authenticate: fix user-info call for AWS cognito (#792)

2025-08-03 08:50:42 +02:00 · 2020-05-27 15:37:42 -06:00 · 2020-05-27 15:37:42 -06:00 · 988477c90d
commit 988477c90d
parent b16bc5e090
3 changed files with 140 additions and 1 deletions
--- a/internal/identity/oidc/userinfo_test.go
+++ b/internal/identity/oidc/userinfo_test.go
@ -0,0 +1,74 @@
+package oidc
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/coreos/go-oidc"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/oauth2"
+)
+
+func TestUserInfoRoundTrip(t *testing.T) {
+	var srv *httptest.Server
+	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/.well-known/openid-configuration":
+			w.Header().Set("Content-Type", "application/json")
+			io.WriteString(w, `
+            {
+                "authorization_endpoint": "`+srv.URL+`/oauth2/authorize",
+                "id_token_signing_alg_values_supported": [
+                    "RS256"
+                ],
+                "issuer": "`+srv.URL+`",
+                "jwks_uri": "`+srv.URL+`/.well-known/jwks.json",
+                "response_types_supported": [
+                    "code",
+                    "token"
+                ],
+                "scopes_supported": [
+                    "openid",
+                    "email",
+                    "phone",
+                    "profile"
+                ],
+                "subject_types_supported": [
+                    "public"
+                ],
+                "token_endpoint": "`+srv.URL+`/oauth2/token",
+                "token_endpoint_auth_methods_supported": [
+                    "client_secret_basic",
+                    "client_secret_post"
+                ],
+                "userinfo_endpoint": "`+srv.URL+`/oauth2/userInfo"
+            }`)
+		case "/oauth2/userInfo":
+			w.Header().Set("Content-Type", "application/json")
+			io.WriteString(w, `{ "email_verified": "true" }`)
+		}
+	}))
+	defer srv.Close()
+
+	provider, err := oidc.NewProvider(context.Background(), srv.URL)
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	token := oauth2.StaticTokenSource(&oauth2.Token{
+		AccessToken:  "access-token",
+		TokenType:    "Bearer",
+		RefreshToken: "refresh-token",
+		Expiry:       time.Now().Add(time.Minute),
+	})
+
+	userInfo, err := getUserInfo(context.Background(), provider, token)
+	if !assert.NoError(t, err) {
+		return
+	}
+	assert.True(t, userInfo.EmailVerified)
+}