func TestGenerateJWT(t *testing.T) {
claims := &JWTClaims{
ExpiresAt: time.Now().Add(time.Hour),
}
j := RS256JWTStrategy{
PrivateKey: internal.MustRSAKey(),
}
token, sig, err := j.Generate(claims.ToMapClaims(), header)
require.Nil(t, err, "%s", err)
require.NotNil(t, token)
sig, err = j.Validate(token)
require.Nil(t, err, "%s", err)
sig, err = j.Validate(token + "." + "0123456789")
require.NotNil(t, err, "%s", err)
partToken := strings.Split(token, ".")[2]
sig, err = j.Validate(partToken)
require.NotNil(t, err, "%s", err)
// Reset private key
j.PrivateKey = internal.MustRSAKey()
// Lets validate the exp claim
claims = &JWTClaims{
ExpiresAt: time.Now().Add(-time.Hour),
}
token, sig, err = j.Generate(claims.ToMapClaims(), header)
require.Nil(t, err, "%s", err)
require.NotNil(t, token)
//t.Logf("%s.%s", token, sig)
sig, err = j.Validate(token)
require.NotNil(t, err, "%s", err)
// Lets validate the nbf claim
claims = &JWTClaims{
NotBefore: time.Now().Add(time.Hour),
}
token, sig, err = j.Generate(claims.ToMapClaims(), header)
require.Nil(t, err, "%s", err)
require.NotNil(t, token)
//t.Logf("%s.%s", token, sig)
sig, err = j.Validate(token)
require.NotNil(t, err, "%s", err)
require.Empty(t, sig, "%s", err)
}
func TestHash(t *testing.T) {
j := RS256JWTStrategy{
PrivateKey: internal.MustRSAKey(),
}
in := []byte("foo")
out, err := j.Hash(in)
assert.Nil(t, err)
assert.NotEqual(t, in, out)
}
func TestValidateSignatureRejectsJWT(t *testing.T) {
var err error
j := RS256JWTStrategy{
PrivateKey: internal.MustRSAKey(),
}
for k, c := range []string{
"",
" ",
"foo.bar",
"foo.",
".foo",
} {
_, err = j.Validate(c)
assert.NotNil(t, err, "%s", err)
t.Logf("Passed test case %d", k)
}
}
func TestOIDCImplicitFlow(t *testing.T) {
session := &defaultSession{
DefaultSession: &openid.DefaultSession{
Claims: &jwt.IDTokenClaims{
Subject: "peter",
},
Headers: &jwt.Headers{},
},
}
f := compose.ComposeAllEnabled(new(compose.Config), fositeStore, []byte("some-secret-thats-random"), internal.MustRSAKey())
ts := mockServer(t, f, session)
defer ts.Close()
oauthClient := newOAuth2Client(ts)
fositeStore.Clients["my-client"].RedirectURIs[0] = ts.URL + "/callback"
var state = "12345678901234567890"
for k, c := range []struct {
responseType string
description string
nonce string
setup func()
hasToken bool
hasCode bool
}{
{
description: "should pass without id token",
responseType: "token",
setup: func() {
oauthClient.Scopes = []string{"fosite"}
},
},
{
responseType: "id_token%20token",
nonce: "1111111111111111",
description: "should pass id token (id_token token)",
setup: func() {
oauthClient.Scopes = []string{"fosite", "openid"}
},
hasToken: true,
},
{
responseType: "token%20id_token%20code",
nonce: "1111111111111111",
description: "should pass id token (id_token token)",
setup: func() {},
hasToken: true,
hasCode: true,
},
} {
c.setup()
var callbackURL *url.URL
authURL := strings.Replace(oauthClient.AuthCodeURL(state), "response_type=code", "response_type="+c.responseType, -1) + "&nonce=" + c.nonce
client := &http.Client{
CheckRedirect: func(req *http.Request, via []*http.Request) error {
callbackURL = req.URL
return errors.New("Dont follow redirects")
},
}
resp, err := client.Get(authURL)
require.NotNil(t, err, "(%d) %s", k, c.description)
t.Logf("Response: %s", callbackURL.String())
fragment, err := url.ParseQuery(callbackURL.Fragment)
require.Nil(t, err, "(%d) %s", k, c.description)
expires, err := strconv.Atoi(fragment.Get("expires_in"))
require.Nil(t, err, "(%d) %s", k, c.description)
token := &oauth2.Token{
AccessToken: fragment.Get("access_token"),
TokenType: fragment.Get("token_type"),
RefreshToken: fragment.Get("refresh_token"),
Expiry: time.Now().Add(time.Duration(expires) * time.Second),
}
if c.hasToken {
assert.NotEmpty(t, fragment.Get("id_token"), "(%d) %s", k, c.description)
} else {
assert.Empty(t, fragment.Get("id_token"), "(%d) %s", k, c.description)
}
if c.hasCode {
assert.NotEmpty(t, fragment.Get("code"), "(%d) %s", k, c.description)
} else {
assert.Empty(t, fragment.Get("code"), "(%d) %s", k, c.description)
}
httpClient := oauthClient.Client(oauth2.NoContext, token)
resp, err = httpClient.Get(ts.URL + "/info")
require.Nil(t, err, "(%d) %s", k, c.description)
assert.Equal(t, http.StatusNoContent, resp.StatusCode, "(%d) %s", k, c.description)
t.Logf("Passed test case (%d) %s", k, c.description)
}
}
"time"
"github.com/golang/mock/gomock"
"github.com/ory-am/fosite"
"github.com/ory-am/fosite/handler/oauth2"
"github.com/ory-am/fosite/internal"
"github.com/ory-am/fosite/storage"
"github.com/ory-am/fosite/token/hmac"
"github.com/ory-am/fosite/token/jwt"
"github.com/pkg/errors"
"github.com/stretchr/testify/assert"
)
var idStrategy = &DefaultStrategy{
RS256JWTStrategy: &jwt.RS256JWTStrategy{
PrivateKey: internal.MustRSAKey(),
},
}
var hmacStrategy = &oauth2.HMACSHAStrategy{
Enigma: &hmac.HMACStrategy{
GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows"),
},
}
type defaultSession struct {
Claims *jwt.IDTokenClaims
Headers *jwt.Headers
*fosite.DefaultSession
}
func TestOpenIDConnectExplicitFlow(t *testing.T) {
session := &defaultSession{
DefaultSession: &openid.DefaultSession{
Claims: &jwt.IDTokenClaims{
Subject: "peter",
},
Headers: &jwt.Headers{},
},
}
f := compose.ComposeAllEnabled(new(compose.Config), fositeStore, []byte("some-secret-thats-random"), internal.MustRSAKey())
ts := mockServer(t, f, session)
defer ts.Close()
oauthClient := newOAuth2Client(ts)
fositeStore.Clients["my-client"].RedirectURIs[0] = ts.URL + "/callback"
var state string
for k, c := range []struct {
description string
setup func()
authStatusCode int
}{
{
description: "should pass",
setup: func() {
state = "12345678901234567890"
oauthClient.Scopes = []string{"openid"}
},
authStatusCode: http.StatusOK,
},
} {
c.setup()
resp, err := http.Get(oauthClient.AuthCodeURL(state) + "&nonce=1234567890")
require.Nil(t, err)
require.Equal(t, c.authStatusCode, resp.StatusCode, "(%d) %s", k, c.description)
if resp.StatusCode == http.StatusOK {
token, err := oauthClient.Exchange(oauth2.NoContext, resp.Request.URL.Query().Get("code"))
fmt.Printf("after exchange: %s\n\n", fositeStore.AuthorizeCodes)
require.Nil(t, err, "(%d) %s", k, c.description)
require.NotEmpty(t, token.AccessToken, "(%d) %s", k, c.description)
require.NotEmpty(t, token.Extra("id_token"), "(%d) %s", k, c.description)
}
t.Logf("Passed test case (%d) %s", k, c.description)
}
}
