omniauth-auth0 3.1.1 → 3.2.0

data/spec/omniauth/strategies/auth0_spec.rb

@@ -3,6 +3,7 @@
 require 'spec_helper'
 require 'jwt'
 require 'multi_json'
+require 'cgi'
 
 OmniAuth.config.allowed_request_methods = [:get, :post]
 
@@ -10,10 +11,231 @@ RSpec.shared_examples 'site has valid domain url' do |url|
   it { expect(subject.site).to eq(url) }
 end
 
+RSpec.shared_examples 'client_options with valid configuration' do
+  context 'domain with https' do
+    let(:domain_url) { 'https://samples.auth0.com' }
+    it_behaves_like 'site has valid domain url', 'https://samples.auth0.com'
+  end
+
+  context 'domain with http' do
+    let(:domain_url) { 'http://mydomain.com' }
+    it_behaves_like 'site has valid domain url', 'http://mydomain.com'
+  end
+
+  context 'domain with host only' do
+    let(:domain_url) { 'samples.auth0.com' }
+    it_behaves_like 'site has valid domain url', 'https://samples.auth0.com'
+  end
+
+  it 'should have correct authorize path' do
+    expect(subject.options[:authorize_url]).to eq('/authorize')
+  end
+
+  it 'should have the correct userinfo path' do
+    expect(subject.options[:userinfo_url]).to eq('/userinfo')
+  end
+
+  it 'should have the correct token path' do
+    expect(subject.options[:token_url]).to eq('/oauth/token')
+  end
+end
+
+RSpec.shared_examples 'oauth redirects with various parameters' do
+  it 'redirects to hosted login page' do
+    get 'auth/auth0'
+    expect(last_response.status).to eq(302)
+    redirect_url = last_response.headers['Location']
+    expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+    expect(redirect_url).to have_query('response_type', 'code')
+    expect(redirect_url).to have_query('state')
+    expect(redirect_url).to have_query('client_id')
+    expect(redirect_url).to have_query('redirect_uri')
+    expect(redirect_url).not_to have_query('auth0Client')
+    expect(redirect_url).not_to have_query('connection')
+    expect(redirect_url).not_to have_query('connection_scope')
+    expect(redirect_url).not_to have_query('prompt')
+    expect(redirect_url).not_to have_query('screen_hint')
+    expect(redirect_url).not_to have_query('login_hint')
+    expect(redirect_url).not_to have_query('organization')
+    expect(redirect_url).not_to have_query('invitation')
+  end
+
+  it 'redirects to hosted login page' do
+    get 'auth/auth0?connection=abcd'
+    expect(last_response.status).to eq(302)
+    redirect_url = last_response.headers['Location']
+    expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+    expect(redirect_url).to have_query('response_type', 'code')
+    expect(redirect_url).to have_query('state')
+    expect(redirect_url).to have_query('client_id')
+    expect(redirect_url).to have_query('redirect_uri')
+    expect(redirect_url).to have_query('connection', 'abcd')
+    expect(redirect_url).not_to have_query('auth0Client')
+    expect(redirect_url).not_to have_query('connection_scope')
+    expect(redirect_url).not_to have_query('prompt')
+    expect(redirect_url).not_to have_query('screen_hint')
+    expect(redirect_url).not_to have_query('login_hint')
+    expect(redirect_url).not_to have_query('organization')
+    expect(redirect_url).not_to have_query('invitation')
+  end
+
+  it 'redirects to the hosted login page with connection_scope' do
+    get 'auth/auth0?connection_scope=identity_provider_scope'
+    expect(last_response.status).to eq(302)
+    redirect_url = last_response.headers['Location']
+    expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+    expect(redirect_url)
+      .to have_query('connection_scope', 'identity_provider_scope')
+  end
+
+  it 'redirects to hosted login page with prompt=login' do
+    get 'auth/auth0?prompt=login'
+    expect(last_response.status).to eq(302)
+    redirect_url = last_response.headers['Location']
+    expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+    expect(redirect_url).to have_query('response_type', 'code')
+    expect(redirect_url).to have_query('state')
+    expect(redirect_url).to have_query('client_id')
+    expect(redirect_url).to have_query('redirect_uri')
+    expect(redirect_url).to have_query('prompt', 'login')
+    expect(redirect_url).not_to have_query('auth0Client')
+    expect(redirect_url).not_to have_query('connection')
+    expect(redirect_url).not_to have_query('login_hint')
+    expect(redirect_url).not_to have_query('organization')
+    expect(redirect_url).not_to have_query('invitation')
+  end
+
+  it 'redirects to hosted login page with screen_hint=signup' do
+    get 'auth/auth0?screen_hint=signup'
+    expect(last_response.status).to eq(302)
+    redirect_url = last_response.headers['Location']
+    expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+    expect(redirect_url).to have_query('response_type', 'code')
+    expect(redirect_url).to have_query('state')
+    expect(redirect_url).to have_query('client_id')
+    expect(redirect_url).to have_query('redirect_uri')
+    expect(redirect_url).to have_query('screen_hint', 'signup')
+    expect(redirect_url).not_to have_query('auth0Client')
+    expect(redirect_url).not_to have_query('connection')
+    expect(redirect_url).not_to have_query('login_hint')
+    expect(redirect_url).not_to have_query('organization')
+    expect(redirect_url).not_to have_query('invitation')
+  end
+
+  it 'redirects to hosted login page with organization=TestOrg and invitation=TestInvite' do
+    get 'auth/auth0?organization=TestOrg&invitation=TestInvite'
+    expect(last_response.status).to eq(302)
+    redirect_url = last_response.headers['Location']
+    expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+    expect(redirect_url).to have_query('response_type', 'code')
+    expect(redirect_url).to have_query('state')
+    expect(redirect_url).to have_query('client_id')
+    expect(redirect_url).to have_query('redirect_uri')
+    expect(redirect_url).to have_query('organization', 'TestOrg')
+    expect(redirect_url).to have_query('invitation', 'TestInvite')
+    expect(redirect_url).not_to have_query('auth0Client')
+    expect(redirect_url).not_to have_query('connection')
+    expect(redirect_url).not_to have_query('connection_scope')
+    expect(redirect_url).not_to have_query('prompt')
+    expect(redirect_url).not_to have_query('screen_hint')
+    expect(redirect_url).not_to have_query('login_hint')
+  end
+
+  it 'redirects to hosted login page with login_hint=example@mail.com' do
+    get 'auth/auth0?login_hint=example@mail.com'
+    expect(last_response.status).to eq(302)
+    redirect_url = last_response.headers['Location']
+    expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+    expect(redirect_url).to have_query('response_type', 'code')
+    expect(redirect_url).to have_query('state')
+    expect(redirect_url).to have_query('client_id')
+    expect(redirect_url).to have_query('redirect_uri')
+    expect(redirect_url).to have_query('login_hint', 'example@mail.com')
+    expect(redirect_url).not_to have_query('auth0Client')
+    expect(redirect_url).not_to have_query('connection')
+    expect(redirect_url).not_to have_query('connection_scope')
+    expect(redirect_url).not_to have_query('prompt')
+    expect(redirect_url).not_to have_query('screen_hint')
+    expect(redirect_url).not_to have_query('organization')
+    expect(redirect_url).not_to have_query('invitation')
+  end
+
+  it "stores session['authorize_params'] as a plain Ruby Hash" do
+    get '/auth/auth0'
+    expect(session['authorize_params'].class).to eq(::Hash)
+  end
+end
+
+RSpec.shared_examples 'basic oauth callback assertions' do
+  it 'to succeed' do
+    expect(last_response.status).to eq(200)
+  end
+
+  it 'has credentials' do
+    expect(subject['credentials']['token']).to eq(access_token)
+    expect(subject['credentials']['expires']).to be true
+    expect(subject['credentials']['expires_at']).to_not be_nil
+  end
+
+  it 'has basic values' do
+    expect(subject['provider']).to eq('auth0')
+    expect(subject['uid']).to eq(user_id)
+    expect(subject['info']['name']).to eq(name)
+  end
+
+  it 'should use the user info endpoint' do
+    expect(subject['extra']['raw_info']).to eq(basic_user_info)
+  end
+end
+
+RSpec.shared_examples 'basic oauth refresh token callback assertions' do
+  it 'to succeed' do
+    expect(last_response.status).to eq(200)
+  end
+
+  it 'has credentials' do
+    expect(subject['credentials']['token']).to eq(access_token)
+    expect(subject['credentials']['refresh_token']).to eq(refresh_token)
+    expect(subject['credentials']['expires']).to be true
+    expect(subject['credentials']['expires_at']).to_not be_nil
+  end
+end
+
+RSpec.shared_examples 'oidc callback assertions' do
+  it 'to succeed' do
+    expect(last_response.status).to eq(200)
+  end
+
+  it 'has credentials' do
+    expect(subject['credentials']['token']).to eq(access_token)
+    expect(subject['credentials']['expires']).to be true
+    expect(subject['credentials']['expires_at']).to_not be_nil
+    expect(subject['credentials']['id_token']).to eq(id_token)
+  end
+
+  it 'has basic values' do
+    expect(subject['provider']).to eq('auth0')
+    expect(subject['uid']).to eq(user_id)
+  end
+
+  it 'has info' do
+    expect(subject['info']['name']).to eq(name)
+    expect(subject['info']['nickname']).to eq(nickname)
+    expect(subject['info']['image']).to eq(picture)
+    expect(subject['info']['email']).to eq(email)
+  end
+
+  it 'has extra' do
+    expect(subject['extra']['raw_info']['email_verified']).to be true
+  end
+end
+
 describe OmniAuth::Strategies::Auth0 do
   let(:client_id) { 'CLIENT_ID' }
   let(:client_secret) { 'CLIENT_SECRET' }
   let(:domain_url) { 'https://samples.auth0.com' }
+  let(:client_assertion_signing_algorithm) { 'RS256' }
+  let(:client_assertion_signing_key) { OpenSSL::PKey::RSA.generate(2048) }
   let(:application) do
     lambda do
       [200, {}, ['Hello.']]
@@ -27,176 +249,97 @@ describe OmniAuth::Strategies::Auth0 do
       domain_url
     )
   end
-
-  describe 'client_options' do
-    let(:subject) { OmniAuth::Strategies::Auth0.new(
+  let(:auth0_client_assertion_signing_key) do
+    OmniAuth::Strategies::Auth0.new(
       application,
       client_id,
-      client_secret,
-      domain_url
-    ).client }
-
-    context 'domain with https' do
-      let(:domain_url) { 'https://samples.auth0.com' }
-      it_behaves_like 'site has valid domain url', 'https://samples.auth0.com'
-    end
-
-    context 'domain with http' do
-      let(:domain_url) { 'http://mydomain.com' }
-      it_behaves_like 'site has valid domain url', 'http://mydomain.com'
-    end
-
-    context 'domain with host only' do
-      let(:domain_url) { 'samples.auth0.com' }
-      it_behaves_like 'site has valid domain url', 'https://samples.auth0.com'
+      nil,
+      domain_url,
+      { client_assertion_signing_key: client_assertion_signing_key,
+        client_assertion_signing_algorithm: client_assertion_signing_algorithm}
+    )
+  end
+  describe 'client_options' do
+    context 'when using client_secret authentication' do
+      let(:subject) { OmniAuth::Strategies::Auth0.new(
+        application,
+        client_id,
+        client_secret,
+        domain_url
+      ).client }
+
+      it_behaves_like 'client_options with valid configuration'
     end
 
-    it 'should have correct authorize path' do
-      expect(subject.options[:authorize_url]).to eq('/authorize')
-    end
+    context 'when using client assertion signing key authentication' do
+      let(:subject) do
+        OmniAuth::Strategies::Auth0.new(
+          application,
+          client_id,
+          nil,
+          domain_url,
+          { client_assertion_signing_key: client_assertion_signing_key,
+            client_assertion_signing_algorithm: client_assertion_signing_algorithm }
+        ).client
+      end
 
-    it 'should have the correct userinfo path' do
-      expect(subject.options[:userinfo_url]).to eq('/userinfo')
-    end
+      it_behaves_like 'client_options with valid configuration'
 
-    it 'should have the correct token path' do
-      expect(subject.options[:token_url]).to eq('/oauth/token')
+      it 'should have the correct auth_scheme' do
+        expect(subject.options[:auth_scheme]).to eq(:request_body)
+      end
     end
   end
 
   describe 'options' do
-    let(:subject) { auth0.options }
+    context 'when using client_secret authentication' do
+      let(:subject) { auth0.options }
 
-    it 'should have the correct client_id' do
-      expect(subject[:client_id]).to eq(client_id)
-    end
+      it 'should have the correct client_id' do
+        expect(subject[:client_id]).to eq(client_id)
+      end
 
-    it 'should have the correct client secret' do
-      expect(subject[:client_secret]).to eq(client_secret)
-    end
-    it 'should have correct domain' do
-      expect(subject[:domain]).to eq(domain_url)
+      it 'should have the correct client secret' do
+        expect(subject[:client_secret]).to eq(client_secret)
+      end
+      it 'should have correct domain' do
+        expect(subject[:domain]).to eq(domain_url)
+      end
     end
-  end
 
-  describe 'oauth' do
-    it 'redirects to hosted login page' do
-      get 'auth/auth0'
-      expect(last_response.status).to eq(302)
-      redirect_url = last_response.headers['Location']
-      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
-      expect(redirect_url).to have_query('response_type', 'code')
-      expect(redirect_url).to have_query('state')
-      expect(redirect_url).to have_query('client_id')
-      expect(redirect_url).to have_query('redirect_uri')
-      expect(redirect_url).not_to have_query('auth0Client')
-      expect(redirect_url).not_to have_query('connection')
-      expect(redirect_url).not_to have_query('connection_scope')
-      expect(redirect_url).not_to have_query('prompt')
-      expect(redirect_url).not_to have_query('screen_hint')
-      expect(redirect_url).not_to have_query('login_hint')
-      expect(redirect_url).not_to have_query('organization')
-      expect(redirect_url).not_to have_query('invitation')
-    end
+    context 'when using client assertion signing key authentication' do
+      let(:subject) { auth0_client_assertion_signing_key.options }
 
-    it 'redirects to hosted login page' do
-      get 'auth/auth0?connection=abcd'
-      expect(last_response.status).to eq(302)
-      redirect_url = last_response.headers['Location']
-      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
-      expect(redirect_url).to have_query('response_type', 'code')
-      expect(redirect_url).to have_query('state')
-      expect(redirect_url).to have_query('client_id')
-      expect(redirect_url).to have_query('redirect_uri')
-      expect(redirect_url).to have_query('connection', 'abcd')
-      expect(redirect_url).not_to have_query('auth0Client')
-      expect(redirect_url).not_to have_query('connection_scope')
-      expect(redirect_url).not_to have_query('prompt')
-      expect(redirect_url).not_to have_query('screen_hint')
-      expect(redirect_url).not_to have_query('login_hint')
-      expect(redirect_url).not_to have_query('organization')
-      expect(redirect_url).not_to have_query('invitation')
-    end
+      it 'should have the correct client_id' do
+        expect(subject[:client_id]).to eq(client_id)
+      end
 
-    it 'redirects to the hosted login page with connection_scope' do
-      get 'auth/auth0?connection_scope=identity_provider_scope'
-      expect(last_response.status).to eq(302)
-      redirect_url = last_response.headers['Location']
-      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
-      expect(redirect_url)
-        .to have_query('connection_scope', 'identity_provider_scope')
-    end
+      it 'should have the correct client secret' do
+        expect(subject[:client_secret]).to eq(nil)
+      end
+      it 'should have correct domain' do
+        expect(subject[:domain]).to eq(domain_url)
+      end
 
-    it 'redirects to hosted login page with prompt=login' do
-      get 'auth/auth0?prompt=login'
-      expect(last_response.status).to eq(302)
-      redirect_url = last_response.headers['Location']
-      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
-      expect(redirect_url).to have_query('response_type', 'code')
-      expect(redirect_url).to have_query('state')
-      expect(redirect_url).to have_query('client_id')
-      expect(redirect_url).to have_query('redirect_uri')
-      expect(redirect_url).to have_query('prompt', 'login')
-      expect(redirect_url).not_to have_query('auth0Client')
-      expect(redirect_url).not_to have_query('connection')
-      expect(redirect_url).not_to have_query('login_hint')
-      expect(redirect_url).not_to have_query('organization')
-      expect(redirect_url).not_to have_query('invitation')
+      it 'should have the correct client_assertion_signing_key' do
+        expect(subject[:client_assertion_signing_key]).to eq(client_assertion_signing_key)
+      end
     end
+  end
 
-    it 'redirects to hosted login page with screen_hint=signup' do
-      get 'auth/auth0?screen_hint=signup'
-      expect(last_response.status).to eq(302)
-      redirect_url = last_response.headers['Location']
-      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
-      expect(redirect_url).to have_query('response_type', 'code')
-      expect(redirect_url).to have_query('state')
-      expect(redirect_url).to have_query('client_id')
-      expect(redirect_url).to have_query('redirect_uri')
-      expect(redirect_url).to have_query('screen_hint', 'signup')
-      expect(redirect_url).not_to have_query('auth0Client')
-      expect(redirect_url).not_to have_query('connection')
-      expect(redirect_url).not_to have_query('login_hint')
-      expect(redirect_url).not_to have_query('organization')
-      expect(redirect_url).not_to have_query('invitation')
+  describe 'oauth' do
+    context 'when using client_secret authentication' do
+      it_behaves_like 'oauth redirects with various parameters'
     end
 
-    it 'redirects to hosted login page with organization=TestOrg and invitation=TestInvite' do
-      get 'auth/auth0?organization=TestOrg&invitation=TestInvite'
-      expect(last_response.status).to eq(302)
-      redirect_url = last_response.headers['Location']
-      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
-      expect(redirect_url).to have_query('response_type', 'code')
-      expect(redirect_url).to have_query('state')
-      expect(redirect_url).to have_query('client_id')
-      expect(redirect_url).to have_query('redirect_uri')
-      expect(redirect_url).to have_query('organization', 'TestOrg')
-      expect(redirect_url).to have_query('invitation', 'TestInvite')
-      expect(redirect_url).not_to have_query('auth0Client')
-      expect(redirect_url).not_to have_query('connection')
-      expect(redirect_url).not_to have_query('connection_scope')
-      expect(redirect_url).not_to have_query('prompt')
-      expect(redirect_url).not_to have_query('screen_hint')
-      expect(redirect_url).not_to have_query('login_hint')
-    end
+    context 'when using client assertion signing key authentication' do
+      before do
+        @app = make_application(client_secret: nil,
+                                client_assertion_signing_key: client_assertion_signing_key,
+                                client_assertion_signing_algorithm: client_assertion_signing_algorithm)
+      end
 
-    it 'redirects to hosted login page with login_hint=example@mail.com' do
-      get 'auth/auth0?login_hint=example@mail.com'
-      expect(last_response.status).to eq(302)
-      redirect_url = last_response.headers['Location']
-      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
-      expect(redirect_url).to have_query('response_type', 'code')
-      expect(redirect_url).to have_query('state')
-      expect(redirect_url).to have_query('client_id')
-      expect(redirect_url).to have_query('redirect_uri')
-      expect(redirect_url).to have_query('login_hint', 'example@mail.com')
-      expect(redirect_url).not_to have_query('auth0Client')
-      expect(redirect_url).not_to have_query('connection')
-      expect(redirect_url).not_to have_query('connection_scope')
-      expect(redirect_url).not_to have_query('prompt')
-      expect(redirect_url).not_to have_query('screen_hint')
-      expect(redirect_url).not_to have_query('organization')
-      expect(redirect_url).not_to have_query('invitation')
+      it_behaves_like 'oauth redirects with various parameters'
     end
 
     def session
@@ -206,12 +349,6 @@ describe OmniAuth::Strategies::Auth0 do
       Marshal.load(decoded_session_data)
     end
 
-    it "stores session['authorize_params'] as a plain Ruby Hash" do
-      get '/auth/auth0'
-
-      expect(session['authorize_params'].class).to eq(::Hash)
-    end
-
     describe 'callback' do
       let(:access_token) { 'access token' }
       let(:expires_in) { 2000 }
@@ -227,20 +364,6 @@ describe OmniAuth::Strategies::Auth0 do
       let(:email) { 'mail@mail.com' }
       let(:email_verified) { true }
 
-      let(:id_token) do
-        payload = {}
-        payload['sub'] = user_id
-        payload['iss'] = "#{domain_url}/"
-        payload['aud'] = client_id
-        payload['name'] = name
-        payload['nickname'] = nickname
-        payload['picture'] = picture
-        payload['email'] = email
-        payload['email_verified'] = email_verified
-
-        JWT.encode payload, client_secret, 'HS256'
-      end
-
       let(:oauth_response) do
         {
           access_token: access_token,
@@ -260,15 +383,6 @@ describe OmniAuth::Strategies::Auth0 do
 
       let(:basic_user_info) { { "sub" => user_id, "name" => name } }
 
-      def stub_auth(body)
-        stub_request(:post, 'https://samples.auth0.com/oauth/token')
-          .with(headers: { 'Auth0-Client' => telemetry_value })
-          .to_return(
-            headers: { 'Content-Type' => 'application/json' },
-            body: MultiJson.encode(body)
-          )
-      end
-
       def stub_userinfo(body)
         stub_request(:get, 'https://samples.auth0.com/userinfo')
           .to_return(
@@ -290,91 +404,217 @@ describe OmniAuth::Strategies::Auth0 do
         MultiJson.decode(last_response.body)
       end
 
-      context 'basic oauth' do
-        before do
-          stub_auth(oauth_response)
-          stub_userinfo(basic_user_info)
-          trigger_callback
+      context 'when using client_secret authentication' do
+        let(:id_token) do
+          payload = {}
+          payload['sub'] = user_id
+          payload['iss'] = "#{domain_url}/"
+          payload['aud'] = client_id
+          payload['name'] = name
+          payload['nickname'] = nickname
+          payload['picture'] = picture
+          payload['email'] = email
+          payload['email_verified'] = email_verified
+
+          JWT.encode payload, client_secret, 'HS256'
         end
 
-        it 'to succeed' do
-          expect(last_response.status).to eq(200)
+        def stub_auth(body)
+          stub_request(:post, 'https://samples.auth0.com/oauth/token')
+            .with(headers: { 'Auth0-Client' => telemetry_value })
+            .to_return(
+              headers: { 'Content-Type' => 'application/json' },
+              body: MultiJson.encode(body)
+            )
         end
 
-        it 'has credentials' do
-          expect(subject['credentials']['token']).to eq(access_token)
-          expect(subject['credentials']['expires']).to be true
-          expect(subject['credentials']['expires_at']).to_not be_nil
+        context 'basic oauth' do
+          before do
+            stub_auth(oauth_response)
+            stub_userinfo(basic_user_info)
+            trigger_callback
+          end
+
+          it_behaves_like 'basic oauth callback assertions'
         end
 
-        it 'has basic values'  do
-          expect(subject['provider']).to eq('auth0')
-          expect(subject['uid']).to eq(user_id)
-          expect(subject['info']['name']).to eq(name)
+        context 'basic oauth w/refresh token' do
+          before do
+            stub_auth(oauth_response.merge(refresh_token: refresh_token))
+            stub_userinfo(basic_user_info)
+            trigger_callback
+          end
+
+          it_behaves_like 'basic oauth refresh token callback assertions'
         end
 
-        it 'should use the user info endpoint' do
-          expect(subject['extra']['raw_info']).to eq(basic_user_info)
+        context 'oidc' do
+          before do
+            stub_auth(oidc_response)
+            trigger_callback
+          end
+
+          it_behaves_like 'oidc callback assertions'
         end
       end
 
-      context 'basic oauth w/refresh token' do
-        before do
-          stub_auth(oauth_response.merge(refresh_token: refresh_token))
-          stub_userinfo(basic_user_info)
-          trigger_callback
+      context 'when using client assertion signing key authentication' do
+        let(:jwt_token) { JWT.encode({ sub: client_id }, client_assertion_signing_key, 'RS256') }
+        let(:valid_jwks_kid) { 'NkJCQzIyQzRBMEU4NjhGNUU4MzU4RkY0M0ZDQzkwOUQ0Q0VGNUMwQg' }
+
+        let(:rsa_private_key) do
+          OpenSSL::PKey::RSA.generate 2048
         end
 
-        it 'to succeed' do
-          expect(last_response.status).to eq(200)
+        let(:valid_jwks) do
+          {
+            keys: [
+              {
+                kid: valid_jwks_kid,
+                x5c: [Base64.encode64(make_cert(rsa_private_key).to_der)]
+              }
+            ]
+          }.to_json
         end
 
-        it 'has credentials' do
-          expect(subject['credentials']['token']).to eq(access_token)
-          expect(subject['credentials']['refresh_token']).to eq(refresh_token)
-          expect(subject['credentials']['expires']).to be true
-          expect(subject['credentials']['expires_at']).to_not be_nil
+        let(:id_token) do
+          payload = {}
+          payload['sub'] = user_id
+          payload['iss'] = "#{domain_url}/"
+          payload['aud'] = client_id
+          payload['name'] = name
+          payload['nickname'] = nickname
+          payload['picture'] = picture
+          payload['email'] = email
+          payload['email_verified'] = email_verified
+
+          JWT.encode payload, rsa_private_key, 'RS256', kid: valid_jwks_kid
         end
-      end
 
-      context 'oidc' do
-        before do
-          stub_auth(oidc_response)
-          trigger_callback
+        def jwt_token?(token)
+          JWT.decode(token, nil, false)
+          true
+        rescue JWT::DecodeError, ArgumentError
+          false
         end
 
-        it 'to succeed' do
-          expect(last_response.status).to eq(200)
+        def make_cert(private_key)
+          cert = OpenSSL::X509::Certificate.new
+          cert.issuer = OpenSSL::X509::Name.parse('/C=BE/O=Auth0/OU=Auth0/CN=Auth0')
+          cert.subject = cert.issuer
+          cert.not_before = Time.now
+          cert.not_after = Time.now + 365 * 24 * 60 * 60
+          cert.public_key = private_key.public_key
+          cert.serial = 0x0
+          cert.version = 2
+
+          ef = OpenSSL::X509::ExtensionFactory.new
+          ef.subject_certificate = cert
+          ef.issuer_certificate = cert
+          cert.extensions = [
+            ef.create_extension('basicConstraints', 'CA:TRUE', true),
+            ef.create_extension('subjectKeyIdentifier', 'hash')
+          ]
+          cert.add_extension ef.create_extension(
+            'authorityKeyIdentifier',
+            'keyid:always,issuer:always'
+          )
+
+          cert.sign private_key, OpenSSL::Digest.new('SHA1')
         end
 
-        it 'has credentials' do
-          expect(subject['credentials']['token']).to eq(access_token)
-          expect(subject['credentials']['expires']).to be true
-          expect(subject['credentials']['expires_at']).to_not be_nil
-          expect(subject['credentials']['id_token']).to eq(id_token)
+        def stub_auth(body, stubbed_jwt_token: true)
+          stub_request(:post, "#{domain_url}/oauth/token")
+            .with do |request|
+              params = URI.decode_www_form(request.body).to_h
+              token = params['client_assertion']
+
+              request.headers['Auth0-Client'] == telemetry_value &&
+                params['grant_type'] == described_class::AUTHORIZATION_CODE_GRANT_TYPE &&
+                params['client_id'] == client_id &&
+                params['client_assertion_type'] == described_class::CLIENT_ASSERTION_TYPE &&
+                (stubbed_jwt_token ? token == jwt_token : jwt_token?(token))
+            end
+            .to_return(
+              headers: { 'Content-Type' => 'application/json' },
+              body: MultiJson.encode(body)
+            )
         end
 
-        it 'has basic values' do
-          expect(subject['provider']).to eq('auth0')
-          expect(subject['uid']).to eq(user_id)
+        def stub_expected_jwks
+          stub_request(:get, 'https://samples.auth0.com/.well-known/jwks.json')
+            .to_return(
+              headers: { 'Content-Type' => 'application/json' },
+              body: valid_jwks,
+              status: 200
+            )
         end
 
-        it 'has info' do
-          expect(subject['info']['name']).to eq(name)
-          expect(subject['info']['nickname']).to eq(nickname)
-          expect(subject['info']['image']).to eq(picture)
-          expect(subject['info']['email']).to eq(email)
+        def stub_jwt_token(algorithm: client_assertion_signing_algorithm)
+          allow(OmniAuth::Auth0::JWTToken).to receive(:new)
+            .with(client_id,
+                  domain_url,
+                  client_assertion_signing_key,
+                  algorithm)
+            .and_return(instance_double(OmniAuth::Auth0::JWTToken, jwt_token: jwt_token))
         end
 
-        it 'has extra' do
-          expect(subject['extra']['raw_info']['email_verified']).to be true
+        context 'basic oauth' do
+          before do
+            @app = make_application(client_secret: nil, client_assertion_signing_key: client_assertion_signing_key)
+            stub_jwt_token(algorithm: nil)
+            stub_auth(oauth_response)
+            stub_userinfo(basic_user_info)
+            trigger_callback
+          end
+
+          it_behaves_like 'basic oauth callback assertions'
+        end
+
+        context 'basic oath without stubbing jwt token' do
+          before do
+            @app = make_application(client_secret: nil, client_assertion_signing_key: client_assertion_signing_key)
+            stub_auth(oauth_response, stubbed_jwt_token: false)
+            stub_userinfo(basic_user_info)
+            trigger_callback
+          end
+
+          it_behaves_like 'basic oauth callback assertions'
+        end
+
+        context 'basic oauth w/refresh token' do
+          before do
+            @app = make_application(client_secret: nil,
+                                    client_assertion_signing_key: client_assertion_signing_key,
+                                    client_assertion_signing_algorithm: client_assertion_signing_algorithm)
+            stub_jwt_token
+            stub_auth(oauth_response.merge(refresh_token: refresh_token))
+            stub_userinfo(basic_user_info)
+            trigger_callback
+          end
+
+          it_behaves_like 'basic oauth refresh token callback assertions'
+        end
+
+        context 'oidc' do
+          before do
+            @app = make_application(client_secret: nil,
+                                    client_assertion_signing_key: client_assertion_signing_key,
+                                    client_assertion_signing_algorithm: client_assertion_signing_algorithm)
+            stub_jwt_token
+            stub_auth(oidc_response)
+            stub_expected_jwks
+            trigger_callback
+          end
+
+          it_behaves_like 'oidc callback assertions'
         end
       end
     end
   end
 
   describe 'error_handling' do
-    it 'fails when missing client_id' do
+    it 'fails when missing client_id and client_assertion_signing_key' do
       @app = make_application(client_id: nil)
       get 'auth/auth0'
       expect(last_response.status).to eq(302)
@@ -382,7 +622,7 @@ describe OmniAuth::Strategies::Auth0 do
       expect(redirect_url).to fail_auth_with('missing_client_id')
     end
 
-    it 'fails when missing client_secret' do
+    it 'fails when missing client_secret and client_assertion_signing_key' do
       @app = make_application(client_secret: nil)
       get 'auth/auth0'
       expect(last_response.status).to eq(302)
@@ -397,6 +637,14 @@ describe OmniAuth::Strategies::Auth0 do
       redirect_url = last_response.headers['Location']
       expect(redirect_url).to fail_auth_with('missing_domain')
     end
+
+    it 'fails when missing client_assertion_signing_key' do
+      @app = make_application(client_secret: nil, client_assertion_signing_key: nil)
+      get 'auth/auth0'
+      expect(last_response.status).to eq(302)
+      redirect_url = last_response.headers['Location']
+      expect(redirect_url).to fail_auth_with('missing_client_assertion_signing_key')
+    end
   end
 end