RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/oidc/provider_test.go

314 lines
13 KiB
Go
Raw Normal View History

feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
package oidc
import (
feat(oidc): issuer jwk certificates (#3989) This allows for JWKs to include certificate information, either signed via Global PKI, Enterprise PKI, or self-signed.
2022-10-02 02:07:40 +00:00
"crypto/rsa"
"crypto/x509"
"encoding/pem"
feat(oidc): pairwise subject identifiers (#3116) Allows configuring clients with a sector identifier to allow pairwise subject types.
2022-04-07 06:13:01 +00:00
"net/url"
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
"testing"
"github.com/stretchr/testify/assert"
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
"github.com/stretchr/testify/require"
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/configuration/schema"
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
)
var exampleIssuerPrivateKey = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAvcMVMB2vEbqI6PlSNJ4HmUyMxBDJ5iY7FS+zDDAHOZBg9S3S\nKcAn1CZcnyL0VvJ7wcdhR6oTnOwR94eKvzUyJZ+GL2hTMm27dubEYsNdhoCl6N3X\nyEEohNfoxiiCYraVauX8X3M9jFzbEz9+pacaDbHB2syaJ1qFmMNR+HSu2jPzOo7M\nlqKIOgUzA0741MaYNt47AEVg4XU5ORLdolbAkItmYg1QbyFndg9H5IvwKkYaXTGE\nlgDBcPUC0yVjAC15Mguquq+jZeQay+6PSbHTD8PQMOkLjyChI2xEhVNbdCXe676R\ncMW2R/gjrcK23zmtmTWRfdC1iZLSlHO+bJj9vQIDAQABAoIBAEZvkP/JJOCJwqPn\nV3IcbmmilmV4bdi1vByDFgyiDyx4wOSA24+PubjvfFW9XcCgRPuKjDtTj/AhWBHv\nB7stfa2lZuNV7/u562mZArA+IAr62Zp0LdIxDV8x3T8gbjVB3HhPYbv0RJZDKTYd\nzV6jhfIrVu9mHpoY6ZnodhapCPYIyk/d49KBIHZuAc25CUjMXgTeaVtf0c996036\nUxW6ef33wAOJAvW0RCvbXAJfmBeEq2qQlkjTIlpYx71fhZWexHifi8Ouv3Zonc+1\n/P2Adq5uzYVBT92f9RKHg9QxxNzVrLjSMaxyvUtWQCAQfW0tFIRdqBGsHYsQrFtI\nF4yzv8ECgYEA7ntpyN9HD9Z9lYQzPCR73sFCLM+ID99aVij0wHuxK97bkSyyvkLd\n7MyTaym3lg1UEqWNWBCLvFULZx7F0Ah6qCzD4ymm3Bj/ADpWWPgljBI0AFml+HHs\nhcATmXUrj5QbLyhiP2gmJjajp1o/rgATx6ED66seSynD6JOH8wUhhZUCgYEAy7OA\n06PF8GfseNsTqlDjNF0K7lOqd21S0prdwrsJLiVzUlfMM25MLE0XLDUutCnRheeh\nIlcuDoBsVTxz6rkvFGD74N+pgXlN4CicsBq5ofK060PbqCQhSII3fmHobrZ9Cr75\nHmBjAxHx998SKaAAGbBbcYGUAp521i1pH5CEPYkCgYEAkUd1Zf0+2RMdZhwm6hh/\nrW+l1I6IoMK70YkZsLipccRNld7Y9LbfYwYtODcts6di9AkOVfueZJiaXbONZfIE\nZrb+jkAteh9wGL9xIrnohbABJcV3Kiaco84jInUSmGDtPokncOENfHIEuEpuSJ2b\nbx1TuhmAVuGWivR0+ULC7RECgYEAgS0cDRpWc9Xzh9Cl7+PLsXEvdWNpPsL9OsEq\n0Ep7z9+/+f/jZtoTRCS/BTHUpDvAuwHglT5j3p5iFMt5VuiIiovWLwynGYwrbnNS\nqfrIrYKUaH1n1oDS+oBZYLQGCe9/7EifAjxtjYzbvSyg//SPG7tSwfBCREbpZXj2\nqSWkNsECgYA/mCDzCTlrrWPuiepo6kTmN+4TnFA+hJI6NccDVQ+jvbqEdoJ4SW4L\nzqfZSZRFJMNpSgIqkQNRPJqMP0jQ5KRtJrjMWBnYxktwKz9fDg2R2MxdFgMF2LH2\nHEMMhFHlv8NDjVOXh1KwRoltNGVWYsSrD9wKU9GhRCEfmNCGrvBcEg==\n-----END RSA PRIVATE KEY-----"
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_NotConfigured(t *testing.T) {
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
provider, err := NewOpenIDConnectProvider(nil, nil)
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
assert.NoError(t, err)
assert.Nil(t, provider.Fosite)
assert.Nil(t, provider.Store)
}
feat(oidc): pairwise subject identifiers (#3116) Allows configuring clients with a sector identifier to allow pairwise subject types.
2022-04-07 06:13:01 +00:00
func TestNewOpenIDConnectProvider_ShouldEnableOptionalDiscoveryValues(t *testing.T) {
provider, err := NewOpenIDConnectProvider(&schema.OpenIDConnectConfiguration{
feat(oidc): issuer jwk certificates (#3989) This allows for JWKs to include certificate information, either signed via Global PKI, Enterprise PKI, or self-signed.
2022-10-02 02:07:40 +00:00
IssuerCertificateChain: schema.X509CertificateChain{},
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
feat(oidc): pairwise subject identifiers (#3116) Allows configuring clients with a sector identifier to allow pairwise subject types.
2022-04-07 06:13:01 +00:00
EnablePKCEPlainChallenge: true,
HMACSecret: "asbdhaaskmdlkamdklasmdlkams",
Clients: []schema.OpenIDConnectClientConfiguration{
{
ID: "a-client",
Secret: "a-client-secret",
SectorIdentifier: url.URL{Host: "google.com"},
Policy: "one_factor",
RedirectURIs: []string{
"https://google.com",
},
},
},
}, nil)
assert.NoError(t, err)
assert.True(t, provider.Pairwise())
disco := provider.GetOpenIDConnectWellKnownConfiguration("https://example.com")
assert.Len(t, disco.SubjectTypesSupported, 2)
assert.Contains(t, disco.SubjectTypesSupported, "public")
assert.Contains(t, disco.SubjectTypesSupported, "pairwise")
assert.Len(t, disco.CodeChallengeMethodsSupported, 2)
assert.Contains(t, disco.CodeChallengeMethodsSupported, "S256")
assert.Contains(t, disco.CodeChallengeMethodsSupported, "S256")
}
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GoodConfiguration(t *testing.T) {
provider, err := NewOpenIDConnectProvider(&schema.OpenIDConnectConfiguration{
feat(oidc): issuer jwk certificates (#3989) This allows for JWKs to include certificate information, either signed via Global PKI, Enterprise PKI, or self-signed.
2022-10-02 02:07:40 +00:00
IssuerCertificateChain: schema.X509CertificateChain{},
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
HMACSecret: "asbdhaaskmdlkamdklasmdlkams",
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
Clients: []schema.OpenIDConnectClientConfiguration{
{
ID: "a-client",
Secret: "a-client-secret",
Policy: "one_factor",
RedirectURIs: []string{
"https://google.com",
},
},
{
ID: "b-client",
Description: "Normal Description",
Secret: "b-client-secret",
Policy: "two_factor",
RedirectURIs: []string{
"https://google.com",
},
Scopes: []string{
"groups",
},
GrantTypes: []string{
"refresh_token",
},
ResponseTypes: []string{
"token",
"code",
},
},
},
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}, nil)
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
feat(oidc): add additional config options, accurate token times, and refactoring (#1991) * This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes. * Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately. * Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-03 23:44:30 +00:00
assert.NotNil(t, provider)
feature(oidc): add support for OpenID Connect OpenID connect has become a standard when it comes to authentication and in order to fix a security concern around forwarding authentication and authorization information it has been decided to add support for it. This feature is in beta version and only enabled when there is a configuration for it. Before enabling it in production, please consider that it's in beta with potential bugs and that there are several production critical features still missing such as all OIDC related data is stored in configuration or memory. This means you are potentially going to experience issues with HA deployments, or when restarting a single instance specifically related to OIDC. We are still working on adding the remaining set of features before making it GA as soon as possible. Related to #189 Co-authored-by: Clement Michaud <clement.michaud34@gmail.com>
2021-05-04 22:06:05 +00:00
assert.NoError(t, err)
}
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOpenIDConnectWellKnownConfiguration(t *testing.T) {
provider, err := NewOpenIDConnectProvider(&schema.OpenIDConnectConfiguration{
feat(oidc): issuer jwk certificates (#3989) This allows for JWKs to include certificate information, either signed via Global PKI, Enterprise PKI, or self-signed.
2022-10-02 02:07:40 +00:00
IssuerCertificateChain: schema.X509CertificateChain{},
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
HMACSecret: "asbdhaaskmdlkamdklasmdlkams",
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
Clients: []schema.OpenIDConnectClientConfiguration{
{
ID: "a-client",
Secret: "a-client-secret",
Policy: "one_factor",
RedirectURIs: []string{
"https://google.com",
},
},
},
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}, nil)
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
assert.NoError(t, err)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
assert.False(t, provider.Pairwise())
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
disco := provider.GetOpenIDConnectWellKnownConfiguration("https://example.com")
assert.Equal(t, "https://example.com", disco.Issuer)
feat(oidc): provide cors config including options handlers (#3005) This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins.
2022-04-07 00:58:51 +00:00
assert.Equal(t, "https://example.com/jwks.json", disco.JWKSURI)
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
assert.Equal(t, "https://example.com/api/oidc/authorization", disco.AuthorizationEndpoint)
assert.Equal(t, "https://example.com/api/oidc/token", disco.TokenEndpoint)
assert.Equal(t, "https://example.com/api/oidc/userinfo", disco.UserinfoEndpoint)
assert.Equal(t, "https://example.com/api/oidc/introspection", disco.IntrospectionEndpoint)
assert.Equal(t, "https://example.com/api/oidc/revocation", disco.RevocationEndpoint)
assert.Equal(t, "", disco.RegistrationEndpoint)
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
assert.Len(t, disco.CodeChallengeMethodsSupported, 1)
assert.Contains(t, disco.CodeChallengeMethodsSupported, "S256")
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
assert.Len(t, disco.ScopesSupported, 5)
assert.Contains(t, disco.ScopesSupported, ScopeOpenID)
assert.Contains(t, disco.ScopesSupported, ScopeOfflineAccess)
assert.Contains(t, disco.ScopesSupported, ScopeProfile)
assert.Contains(t, disco.ScopesSupported, ScopeGroups)
assert.Contains(t, disco.ScopesSupported, ScopeEmail)
assert.Len(t, disco.ResponseModesSupported, 3)
assert.Contains(t, disco.ResponseModesSupported, "form_post")
assert.Contains(t, disco.ResponseModesSupported, "query")
assert.Contains(t, disco.ResponseModesSupported, "fragment")
assert.Len(t, disco.SubjectTypesSupported, 1)
assert.Contains(t, disco.SubjectTypesSupported, "public")
assert.Len(t, disco.ResponseTypesSupported, 8)
assert.Contains(t, disco.ResponseTypesSupported, "code")
assert.Contains(t, disco.ResponseTypesSupported, "token")
assert.Contains(t, disco.ResponseTypesSupported, "id_token")
assert.Contains(t, disco.ResponseTypesSupported, "code token")
assert.Contains(t, disco.ResponseTypesSupported, "code id_token")
assert.Contains(t, disco.ResponseTypesSupported, "token id_token")
assert.Contains(t, disco.ResponseTypesSupported, "code token id_token")
assert.Contains(t, disco.ResponseTypesSupported, "none")
assert.Len(t, disco.IDTokenSigningAlgValuesSupported, 1)
assert.Contains(t, disco.IDTokenSigningAlgValuesSupported, "RS256")
assert.Len(t, disco.UserinfoSigningAlgValuesSupported, 2)
assert.Contains(t, disco.UserinfoSigningAlgValuesSupported, "RS256")
assert.Contains(t, disco.UserinfoSigningAlgValuesSupported, "none")
assert.Len(t, disco.RequestObjectSigningAlgValuesSupported, 2)
assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "RS256")
assert.Contains(t, disco.RequestObjectSigningAlgValuesSupported, "none")
feat(oidc): client id claims (#3150) Adds the authorized party (azp) and client_id registered claims to ID Tokens.
2022-04-09 06:55:24 +00:00
assert.Len(t, disco.ClaimsSupported, 18)
fix(oidc): missing amr claim supported in discovery (#3147) This adds the AMR claim to discovery.
2022-04-08 23:35:13 +00:00
assert.Contains(t, disco.ClaimsSupported, "amr")
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
assert.Contains(t, disco.ClaimsSupported, "aud")
feat(oidc): client id claims (#3150) Adds the authorized party (azp) and client_id registered claims to ID Tokens.
2022-04-09 06:55:24 +00:00
assert.Contains(t, disco.ClaimsSupported, "azp")
assert.Contains(t, disco.ClaimsSupported, "client_id")
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
assert.Contains(t, disco.ClaimsSupported, "exp")
assert.Contains(t, disco.ClaimsSupported, "iat")
assert.Contains(t, disco.ClaimsSupported, "iss")
assert.Contains(t, disco.ClaimsSupported, "jti")
assert.Contains(t, disco.ClaimsSupported, "rat")
assert.Contains(t, disco.ClaimsSupported, "sub")
assert.Contains(t, disco.ClaimsSupported, "auth_time")
assert.Contains(t, disco.ClaimsSupported, "nonce")
assert.Contains(t, disco.ClaimsSupported, ClaimEmail)
assert.Contains(t, disco.ClaimsSupported, ClaimEmailVerified)
assert.Contains(t, disco.ClaimsSupported, ClaimEmailAlts)
assert.Contains(t, disco.ClaimsSupported, ClaimGroups)
assert.Contains(t, disco.ClaimsSupported, ClaimPreferredUsername)
assert.Contains(t, disco.ClaimsSupported, ClaimDisplayName)
}
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOAuth2WellKnownConfiguration(t *testing.T) {
provider, err := NewOpenIDConnectProvider(&schema.OpenIDConnectConfiguration{
feat(oidc): issuer jwk certificates (#3989) This allows for JWKs to include certificate information, either signed via Global PKI, Enterprise PKI, or self-signed.
2022-10-02 02:07:40 +00:00
IssuerCertificateChain: schema.X509CertificateChain{},
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
HMACSecret: "asbdhaaskmdlkamdklasmdlkams",
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
Clients: []schema.OpenIDConnectClientConfiguration{
{
ID: "a-client",
Secret: "a-client-secret",
Policy: "one_factor",
RedirectURIs: []string{
"https://google.com",
},
},
},
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}, nil)
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
assert.NoError(t, err)
disco := provider.GetOAuth2WellKnownConfiguration("https://example.com")
assert.Equal(t, "https://example.com", disco.Issuer)
feat(oidc): provide cors config including options handlers (#3005) This adjusts the CORS headers appropriately for OpenID Connect. This includes responding to OPTIONS requests appropriately. Currently this is only configured to operate when the Origin scheme is HTTPS; but can easily be expanded in the future to include additional Origins.
2022-04-07 00:58:51 +00:00
assert.Equal(t, "https://example.com/jwks.json", disco.JWKSURI)
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
assert.Equal(t, "https://example.com/api/oidc/authorization", disco.AuthorizationEndpoint)
assert.Equal(t, "https://example.com/api/oidc/token", disco.TokenEndpoint)
assert.Equal(t, "https://example.com/api/oidc/introspection", disco.IntrospectionEndpoint)
assert.Equal(t, "https://example.com/api/oidc/revocation", disco.RevocationEndpoint)
assert.Equal(t, "", disco.RegistrationEndpoint)
require.Len(t, disco.CodeChallengeMethodsSupported, 1)
assert.Equal(t, "S256", disco.CodeChallengeMethodsSupported[0])
assert.Len(t, disco.ScopesSupported, 5)
assert.Contains(t, disco.ScopesSupported, ScopeOpenID)
assert.Contains(t, disco.ScopesSupported, ScopeOfflineAccess)
assert.Contains(t, disco.ScopesSupported, ScopeProfile)
assert.Contains(t, disco.ScopesSupported, ScopeGroups)
assert.Contains(t, disco.ScopesSupported, ScopeEmail)
assert.Len(t, disco.ResponseModesSupported, 3)
assert.Contains(t, disco.ResponseModesSupported, "form_post")
assert.Contains(t, disco.ResponseModesSupported, "query")
assert.Contains(t, disco.ResponseModesSupported, "fragment")
assert.Len(t, disco.SubjectTypesSupported, 1)
assert.Contains(t, disco.SubjectTypesSupported, "public")
assert.Len(t, disco.ResponseTypesSupported, 8)
assert.Contains(t, disco.ResponseTypesSupported, "code")
assert.Contains(t, disco.ResponseTypesSupported, "token")
assert.Contains(t, disco.ResponseTypesSupported, "id_token")
assert.Contains(t, disco.ResponseTypesSupported, "code token")
assert.Contains(t, disco.ResponseTypesSupported, "code id_token")
assert.Contains(t, disco.ResponseTypesSupported, "token id_token")
assert.Contains(t, disco.ResponseTypesSupported, "code token id_token")
assert.Contains(t, disco.ResponseTypesSupported, "none")
feat(oidc): client id claims (#3150) Adds the authorized party (azp) and client_id registered claims to ID Tokens.
2022-04-09 06:55:24 +00:00
assert.Len(t, disco.ClaimsSupported, 18)
fix(oidc): missing amr claim supported in discovery (#3147) This adds the AMR claim to discovery.
2022-04-08 23:35:13 +00:00
assert.Contains(t, disco.ClaimsSupported, "amr")
feat(oidc): client id claims (#3150) Adds the authorized party (azp) and client_id registered claims to ID Tokens.
2022-04-09 06:55:24 +00:00
assert.Contains(t, disco.ClaimsSupported, "aud")
assert.Contains(t, disco.ClaimsSupported, "azp")
assert.Contains(t, disco.ClaimsSupported, "client_id")
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
assert.Contains(t, disco.ClaimsSupported, "exp")
assert.Contains(t, disco.ClaimsSupported, "iat")
assert.Contains(t, disco.ClaimsSupported, "iss")
assert.Contains(t, disco.ClaimsSupported, "jti")
assert.Contains(t, disco.ClaimsSupported, "rat")
assert.Contains(t, disco.ClaimsSupported, "sub")
assert.Contains(t, disco.ClaimsSupported, "auth_time")
assert.Contains(t, disco.ClaimsSupported, "nonce")
assert.Contains(t, disco.ClaimsSupported, ClaimEmail)
assert.Contains(t, disco.ClaimsSupported, ClaimEmailVerified)
assert.Contains(t, disco.ClaimsSupported, ClaimEmailAlts)
assert.Contains(t, disco.ClaimsSupported, ClaimGroups)
assert.Contains(t, disco.ClaimsSupported, ClaimPreferredUsername)
assert.Contains(t, disco.ClaimsSupported, ClaimDisplayName)
}
func TestOpenIDConnectProvider_NewOpenIDConnectProvider_GetOpenIDConnectWellKnownConfigurationWithPlainPKCE(t *testing.T) {
provider, err := NewOpenIDConnectProvider(&schema.OpenIDConnectConfiguration{
feat(oidc): issuer jwk certificates (#3989) This allows for JWKs to include certificate information, either signed via Global PKI, Enterprise PKI, or self-signed.
2022-10-02 02:07:40 +00:00
IssuerCertificateChain: schema.X509CertificateChain{},
IssuerPrivateKey: mustParseRSAPrivateKey(exampleIssuerPrivateKey),
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
HMACSecret: "asbdhaaskmdlkamdklasmdlkams",
EnablePKCEPlainChallenge: true,
Clients: []schema.OpenIDConnectClientConfiguration{
{
ID: "a-client",
Secret: "a-client-secret",
Policy: "one_factor",
RedirectURIs: []string{
"https://google.com",
},
},
},
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia.
2022-04-07 05:33:53 +00:00
}, nil)
feat(oidc): oauth2 discovery support (#2925) * feat(oidc): oauth2 discovery and endpoint rename This implements the oauth2 authorization server discovery document, adds tests to the discovery documents, implements an efficiency upgrade to these docs, and renames some endpoints to be uniform.
2022-03-04 03:09:27 +00:00
assert.NoError(t, err)
disco := provider.GetOpenIDConnectWellKnownConfiguration("https://example.com")
require.Len(t, disco.CodeChallengeMethodsSupported, 2)
assert.Equal(t, "S256", disco.CodeChallengeMethodsSupported[0])
assert.Equal(t, "plain", disco.CodeChallengeMethodsSupported[1])
}
feat(oidc): issuer jwk certificates (#3989) This allows for JWKs to include certificate information, either signed via Global PKI, Enterprise PKI, or self-signed.
2022-10-02 02:07:40 +00:00
func mustParseRSAPrivateKey(data string) *rsa.PrivateKey {
block, _ := pem.Decode([]byte(data))
if block == nil || block.Bytes == nil || len(block.Bytes) == 0 {
panic("not pem encoded")
}
if block.Type != "RSA PRIVATE KEY" {
panic("not private key")
}
key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
if err != nil {
panic(err)
}
return key
}