authelia/internal/oidc/discovery_test.go

package oidc

import (
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
)

func TestNewOpenIDConnectWellKnownConfiguration(t *testing.T) {
	testCases := []struct {
		desc               string
		pkcePlainChallenge bool
		enforcePAR         bool
		clients            map[string]Client
		discovery          schema.OpenIDConnectDiscovery

		expectCodeChallengeMethodsSupported, expectSubjectTypesSupported, expectedIDTokenSigAlgsSupported, expectedUserInfoSigAlgsSupported []string
	}{
		{
			desc:                                "ShouldHaveChallengeMethodsS256ANDSubjectTypesSupportedPublic",
			pkcePlainChallenge:                  false,
			clients:                             map[string]Client{"a": &BaseClient{}},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
			expectedIDTokenSigAlgsSupported:     []string{SigningAlgRSAUsingSHA256},
			expectedUserInfoSigAlgsSupported:    []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
		},
		{
			desc:               "ShouldIncludDiscoveryInfo",
			pkcePlainChallenge: false,
			clients:            map[string]Client{"a": &BaseClient{}},
			discovery: schema.OpenIDConnectDiscovery{
				RegisteredJWKSigningAlgs: []string{SigningAlgECDSAUsingP521AndSHA512},
			},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
			expectedIDTokenSigAlgsSupported:     []string{SigningAlgRSAUsingSHA256, SigningAlgECDSAUsingP521AndSHA512},
			expectedUserInfoSigAlgsSupported:    []string{SigningAlgRSAUsingSHA256, SigningAlgECDSAUsingP521AndSHA512, SigningAlgNone},
		},
		{
			desc:                                "ShouldHaveChallengeMethodsS256PlainANDSubjectTypesSupportedPublic",
			pkcePlainChallenge:                  true,
			clients:                             map[string]Client{"a": &BaseClient{}},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
			expectedIDTokenSigAlgsSupported:     []string{SigningAlgRSAUsingSHA256},
			expectedUserInfoSigAlgsSupported:    []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
		},
		{
			desc:                                "ShouldHaveChallengeMethodsS256ANDSubjectTypesSupportedPublicPairwise",
			pkcePlainChallenge:                  false,
			clients:                             map[string]Client{"a": &BaseClient{SectorIdentifier: "yes"}},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
			expectedIDTokenSigAlgsSupported:     []string{SigningAlgRSAUsingSHA256},
			expectedUserInfoSigAlgsSupported:    []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
		},
		{
			desc:                                "ShouldHaveChallengeMethodsS256PlainANDSubjectTypesSupportedPublicPairwise",
			pkcePlainChallenge:                  true,
			clients:                             map[string]Client{"a": &BaseClient{SectorIdentifier: "yes"}},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
			expectedIDTokenSigAlgsSupported:     []string{SigningAlgRSAUsingSHA256},
			expectedUserInfoSigAlgsSupported:    []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
		},
		{
			desc:                                "ShouldHaveTokenAuthMethodsNone",
			pkcePlainChallenge:                  true,
			clients:                             map[string]Client{"a": &BaseClient{SectorIdentifier: "yes"}},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
			expectedIDTokenSigAlgsSupported:     []string{SigningAlgRSAUsingSHA256},
			expectedUserInfoSigAlgsSupported:    []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
		},
		{
			desc:               "ShouldHaveTokenAuthMethodsNone",
			pkcePlainChallenge: true,
			clients: map[string]Client{
				"a": &BaseClient{SectorIdentifier: "yes"},
				"b": &BaseClient{SectorIdentifier: "yes"},
			},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
			expectedIDTokenSigAlgsSupported:     []string{SigningAlgRSAUsingSHA256},
			expectedUserInfoSigAlgsSupported:    []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
		},
		{
			desc:               "ShouldHaveTokenAuthMethodsNone",
			pkcePlainChallenge: true,
			clients: map[string]Client{
				"a": &BaseClient{SectorIdentifier: "yes"},
				"b": &BaseClient{SectorIdentifier: "yes"},
			},
			expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},
			expectSubjectTypesSupported:         []string{SubjectTypePublic, SubjectTypePairwise},
			expectedIDTokenSigAlgsSupported:     []string{SigningAlgRSAUsingSHA256},
			expectedUserInfoSigAlgsSupported:    []string{SigningAlgRSAUsingSHA256, SigningAlgNone},
		},
	}

	for _, tc := range testCases {
		t.Run(tc.desc, func(t *testing.T) {
			c := schema.OpenIDConnectConfiguration{
				EnablePKCEPlainChallenge: tc.pkcePlainChallenge,
				PAR: schema.OpenIDConnectPARConfiguration{
					Enforce: tc.enforcePAR,
				},
				Discovery: tc.discovery,
			}

			actual := NewOpenIDConnectWellKnownConfiguration(&c)
			for _, codeChallengeMethod := range tc.expectCodeChallengeMethodsSupported {
				assert.Contains(t, actual.CodeChallengeMethodsSupported, codeChallengeMethod)
			}

			for _, subjectType := range tc.expectSubjectTypesSupported {
				assert.Contains(t, actual.SubjectTypesSupported, subjectType)
			}

			for _, codeChallengeMethod := range actual.CodeChallengeMethodsSupported {
				assert.Contains(t, tc.expectCodeChallengeMethodsSupported, codeChallengeMethod)
			}

			for _, subjectType := range actual.SubjectTypesSupported {
				assert.Contains(t, tc.expectSubjectTypesSupported, subjectType)
			}

			assert.Equal(t, tc.expectedUserInfoSigAlgsSupported, actual.UserinfoSigningAlgValuesSupported)
			assert.Equal(t, tc.expectedIDTokenSigAlgsSupported, actual.IDTokenSigningAlgValuesSupported)
		})
	}
}
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`package oidc`

			`import (`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00
			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`)`

			`func TestNewOpenIDConnectWellKnownConfiguration(t *testing.T) {`
			`testCases := []struct {`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`desc string`
			`pkcePlainChallenge bool`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`enforcePAR bool`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`clients map[string]Client`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`discovery schema.OpenIDConnectDiscovery`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`expectCodeChallengeMethodsSupported, expectSubjectTypesSupported, expectedIDTokenSigAlgsSupported, expectedUserInfoSigAlgsSupported []string`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`}{`
			`{`
			`desc: "ShouldHaveChallengeMethodsS256ANDSubjectTypesSupportedPublic",`
			`pkcePlainChallenge: false,`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`clients: map[string]Client{"a": &BaseClient{}},`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},`
			`expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},`
			`},`
			`{`
			`desc: "ShouldIncludDiscoveryInfo",`
			`pkcePlainChallenge: false,`
			`clients: map[string]Client{"a": &BaseClient{}},`
			`discovery: schema.OpenIDConnectDiscovery{`
			`RegisteredJWKSigningAlgs: []string{SigningAlgECDSAUsingP521AndSHA512},`
			`},`
			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
			`expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgECDSAUsingP521AndSHA512},`
			`expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgECDSAUsingP521AndSHA512, SigningAlgNone},`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`{`
			`desc: "ShouldHaveChallengeMethodsS256PlainANDSubjectTypesSupportedPublic",`
			`pkcePlainChallenge: true,`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`clients: map[string]Client{"a": &BaseClient{}},`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},`
			`expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`{`
			`desc: "ShouldHaveChallengeMethodsS256ANDSubjectTypesSupportedPublicPairwise",`
			`pkcePlainChallenge: false,`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`clients: map[string]Client{"a": &BaseClient{SectorIdentifier: "yes"}},`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},`
			`expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`{`
			`desc: "ShouldHaveChallengeMethodsS256PlainANDSubjectTypesSupportedPublicPairwise",`
			`pkcePlainChallenge: true,`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`clients: map[string]Client{"a": &BaseClient{SectorIdentifier: "yes"}},`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},`
			`expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`},`
			`{`
			`desc: "ShouldHaveTokenAuthMethodsNone",`
			`pkcePlainChallenge: true,`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`clients: map[string]Client{"a": &BaseClient{SectorIdentifier: "yes"}},`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},`
			`expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},`
			`},`
			`{`
			`desc: "ShouldHaveTokenAuthMethodsNone",`
			`pkcePlainChallenge: true,`
			`clients: map[string]Client{`
			`"a": &BaseClient{SectorIdentifier: "yes"},`
			`"b": &BaseClient{SectorIdentifier: "yes"},`
			`},`
			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
			`expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},`
			`expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`},`
			`{`
			`desc: "ShouldHaveTokenAuthMethodsNone",`
			`pkcePlainChallenge: true,`
feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`clients: map[string]Client{`
			`"a": &BaseClient{SectorIdentifier: "yes"},`
			`"b": &BaseClient{SectorIdentifier: "yes"},`
feat(oidc): implicit consent (#4080) This adds multiple consent modes to OpenID Connect clients. Specifically it allows configuration of a new consent mode called implicit which never asks for user consent. 2022-10-20 02:16:36 +00:00			`},`
			`expectCodeChallengeMethodsSupported: []string{PKCEChallengeMethodSHA256, PKCEChallengeMethodPlain},`
			`expectSubjectTypesSupported: []string{SubjectTypePublic, SubjectTypePairwise},`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`expectedIDTokenSigAlgsSupported: []string{SigningAlgRSAUsingSHA256},`
			`expectedUserInfoSigAlgsSupported: []string{SigningAlgRSAUsingSHA256, SigningAlgNone},`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`},`
			`}`

			`for _, tc := range testCases {`
			`t.Run(tc.desc, func(t *testing.T) {`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`c := schema.OpenIDConnectConfiguration{`
			`EnablePKCEPlainChallenge: tc.pkcePlainChallenge,`
			`PAR: schema.OpenIDConnectPARConfiguration{`
			`Enforce: tc.enforcePAR,`
			`},`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00			`Discovery: tc.discovery,`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`}`

feat(oidc): client authentication modes (#5150) This adds a feature to OpenID Connect 1.0 where clients can be restricted to a specific client authentication mode, as well as implements some backend requirements for the private_key_jwt client authentication mode (and potentially the tls_client_auth / self_signed_tls_client_auth client authentication modes). It also adds some improvements to configuration defaults and validations which will for now be warnings but likely be made into errors. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-04-13 10:58:18 +00:00			`actual := NewOpenIDConnectWellKnownConfiguration(&c)`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`for _, codeChallengeMethod := range tc.expectCodeChallengeMethodsSupported {`
			`assert.Contains(t, actual.CodeChallengeMethodsSupported, codeChallengeMethod)`
			`}`

			`for _, subjectType := range tc.expectSubjectTypesSupported {`
			`assert.Contains(t, actual.SubjectTypesSupported, subjectType)`
			`}`

			`for _, codeChallengeMethod := range actual.CodeChallengeMethodsSupported {`
			`assert.Contains(t, tc.expectCodeChallengeMethodsSupported, codeChallengeMethod)`
			`}`

			`for _, subjectType := range actual.SubjectTypesSupported {`
			`assert.Contains(t, tc.expectSubjectTypesSupported, subjectType)`
			`}`
feat(oidc): multiple jwk algorithms (#5279) This adds support for multiple JWK algorithms and keys and allows for per-client algorithm choices. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> 2023-05-15 00:03:19 +00:00
			`assert.Equal(t, tc.expectedUserInfoSigAlgsSupported, actual.UserinfoSigningAlgValuesSupported)`
			`assert.Equal(t, tc.expectedIDTokenSigAlgsSupported, actual.IDTokenSigningAlgValuesSupported)`
feat(oidc): persistent storage (#2965) This moves the OpenID Connect storage from memory into the SQL storage, making it persistent and allowing it to be used with clustered deployments like the rest of Authelia. 2022-04-07 05:33:53 +00:00			`})`
			`}`
			`}`