WIP: start to validate ID token returned from token endpoint
This won't compile, but we are passing this between two teammates. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
This commit is contained in:
parent
09e6c86c46
commit
9419b7392d
@ -21,6 +21,7 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
coreosoidc "github.com/coreos/go-oidc"
|
||||||
"github.com/ory/fosite"
|
"github.com/ory/fosite"
|
||||||
"github.com/ory/fosite/handler/openid"
|
"github.com/ory/fosite/handler/openid"
|
||||||
"github.com/ory/fosite/storage"
|
"github.com/ory/fosite/storage"
|
||||||
@ -360,7 +361,7 @@ func TestTokenEndpoint(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
oauthStore := storage.NewMemoryStore()
|
oauthStore := storage.NewMemoryStore()
|
||||||
oauthHelper, authCode := makeHappyOauthHelper(t, authRequest, oauthStore)
|
oauthHelper, authCode, jwtSigningKey := makeHappyOauthHelper(t, authRequest, oauthStore)
|
||||||
if test.storage != nil {
|
if test.storage != nil {
|
||||||
test.storage(t, oauthStore, authCode)
|
test.storage(t, oauthStore, authCode)
|
||||||
}
|
}
|
||||||
@ -390,6 +391,10 @@ func TestTokenEndpoint(t *testing.T) {
|
|||||||
requireValidAccessTokenStorage(t, m, oauthStore, wantOpenidScope)
|
requireValidAccessTokenStorage(t, m, oauthStore, wantOpenidScope)
|
||||||
requireInvalidPKCEStorage(t, code, oauthStore)
|
requireInvalidPKCEStorage(t, code, oauthStore)
|
||||||
requireValidOIDCStorage(t, m, code, oauthStore, wantOpenidScope)
|
requireValidOIDCStorage(t, m, code, oauthStore, wantOpenidScope)
|
||||||
|
|
||||||
|
if wantOpenidScope {
|
||||||
|
requireValidIDToken(t, m, jwtSigningKey)
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
require.JSONEq(t, test.wantExactBody, rsp.Body.String())
|
require.JSONEq(t, test.wantExactBody, rsp.Body.String())
|
||||||
}
|
}
|
||||||
@ -399,7 +404,7 @@ func TestTokenEndpoint(t *testing.T) {
|
|||||||
t.Run("auth code is used twice", func(t *testing.T) {
|
t.Run("auth code is used twice", func(t *testing.T) {
|
||||||
authRequest := deepCopyRequestForm(happyAuthRequest)
|
authRequest := deepCopyRequestForm(happyAuthRequest)
|
||||||
oauthStore := storage.NewMemoryStore()
|
oauthStore := storage.NewMemoryStore()
|
||||||
oauthHelper, authCode := makeHappyOauthHelper(t, authRequest, oauthStore)
|
oauthHelper, authCode, jwtSigningKey := makeHappyOauthHelper(t, authRequest, oauthStore)
|
||||||
subject := NewHandler(oauthHelper)
|
subject := NewHandler(oauthHelper)
|
||||||
|
|
||||||
req := httptest.NewRequest("POST", "/path/shouldn't/matter", happyBody(authCode).ReadCloser())
|
req := httptest.NewRequest("POST", "/path/shouldn't/matter", happyBody(authCode).ReadCloser())
|
||||||
@ -425,6 +430,7 @@ func TestTokenEndpoint(t *testing.T) {
|
|||||||
requireValidAccessTokenStorage(t, m, oauthStore, wantOpenidScope)
|
requireValidAccessTokenStorage(t, m, oauthStore, wantOpenidScope)
|
||||||
requireInvalidPKCEStorage(t, code, oauthStore)
|
requireInvalidPKCEStorage(t, code, oauthStore)
|
||||||
requireValidOIDCStorage(t, m, code, oauthStore, wantOpenidScope)
|
requireValidOIDCStorage(t, m, code, oauthStore, wantOpenidScope)
|
||||||
|
requireValidIDToken(t, m, jwtSigningKey)
|
||||||
|
|
||||||
// Second call - should be unsuccessful since auth code was already used.
|
// Second call - should be unsuccessful since auth code was already used.
|
||||||
//
|
//
|
||||||
@ -503,7 +509,7 @@ func makeHappyOauthHelper(
|
|||||||
t *testing.T,
|
t *testing.T,
|
||||||
authRequest *http.Request,
|
authRequest *http.Request,
|
||||||
store *storage.MemoryStore,
|
store *storage.MemoryStore,
|
||||||
) (fosite.OAuth2Provider, string) {
|
) (fosite.OAuth2Provider, string, *ecdsa.PrivateKey) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
|
||||||
jwtSigningKey := generateJWTSigningKey(t)
|
jwtSigningKey := generateJWTSigningKey(t)
|
||||||
@ -533,7 +539,7 @@ func makeHappyOauthHelper(
|
|||||||
authResponder, err := oauthHelper.NewAuthorizeResponse(ctx, authRequester, session)
|
authResponder, err := oauthHelper.NewAuthorizeResponse(ctx, authRequester, session)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
return oauthHelper, authResponder.GetCode()
|
return oauthHelper, authResponder.GetCode(), jwtSigningKey
|
||||||
}
|
}
|
||||||
|
|
||||||
func generateJWTSigningKey(t *testing.T) *ecdsa.PrivateKey {
|
func generateJWTSigningKey(t *testing.T) *ecdsa.PrivateKey {
|
||||||
@ -765,6 +771,23 @@ func requireValidAuthRequest(
|
|||||||
require.Equal(t, goodSubject, session.Subject)
|
require.Equal(t, goodSubject, session.Subject)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func requireValidIDToken(t *testing.T, body map[string]interface{}, jwtSigningKey *ecdsa.PrivateKey) {
|
||||||
|
idToken, ok := body["id_token"]
|
||||||
|
require.Truef(t, ok, "body did not contain 'id_token': %s", body)
|
||||||
|
idTokenString, ok := idToken.(string)
|
||||||
|
require.Truef(t, ok, "wanted id_token to be a string, but got %T", idToken)
|
||||||
|
|
||||||
|
// The go-oidc library will validate the signature and the client claim in the ID token.
|
||||||
|
keySet := newStaticKeySet(jwtSigningKey) // TODO: implement this static key set
|
||||||
|
verifyConfig := coreosoidc.Config{ClientID: goodClient, SupportedSigningAlgs: []string{coreosoidc.ES256}}
|
||||||
|
verifier := coreosoidc.NewVerifier(goodIssuer, keySet, &verifyConfig)
|
||||||
|
token, err := verifier.Verify(context.Background(), idTokenString)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
// TODO: we will need to validate all of the other claims!
|
||||||
|
_ = token
|
||||||
|
}
|
||||||
|
|
||||||
// TODO: de-dup me.
|
// TODO: de-dup me.
|
||||||
func requireEqualContentType(t *testing.T, actual string, expected string) {
|
func requireEqualContentType(t *testing.T, actual string, expected string) {
|
||||||
t.Helper()
|
t.Helper()
|
||||||
|
Loading…
Reference in New Issue
Block a user