forked from mystiq/dex
f926d74157
Accept the following response_type for the implicit flow: id_token token id_token And the following for hybrid flow code id_token code token code token id_token This corrects the previous behavior of the implicit flow, which only accepted "token" (now correctly rejected).
150 lines
3.6 KiB
Go
150 lines
3.6 KiB
Go
package server
|
|
|
|
import (
|
|
"context"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"testing"
|
|
|
|
"github.com/coreos/dex/storage"
|
|
)
|
|
|
|
func TestParseAuthorizationRequest(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
clients []storage.Client
|
|
supportedResponseTypes []string
|
|
|
|
queryParams map[string]string
|
|
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "normal request",
|
|
clients: []storage.Client{
|
|
{
|
|
ID: "foo",
|
|
RedirectURIs: []string{"https://example.com/foo"},
|
|
},
|
|
},
|
|
supportedResponseTypes: []string{"code"},
|
|
queryParams: map[string]string{
|
|
"client_id": "foo",
|
|
"redirect_uri": "https://example.com/foo",
|
|
"response_type": "code",
|
|
"scope": "openid email profile",
|
|
},
|
|
},
|
|
{
|
|
name: "invalid client id",
|
|
clients: []storage.Client{
|
|
{
|
|
ID: "foo",
|
|
RedirectURIs: []string{"https://example.com/foo"},
|
|
},
|
|
},
|
|
supportedResponseTypes: []string{"code"},
|
|
queryParams: map[string]string{
|
|
"client_id": "bar",
|
|
"redirect_uri": "https://example.com/foo",
|
|
"response_type": "code",
|
|
"scope": "openid email profile",
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "invalid redirect uri",
|
|
clients: []storage.Client{
|
|
{
|
|
ID: "bar",
|
|
RedirectURIs: []string{"https://example.com/bar"},
|
|
},
|
|
},
|
|
supportedResponseTypes: []string{"code"},
|
|
queryParams: map[string]string{
|
|
"client_id": "bar",
|
|
"redirect_uri": "https://example.com/foo",
|
|
"response_type": "code",
|
|
"scope": "openid email profile",
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "implicit flow",
|
|
clients: []storage.Client{
|
|
{
|
|
ID: "bar",
|
|
RedirectURIs: []string{"https://example.com/bar"},
|
|
},
|
|
},
|
|
supportedResponseTypes: []string{"code", "id_token", "token"},
|
|
queryParams: map[string]string{
|
|
"client_id": "bar",
|
|
"redirect_uri": "https://example.com/bar",
|
|
"response_type": "code id_token",
|
|
"scope": "openid email profile",
|
|
},
|
|
},
|
|
{
|
|
name: "unsupported response type",
|
|
clients: []storage.Client{
|
|
{
|
|
ID: "bar",
|
|
RedirectURIs: []string{"https://example.com/bar"},
|
|
},
|
|
},
|
|
supportedResponseTypes: []string{"code"},
|
|
queryParams: map[string]string{
|
|
"client_id": "bar",
|
|
"redirect_uri": "https://example.com/bar",
|
|
"response_type": "code id_token",
|
|
"scope": "openid email profile",
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "only token response type",
|
|
clients: []storage.Client{
|
|
{
|
|
ID: "bar",
|
|
RedirectURIs: []string{"https://example.com/bar"},
|
|
},
|
|
},
|
|
supportedResponseTypes: []string{"code", "id_token", "token"},
|
|
queryParams: map[string]string{
|
|
"client_id": "bar",
|
|
"redirect_uri": "https://example.com/bar",
|
|
"response_type": "token",
|
|
"scope": "openid email profile",
|
|
},
|
|
wantErr: true,
|
|
},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
func() {
|
|
ctx, cancel := context.WithCancel(context.Background())
|
|
defer cancel()
|
|
|
|
httpServer, server := newTestServer(ctx, t, func(c *Config) {
|
|
c.SupportedResponseTypes = tc.supportedResponseTypes
|
|
c.Storage = storage.WithStaticClients(c.Storage, tc.clients)
|
|
})
|
|
defer httpServer.Close()
|
|
|
|
params := url.Values{}
|
|
for k, v := range tc.queryParams {
|
|
params.Set(k, v)
|
|
}
|
|
|
|
req := httptest.NewRequest("GET", httpServer.URL+"/auth?"+params.Encode(), nil)
|
|
_, err := server.parseAuthorizationRequest(req)
|
|
if err != nil && !tc.wantErr {
|
|
t.Errorf("%s: %v", tc.name, err)
|
|
}
|
|
if err == nil && tc.wantErr {
|
|
t.Errorf("%s: expected error", tc.name)
|
|
}
|
|
}()
|
|
}
|
|
}
|