Gitiles
Code Review Sign In
korap.ids-mannheim.de / KorAP / Kustvakt / d43a98d222eec80632b558fd249934206ba7771a / . / full / src / test / java / de / ids_mannheim / korap / web / controller / OAuth2OpenIdControllerTest.java
blob: 020ced2d093768c86ff06e5459aa2109f314d658 [file] [log] [blame]
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]1package de.ids_mannheim.korap.web.controller;
2
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]3import static org.junit.jupiter.api.Assertions.assertEquals;
4import static org.junit.jupiter.api.Assertions.assertNotNull;
5import static org.junit.jupiter.api.Assertions.assertTrue;
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]6
7import java.net.URI;
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]8import java.security.NoSuchAlgorithmException;
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]9import java.security.spec.InvalidKeySpecException;
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]10import java.text.ParseException;
11import java.util.Date;
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]12import javax.ws.rs.core.Form;
margaretha56fd5582018-06-18 22:14:51 +0200[diff] [blame]13import javax.ws.rs.core.MediaType;
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]14
15import org.apache.http.entity.ContentType;
margarethab36b1a32018-06-20 20:13:07 +0200[diff] [blame]16import org.apache.oltu.oauth2.common.message.types.TokenType;
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]17import org.junit.jupiter.api.Test;
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]18import org.springframework.beans.factory.annotation.Autowired;
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]19import org.springframework.util.MultiValueMap;
20import org.springframework.web.util.UriComponentsBuilder;
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]21import com.fasterxml.jackson.databind.JsonNode;
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]22import com.google.common.net.HttpHeaders;
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]23import com.nimbusds.jose.JOSEException;
24import com.nimbusds.jose.JWSVerifier;
25import com.nimbusds.jose.crypto.RSASSAVerifier;
margaretha19295962018-06-26 16:00:47 +0200[diff] [blame]26import com.nimbusds.jose.jwk.JWKSet;
27import com.nimbusds.jose.jwk.RSAKey;
margarethaa2ce63d2018-06-28 10:11:43 +0200[diff] [blame]28import com.nimbusds.jwt.JWTClaimsSet;
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]29import com.nimbusds.jwt.SignedJWT;
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]30import com.nimbusds.oauth2.sdk.GrantType;
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]31
abcpro163418f42022-11-09 20:35:09 +0000[diff] [blame]32import javax.ws.rs.ProcessingException;
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]33import javax.ws.rs.core.Response;
34import javax.ws.rs.client.Entity;
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]35
36import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
37import de.ids_mannheim.korap.config.Attributes;
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]38import de.ids_mannheim.korap.config.FullConfiguration;
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]39import de.ids_mannheim.korap.config.SpringJerseyTest;
40import de.ids_mannheim.korap.exceptions.KustvaktException;
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]41import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;
42import de.ids_mannheim.korap.utils.JsonUtils;
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]43
44public class OAuth2OpenIdControllerTest extends SpringJerseyTest {
45
46 @Autowired
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]47 private FullConfiguration config;
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]48
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]49 private String redirectUri = "https://korap.ids-mannheim.de/confidential/redirect";
50
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]51 private String username = "dory";
52
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]53 private Response sendAuthorizationRequest(Form form) throws KustvaktException {
54 return target().path(API_VERSION).path("oauth2").path("openid").path("authorize").request().header(Attributes.AUTHORIZATION, HttpAuthorizationHandler.createBasicAuthorizationHeaderValue(username, "password")).header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32").header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED).post(Entity.form(form));
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]55 }
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]56
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]57 private Response sendTokenRequest(Form form) throws KustvaktException {
58 return target().path(API_VERSION).path("oauth2").path("openid").path("token").request().header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32").header(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED).post(Entity.form(form));
margarethab36b1a32018-06-20 20:13:07 +0200[diff] [blame]59 }
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]60
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]61 @Test
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]62 public void testRequestAuthorizationCode() throws ProcessingException, KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]63 Form form = new Form();
64 form.param("response_type", "code");
65 form.param("client_id", "fCBbQkAyYzI4NzUxMg");
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]66 testRequestAuthorizationCodeWithoutOpenID(form, redirectUri);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]67 form.param("scope", "openid");
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]68 testRequestAuthorizationCodeMissingRedirectUri(form);
69 testRequestAuthorizationCodeInvalidRedirectUri(form);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]70 form.param("redirect_uri", redirectUri);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]71 form.param("state", "thisIsMyState");
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]72 Response response = sendAuthorizationRequest(form);
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]73 URI location = response.getLocation();
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]74 assertEquals(redirectUri, location.getScheme() + "://" + location.getHost() + location.getPath());
75 MultiValueMap<String, String> params = UriComponentsBuilder.fromUri(location).build().getQueryParams();
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]76 assertNotNull(params.getFirst("code"));
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]77 assertEquals(params.getFirst("state"), "thisIsMyState");
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]78 }
79
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]80 private void testRequestAuthorizationCodeWithoutOpenID(Form form, String redirectUri) throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]81 Response response = sendAuthorizationRequest(form);
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]82 URI location = response.getLocation();
83 // System.out.println(location.toString());
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]84 assertEquals(redirectUri, location.getScheme() + "://" + location.getHost() + location.getPath());
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]85 }
86
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]87 private void testRequestAuthorizationCodeMissingRedirectUri(Form form) throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]88 Response response = sendAuthorizationRequest(form);
89 String entity = response.readEntity(String.class);
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]90 JsonNode node = JsonUtils.readTree(entity);
91 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]92 assertEquals(node.at("/error_description").asText(), "redirect_uri is required");
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]93 }
94
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]95 private void testRequestAuthorizationCodeInvalidRedirectUri(Form form) throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]96 form.param("redirect_uri", "blah");
97 Response response = sendAuthorizationRequest(form);
98 String entity = response.readEntity(String.class);
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]99 JsonNode node = JsonUtils.readTree(entity);
100 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]101 assertEquals(node.at("/error_description").asText(), "Invalid redirect URI");
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]102 form.asMap().remove("redirect_uri");
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]103 }
104
105 @Test
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]106 public void testRequestAuthorizationCodeMissingClientID() throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]107 Form form = new Form();
108 form.param("scope", "openid");
109 form.param("redirect_uri", redirectUri);
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]110 // error response is represented in JSON because redirect URI
111 // cannot be verified without client id
112 // Besides client_id is a mandatory parameter in a normal
113 // OAuth2 authorization request, thus it is checked first,
114 // before redirect_uri. see
115 // com.nimbusds.oauth2.sdk.AuthorizationRequest
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]116 Response response = sendAuthorizationRequest(form);
117 String entity = response.readEntity(String.class);
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]118 JsonNode node = JsonUtils.readTree(entity);
119 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]120 assertEquals(node.at("/error_description").asText(), "Invalid request: Missing client_id parameter");
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]121 }
122
123 @Test
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]124 public void testRequestAuthorizationCodeMissingResponseType() throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]125 Form form = new Form();
126 form.param("scope", "openid");
127 form.param("redirect_uri", redirectUri);
128 form.param("client_id", "blah");
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]129 // client_id has not been verified yet
130 // MUST NOT automatically redirect the user-agent to the
131 // invalid redirection URI.
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]132 Response response = sendAuthorizationRequest(form);
133 String entity = response.readEntity(String.class);
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]134 JsonNode node = JsonUtils.readTree(entity);
135 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]136 assertEquals(node.at("/error_description").asText(), "Invalid request: Missing response_type parameter");
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]137 }
138
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]139 private void testRequestAuthorizationCodeUnsupportedResponseType(Form form, String type) throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]140 Response response = sendAuthorizationRequest(form);
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]141 URI location = response.getLocation();
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]142 assertEquals(MediaType.APPLICATION_FORM_URLENCODED, response.getMediaType().toString());
143 MultiValueMap<String, String> params = UriComponentsBuilder.fromUri(location).build().getQueryParams();
144 assertEquals(params.getFirst("error"), "invalid_request");
145 assertEquals("unsupported+response_type%3A+" + type, params.getFirst("error_description"));
margarethada3c7852018-06-14 20:35:11 +0200[diff] [blame]146 }
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]147
148 /**
149 * We don't support implicit grant. Implicit grant allows
150 * response_type:
151 * <ul>
152 * <li>id_token</li>
153 * <li>id_token token</li>
154 * </ul>
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]155 *
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]156 * @throws KustvaktException
157 */
margarethab36b1a32018-06-20 20:13:07 +0200[diff] [blame]158 @Test
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]159 public void testRequestAuthorizationCodeUnsupportedImplicitFlow() throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]160 Form form = new Form();
161 form.param("scope", "openid");
162 form.param("redirect_uri", redirectUri);
163 form.param("response_type", "id_token");
164 form.param("client_id", "fCBbQkAyYzI4NzUxMg");
165 form.param("nonce", "nonce");
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]166 testRequestAuthorizationCodeUnsupportedResponseType(form, "id_token");
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]167 form.asMap().remove("response_type");
168 form.param("response_type", "id_token token");
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]169 testRequestAuthorizationCodeUnsupportedResponseType(form, "id_token");
170 }
171
172 /**
173 * Hybrid flow is not supported. Hybrid flow allows
174 * response_type:
175 * <ul>
176 * <li>code id_token</li>
177 * <li>code token</li>
178 * <li>code id_token token</li>
179 * </ul>
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]180 *
181 * @throws KustvaktExceptiony); assertTrue(signedJWT.verify(verifier));
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]182 */
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]183 @Test
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]184 public void testRequestAuthorizationCodeUnsupportedHybridFlow() throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]185 Form form = new Form();
186 form.param("scope", "openid");
187 form.param("redirect_uri", redirectUri);
188 form.param("response_type", "code id_token");
189 form.param("client_id", "fCBbQkAyYzI4NzUxMg");
190 form.param("nonce", "nonce");
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]191 testRequestAuthorizationCodeUnsupportedResponseType(form, "id_token");
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]192 form.asMap().remove("response_type");
193 form.param("response_type", "code token");
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]194 testRequestAuthorizationCodeUnsupportedResponseType(form, "token");
195 }
196
197 @Test
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]198 public void testRequestAccessTokenWithAuthorizationCode() throws KustvaktException, ParseException, InvalidKeySpecException, NoSuchAlgorithmException, JOSEException {
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]199 String client_id = "fCBbQkAyYzI4NzUxMg";
margarethaa2ce63d2018-06-28 10:11:43 +0200[diff] [blame]200 String nonce = "thisIsMyNonce";
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]201 Form form = new Form();
202 form.param("response_type", "code");
203 form.param("client_id", client_id);
204 form.param("redirect_uri", redirectUri);
205 form.param("scope", "openid");
206 form.param("state", "thisIsMyState");
207 form.param("nonce", nonce);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]208 Response response = sendAuthorizationRequest(form);
margarethab36b1a32018-06-20 20:13:07 +0200[diff] [blame]209 URI location = response.getLocation();
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]210 MultiValueMap<String, String> params = UriComponentsBuilder.fromUri(location).build().getQueryParams();
211 assertEquals(params.getFirst("state"), "thisIsMyState");
margarethab36b1a32018-06-20 20:13:07 +0200[diff] [blame]212 String code = params.getFirst("code");
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]213 Form tokenForm = new Form();
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]214 testRequestAccessTokenMissingGrant(tokenForm);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]215 tokenForm.param("grant_type", "authorization_code");
216 tokenForm.param("code", code);
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]217 testRequestAccessTokenMissingClientId(tokenForm);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]218 tokenForm.param("client_id", client_id);
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]219 testRequestAccessTokenMissingClientSecret(tokenForm);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]220 tokenForm.param("client_secret", "secret");
221 tokenForm.param("redirect_uri", redirectUri);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]222 Response tokenResponse = sendTokenRequest(tokenForm);
223 String entity = tokenResponse.readEntity(String.class);
margarethab36b1a32018-06-20 20:13:07 +0200[diff] [blame]224 JsonNode node = JsonUtils.readTree(entity);
225 assertNotNull(node.at("/access_token").asText());
226 assertNotNull(node.at("/refresh_token").asText());
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]227 assertEquals(TokenType.BEARER.toString(), node.at("/token_type").asText());
margarethab36b1a32018-06-20 20:13:07 +0200[diff] [blame]228 assertNotNull(node.at("/expires_in").asText());
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]229 String id_token = node.at("/id_token").asText();
230 assertNotNull(id_token);
margarethaa2ce63d2018-06-28 10:11:43 +0200[diff] [blame]231 verifyingIdToken(id_token, username, client_id, nonce);
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]232 }
233
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]234 private void testRequestAccessTokenMissingGrant(Form tokenForm) throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]235 Response response = sendTokenRequest(tokenForm);
236 String entity = response.readEntity(String.class);
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]237 JsonNode node = JsonUtils.readTree(entity);
238 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]239 assertEquals(node.at("/error_description").asText(), "Invalid request: Missing grant_type parameter");
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]240 }
241
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]242 private void testRequestAccessTokenMissingClientId(Form tokenForm) throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]243 Response response = sendTokenRequest(tokenForm);
244 String entity = response.readEntity(String.class);
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]245 JsonNode node = JsonUtils.readTree(entity);
246 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]247 assertEquals("Invalid request: Missing required client_id " + "parameter", node.at("/error_description").asText());
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]248 }
249
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]250 private void testRequestAccessTokenMissingClientSecret(Form tokenForm) throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]251 Response response = sendTokenRequest(tokenForm);
252 String entity = response.readEntity(String.class);
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]253 JsonNode node = JsonUtils.readTree(entity);
254 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]255 assertEquals(node.at("/error_description").asText(), "Missing parameter: client_secret");
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]256 }
257
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]258 private void verifyingIdToken(String id_token, String username, String client_id, String nonce) throws ParseException, InvalidKeySpecException, NoSuchAlgorithmException, JOSEException {
margaretha19295962018-06-26 16:00:47 +0200[diff] [blame]259 JWKSet keySet = config.getPublicKeySet();
260 RSAKey publicKey = (RSAKey) keySet.getKeyByKeyId(config.getRsaKeyId());
margaretha5225ed02018-06-25 18:38:40 +0200[diff] [blame]261 SignedJWT signedJWT = SignedJWT.parse(id_token);
262 JWSVerifier verifier = new RSASSAVerifier(publicKey);
263 assertTrue(signedJWT.verify(verifier));
margarethaa2ce63d2018-06-28 10:11:43 +0200[diff] [blame]264 JWTClaimsSet claimsSet = signedJWT.getJWTClaimsSet();
265 assertEquals(client_id, claimsSet.getAudience().get(0));
266 assertEquals(username, claimsSet.getSubject());
267 assertEquals(config.getIssuerURI().toString(), claimsSet.getIssuer());
268 assertTrue(new Date().before(claimsSet.getExpirationTime()));
269 assertNotNull(claimsSet.getClaim(Attributes.AUTHENTICATION_TIME));
270 assertEquals(nonce, claimsSet.getClaim("nonce"));
margarethab36b1a32018-06-20 20:13:07 +0200[diff] [blame]271 }
margaretha19295962018-06-26 16:00:47 +0200[diff] [blame]272
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]273 // no openid
274 @Test
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]275 public void testRequestAccessTokenWithPassword() throws KustvaktException, ParseException, InvalidKeySpecException, NoSuchAlgorithmException, JOSEException {
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]276 // public client
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]277 String client_id = "8bIDtZnH6NvRkW2Fq";
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]278 Form tokenForm = new Form();
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]279 testRequestAccessTokenMissingGrant(tokenForm);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]280 tokenForm.param("grant_type", GrantType.PASSWORD.toString());
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]281 testRequestAccessTokenMissingUsername(tokenForm);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]282 tokenForm.param("username", username);
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]283 testRequestAccessTokenMissingPassword(tokenForm);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]284 tokenForm.param("password", "pass");
285 tokenForm.param("client_id", client_id);
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]286 Response tokenResponse = sendTokenRequest(tokenForm);
287 String entity = tokenResponse.readEntity(String.class);
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]288 JsonNode node = JsonUtils.readTree(entity);
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]289 assertEquals(OAuth2Error.UNAUTHORIZED_CLIENT, node.at("/error").asText());
290 assertEquals(node.at("/error_description").asText(), "Password grant is not allowed for third party clients");
margaretha835178d2018-08-15 19:04:03 +0200[diff] [blame]291 }
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]292
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]293 private void testRequestAccessTokenMissingUsername(Form tokenForm) throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]294 Response response = sendTokenRequest(tokenForm);
295 String entity = response.readEntity(String.class);
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]296 JsonNode node = JsonUtils.readTree(entity);
297 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]298 assertEquals(node.at("/error_description").asText(), "Invalid request: Missing or empty username parameter");
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]299 }
300
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]301 private void testRequestAccessTokenMissingPassword(Form tokenForm) throws KustvaktException {
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]302 Response response = sendTokenRequest(tokenForm);
303 String entity = response.readEntity(String.class);
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]304 JsonNode node = JsonUtils.readTree(entity);
305 assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]306 assertEquals(node.at("/error_description").asText(), "Invalid request: Missing or empty password parameter");
margaretha249a0aa2018-06-28 22:25:14 +0200[diff] [blame]307 }
308
margaretha19295962018-06-26 16:00:47 +0200[diff] [blame]309 @Test
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]310 public void testPublicKeyAPI() throws KustvaktException {
311 Response response = target().path(API_VERSION).path("oauth2").path("openid").path("jwks").request().get();
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]312 String entity = response.readEntity(String.class);
margaretha19295962018-06-26 16:00:47 +0200[diff] [blame]313 JsonNode node = JsonUtils.readTree(entity);
margarethaa2ce63d2018-06-28 10:11:43 +0200[diff] [blame]314 assertEquals(1, node.at("/keys").size());
margaretha19295962018-06-26 16:00:47 +0200[diff] [blame]315 node = node.at("/keys/0");
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]316 assertEquals(node.at("/kty").asText(), "RSA");
margaretha19295962018-06-26 16:00:47 +0200[diff] [blame]317 assertEquals(config.getRsaKeyId(), node.at("/kid").asText());
318 assertNotNull(node.at("/e").asText());
319 assertNotNull(node.at("/n").asText());
320 }
margarethaa2ce63d2018-06-28 10:11:43 +0200[diff] [blame]321
margaretha9c78e1a2018-06-27 14:12:35 +0200[diff] [blame]322 @Test
Marc Kupietzd43a98d2023-09-22 17:11:46 +0200[diff] [blame^]323 public void testOpenIDConfiguration() throws KustvaktException {
324 Response response = target().path(API_VERSION).path("oauth2").path("openid").path("config").request().get();
abcpro173fe8f22022-11-08 19:56:52 +0000[diff] [blame]325 String entity = response.readEntity(String.class);
margaretha9c78e1a2018-06-27 14:12:35 +0200[diff] [blame]326 JsonNode node = JsonUtils.readTree(entity);
327 assertNotNull(node.at("/issuer"));
328 assertNotNull(node.at("/authorization_endpoint"));
329 assertNotNull(node.at("/token_endpoint"));
330 assertNotNull(node.at("/response_types_supported"));
331 assertNotNull(node.at("/subject_types_supported"));
332 assertNotNull(node.at("/id_token_signing_alg_values_supported"));
333 }
margarethaec247dd2018-06-12 21:55:46 +0200[diff] [blame]334}