descope 1.0.6 → 1.0.7

data/spec/integration/lib.descope/api/v1/management/user_spec.rb

@@ -4,17 +4,21 @@ require 'spec_helper'
 
 describe Descope::Api::V1::Management::User do
   before(:all) do
+    raise 'DESCOPE_MANAGEMENT_KEY is not set' if ENV['DESCOPE_MANAGEMENT_KEY'].nil?
+
+    @client = DescopeClient.new(Configuration.config)
+
     @password = SpecUtils.generate_password
     @new_password = SpecUtils.generate_password
     @user = build(:user)
-    @client = DescopeClient.new(Configuration.config)
+
     include Descope::Mixins::Common::DeliveryMethod
   end
 
   after(:all) do
     all_users = @client.search_all_users
     all_users['users'].each do |user|
-      if user['middleName'] == 'Ruby SDK User'
+      if user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User"
         puts "Deleting ruby spec test user #{user['loginIds'][0]}"
         @client.delete_user(user['loginIds'][0])
       end
@@ -58,6 +62,41 @@ describe Descope::Api::V1::Management::User do
     expect(updated_user['first_name']).to eq(created_user[updated_first_name])
   end
 
+  it 'should patch a user' do
+    user = build(:user)
+    role_name = 'some-new-role'
+
+    # ensure no roles exist with that name
+    all_roles = @client.load_all_roles
+    all_roles['roles'].each do |role|
+      @client.delete_role(name: role['name']) if role['name'] == role_name
+    end
+
+    @client.create_role(name: role_name)
+    @client.create_user(**user)['user']
+    updated_first_name = 'new name'
+    updated_given_name = 'new given name'
+    update_phone_number = "+1#{Faker::Number.number(digits: 10)}"
+    updated_role_names = [role_name]
+    updated_middle_name = 'new middle name'
+    updated_user = @client.patch_user(
+      **user,
+      name: updated_first_name,
+      given_name: updated_given_name,
+      phone: update_phone_number,
+      role_names: updated_role_names,
+      middle_name: updated_middle_name
+    )['user']
+
+    puts "updated_user #{updated_user}"
+
+    expect(updated_user['name']).to eq(updated_first_name)
+    expect(updated_user['givenName']).to eq(updated_given_name)
+    expect(updated_user['phone']).to eq(update_phone_number)
+    expect(updated_user['roleNames']).to eq(updated_role_names)
+    expect(updated_user['middleName']).to eq(updated_middle_name)
+  end
+
   it 'should delete a user' do
     user = build(:user)
     created_user = @client.create_user(**user)['user']
@@ -77,18 +116,28 @@ describe Descope::Api::V1::Management::User do
     users = FactoryBot.build_list(:user, 5)
     @client.create_batch_users(users)
     all_users = @client.search_all_users
-    sdk_users = all_users['users'].select { |user| user['middleName'] == 'Ruby SDK User' }
+    sdk_users = all_users['users'].select { |user| user['middleName'] == "#{SpecUtils.build_prefix}Ruby-SDK-User" }
     expect(sdk_users.length).to be >= 5
   end
 
   it 'should create a test user' do
     @client.delete_all_test_users
+    # ensure no roles exist with that name
+    role_name = 'some-new-role'
+    all_roles = @client.load_all_roles
+    all_roles['roles'].each do |role|
+      @client.delete_role(name: role['name']) if role['name'] == role_name
+    end
     sleep 5
+
     user_args = build(:user)
     test_user = @client.create_test_user(**user_args)['user']
-    test_users = @client.search_all_users(test_users_only: true)['users']
+    @client.create_role(name: role_name)
+    @client.user_add_roles(login_id: test_user['loginIds'][0], role_names: [role_name])
+    test_users = @client.search_all_test_users(role_names: [role_name])['users']
     expect(test_users.length).to be >= 1
     expect(test_users[0]['loginIds'][0]).to eq(test_user['loginIds'][0])
+    expect(test_users[0]['roleNames']).to eq([role_name])
   end
 
   it 'should update user status' do
@@ -191,8 +240,8 @@ describe Descope::Api::V1::Management::User do
       new_password = SpecUtils.generate_password
       @client.set_password(login_id: user['loginIds'][0], password: new_password)
       @client.password_sign_in(login_id: user['loginIds'][0], password:)
-    rescue Descope::ServerError => e
-      expect(e.message).to match(/"errorCode":"E062909"/)
+    rescue Descope::Unauthorized => e
+      expect(e.message).to match(/"Invalid signin credentials"/)
     end
   end
 

data/spec/lib.descope/api/v1/auth/enchantedlink_spec.rb

@@ -51,7 +51,7 @@ describe Descope::Api::V1::EnchantedLink do
 
     it 'is expected to validate refresh token and not raise an error with refresh token and valid login options' do
       expect do
-        @instance.send(:validate_refresh_token_provided, { mfa: true, stepup: true },  'some-token')
+        @instance.send(:validate_refresh_token_provided, { mfa: true, stepup: true }, 'some-token')
       end.not_to raise_error
     end
 
@@ -148,7 +148,16 @@ describe Descope::Api::V1::EnchantedLink do
     end
 
     it 'is expected to get session by pending ref with enchanted link' do
-      jwt_response = { 'fake': 'response' }
+      jwt_response = {
+        'sessionJwt' => 'fake_session_jwt',
+        'refreshJwt' => 'fake_refresh_jwt',
+        'cookies' => {
+          'refresh_token' => 'fake_refresh_cookie'
+        }
+      }
+      allow(@instance).to receive(:post).with(
+        GET_SESSION_ENCHANTEDLINK_AUTH_PATH, { pendingRef: 'pendingRef' }
+      ).and_return(jwt_response)
       allow(@instance).to receive(:generate_jwt_response).and_return(jwt_response)
 
       expect do

data/spec/lib.descope/api/v1/auth/password_spec.rb

@@ -43,9 +43,18 @@ describe Descope::Api::V1::Password do
     end
 
     it 'is expected to sign in with password' do
+      response_body = {
+        'sessionJwt' => 'fake_session_jwt',
+        'refreshJwt' => 'fake_refresh_jwt',
+        'cookies' => {
+          'refresh_token' => 'fake_refresh_cookie'
+        }
+      }
+
       expect(@instance).to receive(:post).with(
         SIGN_IN_PASSWORD_PATH, { loginId: 'test', password: 's3cr3t', ssoAppId: nil }
-      )
+      ).and_return(response_body)
+
       # stub the jwt_get_unverified_header method to return the kid of the public key created above
       allow(@instance).to receive(:generate_jwt_response).and_return({})
       expect { @instance.password_sign_in(login_id: 'test', password: 's3cr3t') }.not_to raise_error

data/spec/lib.descope/api/v1/auth_spec.rb

@@ -249,7 +249,13 @@ describe Descope::Api::V1::Auth do
     end
 
     it 'is expected to select tenant' do
-      jwt_response = { 'fake': 'response' }
+      jwt_response = {
+        'sessionJwt' => 'fake_session_jwt',
+        'refreshJwt' => 'fake_refresh_jwt',
+        'cookies' => {
+          'refresh_token' => 'fake_refresh_cookie'
+        }
+      }
 
       expect(@instance).to receive(:post).with(
         SELECT_TENANT_PATH, { tenantId: 'tenant123' }, {}, 'refresh-token'
@@ -390,20 +396,26 @@ describe Descope::Api::V1::Auth do
     end
 
     it 'is expected to successfully exchange access key without login_options' do
-      jwt_response = { 'fake': 'response' }
+      jwt_response = {
+        'sessionJwt' => 'fake_session_jwt',
+        'refreshJwt' => 'fake_refresh_jwt'
+      }
       access_key = 'abc'
 
       expect(@instance).to receive(:post).with(
         EXCHANGE_AUTH_ACCESS_KEY_PATH, { loginOptions: {}, audience: 'IT' }, {}, access_key
       ).and_return(jwt_response)
 
-      allow(@instance).to receive(:generate_jwt_response).and_return(jwt_response)
+      allow(@instance).to receive(:generate_auth_info).and_return(jwt_response)
 
       expect { @instance.exchange_access_key(access_key:, audience: 'IT') }.not_to raise_error
     end
 
     it 'is expected to successfully exchange access key with login_options' do
-      jwt_response = { 'fake': 'response' }
+      jwt_response = {
+        'sessionJwt' => 'fake_session_jwt',
+        'refreshJwt' => 'fake_refresh_jwt'
+      }
       access_key = 'abc'
 
       expect(@instance).to receive(:post).with(
@@ -413,9 +425,159 @@ describe Descope::Api::V1::Auth do
         access_key
       ).and_return(jwt_response)
 
-      allow(@instance).to receive(:generate_jwt_response).and_return(jwt_response)
+      allow(@instance).to receive(:generate_auth_info).and_return(jwt_response)
 
       expect { @instance.exchange_access_key(access_key:, login_options: { customClaims: { k1: 'v1' } }, audience: 'IT') }.not_to raise_error
     end
   end
+
+  describe '#generate_auth_info cookie handling enhancements' do
+    let(:audience) { nil }
+    let(:session_jwt) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FwaS5kZXNjb3BlLmNvbSJ9.session_sig' }
+    let(:refresh_jwt) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FwaS5kZXNjb3BlLmNvbSJ9.refresh_sig' }
+    
+    let(:mock_token_validation) do
+      {
+        'iss' => 'https://api.descope.com/P2abcde12345',
+        'sub' => 'U2abcde12345',
+        'permissions' => ['read', 'write'],
+        'roles' => ['admin'],
+        'tenants' => { 'tenant1' => { 'permissions' => ['read'] } }
+      }
+    end
+
+    before do
+      allow(@instance).to receive(:validate_token).and_return(mock_token_validation)
+    end
+
+    context 'when session token is in cookies (custom domain scenario)' do
+      let(:response_body) do
+        {
+          'userId' => 'test123',
+          'cookieExpiration' => 1640704758,
+          'cookieDomain' => 'dev.lulukuku.com',
+          'cookies' => {
+            'DS' => session_jwt,      # Session token in cookies
+            'DSR' => refresh_jwt      # Refresh token in cookies
+          }
+        }
+      end
+
+      it 'extracts session token from cookies when not in response body' do
+        result = @instance.send(:generate_auth_info, response_body, nil, true, audience)
+        
+        expect(result['sessionToken']).to eq(mock_token_validation)
+        expect(result['refreshSessionToken']).to eq(mock_token_validation)
+      end
+
+      it 'validates session token from cookies' do
+        expect(@instance).to receive(:validate_token).with(session_jwt, audience).and_return(mock_token_validation)
+        expect(@instance).to receive(:validate_token).with(refresh_jwt, audience).and_return(mock_token_validation)
+        
+        @instance.send(:generate_auth_info, response_body, nil, true, audience)
+      end
+
+      it 'includes permissions and roles from cookie tokens' do
+        result = @instance.send(:generate_auth_info, response_body, nil, true, audience)
+        
+        expect(result['permissions']).to eq(['read', 'write'])
+        expect(result['roles']).to eq(['admin'])
+        expect(result['tenants']).to eq({ 'tenant1' => { 'permissions' => ['read'] } })
+      end
+    end
+
+    context 'when session token is in response body and refresh token in cookies' do
+      let(:response_body) do
+        {
+          'sessionJwt' => session_jwt,  # Session token in response body
+          'userId' => 'test123',
+          'cookies' => {
+            'DSR' => refresh_jwt        # Only refresh token in cookies
+          }
+        }
+      end
+
+      it 'uses session token from response body and refresh token from cookies' do
+        expect(@instance).to receive(:validate_token).with(session_jwt, audience).and_return(mock_token_validation)
+        expect(@instance).to receive(:validate_token).with(refresh_jwt, audience).and_return(mock_token_validation)
+        
+        result = @instance.send(:generate_auth_info, response_body, nil, true, audience)
+        
+        expect(result['sessionToken']).to eq(mock_token_validation)
+        expect(result['refreshSessionToken']).to eq(mock_token_validation)
+      end
+    end
+
+    context 'when refresh token is passed as parameter' do
+      let(:response_body) do
+        {
+          'userId' => 'test123',
+          'cookies' => {
+            'DS' => session_jwt         # Only session token in cookies
+          }
+        }
+      end
+
+      it 'uses passed refresh token when not in response body or cookies' do
+        expect(@instance).to receive(:validate_token).with(session_jwt, audience).and_return(mock_token_validation)
+        expect(@instance).to receive(:validate_token).with(refresh_jwt, audience).and_return(mock_token_validation)
+        
+        result = @instance.send(:generate_auth_info, response_body, refresh_jwt, true, audience)
+        
+        expect(result['sessionToken']).to eq(mock_token_validation)
+        expect(result['refreshSessionToken']).to eq(mock_token_validation)
+      end
+    end
+
+    context 'error handling for missing tokens' do
+      let(:response_body) do
+        {
+          'userId' => 'test123',
+          'cookieExpiration' => 1640704758,
+          'cookies' => {}  # No tokens anywhere
+        }
+      end
+
+      it 'raises helpful error when no refresh token is found' do
+        expect {
+          @instance.send(:generate_auth_info, response_body, nil, true, audience)
+        }.to raise_error(Descope::AuthException, /Could not find refreshJwt in response body \/ cookies \/ passed in refresh_token/)
+      end
+    end
+
+    context 'backward compatibility' do
+      let(:traditional_response_body) do
+        {
+          'sessionJwt' => session_jwt,
+          'refreshJwt' => refresh_jwt,
+          'userId' => 'test123'
+        }
+      end
+
+      it 'continues to work with traditional response body tokens' do
+        expect(@instance).to receive(:validate_token).with(session_jwt, audience).and_return(mock_token_validation)
+        expect(@instance).to receive(:validate_token).with(refresh_jwt, audience).and_return(mock_token_validation)
+        
+        result = @instance.send(:generate_auth_info, traditional_response_body, nil, true, audience)
+        
+        expect(result['sessionToken']).to eq(mock_token_validation)
+        expect(result['refreshSessionToken']).to eq(mock_token_validation)
+      end
+
+      it 'works with same-domain cookies (existing RestClient behavior)' do
+        response_with_restclient_cookies = {
+          'userId' => 'test123',
+          'cookies' => {
+            'DSR' => refresh_jwt
+          }
+        }
+
+        expect(@instance).to receive(:validate_token).with(refresh_jwt, audience).and_return(mock_token_validation)
+        
+        result = @instance.send(:generate_auth_info, response_with_restclient_cookies, nil, false, audience)
+        
+        expect(result['refreshSessionToken']).to eq(mock_token_validation)
+      end
+    end
+  end
 end

data/spec/lib.descope/api/v1/cookie_domain_fix_integration_spec.rb

@@ -0,0 +1,245 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Cookie Domain Fix Integration' do
+  before(:all) do
+    dummy_instance = DummyClass.new
+    dummy_instance.extend(Descope::Api::V1::Session)
+    dummy_instance.extend(Descope::Api::V1::Auth)
+    dummy_instance.extend(Descope::Mixins::HTTP)
+    dummy_instance.extend(Descope::Mixins::Common::EndpointsV1)
+    @instance = dummy_instance
+  end
+
+  describe 'refresh_session with custom domain cookies' do
+    let(:refresh_token) { 'test_refresh_token' }
+    let(:audience) { nil }
+    
+    let(:session_jwt) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FwaS5kZXNjb3BlLmNvbS9QMmFiY2RlMTIzNDUiLCJzdWIiOiJVMmFiY2RlMTIzNDUifQ.session_signature' }
+    let(:refresh_jwt) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FwaS5kZXNjb3BlLmNvbS9QMmFiY2RlMTIzNDUiLCJzdWIiOiJVMmFiY2RlMTIzNDUifQ.refresh_signature' }
+
+    context 'when Descope is configured for cookie-only tokens with custom domain' do
+      let(:api_response_body) do
+        # Response body without sessionJwt/refreshJwt (cookie-only configuration)
+        {
+          'userId' => 'test123',
+          'cookieExpiration' => 1640704758,
+          'cookieDomain' => 'dev.lulukuku.com',
+          'cookiePath' => '/'
+        }
+      end
+
+      let(:set_cookie_headers) do
+        [
+          "DS=#{session_jwt}; Path=/; Domain=dev.lulukuku.com; HttpOnly; Secure; SameSite=None",
+          "DSR=#{refresh_jwt}; Path=/; Domain=dev.lulukuku.com; HttpOnly; Secure; SameSite=None; Max-Age=2592000"
+        ]
+      end
+
+      let(:mock_response) do
+        double('response').tap do |response|
+          allow(response).to receive(:code).and_return(200)
+          allow(response).to receive(:body).and_return(api_response_body.to_json)
+          allow(response).to receive(:cookies).and_return({}) # RestClient filters out custom domain cookies
+          allow(response).to receive(:headers).and_return({ 'set-cookie' => set_cookie_headers })
+        end
+      end
+
+      before do
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({
+          'iss' => 'https://api.descope.com/P2abcde12345',
+          'sub' => 'U2abcde12345',
+          'permissions' => [],
+          'roles' => [],
+          'tenants' => {}
+        })
+        allow(@instance).to receive(:call).and_return(mock_response)
+      end
+
+      it 'successfully extracts tokens from Set-Cookie headers' do
+        result = @instance.refresh_session(refresh_token: refresh_token, audience: audience)
+        expect(result).to be_a(Hash)
+        expect(result['sessionToken']).to be_a(Hash)
+        expect(result['sessionToken']['iss']).to eq('https://api.descope.com/P2abcde12345')
+        expect(result['sessionToken']['sub']).to eq('U2abcde12345')
+        
+        expect(result['refreshSessionToken']).to be_a(Hash)
+        expect(result['refreshSessionToken']['iss']).to eq('https://api.descope.com/P2abcde12345')
+        expect(result['refreshSessionToken']['sub']).to eq('U2abcde12345')
+        
+        expect(result['cookieData'][:domain]).to eq('dev.lulukuku.com')
+      end
+
+      it 'validates the extracted session token' do
+        expect(@instance).to receive(:validate_token).with(session_jwt, audience).and_return({
+          'iss' => 'https://api.descope.com/P2abcde12345',
+          'sub' => 'U2abcde12345'
+        })
+
+        @instance.refresh_session(refresh_token: refresh_token, audience: audience)
+      end
+
+      it 'validates the extracted refresh token' do
+        expect(@instance).to receive(:validate_token).with(refresh_jwt, audience).and_return({
+          'iss' => 'https://api.descope.com/P2abcde12345',
+          'sub' => 'U2abcde12345'
+        })
+
+        @instance.refresh_session(refresh_token: refresh_token, audience: audience)
+      end
+
+      it 'includes cookie metadata in response' do
+        result = @instance.refresh_session(refresh_token: refresh_token, audience: audience)
+        expect(result['cookieData'][:domain]).to eq('dev.lulukuku.com')
+      end
+    end
+
+    context 'when only refresh token is in cookies (partial custom domain)' do
+      let(:api_response_body) do
+        {
+          'sessionJwt' => session_jwt,  # Session token in response body
+          'userId' => 'test123',
+          'cookieExpiration' => 1640704758,
+          'cookieDomain' => 'dev.lulukuku.com'
+        }
+      end
+
+      let(:set_cookie_headers) do
+        [
+          "DSR=#{refresh_jwt}; Path=/; Domain=dev.lulukuku.com; HttpOnly; Secure; Max-Age=2592000"
+        ]
+      end
+
+      let(:mock_response) do
+        double('response').tap do |response|
+          allow(response).to receive(:code).and_return(200)
+          allow(response).to receive(:body).and_return(api_response_body.to_json)
+          allow(response).to receive(:cookies).and_return({})
+          allow(response).to receive(:headers).and_return({ 'set-cookie' => set_cookie_headers })
+        end
+      end
+
+      before do
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({
+          'iss' => 'https://api.descope.com/P2abcde12345',
+          'sub' => 'U2abcde12345',
+          'permissions' => [],
+          'roles' => [],
+          'tenants' => {}
+        })
+        allow(@instance).to receive(:call).and_return(mock_response)
+      end
+
+      it 'handles mixed token sources (response body + custom domain cookies)' do
+        result = @instance.refresh_session(refresh_token: refresh_token, audience: audience)
+        
+        expect(result).to be_a(Hash)
+        expect(result['sessionToken']).to_not be_nil
+        expect(result['refreshSessionToken']).to_not be_nil
+      end
+    end
+
+    context 'error handling for custom domain configurations' do
+      let(:api_response_body) do
+        {
+          'userId' => 'test123',
+          'cookieExpiration' => 1640704758,
+          'cookieDomain' => 'dev.lulukuku.com'
+        }
+      end
+
+      let(:mock_response_no_cookies) do
+        double('response').tap do |response|
+          allow(response).to receive(:code).and_return(200)
+          allow(response).to receive(:body).and_return(api_response_body.to_json)
+          allow(response).to receive(:cookies).and_return({})
+          allow(response).to receive(:headers).and_return({}) # No Set-Cookie headers
+        end
+      end
+
+      before do
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({
+          'iss' => 'https://api.descope.com/P2abcde12345',
+          'sub' => 'U2abcde12345'
+        })
+        allow(@instance).to receive(:call).and_return(mock_response_no_cookies)
+      end
+
+      it 'provides helpful error message when no tokens are found' do
+        result = @instance.refresh_session(refresh_token: refresh_token, audience: audience)
+        expect(result).to be_a(Hash)
+        expect(result['sessionToken']).to be_nil
+        expect(result['refreshSessionToken']).to_not be_nil
+      end
+    end
+  end
+
+  describe 'validate_and_refresh_session with custom domain cookies' do
+    let(:session_token) { 'expired_session_token' }
+    let(:refresh_token) { 'valid_refresh_token' }
+    let(:audience) { nil }
+
+    context 'when session is expired and refresh uses custom domain cookies' do
+      let(:refresh_jwt) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2FwaS5kZXNjb3BlLmNvbSJ9.signature' }
+      
+      let(:api_response_body) do
+        {
+          'userId' => 'test123',
+          'cookieExpiration' => 1640704758,
+          'cookieDomain' => 'dev.lulukuku.com'
+        }
+      end
+
+      let(:set_cookie_headers) do
+        [
+          "DS=new_session_jwt; Path=/; Domain=dev.lulukuku.com; HttpOnly; Secure",
+          "DSR=#{refresh_jwt}; Path=/; Domain=dev.lulukuku.com; HttpOnly; Secure; Max-Age=2592000"
+        ]
+      end
+
+      let(:mock_response) do
+        double('response').tap do |response|
+          allow(response).to receive(:code).and_return(200)
+          allow(response).to receive(:body).and_return(api_response_body.to_json)
+          allow(response).to receive(:cookies).and_return({})
+          allow(response).to receive(:headers).and_return({ 'set-cookie' => set_cookie_headers })
+        end
+      end
+
+      before do
+        # Mock session validation to fail (expired token)
+        allow(@instance).to receive(:validate_session).and_raise(Descope::AuthException.new('Token expired'))
+        
+        # Mock refresh_session to work with custom domain cookies
+        allow(@instance).to receive(:validate_refresh_token_not_nil).and_return(true)
+        allow(@instance).to receive(:validate_token).and_return({
+          'iss' => 'https://api.descope.com/P2abcde12345',
+          'sub' => 'U2abcde12345',
+          'permissions' => [],
+          'roles' => [],
+          'tenants' => {}
+        })
+        allow(@instance).to receive(:call).and_return(mock_response)
+      end
+
+      it 'falls back to refresh_session when validate_session fails' do
+        expect(@instance).to receive(:refresh_session).with(
+          refresh_token: refresh_token,
+          audience: audience
+        ).and_call_original
+
+        result = @instance.validate_and_refresh_session(
+          session_token: session_token,
+          refresh_token: refresh_token,
+          audience: audience
+        )
+
+        expect(result).to be_a(Hash)
+      end
+    end
+  end
+end