Unit test for #2496

2021-06-03 18:31:38 +02:00 · 2021-06-03 18:31:38 +02:00 · 275567436e
commit 275567436e
parent b8e8bbcedd
1 changed files with 33 additions and 18 deletions
--- a/lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t
+++ b/lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t
@ -23,6 +23,7 @@ my $op = LLNG::Manager::Test->new( {
            authentication                     => 'Demo',
            userDB                             => 'Same',
            issuerDBOpenIDConnectActivation    => 1,
+            oidcServiceAllowOnlyDeclaredScopes => 1,
            oidcRPMetaDataExportedVars         => {
                rp => {
                    email       => "mail",
@ -43,6 +44,11 @@ my $op = LLNG::Manager::Test->new( {
                    "always"      => '$uid eq "french"',
                },
            },
+            oidcRPMetaDataOptionsExtraClaims => {
+                rp => {
+                    extrascope => "dummy",
+                },
+            },
            oidcRPMetaDataOptions => {
                rp => {
                    oidcRPMetaDataOptionsDisplayName           => "RP",
@ -73,7 +79,7 @@ my $code = authorize(
    $op, $idpId,
    {
        response_type => "code",
-        scope => "openid profile email read write",
+        scope         => "openid profile email read write extrascope unknown",
        client_id     => "rpid",
        state         => "af0ifjsldkj",
        redirect_uri  => "http://rp2.com/"
@ -85,7 +91,7 @@ my $json = expectJSON( codeGrant( $op, "rpid", $code, "http://rp2.com/" ) );
 my $token = $json->{access_token};
 ok( $token, 'Access token present' );
 my $token_resp_scope = $json->{scope};
-ok ($token_resp_scope, 'Token response returned granted scopes');
+ok( $token_resp_scope, 'Token response returned granted scopes' );

 my ( $res, $query );

@ -126,11 +132,20 @@ is( $json->{client_id}, "rpid", "Response contains the correct client id" );
 like( $json->{scope}, qr/\bopenid\b/,  "Response contains the default scopes" );
 like( $json->{scope}, qr/\bprofile\b/, "Response contains the default scopes" );
 like( $json->{scope}, qr/\bemail\b/,   "Response contains the default scopes" );
-unlike( $json->{scope}, qr/\bwrite\b/,   "Response omits a dynamic scope that evaluates to false" );
-unlike( $json->{scope}, qr/\bifrequested\b/,   "Response omits a dynamic scope that was not requested" );
-like( $json->{scope}, qr/\bread\b/,   "Response contains a dynamic scope that is sent only when requested" );
-like( $json->{scope}, qr/\balways\b/,   "Response contains a dynamic scope that is not requested but always sent" );
-is ($token_resp_scope, $json->{scope}, "Token response scope matches token scope");
+unlike( $json->{scope}, qr/\bwrite\b/,
+    "Response omits a dynamic scope that evaluates to false" );
+unlike( $json->{scope}, qr/\bifrequested\b/,
+    "Response omits a dynamic scope that was not requested" );
+like( $json->{scope}, qr/\bread\b/,
+    "Response contains a dynamic scope that is sent only when requested" );
+like( $json->{scope}, qr/\balways\b/,
+    "Response contains a dynamic scope that is not requested but always sent" );
+unlike( $json->{scope}, qr/\bunknown\b/,
+    "Response omits a scope that is not declared anywhere" );
+like( $json->{scope}, qr/\bextrascope\b/,
+    "Response contains scope coming from extra claims definition" );
+is( $token_resp_scope, $json->{scope},
+    "Token response scope matches token scope" );

 # Check status after expiration
 Time::Fake->offset("+2h");