openid_connect 0.3.3 → 0.3.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/Gemfile +1 -9
- data/Gemfile.lock +8 -11
- data/Rakefile +10 -16
- data/VERSION +1 -1
- data/lib/openid_connect.rb +1 -1
- data/lib/openid_connect/access_token.rb +2 -2
- data/lib/openid_connect/client.rb +2 -2
- data/lib/openid_connect/client/registrar.rb +16 -15
- data/lib/openid_connect/discovery/principal.rb +5 -5
- data/lib/openid_connect/discovery/provider/config.rb +1 -1
- data/lib/openid_connect/discovery/provider/config/resource.rb +4 -3
- data/lib/openid_connect/discovery/provider/config/response.rb +41 -1
- data/lib/openid_connect/request_object/claimable.rb +2 -2
- data/lib/openid_connect/response_object/id_token.rb +1 -1
- data/lib/openid_connect/response_object/user_info/open_id.rb +5 -5
- data/lib/rack/oauth2/server/authorize/error_with_connect_ext.rb +7 -7
- data/lib/rack/oauth2/server/id_token_response.rb +1 -1
- data/openid_connect.gemspec +1 -5
- data/spec/mock_response/public_keys/jwk.json +7 -0
- data/spec/mock_response/public_keys/x509.pem +21 -0
- data/spec/openid_connect/access_token_spec.rb +23 -23
- data/spec/openid_connect/client/registrar_spec.rb +45 -45
- data/spec/openid_connect/client_spec.rb +12 -12
- data/spec/openid_connect/connect_object_spec.rb +6 -6
- data/spec/openid_connect/debugger/request_filter_spec.rb +1 -1
- data/spec/openid_connect/discovery/principal_spec.rb +5 -5
- data/spec/openid_connect/discovery/provider/config/response_spec.rb +265 -3
- data/spec/openid_connect/discovery/provider/config_spec.rb +11 -0
- data/spec/openid_connect/discovery/provider_spec.rb +3 -3
- data/spec/openid_connect/request_object_spec.rb +36 -36
- data/spec/openid_connect/response_object/id_token_spec.rb +26 -26
- data/spec/openid_connect/response_object/user_info/open_id_spec.rb +7 -7
- data/spec/rack/oauth2/server/authorize/extension/code_and_id_token_and_token_spec.rb +7 -7
- data/spec/rack/oauth2/server/authorize/extension/code_and_id_token_spec.rb +6 -6
- data/spec/rack/oauth2/server/authorize/extension/id_token_and_token_spec.rb +7 -7
- data/spec/rack/oauth2/server/authorize/extension/id_token_spec.rb +6 -6
- data/spec/rack/oauth2/server/token/authorization_code_spec.rb +14 -14
- data/spec/rack/oauth2/server/token/refresh_token_spec.rb +13 -13
- data/spec/spec_helper.rb +1 -3
- metadata +15 -11
@@ -3,7 +3,7 @@ require 'spec_helper'
|
|
3
3
|
describe OpenIDConnect::Debugger::RequestFilter do
|
4
4
|
let(:resource_endpoint) { 'https://example.com/resources' }
|
5
5
|
let(:request) { HTTP::Message.new_request(:get, URI.parse(resource_endpoint)) }
|
6
|
-
let(:response) { HTTP::Message.new_response({:
|
6
|
+
let(:response) { HTTP::Message.new_response({hello: 'world'}.to_json) }
|
7
7
|
let(:request_filter) { OpenIDConnect::Debugger::RequestFilter.new }
|
8
8
|
|
9
9
|
describe '#filter_request' do
|
@@ -26,11 +26,11 @@ describe OpenIDConnect::Discovery::Principal do
|
|
26
26
|
context 'when port specified' do
|
27
27
|
it do
|
28
28
|
SWD.should_receive(:discover!).with(
|
29
|
-
:
|
30
|
-
:
|
31
|
-
:
|
32
|
-
:
|
33
|
-
:
|
29
|
+
principal: "https://example.com:8080",
|
30
|
+
service: "http://openid.net/specs/connect/1.0/issuer",
|
31
|
+
host: "example.com",
|
32
|
+
port: 8080,
|
33
|
+
cache: {}
|
34
34
|
)
|
35
35
|
OpenIDConnect::Discovery::Principal.parse('example.com:8080').discover!
|
36
36
|
end
|
@@ -15,13 +15,13 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
|
|
15
15
|
|
16
16
|
context 'when no attributes given' do
|
17
17
|
it do
|
18
|
-
should == {:
|
18
|
+
should == {version: '3.0'}
|
19
19
|
end
|
20
20
|
end
|
21
21
|
|
22
22
|
context 'when user_info_endpoint given' do
|
23
23
|
let :attributes do
|
24
|
-
{:
|
24
|
+
{user_info_endpoint: 'https://server.example.com/user_info'}
|
25
25
|
end
|
26
26
|
it do
|
27
27
|
should include :userinfo_endpoint
|
@@ -33,7 +33,7 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
|
|
33
33
|
|
34
34
|
context 'when user_info_algs_supported given' do
|
35
35
|
let :attributes do
|
36
|
-
{:
|
36
|
+
{user_info_algs_supported: [:HS256, :RS256]}
|
37
37
|
end
|
38
38
|
it do
|
39
39
|
should include :userinfo_algs_supported
|
@@ -43,4 +43,266 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
|
|
43
43
|
end
|
44
44
|
end
|
45
45
|
end
|
46
|
+
|
47
|
+
describe '#signing_key and #encryption_key' do
|
48
|
+
subject { config }
|
49
|
+
let(:config) { instance }
|
50
|
+
let(:attributes) do
|
51
|
+
{
|
52
|
+
x509_url: x509_url,
|
53
|
+
x509_encryption_url: x509_encryption_url,
|
54
|
+
jwk_url: jwk_url,
|
55
|
+
jwk_encryption_url: jwk_encryption_url
|
56
|
+
}.delete_if do |key, value|
|
57
|
+
value.nil?
|
58
|
+
end
|
59
|
+
end
|
60
|
+
let(:x509_url) { nil }
|
61
|
+
let(:x509_encryption_url) { nil }
|
62
|
+
let(:jwk_url) { nil }
|
63
|
+
let(:jwk_encryption_url) { nil }
|
64
|
+
|
65
|
+
context 'when x509_url is given' do
|
66
|
+
let(:x509_url) { 'http://provider.example.com/x509.pem' }
|
67
|
+
|
68
|
+
context 'when x509_encryption_url is given' do
|
69
|
+
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
70
|
+
|
71
|
+
it 'should fetch signing_key from x509_url' do
|
72
|
+
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
73
|
+
config.signing_key
|
74
|
+
end
|
75
|
+
end
|
76
|
+
|
77
|
+
it 'should fetch encryption_key from x509_encryption_url' do
|
78
|
+
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
79
|
+
config.encryption_key
|
80
|
+
end
|
81
|
+
end
|
82
|
+
end
|
83
|
+
|
84
|
+
context 'when jwk_encryption_url is given' do
|
85
|
+
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
86
|
+
|
87
|
+
it 'should fetch signing_key from x509_url' do
|
88
|
+
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
89
|
+
config.signing_key
|
90
|
+
end
|
91
|
+
end
|
92
|
+
|
93
|
+
it 'should fetch encryption_key from jwk_encryption_url' do
|
94
|
+
mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
|
95
|
+
config.encryption_key
|
96
|
+
end
|
97
|
+
end
|
98
|
+
end
|
99
|
+
|
100
|
+
context 'when both x509_encryption_url and jwk_encryption_url are given' do
|
101
|
+
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
102
|
+
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
103
|
+
|
104
|
+
it 'should fetch signing_key from x509_url' do
|
105
|
+
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
106
|
+
config.signing_key
|
107
|
+
end
|
108
|
+
end
|
109
|
+
|
110
|
+
it 'should fetch encryption_key from x509_encryption_url' do
|
111
|
+
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
112
|
+
config.encryption_key
|
113
|
+
end
|
114
|
+
end
|
115
|
+
end
|
116
|
+
|
117
|
+
context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
|
118
|
+
it 'should fetch signing_key from x509_url' do
|
119
|
+
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
120
|
+
config.signing_key
|
121
|
+
end
|
122
|
+
end
|
123
|
+
|
124
|
+
it 'should fetch encryption_key from x509_encryption_url' do
|
125
|
+
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
126
|
+
config.encryption_key
|
127
|
+
end
|
128
|
+
end
|
129
|
+
end
|
130
|
+
end
|
131
|
+
|
132
|
+
context 'when jwk_url is given' do
|
133
|
+
let(:jwk_url) { 'http://provider.example.com/jwk.json' }
|
134
|
+
|
135
|
+
context 'when x509_encryption_url is given' do
|
136
|
+
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
137
|
+
|
138
|
+
it 'should fetch signing_key from jwk_url' do
|
139
|
+
mock_json :get, jwk_url, 'public_keys/jwk' do
|
140
|
+
config.signing_key
|
141
|
+
end
|
142
|
+
end
|
143
|
+
|
144
|
+
it 'should fetch encryption_key from x509_encryption_url' do
|
145
|
+
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
146
|
+
config.encryption_key
|
147
|
+
end
|
148
|
+
end
|
149
|
+
end
|
150
|
+
|
151
|
+
context 'when jwk_encryption_url is given' do
|
152
|
+
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
153
|
+
|
154
|
+
it 'should fetch signing_key from jwk_url' do
|
155
|
+
mock_json :get, jwk_url, 'public_keys/jwk' do
|
156
|
+
config.signing_key
|
157
|
+
end
|
158
|
+
end
|
159
|
+
|
160
|
+
it 'should fetch encryption_key from jwk_encryption_url' do
|
161
|
+
mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
|
162
|
+
config.encryption_key
|
163
|
+
end
|
164
|
+
end
|
165
|
+
end
|
166
|
+
|
167
|
+
context 'when both x509_encryption_url and jwk_encryption_url are given' do
|
168
|
+
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
169
|
+
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
170
|
+
|
171
|
+
it 'should fetch signing_key from jwk_url' do
|
172
|
+
mock_json :get, jwk_url, 'public_keys/jwk' do
|
173
|
+
config.signing_key
|
174
|
+
end
|
175
|
+
end
|
176
|
+
|
177
|
+
it 'should fetch encryption_key from x509_encryption_url' do
|
178
|
+
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
179
|
+
config.encryption_key
|
180
|
+
end
|
181
|
+
end
|
182
|
+
end
|
183
|
+
|
184
|
+
context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
|
185
|
+
it 'should fetch signing_key from jwk_url' do
|
186
|
+
mock_json :get, jwk_url, 'public_keys/jwk' do
|
187
|
+
config.signing_key
|
188
|
+
end
|
189
|
+
end
|
190
|
+
|
191
|
+
it 'should fetch encryption_key from x509_encryption_url' do
|
192
|
+
mock_json :get, jwk_url, 'public_keys/jwk' do
|
193
|
+
config.encryption_key
|
194
|
+
end
|
195
|
+
end
|
196
|
+
end
|
197
|
+
end
|
198
|
+
|
199
|
+
context 'when both x509_url and jwk_url are given' do
|
200
|
+
let(:x509_url) { 'http://provider.example.com/cert.pem' }
|
201
|
+
let(:jwk_url) { 'http://provider.example.com/jwk.json' }
|
202
|
+
|
203
|
+
context 'when x509_encryption_url is given' do
|
204
|
+
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
205
|
+
|
206
|
+
it 'should fetch signing_key from x509_url' do
|
207
|
+
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
208
|
+
config.signing_key
|
209
|
+
end
|
210
|
+
end
|
211
|
+
|
212
|
+
it 'should fetch encryption_key from x509_encryption_url' do
|
213
|
+
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
214
|
+
config.encryption_key
|
215
|
+
end
|
216
|
+
end
|
217
|
+
end
|
218
|
+
|
219
|
+
context 'when jwk_encryption_url is given' do
|
220
|
+
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
221
|
+
|
222
|
+
it 'should fetch signing_key from x509_url' do
|
223
|
+
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
224
|
+
config.signing_key
|
225
|
+
end
|
226
|
+
end
|
227
|
+
|
228
|
+
it 'should fetch encryption_key from jwk_encryption_url' do
|
229
|
+
mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
|
230
|
+
config.encryption_key
|
231
|
+
end
|
232
|
+
end
|
233
|
+
end
|
234
|
+
|
235
|
+
context 'when both x509_encryption_url and jwk_encryption_url are given' do
|
236
|
+
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
237
|
+
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
238
|
+
|
239
|
+
it 'should fetch signing_key from x509_url' do
|
240
|
+
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
241
|
+
config.signing_key
|
242
|
+
end
|
243
|
+
end
|
244
|
+
|
245
|
+
it 'should fetch encryption_key from x509_encryption_url' do
|
246
|
+
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
247
|
+
config.encryption_key
|
248
|
+
end
|
249
|
+
end
|
250
|
+
end
|
251
|
+
|
252
|
+
context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
|
253
|
+
it 'should fetch signing_key from x509_url' do
|
254
|
+
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
255
|
+
config.signing_key
|
256
|
+
end
|
257
|
+
end
|
258
|
+
|
259
|
+
it 'should fetch encryption_key from x509_url' do
|
260
|
+
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
261
|
+
config.encryption_key
|
262
|
+
end
|
263
|
+
end
|
264
|
+
end
|
265
|
+
end
|
266
|
+
|
267
|
+
context 'when neither x509_url nor jwk_url are given' do
|
268
|
+
context 'when x509_encryption_url is given' do
|
269
|
+
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
270
|
+
its(:signing_key) { should be_nil }
|
271
|
+
|
272
|
+
it 'should fetch encryption_key from x509_encryption_url' do
|
273
|
+
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
274
|
+
config.encryption_key
|
275
|
+
end
|
276
|
+
end
|
277
|
+
end
|
278
|
+
|
279
|
+
context 'when jwk_encryption_url is given' do
|
280
|
+
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
281
|
+
its(:signing_key) { should be_nil }
|
282
|
+
|
283
|
+
it 'should fetch encryption_key from jwk_encryption_url' do
|
284
|
+
mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
|
285
|
+
config.encryption_key
|
286
|
+
end
|
287
|
+
end
|
288
|
+
end
|
289
|
+
|
290
|
+
context 'when both x509_encryption_url and jwk_encryption_url are given' do
|
291
|
+
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
292
|
+
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
293
|
+
its(:signing_key) { should be_nil }
|
294
|
+
|
295
|
+
it 'should fetch encryption_key from x509_encryption_url' do
|
296
|
+
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
297
|
+
config.encryption_key
|
298
|
+
end
|
299
|
+
end
|
300
|
+
end
|
301
|
+
|
302
|
+
context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
|
303
|
+
its(:signing_key) { should be_nil }
|
304
|
+
its(:encryption_key) { should be_nil }
|
305
|
+
end
|
306
|
+
end
|
307
|
+
end
|
46
308
|
end
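Review bot: Two example names in this hunk describe a different URL than the one they exercise: in both 'when neither x509_encryption_url nor jwk_encryption_url are given' contexts nested under 'when x509_url is given' and 'when jwk_url is given', `it 'should fetch encryption_key from x509_encryption_url'` actually mocks `x509_url` and `jwk_url` respectively. Rename them to `it 'should fetch encryption_key from x509_url'` (as the 'when both x509_url and jwk_url are given' context already does) and `it 'should fetch encryption_key from jwk_url'` so a failure points at the fallback that broke. Separately, every example only verifies that the mocked URL is requested and never inspects what `signing_key`/`encryption_key` return, so a regression in the PEM-vs-JWK parsing path would go unnoticed; an expectation on the returned key inside each `mock_json` block would close that gap. The fixtures also serve key material over plain `http://`; if the library is meant to require TLS for `x509_url`/`jwk_url`, a negative example here would pin that down, otherwise a short comment noting the choice would help the next reader.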
|
@@ -26,4 +26,15 @@ describe OpenIDConnect::Discovery::Provider::Config do
|
|
26
26
|
end
|
27
27
|
end
|
28
28
|
end
|
29
|
+
|
30
|
+
context 'when OP identifier includes custom port' do
|
31
|
+
let(:provider) { 'https://connect-op.heroku.com:8080' }
|
32
|
+
let(:endpoint) { "https://connect-op.heroku.com:8080/.well-known/openid-configuration" }
|
33
|
+
|
34
|
+
it 'should construct well-known URI with given port' do
|
35
|
+
mock_json :get, endpoint, 'discovery/config' do
|
36
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
37
|
+
end
|
38
|
+
end
|
39
|
+
end
|
29
40
|
end
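Review bot: `let(:endpoint)` repeats the host and port literally instead of deriving them from `provider`, so any later edit to one `let` has to be mirrored by hand in the other. Writing it as `let(:endpoint) { "#{provider}/.well-known/openid-configuration" }` keeps the two in lock-step and matches the interpolated style the sibling provider_spec uses for its endpoint. The enclosing `describe` block starts outside the hunk.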
|
@@ -6,14 +6,14 @@ describe OpenIDConnect::Discovery::Provider do
|
|
6
6
|
let(:endpoint) { "https://#{host}/.well-known/simple-web-discovery" }
|
7
7
|
let(:query) do
|
8
8
|
{
|
9
|
-
:
|
10
|
-
:
|
9
|
+
service: OpenIDConnect::Discovery::Provider::SERVICE_URI,
|
10
|
+
principal: principal
|
11
11
|
}
|
12
12
|
end
|
13
13
|
|
14
14
|
shared_examples_for :discover_provider do
|
15
15
|
it "should succeed" do
|
16
|
-
mock_json :get, endpoint, 'discovery/swd', :
|
16
|
+
mock_json :get, endpoint, 'discovery/swd', params: query do
|
17
17
|
res = discover
|
18
18
|
res.should be_a SWD::Response
|
19
19
|
res.location.should == provider
|
@@ -7,25 +7,25 @@ describe OpenIDConnect::RequestObject do
|
|
7
7
|
context 'with all attributes' do
|
8
8
|
let(:attributes) do
|
9
9
|
{
|
10
|
-
:
|
11
|
-
:
|
12
|
-
:
|
13
|
-
:
|
14
|
-
:
|
15
|
-
:
|
16
|
-
:
|
17
|
-
:
|
18
|
-
:
|
19
|
-
:
|
20
|
-
:
|
21
|
-
:
|
10
|
+
client_id: 'client_id',
|
11
|
+
response_type: 'token id_token',
|
12
|
+
redirect_uri: 'https://client.example.com',
|
13
|
+
scope: 'openid email',
|
14
|
+
state: 'state1234',
|
15
|
+
nonce: 'nonce1234',
|
16
|
+
display: 'touch',
|
17
|
+
prompt: 'none',
|
18
|
+
userinfo: {
|
19
|
+
claims: {
|
20
|
+
name: :required,
|
21
|
+
email: :optional
|
22
22
|
}
|
23
23
|
},
|
24
|
-
:
|
25
|
-
:
|
26
|
-
:
|
27
|
-
:
|
28
|
-
:
|
24
|
+
id_token: {
|
25
|
+
max_age: 10,
|
26
|
+
claims: {
|
27
|
+
acr: {
|
28
|
+
values: ['2', '3', '4']
|
29
29
|
}
|
30
30
|
}
|
31
31
|
}
|
@@ -36,29 +36,29 @@ describe OpenIDConnect::RequestObject do
|
|
36
36
|
end
|
37
37
|
let(:jsonized) do
|
38
38
|
{
|
39
|
-
:
|
40
|
-
:
|
41
|
-
:
|
42
|
-
:
|
43
|
-
:
|
44
|
-
:
|
45
|
-
:
|
46
|
-
:
|
47
|
-
:
|
48
|
-
:
|
49
|
-
:
|
50
|
-
:
|
39
|
+
client_id: "client_id",
|
40
|
+
response_type: "token id_token",
|
41
|
+
redirect_uri: "https://client.example.com",
|
42
|
+
scope: "openid email",
|
43
|
+
state: "state1234",
|
44
|
+
nonce: "nonce1234",
|
45
|
+
display: "touch",
|
46
|
+
prompt: "none",
|
47
|
+
id_token: {
|
48
|
+
claims: {
|
49
|
+
acr: {
|
50
|
+
values: ['2', '3', '4']
|
51
51
|
}
|
52
52
|
},
|
53
|
-
:
|
53
|
+
max_age: 10
|
54
54
|
},
|
55
|
-
:
|
56
|
-
:
|
57
|
-
:
|
58
|
-
:
|
55
|
+
userinfo: {
|
56
|
+
claims: {
|
57
|
+
name: {
|
58
|
+
essential: true
|
59
59
|
},
|
60
|
-
:
|
61
|
-
:
|
60
|
+
email: {
|
61
|
+
essential: false
|
62
62
|
}
|
63
63
|
}
|
64
64
|
}
|
@@ -8,11 +8,11 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
8
8
|
let(:iat) { Time.now }
|
9
9
|
let :required_attributes do
|
10
10
|
{
|
11
|
-
:
|
12
|
-
:
|
13
|
-
:
|
14
|
-
:
|
15
|
-
:
|
11
|
+
iss: 'https://server.example.com',
|
12
|
+
user_id: 'user_id',
|
13
|
+
aud: 'client_id',
|
14
|
+
exp: ext,
|
15
|
+
iat: iat
|
16
16
|
}
|
17
17
|
end
|
18
18
|
|
@@ -26,8 +26,8 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
26
26
|
context 'when both issuer, client_id are valid' do
|
27
27
|
it do
|
28
28
|
id_token.verify!(
|
29
|
-
:
|
30
|
-
:
|
29
|
+
issuer: attributes[:iss],
|
30
|
+
client_id: attributes[:aud]
|
31
31
|
).should be_true
|
32
32
|
end
|
33
33
|
|
@@ -36,8 +36,8 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
36
36
|
it do
|
37
37
|
expect do
|
38
38
|
id_token.verify!(
|
39
|
-
:
|
40
|
-
:
|
39
|
+
issuer: attributes[:iss],
|
40
|
+
client_id: attributes[:aud]
|
41
41
|
)
|
42
42
|
end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
|
43
43
|
end
|
@@ -48,8 +48,8 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
48
48
|
it do
|
49
49
|
expect do
|
50
50
|
id_token.verify!(
|
51
|
-
:
|
52
|
-
:
|
51
|
+
issuer: 'invalid_issuer',
|
52
|
+
client_id: attributes[:aud]
|
53
53
|
)
|
54
54
|
end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
|
55
55
|
end
|
@@ -59,7 +59,7 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
59
59
|
it do
|
60
60
|
expect do
|
61
61
|
id_token.verify!(
|
62
|
-
:
|
62
|
+
client_id: attributes[:aud]
|
63
63
|
)
|
64
64
|
end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
|
65
65
|
end
|
@@ -69,8 +69,8 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
69
69
|
it do
|
70
70
|
expect do
|
71
71
|
id_token.verify!(
|
72
|
-
:
|
73
|
-
:
|
72
|
+
issuer: attributes[:iss],
|
73
|
+
client_id: 'invalid_client'
|
74
74
|
)
|
75
75
|
end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
|
76
76
|
end
|
@@ -80,21 +80,21 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
80
80
|
it do
|
81
81
|
expect do
|
82
82
|
id_token.verify!(
|
83
|
-
:
|
83
|
+
issuer: attributes[:iss]
|
84
84
|
)
|
85
85
|
end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
|
86
86
|
end
|
87
87
|
end
|
88
88
|
|
89
89
|
context 'when nonce is given' do
|
90
|
-
let(:attributes) { required_attributes.merge(:
|
90
|
+
let(:attributes) { required_attributes.merge(nonce: 'nonce') }
|
91
91
|
|
92
92
|
context 'when nonce is valid' do
|
93
93
|
it do
|
94
94
|
id_token.verify!(
|
95
|
-
:
|
96
|
-
:
|
97
|
-
:
|
95
|
+
issuer: attributes[:iss],
|
96
|
+
client_id: attributes[:aud],
|
97
|
+
nonce: attributes[:nonce]
|
98
98
|
).should be_true
|
99
99
|
end
|
100
100
|
end
|
@@ -103,9 +103,9 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
103
103
|
it do
|
104
104
|
expect do
|
105
105
|
id_token.verify!(
|
106
|
-
:
|
107
|
-
:
|
108
|
-
:
|
106
|
+
issuer: attributes[:iss],
|
107
|
+
client_id: attributes[:aud],
|
108
|
+
nonce: 'invalid_nonce'
|
109
109
|
)
|
110
110
|
end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
|
111
111
|
end
|
@@ -115,8 +115,8 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
115
115
|
it do
|
116
116
|
expect do
|
117
117
|
id_token.verify!(
|
118
|
-
:
|
119
|
-
:
|
118
|
+
issuer: attributes[:iss],
|
119
|
+
client_id: attributes[:aud]
|
120
120
|
)
|
121
121
|
end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
|
122
122
|
end
|
@@ -161,7 +161,7 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
161
161
|
context 'when self-issued' do
|
162
162
|
context 'when valid' do
|
163
163
|
let(:self_issued) do
|
164
|
-
'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.
|
164
|
+
'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.YbcccWDBwgtvIMravxJQi3Wmq4fH2BR1Y7qBpt39QH3MKpaHbfpRfkpU2H9SPS4tJZzHnz-iDPVghrWTyLeBZHZigES8oMPM28NxswSKNuDYid-G4d0DAN1A2LdMBPqZd-pAbjop6o8FU1V11WTUoWcQR8OJg912q6I_zZIvCUnlGc9Jx0hnDioW7j2DAYfwji9sLtRybE85-KC8dHwRjrgl5doh3J72QQAi9Vn-KkHz3d5nTFngE-7MFa2ndLiR_7qcqWlCLjEOEDFyj2GtLv-aDYRocOt7TDJmxzDnzRPuNoTuiPiHmSM599kbiKBR_734wqUBunbRQCIOhOrp9Q'
|
165
165
|
end
|
166
166
|
|
167
167
|
context 'when key == :self_issued' do
|
@@ -183,7 +183,7 @@ describe OpenIDConnect::ResponseObject::IdToken do
|
|
183
183
|
|
184
184
|
context 'when invalid user_id' do
|
185
185
|
let(:self_issued) do
|
186
|
-
'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.
|
186
|
+
'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3NlbGYtaXNzdWVkLm1lIiwidXNlcl9pZCI6ImludmFsaWQiLCJhdWQiOiJ0YXBpZC50YXBpZGVudGl0eS5jb20iLCJleHAiOjEzNTAzMjYyNjEsImlhdCI6MTM1MDMyMjY2MSwidXNlcl9qd2siOnsiYWxnIjoiUlNBIiwibW9kIjoidnVLay1YdDR3bXF3Wl9HR2FXMTNVeV9RUExobThJVUM1SGpsZlJTZEpXRGY4bnRWV1p2bVRZcjEyd2tfUU1XN3RkQ25Eb0d2dnd0VVczajhIaTlEOG5aNW84c0FhSUxmbm1MSE9sdHNVT01IWTRlOWZtVzQ5eWJUS25sbFRkTGlJMy13NWJtZC1VTVE4WnBSQ2dhN0Z5WERMR2tpeXNrSTNtdjAxcUVfOURMc0dEVTFjWHBaM19TY05MY1RuN0hYSHRCcnVVOHhhOHZkUGxncEdXQjFTaTIxRWhubnNOQnZmUmkzUW9UcFlkbnFqTGk4NzQtWDd4anJWUDNzRURoRnNvdzdNR0s2WVF3X2JsNzAxdGJIU3F1SG5aWDZ0ZklQaFNMYVNWbXdGVzNTem9GdDBWNGxpbzlPOHhqNWlpQnBNV0cwcDd4MTJpYno1bEktaGYzcTJ3IiwieHBvIjoiQVFBQiJ9fQ.p_Zh-nLBVaDQXTvDe3YCDQsA8QKepMfEtEzmBBQEmnFEmLSDAcsTnAbkTNlRZ-BQ-CuEF_NFJ2KK0B8s4GEfb5IO3afBHi5nxk269d1BLypuLRG1oI5GWoO5kPPjcjdZHUHXv56w_c8KeOtRazCKhcVwvErs8vXi1hlAfln5cGMhJ-jlBztk1ZUHefvdCecGyqxzCVnjowA1MsMDhdchDX3njza6qxL8IkPZ04u57KnLsfYTh84jZ4vv0_5bdCs_-fSWXDMvyhDN69_YRT6QqX312421IJqDsIjUWk6VpCFi6Yti7iRZ8qixd5UVyxLHMkomY8okVG04oMHs9lMzDQ'
|
187
187
|
end
|
188
188
|
|
189
189
|
it do
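Review bot: The replacement self-issued token carries fixed time claims (its second base64url segment decodes to a JSON payload containing `"exp":1350326261` and `"iat":1350322661`), so unless the example freezes or stubs the clock, `verify!` may reject it as expired before it ever reaches the user_id comparison and the 'when invalid user_id' example would pass for the wrong reason. Either pin the clock in this context or, if `InvalidToken` carries a reason, assert on it so the example is known to fail on `user_id` rather than on expiry. The `it` body and the surrounding context continue outside the hunk, so the clock handling may already exist there.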
|