Unit test for #2550
This commit is contained in:
parent
8db02a693f
commit
9a2dc48b56
|
@ -52,7 +52,7 @@ my $op = LLNG::Manager::Test->new( {
|
|||
oidcRPMetaDataOptionsIDTokenSignAlg => "HS512",
|
||||
oidcRPMetaDataOptionsClientSecret => "rpsecret",
|
||||
oidcRPMetaDataOptionsUserIDAttr => "",
|
||||
oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
|
||||
oidcRPMetaDataOptionsAccessTokenExpiration => 120,
|
||||
oidcRPMetaDataOptionsBypassConsent => 1,
|
||||
oidcRPMetaDataOptionsRefreshToken => 1,
|
||||
oidcRPMetaDataOptionsIDTokenForceClaims => 1,
|
||||
|
@ -97,7 +97,7 @@ my $goodquery = buildForm( {
|
|||
grant_type => 'password',
|
||||
username => 'french',
|
||||
password => 'french',
|
||||
scope => 'openid profile email',
|
||||
scope => 'profile email openid',
|
||||
}
|
||||
);
|
||||
|
||||
|
@ -136,8 +136,12 @@ my $access_token = $payload->{access_token};
|
|||
ok( $access_token, "Access Token found" );
|
||||
count(1);
|
||||
my $token_res_scope = $payload->{scope};
|
||||
ok( $token_res_scope, "Scope found in token response" );
|
||||
count(1);
|
||||
ok( $token_res_scope, "Scope found in token response" );
|
||||
ok( $payload->{id_token}, "Found ID token in original grant" );
|
||||
|
||||
my $refresh_token = $payload->{refresh_token};
|
||||
ok( $refresh_token, "Got refresh token" );
|
||||
count(3);
|
||||
|
||||
# Get userinfo
|
||||
$res = $op->_post(
|
||||
|
@ -180,6 +184,46 @@ like( $payload->{scope}, qr/\balways\b/, "Rule-enforced scope found" );
|
|||
is( $payload->{scope}, $token_res_scope,
|
||||
"Token response scope matches token scope" );
|
||||
|
||||
# Expire token
|
||||
Time::Fake->offset("+305m");
|
||||
|
||||
ok(
|
||||
$res = $op->_post(
|
||||
"/oauth2/introspect",
|
||||
IO::String->new($query),
|
||||
accept => 'text/html',
|
||||
length => length $query,
|
||||
custom => {
|
||||
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
|
||||
},
|
||||
),
|
||||
"Post introspection"
|
||||
);
|
||||
|
||||
$res = expectJSON($res);
|
||||
is( $res->{active}, 0, "Token is no longer active" );
|
||||
|
||||
$query = buildForm( {
|
||||
grant_type => 'refresh_token',
|
||||
refresh_token => $refresh_token,
|
||||
}
|
||||
);
|
||||
|
||||
ok(
|
||||
$res = $op->_post(
|
||||
"/oauth2/token",
|
||||
IO::String->new($query),
|
||||
accept => 'text/json',
|
||||
length => length $query,
|
||||
custom => {
|
||||
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
|
||||
},
|
||||
),
|
||||
"Post introspection"
|
||||
);
|
||||
$res = expectJSON($res);
|
||||
ok( $res->{id_token}, "Found ID token in refresh grant" );
|
||||
|
||||
clean_sessions();
|
||||
done_testing();
|
||||
|
||||
|
|
|
@ -0,0 +1,186 @@
|
|||
use lib 'inc';
|
||||
use Test::More;
|
||||
use strict;
|
||||
use IO::String;
|
||||
use LWP::UserAgent;
|
||||
use LWP::Protocol::PSGI;
|
||||
use MIME::Base64;
|
||||
use JSON;
|
||||
|
||||
BEGIN {
|
||||
require 't/test-lib.pm';
|
||||
require 't/oidc-lib.pm';
|
||||
}
|
||||
|
||||
my $debug = 'error';
|
||||
|
||||
# Initialization
|
||||
my $op = LLNG::Manager::Test->new( {
|
||||
ini => {
|
||||
logLevel => $debug,
|
||||
domain => 'op.com',
|
||||
portal => 'http://auth.op.com',
|
||||
|
||||
macros => {
|
||||
gender => '"32"',
|
||||
_whatToTrace => '$uid',
|
||||
nickname => '"froggie; frenchie"',
|
||||
},
|
||||
issuerDBOpenIDConnectActivation => 1,
|
||||
oidcRPMetaDataExportedVars => {
|
||||
rp => {
|
||||
email => "mail;string;always",
|
||||
preferred_username => "uid",
|
||||
name => "cn",
|
||||
gender => "gender;int;auto",
|
||||
nickname => "nickname",
|
||||
}
|
||||
},
|
||||
oidcRPMetaDataOptions => {
|
||||
rp => {
|
||||
oidcRPMetaDataOptionsDisplayName => "RP",
|
||||
oidcRPMetaDataOptionsIDTokenExpiration => 3600,
|
||||
oidcRPMetaDataOptionsClientID => "rpid",
|
||||
oidcRPMetaDataOptionsAllowOffline => 1,
|
||||
oidcRPMetaDataOptionsAllowPasswordGrant => 1,
|
||||
oidcRPMetaDataOptionsIDTokenSignAlg => "HS512",
|
||||
oidcRPMetaDataOptionsClientSecret => "rpsecret",
|
||||
oidcRPMetaDataOptionsUserIDAttr => "",
|
||||
oidcRPMetaDataOptionsAccessTokenExpiration => 120,
|
||||
oidcRPMetaDataOptionsBypassConsent => 1,
|
||||
oidcRPMetaDataOptionsRefreshToken => 1,
|
||||
oidcRPMetaDataOptionsIDTokenForceClaims => 1,
|
||||
oidcRPMetaDataOptionsRule => '$uid eq "french"',
|
||||
}
|
||||
},
|
||||
oidcRPMetaDataScopeRules => {
|
||||
rp => {
|
||||
"read" => '$requested',
|
||||
"french" => '$uid eq "french"',
|
||||
"always" => '1',
|
||||
},
|
||||
},
|
||||
oidcServicePrivateKeySig => oidc_key_op_private_sig,
|
||||
oidcServicePublicKeySig => oidc_key_op_public_sig,
|
||||
}
|
||||
}
|
||||
);
|
||||
my $res;
|
||||
|
||||
# Resource Owner Password Credentials Grant
|
||||
# Access Token Request
|
||||
# https://tools.ietf.org/html/rfc6749#section-4.3
|
||||
my $query = buildForm( {
|
||||
client_id => 'rpid',
|
||||
client_secret => 'rpsecret',
|
||||
grant_type => 'password',
|
||||
username => 'french',
|
||||
password => 'french',
|
||||
scope => 'profile email',
|
||||
}
|
||||
);
|
||||
|
||||
## Login should be valid
|
||||
$res = $op->_post(
|
||||
"/oauth2/token",
|
||||
IO::String->new($query),
|
||||
accept => 'application/json',
|
||||
length => length($query),
|
||||
);
|
||||
my $payload = expectJSON($res);
|
||||
|
||||
my $access_token = $payload->{access_token};
|
||||
ok( $access_token, "Access Token found" );
|
||||
count(1);
|
||||
my $token_res_scope = $payload->{scope};
|
||||
ok( $token_res_scope, "Scope found in token response" );
|
||||
is( $payload->{id_token}, undef, "No ID token in original request" );
|
||||
|
||||
my $refresh_token = $payload->{refresh_token};
|
||||
ok( $refresh_token, "Got refresh token" );
|
||||
count(3);
|
||||
|
||||
# Get userinfo
|
||||
$res = $op->_post(
|
||||
"/oauth2/userinfo",
|
||||
IO::String->new(''),
|
||||
accept => 'application/json',
|
||||
length => 0,
|
||||
custom => {
|
||||
HTTP_AUTHORIZATION => "Bearer " . $access_token,
|
||||
},
|
||||
);
|
||||
|
||||
$payload = expectJSON($res);
|
||||
|
||||
ok( $payload->{'name'} eq "Frédéric Accents", 'Got User Info' );
|
||||
like( $res->[2]->[0], qr/"gender":32/, "Attribute released as int in JSON" );
|
||||
is( ref( $payload->{email} ),
|
||||
"ARRAY", "Single valued attribute forced as array" );
|
||||
is( ref( $payload->{nickname} ),
|
||||
"ARRAY", "Multi valued attribute exposed as array" );
|
||||
|
||||
my $query = "token=$access_token";
|
||||
ok(
|
||||
$res = $op->_post(
|
||||
"/oauth2/introspect",
|
||||
IO::String->new($query),
|
||||
accept => 'text/html',
|
||||
length => length $query,
|
||||
custom => {
|
||||
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
|
||||
},
|
||||
),
|
||||
"Post introspection"
|
||||
);
|
||||
$payload = expectJSON($res);
|
||||
unlike( $payload->{scope}, qr/\bread\b/,
|
||||
"Scope read not asked, and thus not found" );
|
||||
like( $payload->{scope}, qr/\bfrench\b/, "Attribute-based scope found" );
|
||||
like( $payload->{scope}, qr/\balways\b/, "Rule-enforced scope found" );
|
||||
is( $payload->{scope}, $token_res_scope,
|
||||
"Token response scope matches token scope" );
|
||||
|
||||
# Expire token
|
||||
Time::Fake->offset("+5m");
|
||||
|
||||
ok(
|
||||
$res = $op->_post(
|
||||
"/oauth2/introspect",
|
||||
IO::String->new($query),
|
||||
accept => 'text/html',
|
||||
length => length $query,
|
||||
custom => {
|
||||
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
|
||||
},
|
||||
),
|
||||
"Post introspection"
|
||||
);
|
||||
|
||||
$res = expectJSON($res);
|
||||
is( $res->{active}, 0, "Token is no longer active" );
|
||||
|
||||
$query = buildForm( {
|
||||
grant_type => 'refresh_token',
|
||||
refresh_token => $refresh_token,
|
||||
}
|
||||
);
|
||||
|
||||
ok(
|
||||
$res = $op->_post(
|
||||
"/oauth2/token",
|
||||
IO::String->new($query),
|
||||
accept => 'text/json',
|
||||
length => length $query,
|
||||
custom => {
|
||||
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
|
||||
},
|
||||
),
|
||||
"Post introspection"
|
||||
);
|
||||
$res = expectJSON($res);
|
||||
is( $res->{id_token}, undef, "No ID token in refreshed response" );
|
||||
|
||||
clean_sessions();
|
||||
done_testing();
|
||||
|
Loading…
Reference in New Issue