Update ID token tests for latest Fosite.
The new version has different behavior for the `nonce` claim, which is now omitted if it would be empty (see https://github.com/ory/fosite/pull/570). Signed-off-by: Matt Moyer <moyerm@vmware.com>
This commit is contained in:
parent
87c7e89b13
commit
e25de9e559
@ -799,7 +799,7 @@ func TestTokenExchange(t *testing.T) {
|
|||||||
require.NoError(t, json.Unmarshal(parsedJWT.UnsafePayloadWithoutVerification(), &tokenClaims))
|
require.NoError(t, json.Unmarshal(parsedJWT.UnsafePayloadWithoutVerification(), &tokenClaims))
|
||||||
|
|
||||||
// Make sure that these are the only fields in the token.
|
// Make sure that these are the only fields in the token.
|
||||||
idTokenFields := []string{"sub", "aud", "iss", "jti", "nonce", "auth_time", "exp", "iat", "rat", "groups", "username"}
|
idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat", "groups", "username"}
|
||||||
require.ElementsMatch(t, idTokenFields, getMapKeys(tokenClaims))
|
require.ElementsMatch(t, idTokenFields, getMapKeys(tokenClaims))
|
||||||
|
|
||||||
// Assert that the returned token has expected claims values.
|
// Assert that the returned token has expected claims values.
|
||||||
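Review bot: The shortened `idTokenFields` list is now the only place this test pins that a token-exchange ID token carries no `nonce`, yet the list itself gives no hint that the omission is deliberate (the explanatory comment that used to sit next to the `nonce` assertion further down the function is no longer there). Add it next to the list: `// No "nonce": only the ID token minted during the authcode exchange carries the request nonce, and current fosite omits the claim rather than emitting an empty string.` Because `require.ElementsMatch` checks the exact key set, this list is what proves the exchanged token does not carry the claim, so the intent is worth stating where the list lives. TestTokenExchange starts and ends outside this hunk.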
@ -808,7 +808,6 @@ func TestTokenExchange(t *testing.T) {
|
|||||||
require.NotEmpty(t, tokenClaims["exp"])
|
require.NotEmpty(t, tokenClaims["exp"])
|
||||||
require.NotEmpty(t, tokenClaims["iat"])
|
require.NotEmpty(t, tokenClaims["iat"])
|
||||||
require.NotEmpty(t, tokenClaims["rat"])
|
require.NotEmpty(t, tokenClaims["rat"])
|
||||||
require.Empty(t, tokenClaims["nonce"]) // ID tokens only contain nonce during an authcode exchange
|
|
||||||
require.Len(t, tokenClaims["aud"], 1)
|
require.Len(t, tokenClaims["aud"], 1)
|
||||||
require.Contains(t, tokenClaims["aud"], test.requestedAudience)
|
require.Contains(t, tokenClaims["aud"], test.requestedAudience)
|
||||||
require.Equal(t, goodSubject, tokenClaims["sub"])
|
require.Equal(t, goodSubject, tokenClaims["sub"])
|
||||||
@ -1717,10 +1716,13 @@ func requireValidIDToken(
|
|||||||
// Note that there is a bug in fosite which prevents the `at_hash` claim from appearing in this ID token
|
// Note that there is a bug in fosite which prevents the `at_hash` claim from appearing in this ID token
|
||||||
// during the initial authcode exchange, but does not prevent `at_hash` from appearing in the refreshed ID token.
|
// during the initial authcode exchange, but does not prevent `at_hash` from appearing in the refreshed ID token.
|
||||||
// We can add a workaround for this later.
|
// We can add a workaround for this later.
|
||||||
idTokenFields := []string{"sub", "aud", "iss", "jti", "nonce", "auth_time", "exp", "iat", "rat", "groups", "username"}
|
idTokenFields := []string{"sub", "aud", "iss", "jti", "auth_time", "exp", "iat", "rat", "groups", "username"}
|
||||||
if wantAtHashClaimInIDToken {
|
if wantAtHashClaimInIDToken {
|
||||||
idTokenFields = append(idTokenFields, "at_hash")
|
idTokenFields = append(idTokenFields, "at_hash")
|
||||||
}
|
}
|
||||||
|
if wantNonceValueInIDToken {
|
||||||
|
idTokenFields = append(idTokenFields, "nonce")
|
||||||
|
}
|
||||||
|
|
||||||
// make sure that these are the only fields in the token
|
// make sure that these are the only fields in the token
|
||||||
var m map[string]interface{}
|
var m map[string]interface{}
|
||||||
|
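Review bot: The new `wantNonceValueInIDToken` branch only adds `"nonce"` to the expected key set; the comparison of the claim's value against the nonce sent in the authorization request, which is what gives the claim its replay-protection meaning (OIDC Core §3.1.3.7), is not visible in this hunk. If requireValidIDToken does not already assert it below, add `require.Equal(t, <nonce from the authorize request>, m["nonce"])` under the new `if`, with `m` being the claims map declared at the end of the hunk. With `require.ElementsMatch` on the exact key set, the false branch now positively proves that refreshed ID tokens omit the claim entirely, which is stronger than the previous unconditional `"nonce"` entry that also accepted an empty string. A short comment on the branch would help: `// Only the ID token minted in the authcode exchange carries the request nonce; newer fosite omits the claim instead of emitting "".` requireValidIDToken's signature and the rest of its body are outside this hunk.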
@ -408,10 +408,11 @@ func testSupervisorLogin(
|
|||||||
refreshedTokenResponse, err := refreshSource.Token()
|
refreshedTokenResponse, err := refreshSource.Token()
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
expectedIDTokenClaims = append(expectedIDTokenClaims, "at_hash")
|
// When refreshing, expect to get an "at_hash" claim, but no "nonce" claim.
|
||||||
|
expectRefreshedIDTokenClaims := []string{"iss", "exp", "sub", "aud", "auth_time", "iat", "jti", "rat", "username", "groups", "at_hash"}
|
||||||
verifyTokenResponse(t,
|
verifyTokenResponse(t,
|
||||||
refreshedTokenResponse, discovery, downstreamOAuth2Config, "",
|
refreshedTokenResponse, discovery, downstreamOAuth2Config, "",
|
||||||
expectedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch, wantDownstreamIDTokenGroups)
|
expectRefreshedIDTokenClaims, wantDownstreamIDTokenSubjectToMatch, wantDownstreamIDTokenUsernameToMatch, wantDownstreamIDTokenGroups)
|
||||||
|
|
||||||
require.NotEqual(t, tokenResponse.AccessToken, refreshedTokenResponse.AccessToken)
|
require.NotEqual(t, tokenResponse.AccessToken, refreshedTokenResponse.AccessToken)
|
||||||
require.NotEqual(t, tokenResponse.RefreshToken, refreshedTokenResponse.RefreshToken)
|
require.NotEqual(t, tokenResponse.RefreshToken, refreshedTokenResponse.RefreshToken)
|
||||||
|
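Review bot: `expectRefreshedIDTokenClaims` is a second hand-written literal of the claim set rather than being derived from `expectedIDTokenClaims` (presumably built earlier in testSupervisorLogin, outside this hunk), so a claim added to the login expectations later will not automatically be expected on the refreshed token and the two lists can drift apart. Consider deriving it instead: a short loop that copies every entry of `expectedIDTokenClaims` except `"nonce"` into a fresh slice and then appends `"at_hash"`, so the refresh path only spells out the two claims that differ, and the comment above it stays accurate by construction. Building a fresh slice also keeps the original list unmodified, which matters if it is used again after this point. testSupervisorLogin starts and ends outside this hunk.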