From e3ecddb8c9c3d43d84bde6e70926d48f02ed0906 Mon Sep 17 00:00:00 2001 From: Maxime Besson Date: Fri, 26 Feb 2021 10:04:38 +0100 Subject: [PATCH] Unit tests for #2424 --- lemonldap-ng-portal/t/32-OIDC-ClientCredentials-Grant.t | 3 +++ .../t/32-OIDC-Password-Grant-with-Bruteforce.t | 4 ++++ lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t | 3 +++ 3 files changed, 10 insertions(+) diff --git a/lemonldap-ng-portal/t/32-OIDC-ClientCredentials-Grant.t b/lemonldap-ng-portal/t/32-OIDC-ClientCredentials-Grant.t index e2f5a9e05..048869638 100644 --- a/lemonldap-ng-portal/t/32-OIDC-ClientCredentials-Grant.t +++ b/lemonldap-ng-portal/t/32-OIDC-ClientCredentials-Grant.t @@ -139,6 +139,8 @@ my $payload = expectJSON($res); my $access_token = $payload->{access_token}; ok( $access_token, "Access Token found" ); count(1); +my $token_res_scope = $payload->{scope}; +ok ($token_res_scope, "Token response returned scope"); # Get userinfo $res = $op->_post( @@ -172,6 +174,7 @@ ok( $payload = expectJSON($res); like( $payload->{scope}, qr/\bread\b/, "Scope read found" ); like( $payload->{scope}, qr/\balways\b/, "Rule-enforced scope found" ); +is ($token_res_scope, $payload->{scope}, "Token response scope match token scope"); clean_sessions(); done_testing(); diff --git a/lemonldap-ng-portal/t/32-OIDC-Password-Grant-with-Bruteforce.t b/lemonldap-ng-portal/t/32-OIDC-Password-Grant-with-Bruteforce.t index d2be545bf..721cf451d 100644 --- a/lemonldap-ng-portal/t/32-OIDC-Password-Grant-with-Bruteforce.t +++ b/lemonldap-ng-portal/t/32-OIDC-Password-Grant-with-Bruteforce.t @@ -130,6 +130,9 @@ my $payload = expectJSON($res); my $access_token = $payload->{access_token}; ok( $access_token, "Access Token found" ); count(1); +my $token_res_scope = $payload->{scope}; +ok( $token_res_scope, "Scope found in token response" ); +count(1); # Get userinfo $res = $op->_post( 
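Review bot: The `ok` added after `count(1);` in 32-OIDC-ClientCredentials-Grant.t is not itself followed by `count(1);`, although the `ok` directly above it is, and the equivalent addition in 32-OIDC-Password-Grant-with-Bruteforce.t does add one. The visible `done_testing();` takes no argument, so the plan probably does not depend on the tally, but the file's convention is worth keeping. I would write the line as `ok( $token_res_scope, "Token response returned scope" );` to match the file's `ok( ... )` spacing, and add `count(1);` after it.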
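Review bot: The `is` added before `clean_sessions();` in 32-OIDC-ClientCredentials-Grant.t compares the two scope values as opaque strings, so it fails if the token endpoint and the introspection endpoint ever list the same scopes in a different order. RFC 6749 defines scope as a space-delimited list in which order does not matter. Comparing normalized lists keeps the assertion about the granted set: `is( join( ' ', sort split( ' ', $token_res_scope ) ), join( ' ', sort split( ' ', $payload->{scope} ) ), "Token response scope matches token scope" );`. If byte-for-byte equality is intended, a comment saying so would help, for example `# The token response is how the client learns which scopes were really granted, so it must agree with introspection`. The same applies to the `is` lines added in 32-OIDC-Password-Grant-with-Bruteforce.t and 32-OIDC-Token-Introspection.t.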
@@ -169,6 +172,7 @@ unlike( $payload->{scope}, qr/\bread\b/, "Scope read not asked, and thus not found" ); like( $payload->{scope}, qr/\bfrench\b/, "Attribute-based scope found" ); like( $payload->{scope}, qr/\balways\b/, "Rule-enforced scope found" ); +is ($payload->{scope}, $token_res_scope, "Token response scope matches token scope"); clean_sessions(); done_testing(); diff --git a/lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t b/lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t index b05c5993e..b1523ce4a 100644 --- a/lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t +++ b/lemonldap-ng-portal/t/32-OIDC-Token-Introspection.t @@ -84,6 +84,8 @@ my $json = expectJSON( codeGrant( $op, "rpid", $code, "http://rp2.com/" ) ); my $token = $json->{access_token}; ok( $token, 'Access token present' ); +my $token_resp_scope = $json->{scope}; +ok ($token_resp_scope, 'Token response returned granted scopes'); my ( $res, $query ); @@ -128,6 +130,7 @@ unlike( $json->{scope}, qr/\bwrite\b/, "Response omits a dynamic scope that ev unlike( $json->{scope}, qr/\bifrequested\b/, "Response omits a dynamic scope that was not requested" ); like( $json->{scope}, qr/\bread\b/, "Response contains a dynamic scope that is sent only when requested" ); like( $json->{scope}, qr/\balways\b/, "Response contains a dynamic scope that is not requested but always sent" ); +is ($token_resp_scope, $json->{scope}, "Token response scope matches token scope"); # Check status after expiration Time::Fake->offset("+2h");
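Review bot: The `is` added before `clean_sessions();` in 32-OIDC-Password-Grant-with-Bruteforce.t passes the introspection value as the first (got) argument and the token-response value as the expected one, the reverse of the other two test files in this patch. The value these tests appear to target is the token response, so `is( $token_res_scope, $payload->{scope}, "Token response scope matches token scope" );` would label the failure diagnostics correctly. It would also keep the three files consistent.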