Merge branch 'next-minor' into develop
This commit is contained in:
Dennis Schubert
commit
af1c992e01
2 changed files with 71 additions and 46 deletions
|
|
@ -125,6 +125,7 @@ module Api
|
||||||
session[:response_type] = @response_type
|
session[:response_type] = @response_type
|
||||||
session[:redirect_uri] = @redirect_uri
|
session[:redirect_uri] = @redirect_uri
|
||||||
session[:scopes] = scopes_as_space_seperated_values
|
session[:scopes] = scopes_as_space_seperated_values
|
||||||
|
session[:state] = params[:state]
|
||||||
session[:nonce] = params[:nonce]
|
session[:nonce] = params[:nonce]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -149,6 +150,7 @@ module Api
|
||||||
session.delete(:response_type)
|
session.delete(:response_type)
|
||||||
session.delete(:redirect_uri)
|
session.delete(:redirect_uri)
|
||||||
session.delete(:scopes)
|
session.delete(:scopes)
|
||||||
|
session.delete(:state)
|
||||||
session.delete(:nonce)
|
session.delete(:nonce)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -162,6 +164,7 @@ module Api
|
||||||
req.update_param("redirect_uri", session[:redirect_uri])
|
req.update_param("redirect_uri", session[:redirect_uri])
|
||||||
req.update_param("response_type", response_type_as_space_seperated_values)
|
req.update_param("response_type", response_type_as_space_seperated_values)
|
||||||
req.update_param("scope", session[:scopes])
|
req.update_param("scope", session[:scopes])
|
||||||
|
req.update_param("state", session[:state])
|
||||||
req.update_param("nonce", session[:nonce])
|
req.update_param("nonce", session[:nonce])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
describe Api::OpenidConnect::AuthorizationsController, type: :request do
|
||||||
let!(:client) { FactoryGirl.create(:o_auth_application) }
|
let!(:client) { FactoryGirl.create(:o_auth_application) }
|
||||||
let!(:client_with_xss) { FactoryGirl.create(:o_auth_application_with_xss) }
|
let!(:client_with_xss) { FactoryGirl.create(:o_auth_application_with_xss) }
|
||||||
let!(:client_with_multiple_redirects) { FactoryGirl.create(:o_auth_application_with_multiple_redirects) }
|
let!(:client_with_multiple_redirects) { FactoryGirl.create(:o_auth_application_with_multiple_redirects) }
|
||||||
|
|
@ -10,10 +10,10 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
describe "#new" do
|
describe "#new" do
|
||||||
context "when not yet authorized" do
|
context "when not yet authorized" do
|
||||||
context "when valid parameters are passed" do
|
context "when valid parameters are passed" do
|
||||||
render_views
|
|
||||||
context "as GET request" do
|
context "as GET request" do
|
||||||
it "should return a form page" do
|
it "should return a form page" do
|
||||||
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
get new_api_openid_connect_authorization_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
||||||
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
||||||
expect(response.body).to match("Diaspora Test Client")
|
expect(response.body).to match("Diaspora Test Client")
|
||||||
end
|
end
|
||||||
|
|
@ -21,7 +21,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "using claims" do
|
context "using claims" do
|
||||||
it "should return a form page" do
|
it "should return a form page" do
|
||||||
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
get new_api_openid_connect_authorization_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
||||||
scope: "openid", claims: "{\"userinfo\": {\"name\": {\"essential\": true}}}",
|
scope: "openid", claims: "{\"userinfo\": {\"name\": {\"essential\": true}}}",
|
||||||
nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
||||||
expect(response.body).to match("Diaspora Test Client")
|
expect(response.body).to match("Diaspora Test Client")
|
||||||
|
|
@ -36,7 +37,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
claims: {userinfo: {name: {essential: true}}}}
|
claims: {userinfo: {name: {essential: true}}}}
|
||||||
payload = JWT.encoded_payload(JSON.parse(payload_hash.to_json))
|
payload = JWT.encoded_payload(JSON.parse(payload_hash.to_json))
|
||||||
request_object = header + "." + payload + "."
|
request_object = header + "." + payload + "."
|
||||||
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
get new_api_openid_connect_authorization_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
||||||
scope: "openid", nonce: "hello", state: "hello", request: request_object
|
scope: "openid", nonce: "hello", state: "hello", request: request_object
|
||||||
expect(response.body).to match("Diaspora Test Client")
|
expect(response.body).to match("Diaspora Test Client")
|
||||||
end
|
end
|
||||||
|
|
@ -49,7 +51,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
response_type: "id_token", scope: "openid", nonce: "hello", state: "hello"}
|
response_type: "id_token", scope: "openid", nonce: "hello", state: "hello"}
|
||||||
payload = JWT.encoded_payload(JSON.parse(payload_hash.to_json))
|
payload = JWT.encoded_payload(JSON.parse(payload_hash.to_json))
|
||||||
request_object = header + "." + payload + "."
|
request_object = header + "." + payload + "."
|
||||||
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
get new_api_openid_connect_authorization_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
||||||
scope: "openid", nonce: "hello", state: "hello", request: request_object
|
scope: "openid", nonce: "hello", state: "hello", request: request_object
|
||||||
expect(response.body).to match("Diaspora Test Client")
|
expect(response.body).to match("Diaspora Test Client")
|
||||||
end
|
end
|
||||||
|
|
@ -57,7 +60,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "as POST request" do
|
context "as POST request" do
|
||||||
it "should return a form page" do
|
it "should return a form page" do
|
||||||
post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
post api_openid_connect_authorizations_new_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
||||||
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
||||||
expect(response.body).to match("Diaspora Test Client")
|
expect(response.body).to match("Diaspora Test Client")
|
||||||
end
|
end
|
||||||
|
|
@ -66,7 +70,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when client id is missing" do
|
context "when client id is missing" do
|
||||||
it "should return an bad request error" do
|
it "should return an bad request error" do
|
||||||
post :new, redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
post api_openid_connect_authorizations_new_path,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
||||||
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
||||||
expect(response.body).to include("The request was malformed")
|
expect(response.body).to include("The request was malformed")
|
||||||
end
|
end
|
||||||
|
|
@ -79,7 +84,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
# When client has only one redirect uri registered, only that redirect uri can be used. Hence,
|
# When client has only one redirect uri registered, only that redirect uri can be used. Hence,
|
||||||
# we should implicitly assume the client wants to use that registered URI.
|
# we should implicitly assume the client wants to use that registered URI.
|
||||||
# See https://github.com/nov/rack-oauth2/blob/master/lib/rack/oauth2/server/authorize.rb#L63
|
# See https://github.com/nov/rack-oauth2/blob/master/lib/rack/oauth2/server/authorize.rb#L63
|
||||||
post :new, client_id: client.client_id, response_type: "id_token",
|
post api_openid_connect_authorizations_new_path, client_id: client.client_id, response_type: "id_token",
|
||||||
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
||||||
expect(response.body).to match("Diaspora Test Client")
|
expect(response.body).to match("Diaspora Test Client")
|
||||||
end
|
end
|
||||||
|
|
@ -88,7 +93,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when multiple redirect URLs are pre-registered" do
|
context "when multiple redirect URLs are pre-registered" do
|
||||||
it "should return an invalid request error" do
|
it "should return an invalid request error" do
|
||||||
post :new, client_id: client_with_multiple_redirects.client_id, response_type: "id_token",
|
post api_openid_connect_authorizations_new_path, client_id: client_with_multiple_redirects.client_id,
|
||||||
|
response_type: "id_token",
|
||||||
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
||||||
expect(response.body).to include("The request was malformed")
|
expect(response.body).to include("The request was malformed")
|
||||||
end
|
end
|
||||||
|
|
@ -96,7 +102,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when redirect URI does not match pre-registered URIs" do
|
context "when redirect URI does not match pre-registered URIs" do
|
||||||
it "should return an invalid request error" do
|
it "should return an invalid request error" do
|
||||||
post :new, client_id: client.client_id, redirect_uri: "http://localhost:2000/",
|
post api_openid_connect_authorizations_new_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:2000/",
|
||||||
response_type: "id_token", scope: "openid", nonce: SecureRandom.hex(16)
|
response_type: "id_token", scope: "openid", nonce: SecureRandom.hex(16)
|
||||||
expect(response.body).to include("Invalid client id or redirect uri")
|
expect(response.body).to include("Invalid client id or redirect uri")
|
||||||
end
|
end
|
||||||
|
|
@ -104,7 +111,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when an unsupported scope is passed in" do
|
context "when an unsupported scope is passed in" do
|
||||||
it "should return an invalid scope error" do
|
it "should return an invalid scope error" do
|
||||||
post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
post api_openid_connect_authorizations_new_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
||||||
scope: "random", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
scope: "random", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
||||||
expect(response.body).to match("error=invalid_scope")
|
expect(response.body).to match("error=invalid_scope")
|
||||||
end
|
end
|
||||||
|
|
@ -112,7 +120,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when nonce is missing" do
|
context "when nonce is missing" do
|
||||||
it "should return an invalid request error" do
|
it "should return an invalid request error" do
|
||||||
post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/",
|
post api_openid_connect_authorizations_new_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/",
|
||||||
response_type: "id_token", scope: "openid", state: SecureRandom.hex(16)
|
response_type: "id_token", scope: "openid", state: SecureRandom.hex(16)
|
||||||
expect(response.location).to match("error=invalid_request")
|
expect(response.location).to match("error=invalid_request")
|
||||||
end
|
end
|
||||||
|
|
@ -120,7 +129,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when prompt is none" do
|
context "when prompt is none" do
|
||||||
it "should return an interaction required error" do
|
it "should return an interaction required error" do
|
||||||
post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/",
|
post api_openid_connect_authorizations_new_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/",
|
||||||
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "none"
|
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "none"
|
||||||
expect(response.body).to include("User must already be authorized when `prompt` is `none`")
|
expect(response.body).to include("User must already be authorized when `prompt` is `none`")
|
||||||
end
|
end
|
||||||
|
|
@ -132,7 +142,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return an interaction required error" do
|
it "should return an interaction required error" do
|
||||||
post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/",
|
post api_openid_connect_authorizations_new_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/",
|
||||||
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "none"
|
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "none"
|
||||||
expect(response.body).to include("User must already be logged in when `prompt` is `none`")
|
expect(response.body).to include("User must already be logged in when `prompt` is `none`")
|
||||||
end
|
end
|
||||||
|
|
@ -140,7 +151,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when prompt is none and consent" do
|
context "when prompt is none and consent" do
|
||||||
it "should return an interaction required error" do
|
it "should return an interaction required error" do
|
||||||
post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/",
|
post api_openid_connect_authorizations_new_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/",
|
||||||
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "none consent"
|
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "none consent"
|
||||||
expect(response.location).to match("error=invalid_request")
|
expect(response.location).to match("error=invalid_request")
|
||||||
end
|
end
|
||||||
|
|
@ -148,7 +160,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when prompt is select_account" do
|
context "when prompt is select_account" do
|
||||||
it "should return an account_selection_required error" do
|
it "should return an account_selection_required error" do
|
||||||
post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/",
|
post api_openid_connect_authorizations_new_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/",
|
||||||
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "select_account"
|
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "select_account"
|
||||||
expect(response.location).to match("error=account_selection_required")
|
expect(response.location).to match("error=account_selection_required")
|
||||||
expect(response.location).to match("state=1234")
|
expect(response.location).to match("state=1234")
|
||||||
|
|
@ -157,7 +170,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when prompt is none and client ID is invalid" do
|
context "when prompt is none and client ID is invalid" do
|
||||||
it "should return an account_selection_required error" do
|
it "should return an account_selection_required error" do
|
||||||
post :new, client_id: "random", redirect_uri: "http://localhost:3000/",
|
post api_openid_connect_authorizations_new_path, client_id: "random", redirect_uri: "http://localhost:3000/",
|
||||||
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "none"
|
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "none"
|
||||||
expect(response.body).to include("Invalid client id or redirect uri")
|
expect(response.body).to include("Invalid client id or redirect uri")
|
||||||
end
|
end
|
||||||
|
|
@ -165,7 +178,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when prompt is none and redirect URI does not match pre-registered URIs" do
|
context "when prompt is none and redirect URI does not match pre-registered URIs" do
|
||||||
it "should return an account_selection_required error" do
|
it "should return an account_selection_required error" do
|
||||||
post :new, client_id: client.client_id, redirect_uri: "http://randomuri:3000/",
|
post api_openid_connect_authorizations_new_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://randomuri:3000/",
|
||||||
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "none"
|
response_type: "id_token", scope: "openid", state: 1234, display: "page", prompt: "none"
|
||||||
expect(response.body).to include("Invalid client id or redirect uri")
|
expect(response.body).to include("Invalid client id or redirect uri")
|
||||||
end
|
end
|
||||||
|
|
@ -173,7 +187,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when XSS script is passed as name" do
|
context "when XSS script is passed as name" do
|
||||||
it "should escape html" do
|
it "should escape html" do
|
||||||
post :new, client_id: client_with_xss.client_id, redirect_uri: "http://localhost:3000/",
|
post api_openid_connect_authorizations_new_path, client_id: client_with_xss.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/",
|
||||||
response_type: "id_token", scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
response_type: "id_token", scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
|
||||||
expect(response.body).to_not include("<script>alert(0);</script>")
|
expect(response.body).to_not include("<script>alert(0);</script>")
|
||||||
end
|
end
|
||||||
|
|
@ -188,12 +203,13 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when valid parameters are passed" do
|
context "when valid parameters are passed" do
|
||||||
before do
|
before do
|
||||||
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
get new_api_openid_connect_authorization_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
||||||
scope: "openid", nonce: 413_093_098_3, state: 413_093_098_3
|
scope: "openid", nonce: 413_093_098_3, state: 413_093_098_3
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return the id token in a fragment" do
|
it "should return the id token in a fragment" do
|
||||||
expect(response.location).to have_content("id_token=")
|
expect(response.location).to include("id_token=")
|
||||||
encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
|
encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
|
||||||
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
|
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
|
||||||
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
|
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
|
||||||
|
|
@ -202,16 +218,17 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return the passed in state" do
|
it "should return the passed in state" do
|
||||||
expect(response.location).to have_content("state=4130930983")
|
expect(response.location).to include("state=4130930983")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context "when prompt is none" do
|
context "when prompt is none" do
|
||||||
it "should return the id token in a fragment" do
|
it "should return the id token in a fragment" do
|
||||||
post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/",
|
post api_openid_connect_authorizations_new_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/",
|
||||||
response_type: "id_token", scope: "openid", nonce: 413_093_098_3, state: 413_093_098_3,
|
response_type: "id_token", scope: "openid", nonce: 413_093_098_3, state: 413_093_098_3,
|
||||||
display: "page", prompt: "none"
|
display: "page", prompt: "none"
|
||||||
expect(response.location).to have_content("id_token=")
|
expect(response.location).to include("id_token=")
|
||||||
encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
|
encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
|
||||||
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
|
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
|
||||||
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
|
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
|
||||||
|
|
@ -222,7 +239,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when prompt contains consent" do
|
context "when prompt contains consent" do
|
||||||
it "should return a consent form page" do
|
it "should return a consent form page" do
|
||||||
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/",
|
get new_api_openid_connect_authorization_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/",
|
||||||
response_type: "id_token", scope: "openid", nonce: 413_093_098_3, state: 413_093_098_3,
|
response_type: "id_token", scope: "openid", nonce: 413_093_098_3, state: 413_093_098_3,
|
||||||
display: "page", prompt: "consent"
|
display: "page", prompt: "consent"
|
||||||
expect(response.body).to match("Diaspora Test Client")
|
expect(response.body).to match("Diaspora Test Client")
|
||||||
|
|
@ -231,7 +249,8 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when scopes are escalated" do
|
context "when scopes are escalated" do
|
||||||
before do
|
before do
|
||||||
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
get new_api_openid_connect_authorization_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
||||||
scope: "openid read", nonce: 413_093_098_3, state: 413_093_098_3
|
scope: "openid read", nonce: 413_093_098_3, state: 413_093_098_3
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -240,7 +259,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should overwrite old authorization scope after approval" do
|
it "should overwrite old authorization scope after approval" do
|
||||||
post :create, approve: "true"
|
post api_openid_connect_authorizations_path, approve: "true"
|
||||||
authorization_with_old_scope =
|
authorization_with_old_scope =
|
||||||
Api::OpenidConnect::Authorization.find_by_client_id_user_and_scopes(client.client_id, alice, ["openid"])
|
Api::OpenidConnect::Authorization.find_by_client_id_user_and_scopes(client.client_id, alice, ["openid"])
|
||||||
expect(authorization_with_old_scope).to be_nil
|
expect(authorization_with_old_scope).to be_nil
|
||||||
|
|
@ -252,13 +271,14 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
describe "#create" do
|
describe "#create" do
|
||||||
context "when id_token token" do
|
context "when id_token token" do
|
||||||
before do
|
before do
|
||||||
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token token",
|
get new_api_openid_connect_authorization_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "id_token token",
|
||||||
scope: "openid", nonce: 418_093_098_3, state: 418_093_098_3
|
scope: "openid", nonce: 418_093_098_3, state: 418_093_098_3
|
||||||
end
|
end
|
||||||
|
|
||||||
context "when authorization is approved" do
|
context "when authorization is approved" do
|
||||||
before do
|
before do
|
||||||
post :create, approve: "true"
|
post api_openid_connect_authorizations_path, approve: "true"
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return the id token in a fragment" do
|
it "should return the id token in a fragment" do
|
||||||
|
|
@ -282,17 +302,18 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "when id_token" do
|
context "when id_token" do
|
||||||
before do
|
before do
|
||||||
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
get new_api_openid_connect_authorization_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "id_token",
|
||||||
scope: "openid", nonce: 418_093_098_3, state: 418_093_098_3
|
scope: "openid", nonce: 418_093_098_3, state: 418_093_098_3
|
||||||
end
|
end
|
||||||
|
|
||||||
context "when authorization is approved" do
|
context "when authorization is approved" do
|
||||||
before do
|
before do
|
||||||
post :create, approve: "true"
|
post api_openid_connect_authorizations_path, approve: "true"
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return the id token in a fragment" do
|
it "should return the id token in a fragment" do
|
||||||
expect(response.location).to have_content("id_token=")
|
expect(response.location).to include("id_token=")
|
||||||
encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
|
encoded_id_token = response.location[/(?<=id_token=)[^&]+/]
|
||||||
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
|
decoded_token = OpenIDConnect::ResponseObject::IdToken.decode encoded_id_token,
|
||||||
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
|
Api::OpenidConnect::IdTokenConfig::PUBLIC_KEY
|
||||||
|
|
@ -301,56 +322,57 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return the passed in state" do
|
it "should return the passed in state" do
|
||||||
expect(response.location).to have_content("state=4180930983")
|
expect(response.location).to include("state=4180930983")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context "when authorization is denied" do
|
context "when authorization is denied" do
|
||||||
before do
|
before do
|
||||||
post :create, approve: "false"
|
post api_openid_connect_authorizations_path, approve: "false"
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return an error in the fragment" do
|
it "should return an error in the fragment" do
|
||||||
expect(response.location).to have_content("error=")
|
expect(response.location).to include("error=")
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should NOT contain a id token in the fragment" do
|
it "should NOT contain a id token in the fragment" do
|
||||||
expect(response.location).to_not have_content("id_token=")
|
expect(response.location).to_not include("id_token=")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context "when code" do
|
context "when code" do
|
||||||
before do
|
before do
|
||||||
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "code",
|
get new_api_openid_connect_authorization_path, client_id: client.client_id,
|
||||||
|
redirect_uri: "http://localhost:3000/", response_type: "code",
|
||||||
scope: "openid", nonce: 418_093_098_3, state: 418_093_098_3
|
scope: "openid", nonce: 418_093_098_3, state: 418_093_098_3
|
||||||
end
|
end
|
||||||
|
|
||||||
context "when authorization is approved" do
|
context "when authorization is approved" do
|
||||||
before do
|
before do
|
||||||
post :create, approve: "true"
|
post api_openid_connect_authorizations_path, approve: "true"
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return the code" do
|
it "should return the code" do
|
||||||
expect(response.location).to have_content("code")
|
expect(response.location).to include("code")
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return the passed in state" do
|
it "should return the passed in state" do
|
||||||
expect(response.location).to have_content("state=4180930983")
|
expect(response.location).to include("state=4180930983")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context "when authorization is denied" do
|
context "when authorization is denied" do
|
||||||
before do
|
before do
|
||||||
post :create, approve: "false"
|
post api_openid_connect_authorizations_path, approve: "false"
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should return an error" do
|
it "should return an error" do
|
||||||
expect(response.location).to have_content("error")
|
expect(response.location).to include("error")
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should NOT contain code" do
|
it "should NOT contain code" do
|
||||||
expect(response.location).to_not have_content("code")
|
expect(response.location).to_not include("code")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
@ -361,7 +383,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "with existent authorization" do
|
context "with existent authorization" do
|
||||||
before do
|
before do
|
||||||
delete :destroy, id: auth_with_read.id
|
delete api_openid_connect_authorization_path(auth_with_read.id)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "removes the authorization" do
|
it "removes the authorization" do
|
||||||
|
|
@ -371,7 +393,7 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
|
||||||
|
|
||||||
context "with non-existent authorization" do
|
context "with non-existent authorization" do
|
||||||
it "raises an error" do
|
it "raises an error" do
|
||||||
delete :destroy, id: 123_456_789
|
delete api_openid_connect_authorization_path(123_456_789)
|
||||||
expect(response).to redirect_to(api_openid_connect_user_applications_url)
|
expect(response).to redirect_to(api_openid_connect_user_applications_url)
|
||||||
expect(flash[:error]).to eq("The attempt to revoke the authorization with ID 123456789 failed")
|
expect(flash[:error]).to eq("The attempt to revoke the authorization with ID 123456789 failed")
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue