From 7fa97d9dafc53239be2352c6ea5b9a46da472f85 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Mon, 2 Jan 2023 11:10:32 +1100
Subject: [PATCH 1/4] build(deps): update hydra to fosite pr718
---
 go.mod | 2 ++
 go.sum | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index 17fb0f25096..4274665a06a 100644
--- a/go.mod
+++ b/go.mod
@@ -271,3 +271,5 @@ require (
 gopkg.in/yaml.v3 v3.0.1 // indirect
 howett.net/plist v1.0.0 // indirect
 )
+
+replace github.com/ory/fosite => github.com/james-d-elliott/fosite v0.42.2-0.20230102000600-1b13725b7055
diff --git a/go.sum b/go.sum
index db4ff29fbfc..2f83aa79045 100644
--- a/go.sum
+++ b/go.sum
@@ -640,6 +640,8 @@ github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0f
 github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.3.0/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
+github.com/james-d-elliott/fosite v0.42.2-0.20230102000600-1b13725b7055 h1:O7o+kTtgNjE1ITdljrxhJIiq6EV3Mylr9aGKzWbtYIQ=
+github.com/james-d-elliott/fosite v0.42.2-0.20230102000600-1b13725b7055/go.mod h1:o/G4kAeNn65l6MCod2+KmFfU6JQBSojS7eXys6lKGzM=
 github.com/jandelgado/gcov2lcov v1.0.4/go.mod h1:NnSxK6TMlg1oGDBfGelGbjgorT5/L3cchlbtgFYZSss=
 github.com/jandelgado/gcov2lcov v1.0.5 h1:rkBt40h0CVK4oCb8Dps950gvfd1rYvQ8+cWa346lVU0=
 github.com/jandelgado/gcov2lcov v1.0.5/go.mod h1:NnSxK6TMlg1oGDBfGelGbjgorT5/L3cchlbtgFYZSss=
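Review bot: The added `replace` directive swaps the OAuth2/OIDC core library for a personal fork at an untagged pseudo-version and leaves no explanation in go.mod of why the pin exists or when it can go; add `// TODO: remove once ory/fosite#718 is merged and a release containing it is tagged` on the line above `replace` so the fork does not silently outlive the upstream PR the commit subject refers to. The pseudo-version `v0.42.2-0.20230102000600-…` is derived from a v0.42.1 base while the requirement it displaces is v0.44.0; the fork's `/go.mod` hash in go.sum (`o/G4kAe…`) is the same value removed for `ory/fosite v0.44.0` in the next hunk, which suggests the module file is unchanged from v0.44.0 but does not by itself show the fork commit is rebased on v0.44.0 — confirm that so fixes from 0.43/0.44 are not dropped. go.sum pins the content hash, so the remaining risk is what the pinned commit contains rather than later tampering; recording the upstream PR and base commit in the review makes that auditable.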
@@ -856,8 +858,6 @@ github.com/ory/analytics-go/v4 v4.0.3 h1:2zNBQLlm3UiD8U7DdUGLLUBm62ZA5GtbEJ3S5U+
 github.com/ory/analytics-go/v4 v4.0.3/go.mod h1:A3Chm/3TmM8jw4nqRss+gFhAYHRI5j/HFYH3C1FRahU=
 github.com/ory/dockertest/v3 v3.9.1 h1:v4dkG+dlu76goxMiTT2j8zV7s4oPPEppKT8K8p2f1kY=
 github.com/ory/dockertest/v3 v3.9.1/go.mod h1:42Ir9hmvaAPm0Mgibk6mBPi7SFvTXxEcnztDYOJ//uM=
-github.com/ory/fosite v0.44.0 h1:Z3UjyO11/wlIoa3BotOqcTkfm7kUNA8F7dd8mOMfx0o=
-github.com/ory/fosite v0.44.0/go.mod h1:o/G4kAeNn65l6MCod2+KmFfU6JQBSojS7eXys6lKGzM=
 github.com/ory/go-acc v0.2.6/go.mod h1:4Kb/UnPcT8qRAk3IAxta+hvVapdxTLWtrr7bFLlEgpw=
 github.com/ory/go-acc v0.2.8 h1:rOHHAPQjf0u7eHFGWpiXK+gIu/e0GRSJNr9pDukdNC4=
 github.com/ory/go-acc v0.2.8/go.mod h1:iCRZUdGb/7nqvSn8xWZkhfVrtXRZ9Wru2E5rabCjFPI=
From d4115e2f12d6042a976983bacca3ba87343e91e3 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Mon, 2 Jan 2023 19:06:05 +1100
Subject: [PATCH 2/4] test: add refresh narrowing and broadening e2e
---
 cypress/integration/oauth2/refresh_token.js | 44 +++++++++++++++++++++
 cypress/support/commands.js | 15 +++++++
 2 files changed, 59 insertions(+)
diff --git a/cypress/integration/oauth2/refresh_token.js b/cypress/integration/oauth2/refresh_token.js
index a3b1c6282bf..f1f1c72521e 100644
--- a/cypress/integration/oauth2/refresh_token.js
+++ b/cypress/integration/oauth2/refresh_token.js
@@ -89,4 +89,48 @@ describe("The OAuth 2.0 Refresh Token Grant", function () { }) }) }) + + it("should narrow Refresh Token scopes correctly", function () { + const referrer = `${Cypress.env("client_url")}/empty` + cy.visit(referrer, { + failOnStatusCode: false, + }) + + createClient({ + scope: "offline_access openid foo bar baz", + redirect_uris: [referrer], + grant_types: ["authorization_code", "refresh_token"], + response_types: ["code"], + token_endpoint_auth_method: "none", + }).then((client) => { + cy.authCodeFlowBrowser(client, { + consent: { scope: ["offline_access openid foo bar baz"] }, + createClient: false, + }).then((originalResponse) => { + expect(originalResponse.status).to.eq(200) + expect(originalResponse.body.refresh_token).to.not.be.empty + expect(originalResponse.body.scope).to.eq("offline_access openid foo bar baz") + + const originalToken = originalResponse.body.refresh_token + + cy.refreshTokenBrowserScope(client, originalToken, "offline_access openid foo").then( + (refreshedResponse) => { + expect(refreshedResponse.status).to.eq(200) + expect(refreshedResponse.body.refresh_token).to.not.be.empty + expect(refreshedResponse.body.scope).to.eq("offline_access openid foo") + + const refreshedToken = refreshedResponse.body.refresh_token + + cy.refreshTokenBrowserScope(client, refreshedToken, "offline_access openid foo bar baz").then( + (finalRefreshedResponse) => { + expect(finalRefreshedResponse.status).to.eq(200) + expect(finalRefreshedResponse.body.refresh_token).to.not.be.empty + expect(finalRefreshedResponse.body.scope).to.eq("offline_access openid foo bar baz") + }, + ) + }, + ) + }) + }) + }) }) diff --git a/cypress/support/commands.js b/cypress/support/commands.js index 2f75293404d..08b7be6b4f7 100644 --- a/cypress/support/commands.js +++ b/cypress/support/commands.js 
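Review bot: The new `it` only exercises scope sets the server should accept (narrow to `foo`, then widen back to the original consent) and never asserts that widening past the original consent is refused, which is the property the narrowing/broadening logic exists to enforce; a regression that stops bounding a refreshed scope by the original grant would still pass this spec. After the final refresh, add a request for a scope not in the consent and pin the rejection, e.g. `cy.refreshTokenBrowserScope(client, finalRefreshedResponse.body.refresh_token, "offline_access openid foo qux").then((r) => { expect(r.status).to.eq(400); expect(r.body.error).to.eq("invalid_scope") })` (RFC 6749 §5.2 error code; confirm the exact body hydra emits). The `it` block is entirely inside the hunk; the enclosing `describe` starts before it.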
@@ -216,3 +216,18 @@ Cypress.Commands.add("refreshTokenBrowser", (client, token) => failOnStatusCode: false, }), ) + +Cypress.Commands.add("refreshTokenBrowserScope", (client, token, scope) => + cy.request({ + url: `${Cypress.env("public_url")}/oauth2/token`, + method: "POST", + form: true, + body: { + grant_type: "refresh_token", + client_id: client.client_id, + refresh_token: token, + scope: scope, + }, + failOnStatusCode: false, + }), +) From e9a13581ad74b1fce6c2356bdb99efed646c609a Mon Sep 17 00:00:00 2001 From: James Elliott Date: Mon, 2 Jan 2023 19:24:54 +1100 Subject: [PATCH 3/4] test: use to deep equal --- cypress/integration/oauth2/refresh_token.js | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/cypress/integration/oauth2/refresh_token.js b/cypress/integration/oauth2/refresh_token.js index f1f1c72521e..d11a5f7af50 100644 --- a/cypress/integration/oauth2/refresh_token.js +++ b/cypress/integration/oauth2/refresh_token.js @@ -90,7 +90,7 @@ describe("The OAuth 2.0 Refresh Token Grant", function () { }) }) - it("should narrow Refresh Token scopes correctly", function () { + it("should narrow and broaded Refresh Token scope correctly", function () { const referrer = `${Cypress.env("client_url")}/empty` cy.visit(referrer, { failOnStatusCode: false, 
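Review bot: `refreshTokenBrowserScope` is a copy of `refreshTokenBrowser` (the command shown in the hunk header, whose start lies outside the hunk) with one extra form field, so the two request shapes can drift apart silently. A style-only alternative is to give the existing command an optional third parameter and add the field conditionally, `...(scope !== undefined ? { scope } : {})`, so callers that omit it keep sending exactly the request they send today. The request itself — public client, `client_id` in the form body, `failOnStatusCode: false` so the spec can assert on error responses — matches the existing command, so no behavioural concern beyond the duplication.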
@@ -109,23 +109,21 @@ describe("The OAuth 2.0 Refresh Token Grant", function () { }).then((originalResponse) => { expect(originalResponse.status).to.eq(200) expect(originalResponse.body.refresh_token).to.not.be.empty - expect(originalResponse.body.scope).to.eq("offline_access openid foo bar baz") + expect(originalResponse.body.scope).to.deep.equal(["offline_access", "openid", "foo", "bar", "baz"]) const originalToken = originalResponse.body.refresh_token - cy.refreshTokenBrowserScope(client, originalToken, "offline_access openid foo").then( - (refreshedResponse) => { + cy.refreshTokenBrowserScope(client, originalToken, "offline_access openid foo").then((refreshedResponse) => { expect(refreshedResponse.status).to.eq(200) expect(refreshedResponse.body.refresh_token).to.not.be.empty - expect(refreshedResponse.body.scope).to.eq("offline_access openid foo") + expect(refreshedResponse.body.scope).to.deep.equal(["offline_access", "openid", "foo"]) const refreshedToken = refreshedResponse.body.refresh_token - cy.refreshTokenBrowserScope(client, refreshedToken, "offline_access openid foo bar baz").then( - (finalRefreshedResponse) => { + cy.refreshTokenBrowserScope(client, refreshedToken, "offline_access openid foo bar").then((finalRefreshedResponse) => { expect(finalRefreshedResponse.status).to.eq(200) expect(finalRefreshedResponse.body.refresh_token).to.not.be.empty - expect(finalRefreshedResponse.body.scope).to.eq("offline_access openid foo bar baz") + expect(finalRefreshedResponse.body.scope).to.deep.equal(["offline_access", "openid", "foo", "bar"]) }, ) }, From 8381101f9b04ec2f8befc1c9e08d5869e4062846 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Sun, 29 Jan 2023 13:57:54 +1100 Subject: [PATCH 4/4] test: fix test --- cypress/integration/oauth2/refresh_token.js | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cypress/integration/oauth2/refresh_token.js b/cypress/integration/oauth2/refresh_token.js index d11a5f7af50..d4cb9a6da59 100644 
--- a/cypress/integration/oauth2/refresh_token.js +++ b/cypress/integration/oauth2/refresh_token.js @@ -90,7 +90,7 @@ describe("The OAuth 2.0 Refresh Token Grant", function () { }) }) - it("should narrow and broaded Refresh Token scope correctly", function () { + it("should narrow and broaden Refresh Token scope correctly", function () { const referrer = `${Cypress.env("client_url")}/empty` cy.visit(referrer, { failOnStatusCode: false, 
@@ -104,26 +104,26 @@ describe("The OAuth 2.0 Refresh Token Grant", function () { token_endpoint_auth_method: "none", }).then((client) => { cy.authCodeFlowBrowser(client, { - consent: { scope: ["offline_access openid foo bar baz"] }, + consent: { scope: ["offline_access", "openid", "foo", "bar", "baz"] }, createClient: false, }).then((originalResponse) => { expect(originalResponse.status).to.eq(200) expect(originalResponse.body.refresh_token).to.not.be.empty - expect(originalResponse.body.scope).to.deep.equal(["offline_access", "openid", "foo", "bar", "baz"]) + expect(originalResponse.body.scope).to.equal("offline_access openid foo bar baz") const originalToken = originalResponse.body.refresh_token cy.refreshTokenBrowserScope(client, originalToken, "offline_access openid foo").then((refreshedResponse) => { expect(refreshedResponse.status).to.eq(200) expect(refreshedResponse.body.refresh_token).to.not.be.empty - expect(refreshedResponse.body.scope).to.deep.equal(["offline_access", "openid", "foo"]) + expect(refreshedResponse.body.scope).to.equal("offline_access openid foo") const refreshedToken = refreshedResponse.body.refresh_token cy.refreshTokenBrowserScope(client, refreshedToken, "offline_access openid foo bar").then((finalRefreshedResponse) => { expect(finalRefreshedResponse.status).to.eq(200) expect(finalRefreshedResponse.body.refresh_token).to.not.be.empty - expect(finalRefreshedResponse.body.scope).to.deep.equal(["offline_access", "openid", "foo", "bar"]) + expect(finalRefreshedResponse.body.scope).to.equal("offline_access openid foo bar") }, ) },
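Review bot: The three `expect(...body.scope).to.equal("…")` assertions compare the returned scope as an ordered string, but `scope` in a token response is a space-delimited set with no defined order, so this test will fail on a harmless change in how the server (or the fosite fork under test) serialises the set and, conversely, says nothing extra about what was granted; compare as a set instead, `expect(refreshedResponse.body.scope.split(" ")).to.have.members(["offline_access", "openid", "foo"])`, and likewise for the other two. Separately, once `originalToken` has been exchanged nothing asserts that it is now rejected; unless rotation is already covered by another `it` in this spec, `cy.refreshTokenBrowserScope(client, originalToken, "offline_access openid foo").then((r) => expect(r.status).to.eq(400))` after the final refresh would pin that the narrowing path still invalidates the consumed token. The `it` block continues past the end of the hunk.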