k-space/dex
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Activity
This repository has been archived on 2023-08-14. You can view files and clone it, but cannot push or open issues or pull requests.
d33e994805
dex/connector/oidc/oidc_test.go

573 lines
16 KiB
Go
Raw Normal View History

connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider
2017-03-20 15:38:52 +00:00
package oidc
add documentation and tests
2017-06-22 05:56:02 +00:00
import (
make userID configurable
2019-05-24 03:51:42 +00:00
"bytes"
"crypto/rand"
"crypto/rsa"
"encoding/base64"
"encoding/binary"
"encoding/json"
"errors"
"fmt"
"net/http"
"net/http/httptest"
"reflect"
"strings"
add documentation and tests
2017-06-22 05:56:02 +00:00
"testing"
make userID configurable
2019-05-24 03:51:42 +00:00
"time"
"github.com/sirupsen/logrus"
"gopkg.in/square/go-jose.v2"
Fix goimports
2019-12-18 14:53:34 +00:00
"github.com/dexidp/dex/connector"
add documentation and tests
2017-06-22 05:56:02 +00:00
)
connector/oidc: expose oauth2.RegisterBrokenAuthHeaderProvider
2017-03-20 15:38:52 +00:00
func TestKnownBrokenAuthHeaderProvider(t *testing.T) {
tests := []struct {
issuerURL string
expect bool
}{
{"https://dev.oktapreview.com", true},
{"https://dev.okta.com", true},
{"https://okta.com", true},
{"https://dev.oktaaccounts.com", false},
{"https://accounts.google.com", false},
}
for _, tc := range tests {
got := knownBrokenAuthHeaderProvider(tc.issuerURL)
if got != tc.expect {
t.Errorf("knownBrokenAuthHeaderProvider(%q), want=%t, got=%t", tc.issuerURL, tc.expect, got)
}
}
}
make userID configurable
2019-05-24 03:51:42 +00:00
func TestHandleCallback(t *testing.T) {
t.Helper()
tests := []struct {
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
name string
userIDKey string
make userName configurable
2019-06-02 19:33:53 +00:00
userNameKey string
Move claimMapping.enforce to overrideClaimMapping Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-13 10:49:24 +00:00
overrideClaimMapping bool
Revert ClaimMapping struct Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-19 08:02:55 +00:00
preferredUsernameKey string
emailKey string
groupsKey string
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
insecureSkipEmailVerified bool
Adding oidc email scope check This helps to avoid "no email claim" error if email scope was not specified. Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 08:18:51 +00:00
scopes []string
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
expectUserID string
make userName configurable
2019-06-02 19:33:53 +00:00
expectUserName string
Combine #1691 and #1776 to unify OIDC provider claim mapping add tests for groups key mapping Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 20:25:21 +00:00
expectGroups []string
Make OIDC username key configurable Signed-off-by: Josh Winters <jwinters@pivotal.io> Co-authored-by: Mark Huang <mhuang@pivotal.io> Signed-off-by: Rui Yang <ruiya@vmware.com>
2019-02-27 20:12:11 +00:00
expectPreferredUsername string
Adding oidc email scope check This helps to avoid "no email claim" error if email scope was not specified. Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 08:18:51 +00:00
expectedEmailField string
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
token map[string]interface{}
make userID configurable
2019-05-24 03:51:42 +00:00
}{
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
{
Adding oidc email scope check This helps to avoid "no email claim" error if email scope was not specified. Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 08:18:51 +00:00
name: "simpleCase",
userIDKey: "", // not configured
userNameKey: "", // not configured
expectUserID: "subvalue",
expectUserName: "namevalue",
Combine #1691 and #1776 to unify OIDC provider claim mapping add tests for groups key mapping Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 20:25:21 +00:00
expectGroups: []string{"group1", "group2"},
Adding oidc email scope check This helps to avoid "no email claim" error if email scope was not specified. Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 08:18:51 +00:00
expectedEmailField: "emailvalue",
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
Combine #1691 and #1776 to unify OIDC provider claim mapping add tests for groups key mapping Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 20:25:21 +00:00
"groups": []string{"group1", "group2"},
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
"email": "emailvalue",
"email_verified": true,
},
},
Add parameter configuration to override email claim key Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-04-17 08:01:52 +00:00
{
Revert ClaimMapping struct Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-19 08:02:55 +00:00
name: "customEmailClaim",
userIDKey: "", // not configured
userNameKey: "", // not configured
emailKey: "mail",
Add parameter configuration to override email claim key Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-04-17 08:01:52 +00:00
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "emailvalue",
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"mail": "emailvalue",
"email_verified": true,
},
},
Add claimMapping enforcement Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-11 10:20:46 +00:00
{
Move claimMapping.enforce to overrideClaimMapping Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-13 10:49:24 +00:00
name: "overrideWithCustomEmailClaim",
userIDKey: "", // not configured
userNameKey: "", // not configured
overrideClaimMapping: true,
Revert ClaimMapping struct Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-19 08:02:55 +00:00
emailKey: "custommail",
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "customemailvalue",
Add claimMapping enforcement Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-11 10:20:46 +00:00
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
Revert ClaimMapping struct Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-19 08:02:55 +00:00
"email": "emailvalue",
Add claimMapping enforcement Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-11 10:20:46 +00:00
"custommail": "customemailvalue",
"email_verified": true,
},
},
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
{
name: "email_verified not in claims, configured to be skipped",
insecureSkipEmailVerified: true,
expectUserID: "subvalue",
make userName configurable
2019-06-02 19:33:53 +00:00
expectUserName: "namevalue",
Adding oidc email scope check This helps to avoid "no email claim" error if email scope was not specified. Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 08:18:51 +00:00
expectedEmailField: "emailvalue",
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"email": "emailvalue",
},
},
{
add tests when preferred username key is not set Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-04 19:39:03 +00:00
name: "withUserIDKey",
userIDKey: "name",
expectUserID: "namevalue",
expectUserName: "namevalue",
expectedEmailField: "emailvalue",
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
token: map[string]interface{}{
add tests when preferred username key is not set Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-04 19:39:03 +00:00
"sub": "subvalue",
"name": "namevalue",
"email": "emailvalue",
"email_verified": true,
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
},
},
make userName configurable
2019-06-02 19:33:53 +00:00
{
Adding oidc email scope check This helps to avoid "no email claim" error if email scope was not specified. Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 08:18:51 +00:00
name: "withUserNameKey",
userNameKey: "user_name",
expectUserID: "subvalue",
expectUserName: "username",
expectedEmailField: "emailvalue",
make userName configurable
2019-06-02 19:33:53 +00:00
token: map[string]interface{}{
"sub": "subvalue",
"user_name": "username",
"email": "emailvalue",
"email_verified": true,
},
},
Make OIDC username key configurable Signed-off-by: Josh Winters <jwinters@pivotal.io> Co-authored-by: Mark Huang <mhuang@pivotal.io> Signed-off-by: Rui Yang <ruiya@vmware.com>
2019-02-27 20:12:11 +00:00
{
Revert ClaimMapping struct Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-19 08:02:55 +00:00
name: "withPreferredUsernameKey",
preferredUsernameKey: "username_key",
Make OIDC username key configurable Signed-off-by: Josh Winters <jwinters@pivotal.io> Co-authored-by: Mark Huang <mhuang@pivotal.io> Signed-off-by: Rui Yang <ruiya@vmware.com>
2019-02-27 20:12:11 +00:00
expectUserID: "subvalue",
expectUserName: "namevalue",
default to preferred_username claim Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-01-21 16:12:35 +00:00
expectPreferredUsername: "username_value",
Make OIDC username key configurable Signed-off-by: Josh Winters <jwinters@pivotal.io> Co-authored-by: Mark Huang <mhuang@pivotal.io> Signed-off-by: Rui Yang <ruiya@vmware.com>
2019-02-27 20:12:11 +00:00
expectedEmailField: "emailvalue",
token: map[string]interface{}{
default to preferred_username claim Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-01-21 16:12:35 +00:00
"sub": "subvalue",
"name": "namevalue",
"username_key": "username_value",
"email": "emailvalue",
"email_verified": true,
Make OIDC username key configurable Signed-off-by: Josh Winters <jwinters@pivotal.io> Co-authored-by: Mark Huang <mhuang@pivotal.io> Signed-off-by: Rui Yang <ruiya@vmware.com>
2019-02-27 20:12:11 +00:00
},
},
add tests when preferred username key is not set Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-04 19:39:03 +00:00
{
name: "withoutPreferredUsernameKeyAndBackendReturns",
expectUserID: "subvalue",
expectUserName: "namevalue",
expectPreferredUsername: "preferredusernamevalue",
expectedEmailField: "emailvalue",
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"preferred_username": "preferredusernamevalue",
"email": "emailvalue",
"email_verified": true,
},
},
{
name: "withoutPreferredUsernameKeyAndBackendNotReturn",
expectUserID: "subvalue",
expectUserName: "namevalue",
expectPreferredUsername: "",
expectedEmailField: "emailvalue",
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"email": "emailvalue",
"email_verified": true,
},
},
Adding oidc email scope check This helps to avoid "no email claim" error if email scope was not specified. Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 08:18:51 +00:00
{
name: "emptyEmailScope",
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "",
scopes: []string{"groups"},
insecureSkipEmailVerified: true,
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"user_name": "username",
},
},
{
name: "emptyEmailScopeButEmailProvided",
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "emailvalue",
scopes: []string{"groups"},
insecureSkipEmailVerified: true,
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"user_name": "username",
"email": "emailvalue",
},
},
Combine #1691 and #1776 to unify OIDC provider claim mapping add tests for groups key mapping Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 20:25:21 +00:00
{
Revert ClaimMapping struct Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-19 08:02:55 +00:00
name: "customGroupsKey",
groupsKey: "cognito:groups",
Combine #1691 and #1776 to unify OIDC provider claim mapping add tests for groups key mapping Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 20:25:21 +00:00
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "emailvalue",
expectGroups: []string{"group3", "group4"},
scopes: []string{"groups"},
insecureSkipEmailVerified: true,
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"user_name": "username",
"email": "emailvalue",
"cognito:groups": []string{"group3", "group4"},
},
},
{
Revert ClaimMapping struct Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-19 08:02:55 +00:00
name: "customGroupsKeyButGroupsProvided",
groupsKey: "cognito:groups",
Combine #1691 and #1776 to unify OIDC provider claim mapping add tests for groups key mapping Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 20:25:21 +00:00
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "emailvalue",
expectGroups: []string{"group1", "group2"},
scopes: []string{"groups"},
insecureSkipEmailVerified: true,
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"user_name": "username",
"email": "emailvalue",
"groups": []string{"group1", "group2"},
"cognito:groups": []string{"group3", "group4"},
},
},
Add claimMapping enforcement Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-11 10:20:46 +00:00
{
Remove false failed errors. Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-19 11:23:02 +00:00
name: "customGroupsKeyDespiteGroupsProvidedButOverride",
Revert ClaimMapping struct Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-19 08:02:55 +00:00
overrideClaimMapping: true,
groupsKey: "cognito:groups",
Add claimMapping enforcement Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-11 10:20:46 +00:00
expectUserID: "subvalue",
expectUserName: "namevalue",
expectedEmailField: "emailvalue",
expectGroups: []string{"group3", "group4"},
scopes: []string{"groups"},
insecureSkipEmailVerified: true,
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"user_name": "username",
"email": "emailvalue",
"groups": []string{"group1", "group2"},
"cognito:groups": []string{"group3", "group4"},
},
},
fix: Fallback when group claim is a string instead of an array of strings (#2639) Signed-off-by: Joost Buskermolen <joost@buskervezel.nl> Co-authored-by: Michiel van Pouderoijen <michiel@pouderoijen.nl>
2022-08-25 08:55:30 +00:00
{
name: "singularGroupResponseAsString",
userIDKey: "", // not configured
userNameKey: "", // not configured
expectUserID: "subvalue",
expectUserName: "namevalue",
expectGroups: []string{"group1"},
expectedEmailField: "emailvalue",
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
"groups": "group1",
"email": "emailvalue",
"email_verified": true,
},
},
make userID configurable
2019-05-24 03:51:42 +00:00
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
Add support for IDPs that do not send ID tokens in the reply when using a refresh grant. Add tests for the aforementioned functionality. Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
2022-05-20 04:13:10 +00:00
idTokenDesired := true
testServer, err := setupServer(tc.token, idTokenDesired)
make userID configurable
2019-05-24 03:51:42 +00:00
if err != nil {
t.Fatal("failed to setup test server", err)
}
defer testServer.Close()
Adding oidc email scope check This helps to avoid "no email claim" error if email scope was not specified. Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 08:18:51 +00:00
var scopes []string
if len(tc.scopes) > 0 {
scopes = tc.scopes
} else {
scopes = []string{"email", "groups"}
}
make userID configurable
2019-05-24 03:51:42 +00:00
serverURL := testServer.URL
connector/oidc: replace deprecated oauth2.RegisterBrokenAuthHeaderProvider with oauth2.Endpoint.AuthStyle
2019-11-16 00:31:22 +00:00
basicAuth := true
make userID configurable
2019-05-24 03:51:42 +00:00
config := Config{
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
Issuer: serverURL,
ClientID: "clientID",
ClientSecret: "clientSecret",
Adding oidc email scope check This helps to avoid "no email claim" error if email scope was not specified. Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 08:18:51 +00:00
Scopes: scopes,
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
RedirectURI: fmt.Sprintf("%s/callback", serverURL),
revert changes for user id and user name Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-09-08 17:12:53 +00:00
UserIDKey: tc.userIDKey,
UserNameKey: tc.userNameKey,
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
InsecureSkipEmailVerified: tc.insecureSkipEmailVerified,
Combine #1691 and #1776 to unify OIDC provider claim mapping add tests for groups key mapping Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 20:25:21 +00:00
InsecureEnableGroups: true,
connector/oidc: replace deprecated oauth2.RegisterBrokenAuthHeaderProvider with oauth2.Endpoint.AuthStyle
2019-11-16 00:31:22 +00:00
BasicAuthUnsupported: &basicAuth,
Move claimMapping.enforce to overrideClaimMapping Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-13 10:49:24 +00:00
OverrideClaimMapping: tc.overrideClaimMapping,
make userID configurable
2019-05-24 03:51:42 +00:00
}
Revert ClaimMapping struct Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-19 08:02:55 +00:00
config.ClaimMapping.PreferredUsernameKey = tc.preferredUsernameKey
config.ClaimMapping.EmailKey = tc.emailKey
config.ClaimMapping.GroupsKey = tc.groupsKey
make userID configurable
2019-05-24 03:51:42 +00:00
conn, err := newConnector(config)
if err != nil {
t.Fatal("failed to create new connector", err)
}
req, err := newRequestWithAuthCode(testServer.URL, "someCode")
if err != nil {
t.Fatal("failed to create request", err)
}
identity, err := conn.HandleCallback(connector.Scopes{Groups: true}, req)
if err != nil {
t.Fatal("handle callback failed", err)
}
expectEquals(t, identity.UserID, tc.expectUserID)
make userName configurable
2019-06-02 19:33:53 +00:00
expectEquals(t, identity.Username, tc.expectUserName)
Make OIDC username key configurable Signed-off-by: Josh Winters <jwinters@pivotal.io> Co-authored-by: Mark Huang <mhuang@pivotal.io> Signed-off-by: Rui Yang <ruiya@vmware.com>
2019-02-27 20:12:11 +00:00
expectEquals(t, identity.PreferredUsername, tc.expectPreferredUsername)
Adding oidc email scope check This helps to avoid "no email claim" error if email scope was not specified. Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2019-12-28 08:18:51 +00:00
expectEquals(t, identity.Email, tc.expectedEmailField)
make userID configurable
2019-05-24 03:51:42 +00:00
expectEquals(t, identity.EmailVerified, true)
Combine #1691 and #1776 to unify OIDC provider claim mapping add tests for groups key mapping Signed-off-by: Rui Yang <ruiya@vmware.com>
2020-08-11 20:25:21 +00:00
expectEquals(t, identity.Groups, tc.expectGroups)
make userID configurable
2019-05-24 03:51:42 +00:00
})
}
}
Add support for IDPs that do not send ID tokens in the reply when using a refresh grant. Add tests for the aforementioned functionality. Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
2022-05-20 04:13:10 +00:00
func TestRefresh(t *testing.T) {
t.Helper()
tests := []struct {
name string
expectUserID string
expectUserName string
idTokenDesired bool
token map[string]interface{}
}{
{
name: "IDTokenOnRefresh",
expectUserID: "subvalue",
expectUserName: "namevalue",
idTokenDesired: true,
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
},
},
{
name: "NoIDTokenOnRefresh",
expectUserID: "subvalue",
expectUserName: "namevalue",
idTokenDesired: false,
token: map[string]interface{}{
"sub": "subvalue",
"name": "namevalue",
},
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
testServer, err := setupServer(tc.token, tc.idTokenDesired)
if err != nil {
t.Fatal("failed to setup test server", err)
}
defer testServer.Close()
scopes := []string{"openid", "offline_access"}
serverURL := testServer.URL
config := Config{
Issuer: serverURL,
ClientID: "clientID",
ClientSecret: "clientSecret",
Scopes: scopes,
RedirectURI: fmt.Sprintf("%s/callback", serverURL),
GetUserInfo: true,
}
conn, err := newConnector(config)
if err != nil {
t.Fatal("failed to create new connector", err)
}
req, err := newRequestWithAuthCode(testServer.URL, "someCode")
if err != nil {
t.Fatal("failed to create request", err)
}
refreshTokenStr := "{\"RefreshToken\":\"asdf\"}"
refreshToken := []byte(refreshTokenStr)
identity := connector.Identity{
UserID: tc.expectUserID,
Username: tc.expectUserName,
ConnectorData: refreshToken,
}
refreshIdentity, err := conn.Refresh(req.Context(), connector.Scopes{OfflineAccess: true}, identity)
if err != nil {
t.Fatal("Refresh failed", err)
}
expectEquals(t, refreshIdentity.UserID, tc.expectUserID)
expectEquals(t, refreshIdentity.Username, tc.expectUserName)
})
}
}
func setupServer(tok map[string]interface{}, idTokenDesired bool) (*httptest.Server, error) {
make userID configurable
2019-05-24 03:51:42 +00:00
key, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
return nil, fmt.Errorf("failed to generate rsa key: %v", err)
}
jwk := jose.JSONWebKey{
Key: key,
KeyID: "keyId",
Algorithm: "RSA",
}
mux := http.NewServeMux()
mux.HandleFunc("/keys", func(w http.ResponseWriter, r *http.Request) {
json.NewEncoder(w).Encode(&map[string]interface{}{
"keys": []map[string]interface{}{{
"alg": jwk.Algorithm,
"kty": jwk.Algorithm,
"kid": jwk.KeyID,
"n": n(&key.PublicKey),
"e": e(&key.PublicKey),
}},
})
})
mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
url := fmt.Sprintf("http://%s", r.Host)
connectors/oidc: truely ignore "email_verified" claim if configured that way Fixes #1455, I hope. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2019-05-28 12:43:00 +00:00
tok["iss"] = url
tok["exp"] = time.Now().Add(time.Hour).Unix()
tok["aud"] = "clientID"
token, err := newToken(&jwk, tok)
make userID configurable
2019-05-24 03:51:42 +00:00
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
}
w.Header().Add("Content-Type", "application/json")
Add support for IDPs that do not send ID tokens in the reply when using a refresh grant. Add tests for the aforementioned functionality. Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
2022-05-20 04:13:10 +00:00
if idTokenDesired {
json.NewEncoder(w).Encode(&map[string]string{
"access_token": token,
"id_token": token,
Fix issues to make the linter happy Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
2022-05-20 04:35:05 +00:00
"token_type": "Bearer",
})
Add support for IDPs that do not send ID tokens in the reply when using a refresh grant. Add tests for the aforementioned functionality. Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
2022-05-20 04:13:10 +00:00
} else {
json.NewEncoder(w).Encode(&map[string]string{
"access_token": token,
Fix issues to make the linter happy Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
2022-05-20 04:35:05 +00:00
"token_type": "Bearer",
})
Add support for IDPs that do not send ID tokens in the reply when using a refresh grant. Add tests for the aforementioned functionality. Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
2022-05-20 04:13:10 +00:00
}
})
mux.HandleFunc("/userinfo", func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("Content-Type", "application/json")
Fix issues to make the linter happy Signed-off-by: Anthony Brandelli <abrandel@cisco.com>
2022-05-20 04:35:05 +00:00
json.NewEncoder(w).Encode(tok)
make userID configurable
2019-05-24 03:51:42 +00:00
})
mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
url := fmt.Sprintf("http://%s", r.Host)
json.NewEncoder(w).Encode(&map[string]string{
"issuer": url,
"token_endpoint": fmt.Sprintf("%s/token", url),
"authorization_endpoint": fmt.Sprintf("%s/authorize", url),
"userinfo_endpoint": fmt.Sprintf("%s/userinfo", url),
"jwks_uri": fmt.Sprintf("%s/keys", url),
})
})
return httptest.NewServer(mux), nil
}
func newToken(key *jose.JSONWebKey, claims map[string]interface{}) (string, error) {
signingKey := jose.SigningKey{
Key: key,
Algorithm: jose.RS256,
}
signer, err := jose.NewSigner(signingKey, &jose.SignerOptions{})
if err != nil {
return "", fmt.Errorf("failed to create new signer: %v", err)
}
payload, err := json.Marshal(claims)
if err != nil {
return "", fmt.Errorf("failed to marshal claims: %v", err)
}
signature, err := signer.Sign(payload)
if err != nil {
return "", fmt.Errorf("failed to sign: %v", err)
}
return signature.CompactSerialize()
}
func newConnector(config Config) (*oidcConnector, error) {
logger := logrus.New()
conn, err := config.Open("id", logger)
if err != nil {
return nil, fmt.Errorf("unable to open: %v", err)
}
oidcConn, ok := conn.(*oidcConnector)
if !ok {
return nil, errors.New("failed to convert to oidcConnector")
}
return oidcConn, nil
}
func newRequestWithAuthCode(serverURL string, code string) (*http.Request, error) {
req, err := http.NewRequest("GET", serverURL, nil)
if err != nil {
return nil, fmt.Errorf("failed to create request: %v", err)
}
values := req.URL.Query()
values.Add("code", code)
req.URL.RawQuery = values.Encode()
return req, nil
}
func n(pub *rsa.PublicKey) string {
return encode(pub.N.Bytes())
}
func e(pub *rsa.PublicKey) string {
data := make([]byte, 8)
binary.BigEndian.PutUint64(data, uint64(pub.E))
return encode(bytes.TrimLeft(data, "\x00"))
}
func encode(payload []byte) string {
result := base64.URLEncoding.EncodeToString(payload)
return strings.TrimRight(result, "=")
}
func expectEquals(t *testing.T, a interface{}, b interface{}) {
if !reflect.DeepEqual(a, b) {
t.Errorf("Expected %+v to equal %+v", a, b)
}
}
Reference in New Issue Copy Permalink