custom-adal 1.0.1

data/spec/adal/logging_spec.rb

@@ -0,0 +1,48 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+describe ADAL::Logging do
+  describe '::log_level=' do
+    context 'with an invalid log level' do
+      it 'should throw an error' do
+        expect { ADAL::Logging.log_level = 'abc' }.to raise_error(ArgumentError)
+      end
+    end
+
+    context 'with a valid log level' do
+      it 'should not throw an error' do
+        expect { ADAL::Logging.log_level = ADAL::Logger::VERBOSE }
+          .to_not raise_error
+        expect { ADAL::Logging.log_level = ADAL::Logger::INFO }
+          .to_not raise_error
+        expect { ADAL::Logging.log_level = ADAL::Logger::WARN }
+          .to_not raise_error
+        expect { ADAL::Logging.log_level = ADAL::Logger::ERROR }
+          .to_not raise_error
+        expect { ADAL::Logging.log_level = ADAL::Logger::FATAL }
+          .to_not raise_error
+      end
+    end
+  end
+end

data/spec/adal/memory_cache_spec.rb

@@ -0,0 +1,107 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+describe ADAL::MemoryCache do
+  let(:authority) { ADAL::Authority.new('login.windows.net', 'contoso.org') }
+  let(:client) { ADAL::ClientCredential.new('my client id', 'client secret') }
+  let(:cache) { ADAL::MemoryCache.new }
+
+  # Note that this test also relies on the correctness of TokenResponse#to_json
+  # and CachedTokenResponse#to_json.
+  describe '#to_json' do
+    subject { cache.to_json }
+
+    context 'when empty' do
+      it { is_expected.to eq '[]' }
+    end
+
+    context 'with many tokens' do
+      let(:expected_json) do
+        "[{\"access_token\":\"abc\",\"token_type\":\"JWT\"},{\"access_token\"" \
+        ":\"abc\",\"scope\":\"openid\"},{\"access_token\":\"abc\",\"resource" \
+        "\":\"http://graph.windows.net\"}]"
+      end
+      let(:expected_json) do
+        "[{\"authority\":[\"login.windows.net\",\"contoso.org\"],\"client_id" \
+        "\":\"my client id\",\"token_response\":{\"access_token\":\"abc\",\"t" \
+        "oken_type\":\"JWT\"}},{\"authority\":[\"login.windows.net\",\"contos" \
+        "o.org\"],\"client_id\":\"my client id\",\"token_response\":{\"access" \
+        "_token\":\"abc\",\"scope\":\"openid\"}},{\"authority\":[\"login.wind" \
+        "ows.net\",\"contoso.org\"],\"client_id\":\"my client id\",\"token_re" \
+        "sponse\":{\"access_token\":\"abc\",\"resource\":\"http://graph.windo" \
+        "ws.net\"}}]"
+      end
+      before(:each) do
+        cache_driver = ADAL::CacheDriver.new(authority, client, cache)
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc', token_type: 'JWT'))
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc', scope: 'openid'))
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc',
+                                    resource: 'http://graph.windows.net'))
+      end
+
+      it 'properly serializes the cache' do
+        expect(subject).to eq expected_json
+      end
+    end
+  end
+
+  describe '#from_json' do
+    subject { ADAL::MemoryCache.from_json(json) }
+
+    context 'when empty' do
+      let(:json) { '[]' }
+      it 'should contain no entries' do
+        expect(subject.entries.length).to eq 0
+      end
+    end
+
+    context 'with many tokens' do
+      let(:json) { cache.to_json }
+      before(:each) do
+        cache_driver = ADAL::CacheDriver.new(authority, client, cache)
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc', token_type: 'JWT'))
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc', scope: 'openid'))
+        cache_driver.add(
+          ADAL::SuccessResponse.new(access_token: 'abc',
+                                    resource: 'http://graph.windows.net'))
+      end
+
+      it 'has the correct number of entries' do
+        expect(subject.entries.length).to eq 3
+      end
+
+      it 'reconstructs the entries' do
+        subject.entries.each do |cache_entry|
+          expect(cache_entry.authority.host).to eq authority.host
+          expect(cache_entry.authority.tenant).to eq authority.tenant
+        end
+      end
+    end
+  end
+end

data/spec/adal/mex_request_spec.rb

@@ -0,0 +1,57 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+describe ADAL::MexRequest do
+  describe '#initialize' do
+    context 'with an invalid endpoint' do
+      let(:uri) { 'not a uri' }
+
+      it 'should raise an error' do
+        expect { ADAL::MexRequest.new(uri) }.to raise_error(
+          URI::InvalidURIError)
+      end
+    end
+  end
+
+  describe '#execute' do
+    let(:response_body) { 'response body' }
+    let(:uri) { 'https://abc.def/' }
+
+    before(:each) do
+      @http_request = nil
+      expect_any_instance_of(Net::HTTP).to receive(:request) do |_, req|
+        @http_request = req
+      end.and_return(double(body: response_body))
+      expect(ADAL::MexResponse).to receive(:parse)
+      ADAL::MexRequest.new(uri).execute
+    end
+
+    describe 'http request' do
+      subject { @http_request }
+
+      it { expect(subject['Content-Type']).to eq 'application/soap+xml' }
+      it { expect(subject.path).to eq '/' }
+    end
+  end
+end

data/spec/adal/mex_response_spec.rb

@@ -0,0 +1,143 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+MEX_FIXTURES = File.expand_path('../../fixtures/mex', __FILE__)
+
+describe ADAL::MexResponse do
+  describe '::parse' do
+    let(:response) { File.read(File.expand_path(file_name, MEX_FIXTURES)) }
+
+    context 'with both 1.3 and 2005 endpoints' do
+      let(:file_name) { 'microsoft.xml' }
+      let(:wstrust_url_13) do
+        'https://corp.sts.microsoft.com/adfs/services/trust/13/usernamemixed'
+      end
+
+      it 'should not raise an error' do
+        expect { ADAL::MexResponse.parse(response) }.to_not raise_error
+      end
+
+      it 'should prefer the 1.3 endpoint' do
+        expect(ADAL::MexResponse.parse(response).wstrust_url.to_s)
+          .to eq(wstrust_url_13)
+      end
+    end
+
+    context 'with only 1.3 wstrust endpoint' do
+      let(:file_name) { 'only_13.xml' }
+      let(:wstrust_13_url) do
+        'https://fs.ajmichael.net/adfs/services/trust/13/usernamemixed'
+      end
+
+      it 'should parse the 1.3 wstrust endpoint' do
+        expect(ADAL::MexResponse.parse(response).wstrust_url.to_s)
+          .to eq(wstrust_13_url)
+      end
+    end
+
+    context 'with only 2005 wstrust endpoint' do
+      let(:file_name) { 'only_2005.xml' }
+      let(:wstrust_2005_url) do
+        'https://fs.ajmichael.net/adfs/services/trust/2005/usernamemixed'
+      end
+
+      it 'should parse the 2005 wstrust endpoint' do
+        expect(ADAL::MexResponse.parse(response).wstrust_url.to_s)
+          .to eq(wstrust_2005_url)
+      end
+    end
+
+    context 'with a malformed response' do
+      let(:file_name) { 'malformed.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(
+            ADAL::MexResponse::MexError, /No username token policy nodes/)
+      end
+    end
+
+    context 'with insecure address' do
+      let(:file_name) { 'insecureaddress.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(ArgumentError)
+      end
+    end
+
+    context 'with invalid namespaces' do
+      let(:file_name) { 'invalid_namespaces.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(
+            ADAL::MexResponse::MexError, /No username token policy nodes/)
+      end
+    end
+
+    context 'with no policy nodes' do
+      let(:file_name) { 'no_username_token_policies.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(
+            ADAL::MexResponse::MexError, /No username token policy nodes/)
+      end
+    end
+
+    context 'with no wstrust endpoints' do
+      let(:file_name) { 'no_wstrust_endpoints.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(
+            ADAL::MexResponse::MexError, /No valid WS-Trust endpoints/)
+      end
+    end
+
+    context 'with no matching bindings' do
+      let(:file_name) { 'no_matching_bindings.xml' }
+
+      it 'should throw an error' do
+        expect { ADAL::MexResponse.parse(response) }
+          .to raise_error(ADAL::MexResponse::MexError, /No matching bindings/)
+      end
+    end
+
+    context 'with multiple valid endpoints' do
+      let(:file_name) { 'multiple_endpoints.xml' }
+      let(:first_wstrust_url) do
+        'https://this.is.first.com/adfs/services/trust/13/usernamemixed'
+      end
+      subject { ADAL::MexResponse.parse(response) }
+
+      it { expect { subject }.to_not raise_error }
+
+      it 'should use the first endpoint' do
+        expect(subject.wstrust_url.to_s).to eq(first_wstrust_url)
+      end
+    end
+  end
+end

data/spec/adal/self_signed_jwt_factory_spec.rb

@@ -0,0 +1,63 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+require 'jwt'
+
+include FakeData
+
+describe ADAL::SelfSignedJwtFactory do
+  describe '#create_and_sign_jwt' do
+    before(:each) do
+      key = OpenSSL::PKey::RSA.new 2048
+      @cert = OpenSSL::X509::Certificate.new
+      @cert.public_key = key.public_key
+      @jwt = ADAL::SelfSignedJwtFactory
+             .new(CLIENT_ID, 'some_token_endpoint')
+             .create_and_sign_jwt(@cert, key)
+    end
+
+    it 'should be decodable with the public key' do
+      expect do
+        JWT.decode(@jwt, @cert.public_key)
+      end.to_not raise_error
+    end
+
+    it 'should contain the correct keys in the payload' do
+      payload, = JWT.decode(@jwt, @cert.public_key)
+      expect(payload.keys).to contain_exactly(
+        'aud', 'iss', 'sub', 'nbf', 'exp', 'jti')
+    end
+
+    it 'should containt the correct keys in the header' do
+      _, header = JWT.decode(@jwt, @cert.public_key)
+      expect(header.keys).to contain_exactly('x5t', 'alg', 'typ')
+    end
+
+    it 'should contain the correct thumbprint from the certificate' do
+      thumbprint = OpenSSL::Digest::SHA1.new(@cert.to_der).base64digest
+      _, header = JWT.decode(@jwt, @cert.public_key)
+      expect(header['x5t']).to eq(thumbprint)
+    end
+  end
+end

data/spec/adal/token_request_spec.rb

@@ -0,0 +1,150 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../support/fake_data'
+
+require 'spec_helper'
+
+include FakeData
+
+describe ADAL::TokenRequest do
+  let(:authority) { ADAL::Authority.new(AUTHORITY, TENANT) }
+  let(:cache) { ADAL::MemoryCache.new }
+  let(:client) { ADAL::ClientCredential.new(CLIENT_ID, CLIENT_SECRET) }
+  let(:token_request) { ADAL::TokenRequest.new(authority, client, cache) }
+  let(:token_response) do
+    ADAL::SuccessResponse.new(expires_in: 100, resource: RESOURCE)
+  end
+
+  # The mocking seam is the OAuthRequest class.
+  def mock_oauth_request(result = nil)
+    instance_double('oauth_request', execute: result)
+  end
+
+  describe '#get_with_authorization_code' do
+    context 'with a matching token in the cache' do
+      before(:each) do
+        ADAL::CacheDriver.new(authority, client, cache).add(token_response)
+      end
+
+      it 'should not make an OAuthRequest' do
+        expect(ADAL::OAuthRequest).to_not receive(:new)
+        token_request.get_with_authorization_code(
+          AUTH_CODE, REDIRECT_URI, RESOURCE)
+      end
+
+      it 'should retrieve the token response from the cache' do
+        expect(
+          token_request.get_with_authorization_code(
+            AUTH_CODE, REDIRECT_URI, RESOURCE)
+        ).to eq(token_response)
+      end
+    end
+
+    context 'without a matching token in the cache' do
+      before(:each) do
+        allow(ADAL::OAuthRequest).to receive(:new)
+          .and_return(mock_oauth_request(token_response))
+      end
+
+      it 'should make an OAuthRequest' do
+        expect(ADAL::OAuthRequest).to receive(:new).once
+        token_request.get_with_authorization_code(AUTH_CODE, REDIRECT_URI)
+      end
+
+      it 'should return the token response from the OAuth flow' do
+        expect(
+          token_request.get_with_authorization_code(AUTH_CODE, REDIRECT_URI)
+        ).to eq(token_response)
+      end
+    end
+  end
+
+  describe '#get_for_client' do
+    context 'with a matching token in the cache' do
+      before(:each) do
+        ADAL::CacheDriver.new(authority, client, cache).add(token_response)
+      end
+
+      it 'should not make an OAuthRequest' do
+        expect(ADAL::OAuthRequest).to_not receive(:new)
+        token_request.get_for_client(RESOURCE)
+      end
+
+      it 'should retrieve the token response from the cache' do
+        expect(token_request.get_for_client(RESOURCE)).to eq(token_response)
+      end
+    end
+
+    context 'without a matching token in the cache' do
+      before(:each) do
+        allow(ADAL::OAuthRequest).to receive(:new)
+          .and_return(mock_oauth_request(token_response))
+      end
+
+      it 'should make an OAuthRequest' do
+        expect(ADAL::OAuthRequest).to receive(:new).once
+        token_request.get_for_client(RESOURCE)
+      end
+
+      it 'should return the token response from the OAuth flow' do
+        expect(token_request.get_for_client(RESOURCE)).to eq(token_response)
+      end
+    end
+  end
+
+  describe '#get_with_refresh_token' do
+    let(:refresh_token_response) { ADAL::SuccessResponse.new }
+    before(:each) do
+      allow(ADAL::OAuthRequest).to receive(:new)
+        .and_return(mock_oauth_request(refresh_token_response))
+    end
+
+    context 'with a matching token in the cache' do
+      before(:each) do
+        ADAL::CacheDriver.new(authority, client, cache).add(token_response)
+      end
+
+      it 'should make an OAuth request' do
+        expect(ADAL::OAuthRequest).to receive(:new).once
+        token_request.get_with_refresh_token(REFRESH_TOKEN, RESOURCE)
+      end
+
+      it 'should return the refreshed token response' do
+        expect(token_request.get_with_refresh_token(REFRESH_TOKEN, RESOURCE))
+          .to eq(refresh_token_response)
+      end
+    end
+
+    context 'without a matching token in the cache' do
+      it 'should make an OAuth request' do
+        expect(ADAL::OAuthRequest).to receive(:new).once
+        token_request.get_with_refresh_token(REFRESH_TOKEN, RESOURCE)
+      end
+
+      it 'should return the refreshed token response' do
+        expect(token_request.get_with_refresh_token(REFRESH_TOKEN, RESOURCE))
+          .to eq(refresh_token_response)
+      end
+    end
+  end
+end

data/spec/adal/token_response_spec.rb

@@ -0,0 +1,102 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+OAUTH_FIXTURES = File.expand_path('../../fixtures/oauth', __FILE__)
+
+describe ADAL::TokenResponse do
+  let(:response) { File.read(File.expand_path(file_name, OAUTH_FIXTURES)) }
+
+  describe '::parse' do
+    context 'with a successful response' do
+      context 'with an id token' do
+        let(:file_name) { 'success_with_id_token.json' }
+
+        it 'should not raise any errors' do
+          expect { ADAL::TokenResponse.parse(response) }.to_not raise_error
+        end
+
+        describe 'response' do
+          subject { ADAL::TokenResponse.parse(response) }
+
+          it { is_expected.to be_instance_of ADAL::SuccessResponse }
+
+          describe '#error?' do
+            # RSpec does some metaprogramming voodoo; this calls subject.error?.
+            it { is_expected.to_not be_error }
+          end
+        end
+      end
+
+      context 'without an id token' do
+        let(:file_name) { 'success.json' }
+
+        it 'should not raise any errors' do
+          expect { ADAL::TokenResponse.parse(response) }.to_not raise_error
+        end
+
+        describe 'response' do
+          subject { ADAL::TokenResponse.parse(response) }
+
+          it { is_expected.to be_instance_of ADAL::SuccessResponse }
+
+          describe '#error?' do
+            it { is_expected.to_not be_error }
+          end
+        end
+      end
+    end
+
+    context 'with an error response' do
+      let(:file_name) { 'error.json' }
+
+      it 'should not raise any errors' do
+        expect { ADAL::TokenResponse.parse(response) }.to_not raise_error
+      end
+
+      describe 'response' do
+        subject { ADAL::TokenResponse.parse(response) }
+
+        it { is_expected.to be_instance_of ADAL::ErrorResponse }
+
+        describe '#error?' do
+          it { is_expected.to be_error }
+        end
+      end
+    end
+  end
+
+  context 'with a successful response' do
+    let(:file_name) { 'success.json' }
+
+    describe '::parse' do
+    end
+  end
+
+  context 'with an error response' do
+    let(:file_name) { 'error.json' }
+
+    describe '::parse' do
+    end
+  end
+end