-
-
Notifications
You must be signed in to change notification settings - Fork 367
/
oidc_implicit_hybrid_public_client_pkce_test.go
116 lines (96 loc) · 3.16 KB
/
oidc_implicit_hybrid_public_client_pkce_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
// Copyright © 2024 Ory Corp
// SPDX-License-Identifier: Apache-2.0
package integration_test
import (
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"strings"
"testing"
"github.com/ory/fosite/internal/gen"
"github.com/pkg/errors"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
goauth "golang.org/x/oauth2"
"github.com/ory/fosite"
"github.com/ory/fosite/compose"
"github.com/ory/fosite/handler/openid"
"github.com/ory/fosite/token/jwt"
)
func TestOIDCImplicitFlowPublicClientPKCE(t *testing.T) {
session := &defaultSession{
DefaultSession: &openid.DefaultSession{
Claims: &jwt.IDTokenClaims{
Subject: "peter",
},
Headers: &jwt.Headers{},
},
}
f := compose.ComposeAllEnabled(&fosite.Config{
GlobalSecret: []byte("some-secret-thats-random-some-secret-thats-random-"),
}, fositeStore, gen.MustRSAKey())
ts := mockServer(t, f, session)
defer ts.Close()
oauthClient := newOAuth2Client(ts)
oauthClient.ClientSecret = ""
oauthClient.ClientID = "public-client"
oauthClient.Scopes = []string{"openid"}
fositeStore.Clients["public-client"].(*fosite.DefaultClient).RedirectURIs[0] = ts.URL + "/callback"
var state = "12345678901234567890"
for k, c := range []struct {
responseType string
description string
nonce string
setup func()
codeVerifier string
codeChallenge string
}{
{
responseType: "id_token%20code",
nonce: "1111111111111111",
description: "should pass id token (id_token code) with PKCE applied.",
setup: func() {},
codeVerifier: "e7343b9bee0847e3b589ccb60d124ff81adcba6067b84f79b092f86249111fdc",
codeChallenge: "J11vOtKUitab04a_N0Ogm0dQBytTgl0fgHzYk4xUryo",
},
} {
t.Run(fmt.Sprintf("case=%d/description=%s", k, c.description), func(t *testing.T) {
c.setup()
var callbackURL *url.URL
authURL := strings.Replace(oauthClient.AuthCodeURL(state), "response_type=code", "response_type="+c.responseType, -1) +
"&nonce=" + c.nonce + "&code_challenge_method=S256&code_challenge=" + c.codeChallenge
client := &http.Client{
CheckRedirect: func(req *http.Request, via []*http.Request) error {
callbackURL = req.URL
return errors.New("Dont follow redirects")
},
}
resp, err := client.Get(authURL)
require.Error(t, err)
t.Logf("Response (%d): %s", k, callbackURL.String())
fragment, err := url.ParseQuery(callbackURL.Fragment)
require.NoError(t, err)
code := fragment.Get("code")
assert.NotEmpty(t, code)
assert.NotEmpty(t, fragment.Get("id_token"))
resp, err = http.PostForm(oauthClient.Endpoint.TokenURL, url.Values{
"code": {code},
"grant_type": {"authorization_code"},
"client_id": {"public-client"},
"redirect_uri": {ts.URL + "/callback"},
"code_verifier": {c.codeVerifier},
})
require.NoError(t, err)
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
require.NoError(t, err)
assert.Equal(t, resp.StatusCode, http.StatusOK)
token := goauth.Token{}
require.NoError(t, json.Unmarshal(body, &token))
require.NotEmpty(t, token.AccessToken, "Got body: %s", string(body))
t.Logf("Passed test case (%d) %s", k, c.description)
})
}
}