Bumps the go group with 24 updates: | Package | From | To | | --- | --- | --- | | [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) | `1.53.0` | `1.55.0` | | [github.com/VictoriaMetrics/fastcache](https://github.com/VictoriaMetrics/fastcache) | `1.12.2` | `1.12.4` | | [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.79.3` | `1.80.0` | | [github.com/docker/docker](https://github.com/docker/docker) | `28.1.1+incompatible` | `28.2.2+incompatible` | | [github.com/exaring/otelpgx](https://github.com/exaring/otelpgx) | `0.9.1` | `0.9.3` | | [github.com/google/go-jsonnet](https://github.com/google/go-jsonnet) | `0.20.0` | `0.21.0` | | [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) | `5.7.4` | `5.7.5` | | [github.com/miekg/dns](https://github.com/miekg/dns) | `1.1.65` | `1.1.66` | | [github.com/minio/minio-go/v7](https://github.com/minio/minio-go) | `7.0.91` | `7.0.92` | | [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) | `1.4.2` | `1.5.0` | | [github.com/pires/go-proxyproto](https://github.com/pires/go-proxyproto) | `0.8.0` | `0.8.1` | | [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) | `0.51.0` | `0.52.0` | | [go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` | | [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` | | [go.opentelemetry.io/contrib/propagators/autoprop](https://github.com/open-telemetry/opentelemetry-go-contrib) | `0.60.0` | `0.61.0` | | [go.opentelemetry.io/otel/bridge/opencensus](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | 
[go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) | `1.35.0` | `1.36.0` | | [go.opentelemetry.io/proto/otlp](https://github.com/open-telemetry/opentelemetry-proto-go) | `1.6.0` | `1.7.0` | | [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.230.0` | `0.235.0` | | [google.golang.org/genproto/googleapis/rpc](https://github.com/googleapis/go-genproto) | `0.0.0-20250428153025-10db94c68c34` | `0.0.0-20250528174236-200df99c418a` | | [google.golang.org/grpc](https://github.com/grpc/grpc-go) | `1.72.0` | `1.72.2` | Updates `cloud.google.com/go/storage` from 1.53.0 to 1.55.0 - [Release notes](https://github.com/googleapis/google-cloud-go/releases) - [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md) - [Commits](googleapis/google-cloud-go@spanner/v1.53.0...spanner/v1.55.0) Updates `github.com/VictoriaMetrics/fastcache` from 1.12.2 to 1.12.4 - [Release notes](https://github.com/VictoriaMetrics/fastcache/releases) - [Commits](VictoriaMetrics/fastcache@v1.12.2...v1.12.4) Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.79.3 to 1.80.0 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.79.3...service/s3/v1.80.0) Updates `github.com/docker/docker` from 28.1.1+incompatible to 28.2.2+incompatible - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v28.1.1...v28.2.2) Updates `github.com/exaring/otelpgx` from 0.9.1 to 0.9.3 - [Release notes](https://github.com/exaring/otelpgx/releases) - 
[Commits](exaring/otelpgx@v0.9.1...v0.9.3) Updates `github.com/google/go-jsonnet` from 0.20.0 to 0.21.0 - [Release notes](https://github.com/google/go-jsonnet/releases) - [Changelog](https://github.com/google/go-jsonnet/blob/master/.goreleaser.yml) - [Commits](google/go-jsonnet@v0.20.0...v0.21.0) Updates `github.com/jackc/pgx/v5` from 5.7.4 to 5.7.5 - [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md) - [Commits](jackc/pgx@v5.7.4...v5.7.5) Updates `github.com/miekg/dns` from 1.1.65 to 1.1.66 - [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release) - [Commits](miekg/dns@v1.1.65...v1.1.66) Updates `github.com/minio/minio-go/v7` from 7.0.91 to 7.0.92 - [Release notes](https://github.com/minio/minio-go/releases) - [Commits](minio/minio-go@v7.0.91...v7.0.92) Updates `github.com/open-policy-agent/opa` from 1.4.2 to 1.5.0 - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](open-policy-agent/opa@v1.4.2...v1.5.0) Updates `github.com/pires/go-proxyproto` from 0.8.0 to 0.8.1 - [Release notes](https://github.com/pires/go-proxyproto/releases) - [Commits](pires/go-proxyproto@v0.8.0...v0.8.1) Updates `github.com/quic-go/quic-go` from 0.51.0 to 0.52.0 - [Release notes](https://github.com/quic-go/quic-go/releases) - [Commits](quic-go/quic-go@v0.51.0...v0.52.0) Updates `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc` from 0.60.0 to 0.61.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0) Updates `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp` from 0.60.0 to 0.61.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - 
[Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0) Updates `go.opentelemetry.io/contrib/propagators/autoprop` from 0.60.0 to 0.61.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go-contrib@zpages/v0.60.0...zpages/v0.61.0) Updates `go.opentelemetry.io/otel/bridge/opencensus` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` from 1.35.0 to 1.36.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - 
[Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](open-telemetry/opentelemetry-go@v1.35.0...v1.36.0) Updates `go.opentelemetry.io/proto/otlp` from 1.6.0 to 1.7.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-proto-go/releases) - [Commits](open-telemetry/opentelemetry-proto-go@v1.6.0...v1.7.0) Updates `google.golang.org/api` from 0.230.0 to 0.235.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](googleapis/google-api-go-client@v0.230.0...v0.235.0) Updates `google.golang.org/genproto/googleapis/rpc` from 0.0.0-20250428153025-10db94c68c34 to 0.0.0-20250528174236-200df99c418a - [Commits](https://github.com/googleapis/go-genproto/commits) Updates `google.golang.org/grpc` from 1.72.0 to 1.72.2 - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.72.0...v1.72.2) --- updated-dependencies: - dependency-name: cloud.google.com/go/storage dependency-version: 1.55.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/VictoriaMetrics/fastcache dependency-version: 1.12.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/service/s3 dependency-version: 1.80.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/docker/docker dependency-version: 28.2.2+incompatible dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/exaring/otelpgx dependency-version: 0.9.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/google/go-jsonnet dependency-version: 0.21.0 
dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/jackc/pgx/v5 dependency-version: 5.7.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/miekg/dns dependency-version: 1.1.66 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/minio/minio-go/v7 dependency-version: 7.0.92 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/open-policy-agent/opa dependency-version: 1.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: github.com/pires/go-proxyproto dependency-version: 0.8.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/quic-go/quic-go dependency-version: 0.52.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc dependency-version: 0.61.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency-version: 0.61.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/contrib/propagators/autoprop dependency-version: 0.61.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/bridge/opencensus dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: 
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp dependency-version: 1.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/proto/otlp dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: google.golang.org/api dependency-version: 0.235.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: google.golang.org/genproto/googleapis/rpc dependency-version: 0.0.0-20250528174236-200df99c418a dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: google.golang.org/grpc dependency-version: 1.72.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] <support@github.com>
package oidc_test
import (
"context"
"crypto/rand"
"crypto/rsa"
"encoding/json"
"net/http"
"net/http/httptest"
"net/url"
"testing"
"time"
"github.com/go-jose/go-jose/v3"
"github.com/go-jose/go-jose/v3/jwt"
"github.com/google/uuid"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"golang.org/x/oauth2"
"github.com/pomerium/pomerium/internal/testutil"
"github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/identity/oauth"
"github.com/pomerium/pomerium/pkg/identity/oidc"
)
// Claims is the identity.State implementation used by these tests.
// (identity.Claims cannot be used directly because it would cause an
// import cycle.)
type Claims map[string]any

// SetRawIDToken stores the raw ID token under the "RawIDToken" key,
// allocating the underlying map on first use so a zero Claims is usable.
func (c *Claims) SetRawIDToken(idToken string) {
	m := *c
	if m == nil {
		m = make(map[string]any)
		*c = m
	}
	m["RawIDToken"] = idToken
}
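// TestSignIn checks that SignIn redirects the browser to the provider's
// authorization_endpoint with the expected query parameters, including the
// extra AuthCodeOptions configured on the provider.
func TestSignIn(t *testing.T) {
	ctx, clearTimeout := context.WithTimeout(t.Context(), time.Second*10)
	t.Cleanup(clearTimeout)

	redirectURL, err := url.Parse("https://localhost/oauth2/callback")
	require.NoError(t, err)

	// The fake provider only serves discovery; any other request fails the test.
	var srv *httptest.Server
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		baseURL, err := url.Parse(srv.URL)
		// Handlers run on the server's goroutine, where FailNow (require) is
		// not permitted; record the failure with assert and stop instead.
		if !assert.NoError(t, err) {
			w.WriteHeader(http.StatusInternalServerError)
			return
		}

		w.Header().Set("Content-Type", "application/json")
		switch r.URL.Path {
		case "/.well-known/openid-configuration":
			assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
				"issuer": baseURL.String(),
				"authorization_endpoint": baseURL.ResolveReference(&url.URL{
					Path: "/login",
				}).String(),
			}))
		default:
			assert.Failf(t, "unexpected http request", "url: %s", r.URL.String())
		}
	})
	srv = httptest.NewServer(handler)
	t.Cleanup(srv.Close)

	p, err := oidc.New(ctx, &oauth.Options{
		ProviderURL:  srv.URL,
		RedirectURL:  redirectURL,
		ClientID:     "CLIENT_ID",
		ClientSecret: "CLIENT_SECRET",
		AuthCodeOptions: map[string]string{
			"custom_1": "foo",
			"custom_2": "bar",
		},
	})
	require.NoError(t, err)
	require.NotNil(t, p)

	rec := httptest.NewRecorder()
	err = p.SignIn(rec, httptest.NewRequest(http.MethodGet, "/", nil), "STATE")
	require.NoError(t, err)
	res := rec.Result()
	assert.Equal(t, http.StatusFound, res.StatusCode)
	location, err := url.Parse(res.Header.Get("Location"))
	require.NoError(t, err)
	assert.Equal(t, srv.URL, "http://"+location.Host)
	assert.Equal(t, "/login", location.Path)
	// The state value must be forwarded unchanged; it is what the callback
	// later uses to tie the response back to this sign-in.
	assert.Equal(t, url.Values{
		"client_id":     {"CLIENT_ID"},
		"custom_1":      {"foo"},
		"custom_2":      {"bar"},
		"redirect_uri":  {"https://localhost/oauth2/callback"},
		"response_type": {"code"},
		"scope":         {"openid profile email offline_access"},
		"state":         {"STATE"},
	}, location.Query())
}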
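// TestSignOut checks that SignOut redirects to the provider's
// end_session_endpoint carrying the id_token_hint and the post-logout
// redirect URI.
func TestSignOut(t *testing.T) {
	ctx, clearTimeout := context.WithTimeout(t.Context(), time.Second*10)
	t.Cleanup(clearTimeout)

	redirectURL, err := url.Parse("https://localhost/oauth2/callback")
	require.NoError(t, err)

	var srv *httptest.Server
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		baseURL, err := url.Parse(srv.URL)
		// Handlers run on the server's goroutine, where FailNow (require) is
		// not permitted; record the failure with assert and stop instead.
		if !assert.NoError(t, err) {
			w.WriteHeader(http.StatusInternalServerError)
			return
		}

		w.Header().Set("Content-Type", "application/json")
		switch r.URL.Path {
		case "/.well-known/openid-configuration":
			assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
				"issuer": baseURL.String(),
				"end_session_endpoint": baseURL.ResolveReference(&url.URL{
					Path: "/logout",
				}).String(),
				"frontchannel_logout_supported": true,
			}))
		default:
			assert.Failf(t, "unexpected http request", "url: %s", r.URL.String())
		}
	})
	srv = httptest.NewServer(handler)
	t.Cleanup(srv.Close)

	p, err := oidc.New(ctx, &oauth.Options{
		ProviderURL:  srv.URL,
		RedirectURL:  redirectURL,
		ClientID:     "CLIENT_ID",
		ClientSecret: "CLIENT_SECRET",
	})
	require.NoError(t, err)
	require.NotNil(t, p)

	rec := httptest.NewRecorder()
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	err = p.SignOut(rec, r, "ID_TOKEN", "", "https://localhost/redirect")
	require.NoError(t, err)
	res := rec.Result()
	assert.Equal(t, http.StatusFound, res.StatusCode)
	location, err := url.Parse(res.Header.Get("Location"))
	require.NoError(t, err)
	assert.Equal(t, srv.URL, "http://"+location.Host)
	assert.Equal(t, "/logout", location.Path)
	assert.Equal(t, url.Values{
		"client_id":                {"CLIENT_ID"},
		"id_token_hint":            {"ID_TOKEN"},
		"post_logout_redirect_uri": {"https://localhost/redirect"},
	}, location.Query())
}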
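// TestAuthenticate exercises the authorization-code exchange against a fake
// provider that serves discovery, a JWKS, a token endpoint and a userinfo
// endpoint. It checks the returned oauth2 token and that the claims merge
// the signed ID token with the userinfo response.
func TestAuthenticate(t *testing.T) {
	ctx, clearTimeout := context.WithTimeout(t.Context(), time.Second*10)
	t.Cleanup(clearTimeout)

	redirectURL, err := url.Parse("https://localhost/oauth2/callback")
	require.NoError(t, err)

	jwtSigner, jwks := setupJWTSigning(t)
	iat := time.Now()
	exp := iat.Add(time.Hour)
	jti := uuid.NewString()

	// Set by the fake token endpoint so the test can compare the raw ID token
	// stored in the claims with the one that was actually issued.
	var expectedIDToken string

	var srv *httptest.Server
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		baseURL, err := url.Parse(srv.URL)
		// Handlers run on the server's goroutine, where FailNow (require) is
		// not permitted; record the failure with assert and stop instead.
		if !assert.NoError(t, err) {
			w.WriteHeader(http.StatusInternalServerError)
			return
		}

		w.Header().Set("Content-Type", "application/json")
		switch r.URL.Path {
		case "/.well-known/openid-configuration":
			assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
				"issuer": baseURL.String(),
				"jwks_uri": baseURL.ResolveReference(&url.URL{
					Path: "/jwks",
				}).String(),
				"token_endpoint": baseURL.ResolveReference(&url.URL{
					Path: "/token",
				}).String(),
				"userinfo_endpoint": baseURL.ResolveReference(&url.URL{
					Path: "/userinfo",
				}).String(),
			}))
		case "/jwks":
			assert.NoError(t, json.NewEncoder(w).Encode(jwks))
		case "/token":
			// The client must authenticate with HTTP Basic and echo back the
			// same redirect_uri it used when starting the flow.
			username, password, _ := r.BasicAuth()
			assert.Equal(t, "CLIENT_ID", username)
			assert.Equal(t, "CLIENT_SECRET", password)
			assert.Equal(t, "authorization_code", r.FormValue("grant_type"))
			assert.Equal(t, "CODE", r.FormValue("code"))
			assert.Equal(t, redirectURL.String(), r.FormValue("redirect_uri"))

			// Issue an ID token signed by the key published in the JWKS, with
			// issuer and audience matching what the provider is configured with.
			idToken, err := jwt.Signed(jwtSigner).Claims(jwt.Claims{
				Issuer:    srv.URL,
				Subject:   "USER_ID",
				Audience:  jwt.Audience{"CLIENT_ID"},
				Expiry:    jwt.NewNumericDate(exp),
				NotBefore: jwt.NewNumericDate(iat),
				IssuedAt:  jwt.NewNumericDate(iat),
				ID:        jti,
			}).CompactSerialize()
			if !assert.NoError(t, err) {
				w.WriteHeader(http.StatusInternalServerError)
				return
			}
			expectedIDToken = idToken

			assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
				"access_token":  "ACCESS_TOKEN",
				"token_type":    "Bearer",
				"refresh_token": "REFRESH_TOKEN",
				"expires_in":    3600,
				"id_token":      idToken,
			}))
		case "/userinfo":
			assert.Equal(t, "Bearer ACCESS_TOKEN", r.Header.Get("Authorization"))

			assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
				"sub":   "USER_ID",
				"name":  "John Doe",
				"email": "john.doe@example.com",
			}))
		default:
			assert.Failf(t, "unexpected http request", "url: %s", r.URL.String())
		}
	})
	srv = httptest.NewServer(handler)
	t.Cleanup(srv.Close)

	p, err := oidc.New(ctx, &oauth.Options{
		ProviderURL:  srv.URL,
		RedirectURL:  redirectURL,
		ClientID:     "CLIENT_ID",
		ClientSecret: "CLIENT_SECRET",
	})
	require.NoError(t, err)
	require.NotNil(t, p)

	var claims Claims
	oauthToken, err := p.Authenticate(ctx, "CODE", &claims)
	require.NoError(t, err)
	assert.Equal(t, "ACCESS_TOKEN", oauthToken.AccessToken)
	assert.Equal(t, "REFRESH_TOKEN", oauthToken.RefreshToken)
	assert.Equal(t, "Bearer", oauthToken.TokenType)
	// exp/nbf/iat are expected as float64, matching the type the provider
	// produces for numeric claims (presumably from JSON decoding of the token).
	assert.Equal(t, Claims{
		"iss":        srv.URL,
		"sub":        "USER_ID",
		"aud":        "CLIENT_ID",
		"exp":        float64(exp.Unix()),
		"nbf":        float64(iat.Unix()),
		"iat":        float64(iat.Unix()),
		"jti":        jti,
		"name":       "John Doe",
		"email":      "john.doe@example.com",
		"RawIDToken": expectedIDToken,
	}, claims)
}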
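// TestRefresh_WithIDToken checks the refresh_token grant when the provider
// returns a new ID token alongside a rotated refresh token: the new oauth2
// token is returned and the claims are populated from the ID token.
func TestRefresh_WithIDToken(t *testing.T) {
	ctx, clearTimeout := context.WithTimeout(t.Context(), time.Second*10)
	t.Cleanup(clearTimeout)

	redirectURL, err := url.Parse("https://localhost/oauth2/callback")
	require.NoError(t, err)

	jwtSigner, jwks := setupJWTSigning(t)
	iat := time.Now()
	exp := iat.Add(time.Hour)
	jti := uuid.NewString()

	// Set by the fake token endpoint so the test can compare the raw ID token
	// stored in the claims with the one that was actually issued.
	var expectedIDToken string

	var srv *httptest.Server
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		baseURL, err := url.Parse(srv.URL)
		// Handlers run on the server's goroutine, where FailNow (require) is
		// not permitted; record the failure with assert and stop instead.
		if !assert.NoError(t, err) {
			w.WriteHeader(http.StatusInternalServerError)
			return
		}

		w.Header().Set("Content-Type", "application/json")
		switch r.URL.Path {
		case "/.well-known/openid-configuration":
			assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
				"issuer": baseURL.String(),
				"jwks_uri": baseURL.ResolveReference(&url.URL{
					Path: "/jwks",
				}).String(),
				"token_endpoint": baseURL.ResolveReference(&url.URL{
					Path: "/token",
				}).String(),
			}))
		case "/jwks":
			assert.NoError(t, json.NewEncoder(w).Encode(jwks))
		case "/token":
			// The client must authenticate with HTTP Basic and present the
			// refresh token it was previously handed.
			username, password, _ := r.BasicAuth()
			assert.Equal(t, "CLIENT_ID", username)
			assert.Equal(t, "CLIENT_SECRET", password)
			assert.Equal(t, "refresh_token", r.FormValue("grant_type"))
			assert.Equal(t, "EXISTING_REFRESH_TOKEN", r.FormValue("refresh_token"))

			idToken, err := jwt.Signed(jwtSigner).Claims(jwt.Claims{
				Issuer:    srv.URL,
				Subject:   "USER_ID",
				Audience:  jwt.Audience{"CLIENT_ID"},
				Expiry:    jwt.NewNumericDate(exp),
				NotBefore: jwt.NewNumericDate(iat),
				IssuedAt:  jwt.NewNumericDate(iat),
				ID:        jti,
			}).CompactSerialize()
			if !assert.NoError(t, err) {
				w.WriteHeader(http.StatusInternalServerError)
				return
			}
			expectedIDToken = idToken

			assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
				"access_token":  "ACCESS_TOKEN",
				"token_type":    "Bearer",
				"refresh_token": "NEW_REFRESH_TOKEN", // some providers do rotate refresh tokens
				"expires_in":    3600,
				"id_token":      idToken,
			}))
		default:
			assert.Failf(t, "unexpected http request", "url: %s", r.URL.String())
		}
	})
	srv = httptest.NewServer(handler)
	t.Cleanup(srv.Close)

	p, err := oidc.New(ctx, &oauth.Options{
		ProviderURL:  srv.URL,
		RedirectURL:  redirectURL,
		ClientID:     "CLIENT_ID",
		ClientSecret: "CLIENT_SECRET",
	})
	require.NoError(t, err)
	require.NotNil(t, p)

	var claims Claims
	existingToken := &oauth2.Token{
		RefreshToken: "EXISTING_REFRESH_TOKEN",
	}
	newToken, err := p.Refresh(ctx, existingToken, &claims)
	require.NoError(t, err)
	assert.Equal(t, "ACCESS_TOKEN", newToken.AccessToken)
	// The rotated refresh token must replace the old one, otherwise the next
	// refresh would reuse a token the provider may already have invalidated.
	assert.Equal(t, "NEW_REFRESH_TOKEN", newToken.RefreshToken)
	assert.Equal(t, "Bearer", newToken.TokenType)
	// exp/nbf/iat are expected as float64, matching the type the provider
	// produces for numeric claims (presumably from JSON decoding of the token).
	assert.Equal(t, Claims{
		"iss":        srv.URL,
		"sub":        "USER_ID",
		"aud":        "CLIENT_ID",
		"exp":        float64(exp.Unix()),
		"nbf":        float64(iat.Unix()),
		"iat":        float64(iat.Unix()),
		"jti":        jti,
		"RawIDToken": expectedIDToken,
	}, claims)
}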
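// TestRefresh_WithoutIDToken checks the refresh_token grant when the
// provider's response carries no id_token: the new oauth2 token is returned
// and the claims are left empty rather than being invented.
func TestRefresh_WithoutIDToken(t *testing.T) {
	ctx, clearTimeout := context.WithTimeout(t.Context(), time.Second*10)
	t.Cleanup(clearTimeout)

	redirectURL, err := url.Parse("https://localhost/oauth2/callback")
	require.NoError(t, err)

	var srv *httptest.Server
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		baseURL, err := url.Parse(srv.URL)
		// Handlers run on the server's goroutine, where FailNow (require) is
		// not permitted; record the failure with assert and stop instead.
		if !assert.NoError(t, err) {
			w.WriteHeader(http.StatusInternalServerError)
			return
		}

		w.Header().Set("Content-Type", "application/json")
		switch r.URL.Path {
		case "/.well-known/openid-configuration":
			// No jwks_uri is advertised: nothing in this flow needs to be verified.
			assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
				"issuer": baseURL.String(),
				"token_endpoint": baseURL.ResolveReference(&url.URL{
					Path: "/token",
				}).String(),
			}))
		case "/token":
			username, password, _ := r.BasicAuth()
			assert.Equal(t, "CLIENT_ID", username)
			assert.Equal(t, "CLIENT_SECRET", password)
			assert.Equal(t, "refresh_token", r.FormValue("grant_type"))
			assert.Equal(t, "EXISTING_REFRESH_TOKEN", r.FormValue("refresh_token"))

			assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
				"access_token":  "ACCESS_TOKEN",
				"token_type":    "Bearer",
				"refresh_token": "NEW_REFRESH_TOKEN",
				"expires_in":    3600,
			}))
		default:
			assert.Failf(t, "unexpected http request", "url: %s", r.URL.String())
		}
	})
	srv = httptest.NewServer(handler)
	t.Cleanup(srv.Close)

	p, err := oidc.New(ctx, &oauth.Options{
		ProviderURL:  srv.URL,
		RedirectURL:  redirectURL,
		ClientID:     "CLIENT_ID",
		ClientSecret: "CLIENT_SECRET",
	})
	require.NoError(t, err)
	require.NotNil(t, p)

	var claims Claims
	existingToken := &oauth2.Token{
		RefreshToken: "EXISTING_REFRESH_TOKEN",
	}
	newToken, err := p.Refresh(ctx, existingToken, &claims)
	require.NoError(t, err)
	assert.Equal(t, "ACCESS_TOKEN", newToken.AccessToken)
	assert.Equal(t, "NEW_REFRESH_TOKEN", newToken.RefreshToken)
	assert.Equal(t, "Bearer", newToken.TokenType)
	assert.Empty(t, claims)
}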
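// TestRevoke checks that Revoke posts the access token to the provider's
// revocation_endpoint with the client credentials in the form body, and
// that a nil token is rejected with ErrMissingAccessToken.
func TestRevoke(t *testing.T) {
	ctx, clearTimeout := context.WithTimeout(t.Context(), time.Second*10)
	t.Cleanup(clearTimeout)

	var srv *httptest.Server
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		baseURL, err := url.Parse(srv.URL)
		// Handlers run on the server's goroutine, where FailNow (require) is
		// not permitted; record the failure with assert and stop instead.
		if !assert.NoError(t, err) {
			w.WriteHeader(http.StatusInternalServerError)
			return
		}

		w.Header().Set("Content-Type", "application/json")
		switch r.URL.Path {
		case "/.well-known/openid-configuration":
			assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
				"issuer": baseURL.String(),
				"revocation_endpoint": baseURL.ResolveReference(&url.URL{
					Path: "/revoke",
				}).String(),
			}))
		case "/revoke":
			// Token revocation request: the token plus a type hint, with the
			// client authenticating through form parameters. An empty 200
			// response signals success.
			assert.Equal(t, "ACCESS_TOKEN", r.FormValue("token"))
			assert.Equal(t, "access_token", r.FormValue("token_type_hint"))
			assert.Equal(t, "CLIENT_ID", r.FormValue("client_id"))
			assert.Equal(t, "CLIENT_SECRET", r.FormValue("client_secret"))
		default:
			assert.Failf(t, "unexpected http request", "url: %s", r.URL.String())
		}
	})
	srv = httptest.NewServer(handler)
	t.Cleanup(srv.Close)

	redirectURL, err := url.Parse(srv.URL)
	require.NoError(t, err)

	p, err := oidc.New(ctx, &oauth.Options{
		ProviderURL:  srv.URL,
		RedirectURL:  redirectURL,
		ClientID:     "CLIENT_ID",
		ClientSecret: "CLIENT_SECRET",
	})
	require.NoError(t, err)
	require.NotNil(t, p)

	assert.NoError(t, p.Revoke(ctx, &oauth2.Token{
		AccessToken: "ACCESS_TOKEN",
	}))

	// A nil token has nothing to revoke; the fake endpoint would fail the
	// test if a request with an empty token were sent anyway.
	assert.Equal(t, oidc.ErrMissingAccessToken, p.Revoke(ctx, nil))
}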
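// TestUnsupportedFeatures checks behaviour when discovery advertises neither
// an end_session_endpoint nor a revocation_endpoint: SignOut and Revoke
// return their "not implemented" sentinels instead of guessing a URL, and
// New rejects empty options with ErrMissingProviderURL.
func TestUnsupportedFeatures(t *testing.T) {
	ctx, clearTimeout := context.WithTimeout(t.Context(), time.Second*10)
	t.Cleanup(clearTimeout)

	redirectURL, err := url.Parse("https://localhost/oauth2/callback")
	require.NoError(t, err)

	var srv *httptest.Server
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		baseURL, err := url.Parse(srv.URL)
		// Handlers run on the server's goroutine, where FailNow (require) is
		// not permitted; record the failure with assert and stop instead.
		if !assert.NoError(t, err) {
			w.WriteHeader(http.StatusInternalServerError)
			return
		}

		w.Header().Set("Content-Type", "application/json")
		switch r.URL.Path {
		case "/.well-known/openid-configuration":
			// Deliberately minimal: only the issuer, no optional endpoints.
			assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
				"issuer": baseURL.String(),
			}))
		default:
			assert.Failf(t, "unexpected http request", "url: %s", r.URL.String())
		}
	})
	srv = httptest.NewServer(handler)
	t.Cleanup(srv.Close)

	p, err := oidc.New(ctx, &oauth.Options{
		ProviderURL:  srv.URL,
		RedirectURL:  redirectURL,
		ClientID:     "CLIENT_ID",
		ClientSecret: "CLIENT_SECRET",
	})
	require.NoError(t, err)
	require.NotNil(t, p)

	rec := httptest.NewRecorder()
	err = p.SignOut(rec, httptest.NewRequest(http.MethodGet, "/", nil), "ID_TOKEN", "", "")
	assert.Equal(t, oidc.ErrSignoutNotImplemented, err)

	err = p.Revoke(ctx, &oauth2.Token{
		AccessToken: "ACCESS_TOKEN",
	})
	assert.Equal(t, oidc.ErrRevokeNotImplemented, err)

	_, err = oidc.New(ctx, &oauth.Options{})
	assert.Equal(t, oidc.ErrMissingProviderURL, err)
}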
// TestName checks that Name reports the provider's identifier and is safe
// to call on a nil *Provider.
func TestName(t *testing.T) {
	var p *oidc.Provider
	assert.Equal(t, "oidc", p.Name())
}
// setupJWTSigning returns a JWT signer and a corresponding JWKS for signature verification.
//
// A fresh 2048-bit RSA key is generated per call; the signer uses RS256 and
// the JWKS publishes only the public half, so the private key never leaves
// the test process.
func setupJWTSigning(t *testing.T) (jose.Signer, jose.JSONWebKeySet) {
	t.Helper()

	key, err := rsa.GenerateKey(rand.Reader, 2048)
	require.NoError(t, err)

	signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.RS256, Key: key}, nil)
	require.NoError(t, err)

	pub := jose.JSONWebKey{
		Key:       key.Public(),
		KeyID:     "key",
		Algorithm: "RS256",
		Use:       "sig",
	}
	return signer, jose.JSONWebKeySet{Keys: []jose.JSONWebKey{pub}}
}
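// TestVerifyAccessToken checks that VerifyAccessToken presents the access
// token as a Bearer credential to the provider's userinfo_endpoint and
// returns the decoded userinfo response as claims.
func TestVerifyAccessToken(t *testing.T) {
	t.Parallel()

	ctx := testutil.GetContext(t, time.Minute)

	var srv *httptest.Server
	m := http.NewServeMux()
	m.HandleFunc("GET /.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
		baseURL, err := url.Parse(srv.URL)
		// Handlers run on the server's goroutine, where FailNow (require) is
		// not permitted; record the failure with assert and stop instead.
		if !assert.NoError(t, err) {
			w.WriteHeader(http.StatusInternalServerError)
			return
		}

		w.Header().Set("Content-Type", "application/json; charset=utf-8")
		assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
			"issuer": baseURL.String(),
			"userinfo_endpoint": baseURL.ResolveReference(&url.URL{
				Path: "/userinfo",
			}).String(),
		}))
	})
	m.HandleFunc("GET /userinfo", func(w http.ResponseWriter, r *http.Request) {
		assert.Equal(t, "Bearer ACCESS_TOKEN", r.Header.Get("Authorization"))
		w.Header().Set("Content-Type", "application/json; charset=utf-8")
		assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
			"aud": "AUDIENCE",
			"sub": "SUBJECT",
		}))
	})
	srv = httptest.NewServer(m)
	// Release the listener and any open connections when the test ends.
	t.Cleanup(srv.Close)

	p, err := oidc.New(ctx, &oauth.Options{
		ProviderURL:  srv.URL,
		ClientID:     "CLIENT_ID",
		ClientSecret: "CLIENT_SECRET",
		RedirectURL:  urlutil.MustParseAndValidateURL("https://www.example.com"),
	})
	require.NoError(t, err)

	claims, err := p.VerifyAccessToken(ctx, "ACCESS_TOKEN")
	require.NoError(t, err)
	assert.Equal(t, map[string]any{
		"aud": "AUDIENCE",
		"sub": "SUBJECT",
	}, claims)
}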
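// TestVerifyIdentityToken checks that VerifyIdentityToken accepts an ID
// token signed by a key published at the provider's jwks_uri and returns
// its claims. Neither the JWKS entry nor, presumably, the token header
// carries a kid here, so key selection cannot rely on one.
func TestVerifyIdentityToken(t *testing.T) {
	t.Parallel()

	ctx := testutil.GetContext(t, time.Minute)

	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
	require.NoError(t, err)
	jwtSigner, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.RS256, Key: privateKey}, nil)
	require.NoError(t, err)
	iat := time.Now().Unix()
	exp := iat + 3600

	var srv *httptest.Server
	m := http.NewServeMux()
	m.HandleFunc("GET /.well-known/openid-configuration", func(w http.ResponseWriter, _ *http.Request) {
		baseURL, err := url.Parse(srv.URL)
		// Handlers run on the server's goroutine, where FailNow (require) is
		// not permitted; record the failure with assert and stop instead.
		if !assert.NoError(t, err) {
			w.WriteHeader(http.StatusInternalServerError)
			return
		}

		w.Header().Set("Content-Type", "application/json; charset=utf-8")
		assert.NoError(t, json.NewEncoder(w).Encode(map[string]any{
			"issuer": baseURL.String(),
			"jwks_uri": baseURL.ResolveReference(&url.URL{
				Path: "/jwks",
			}).String(),
		}))
	})
	m.HandleFunc("GET /jwks", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json; charset=utf-8")
		// Only the public half is published.
		assert.NoError(t, json.NewEncoder(w).Encode(jose.JSONWebKeySet{
			Keys: []jose.JSONWebKey{
				{Key: privateKey.Public(), Use: "sig", Algorithm: "RS256"},
			},
		}))
	})
	srv = httptest.NewServer(m)
	// Release the listener and any open connections when the test ends.
	t.Cleanup(srv.Close)

	// Issuer and audience match the provider configuration below; exp/iat
	// are relative to now so the token is currently valid.
	rawIdentityToken1, err := jwt.Signed(jwtSigner).Claims(map[string]any{
		"iss": srv.URL,
		"aud": "CLIENT_ID",
		"sub": "subject",
		"exp": exp,
		"iat": iat,
	}).CompactSerialize()
	require.NoError(t, err)

	p, err := oidc.New(ctx, &oauth.Options{
		ProviderURL:  srv.URL,
		ClientID:     "CLIENT_ID",
		ClientSecret: "CLIENT_SECRET",
		RedirectURL:  urlutil.MustParseAndValidateURL("https://www.example.com"),
	})
	require.NoError(t, err)

	claims, err := p.VerifyIdentityToken(ctx, rawIdentityToken1)
	require.NoError(t, err)
	// The time-derived numeric claims are dropped before comparing the rest.
	delete(claims, "iat")
	delete(claims, "exp")
	assert.Equal(t, map[string]any{
		"aud": "CLIENT_ID",
		"iss": srv.URL,
		"sub": "subject",
	}, claims)
}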