2023-05-15 00:32:10 +00:00
|
|
|
package oidc_test
|
2021-05-04 22:06:05 +00:00
|
|
|
|
|
|
|
import (
|
2022-04-07 06:13:01 +00:00
|
|
|
"net/url"
|
2021-05-04 22:06:05 +00:00
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
2022-03-04 03:09:27 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2021-05-04 22:06:05 +00:00
|
|
|
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
2023-05-15 00:32:10 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/oidc"
|
2021-05-04 22:06:05 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_NotConfigured(t *testing.T) {
|
2023-05-15 00:32:10 +00:00
|
|
|
provider := oidc.NewOpenIDConnectProvider(nil, nil, nil)
|
2021-05-04 22:06:05 +00:00
|
|
|
|
2022-10-20 02:16:36 +00:00
|
|
|
assert.Nil(t, provider)
|
2021-05-04 22:06:05 +00:00
|
|
|
}
|
|
|
|
|
2022-04-07 06:13:01 +00:00
|
|
|
func TestNewOpenIDConnectProvider_ShouldEnableOptionalDiscoveryValues(t *testing.T) {
|
2023-01-26 02:23:47 +00:00
|
|
|
provider := oidc.NewOpenIDConnectProvider(&schema.IdentityProvidersOpenIDConnect{
|
2022-10-02 02:07:40 +00:00
|
|
|
IssuerCertificateChain: schema.X509CertificateChain{},
|
2023-05-15 00:03:19 +00:00
|
|
|
IssuerPrivateKey: keyRSA2048,
|
2022-04-07 06:13:01 +00:00
|
|
|
EnablePKCEPlainChallenge: true,
|
2023-04-13 10:58:18 +00:00
|
|
|
HMACSecret: badhmac,
|
2023-01-26 02:23:47 +00:00
|
|
|
Clients: []schema.IdentityProvidersOpenIDConnectClient{
|
2022-04-07 06:13:01 +00:00
|
|
|
{
|
2023-04-13 10:58:18 +00:00
|
|
|
ID: myclient,
|
2023-05-15 00:32:10 +00:00
|
|
|
Secret: tOpenIDConnectPlainTextClientSecret,
|
2023-04-13 10:58:18 +00:00
|
|
|
SectorIdentifier: url.URL{Host: examplecomsid},
|
|
|
|
Policy: onefactor,
|
2022-04-07 06:13:01 +00:00
|
|
|
RedirectURIs: []string{
|
2023-04-13 10:58:18 +00:00
|
|
|
examplecom,
|
2022-04-07 06:13:01 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2023-01-07 20:04:06 +00:00
|
|
|
}, nil, nil)
|
2022-04-07 06:13:01 +00:00
|
|
|
|
2023-05-15 00:03:19 +00:00
|
|
|
require.NotNil(t, provider)
|
2022-04-07 06:13:01 +00:00
|
|
|
|
2023-04-13 10:58:18 +00:00
|
|
|
disco := provider.GetOpenIDConnectWellKnownConfiguration(examplecom)
|
2022-04-07 06:13:01 +00:00
|
|
|
|
|
|
|
assert.Len(t, disco.SubjectTypesSupported, 2)
|
2023-05-15 00:32:10 +00:00
|
|
|
assert.Contains(t, disco.SubjectTypesSupported, oidc.SubjectTypePublic)
|
|
|
|
assert.Contains(t, disco.SubjectTypesSupported, oidc.SubjectTypePairwise)
|
2022-04-07 06:13:01 +00:00
|
|
|
|
|
|
|
assert.Len(t, disco.CodeChallengeMethodsSupported, 2)
|
2023-05-15 00:32:10 +00:00
|
|
|
assert.Contains(t, disco.CodeChallengeMethodsSupported, oidc.PKCEChallengeMethodSHA256)
|
|
|
|
assert.Contains(t, disco.CodeChallengeMethodsSupported, oidc.PKCEChallengeMethodSHA256)
|
2022-04-07 06:13:01 +00:00
|
|
|
}
|
|
|
|
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GoodConfiguration(t *testing.T) {
|
2023-01-26 02:23:47 +00:00
|
|
|
provider := oidc.NewOpenIDConnectProvider(&schema.IdentityProvidersOpenIDConnect{
|
2022-10-02 02:07:40 +00:00
|
|
|
IssuerCertificateChain: schema.X509CertificateChain{},
|
2023-05-15 00:03:19 +00:00
|
|
|
IssuerPrivateKey: keyRSA2048,
|
2023-04-13 10:58:18 +00:00
|
|
|
HMACSecret: badhmac,
|
2023-01-26 02:23:47 +00:00
|
|
|
Clients: []schema.IdentityProvidersOpenIDConnectClient{
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
{
|
|
|
|
ID: "a-client",
|
2023-05-15 00:32:10 +00:00
|
|
|
Secret: tOpenIDConnectPlainTextClientSecret,
|
2023-04-13 10:58:18 +00:00
|
|
|
Policy: onefactor,
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
RedirectURIs: []string{
|
|
|
|
"https://google.com",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
ID: "b-client",
|
|
|
|
Description: "Normal Description",
|
2023-05-15 00:32:10 +00:00
|
|
|
Secret: tOpenIDConnectPlainTextClientSecret,
|
2023-04-13 10:58:18 +00:00
|
|
|
Policy: twofactor,
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
RedirectURIs: []string{
|
|
|
|
"https://google.com",
|
|
|
|
},
|
|
|
|
Scopes: []string{
|
2023-05-15 00:32:10 +00:00
|
|
|
oidc.ScopeGroups,
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
},
|
|
|
|
GrantTypes: []string{
|
2023-05-15 00:32:10 +00:00
|
|
|
oidc.GrantTypeRefreshToken,
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
},
|
|
|
|
ResponseTypes: []string{
|
|
|
|
"token",
|
|
|
|
"code",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
2023-01-07 20:04:06 +00:00
|
|
|
}, nil, nil)
|
2021-05-04 22:06:05 +00:00
|
|
|
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
|
|
|
assert.NotNil(t, provider)
|
2021-05-04 22:06:05 +00:00
|
|
|
}
|