Implemented OpenID support for auth_time, nonce and max_age.
Change-Id: I509554ff19a9f5baf6c1add5c6b5c0a07ec76380
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
index 00b1eb6..07344fd 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
@@ -25,18 +25,9 @@
public class OAuth2AccessTokenTest extends SpringJerseyTest {
// test access token for username: dory
- private static String testAccessToken;
-
- @BeforeClass
- public static void init () throws IOException {
- InputStream is = OAuth2AccessTokenTest.class.getClassLoader()
- .getResourceAsStream("test-oauth2.token");
-
- try (BufferedReader reader =
- new BufferedReader(new InputStreamReader(is));) {
- testAccessToken = reader.readLine();
- }
- }
+ // see:
+ // full/src/main/resources/db/insert/V3.5__insert_oauth2_clients.sql
+ private static String testAccessToken = "249c64a77f40e2b5504982cc5521b596";
@Test
public void testListVC () throws KustvaktException {
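Review bot: `testAccessToken` is now initialised from a literal and never reassigned, so the field should be `private static final String testAccessToken = "249c64a77f40e2b5504982cc5521b596";` (or renamed to a constant-style name). The same token literal is typed out again inline in the new testRequestAuthorizationCodeAuthenticationTooOld in OAuth2OpenIdControllerTest, so one shared test constant would keep both in step with the V3.5 insert script the comment points to. testListVC continues outside the hunk.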
@@ -84,7 +75,8 @@
JsonNode node = JsonUtils.readTree(ent);
assertEquals(StatusCodes.INVALID_ACCESS_TOKEN,
node.at("/errors/0/0").asInt());
- assertEquals("Access token is not found", node.at("/errors/0/1").asText());
+ assertEquals("Access token is not found",
+ node.at("/errors/0/1").asText());
}
@Test
@@ -97,12 +89,13 @@
.get(ClientResponse.class);
String ent = response.getEntity(String.class);
-
+
assertEquals(ClientResponse.Status.UNAUTHORIZED.getStatusCode(),
response.getStatus());
JsonNode node = JsonUtils.readTree(ent);
assertEquals(StatusCodes.EXPIRED, node.at("/errors/0/0").asInt());
- assertEquals("Access token is expired", node.at("/errors/0/1").asText());
+ assertEquals("Access token is expired",
+ node.at("/errors/0/1").asText());
}
}
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java
index 6594fdd..9032c67 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java
@@ -13,6 +13,7 @@
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
+import org.apache.http.HttpStatus;
import org.apache.http.entity.ContentType;
import org.apache.oltu.oauth2.common.message.types.TokenType;
import org.junit.Test;
@@ -27,6 +28,7 @@
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.sun.jersey.api.client.ClientHandlerException;
import com.sun.jersey.api.client.ClientResponse;
@@ -38,6 +40,7 @@
import de.ids_mannheim.korap.config.FullConfiguration;
import de.ids_mannheim.korap.config.SpringJerseyTest;
import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.exceptions.StatusCodes;
import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;
import de.ids_mannheim.korap.utils.JsonUtils;
@@ -185,7 +188,6 @@
throws KustvaktException {
ClientResponse response = sendAuthorizationRequest(form);
- System.out.println(response.getEntity(String.class));
URI location = response.getLocation();
assertEquals(MediaType.APPLICATION_FORM_URLENCODED,
response.getType().toString());
@@ -254,21 +256,54 @@
}
@Test
+ public void testRequestAuthorizationCodeAuthenticationTooOld ()
+ throws KustvaktException {
+ MultivaluedMap<String, String> form = new MultivaluedMapImpl();
+ form.add("response_type", "code");
+ form.add("client_id", "fCBbQkAyYzI4NzUxMg");
+ form.add("redirect_uri", redirectUri);
+ form.add("scope", "openid");
+ form.add("max_age", "1800");
+
+ ClientResponse response =
+ resource().path("oauth2").path("openid").path("authorize")
+ .header(Attributes.AUTHORIZATION,
+ "Bearer 249c64a77f40e2b5504982cc5521b596")
+ .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
+ .header(HttpHeaders.CONTENT_TYPE,
+ ContentType.APPLICATION_FORM_URLENCODED)
+ .entity(form).post(ClientResponse.class);
+
+ assertEquals(HttpStatus.SC_UNAUTHORIZED, response.getStatus());
+ String entity = response.getEntity(String.class);
+ JsonNode node = JsonUtils.readTree(entity);
+ assertEquals(StatusCodes.USER_REAUTHENTICATION_REQUIRED,
+ node.at("/errors/0/0").asInt());
+ assertEquals(
+ "User reauthentication is required because the authentication "
+ + "time is too old according to max_age",
+ node.at("/errors/0/1").asText());
+ }
+
+ @Test
public void testRequestAccessToken ()
throws KustvaktException, ParseException, InvalidKeySpecException,
NoSuchAlgorithmException, JOSEException {
String client_id = "fCBbQkAyYzI4NzUxMg";
+ String nonce = "thisIsMyNonce";
MultivaluedMap<String, String> form = new MultivaluedMapImpl();
form.add("response_type", "code");
form.add("client_id", client_id);
form.add("redirect_uri", redirectUri);
form.add("scope", "openid");
form.add("state", "thisIsMyState");
+ form.add("nonce", nonce);
ClientResponse response = sendAuthorizationRequest(form);
URI location = response.getLocation();
MultiValueMap<String, String> params =
UriComponentsBuilder.fromUri(location).build().getQueryParams();
+ assertEquals("thisIsMyState", params.getFirst("state"));
String code = params.getFirst("code");
MultivaluedMap<String, String> tokenForm = new MultivaluedMapImpl();
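Review bot: testRequestAuthorizationCodeAuthenticationTooOld covers only the rejection path; there is no companion case where `max_age` is large enough that the authorization request still succeeds, so an implementation that rejects every request carrying max_age would pass this suite. The test also hand-builds the request with the bearer token `249c64a77f40e2b5504982cc5521b596` and the X-Forwarded-For address, while testRequestAccessToken in the same hunk goes through `sendAuthorizationRequest(form)`; if that helper sends the same headers (its body is outside the hunk), the new test can reuse it. The 401 assertion presumably relies on the authentication time stored for that token by the insert script being more than 1800 s in the past whenever the suite runs; a comment on the `form.add("max_age", "1800")` line stating that assumption would save the next reader from wondering whether the test is time-dependent. The tokenForm setup of testRequestAccessToken continues past the hunk.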
@@ -280,7 +315,6 @@
ClientResponse tokenResponse = sendTokenRequest(tokenForm);
String entity = tokenResponse.getEntity(String.class);
- // System.out.println(entity);
JsonNode node = JsonUtils.readTree(entity);
assertNotNull(node.at("/access_token").asText());
@@ -291,12 +325,12 @@
String id_token = node.at("/id_token").asText();
assertNotNull(id_token);
- verifyingIdToken(id_token, username, client_id);
+ verifyingIdToken(id_token, username, client_id, nonce);
}
private void verifyingIdToken (String id_token, String username,
- String client_id) throws ParseException, InvalidKeySpecException,
- NoSuchAlgorithmException, JOSEException {
+ String client_id, String nonce) throws ParseException,
+ InvalidKeySpecException, NoSuchAlgorithmException, JOSEException {
JWKSet keySet = config.getPublicKeySet();
RSAKey publicKey = (RSAKey) keySet.getKeyByKeyId(config.getRsaKeyId());
@@ -304,13 +338,13 @@
JWSVerifier verifier = new RSASSAVerifier(publicKey);
assertTrue(signedJWT.verify(verifier));
- assertEquals(client_id,
- signedJWT.getJWTClaimsSet().getAudience().get(0));
- assertEquals(username, signedJWT.getJWTClaimsSet().getSubject());
- assertEquals(config.getIssuerURI().toString(),
- signedJWT.getJWTClaimsSet().getIssuer());
- assertTrue(new Date()
- .before(signedJWT.getJWTClaimsSet().getExpirationTime()));
+ JWTClaimsSet claimsSet = signedJWT.getJWTClaimsSet();
+ assertEquals(client_id, claimsSet.getAudience().get(0));
+ assertEquals(username, claimsSet.getSubject());
+ assertEquals(config.getIssuerURI().toString(), claimsSet.getIssuer());
+ assertTrue(new Date().before(claimsSet.getExpirationTime()));
+ assertNotNull(claimsSet.getClaim(Attributes.AUTHENTICATION_TIME));
+ assertEquals(nonce, claimsSet.getClaim("nonce"));
}
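Review bot: `assertNotNull(claimsSet.getClaim(Attributes.AUTHENTICATION_TIME))` only proves the claim is present, not that it is the numeric date OpenID Connect defines for auth_time or that it is plausible; since the method already declares ParseException, `Date authTime = claimsSet.getDateClaim(Attributes.AUTHENTICATION_TIME); assertNotNull(authTime); assertFalse(authTime.after(new Date()));` would catch a claim emitted in the wrong type or in the future (add the `assertFalse` static import if the file lacks it). Similarly `claimsSet.getStringClaim("nonce")` makes the nonce comparison type-safe instead of comparing a String against an Object. verifyingIdToken's signature is in the previous hunk, so the method starts outside this one.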
@Test
@@ -319,14 +353,14 @@
.path("jwks").get(ClientResponse.class);
String entity = response.getEntity(String.class);
JsonNode node = JsonUtils.readTree(entity);
- assertEquals(1,node.at("/keys").size());
+ assertEquals(1, node.at("/keys").size());
node = node.at("/keys/0");
assertEquals("RSA", node.at("/kty").asText());
assertEquals(config.getRsaKeyId(), node.at("/kid").asText());
assertNotNull(node.at("/e").asText());
assertNotNull(node.at("/n").asText());
}
-
+
@Test
public void testOpenIDConfiguration () throws KustvaktException {
ClientResponse response = resource().path("oauth2").path("openid")
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
index 9ff8db4..89b0f3c 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/VirtualCorpusControllerTest.java
@@ -178,6 +178,7 @@
.header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
.get(ClientResponse.class);
String entity = response.getEntity(String.class);
+ System.out.println(entity);
JsonNode node = JsonUtils.readTree(entity);
assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
assertEquals(StatusCodes.AUTHORIZATION_FAILED,
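Review bot: The added `System.out.println(entity);` before `JsonUtils.readTree(entity)` looks like leftover debugging output, and this same commit removes exactly this kind of print from OAuth2OpenIdControllerTest; it should be dropped rather than added to a third test. If the response body is needed for diagnosis, an assertion message carrying `entity` keeps it out of the build log on the passing path. The enclosing test method starts and ends outside the hunk.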
diff --git a/full/src/test/resources/kustvakt-test.conf b/full/src/test/resources/kustvakt-test.conf
index 9061918..6a6b5c2 100644
--- a/full/src/test/resources/kustvakt-test.conf
+++ b/full/src/test/resources/kustvakt-test.conf
@@ -62,7 +62,7 @@
openid.token.signing.algorithms = RS256
openid.subject.types = public
openid.display.types = page
-openid.supported.scopes = openid email
+openid.supported.scopes = openid email auth_time
openid.support.claim.param = false
openid.claim.types = normal
openid.supported.claims = iss sub aud exp iat
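Review bot: auth_time is an ID-token claim in OpenID Connect, not a scope, so it reads as belonging on the `openid.supported.claims = iss sub aud exp iat auth_time` line rather than in `openid.supported.scopes`, which is where the change puts it. The test in OAuth2OpenIdControllerTest checks auth_time as a claim of the ID token, which is consistent with that reading. Unless the server maps this property differently (not visible here), advertising it under scopes would tell discovery clients that `scope=auth_time` is a meaningful request.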
diff --git a/full/src/test/resources/test-oauth2.token b/full/src/test/resources/test-oauth2.token
deleted file mode 100644
index eb7b4af..0000000
--- a/full/src/test/resources/test-oauth2.token
+++ /dev/null
@@ -1 +0,0 @@
-249c64a77f40e2b5504982cc5521b596
\ No newline at end of file