643 lines
22 KiB
Go
643 lines
22 KiB
Go
package oidc_test
|
|
|
|
import (
|
|
"fmt"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/ory/fosite"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"gopkg.in/square/go-jose.v2"
|
|
|
|
"github.com/authelia/authelia/v4/internal/authentication"
|
|
"github.com/authelia/authelia/v4/internal/authorization"
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
|
"github.com/authelia/authelia/v4/internal/model"
|
|
"github.com/authelia/authelia/v4/internal/oidc"
|
|
)
|
|
|
|
func TestNewClient(t *testing.T) {
|
|
config := schema.OpenIDConnectClient{}
|
|
client := oidc.NewClient(config, &schema.OpenIDConnect{})
|
|
assert.Equal(t, "", client.GetID())
|
|
assert.Equal(t, "", client.GetDescription())
|
|
assert.Len(t, client.GetResponseModes(), 0)
|
|
assert.Len(t, client.GetResponseTypes(), 1)
|
|
assert.Equal(t, "", client.GetSectorIdentifier())
|
|
|
|
bclient, ok := client.(*oidc.BaseClient)
|
|
require.True(t, ok)
|
|
assert.Equal(t, "", bclient.UserinfoSigningAlg)
|
|
assert.Equal(t, oidc.SigningAlgNone, client.GetUserinfoSigningAlg())
|
|
assert.Equal(t, "", client.GetUserinfoSigningKeyID())
|
|
|
|
_, ok = client.(*oidc.FullClient)
|
|
assert.False(t, ok)
|
|
|
|
config = schema.OpenIDConnectClient{
|
|
ID: myclient,
|
|
Description: myclientdesc,
|
|
Policy: twofactor,
|
|
Secret: tOpenIDConnectPlainTextClientSecret,
|
|
RedirectURIs: []string{examplecom},
|
|
Scopes: schema.DefaultOpenIDConnectClientConfiguration.Scopes,
|
|
ResponseTypes: schema.DefaultOpenIDConnectClientConfiguration.ResponseTypes,
|
|
GrantTypes: schema.DefaultOpenIDConnectClientConfiguration.GrantTypes,
|
|
ResponseModes: schema.DefaultOpenIDConnectClientConfiguration.ResponseModes,
|
|
}
|
|
|
|
client = oidc.NewClient(config, &schema.OpenIDConnect{})
|
|
assert.Equal(t, myclient, client.GetID())
|
|
require.Len(t, client.GetResponseModes(), 1)
|
|
assert.Equal(t, fosite.ResponseModeFormPost, client.GetResponseModes()[0])
|
|
assert.Equal(t, authorization.TwoFactor, client.GetAuthorizationPolicy(authorization.Subject{}))
|
|
|
|
config = schema.OpenIDConnectClient{
|
|
TokenEndpointAuthMethod: oidc.ClientAuthMethodClientSecretPost,
|
|
}
|
|
|
|
client = oidc.NewClient(config, &schema.OpenIDConnect{})
|
|
|
|
fclient, ok := client.(*oidc.FullClient)
|
|
|
|
require.True(t, ok)
|
|
|
|
assert.Equal(t, "", fclient.UserinfoSigningAlg)
|
|
assert.Equal(t, oidc.SigningAlgNone, client.GetUserinfoSigningAlg())
|
|
assert.Equal(t, oidc.SigningAlgNone, fclient.GetUserinfoSigningAlg())
|
|
assert.Equal(t, oidc.SigningAlgNone, fclient.UserinfoSigningAlg)
|
|
|
|
assert.Equal(t, "", fclient.UserinfoSigningKeyID)
|
|
assert.Equal(t, "", client.GetUserinfoSigningKeyID())
|
|
assert.Equal(t, "", fclient.GetUserinfoSigningKeyID())
|
|
|
|
fclient.UserinfoSigningKeyID = "aukeyid"
|
|
|
|
assert.Equal(t, "aukeyid", client.GetUserinfoSigningKeyID())
|
|
assert.Equal(t, "aukeyid", fclient.GetUserinfoSigningKeyID())
|
|
|
|
assert.Equal(t, "", fclient.IDTokenSigningAlg)
|
|
assert.Equal(t, oidc.SigningAlgRSAUsingSHA256, client.GetIDTokenSigningAlg())
|
|
assert.Equal(t, oidc.SigningAlgRSAUsingSHA256, fclient.GetIDTokenSigningAlg())
|
|
assert.Equal(t, oidc.SigningAlgRSAUsingSHA256, fclient.IDTokenSigningAlg)
|
|
|
|
assert.Equal(t, "", fclient.IDTokenSigningKeyID)
|
|
assert.Equal(t, "", client.GetIDTokenSigningKeyID())
|
|
assert.Equal(t, "", fclient.GetIDTokenSigningKeyID())
|
|
|
|
fclient.IDTokenSigningKeyID = "akeyid"
|
|
|
|
assert.Equal(t, "akeyid", client.GetIDTokenSigningKeyID())
|
|
assert.Equal(t, "akeyid", fclient.GetIDTokenSigningKeyID())
|
|
|
|
assert.Equal(t, oidc.ClientAuthMethodClientSecretPost, fclient.TokenEndpointAuthMethod)
|
|
assert.Equal(t, oidc.ClientAuthMethodClientSecretPost, fclient.GetTokenEndpointAuthMethod())
|
|
|
|
assert.Equal(t, "", fclient.TokenEndpointAuthSigningAlgorithm)
|
|
assert.Equal(t, oidc.SigningAlgRSAUsingSHA256, fclient.GetTokenEndpointAuthSigningAlgorithm())
|
|
assert.Equal(t, oidc.SigningAlgRSAUsingSHA256, fclient.TokenEndpointAuthSigningAlgorithm)
|
|
|
|
assert.Equal(t, "", fclient.RequestObjectSigningAlgorithm)
|
|
assert.Equal(t, "", fclient.GetRequestObjectSigningAlgorithm())
|
|
|
|
fclient.RequestObjectSigningAlgorithm = oidc.SigningAlgRSAUsingSHA256
|
|
|
|
assert.Equal(t, oidc.SigningAlgRSAUsingSHA256, fclient.GetRequestObjectSigningAlgorithm())
|
|
|
|
assert.Equal(t, "", fclient.JSONWebKeysURI)
|
|
assert.Equal(t, "", fclient.GetJSONWebKeysURI())
|
|
|
|
fclient.JSONWebKeysURI = "https://example.com"
|
|
assert.Equal(t, "https://example.com", fclient.GetJSONWebKeysURI())
|
|
|
|
var niljwks *jose.JSONWebKeySet
|
|
|
|
assert.Equal(t, niljwks, fclient.JSONWebKeys)
|
|
assert.Equal(t, niljwks, fclient.GetJSONWebKeys())
|
|
|
|
assert.Equal(t, oidc.ClientConsentMode(0), fclient.Consent.Mode)
|
|
assert.Equal(t, time.Second*0, fclient.Consent.Duration)
|
|
assert.Equal(t, oidc.ClientConsent{Mode: oidc.ClientConsentModeExplicit}, fclient.GetConsentPolicy())
|
|
|
|
fclient.TokenEndpointAuthMethod = ""
|
|
fclient.Public = false
|
|
assert.Equal(t, oidc.ClientAuthMethodClientSecretBasic, fclient.GetTokenEndpointAuthMethod())
|
|
assert.Equal(t, oidc.ClientAuthMethodClientSecretBasic, fclient.TokenEndpointAuthMethod)
|
|
|
|
fclient.TokenEndpointAuthMethod = ""
|
|
fclient.Public = true
|
|
assert.Equal(t, oidc.ClientAuthMethodNone, fclient.GetTokenEndpointAuthMethod())
|
|
assert.Equal(t, oidc.ClientAuthMethodNone, fclient.TokenEndpointAuthMethod)
|
|
|
|
assert.Equal(t, []string(nil), fclient.RequestURIs)
|
|
assert.Equal(t, []string(nil), fclient.GetRequestURIs())
|
|
}
|
|
|
|
func TestBaseClient_ValidatePARPolicy(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
client *oidc.BaseClient
|
|
have *fosite.Request
|
|
expected string
|
|
}{
|
|
{
|
|
"ShouldNotEnforcePAR",
|
|
&oidc.BaseClient{
|
|
EnforcePAR: false,
|
|
},
|
|
&fosite.Request{},
|
|
"",
|
|
},
|
|
{
|
|
"ShouldEnforcePARAndErrorWithoutCorrectRequestURI",
|
|
&oidc.BaseClient{
|
|
EnforcePAR: true,
|
|
},
|
|
&fosite.Request{
|
|
Form: map[string][]string{
|
|
oidc.FormParameterRequestURI: {"https://google.com"},
|
|
},
|
|
},
|
|
"invalid_request",
|
|
},
|
|
{
|
|
"ShouldEnforcePARAndErrorWithEmptyRequestURI",
|
|
&oidc.BaseClient{
|
|
EnforcePAR: true,
|
|
},
|
|
&fosite.Request{
|
|
Form: map[string][]string{
|
|
oidc.FormParameterRequestURI: {""},
|
|
},
|
|
},
|
|
"invalid_request",
|
|
},
|
|
{
|
|
"ShouldEnforcePARAndNotErrorWithCorrectRequestURI",
|
|
&oidc.BaseClient{
|
|
EnforcePAR: true,
|
|
},
|
|
&fosite.Request{
|
|
Form: map[string][]string{
|
|
oidc.FormParameterRequestURI: {oidc.RedirectURIPrefixPushedAuthorizationRequestURN + "abc"},
|
|
},
|
|
},
|
|
"",
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
err := tc.client.ValidatePARPolicy(tc.have, oidc.RedirectURIPrefixPushedAuthorizationRequestURN)
|
|
|
|
switch tc.expected {
|
|
case "":
|
|
assert.NoError(t, err)
|
|
default:
|
|
assert.EqualError(t, err, tc.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestIsAuthenticationLevelSufficient(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
c.Policy = oidc.ClientPolicy{DefaultPolicy: authorization.Bypass}
|
|
assert.False(t, c.IsAuthenticationLevelSufficient(authentication.NotAuthenticated, authorization.Subject{}))
|
|
assert.True(t, c.IsAuthenticationLevelSufficient(authentication.OneFactor, authorization.Subject{}))
|
|
assert.True(t, c.IsAuthenticationLevelSufficient(authentication.TwoFactor, authorization.Subject{}))
|
|
|
|
c.Policy = oidc.ClientPolicy{DefaultPolicy: authorization.OneFactor}
|
|
assert.False(t, c.IsAuthenticationLevelSufficient(authentication.NotAuthenticated, authorization.Subject{}))
|
|
assert.True(t, c.IsAuthenticationLevelSufficient(authentication.OneFactor, authorization.Subject{}))
|
|
assert.True(t, c.IsAuthenticationLevelSufficient(authentication.TwoFactor, authorization.Subject{}))
|
|
|
|
c.Policy = oidc.ClientPolicy{DefaultPolicy: authorization.TwoFactor}
|
|
assert.False(t, c.IsAuthenticationLevelSufficient(authentication.NotAuthenticated, authorization.Subject{}))
|
|
assert.False(t, c.IsAuthenticationLevelSufficient(authentication.OneFactor, authorization.Subject{}))
|
|
assert.True(t, c.IsAuthenticationLevelSufficient(authentication.TwoFactor, authorization.Subject{}))
|
|
|
|
c.Policy = oidc.ClientPolicy{DefaultPolicy: authorization.Denied}
|
|
assert.False(t, c.IsAuthenticationLevelSufficient(authentication.NotAuthenticated, authorization.Subject{}))
|
|
assert.False(t, c.IsAuthenticationLevelSufficient(authentication.OneFactor, authorization.Subject{}))
|
|
assert.False(t, c.IsAuthenticationLevelSufficient(authentication.TwoFactor, authorization.Subject{}))
|
|
}
|
|
|
|
func TestClient_GetConsentResponseBody(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
consentRequestBody := c.GetConsentResponseBody(nil)
|
|
assert.Equal(t, "", consentRequestBody.ClientID)
|
|
assert.Equal(t, "", consentRequestBody.ClientDescription)
|
|
assert.Equal(t, []string(nil), consentRequestBody.Scopes)
|
|
assert.Equal(t, []string(nil), consentRequestBody.Audience)
|
|
|
|
c.ID = myclient
|
|
c.Description = myclientdesc
|
|
|
|
consent := &model.OAuth2ConsentSession{
|
|
RequestedAudience: []string{examplecom},
|
|
RequestedScopes: []string{oidc.ScopeOpenID, oidc.ScopeGroups},
|
|
}
|
|
|
|
expectedScopes := []string{oidc.ScopeOpenID, oidc.ScopeGroups}
|
|
expectedAudiences := []string{examplecom}
|
|
|
|
consentRequestBody = c.GetConsentResponseBody(consent)
|
|
assert.Equal(t, myclient, consentRequestBody.ClientID)
|
|
assert.Equal(t, myclientdesc, consentRequestBody.ClientDescription)
|
|
assert.Equal(t, expectedScopes, consentRequestBody.Scopes)
|
|
assert.Equal(t, expectedAudiences, consentRequestBody.Audience)
|
|
}
|
|
|
|
func TestClient_GetAudience(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
audience := c.GetAudience()
|
|
assert.Len(t, audience, 0)
|
|
|
|
c.Audience = []string{examplecom}
|
|
|
|
audience = c.GetAudience()
|
|
require.Len(t, audience, 1)
|
|
assert.Equal(t, examplecom, audience[0])
|
|
}
|
|
|
|
func TestClient_GetScopes(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
scopes := c.GetScopes()
|
|
assert.Len(t, scopes, 0)
|
|
|
|
c.Scopes = []string{oidc.ScopeOpenID}
|
|
|
|
scopes = c.GetScopes()
|
|
require.Len(t, scopes, 1)
|
|
assert.Equal(t, oidc.ScopeOpenID, scopes[0])
|
|
}
|
|
|
|
func TestClient_GetGrantTypes(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
grantTypes := c.GetGrantTypes()
|
|
require.Len(t, grantTypes, 1)
|
|
assert.Equal(t, oidc.GrantTypeAuthorizationCode, grantTypes[0])
|
|
|
|
c.GrantTypes = []string{"device_code"}
|
|
|
|
grantTypes = c.GetGrantTypes()
|
|
require.Len(t, grantTypes, 1)
|
|
assert.Equal(t, "device_code", grantTypes[0])
|
|
}
|
|
|
|
func TestClient_Hashing(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
hashedSecret := c.GetHashedSecret()
|
|
assert.Equal(t, []byte(nil), hashedSecret)
|
|
|
|
c.Secret = tOpenIDConnectPlainTextClientSecret
|
|
|
|
assert.True(t, c.Secret.MatchBytes([]byte("client-secret")))
|
|
}
|
|
|
|
func TestClient_GetHashedSecret(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
hashedSecret := c.GetHashedSecret()
|
|
assert.Equal(t, []byte(nil), hashedSecret)
|
|
|
|
c.Secret = tOpenIDConnectPlainTextClientSecret
|
|
|
|
hashedSecret = c.GetHashedSecret()
|
|
assert.Equal(t, []byte("$plaintext$client-secret"), hashedSecret)
|
|
}
|
|
|
|
func TestClient_GetID(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
id := c.GetID()
|
|
assert.Equal(t, "", id)
|
|
|
|
c.ID = myclient
|
|
|
|
id = c.GetID()
|
|
assert.Equal(t, myclient, id)
|
|
}
|
|
|
|
func TestClient_GetRedirectURIs(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
redirectURIs := c.GetRedirectURIs()
|
|
require.Len(t, redirectURIs, 0)
|
|
|
|
c.RedirectURIs = []string{examplecom}
|
|
|
|
redirectURIs = c.GetRedirectURIs()
|
|
require.Len(t, redirectURIs, 1)
|
|
assert.Equal(t, examplecom, redirectURIs[0])
|
|
}
|
|
|
|
func TestClient_GetResponseModes(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
responseModes := c.GetResponseModes()
|
|
require.Len(t, responseModes, 0)
|
|
|
|
c.ResponseModes = []fosite.ResponseModeType{
|
|
fosite.ResponseModeDefault, fosite.ResponseModeFormPost,
|
|
fosite.ResponseModeQuery, fosite.ResponseModeFragment,
|
|
}
|
|
|
|
responseModes = c.GetResponseModes()
|
|
require.Len(t, responseModes, 4)
|
|
assert.Equal(t, fosite.ResponseModeDefault, responseModes[0])
|
|
assert.Equal(t, fosite.ResponseModeFormPost, responseModes[1])
|
|
assert.Equal(t, fosite.ResponseModeQuery, responseModes[2])
|
|
assert.Equal(t, fosite.ResponseModeFragment, responseModes[3])
|
|
}
|
|
|
|
func TestClient_GetResponseTypes(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
responseTypes := c.GetResponseTypes()
|
|
require.Len(t, responseTypes, 1)
|
|
assert.Equal(t, oidc.ResponseTypeAuthorizationCodeFlow, responseTypes[0])
|
|
|
|
c.ResponseTypes = []string{oidc.ResponseTypeAuthorizationCodeFlow, oidc.ResponseTypeImplicitFlowIDToken}
|
|
|
|
responseTypes = c.GetResponseTypes()
|
|
require.Len(t, responseTypes, 2)
|
|
assert.Equal(t, oidc.ResponseTypeAuthorizationCodeFlow, responseTypes[0])
|
|
assert.Equal(t, oidc.ResponseTypeImplicitFlowIDToken, responseTypes[1])
|
|
}
|
|
|
|
func TestNewClientPKCE(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
have schema.OpenIDConnectClient
|
|
expectedEnforcePKCE bool
|
|
expectedEnforcePKCEChallengeMethod bool
|
|
expected string
|
|
r *fosite.Request
|
|
err string
|
|
desc string
|
|
}{
|
|
{
|
|
"ShouldNotEnforcePKCEAndNotErrorOnNonPKCERequest",
|
|
schema.OpenIDConnectClient{},
|
|
false,
|
|
false,
|
|
"",
|
|
&fosite.Request{},
|
|
"",
|
|
"",
|
|
},
|
|
{
|
|
"ShouldEnforcePKCEAndErrorOnNonPKCERequest",
|
|
schema.OpenIDConnectClient{EnforcePKCE: true},
|
|
true,
|
|
false,
|
|
"",
|
|
&fosite.Request{},
|
|
"invalid_request",
|
|
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must include a code_challenge when performing the authorize code flow, but it is missing. The server is configured in a way that enforces PKCE for this client.",
|
|
},
|
|
{
|
|
"ShouldEnforcePKCEAndNotErrorOnPKCERequest",
|
|
schema.OpenIDConnectClient{EnforcePKCE: true},
|
|
true,
|
|
false,
|
|
"",
|
|
&fosite.Request{Form: map[string][]string{"code_challenge": {"abc"}}},
|
|
"",
|
|
"",
|
|
},
|
|
{"ShouldEnforcePKCEFromChallengeMethodAndErrorOnNonPKCERequest",
|
|
schema.OpenIDConnectClient{PKCEChallengeMethod: "S256"},
|
|
true,
|
|
true,
|
|
"S256",
|
|
&fosite.Request{},
|
|
"invalid_request",
|
|
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must include a code_challenge when performing the authorize code flow, but it is missing. The server is configured in a way that enforces PKCE for this client.",
|
|
},
|
|
{"ShouldEnforcePKCEFromChallengeMethodAndErrorOnInvalidChallengeMethod",
|
|
schema.OpenIDConnectClient{PKCEChallengeMethod: "S256"},
|
|
true,
|
|
true,
|
|
"S256",
|
|
&fosite.Request{Form: map[string][]string{"code_challenge": {"abc"}}},
|
|
"invalid_request",
|
|
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Client must use code_challenge_method=S256, is not allowed. The server is configured in a way that enforces PKCE S256 as challenge method for this client.",
|
|
},
|
|
{"ShouldEnforcePKCEFromChallengeMethodAndNotErrorOnValidRequest",
|
|
schema.OpenIDConnectClient{PKCEChallengeMethod: "S256"},
|
|
true,
|
|
true,
|
|
"S256",
|
|
&fosite.Request{Form: map[string][]string{"code_challenge": {"abc"}, "code_challenge_method": {"S256"}}},
|
|
"",
|
|
"",
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
client := oidc.NewClient(tc.have, &schema.OpenIDConnect{})
|
|
|
|
assert.Equal(t, tc.expectedEnforcePKCE, client.GetPKCEEnforcement())
|
|
assert.Equal(t, tc.expectedEnforcePKCEChallengeMethod, client.GetPKCEChallengeMethodEnforcement())
|
|
assert.Equal(t, tc.expected, client.GetPKCEChallengeMethod())
|
|
|
|
if tc.r != nil {
|
|
err := client.ValidatePKCEPolicy(tc.r)
|
|
|
|
if tc.err != "" {
|
|
require.NotNil(t, err)
|
|
assert.EqualError(t, err, tc.err)
|
|
assert.Equal(t, tc.desc, fosite.ErrorToRFC6749Error(err).WithExposeDebug(true).GetDescription())
|
|
} else {
|
|
assert.NoError(t, err)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestNewClientPAR(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
have schema.OpenIDConnectClient
|
|
expected bool
|
|
r *fosite.Request
|
|
err string
|
|
desc string
|
|
}{
|
|
{
|
|
"ShouldNotEnforcEPARAndNotErrorOnNonPARRequest",
|
|
schema.OpenIDConnectClient{},
|
|
false,
|
|
&fosite.Request{},
|
|
"",
|
|
"",
|
|
},
|
|
{
|
|
"ShouldEnforcePARAndErrorOnNonPARRequest",
|
|
schema.OpenIDConnectClient{EnforcePAR: true},
|
|
true,
|
|
&fosite.Request{},
|
|
"invalid_request",
|
|
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Pushed Authorization Requests are enforced for this client but no such request was sent. The request_uri parameter was empty.",
|
|
},
|
|
{
|
|
"ShouldEnforcePARAndErrorOnNonPARRequest",
|
|
schema.OpenIDConnectClient{EnforcePAR: true},
|
|
true,
|
|
&fosite.Request{Form: map[string][]string{oidc.FormParameterRequestURI: {"https://example.com"}}},
|
|
"invalid_request",
|
|
"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Pushed Authorization Requests are enforced for this client but no such request was sent. The request_uri parameter 'https://example.com' is malformed."},
|
|
{
|
|
"ShouldEnforcePARAndNotErrorOnPARRequest",
|
|
schema.OpenIDConnectClient{EnforcePAR: true},
|
|
true,
|
|
&fosite.Request{Form: map[string][]string{oidc.FormParameterRequestURI: {fmt.Sprintf("%sabc", oidc.RedirectURIPrefixPushedAuthorizationRequestURN)}}},
|
|
"",
|
|
"",
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
client := oidc.NewClient(tc.have, &schema.OpenIDConnect{})
|
|
|
|
assert.Equal(t, tc.expected, client.GetPAREnforcement())
|
|
|
|
if tc.r != nil {
|
|
err := client.ValidatePARPolicy(tc.r, oidc.RedirectURIPrefixPushedAuthorizationRequestURN)
|
|
|
|
if tc.err != "" {
|
|
require.NotNil(t, err)
|
|
assert.EqualError(t, err, tc.err)
|
|
assert.Equal(t, tc.desc, fosite.ErrorToRFC6749Error(err).WithExposeDebug(true).GetDescription())
|
|
} else {
|
|
assert.NoError(t, err)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestNewClientResponseModes(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
have schema.OpenIDConnectClient
|
|
expected []fosite.ResponseModeType
|
|
r *fosite.AuthorizeRequest
|
|
err string
|
|
desc string
|
|
}{
|
|
{
|
|
"ShouldEnforceResponseModePolicyAndAllowDefaultModeQuery",
|
|
schema.OpenIDConnectClient{ResponseModes: []string{oidc.ResponseModeQuery}},
|
|
[]fosite.ResponseModeType{fosite.ResponseModeQuery},
|
|
&fosite.AuthorizeRequest{DefaultResponseMode: fosite.ResponseModeQuery, ResponseMode: fosite.ResponseModeDefault, Request: fosite.Request{Form: map[string][]string{oidc.FormParameterResponseMode: nil}}},
|
|
"",
|
|
"",
|
|
},
|
|
{
|
|
"ShouldEnforceResponseModePolicyAndFailOnDefaultMode",
|
|
schema.OpenIDConnectClient{ResponseModes: []string{oidc.ResponseModeFormPost}},
|
|
[]fosite.ResponseModeType{fosite.ResponseModeFormPost},
|
|
&fosite.AuthorizeRequest{DefaultResponseMode: fosite.ResponseModeQuery, ResponseMode: fosite.ResponseModeDefault, Request: fosite.Request{Form: map[string][]string{oidc.FormParameterResponseMode: nil}}},
|
|
"unsupported_response_mode",
|
|
"The authorization server does not support obtaining a response using this response mode. The request omitted the response_mode making the default response_mode 'query' based on the other authorization request parameters but registered OAuth 2.0 client doesn't support this response_mode",
|
|
},
|
|
{
|
|
"ShouldNotEnforceConfiguredResponseMode",
|
|
schema.OpenIDConnectClient{ResponseModes: []string{oidc.ResponseModeFormPost}},
|
|
[]fosite.ResponseModeType{fosite.ResponseModeFormPost},
|
|
&fosite.AuthorizeRequest{DefaultResponseMode: fosite.ResponseModeQuery, ResponseMode: fosite.ResponseModeQuery, Request: fosite.Request{Form: map[string][]string{oidc.FormParameterResponseMode: {oidc.ResponseModeQuery}}}},
|
|
"",
|
|
"",
|
|
},
|
|
{
|
|
"ShouldNotEnforceUnconfiguredResponseMode",
|
|
schema.OpenIDConnectClient{ResponseModes: []string{}},
|
|
[]fosite.ResponseModeType{},
|
|
&fosite.AuthorizeRequest{DefaultResponseMode: fosite.ResponseModeQuery, ResponseMode: fosite.ResponseModeDefault, Request: fosite.Request{Form: map[string][]string{oidc.FormParameterResponseMode: {oidc.ResponseModeQuery}}}},
|
|
"",
|
|
"",
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
client := oidc.NewClient(tc.have, &schema.OpenIDConnect{})
|
|
|
|
assert.Equal(t, tc.expected, client.GetResponseModes())
|
|
|
|
if tc.r != nil {
|
|
err := client.ValidateResponseModePolicy(tc.r)
|
|
|
|
if tc.err != "" {
|
|
require.NotNil(t, err)
|
|
assert.EqualError(t, err, tc.err)
|
|
assert.Equal(t, tc.desc, fosite.ErrorToRFC6749Error(err).WithExposeDebug(true).GetDescription())
|
|
} else {
|
|
assert.NoError(t, err)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestClient_IsPublic(t *testing.T) {
|
|
c := &oidc.FullClient{BaseClient: &oidc.BaseClient{}}
|
|
|
|
assert.False(t, c.IsPublic())
|
|
|
|
c.Public = true
|
|
assert.True(t, c.IsPublic())
|
|
}
|
|
|
|
func TestNewClient_JSONWebKeySetURI(t *testing.T) {
|
|
var (
|
|
client oidc.Client
|
|
clientf *oidc.FullClient
|
|
ok bool
|
|
)
|
|
|
|
client = oidc.NewClient(schema.OpenIDConnectClient{
|
|
TokenEndpointAuthMethod: oidc.ClientAuthMethodClientSecretPost,
|
|
PublicKeys: schema.OpenIDConnectClientPublicKeys{
|
|
URI: MustParseRequestURI("https://google.com"),
|
|
},
|
|
}, &schema.OpenIDConnect{})
|
|
|
|
require.NotNil(t, client)
|
|
|
|
clientf, ok = client.(*oidc.FullClient)
|
|
|
|
require.True(t, ok)
|
|
|
|
assert.Equal(t, "https://google.com", clientf.GetJSONWebKeysURI())
|
|
|
|
client = oidc.NewClient(schema.OpenIDConnectClient{
|
|
TokenEndpointAuthMethod: oidc.ClientAuthMethodClientSecretPost,
|
|
PublicKeys: schema.OpenIDConnectClientPublicKeys{
|
|
URI: nil,
|
|
},
|
|
}, &schema.OpenIDConnect{})
|
|
|
|
require.NotNil(t, client)
|
|
|
|
clientf, ok = client.(*oidc.FullClient)
|
|
|
|
require.True(t, ok)
|
|
|
|
assert.Equal(t, "", clientf.GetJSONWebKeysURI())
|
|
}
|