode" ,
2023-04-19 04:27:10 +00:00
schema . OpenIDConnectClientConfiguration { ResponseModes : [ ] string { oidc . ResponseModeFormPost } } ,
2023-04-11 11:29:02 +00:00
[ ] fosite . ResponseModeType { fosite . ResponseModeFormPost } ,
2023-04-19 04:27:10 +00:00
& fosite . AuthorizeRequest { DefaultResponseMode : fosite . ResponseModeQuery , ResponseMode : fosite . ResponseModeQuery , Request : fosite . Request { Form : map [ string ] [ ] string { oidc . FormParameterResponseMode : { oidc . ResponseModeQuery } } } } ,
2023-04-11 11:29:02 +00:00
"" ,
"" ,
} ,
{
"ShouldNotEnforceUnconfiguredResponseMode" ,
schema . OpenIDConnectClientConfiguration { ResponseModes : [ ] string { } } ,
[ ] fosite . ResponseModeType { } ,
2023-04-19 04:27:10 +00:00
& fosite . AuthorizeRequest { DefaultResponseMode : fosite . ResponseModeQuery , ResponseMode : fosite . ResponseModeDefault , Request : fosite . Request { Form : map [ string ] [ ] string { oidc . FormParameterResponseMode : { oidc . ResponseModeQuery } } } } ,
2023-04-11 11:29:02 +00:00
"" ,
"" ,
} ,
}
for _ , tc := range testCases {
t . Run ( tc . name , func ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
client := oidc . NewClient ( tc . have )
2023-04-11 11:29:02 +00:00
assert . Equal ( t , tc . expected , client . GetResponseModes ( ) )
if tc . r != nil {
err := client . ValidateResponseModePolicy ( tc . r )
if tc . err != "" {
require . NotNil ( t , err )
2023-01-03 15:03:23 +00:00
assert . EqualError ( t , err , tc . err )
2023-04-11 11:29:02 +00:00
assert . Equal ( t , tc . desc , fosite . ErrorToRFC6749Error ( err ) . WithExposeDebug ( true ) . GetDescription ( ) )
2023-01-03 15:03:23 +00:00
} else {
assert . NoError ( t , err )
}
}
} )
}
}
2022-10-20 03:21:45 +00:00
func TestClient_IsPublic ( t * testing . T ) {
2023-04-19 04:27:10 +00:00
c := & oidc . FullClient { BaseClient : & oidc . BaseClient { } }
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
assert . False ( t , c . IsPublic ( ) )
c . Public = true
assert . True ( t , c . IsPublic ( ) )
}
2023-04-19 04:27:10 +00:00
func TestNewClient_JSONWebKeySetURI ( t * testing . T ) {
var (
client oidc . Client
clientf * oidc . FullClient
ok bool
)
client = oidc . NewClient ( schema . OpenIDConnectClientConfiguration {
TokenEndpointAuthMethod : oidc . ClientAuthMethodClientSecretPost ,
PublicKeys : schema . OpenIDConnectClientPublicKeys {
URI : MustParseRequestURI ( "https://google.com" ) ,
} ,
} )
require . NotNil ( t , client )
clientf , ok = client . ( * oidc . FullClient )
require . True ( t , ok )
assert . Equal ( t , "https://google.com" , clientf . GetJSONWebKeysURI ( ) )
client = oidc . NewClient ( schema . OpenIDConnectClientConfiguration {
TokenEndpointAuthMethod : oidc . ClientAuthMethodClientSecretPost ,
PublicKeys : schema . OpenIDConnectClientPublicKeys {
URI : nil ,
} ,
} )
require . NotNil ( t , client )
clientf , ok = client . ( * oidc . FullClient )
require . True ( t , ok )
assert . Equal ( t , "" , clientf . GetJSONWebKeysURI ( ) )
}