func TestGenerateJWT(t *testing.T) { claims := &JWTClaims{ ExpiresAt: time.Now().Add(time.Hour), } j := RS256JWTStrategy{ PrivateKey: internal.MustRSAKey(), } token, sig, err := j.Generate(claims.ToMapClaims(), header) require.Nil(t, err, "%s", err) require.NotNil(t, token) sig, err = j.Validate(token) require.Nil(t, err, "%s", err) sig, err = j.Validate(token + "." + "0123456789") require.NotNil(t, err, "%s", err) partToken := strings.Split(token, ".")[2] sig, err = j.Validate(partToken) require.NotNil(t, err, "%s", err) // Reset private key j.PrivateKey = internal.MustRSAKey() // Lets validate the exp claim claims = &JWTClaims{ ExpiresAt: time.Now().Add(-time.Hour), } token, sig, err = j.Generate(claims.ToMapClaims(), header) require.Nil(t, err, "%s", err) require.NotNil(t, token) //t.Logf("%s.%s", token, sig) sig, err = j.Validate(token) require.NotNil(t, err, "%s", err) // Lets validate the nbf claim claims = &JWTClaims{ NotBefore: time.Now().Add(time.Hour), } token, sig, err = j.Generate(claims.ToMapClaims(), header) require.Nil(t, err, "%s", err) require.NotNil(t, token) //t.Logf("%s.%s", token, sig) sig, err = j.Validate(token) require.NotNil(t, err, "%s", err) require.Empty(t, sig, "%s", err) }
func TestHash(t *testing.T) { j := RS256JWTStrategy{ PrivateKey: internal.MustRSAKey(), } in := []byte("foo") out, err := j.Hash(in) assert.Nil(t, err) assert.NotEqual(t, in, out) }
func TestValidateSignatureRejectsJWT(t *testing.T) { var err error j := RS256JWTStrategy{ PrivateKey: internal.MustRSAKey(), } for k, c := range []string{ "", " ", "foo.bar", "foo.", ".foo", } { _, err = j.Validate(c) assert.NotNil(t, err, "%s", err) t.Logf("Passed test case %d", k) } }
func TestOIDCImplicitFlow(t *testing.T) { session := &defaultSession{ DefaultSession: &openid.DefaultSession{ Claims: &jwt.IDTokenClaims{ Subject: "peter", }, Headers: &jwt.Headers{}, }, } f := compose.ComposeAllEnabled(new(compose.Config), fositeStore, []byte("some-secret-thats-random"), internal.MustRSAKey()) ts := mockServer(t, f, session) defer ts.Close() oauthClient := newOAuth2Client(ts) fositeStore.Clients["my-client"].RedirectURIs[0] = ts.URL + "/callback" var state = "12345678901234567890" for k, c := range []struct { responseType string description string nonce string setup func() hasToken bool hasCode bool }{ { description: "should pass without id token", responseType: "token", setup: func() { oauthClient.Scopes = []string{"fosite"} }, }, { responseType: "id_token%20token", nonce: "1111111111111111", description: "should pass id token (id_token token)", setup: func() { oauthClient.Scopes = []string{"fosite", "openid"} }, hasToken: true, }, { responseType: "token%20id_token%20code", nonce: "1111111111111111", description: "should pass id token (id_token token)", setup: func() {}, hasToken: true, hasCode: true, }, } { c.setup() var callbackURL *url.URL authURL := strings.Replace(oauthClient.AuthCodeURL(state), "response_type=code", "response_type="+c.responseType, -1) + "&nonce=" + c.nonce client := &http.Client{ CheckRedirect: func(req *http.Request, via []*http.Request) error { callbackURL = req.URL return errors.New("Dont follow redirects") }, } resp, err := client.Get(authURL) require.NotNil(t, err, "(%d) %s", k, c.description) t.Logf("Response: %s", callbackURL.String()) fragment, err := url.ParseQuery(callbackURL.Fragment) require.Nil(t, err, "(%d) %s", k, c.description) expires, err := strconv.Atoi(fragment.Get("expires_in")) require.Nil(t, err, "(%d) %s", k, c.description) token := &oauth2.Token{ AccessToken: fragment.Get("access_token"), TokenType: fragment.Get("token_type"), RefreshToken: fragment.Get("refresh_token"), Expiry: time.Now().Add(time.Duration(expires) * time.Second), } if c.hasToken { assert.NotEmpty(t, fragment.Get("id_token"), "(%d) %s", k, c.description) } else { assert.Empty(t, fragment.Get("id_token"), "(%d) %s", k, c.description) } if c.hasCode { assert.NotEmpty(t, fragment.Get("code"), "(%d) %s", k, c.description) } else { assert.Empty(t, fragment.Get("code"), "(%d) %s", k, c.description) } httpClient := oauthClient.Client(oauth2.NoContext, token) resp, err = httpClient.Get(ts.URL + "/info") require.Nil(t, err, "(%d) %s", k, c.description) assert.Equal(t, http.StatusNoContent, resp.StatusCode, "(%d) %s", k, c.description) t.Logf("Passed test case (%d) %s", k, c.description) } }
"time" "github.com/golang/mock/gomock" "github.com/ory-am/fosite" "github.com/ory-am/fosite/handler/oauth2" "github.com/ory-am/fosite/internal" "github.com/ory-am/fosite/storage" "github.com/ory-am/fosite/token/hmac" "github.com/ory-am/fosite/token/jwt" "github.com/pkg/errors" "github.com/stretchr/testify/assert" ) var idStrategy = &DefaultStrategy{ RS256JWTStrategy: &jwt.RS256JWTStrategy{ PrivateKey: internal.MustRSAKey(), }, } var hmacStrategy = &oauth2.HMACSHAStrategy{ Enigma: &hmac.HMACStrategy{ GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows"), }, } type defaultSession struct { Claims *jwt.IDTokenClaims Headers *jwt.Headers *fosite.DefaultSession }
func TestOpenIDConnectExplicitFlow(t *testing.T) { session := &defaultSession{ DefaultSession: &openid.DefaultSession{ Claims: &jwt.IDTokenClaims{ Subject: "peter", }, Headers: &jwt.Headers{}, }, } f := compose.ComposeAllEnabled(new(compose.Config), fositeStore, []byte("some-secret-thats-random"), internal.MustRSAKey()) ts := mockServer(t, f, session) defer ts.Close() oauthClient := newOAuth2Client(ts) fositeStore.Clients["my-client"].RedirectURIs[0] = ts.URL + "/callback" var state string for k, c := range []struct { description string setup func() authStatusCode int }{ { description: "should pass", setup: func() { state = "12345678901234567890" oauthClient.Scopes = []string{"openid"} }, authStatusCode: http.StatusOK, }, } { c.setup() resp, err := http.Get(oauthClient.AuthCodeURL(state) + "&nonce=1234567890") require.Nil(t, err) require.Equal(t, c.authStatusCode, resp.StatusCode, "(%d) %s", k, c.description) if resp.StatusCode == http.StatusOK { token, err := oauthClient.Exchange(oauth2.NoContext, resp.Request.URL.Query().Get("code")) fmt.Printf("after exchange: %s\n\n", fositeStore.AuthorizeCodes) require.Nil(t, err, "(%d) %s", k, c.description) require.NotEmpty(t, token.AccessToken, "(%d) %s", k, c.description) require.NotEmpty(t, token.Extra("id_token"), "(%d) %s", k, c.description) } t.Logf("Passed test case (%d) %s", k, c.description) } }