2022-04-07 05:33:53 +00:00
|
|
|
package oidc
|
|
|
|
|
|
|
|
import (
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
2023-03-06 03:58:50 +00:00
|
|
|
|
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
2022-04-07 05:33:53 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestNewOpenIDConnectWellKnownConfiguration(t *testing.T) {
|
|
|
|
testCases := []struct {
|
2022-10-20 02:16:36 +00:00
|
|
|
desc string
|
|
|
|
pkcePlainChallenge bool
|
2023-03-06 03:58:50 +00:00
|
|
|
enforcePAR bool
|
2023-04-13 10:58:18 +00:00
|
|
|
clients map[string]Client
|
2023-04-19 04:24:05 +00:00
|
|
|
discovery schema.OpenIDConnectDiscovery
|
2022-10-20 02:16:36 +00:00
|
|
|
|
2023-04-19 04:24:05 +00:00
|
|
|
expectCodeChallengeMethodsSupported, expectSubjectTypesSupported, expectedIDTokenSigAlgsSupported, expectedUserInfoSigAlgsSupported []string
|
2022-04-07 05:33:53 +00:00
|
|
|
}{
|
|
|
|
{
|
|
|
|
desc: "ShouldHaveChallengeMethodsS256ANDSubjectTypesSupportedPublic",
|
|
|
|
pkcePlainChallenge: false,
|
2023-04-13 10:58:18 +00:00
|
|
|
clients: map[string]Client{"a": &BaseClient{}},
|
2022-10-20 02:16:36 +00:00
|
|
|
expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},
|
2023-04-13 10:58:18 +00:00
|
|
|
expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},
|
2023-04-19 04:24:05 +00:00
|
|
|
expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},
|
|
|
|
expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "ShouldIncludDiscoveryInfo",
|
|
|
|
pkcePlainChallenge: false,
|
|
|
|
clients: map[string]Client{"a": &BaseClient{}},
|
|
|
|
discovery: schema.OpenIDConnectDiscovery{
|
|
|
|
RegisteredJWKSigningAlgs: []string{SigningAlgECDSAUsingP521AndSHA512},
|
|
|
|
},
|
|
|
|
expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},
|
|
|
|
expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},
|
|
|
|
expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgECDSAUsingP521AndSHA512},
|
|
|
|
expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgECDSAUsingP521AndSHA512, SigningAlgNone},
|
2022-04-07 05:33:53 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "ShouldHaveChallengeMethodsS256PlainANDSubjectTypesSupportedPublic",
|
|
|
|
pkcePlainChallenge: true,
|
2023-04-13 10:58:18 +00:00
|
|
|
clients: map[string]Client{"a": &BaseClient{}},
|
2022-10-20 02:16:36 +00:00
|
|
|
expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
|
2023-04-13 10:58:18 +00:00
|
|
|
expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},
|
2023-04-19 04:24:05 +00:00
|
|
|
expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},
|
|
|
|
expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
|
2022-04-07 05:33:53 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "ShouldHaveChallengeMethodsS256ANDSubjectTypesSupportedPublicPairwise",
|
|
|
|
pkcePlainChallenge: false,
|
2023-04-13 10:58:18 +00:00
|
|
|
clients: map[string]Client{"a": &BaseClient{SectorIdentifier: "yes"}},
|
2022-10-20 02:16:36 +00:00
|
|
|
expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},
|
|
|
|
expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},
|
2023-04-19 04:24:05 +00:00
|
|
|
expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},
|
|
|
|
expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
|
2022-04-07 05:33:53 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "ShouldHaveChallengeMethodsS256PlainANDSubjectTypesSupportedPublicPairwise",
|
|
|
|
pkcePlainChallenge: true,
|
2023-04-13 10:58:18 +00:00
|
|
|
clients: map[string]Client{"a": &BaseClient{SectorIdentifier: "yes"}},
|
2022-10-20 02:16:36 +00:00
|
|
|
expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
|
|
|
|
expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},
|
2023-04-19 04:24:05 +00:00
|
|
|
expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},
|
|
|
|
expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
|
2022-10-20 02:16:36 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "ShouldHaveTokenAuthMethodsNone",
|
|
|
|
pkcePlainChallenge: true,
|
2023-04-13 10:58:18 +00:00
|
|
|
clients: map[string]Client{"a": &BaseClient{SectorIdentifier: "yes"}},
|
2022-10-20 02:16:36 +00:00
|
|
|
expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
|
|
|
|
expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},
|
2023-04-19 04:24:05 +00:00
|
|
|
expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},
|
|
|
|
expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "ShouldHaveTokenAuthMethodsNone",
|
|
|
|
pkcePlainChallenge: true,
|
|
|
|
clients: map[string]Client{
|
|
|
|
"a": &BaseClient{SectorIdentifier: "yes"},
|
|
|
|
"b": &BaseClient{SectorIdentifier: "yes"},
|
|
|
|
},
|
|
|
|
expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
|
|
|
|
expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},
|
|
|
|
expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},
|
|
|
|
expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
|
2022-10-20 02:16:36 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
desc: "ShouldHaveTokenAuthMethodsNone",
|
|
|
|
pkcePlainChallenge: true,
|
2023-04-13 10:58:18 +00:00
|
|
|
clients: map[string]Client{
|
|
|
|
"a": &BaseClient{SectorIdentifier: "yes"},
|
|
|
|
"b": &BaseClient{SectorIdentifier: "yes"},
|
2022-10-20 02:16:36 +00:00
|
|
|
},
|
|
|
|
expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
|
|
|
|
expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},
|
2023-04-19 04:24:05 +00:00
|
|
|
expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},
|
|
|
|
expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
|
2022-04-07 05:33:53 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, tc := range testCases {
|
|
|
|
t.Run(tc.desc, func(t *testing.T) {
|
2023-03-06 03:58:50 +00:00
|
|
|
c := schema.OpenIDConnectConfiguration{
|
|
|
|
EnablePKCEPlainChallenge: tc.pkcePlainChallenge,
|
|
|
|
PAR: schema.OpenIDConnectPARConfiguration{
|
|
|
|
Enforce: tc.enforcePAR,
|
|
|
|
},
|
2023-04-19 04:24:05 +00:00
|
|
|
Discovery: tc.discovery,
|
2023-03-06 03:58:50 +00:00
|
|
|
}
|
|
|
|
|
2023-04-13 10:58:18 +00:00
|
|
|
actual := NewOpenIDConnectWellKnownConfiguration(&c)
|
2022-04-07 05:33:53 +00:00
|
|
|
for _, codeChallengeMethod := range tc.expectCodeChallengeMethodsSupported {
|
|
|
|
assert.Contains(t, actual.CodeChallengeMethodsSupported, codeChallengeMethod)
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, subjectType := range tc.expectSubjectTypesSupported {
|
|
|
|
assert.Contains(t, actual.SubjectTypesSupported, subjectType)
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, codeChallengeMethod := range actual.CodeChallengeMethodsSupported {
|
|
|
|
assert.Contains(t, tc.expectCodeChallengeMethodsSupported, codeChallengeMethod)
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, subjectType := range actual.SubjectTypesSupported {
|
|
|
|
assert.Contains(t, tc.expectSubjectTypesSupported, subjectType)
|
|
|
|
}
|
2023-04-19 04:24:05 +00:00
|
|
|
|
|
|
|
assert.Equal(t, tc.expectedUserInfoSigAlgsSupported, actual.UserinfoSigningAlgValuesSupported)
|
|
|
|
assert.Equal(t, tc.expectedIDTokenSigAlgsSupported, actual.IDTokenSigningAlgValuesSupported)
|
2022-04-07 05:33:53 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|