2020-11-13 17:31:39 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package callback
|
|
|
|
|
|
|
|
import (
|
2020-11-19 01:15:01 +00:00
|
|
|
"context"
|
2020-11-19 14:00:41 +00:00
|
|
|
"errors"
|
2020-11-13 23:59:51 +00:00
|
|
|
"fmt"
|
2020-11-13 17:31:39 +00:00
|
|
|
"net/http"
|
|
|
|
"net/http/httptest"
|
2020-11-13 23:59:51 +00:00
|
|
|
"net/url"
|
2020-11-16 22:07:34 +00:00
|
|
|
"regexp"
|
2020-11-19 01:15:01 +00:00
|
|
|
"strings"
|
2020-11-13 17:31:39 +00:00
|
|
|
"testing"
|
2020-11-20 01:57:07 +00:00
|
|
|
"time"
|
2020-11-13 17:31:39 +00:00
|
|
|
|
2020-11-13 23:59:51 +00:00
|
|
|
"github.com/gorilla/securecookie"
|
2020-11-18 21:38:13 +00:00
|
|
|
"github.com/ory/fosite"
|
2020-11-19 01:15:01 +00:00
|
|
|
"github.com/ory/fosite/handler/openid"
|
2020-11-18 21:38:13 +00:00
|
|
|
"github.com/ory/fosite/storage"
|
2020-11-13 17:31:39 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2020-11-13 23:59:51 +00:00
|
|
|
|
2020-11-18 21:38:13 +00:00
|
|
|
"go.pinniped.dev/internal/oidc"
|
2020-11-20 01:57:07 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/oidctestutil"
|
2020-11-19 01:15:01 +00:00
|
|
|
"go.pinniped.dev/internal/oidcclient"
|
|
|
|
"go.pinniped.dev/internal/oidcclient/nonce"
|
|
|
|
"go.pinniped.dev/internal/oidcclient/pkce"
|
2020-11-13 23:59:51 +00:00
|
|
|
"go.pinniped.dev/internal/testutil"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
happyUpstreamIDPName = "upstream-idp-name"
|
2020-11-19 19:19:01 +00:00
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
upstreamIssuer = "https://my-upstream-issuer.com"
|
2020-11-19 19:19:01 +00:00
|
|
|
upstreamSubject = "abc123-some-guid"
|
|
|
|
upstreamUsername = "test-pinniped-username"
|
|
|
|
|
|
|
|
upstreamUsernameClaim = "the-user-claim"
|
|
|
|
upstreamGroupsClaim = "the-groups-claim"
|
2020-11-20 01:57:07 +00:00
|
|
|
|
|
|
|
happyDownstreamState = "some-downstream-state"
|
|
|
|
happyCSRF = "test-csrf"
|
|
|
|
happyPKCE = "test-pkce"
|
|
|
|
happyNonce = "test-nonce"
|
|
|
|
happyStateVersion = "1"
|
|
|
|
|
|
|
|
downstreamIssuer = "https://my-downstream-issuer.com/path"
|
|
|
|
happyUpstreamAuthcode = "upstream-auth-code"
|
|
|
|
downstreamRedirectURI = "http://127.0.0.1/callback"
|
|
|
|
downstreamClientID = "pinniped-cli"
|
|
|
|
|
|
|
|
timeComparisonFudgeFactor = time.Second * 15
|
2020-11-19 19:19:01 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
2020-11-20 01:57:07 +00:00
|
|
|
upstreamGroupMembership = []string{"test-pinniped-group-0", "test-pinniped-group-1"}
|
|
|
|
happyDownstreamScopesRequested = []string{"openid", "profile", "email"}
|
|
|
|
|
|
|
|
happyOriginalRequestParamsQuery = url.Values{
|
|
|
|
"response_type": []string{"code"},
|
|
|
|
"scope": []string{strings.Join(happyDownstreamScopesRequested, " ")},
|
|
|
|
"client_id": []string{downstreamClientID},
|
|
|
|
"state": []string{happyDownstreamState},
|
|
|
|
"nonce": []string{"some-nonce-value"},
|
|
|
|
"code_challenge": []string{"some-challenge"},
|
|
|
|
"code_challenge_method": []string{"S256"},
|
|
|
|
"redirect_uri": []string{downstreamRedirectURI},
|
|
|
|
}
|
|
|
|
happyOriginalRequestParams = happyOriginalRequestParamsQuery.Encode()
|
2020-11-13 17:31:39 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestCallbackEndpoint(t *testing.T) {
|
2020-11-20 01:57:07 +00:00
|
|
|
otherUpstreamOIDCIdentityProvider := oidctestutil.TestUpstreamOIDCIdentityProvider{
|
2020-11-18 21:38:13 +00:00
|
|
|
Name: "other-upstream-idp-name",
|
|
|
|
ClientID: "other-some-client-id",
|
|
|
|
Scopes: []string{"other-scope1", "other-scope2"},
|
2020-11-13 23:59:51 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
var stateEncoderHashKey = []byte("fake-hash-secret")
|
|
|
|
var stateEncoderBlockKey = []byte("0123456789ABCDEF") // block encryption requires 16/24/32 bytes for AES
|
|
|
|
var cookieEncoderHashKey = []byte("fake-hash-secret2")
|
|
|
|
var cookieEncoderBlockKey = []byte("0123456789ABCDE2") // block encryption requires 16/24/32 bytes for AES
|
|
|
|
require.NotEqual(t, stateEncoderHashKey, cookieEncoderHashKey)
|
|
|
|
require.NotEqual(t, stateEncoderBlockKey, cookieEncoderBlockKey)
|
|
|
|
|
2020-11-16 19:41:00 +00:00
|
|
|
var happyStateCodec = securecookie.New(stateEncoderHashKey, stateEncoderBlockKey)
|
|
|
|
happyStateCodec.SetSerializer(securecookie.JSONEncoder{})
|
|
|
|
var happyCookieCodec = securecookie.New(cookieEncoderHashKey, cookieEncoderBlockKey)
|
|
|
|
happyCookieCodec.SetSerializer(securecookie.JSONEncoder{})
|
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
happyState := happyUpstreamStateParam().Build(t, happyStateCodec)
|
2020-11-19 13:51:23 +00:00
|
|
|
|
2020-11-16 19:41:00 +00:00
|
|
|
encodedIncomingCookieCSRFValue, err := happyCookieCodec.Encode("csrf", happyCSRF)
|
2020-11-16 16:47:49 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
happyCSRFCookie := "__Host-pinniped-csrf=" + encodedIncomingCookieCSRFValue
|
2020-11-13 23:59:51 +00:00
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
happyExchangeAndValidateTokensArgs := &oidctestutil.ExchangeAuthcodeAndValidateTokenArgs{
|
2020-11-19 15:20:46 +00:00
|
|
|
Authcode: happyUpstreamAuthcode,
|
|
|
|
PKCECodeVerifier: pkce.Code(happyPKCE),
|
|
|
|
ExpectedIDTokenNonce: nonce.Nonce(happyNonce),
|
|
|
|
}
|
|
|
|
|
2020-11-19 16:08:21 +00:00
|
|
|
// Note that fosite puts the granted scopes as a param in the redirect URI even though the spec doesn't seem to require it
|
|
|
|
happyRedirectLocationRegexp := downstreamRedirectURI + `\?code=([^&]+)&scope=openid&state=` + happyDownstreamState
|
|
|
|
|
2020-11-13 17:31:39 +00:00
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
idp oidctestutil.TestUpstreamOIDCIdentityProvider
|
2020-11-19 15:20:46 +00:00
|
|
|
method string
|
|
|
|
path string
|
|
|
|
csrfCookie string
|
2020-11-13 17:31:39 +00:00
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
wantStatus int
|
|
|
|
wantBody string
|
|
|
|
wantRedirectLocationRegexp string
|
|
|
|
wantGrantedOpenidScope bool
|
|
|
|
wantDownstreamIDTokenSubject string
|
|
|
|
wantDownstreamIDTokenGroups []string
|
|
|
|
wantDownstreamRequestedScopes []string
|
2020-11-19 15:20:46 +00:00
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
wantExchangeAndValidateTokensCall *oidctestutil.ExchangeAuthcodeAndValidateTokenArgs
|
2020-11-13 17:31:39 +00:00
|
|
|
}{
|
2020-11-16 22:07:34 +00:00
|
|
|
{
|
2020-11-19 16:08:21 +00:00
|
|
|
name: "GET with good state and cookie and successful upstream token exchange returns 302 to downstream client callback with its state and code",
|
2020-11-19 19:19:01 +00:00
|
|
|
idp: happyUpstream().Build(),
|
2020-11-19 16:08:21 +00:00
|
|
|
method: http.MethodGet,
|
2020-11-20 01:57:07 +00:00
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
2020-11-19 16:08:21 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusFound,
|
|
|
|
wantRedirectLocationRegexp: happyRedirectLocationRegexp,
|
|
|
|
wantGrantedOpenidScope: true,
|
|
|
|
wantBody: "",
|
2020-11-19 19:19:01 +00:00
|
|
|
wantDownstreamIDTokenSubject: upstreamUsername,
|
|
|
|
wantDownstreamIDTokenGroups: upstreamGroupMembership,
|
2020-11-20 01:57:07 +00:00
|
|
|
wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
|
2020-11-19 16:08:21 +00:00
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
|
|
|
},
|
|
|
|
{
|
2020-11-20 01:57:07 +00:00
|
|
|
name: "upstream IDP provides no username or group claim configuration, so we use default username claim and skip groups",
|
2020-11-19 19:19:01 +00:00
|
|
|
idp: happyUpstream().WithoutUsernameClaim().WithoutGroupsClaim().Build(),
|
2020-11-19 16:08:21 +00:00
|
|
|
method: http.MethodGet,
|
2020-11-20 01:57:07 +00:00
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusFound,
|
|
|
|
wantRedirectLocationRegexp: happyRedirectLocationRegexp,
|
|
|
|
wantGrantedOpenidScope: true,
|
|
|
|
wantBody: "",
|
|
|
|
wantDownstreamIDTokenSubject: upstreamIssuer + "?sub=" + upstreamSubject,
|
|
|
|
wantDownstreamIDTokenGroups: nil,
|
|
|
|
wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
|
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "upstream IDP provides username claim configuration as `sub`, so the downstream token subject should be exactly what they asked for",
|
|
|
|
idp: happyUpstream().WithUsernameClaim("sub").Build(),
|
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
2020-11-19 16:08:21 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusFound,
|
|
|
|
wantRedirectLocationRegexp: happyRedirectLocationRegexp,
|
2020-11-19 15:20:46 +00:00
|
|
|
wantGrantedOpenidScope: true,
|
|
|
|
wantBody: "",
|
2020-11-19 19:19:01 +00:00
|
|
|
wantDownstreamIDTokenSubject: upstreamSubject,
|
2020-11-20 01:57:07 +00:00
|
|
|
wantDownstreamIDTokenGroups: upstreamGroupMembership,
|
|
|
|
wantDownstreamRequestedScopes: happyDownstreamScopesRequested,
|
2020-11-19 15:20:46 +00:00
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
2020-11-16 22:07:34 +00:00
|
|
|
},
|
2020-11-13 17:31:39 +00:00
|
|
|
|
|
|
|
// Pre-upstream-exchange verification
|
|
|
|
{
|
|
|
|
name: "PUT method is invalid",
|
|
|
|
method: http.MethodPut,
|
2020-11-13 23:59:51 +00:00
|
|
|
path: newRequestPath().String(),
|
2020-11-13 17:31:39 +00:00
|
|
|
wantStatus: http.StatusMethodNotAllowed,
|
|
|
|
wantBody: "Method Not Allowed: PUT (try GET)\n",
|
|
|
|
},
|
2020-11-13 23:59:51 +00:00
|
|
|
{
|
|
|
|
name: "POST method is invalid",
|
|
|
|
method: http.MethodPost,
|
|
|
|
path: newRequestPath().String(),
|
|
|
|
wantStatus: http.StatusMethodNotAllowed,
|
|
|
|
wantBody: "Method Not Allowed: POST (try GET)\n",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "PATCH method is invalid",
|
|
|
|
method: http.MethodPatch,
|
|
|
|
path: newRequestPath().String(),
|
|
|
|
wantStatus: http.StatusMethodNotAllowed,
|
|
|
|
wantBody: "Method Not Allowed: PATCH (try GET)\n",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "DELETE method is invalid",
|
|
|
|
method: http.MethodDelete,
|
|
|
|
path: newRequestPath().String(),
|
|
|
|
wantStatus: http.StatusMethodNotAllowed,
|
|
|
|
wantBody: "Method Not Allowed: DELETE (try GET)\n",
|
|
|
|
},
|
|
|
|
{
|
2020-11-16 19:41:00 +00:00
|
|
|
name: "code param was not included on request",
|
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithState(happyState).WithoutCode().String(),
|
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusBadRequest,
|
|
|
|
wantBody: "Bad Request: code param not found\n",
|
2020-11-13 23:59:51 +00:00
|
|
|
},
|
|
|
|
{
|
2020-11-16 19:41:00 +00:00
|
|
|
name: "state param was not included on request",
|
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithoutState().String(),
|
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusBadRequest,
|
|
|
|
wantBody: "Bad Request: state param not found\n",
|
2020-11-13 23:59:51 +00:00
|
|
|
},
|
|
|
|
{
|
2020-11-19 15:20:46 +00:00
|
|
|
name: "state param was not signed correctly, has expired, or otherwise cannot be decoded for any reason",
|
2020-11-19 19:19:01 +00:00
|
|
|
idp: happyUpstream().Build(),
|
2020-11-19 15:20:46 +00:00
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithState("this-will-not-decode").String(),
|
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusBadRequest,
|
|
|
|
wantBody: "Bad Request: error reading state\n",
|
2020-11-16 19:41:00 +00:00
|
|
|
},
|
2020-11-20 01:57:07 +00:00
|
|
|
{
|
|
|
|
// This shouldn't happen in practice because the authorize endpoint should have already run the same
|
|
|
|
// validations, but we would like to test the error handling in this endpoint anyway.
|
|
|
|
name: "state param contains authorization request params which fail validation",
|
|
|
|
idp: happyUpstream().Build(),
|
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithState(
|
|
|
|
happyUpstreamStateParam().
|
|
|
|
WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyOriginalRequestParamsQuery, map[string]string{"prompt": "none login"}).Encode()).
|
|
|
|
Build(t, happyStateCodec),
|
|
|
|
).String(),
|
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
|
|
|
wantStatus: http.StatusInternalServerError,
|
|
|
|
wantBody: "Internal Server Error: error while generating and saving authcode\n",
|
|
|
|
},
|
2020-11-16 19:41:00 +00:00
|
|
|
{
|
2020-11-19 15:20:46 +00:00
|
|
|
name: "state's internal version does not match what we want",
|
2020-11-19 19:19:01 +00:00
|
|
|
idp: happyUpstream().Build(),
|
2020-11-19 15:20:46 +00:00
|
|
|
method: http.MethodGet,
|
2020-11-20 01:57:07 +00:00
|
|
|
path: newRequestPath().WithState(happyUpstreamStateParam().WithStateVersion("wrong-state-version").Build(t, happyStateCodec)).String(),
|
2020-11-19 15:20:46 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusUnprocessableEntity,
|
|
|
|
wantBody: "Unprocessable Entity: state format version is invalid\n",
|
2020-11-13 23:59:51 +00:00
|
|
|
},
|
2020-11-19 13:41:44 +00:00
|
|
|
{
|
2020-11-20 01:57:07 +00:00
|
|
|
name: "state's downstream auth params element is invalid",
|
|
|
|
idp: happyUpstream().Build(),
|
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithState(happyUpstreamStateParam().
|
|
|
|
WithAuthorizeRequestParams("the following is an invalid url encoding token, and therefore this is an invalid param: %z").
|
|
|
|
Build(t, happyStateCodec)).String(),
|
2020-11-19 15:20:46 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusBadRequest,
|
|
|
|
wantBody: "Bad Request: error reading state downstream auth params\n",
|
2020-11-19 13:51:23 +00:00
|
|
|
},
|
|
|
|
{
|
2020-11-20 01:57:07 +00:00
|
|
|
name: "state's downstream auth params are missing required value (e.g., client_id)",
|
|
|
|
idp: happyUpstream().Build(),
|
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithState(
|
|
|
|
happyUpstreamStateParam().
|
|
|
|
WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyOriginalRequestParamsQuery, map[string]string{"client_id": ""}).Encode()).
|
|
|
|
Build(t, happyStateCodec),
|
|
|
|
).String(),
|
2020-11-19 15:20:46 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusBadRequest,
|
|
|
|
wantBody: "Bad Request: error using state downstream auth params\n",
|
2020-11-19 13:41:44 +00:00
|
|
|
},
|
2020-11-19 14:28:56 +00:00
|
|
|
{
|
2020-11-20 01:57:07 +00:00
|
|
|
name: "state's downstream auth params does not contain openid scope",
|
|
|
|
idp: happyUpstream().Build(),
|
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().
|
|
|
|
WithState(
|
|
|
|
happyUpstreamStateParam().
|
|
|
|
WithAuthorizeRequestParams(shallowCopyAndModifyQuery(happyOriginalRequestParamsQuery, map[string]string{"scope": "profile email"}).Encode()).
|
|
|
|
Build(t, happyStateCodec),
|
|
|
|
).String(),
|
2020-11-19 15:20:46 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusFound,
|
|
|
|
wantRedirectLocationRegexp: downstreamRedirectURI + `\?code=([^&]+)&scope=&state=` + happyDownstreamState,
|
2020-11-19 19:19:01 +00:00
|
|
|
wantDownstreamIDTokenSubject: upstreamUsername,
|
2020-11-20 01:57:07 +00:00
|
|
|
wantDownstreamRequestedScopes: []string{"profile", "email"},
|
2020-11-19 19:19:01 +00:00
|
|
|
wantDownstreamIDTokenGroups: upstreamGroupMembership,
|
2020-11-19 15:20:46 +00:00
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
2020-11-19 14:28:56 +00:00
|
|
|
},
|
2020-11-13 23:59:51 +00:00
|
|
|
{
|
2020-11-19 15:20:46 +00:00
|
|
|
name: "the UpstreamOIDCProvider CRD has been deleted",
|
|
|
|
idp: otherUpstreamOIDCIdentityProvider,
|
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusUnprocessableEntity,
|
|
|
|
wantBody: "Unprocessable Entity: upstream provider not found\n",
|
2020-11-13 23:59:51 +00:00
|
|
|
},
|
2020-11-16 16:47:49 +00:00
|
|
|
{
|
2020-11-19 15:20:46 +00:00
|
|
|
name: "the CSRF cookie does not exist on request",
|
2020-11-19 19:19:01 +00:00
|
|
|
idp: happyUpstream().Build(),
|
2020-11-19 15:20:46 +00:00
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
|
|
|
wantStatus: http.StatusForbidden,
|
|
|
|
wantBody: "Forbidden: CSRF cookie is missing\n",
|
2020-11-16 16:47:49 +00:00
|
|
|
},
|
|
|
|
{
|
2020-11-19 15:20:46 +00:00
|
|
|
name: "cookie was not signed correctly, has expired, or otherwise cannot be decoded for any reason",
|
2020-11-19 19:19:01 +00:00
|
|
|
idp: happyUpstream().Build(),
|
2020-11-19 15:20:46 +00:00
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
|
|
|
csrfCookie: "__Host-pinniped-csrf=this-value-was-not-signed-by-pinniped",
|
|
|
|
wantStatus: http.StatusForbidden,
|
|
|
|
wantBody: "Forbidden: error reading CSRF cookie\n",
|
2020-11-16 19:41:00 +00:00
|
|
|
},
|
|
|
|
{
|
2020-11-19 15:20:46 +00:00
|
|
|
name: "cookie csrf value does not match state csrf value",
|
2020-11-19 19:19:01 +00:00
|
|
|
idp: happyUpstream().Build(),
|
2020-11-19 15:20:46 +00:00
|
|
|
method: http.MethodGet,
|
2020-11-20 01:57:07 +00:00
|
|
|
path: newRequestPath().WithState(happyUpstreamStateParam().WithCSRF("wrong-csrf-value").Build(t, happyStateCodec)).String(),
|
2020-11-19 15:20:46 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusForbidden,
|
|
|
|
wantBody: "Forbidden: CSRF value does not match\n",
|
2020-11-16 16:47:49 +00:00
|
|
|
},
|
2020-11-19 14:00:41 +00:00
|
|
|
|
|
|
|
// Upstream exchange
|
|
|
|
{
|
2020-11-19 15:20:46 +00:00
|
|
|
name: "upstream auth code exchange fails",
|
2020-11-19 19:19:01 +00:00
|
|
|
idp: happyUpstream().WithoutUpstreamAuthcodeExchangeError(errors.New("some error")).Build(),
|
2020-11-19 15:20:46 +00:00
|
|
|
method: http.MethodGet,
|
2020-11-20 01:57:07 +00:00
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
2020-11-19 15:20:46 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusBadGateway,
|
|
|
|
wantBody: "Bad Gateway: error exchanging and validating upstream tokens\n",
|
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
2020-11-19 14:00:41 +00:00
|
|
|
},
|
2020-11-19 19:19:01 +00:00
|
|
|
{
|
|
|
|
name: "upstream ID token does not contain requested username claim",
|
|
|
|
idp: happyUpstream().WithoutIDTokenClaim(upstreamUsernameClaim).Build(),
|
|
|
|
method: http.MethodGet,
|
2020-11-20 01:57:07 +00:00
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
2020-11-19 19:19:01 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusUnprocessableEntity,
|
|
|
|
wantBody: "Unprocessable Entity: no username claim in upstream ID token\n",
|
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
|
|
|
},
|
2020-11-19 20:53:21 +00:00
|
|
|
{
|
|
|
|
name: "upstream ID token does not contain requested groups claim",
|
|
|
|
idp: happyUpstream().WithoutIDTokenClaim(upstreamGroupsClaim).Build(),
|
|
|
|
method: http.MethodGet,
|
2020-11-20 01:57:07 +00:00
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
2020-11-19 20:53:21 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusUnprocessableEntity,
|
|
|
|
wantBody: "Unprocessable Entity: no groups claim in upstream ID token\n",
|
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "upstream ID token contains username claim with weird format",
|
|
|
|
idp: happyUpstream().WithIDTokenClaim(upstreamUsernameClaim, 42).Build(),
|
|
|
|
method: http.MethodGet,
|
2020-11-20 01:57:07 +00:00
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
2020-11-19 20:53:21 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusUnprocessableEntity,
|
|
|
|
wantBody: "Unprocessable Entity: username claim in upstream ID token has invalid format\n",
|
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
|
|
|
},
|
2020-11-20 01:57:07 +00:00
|
|
|
{
|
|
|
|
name: "upstream ID token does not contain iss claim when using default username claim config",
|
|
|
|
idp: happyUpstream().WithIDTokenClaim("iss", "").WithoutUsernameClaim().Build(),
|
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusUnprocessableEntity,
|
|
|
|
wantBody: "Unprocessable Entity: issuer claim in upstream ID token missing\n",
|
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "upstream ID token has an non-string iss claim when using default username claim config",
|
|
|
|
idp: happyUpstream().WithIDTokenClaim("iss", 42).WithoutUsernameClaim().Build(),
|
|
|
|
method: http.MethodGet,
|
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusUnprocessableEntity,
|
|
|
|
wantBody: "Unprocessable Entity: issuer claim in upstream ID token has invalid format\n",
|
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
|
|
|
},
|
2020-11-19 20:53:21 +00:00
|
|
|
{
|
|
|
|
name: "upstream ID token contains groups claim with weird format",
|
|
|
|
idp: happyUpstream().WithIDTokenClaim(upstreamGroupsClaim, 42).Build(),
|
|
|
|
method: http.MethodGet,
|
2020-11-20 01:57:07 +00:00
|
|
|
path: newRequestPath().WithState(happyState).String(),
|
2020-11-19 20:53:21 +00:00
|
|
|
csrfCookie: happyCSRFCookie,
|
|
|
|
wantStatus: http.StatusUnprocessableEntity,
|
|
|
|
wantBody: "Unprocessable Entity: groups claim in upstream ID token has invalid format\n",
|
|
|
|
wantExchangeAndValidateTokensCall: happyExchangeAndValidateTokensArgs,
|
|
|
|
},
|
2020-11-13 17:31:39 +00:00
|
|
|
}
|
|
|
|
for _, test := range tests {
|
|
|
|
test := test
|
2020-11-20 01:57:07 +00:00
|
|
|
|
2020-11-13 17:31:39 +00:00
|
|
|
t.Run(test.name, func(t *testing.T) {
|
2020-11-19 14:28:56 +00:00
|
|
|
// Configure fosite the same way that the production code would, except use in-memory storage.
|
|
|
|
// Inject this into our test subject at the last second so we get a fresh storage for every test.
|
|
|
|
oauthStore := &storage.MemoryStore{
|
|
|
|
Clients: map[string]fosite.Client{oidc.PinnipedCLIOIDCClient().ID: oidc.PinnipedCLIOIDCClient()},
|
|
|
|
AuthorizeCodes: map[string]storage.StoreAuthorizeCode{},
|
|
|
|
PKCES: map[string]fosite.Requester{},
|
|
|
|
IDSessions: map[string]fosite.Requester{},
|
|
|
|
}
|
|
|
|
hmacSecret := []byte("some secret - must have at least 32 bytes")
|
|
|
|
require.GreaterOrEqual(t, len(hmacSecret), 32, "fosite requires that hmac secrets have at least 32 bytes")
|
|
|
|
oauthHelper := oidc.FositeOauth2Helper(oauthStore, hmacSecret)
|
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
idpListGetter := oidctestutil.NewIDPListGetter(&test.idp)
|
2020-11-19 16:35:23 +00:00
|
|
|
subject := NewHandler(downstreamIssuer, idpListGetter, oauthHelper, happyStateCodec, happyCookieCodec)
|
2020-11-13 23:59:51 +00:00
|
|
|
req := httptest.NewRequest(test.method, test.path, nil)
|
2020-11-16 16:47:49 +00:00
|
|
|
if test.csrfCookie != "" {
|
|
|
|
req.Header.Set("Cookie", test.csrfCookie)
|
|
|
|
}
|
2020-11-13 17:31:39 +00:00
|
|
|
rsp := httptest.NewRecorder()
|
|
|
|
subject.ServeHTTP(rsp, req)
|
2020-11-19 14:28:56 +00:00
|
|
|
t.Logf("response: %#v", rsp)
|
|
|
|
t.Logf("response body: %q", rsp.Body.String())
|
2020-11-13 17:31:39 +00:00
|
|
|
|
2020-11-19 16:35:23 +00:00
|
|
|
if test.wantExchangeAndValidateTokensCall != nil {
|
|
|
|
require.Equal(t, 1, test.idp.ExchangeAuthcodeAndValidateTokensCallCount())
|
|
|
|
test.wantExchangeAndValidateTokensCall.Ctx = req.Context()
|
|
|
|
require.Equal(t, test.wantExchangeAndValidateTokensCall, test.idp.ExchangeAuthcodeAndValidateTokensArgs(0))
|
|
|
|
} else {
|
|
|
|
require.Equal(t, 0, test.idp.ExchangeAuthcodeAndValidateTokensCallCount())
|
|
|
|
}
|
2020-11-16 22:07:34 +00:00
|
|
|
|
2020-11-19 16:35:23 +00:00
|
|
|
require.Equal(t, test.wantStatus, rsp.Code)
|
2020-11-19 01:15:01 +00:00
|
|
|
|
|
|
|
if test.wantBody != "" {
|
2020-11-16 22:07:34 +00:00
|
|
|
require.Equal(t, test.wantBody, rsp.Body.String())
|
2020-11-19 01:15:01 +00:00
|
|
|
} else {
|
|
|
|
require.Empty(t, rsp.Body.String())
|
|
|
|
}
|
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
if test.wantRedirectLocationRegexp != "" { //nolint:nestif // don't mind have several sequential if statements in this test
|
2020-11-16 22:07:34 +00:00
|
|
|
// Assert that Location header matches regular expression.
|
|
|
|
require.Len(t, rsp.Header().Values("Location"), 1)
|
|
|
|
actualLocation := rsp.Header().Get("Location")
|
|
|
|
regex := regexp.MustCompile(test.wantRedirectLocationRegexp)
|
|
|
|
submatches := regex.FindStringSubmatch(actualLocation)
|
|
|
|
require.Lenf(t, submatches, 2, "no regexp match in actualLocation: %q", actualLocation)
|
|
|
|
capturedAuthCode := submatches[1]
|
|
|
|
|
2020-11-19 01:15:01 +00:00
|
|
|
// One authcode should have been stored.
|
|
|
|
require.Len(t, oauthStore.AuthorizeCodes, 1)
|
2020-11-16 22:07:34 +00:00
|
|
|
|
2020-11-19 01:15:01 +00:00
|
|
|
// fosite authcodes are in the format `data.signature`, so grab the signature part, which is the lookup key in the storage interface
|
|
|
|
authcodeDataAndSignature := strings.Split(capturedAuthCode, ".")
|
|
|
|
require.Len(t, authcodeDataAndSignature, 2)
|
|
|
|
|
|
|
|
// Get the authcode session back from storage so we can require that it was stored correctly.
|
|
|
|
storedAuthorizeRequest, err := oauthStore.GetAuthorizeCodeSession(context.Background(), authcodeDataAndSignature[1], nil)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Check that storage returned the expected concrete data types.
|
2020-11-19 14:28:56 +00:00
|
|
|
storedRequest, ok := storedAuthorizeRequest.(*fosite.Request)
|
2020-11-19 01:15:01 +00:00
|
|
|
require.True(t, ok)
|
|
|
|
storedSession, ok := storedAuthorizeRequest.GetSession().(*openid.DefaultSession)
|
|
|
|
require.True(t, ok)
|
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
// Check which scopes were granted.
|
2020-11-19 14:28:56 +00:00
|
|
|
if test.wantGrantedOpenidScope {
|
|
|
|
require.Contains(t, storedRequest.GetGrantedScopes(), "openid")
|
|
|
|
} else {
|
|
|
|
require.NotContains(t, storedRequest.GetGrantedScopes(), "openid")
|
|
|
|
}
|
2020-11-20 01:57:07 +00:00
|
|
|
|
|
|
|
// Check all the other fields of the stored request.
|
|
|
|
require.NotEmpty(t, storedRequest.ID)
|
|
|
|
require.Equal(t, downstreamClientID, storedRequest.Client.GetID())
|
|
|
|
require.ElementsMatch(t, test.wantDownstreamRequestedScopes, storedRequest.RequestedScope)
|
|
|
|
require.Nil(t, storedRequest.RequestedAudience)
|
|
|
|
require.Empty(t, storedRequest.GrantedAudience)
|
|
|
|
require.Equal(t, url.Values{"redirect_uri": []string{downstreamRedirectURI}}, storedRequest.Form)
|
|
|
|
testutil.RequireTimeInDelta(t, time.Now(), storedRequest.RequestedAt, timeComparisonFudgeFactor)
|
|
|
|
|
|
|
|
// We're not using these fields yet, so confirm that we did not set them (for now).
|
|
|
|
require.Empty(t, storedSession.Subject)
|
|
|
|
require.Empty(t, storedSession.Username)
|
|
|
|
require.Empty(t, storedSession.Headers)
|
|
|
|
|
|
|
|
// The authcode that we are issuing should be good for 15 minutes, which is default for fosite.
|
|
|
|
testutil.RequireTimeInDelta(t, time.Now().Add(time.Minute*15), storedSession.ExpiresAt[fosite.AuthorizeCode], timeComparisonFudgeFactor)
|
|
|
|
require.Len(t, storedSession.ExpiresAt, 1)
|
|
|
|
|
|
|
|
// Now confirm the ID token claims.
|
|
|
|
actualClaims := storedSession.Claims
|
|
|
|
|
|
|
|
// Check the user's identity, which are put into the downstream ID token's subject and groups claims.
|
|
|
|
require.Equal(t, test.wantDownstreamIDTokenSubject, actualClaims.Subject)
|
2020-11-19 19:19:01 +00:00
|
|
|
if test.wantDownstreamIDTokenGroups != nil {
|
2020-11-20 01:57:07 +00:00
|
|
|
require.Len(t, actualClaims.Extra, 1)
|
|
|
|
require.Equal(t, test.wantDownstreamIDTokenGroups, actualClaims.Extra["groups"])
|
2020-11-19 19:19:01 +00:00
|
|
|
} else {
|
2020-11-20 01:57:07 +00:00
|
|
|
require.Empty(t, actualClaims.Extra)
|
|
|
|
require.NotContains(t, actualClaims.Extra, "groups")
|
2020-11-19 19:19:01 +00:00
|
|
|
}
|
2020-11-20 01:57:07 +00:00
|
|
|
|
|
|
|
// Check the rest of the downstream ID token's claims.
|
|
|
|
require.Equal(t, downstreamIssuer, actualClaims.Issuer)
|
|
|
|
require.Equal(t, []string{downstreamClientID}, actualClaims.Audience)
|
|
|
|
testutil.RequireTimeInDelta(t, time.Now().Add(time.Minute*5), actualClaims.ExpiresAt, timeComparisonFudgeFactor)
|
|
|
|
testutil.RequireTimeInDelta(t, time.Now(), actualClaims.IssuedAt, timeComparisonFudgeFactor)
|
|
|
|
testutil.RequireTimeInDelta(t, time.Now(), actualClaims.RequestedAt, timeComparisonFudgeFactor)
|
|
|
|
testutil.RequireTimeInDelta(t, time.Now(), actualClaims.AuthTime, timeComparisonFudgeFactor)
|
|
|
|
|
|
|
|
// These are not needed yet.
|
|
|
|
require.Empty(t, actualClaims.JTI)
|
|
|
|
require.Empty(t, actualClaims.CodeHash)
|
|
|
|
require.Empty(t, actualClaims.AccessTokenHash)
|
|
|
|
require.Empty(t, actualClaims.AuthenticationContextClassReference)
|
|
|
|
require.Empty(t, actualClaims.AuthenticationMethodsReference)
|
|
|
|
|
|
|
|
// TODO we should put the downstream request's nonce into the ID token, but maybe the token endpoint is responsible for that?
|
|
|
|
require.Empty(t, actualClaims.Nonce)
|
|
|
|
|
|
|
|
// TODO add thorough tests about what should be stored for PKCES and IDSessions
|
2020-11-19 01:15:01 +00:00
|
|
|
} else {
|
2020-11-16 22:07:34 +00:00
|
|
|
require.Empty(t, rsp.Header().Values("Location"))
|
|
|
|
}
|
2020-11-13 17:31:39 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
2020-11-13 23:59:51 +00:00
|
|
|
|
|
|
|
type requestPath struct {
|
|
|
|
upstreamIDPName, code, state *string
|
|
|
|
}
|
|
|
|
|
|
|
|
func newRequestPath() *requestPath {
|
|
|
|
n := happyUpstreamIDPName
|
2020-11-20 01:57:07 +00:00
|
|
|
c := happyUpstreamAuthcode
|
2020-11-13 23:59:51 +00:00
|
|
|
s := "4321"
|
|
|
|
return &requestPath{
|
|
|
|
upstreamIDPName: &n,
|
|
|
|
code: &c,
|
|
|
|
state: &s,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *requestPath) WithUpstreamIDPName(name string) *requestPath {
|
|
|
|
r.upstreamIDPName = &name
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *requestPath) WithCode(code string) *requestPath {
|
|
|
|
r.code = &code
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *requestPath) WithoutCode() *requestPath {
|
|
|
|
r.code = nil
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *requestPath) WithState(state string) *requestPath {
|
|
|
|
r.state = &state
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *requestPath) WithoutState() *requestPath {
|
|
|
|
r.state = nil
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
|
|
|
func (r *requestPath) String() string {
|
|
|
|
path := fmt.Sprintf("/downstream-provider-name/callback/%s?", *r.upstreamIDPName)
|
|
|
|
params := url.Values{}
|
|
|
|
if r.code != nil {
|
|
|
|
params.Add("code", *r.code)
|
|
|
|
}
|
|
|
|
if r.state != nil {
|
|
|
|
params.Add("state", *r.state)
|
|
|
|
}
|
|
|
|
return path + params.Encode()
|
|
|
|
}
|
2020-11-19 13:51:23 +00:00
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
type upstreamStateParamBuilder oidctestutil.ExpectedUpstreamStateParamFormat
|
|
|
|
|
|
|
|
func happyUpstreamStateParam() *upstreamStateParamBuilder {
|
|
|
|
return &upstreamStateParamBuilder{
|
|
|
|
P: happyOriginalRequestParams,
|
|
|
|
N: happyNonce,
|
|
|
|
C: happyCSRF,
|
|
|
|
K: happyPKCE,
|
|
|
|
V: happyStateVersion,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (b upstreamStateParamBuilder) Build(t *testing.T, stateEncoder *securecookie.SecureCookie) string {
|
|
|
|
state, err := stateEncoder.Encode("s", b)
|
|
|
|
require.NoError(t, err)
|
|
|
|
return state
|
|
|
|
}
|
|
|
|
|
|
|
|
func (b *upstreamStateParamBuilder) WithAuthorizeRequestParams(params string) *upstreamStateParamBuilder {
|
|
|
|
b.P = params
|
|
|
|
return b
|
|
|
|
}
|
|
|
|
|
|
|
|
func (b *upstreamStateParamBuilder) WithNonce(nonce string) *upstreamStateParamBuilder {
|
|
|
|
b.N = nonce
|
|
|
|
return b
|
|
|
|
}
|
|
|
|
|
|
|
|
func (b *upstreamStateParamBuilder) WithCSRF(csrf string) *upstreamStateParamBuilder {
|
|
|
|
b.C = csrf
|
|
|
|
return b
|
|
|
|
}
|
|
|
|
|
|
|
|
func (b *upstreamStateParamBuilder) WithPKCVE(pkce string) *upstreamStateParamBuilder {
|
|
|
|
b.K = pkce
|
|
|
|
return b
|
|
|
|
}
|
|
|
|
|
|
|
|
func (b *upstreamStateParamBuilder) WithStateVersion(version string) *upstreamStateParamBuilder {
|
|
|
|
b.V = version
|
|
|
|
return b
|
|
|
|
}
|
|
|
|
|
2020-11-19 19:19:01 +00:00
|
|
|
type upstreamOIDCIdentityProviderBuilder struct {
|
|
|
|
idToken map[string]interface{}
|
|
|
|
usernameClaim, groupsClaim string
|
|
|
|
authcodeExchangeErr error
|
|
|
|
}
|
|
|
|
|
|
|
|
func happyUpstream() *upstreamOIDCIdentityProviderBuilder {
|
|
|
|
return &upstreamOIDCIdentityProviderBuilder{
|
|
|
|
usernameClaim: upstreamUsernameClaim,
|
|
|
|
groupsClaim: upstreamGroupsClaim,
|
|
|
|
idToken: map[string]interface{}{
|
2020-11-20 01:57:07 +00:00
|
|
|
"iss": upstreamIssuer,
|
2020-11-19 19:19:01 +00:00
|
|
|
"sub": upstreamSubject,
|
|
|
|
upstreamUsernameClaim: upstreamUsername,
|
|
|
|
upstreamGroupsClaim: upstreamGroupMembership,
|
|
|
|
"other-claim": "should be ignored",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
func (u *upstreamOIDCIdentityProviderBuilder) WithUsernameClaim(claim string) *upstreamOIDCIdentityProviderBuilder {
|
|
|
|
u.usernameClaim = claim
|
|
|
|
return u
|
|
|
|
}
|
|
|
|
|
2020-11-19 19:19:01 +00:00
|
|
|
func (u *upstreamOIDCIdentityProviderBuilder) WithoutUsernameClaim() *upstreamOIDCIdentityProviderBuilder {
|
|
|
|
u.usernameClaim = ""
|
|
|
|
return u
|
|
|
|
}
|
|
|
|
|
|
|
|
func (u *upstreamOIDCIdentityProviderBuilder) WithoutGroupsClaim() *upstreamOIDCIdentityProviderBuilder {
|
|
|
|
u.groupsClaim = ""
|
|
|
|
return u
|
|
|
|
}
|
|
|
|
|
2020-11-19 20:53:21 +00:00
|
|
|
func (u *upstreamOIDCIdentityProviderBuilder) WithIDTokenClaim(name string, value interface{}) *upstreamOIDCIdentityProviderBuilder {
|
2020-11-19 19:19:01 +00:00
|
|
|
u.idToken[name] = value
|
|
|
|
return u
|
|
|
|
}
|
|
|
|
|
|
|
|
func (u *upstreamOIDCIdentityProviderBuilder) WithoutIDTokenClaim(claim string) *upstreamOIDCIdentityProviderBuilder {
|
|
|
|
delete(u.idToken, claim)
|
|
|
|
return u
|
|
|
|
}
|
|
|
|
|
|
|
|
func (u *upstreamOIDCIdentityProviderBuilder) WithoutUpstreamAuthcodeExchangeError(err error) *upstreamOIDCIdentityProviderBuilder {
|
|
|
|
u.authcodeExchangeErr = err
|
|
|
|
return u
|
|
|
|
}
|
|
|
|
|
2020-11-20 01:57:07 +00:00
|
|
|
func (u *upstreamOIDCIdentityProviderBuilder) Build() oidctestutil.TestUpstreamOIDCIdentityProvider {
|
|
|
|
return oidctestutil.TestUpstreamOIDCIdentityProvider{
|
2020-11-19 19:19:01 +00:00
|
|
|
Name: happyUpstreamIDPName,
|
|
|
|
ClientID: "some-client-id",
|
|
|
|
UsernameClaim: u.usernameClaim,
|
|
|
|
GroupsClaim: u.groupsClaim,
|
|
|
|
Scopes: []string{"scope1", "scope2"},
|
|
|
|
ExchangeAuthcodeAndValidateTokensFunc: func(ctx context.Context, authcode string, pkceCodeVerifier pkce.Code, expectedIDTokenNonce nonce.Nonce) (oidcclient.Token, map[string]interface{}, error) {
|
|
|
|
return oidcclient.Token{}, u.idToken, u.authcodeExchangeErr
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-11-19 14:28:56 +00:00
|
|
|
func shallowCopyAndModifyQuery(query url.Values, modifications map[string]string) url.Values {
|
2020-11-19 13:51:23 +00:00
|
|
|
copied := url.Values{}
|
|
|
|
for key, value := range query {
|
2020-11-20 01:57:07 +00:00
|
|
|
copied[key] = value
|
|
|
|
}
|
|
|
|
for key, value := range modifications {
|
|
|
|
if value == "" {
|
|
|
|
copied.Del(key)
|
2020-11-19 14:28:56 +00:00
|
|
|
} else {
|
2020-11-20 01:57:07 +00:00
|
|
|
copied[key] = []string{value}
|
2020-11-19 13:51:23 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return copied
|
|
|
|
}
|