Add more assertion to token_handler_test.go for token exchange exp claim

2022-12-13 17:03:19 -08:00 · 2022-12-13 17:03:19 -08:00 · 85b67f254c
commit 85b67f254c
parent e1a0367b03
1 changed files with 11 additions and 0 deletions
--- a/internal/oidc/token/token_handler_test.go
+++ b/internal/oidc/token/token_handler_test.go
@ -1433,6 +1433,7 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn
 			// at and expires at dates which are newer than the old tokens.
 			time.Sleep(1 * time.Second)

+			approxRequestTime := time.Now()
 			subject.ServeHTTP(rsp, req)
 			t.Logf("response: %#v", rsp)
 			t.Logf("response body: %q", rsp.Body.String())
@ -1518,6 +1519,16 @@ func TestTokenEndpointTokenExchange(t *testing.T) { // tests for grant_type "urn
 			requireClaimsAreNotEqual(t, "iat", claimsOfFirstIDToken, tokenClaims) // issued at
 			require.Greater(t, tokenClaims["iat"], claimsOfFirstIDToken["iat"])

+			// Assert that the timestamps in the token are approximately as expected.
+			expiresAtAsFloat, ok := tokenClaims["exp"].(float64)
+			require.True(t, ok, "expected exp claim to be a float64")
+			expiresAt := time.Unix(int64(expiresAtAsFloat), 0)
+			testutil.RequireTimeInDelta(t, approxRequestTime.UTC().Add(idTokenExpirationSeconds*time.Second), expiresAt, timeComparisonFudge)
+			issuedAtAsFloat, ok := tokenClaims["iat"].(float64)
+			require.True(t, ok, "expected iat claim to be a float64")
+			issuedAt := time.Unix(int64(issuedAtAsFloat), 0)
+			testutil.RequireTimeInDelta(t, approxRequestTime.UTC(), issuedAt, timeComparisonFudge)
+
 			// Assert that nothing in storage has been modified.
 			newSecrets, err := secrets.List(context.Background(), metav1.ListOptions{})
 			require.NoError(t, err)