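package oidc_test

import (
	"context"
	"fmt"
	"net/url"
	"testing"
	"time"

	"github.com/ory/fosite/token/jwt"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/authelia/authelia/v4/internal/oidc"
	"github.com/authelia/authelia/v4/internal/templates"
)

// TestConfig_GetAllowedPrompts checks that a zero Config lazily populates
// AllowedPrompts with the none/login/consent defaults on first access, and
// that an explicit override is what the getter returns afterwards.
func TestConfig_GetAllowedPrompts(t *testing.T) {
	ctx := context.Background()

	config := &oidc.Config{}

	assert.Equal(t, []string(nil), config.AllowedPrompts)
	assert.Equal(t, []string{oidc.PromptNone, oidc.PromptLogin, oidc.PromptConsent}, config.GetAllowedPrompts(ctx))
	assert.Equal(t, []string{oidc.PromptNone, oidc.PromptLogin, oidc.PromptConsent}, config.AllowedPrompts)

	config.AllowedPrompts = []string{oidc.PromptNone}

	assert.Equal(t, []string{oidc.PromptNone}, config.AllowedPrompts)

	// The provider consults the getter, not the field, so an override has to
	// survive a getter call rather than being replaced by the defaults again.
	assert.Equal(t, []string{oidc.PromptNone}, config.GetAllowedPrompts(ctx))
}

// TestConfig_PKCE checks the PKCE enforcement switches. The security-relevant
// defaults pinned here: PKCE is not enforced for any client class, and the
// downgrade-prone "plain" code_challenge_method stays disabled unless opted in.
// Enforcing for all clients implies enforcing for public clients, but the
// public-client switch can be set on its own.
func TestConfig_PKCE(t *testing.T) {
	ctx := context.Background()

	config := &oidc.Config{}

	assert.False(t, config.GetEnforcePKCE(ctx))
	assert.False(t, config.GetEnforcePKCEForPublicClients(ctx))

	config.ProofKeyCodeExchange.Enforce = true

	assert.True(t, config.GetEnforcePKCE(ctx))
	assert.True(t, config.GetEnforcePKCEForPublicClients(ctx))

	config.ProofKeyCodeExchange.Enforce = false

	// Clearing the global switch must clear both getters, not only the
	// public-client one.
	assert.False(t, config.GetEnforcePKCE(ctx))
	assert.False(t, config.GetEnforcePKCEForPublicClients(ctx))

	config.ProofKeyCodeExchange.EnforcePublicClients = true

	// Public-client enforcement is independent of the global switch.
	assert.False(t, config.GetEnforcePKCE(ctx))
	assert.True(t, config.GetEnforcePKCEForPublicClients(ctx))

	assert.False(t, config.GetEnablePKCEPlainChallengeMethod(ctx))

	config.ProofKeyCodeExchange.AllowPlainChallengeMethod = true

	assert.True(t, config.GetEnablePKCEPlainChallengeMethod(ctx))
}

// TestConfig_GrantTypeJWTBearer checks the three relaxations of the JWT bearer
// grant. By default none apply: the assertion needs a jti (replay protection),
// the client still has to authenticate, and an iat claim is required. Each
// option is enabled in turn and the other two are re-asserted to confirm the
// getters do not bleed into one another.
func TestConfig_GrantTypeJWTBearer(t *testing.T) {
	ctx := context.Background()

	config := &oidc.Config{}

	assert.False(t, config.GetGrantTypeJWTBearerIDOptional(ctx))
	assert.False(t, config.GetGrantTypeJWTBearerCanSkipClientAuth(ctx))
	assert.False(t, config.GetGrantTypeJWTBearerIssuedDateOptional(ctx))

	config.GrantTypeJWTBearer.OptionalJTIClaim = true

	assert.True(t, config.GetGrantTypeJWTBearerIDOptional(ctx))
	assert.False(t, config.GetGrantTypeJWTBearerCanSkipClientAuth(ctx))
	assert.False(t, config.GetGrantTypeJWTBearerIssuedDateOptional(ctx))

	config.GrantTypeJWTBearer.OptionalClientAuth = true

	assert.True(t, config.GetGrantTypeJWTBearerIDOptional(ctx))
	assert.True(t, config.GetGrantTypeJWTBearerCanSkipClientAuth(ctx))
	assert.False(t, config.GetGrantTypeJWTBearerIssuedDateOptional(ctx))

	config.GrantTypeJWTBearer.OptionalIssuedDate = true

	assert.True(t, config.GetGrantTypeJWTBearerIDOptional(ctx))
	assert.True(t, config.GetGrantTypeJWTBearerCanSkipClientAuth(ctx))
	assert.True(t, config.GetGrantTypeJWTBearerIssuedDateOptional(ctx))
}

// TestConfig_Durations pins the lazily-applied lifespan defaults. Each field
// starts at zero, the first getter call fills it in, and the field then holds
// the default. The values asserted: JWT max duration 24h, ID and access tokens
// 1h, refresh tokens 30 days, authorization codes 15 minutes. Changing any of
// these widens or narrows a token's replay window, so the defaults are pinned.
func TestConfig_Durations(t *testing.T) {
	ctx := context.Background()

	config := &oidc.Config{}

	assert.Equal(t, time.Duration(0), config.JWTMaxDuration)
	assert.Equal(t, time.Hour*24, config.GetJWTMaxDuration(ctx))
	assert.Equal(t, time.Hour*24, config.JWTMaxDuration)

	assert.Equal(t, time.Duration(0), config.Lifespans.IDToken)
	assert.Equal(t, time.Hour, config.GetIDTokenLifespan(ctx))
	assert.Equal(t, time.Hour, config.Lifespans.IDToken)

	assert.Equal(t, time.Duration(0), config.Lifespans.AccessToken)
	assert.Equal(t, time.Hour, config.GetAccessTokenLifespan(ctx))
	assert.Equal(t, time.Hour, config.Lifespans.AccessToken)

	assert.Equal(t, time.Duration(0), config.Lifespans.RefreshToken)
	assert.Equal(t, time.Hour*24*30, config.GetRefreshTokenLifespan(ctx))
	assert.Equal(t, time.Hour*24*30, config.Lifespans.RefreshToken)

	assert.Equal(t, time.Duration(0), config.Lifespans.AuthorizeCode)
	assert.Equal(t, time.Minute*15, config.GetAuthorizeCodeLifespan(ctx))
	assert.Equal(t, time.Minute*15, config.Lifespans.AuthorizeCode)
}

// TestConfig_GetTokenEntropy pins the default token entropy at 32 bytes and
// checks the getter writes that default back into the field.
func TestConfig_GetTokenEntropy(t *testing.T) {
	ctx := context.Background()

	config := &oidc.Config{}

	assert.Equal(t, 0, config.TokenEntropy)
	assert.Equal(t, 32, config.GetTokenEntropy(ctx))
	assert.Equal(t, 32, config.TokenEntropy)
}

// TestConfig_Misc covers the remaining getters on a zero Config: issuer
// strings, the JWT scope field, sanitation whitelist, redirect handling,
// strategies that are created on first use, refresh token scopes, minimum
// parameter entropy, debug message leakage, templates, handler lists and the
// token URL. It also confirms GetTokenURL degrades to "" when the issuer URL
// cannot be resolved (via MockOpenIDConnectContext, defined elsewhere in this
// package).
func TestConfig_Misc(t *testing.T) {
	ctx := context.Background()

	config := &oidc.Config{}

	assert.False(t, config.DisableRefreshTokenValidation)
	assert.False(t, config.GetDisableRefreshTokenValidation(ctx))

	assert.Equal(t, "", config.Issuers.AccessToken)
	assert.Equal(t, "", config.GetAccessTokenIssuer(ctx))

	assert.Equal(t, "", config.Issuers.IDToken)
	assert.Equal(t, "", config.GetIDTokenIssuer(ctx))

	// An unset scope field defaults to the list form and is persisted.
	assert.Equal(t, jwt.JWTScopeFieldUnset, config.JWTScopeField)
	assert.Equal(t, jwt.JWTScopeFieldList, config.GetJWTScopeField(ctx))
	assert.Equal(t, jwt.JWTScopeFieldList, config.JWTScopeField)

	assert.Equal(t, []string(nil), config.SanitationWhiteList)
	assert.Equal(t, []string(nil), config.GetSanitationWhiteList(ctx))
	assert.Equal(t, []string(nil), config.SanitationWhiteList)

	assert.False(t, config.OmitRedirectScopeParameter)
	assert.False(t, config.GetOmitRedirectScopeParam(ctx))

	assert.NotNil(t, config.GetRedirectSecureChecker(ctx))
	assert.NotNil(t, config.GetHTTPClient(ctx))

	// Scope and audience strategies are nil until first requested, then cached.
	assert.Nil(t, config.Strategy.Scope)
	assert.NotNil(t, config.GetScopeStrategy(ctx))
	assert.NotNil(t, config.Strategy.Scope)

	assert.Nil(t, config.Strategy.Audience)
	assert.NotNil(t, config.GetAudienceStrategy(ctx))
	assert.NotNil(t, config.Strategy.Audience)

	assert.Equal(t, []string(nil), config.RefreshTokenScopes)
	assert.Equal(t, []string{oidc.ScopeOffline, oidc.ScopeOfflineAccess}, config.GetRefreshTokenScopes(ctx))
	assert.Equal(t, []string{oidc.ScopeOffline, oidc.ScopeOfflineAccess}, config.RefreshTokenScopes)

	// Minimum entropy (bytes) for client-supplied parameters such as state/nonce.
	assert.Equal(t, 0, config.MinParameterEntropy)
	assert.Equal(t, 8, config.GetMinParameterEntropy(ctx))
	assert.Equal(t, 8, config.MinParameterEntropy)

	// Debug messages to clients can expose server internals; the default is
	// off and only an explicit opt-in turns them on.
	assert.False(t, config.SendDebugMessagesToClients)
	assert.False(t, config.GetSendDebugMessagesToClients(ctx))

	config.SendDebugMessagesToClients = true

	assert.True(t, config.GetSendDebugMessagesToClients(ctx))

	assert.Nil(t, config.Strategy.JWKSFetcher)
	assert.NotNil(t, config.GetJWKSFetcherStrategy(ctx))
	assert.NotNil(t, config.Strategy.JWKSFetcher)

	// Unlike the strategies above, no client authentication strategy is
	// synthesised for a zero Config.
	assert.Nil(t, config.Strategy.ClientAuthentication)
	assert.Nil(t, config.GetClientAuthenticationStrategy(ctx))

	assert.Nil(t, config.MessageCatalog)
	assert.Nil(t, config.GetMessageCatalog(ctx))

	assert.Nil(t, config.Templates)
	assert.Nil(t, config.GetFormPostHTMLTemplate(ctx))

	var err error

	config.Templates, err = templates.New(templates.Config{})
	require.NoError(t, err)

	assert.NotNil(t, config.GetFormPostHTMLTemplate(ctx))
	assert.NotNil(t, config.Templates)

	assert.False(t, config.GetUseLegacyErrorFormat(ctx))

	assert.Nil(t, config.GetAuthorizeEndpointHandlers(ctx))
	assert.Nil(t, config.GetTokenEndpointHandlers(ctx))
	assert.Nil(t, config.GetTokenIntrospectionHandlers(ctx))
	assert.Nil(t, config.GetRevocationHandlers(ctx))
	assert.Nil(t, config.GetPushedAuthorizeEndpointHandlers(ctx))
	assert.Nil(t, config.GetResponseModeHandlerExtension(ctx))

	assert.Equal(t, "", config.GetTokenURL(ctx))

	octx := &MockOpenIDConnectContext{
		Context: ctx,
		IssuerURLFunc: func() (issuerURL *url.URL, err error) {
			return nil, fmt.Errorf("test error")
		},
	}

	// A failing issuer lookup yields an empty token URL rather than a partial one.
	assert.Equal(t, "", config.GetTokenURL(octx))
}

// TestConfig_PAR checks the Pushed Authorization Request settings: the
// request_uri prefix defaults to the RFC 9126 urn, PAR is not enforced unless
// configured, and a pushed request context lives for 5 minutes by default.
func TestConfig_PAR(t *testing.T) {
	ctx := context.Background()

	config := &oidc.Config{}

	assert.Equal(t, "", config.PAR.URIPrefix)
	assert.Equal(t, "urn:ietf:params:oauth:request_uri:", config.GetPushedAuthorizeRequestURIPrefix(ctx))
	assert.Equal(t, "urn:ietf:params:oauth:request_uri:", config.PAR.URIPrefix)

	assert.False(t, config.PAR.Enforced)
	assert.False(t, config.EnforcePushedAuthorize(ctx))
	assert.False(t, config.PAR.Enforced)

	config.PAR.Enforced = true

	assert.True(t, config.EnforcePushedAuthorize(ctx))

	assert.Equal(t, time.Duration(0), config.PAR.ContextLifespan)
	assert.Equal(t, time.Minute*5, config.GetPushedAuthorizeContextLifespan(ctx))
	assert.Equal(t, time.Minute*5, config.PAR.ContextLifespan)
}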