oauth2 1.4.9 → 2.0.0

data/lib/oauth2/mac_token.rb

@@ -1,130 +0,0 @@
-# frozen_string_literal: true
-
-require 'base64'
-require 'digest'
-require 'openssl'
-require 'securerandom'
-
-module OAuth2
-  class MACToken < AccessToken
-    # Generates a MACToken from an AccessToken and secret
-    #
-    # @param [AccessToken] token the OAuth2::Token instance
-    # @option [String] secret the secret key value
-    # @param [Hash] opts the options to create the Access Token with
-    # @see MACToken#initialize
-    def self.from_access_token(token, secret, options = {})
-      new(token.client, token.token, secret, token.params.merge(:refresh_token => token.refresh_token, :expires_in => token.expires_in, :expires_at => token.expires_at).merge(options))
-    end
-
-    attr_reader :secret, :algorithm
-
-    # Initalize a MACToken
-    #
-    # @param [Client] client the OAuth2::Client instance
-    # @param [String] token the Access Token value
-    # @option [String] secret the secret key value
-    # @param [Hash] opts the options to create the Access Token with
-    # @option opts [String] :refresh_token (nil) the refresh_token value
-    # @option opts [FixNum, String] :expires_in (nil) the number of seconds in which the AccessToken will expire
-    # @option opts [FixNum, String] :expires_at (nil) the epoch time in seconds in which AccessToken will expire
-    # @option opts [FixNum, String] :algorithm (hmac-sha-256) the algorithm to use for the HMAC digest (one of 'hmac-sha-256', 'hmac-sha-1')
-    def initialize(client, token, secret, opts = {})
-      @secret = secret
-      self.algorithm = opts.delete(:algorithm) || 'hmac-sha-256'
-
-      super(client, token, opts)
-    end
-
-    # Make a request with the MAC Token
-    #
-    # @param [Symbol] verb the HTTP request method
-    # @param [String] path the HTTP URL path of the request
-    # @param [Hash] opts the options to make the request with
-    # @see Client#request
-    def request(verb, path, opts = {}, &block)
-      url = client.connection.build_url(path, opts[:params]).to_s
-
-      opts[:headers] ||= {}
-      opts[:headers]['Authorization'] = header(verb, url)
-
-      @client.request(verb, path, opts, &block)
-    end
-
-    # Get the headers hash (always an empty hash)
-    def headers
-      {}
-    end
-
-    # Generate the MAC header
-    #
-    # @param [Symbol] verb the HTTP request method
-    # @param [String] url the HTTP URL path of the request
-    def header(verb, url)
-      timestamp = Time.now.utc.to_i
-      nonce = Digest::MD5.hexdigest([timestamp, SecureRandom.hex].join(':'))
-
-      uri = URI.parse(url)
-
-      raise(ArgumentError, "could not parse \"#{url}\" into URI") unless uri.is_a?(URI::HTTP)
-
-      mac = signature(timestamp, nonce, verb, uri)
-
-      "MAC id=\"#{token}\", ts=\"#{timestamp}\", nonce=\"#{nonce}\", mac=\"#{mac}\""
-    end
-
-    # Generate the Base64-encoded HMAC digest signature
-    #
-    # @param [Fixnum] timestamp the timestamp of the request in seconds since epoch
-    # @param [String] nonce the MAC header nonce
-    # @param [Symbol] verb the HTTP request method
-    # @param [String] url the HTTP URL path of the request
-    def signature(timestamp, nonce, verb, uri)
-      signature = [
-        timestamp,
-        nonce,
-        verb.to_s.upcase,
-        uri.request_uri,
-        uri.host,
-        uri.port,
-        '', nil
-      ].join("\n")
-
-      strict_encode64(OpenSSL::HMAC.digest(@algorithm, secret, signature))
-    end
-
-    # Set the HMAC algorithm
-    #
-    # @param [String] alg the algorithm to use (one of 'hmac-sha-1', 'hmac-sha-256')
-    def algorithm=(alg)
-      @algorithm = case alg.to_s
-                   when 'hmac-sha-1'
-                     begin
-                       OpenSSL::Digest('SHA1').new
-                     rescue StandardError
-                       OpenSSL::Digest.new('SHA1')
-                     end
-                   when 'hmac-sha-256'
-                     begin
-                       OpenSSL::Digest('SHA256').new
-                     rescue StandardError
-                       OpenSSL::Digest.new('SHA256')
-                     end
-                   else
-                     raise(ArgumentError, 'Unsupported algorithm')
-                   end
-    end
-
-  private
-
-    # No-op since we need the verb and path
-    # and the MAC always goes in a header
-    def token=(_noop)
-    end
-
-    # Base64.strict_encode64 is not available on Ruby 1.8.7
-    def strict_encode64(str)
-      Base64.encode64(str).delete("\n")
-    end
-  end
-end

data/spec/fixtures/README.md

@@ -1,11 +0,0 @@
-# RS256
-
-## How keys were made
-
-```shell
-# No passphrase
-# Generates the public and private keys:
-ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key
-# Converts the key to PEM format
-openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
-```

data/spec/fixtures/RS256/jwtRS256.key

@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKwIBAAKCAgEA5hdXV/4YSymY1T9VNvK2bWRfulwIty1RnAPNINQmfh3aRRkV
-+PNrbC2Crji9G0AHmQwgW1bZ3kgkkpIm6RVn44fHvBvuXkZ9ABgXw0d2cLIHmwOF
-xSKmWAm/EW//GszUTLLLsMZUe2udtFJW0jxXB2GRY0WVYuo6Oo58RCeP719lw3Ag
-s0YF9/IobxKkGd4BautUPw6ZszAa3o+j0zR74x7ouPxybZAOuPsMxqanyeYJeH4o
-sJjLMYV9qem9uG2sj7GENJ8UszcpmGbqxBhexPEB7mgDeONIF0XJF23zdOf8ANE5
-mAU2h2v7M6moAfkdUzJ+j48+VT2omHAzAL5yNcmrl2xiWdyoxOw1Y1UmfEmJYV5V
-gGYyZ12JZRKY+szPT+vR+MDuYxbquF40O7kvkFNBfL1yCpzfSQCLnEs4rX8qRzZX
-ciLeyq4Ht5FLuRFgxjA//XI8LAmp0u7gk+Q7FUH1UgW3kmJDTG0XaxQxYTBSIO7m
-cmyjDyBgKVuQmt5E1ycFeteOVdPD/CG/fPYhthvc4UytEFwsMdNy3iD6/wuUH68t
-AKam28UZaOb0qK+00cQQD8fulY9rKtSL10LvJFWUOa/SJyLvk9vUmfvFn182il1n
-X6GpyxyMmE/FCnH4CT/DjrSZf08mOO8eL5ofYHMK/oiXr1eODqx+pOwClNsCAwEA
-AQKCAgEAy34vMFI4WBk04rx9d/hWoQ7Znu8QgjihaZLvEy6t0HJEfUH/bcqS4fyq
-C72Aeh452gCgiUeZrf4t4jdCFHhrBg8q9dHaEiTTHocwVPPZ6zd4hH8sCrpnVYth
-IWHkw2YOCLtEbFYrl3AI7Na5lHvrGEsREzQSN4Yh83Has0guAy1iyeNb+FFgq/XO
-DtX0ri/rHw1717zo8FIGIXn2EK/lNWw7tIcICKAUdUMK/JGd6XD6RUeGYxDu/CAs
-kF55/Sd6Kyd7XjKnUwzhS7kRvlYzUog4BgqVr4+LTZHZlFAYtfcJqAtinXFW1ZQJ
-eZp9TSlt5wvMZNjx7t92QUNRyEGmrQAU+8COHnT0/drFf0MCiyHSUN0E7/5fswhc
-uMSU9XiJA9G0wYvJl4zIuOuIYWZWhIqvjYSkvdlP70t9XO2gk/ZcCWsMW8i+xbwC
-w1+MMjsKsNedXxI99TIPPHcCNMxqlt1E1kHH3SAwCuEH/ez7PRMyEQQ0EyAk22x/
-piYIWXkX5835cLbLRIYafXgOiugWZjCwIqfRIcIpscmcijZwCF2DyevveYdx3krR
-FGA2PFydFyxCNG7XwvKb9kHb7WBERUPV/H3eCqu2SZ/RvF+I94LUYP4bu6CmFdO9
-wCJcGJoL1P7tVhS9lA5Oj0QWczrjnejCoI9XMMduWk032rR1VYECggEBAPZDnTBY
-H2uiVmGdMfWTAmX86kiHVpkL03OG6rgvDMsMOYKnik9Lb3gNeUIuPeAWFNrXCoD1
-qp0loxPhKSojNOOM8Yiz/GwQ/QI9dzgtxs7E7rFFyTuJcY48Do8uOFyUHbAbeOBF
-b9UL/uBfWZGVV1YY753xyqYlCpxTVQGms1jsbVFdZE1iVpOwAkFVuoLYaHLut4zB
-01ORyBSoWan173P+IQH6F1uNXE2Kk/FIMDN6bgP1pXkdkrTx4WjAmRnP/Sc4r38/
-F1xN+gxnWGPUKDVRPYBpVzDR036w65ODgg2FROK2vIxlStiAC/rc0JLsvaWfb1Rn
-dsWdJJ1V6mZ6a5sCggEBAO8wC1jcIoiBz3xoA8E5BSt8qLJ7ZuSFaaidvWX2/xj6
-lSWJxCGQfhR7P6ozvH6UDo1WbJT6nNyXPkiDkAzcmAdsYVjULW3K2LI9oPajaJxY
-L7KJpylgh9JhMvbMz3VVjTgYRt+kjX+3uFMZNx1YfiBP+S6xx5sjK9CKDz3H99kC
-q9bX95YFqZ7yFE3aBCR6CENo2tXpMN96CLQGpwa0bwt3xNzC4MhZMXbGR3DdBYbD
-tS9lJfQvAVUYxbSE/2FBgjpO6ArMyU2ZUEDFx9J6IhfhVbQV4VeITMyRNo0XwBiQ
-/+XpLXgHkw7LiNMIoc7d+M7yLA1Vz7+r8XxWHHZCL8ECggEBAPK8VrYORno7e1Wg
-MlxS2WxZzTxMWmlkpLoc5END7SI/HHjSV5wtSORWs40uM0MrwMasa+gNPmzDamjv
-6Tllln4ssO8EKe0DGcAZgefYBzxMFNKbbOzIXyvJurga4Ocv/8tUaOL2znJ67nGO
-yqSbRYjR724JpKv7mufXo9SK0gD2mhI3MeSs55WPScnIjJzoXpva/QU7D+gxq7vg
-7PCAP9RfS329W0Sco7yyuXx8oTY8mTBB8ybcpXzBZmNwY/hzcJ42W5XbRFVxbuTH
-APL1beSP/UUTkCPIzuTz0mCGoaxeDjZB1Lu2I/4eyLAu80+/FneoHX5etU23xR1o
-UDFOvb0CggEBALTTc6CoPAtLaBs7X6tSelAYHEli9bTKD8kEB83wX4b42ozYjEh7
-vnWpf8Yi+twO/rlnnws6NCCoztNvcxXmJ6FlFGtdbULV2eFWqjwL6ehY2yZ03sVv
-Tv+DsE3ZJPYlyW+hGuO0uazWrilUpNAwuJmhHFdq2+azPkqYNVGVvhB37oWsHGd0
-vHmHtkXtDris8VZVDSwu8V3iGnZPmTJ+cn0O/OuRAPM2SyjqWdQ/pA/wIShFpd3n
-M3CsG7uP2KokJloCkXaov39E6uEtJRZAc0nudyaAbC4Kw1Tca4tba0SnSm78S/20
-bD8BLN2uZvXH5nQ9rYQfXcIgMZ64UygsfYECggEBAIw0fQaIVmafa0Hz3ipD4PJI
-5QNkh2t9hvOCSKm1xYTNATl0q/VIkZoy1WoxY6SSchcObLxQKbJ9ORi4XNr+IJK5
-3C1Qz/3iv/S3/ktgmqGhQiqybkkHZcbqTXB2wxrx+aaLS7PEfYiuYCrPbX93160k
-MVns8PjvYU8KCNMbL2e+AiKEt1KkKAZIpNQdeeJOEhV9wuLYFosd400aYssuSOVW
-IkJhGI0lT/7FDJaw0LV98DhQtauANPSUQKN5iw6vciwtsaF1kXMfGlMXj58ntiMq
-NizQPR6/Ar1ewLPMh1exDoAfLnCIMk8nbSraW+cebLAZctPugUpfpu3j2LM98aE=
------END RSA PRIVATE KEY-----

data/spec/fixtures/RS256/jwtRS256.key.pub

@@ -1,14 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5hdXV/4YSymY1T9VNvK2
-bWRfulwIty1RnAPNINQmfh3aRRkV+PNrbC2Crji9G0AHmQwgW1bZ3kgkkpIm6RVn
-44fHvBvuXkZ9ABgXw0d2cLIHmwOFxSKmWAm/EW//GszUTLLLsMZUe2udtFJW0jxX
-B2GRY0WVYuo6Oo58RCeP719lw3Ags0YF9/IobxKkGd4BautUPw6ZszAa3o+j0zR7
-4x7ouPxybZAOuPsMxqanyeYJeH4osJjLMYV9qem9uG2sj7GENJ8UszcpmGbqxBhe
-xPEB7mgDeONIF0XJF23zdOf8ANE5mAU2h2v7M6moAfkdUzJ+j48+VT2omHAzAL5y
-Ncmrl2xiWdyoxOw1Y1UmfEmJYV5VgGYyZ12JZRKY+szPT+vR+MDuYxbquF40O7kv
-kFNBfL1yCpzfSQCLnEs4rX8qRzZXciLeyq4Ht5FLuRFgxjA//XI8LAmp0u7gk+Q7
-FUH1UgW3kmJDTG0XaxQxYTBSIO7mcmyjDyBgKVuQmt5E1ycFeteOVdPD/CG/fPYh
-thvc4UytEFwsMdNy3iD6/wuUH68tAKam28UZaOb0qK+00cQQD8fulY9rKtSL10Lv
-JFWUOa/SJyLvk9vUmfvFn182il1nX6GpyxyMmE/FCnH4CT/DjrSZf08mOO8eL5of
-YHMK/oiXr1eODqx+pOwClNsCAwEAAQ==
------END PUBLIC KEY-----

data/spec/helper.rb

@@ -1,33 +0,0 @@
-# frozen_string_literal: true
-
-DEBUG = ENV['DEBUG'] == 'true'
-RUN_COVERAGE = ENV['CI_CODECOV'] || ENV['CI'].nil?
-
-ruby_version = Gem::Version.new(RUBY_VERSION)
-minimum_version = ->(version) { ruby_version >= Gem::Version.new(version) && RUBY_ENGINE == 'ruby' }
-coverage = minimum_version.call('2.7') && RUN_COVERAGE
-debug = minimum_version.call('2.5') && DEBUG
-
-require 'simplecov' if coverage
-require 'byebug' if debug
-
-require 'oauth2'
-require 'addressable/uri'
-require 'rspec'
-require 'rspec/stubbed_env'
-require 'rspec/pending_for'
-require 'silent_stream'
-
-RSpec.configure do |config|
-  config.expect_with :rspec do |c|
-    c.syntax = :expect
-  end
-end
-
-Faraday.default_adapter = :test
-
-RSpec.configure do |conf|
-  conf.include SilentStream
-end
-
-VERBS = [:get, :post, :put, :delete].freeze

data/spec/oauth2/access_token_spec.rb

@@ -1,218 +0,0 @@
-# frozen_string_literal: true
-
-describe OAuth2::AccessToken do
-  subject { described_class.new(client, token) }
-
-  let(:token) { 'monkey' }
-  let(:refresh_body) { MultiJson.encode(:access_token => 'refreshed_foo', :expires_in => 600, :refresh_token => 'refresh_bar') }
-  let(:client) do
-    OAuth2::Client.new('abc', 'def', :site => 'https://api.example.com') do |builder|
-      builder.request :url_encoded
-      builder.adapter :test do |stub|
-        VERBS.each do |verb|
-          stub.send(verb, '/token/header') { |env| [200, {}, env[:request_headers]['Authorization']] }
-          stub.send(verb, "/token/query?access_token=#{token}") { |env| [200, {}, Addressable::URI.parse(env[:url]).query_values['access_token']] }
-          stub.send(verb, '/token/query_string') { |env| [200, {}, CGI.unescape(Addressable::URI.parse(env[:url]).query)] }
-          stub.send(verb, '/token/body') { |env| [200, {}, env[:body]] }
-        end
-        stub.post('/oauth/token') { |env| [200, {'Content-Type' => 'application/json'}, refresh_body] }
-      end
-    end
-  end
-
-  describe '#initialize' do
-    it 'assigns client and token' do
-      expect(subject.client).to eq(client)
-      expect(subject.token).to eq(token)
-    end
-
-    it 'assigns extra params' do
-      target = described_class.new(client, token, 'foo' => 'bar')
-      expect(target.params).to include('foo')
-      expect(target.params['foo']).to eq('bar')
-    end
-
-    def assert_initialized_token(target)
-      expect(target.token).to eq(token)
-      expect(target).to be_expires
-      expect(target.params.keys).to include('foo')
-      expect(target.params['foo']).to eq('bar')
-    end
-
-    it 'initializes with a Hash' do
-      hash = {:access_token => token, :expires_at => Time.now.to_i + 200, 'foo' => 'bar'}
-      target = described_class.from_hash(client, hash)
-      assert_initialized_token(target)
-    end
-
-    it 'from_hash does not modify opts hash' do
-      hash = {:access_token => token, :expires_at => Time.now.to_i}
-      hash_before = hash.dup
-      described_class.from_hash(client, hash)
-      expect(hash).to eq(hash_before)
-    end
-
-    it 'initializes with a form-urlencoded key/value string' do
-      kvform = "access_token=#{token}&expires_at=#{Time.now.to_i + 200}&foo=bar"
-      target = described_class.from_kvform(client, kvform)
-      assert_initialized_token(target)
-    end
-
-    it 'sets options' do
-      target = described_class.new(client, token, :param_name => 'foo', :header_format => 'Bearer %', :mode => :body)
-      expect(target.options[:param_name]).to eq('foo')
-      expect(target.options[:header_format]).to eq('Bearer %')
-      expect(target.options[:mode]).to eq(:body)
-    end
-
-    it 'does not modify opts hash' do
-      opts = {:param_name => 'foo', :header_format => 'Bearer %', :mode => :body}
-      opts_before = opts.dup
-      described_class.new(client, token, opts)
-      expect(opts).to eq(opts_before)
-    end
-
-    describe 'expires_at' do
-      let(:expires_at) { 1_361_396_829 }
-      let(:hash) do
-        {
-          :access_token => token,
-          :expires_at => expires_at.to_s,
-          'foo' => 'bar',
-        }
-      end
-
-      it 'initializes with an integer timestamp expires_at' do
-        target = described_class.from_hash(client, hash.merge(:expires_at => expires_at))
-        assert_initialized_token(target)
-        expect(target.expires_at).to eql(expires_at)
-      end
-
-      it 'initializes with a string timestamp expires_at' do
-        target = described_class.from_hash(client, hash)
-        assert_initialized_token(target)
-        expect(target.expires_at).to eql(expires_at)
-      end
-
-      it 'initializes with a string time expires_at' do
-        target = described_class.from_hash(client, hash.merge(:expires_at => Time.at(expires_at).iso8601))
-        assert_initialized_token(target)
-        expect(target.expires_at).to eql(expires_at)
-      end
-    end
-  end
-
-  describe '#request' do
-    context 'with :mode => :header' do
-      before do
-        subject.options[:mode] = :header
-      end
-
-      VERBS.each do |verb|
-        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
-          expect(subject.post('/token/header').body).to include(token)
-        end
-      end
-    end
-
-    context 'with :mode => :query' do
-      before do
-        subject.options[:mode] = :query
-      end
-
-      VERBS.each do |verb|
-        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
-          expect(subject.post('/token/query').body).to eq(token)
-        end
-
-        it "sends a #{verb.to_s.upcase} request and options[:param_name] include [number]." do
-          subject.options[:param_name] = 'auth[1]'
-          expect(subject.__send__(verb, '/token/query_string').body).to include("auth[1]=#{token}")
-        end
-      end
-    end
-
-    context 'with :mode => :body' do
-      before do
-        subject.options[:mode] = :body
-      end
-
-      VERBS.each do |verb|
-        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
-          expect(subject.post('/token/body').body.split('=').last).to eq(token)
-        end
-      end
-    end
-
-    context 'params include [number]' do
-      VERBS.each do |verb|
-        it "sends #{verb.to_s.upcase} correct query" do
-          expect(subject.__send__(verb, '/token/query_string', :params => {'foo[bar][1]' => 'val'}).body).to include('foo[bar][1]=val')
-        end
-      end
-    end
-  end
-
-  describe '#expires?' do
-    it 'is false if there is no expires_at' do
-      expect(described_class.new(client, token)).not_to be_expires
-    end
-
-    it 'is true if there is an expires_in' do
-      expect(described_class.new(client, token, :refresh_token => 'abaca', :expires_in => 600)).to be_expires
-    end
-
-    it 'is true if there is an expires_at' do
-      expect(described_class.new(client, token, :refresh_token => 'abaca', :expires_in => Time.now.getutc.to_i + 600)).to be_expires
-    end
-  end
-
-  describe '#expired?' do
-    it 'is false if there is no expires_in or expires_at' do
-      expect(described_class.new(client, token)).not_to be_expired
-    end
-
-    it 'is false if expires_in is in the future' do
-      expect(described_class.new(client, token, :refresh_token => 'abaca', :expires_in => 10_800)).not_to be_expired
-    end
-
-    it 'is true if expires_at is in the past' do
-      access = described_class.new(client, token, :refresh_token => 'abaca', :expires_in => 600)
-      @now = Time.now + 10_800
-      allow(Time).to receive(:now).and_return(@now)
-      expect(access).to be_expired
-    end
-  end
-
-  describe '#refresh!' do
-    let(:access) do
-      described_class.new(client, token, :refresh_token => 'abaca',
-                                         :expires_in => 600,
-                                         :param_name => 'o_param')
-    end
-
-    it 'returns a refresh token with appropriate values carried over' do
-      refreshed = access.refresh!
-      expect(access.client).to eq(refreshed.client)
-      expect(access.options[:param_name]).to eq(refreshed.options[:param_name])
-    end
-
-    context 'with a nil refresh_token in the response' do
-      let(:refresh_body) { MultiJson.encode(:access_token => 'refreshed_foo', :expires_in => 600, :refresh_token => nil) }
-
-      it 'copies the refresh_token from the original token' do
-        refreshed = access.refresh!
-
-        expect(refreshed.refresh_token).to eq(access.refresh_token)
-      end
-    end
-  end
-
-  describe '#to_hash' do
-    it 'return a hash equals to the hash used to initialize access token' do
-      hash = {:access_token => token, :refresh_token => 'foobar', :expires_at => Time.now.to_i + 200, 'foo' => 'bar'}
-      access_token = described_class.from_hash(client, hash.clone)
-      expect(access_token.to_hash).to eq(hash)
-    end
-  end
-end

data/spec/oauth2/authenticator_spec.rb

@@ -1,86 +0,0 @@
-# frozen_string_literal: true
-
-describe OAuth2::Authenticator do
-  subject do
-    described_class.new(client_id, client_secret, mode)
-  end
-
-  let(:client_id) { 'foo' }
-  let(:client_secret) { 'bar' }
-  let(:mode) { :undefined }
-
-  it 'raises NotImplementedError for unknown authentication mode' do
-    expect { subject.apply({}) }.to raise_error(NotImplementedError)
-  end
-
-  describe '#apply' do
-    context 'with parameter-based authentication' do
-      let(:mode) { :request_body }
-
-      it 'adds client_id and client_secret to params' do
-        output = subject.apply({})
-        expect(output).to eq('client_id' => 'foo', 'client_secret' => 'bar')
-      end
-
-      it 'does not overwrite existing credentials' do
-        input = {'client_secret' => 's3cr3t'}
-        output = subject.apply(input)
-        expect(output).to eq('client_id' => 'foo', 'client_secret' => 's3cr3t')
-      end
-
-      it 'preserves other parameters' do
-        input = {'state' => '42', :headers => {'A' => 'b'}}
-        output = subject.apply(input)
-        expect(output).to eq(
-          'client_id' => 'foo',
-          'client_secret' => 'bar',
-          'state' => '42',
-          :headers => {'A' => 'b'}
-        )
-      end
-
-      context 'using tls client authentication' do
-        let(:mode) { :tls_client_auth }
-
-        it 'does not add client_secret' do
-          output = subject.apply({})
-          expect(output).to eq('client_id' => 'foo')
-        end
-      end
-
-      context 'using private key jwt authentication' do
-        let(:mode) { :private_key_jwt }
-
-        it 'does not add client_secret or client_id' do
-          output = subject.apply({})
-          expect(output).to eq({})
-        end
-      end
-    end
-
-    context 'with Basic authentication' do
-      let(:mode) { :basic_auth }
-      let(:header) { 'Basic ' + Base64.encode64("#{client_id}:#{client_secret}").delete("\n") }
-
-      it 'encodes credentials in headers' do
-        output = subject.apply({})
-        expect(output).to eq(:headers => {'Authorization' => header})
-      end
-
-      it 'does not overwrite existing credentials' do
-        input = {:headers => {'Authorization' => 'Bearer abc123'}}
-        output = subject.apply(input)
-        expect(output).to eq(:headers => {'Authorization' => 'Bearer abc123'})
-      end
-
-      it 'does not overwrite existing params or headers' do
-        input = {'state' => '42', :headers => {'A' => 'b'}}
-        output = subject.apply(input)
-        expect(output).to eq(
-          'state' => '42',
-          :headers => {'A' => 'b', 'Authorization' => header}
-        )
-      end
-    end
-  end
-end