openid_connect 0.3.3 → 0.3.4

data/spec/openid_connect/debugger/request_filter_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 describe OpenIDConnect::Debugger::RequestFilter do
   let(:resource_endpoint) { 'https://example.com/resources' }
   let(:request) { HTTP::Message.new_request(:get, URI.parse(resource_endpoint)) }
-  let(:response) { HTTP::Message.new_response({:hello => 'world'}.to_json) }
+  let(:response) { HTTP::Message.new_response({hello: 'world'}.to_json) }
   let(:request_filter) { OpenIDConnect::Debugger::RequestFilter.new }
 
   describe '#filter_request' do

data/spec/openid_connect/discovery/principal_spec.rb

@@ -26,11 +26,11 @@ describe OpenIDConnect::Discovery::Principal do
     context 'when port specified' do
       it do
         SWD.should_receive(:discover!).with(
-          :principal => "https://example.com:8080",
-          :service => "http://openid.net/specs/connect/1.0/issuer",
-          :host => "example.com",
-          :port => 8080,
-          :cache => {}
+          principal: "https://example.com:8080",
+          service: "http://openid.net/specs/connect/1.0/issuer",
+          host: "example.com",
+          port: 8080,
+          cache: {}
         )
         OpenIDConnect::Discovery::Principal.parse('example.com:8080').discover!
       end

data/spec/openid_connect/discovery/provider/config/response_spec.rb

@@ -15,13 +15,13 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
 
     context 'when no attributes given' do
       it do
-        should == {:version => '3.0'}
+        should == {version: '3.0'}
       end
     end
 
     context 'when user_info_endpoint given' do
       let :attributes do
-        {:user_info_endpoint => 'https://server.example.com/user_info'}
+        {user_info_endpoint: 'https://server.example.com/user_info'}
       end
       it do
         should include :userinfo_endpoint
@@ -33,7 +33,7 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
 
     context 'when user_info_algs_supported given' do
       let :attributes do
-        {:user_info_algs_supported => [:HS256, :RS256]}
+        {user_info_algs_supported: [:HS256, :RS256]}
       end
       it do
         should include :userinfo_algs_supported
@@ -43,4 +43,266 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
       end
     end
   end
+
+  describe '#signing_key and #encryption_key' do
+    subject { config }
+    let(:config) { instance }
+    let(:attributes) do
+      {
+        x509_url: x509_url,
+        x509_encryption_url: x509_encryption_url,
+        jwk_url: jwk_url,
+        jwk_encryption_url: jwk_encryption_url
+      }.delete_if do |key, value|
+        value.nil?
+      end
+    end
+    let(:x509_url)            { nil }
+    let(:x509_encryption_url) { nil }
+    let(:jwk_url)             { nil }
+    let(:jwk_encryption_url)  { nil }
+
+    context 'when x509_url is given' do
+      let(:x509_url) { 'http://provider.example.com/x509.pem' }
+
+      context 'when x509_encryption_url is given' do
+        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
+
+        it 'should fetch signing_key from x509_url' do
+          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from x509_encryption_url' do
+          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when jwk_encryption_url is given' do
+        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
+
+        it 'should fetch signing_key from x509_url' do
+          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from jwk_encryption_url' do
+          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when both x509_encryption_url and jwk_encryption_url are given' do
+        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
+        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
+
+        it 'should fetch signing_key from x509_url' do
+          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from x509_encryption_url' do
+          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
+        it 'should fetch signing_key from x509_url' do
+          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from x509_encryption_url' do
+          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
+            config.encryption_key
+          end
+        end
+      end
+    end
+
+    context 'when jwk_url is given' do
+      let(:jwk_url) { 'http://provider.example.com/jwk.json' }
+
+      context 'when x509_encryption_url is given' do
+        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
+
+        it 'should fetch signing_key from jwk_url' do
+          mock_json :get, jwk_url, 'public_keys/jwk' do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from x509_encryption_url' do
+          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when jwk_encryption_url is given' do
+        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
+
+        it 'should fetch signing_key from jwk_url' do
+          mock_json :get, jwk_url, 'public_keys/jwk' do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from jwk_encryption_url' do
+          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when both x509_encryption_url and jwk_encryption_url are given' do
+        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
+        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
+
+        it 'should fetch signing_key from jwk_url' do
+          mock_json :get, jwk_url, 'public_keys/jwk' do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from x509_encryption_url' do
+          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
+        it 'should fetch signing_key from jwk_url' do
+          mock_json :get, jwk_url, 'public_keys/jwk' do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from x509_encryption_url' do
+          mock_json :get, jwk_url, 'public_keys/jwk' do
+            config.encryption_key
+          end
+        end
+      end
+    end
+
+    context 'when both x509_url and jwk_url are given' do
+      let(:x509_url) { 'http://provider.example.com/cert.pem' }
+      let(:jwk_url) { 'http://provider.example.com/jwk.json' }
+
+      context 'when x509_encryption_url is given' do
+        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
+
+        it 'should fetch signing_key from x509_url' do
+          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from x509_encryption_url' do
+          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when jwk_encryption_url is given' do
+        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
+
+        it 'should fetch signing_key from x509_url' do
+          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from jwk_encryption_url' do
+          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when both x509_encryption_url and jwk_encryption_url are given' do
+        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
+        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
+
+        it 'should fetch signing_key from x509_url' do
+          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from x509_encryption_url' do
+          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
+        it 'should fetch signing_key from x509_url' do
+          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
+            config.signing_key
+          end
+        end
+
+        it 'should fetch encryption_key from x509_url' do
+          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
+            config.encryption_key
+          end
+        end
+      end
+    end
+
+    context 'when neither x509_url nor jwk_url are given' do
+      context 'when x509_encryption_url is given' do
+        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
+        its(:signing_key) { should be_nil }
+
+        it 'should fetch encryption_key from x509_encryption_url' do
+          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when jwk_encryption_url is given' do
+        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
+        its(:signing_key) { should be_nil }
+
+        it 'should fetch encryption_key from jwk_encryption_url' do
+          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when both x509_encryption_url and jwk_encryption_url are given' do
+        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
+        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
+        its(:signing_key) { should be_nil }
+
+        it 'should fetch encryption_key from x509_encryption_url' do
+          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
+            config.encryption_key
+          end
+        end
+      end
+
+      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
+        its(:signing_key) { should be_nil }
+        its(:encryption_key) { should be_nil }
+      end
+    end
+  end
 end

data/spec/openid_connect/discovery/provider/config_spec.rb

@@ -26,4 +26,15 @@ describe OpenIDConnect::Discovery::Provider::Config do
       end
     end
   end
+
+  context 'when OP identifier includes custom port' do
+    let(:provider) { 'https://connect-op.heroku.com:8080' }
+    let(:endpoint) { "https://connect-op.heroku.com:8080/.well-known/openid-configuration" }
+
+    it 'should construct well-known URI with given port' do
+      mock_json :get, endpoint, 'discovery/config' do
+        OpenIDConnect::Discovery::Provider::Config.discover! provider
+      end
+    end
+  end
 end

data/spec/openid_connect/discovery/provider_spec.rb

@@ -6,14 +6,14 @@ describe OpenIDConnect::Discovery::Provider do
   let(:endpoint) { "https://#{host}/.well-known/simple-web-discovery" }
   let(:query) do
     {
-      :service => OpenIDConnect::Discovery::Provider::SERVICE_URI,
-      :principal => principal
+      service: OpenIDConnect::Discovery::Provider::SERVICE_URI,
+      principal: principal
     }
   end
 
   shared_examples_for :discover_provider do
     it "should succeed" do
-      mock_json :get, endpoint, 'discovery/swd', :params => query do
+      mock_json :get, endpoint, 'discovery/swd', params: query do
         res = discover
         res.should be_a SWD::Response
         res.location.should == provider

data/spec/openid_connect/request_object_spec.rb

@@ -7,25 +7,25 @@ describe OpenIDConnect::RequestObject do
   context 'with all attributes' do
     let(:attributes) do
       {
-        :client_id => 'client_id',
-        :response_type => 'token id_token',
-        :redirect_uri => 'https://client.example.com',
-        :scope => 'openid email',
-        :state => 'state1234',
-        :nonce => 'nonce1234',
-        :display => 'touch',
-        :prompt => 'none',
-        :userinfo => {
-          :claims => {
-            :name => :required,
-            :email => :optional
+        client_id: 'client_id',
+        response_type: 'token id_token',
+        redirect_uri: 'https://client.example.com',
+        scope: 'openid email',
+        state: 'state1234',
+        nonce: 'nonce1234',
+        display: 'touch',
+        prompt: 'none',
+        userinfo: {
+          claims: {
+            name: :required,
+            email: :optional
           }
         },
-        :id_token => {
-          :max_age => 10,
-          :claims => {
-            :acr => {
-              :values => ['2', '3', '4']
+        id_token: {
+          max_age: 10,
+          claims: {
+            acr: {
+              values: ['2', '3', '4']
             }
           }
         }
@@ -36,29 +36,29 @@ describe OpenIDConnect::RequestObject do
     end
     let(:jsonized) do
       {
-        :client_id => "client_id",
-        :response_type => "token id_token",
-        :redirect_uri => "https://client.example.com",
-        :scope => "openid email",
-        :state => "state1234",
-        :nonce => "nonce1234",
-        :display => "touch",
-        :prompt => "none",
-        :id_token => {
-          :claims => {
-            :acr => {
-              :values => ['2', '3', '4']
+        client_id: "client_id",
+        response_type: "token id_token",
+        redirect_uri: "https://client.example.com",
+        scope: "openid email",
+        state: "state1234",
+        nonce: "nonce1234",
+        display: "touch",
+        prompt: "none",
+        id_token: {
+          claims: {
+            acr: {
+              values: ['2', '3', '4']
             }
           },
-          :max_age => 10
+          max_age: 10
         },
-        :userinfo => {
-          :claims => {
-            :name => {
-              :essential => true
+        userinfo: {
+          claims: {
+            name: {
+              essential: true
             },
-            :email => {
-              :essential => false
+            email: {
+              essential: false
             }
           }
         }

data/spec/openid_connect/response_object/id_token_spec.rb

@@ -8,11 +8,11 @@ describe OpenIDConnect::ResponseObject::IdToken do
   let(:iat)         { Time.now }
   let :required_attributes do
     {
-      :iss => 'https://server.example.com',
-      :user_id => 'user_id',
-      :aud => 'client_id',
-      :exp => ext,
-      :iat => iat
+      iss: 'https://server.example.com',
+      user_id: 'user_id',
+      aud: 'client_id',
+      exp: ext,
+      iat: iat
     }
   end
 
@@ -26,8 +26,8 @@ describe OpenIDConnect::ResponseObject::IdToken do
     context 'when both issuer, client_id are valid' do
       it do
         id_token.verify!(
-          :issuer => attributes[:iss],
-          :client_id => attributes[:aud]
+          issuer: attributes[:iss],
+          client_id: attributes[:aud]
         ).should be_true
       end
 
@@ -36,8 +36,8 @@ describe OpenIDConnect::ResponseObject::IdToken do
         it do
           expect do
             id_token.verify!(
-              :issuer => attributes[:iss],
-              :client_id => attributes[:aud]
+              issuer: attributes[:iss],
+              client_id: attributes[:aud]
             )
           end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
         end
@@ -48,8 +48,8 @@ describe OpenIDConnect::ResponseObject::IdToken do
       it do
         expect do
           id_token.verify!(
-            :issuer => 'invalid_issuer',
-            :client_id => attributes[:aud]
+            issuer: 'invalid_issuer',
+            client_id: attributes[:aud]
           )
         end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
       end
@@ -59,7 +59,7 @@ describe OpenIDConnect::ResponseObject::IdToken do
       it do
         expect do
           id_token.verify!(
-            :client_id => attributes[:aud]
+            client_id: attributes[:aud]
           )
         end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
       end
@@ -69,8 +69,8 @@ describe OpenIDConnect::ResponseObject::IdToken do
       it do
         expect do
           id_token.verify!(
-            :issuer => attributes[:iss],
-            :client_id => 'invalid_client'
+            issuer: attributes[:iss],
+            client_id: 'invalid_client'
           )
         end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
       end
@@ -80,21 +80,21 @@ describe OpenIDConnect::ResponseObject::IdToken do
       it do
         expect do
           id_token.verify!(
-            :issuer => attributes[:iss]
+            issuer: attributes[:iss]
           )
         end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
       end
     end
 
     context 'when nonce is given' do
-      let(:attributes)  { required_attributes.merge(:nonce => 'nonce') }
+      let(:attributes)  { required_attributes.merge(nonce: 'nonce') }
 
       context 'when nonce is valid' do
         it do
           id_token.verify!(
-            :issuer => attributes[:iss],
-            :client_id => attributes[:aud],
-            :nonce => attributes[:nonce]
+            issuer: attributes[:iss],
+            client_id: attributes[:aud],
+            nonce: attributes[:nonce]
           ).should be_true
         end
       end
@@ -103,9 +103,9 @@ describe OpenIDConnect::ResponseObject::IdToken do
         it do
           expect do
             id_token.verify!(
-              :issuer => attributes[:iss],
-              :client_id => attributes[:aud],
-              :nonce => 'invalid_nonce'
+              issuer: attributes[:iss],
+              client_id: attributes[:aud],
+              nonce: 'invalid_nonce'
             )
           end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
         end
@@ -115,8 +115,8 @@ describe OpenIDConnect::ResponseObject::IdToken do
         it do
           expect do
             id_token.verify!(
-              :issuer => attributes[:iss],
-              :client_id => attributes[:aud]
+              issuer: attributes[:iss],
+              client_id: attributes[:aud]
             )
           end.to raise_error OpenIDConnect::ResponseObject::IdToken::InvalidToken
         end
@@ -161,7 +161,7 @@ describe OpenIDConnect::ResponseObject::IdToken do
     context 'when self-issued' do
       context 'when valid' do
         let(:self_issued) do
-          'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3NlbGYtaXNzdWVkLm1lIiwidXNlcl9pZCI6IkN5amplQ0trLU9xSS1YcW5GYzduX1pSOG4xaXlLNFlIcXNzNkp1SHlnNkUiLCJhdWQiOiJ0YXBpZC50YXBpZGVudGl0eS5jb20iLCJleHAiOjEzNDkyNDc3ODAsImlhdCI6MTM0OTI0NDE4MCwidXNlcl9qd2siOnsiYWxnIjoiUlNBIiwibW9kIjoibWtra29uTXZuQkxiWkRCZE9lNkM3Ukk3T2xLbjVZazl0eTBSQ0NFa2E5TkVDVVhWRmJqaHdrVjlNeFpSekQ2Q3ZIZDQzUmU5ak5iRFFVQVloNm1peHZtdFFSODlDUFlMeWNvOXIzTlEySXpEZmVPZjlUbFpMUXhpOG9FSVBOeURyN1FoSHlpUTlBRkd6YUhNLW1DU1hCcTRnM0Z4Nko4U1d0MFBRSERoZV9MN3FURTJHbzA4NGRyZUtXMFZSazhBRkxrM2V3cVlvV0RQRXhjcFlNYWNNSUhnaFd1N0pRSG9xX0xId2hmdnk3cnN2MFh1QTR0ai1oNnhvaDhubUR6MjBfdUc5Wm9MZHJ0cE44ZHF1MTdOTDgwTmQ1cVotaHRwVUpSemUzVzdyN3F4Y0dwNEtzQnRhc0NqWlcyWGlyQlZ1eXU2bDNqc3JnTlB2S1NaZ2NpUGdRIiwiZXhwIjoiQVFBQiJ9fQ.gp7Yr3mT3oneZusYMOKB3_777QwJNrQlqiK4x7HpYreuPNbBYHOKo8Jsmqe8gCnrWcOtGHe2Flt1NvN_Yy-7TgVP9L8XyaM9KnWrVEPVCDlf2tIqIAd6MSOfWtiDsA--a7AHfg7o2HcxH3-V3JXS3LQJnzpKBHuaJJIYwj1_8W9sUXwljqNCmnCytrqkmIWocQazoAy5mvmUcpcTWGnSsiibQGk_eQTRjZaiouDDbHWi87IneVQ7UeuurPIYoVK6PWhj0894zcJEyJFWkf2UshgP1grGVO8FC6dvlF5dayt6aUYeGMrTEV8KL6FNYAB9dZKR7xDC4uOjumHTjvQFfA'
+          'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3NlbGYtaXNzdWVkLm1lIiwidXNlcl9pZCI6ImhXSnphYnYweEY2Q08ycmJMb0hhMGlHamVSOWFCTFFUaDBYbkhPR2xYNk0iLCJhdWQiOiJiYWZkOGI3ODdhMDQyOWRiZDBiNmY5ZTE4Mzk3OThjNDFkNGQxOTJhYWYzMTFhZGY0MGRhMmM0ZDQxNGU1OGZkIiwiZXhwIjoxMzUwMzI1OTg3LCJpYXQiOjEzNTAzMjIzODcsInVzZXJfandrIjp7ImFsZyI6IlJTQSIsIm1vZCI6InB4WmNhN1hrajFZalR5dlNOLThNaFlPU1RuMGluTF9fYTNEZWg5dlZoS1dLaG9FWFlENHNpR0RGSTVIaFBrLWp1SU5HWk9IX0FDc1hIOFNoRWlqMXZzSHpmSTRKeDdxOFREc2ZmZzNNT0d0aWFqZjFJZ250SjR6ck9OeHYzOU5QdEJ6dml2Q3ZLa2MzSXJsSS00X216ajg4R2JER1B6NnBLRDRhcmNndFg0VEdCYmdPTUZaa09nRWk5bml0VzhDbV9zMHFlQ3FtMWxMS0l0QXFaYWJYa2d2cGN5Qjdjb1ZNNnZkLWNYVXY3TDg5MmgxVm9uenVRZTNfUF9MTy1HNV9FNGRVY1B0NmJDbUo4QjNPd3A0bmdQQmpKSHdiTHlqT0F5VjZ2aXRPeUdjZnVPRVE3dkZQdGRNc0hLX29TZnZqU2s2My1xdjRiRDFKaml3OVBBU1NRUSIsInhwbyI6IkFRQUIifX0.YbcccWDBwgtvIMravxJQi3Wmq4fH2BR1Y7qBpt39QH3MKpaHbfpRfkpU2H9SPS4tJZzHnz-iDPVghrWTyLeBZHZigES8oMPM28NxswSKNuDYid-G4d0DAN1A2LdMBPqZd-pAbjop6o8FU1V11WTUoWcQR8OJg912q6I_zZIvCUnlGc9Jx0hnDioW7j2DAYfwji9sLtRybE85-KC8dHwRjrgl5doh3J72QQAi9Vn-KkHz3d5nTFngE-7MFa2ndLiR_7qcqWlCLjEOEDFyj2GtLv-aDYRocOt7TDJmxzDnzRPuNoTuiPiHmSM599kbiKBR_734wqUBunbRQCIOhOrp9Q'
         end
 
         context 'when key == :self_issued' do
@@ -183,7 +183,7 @@ describe OpenIDConnect::ResponseObject::IdToken do
 
       context 'when invalid user_id' do
         let(:self_issued) do
-          'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3NlbGYtaXNzdWVkLm1lIiwidXNlcl9pZCI6ImludmFsaWRfdXNlcl9pZCIsImF1ZCI6InRhcGlkLnRhcGlkZW50aXR5LmNvbSIsImV4cCI6MTM0OTI0ODgxOCwiaWF0IjoxMzQ5MjQ1MjE4LCJ1c2VyX2p3ayI6eyJhbGciOiJSU0EiLCJtb2QiOiJta2trb25Ndm5CTGJaREJkT2U2QzdSSTdPbEtuNVlrOXR5MFJDQ0VrYTlORUNVWFZGYmpod2tWOU14WlJ6RDZDdkhkNDNSZTlqTmJEUVVBWWg2bWl4dm10UVI4OUNQWUx5Y285cjNOUTJJekRmZU9mOVRsWkxReGk4b0VJUE55RHI3UWhIeWlROUFGR3phSE0tbUNTWEJxNGczRng2SjhTV3QwUFFIRGhlX0w3cVRFMkdvMDg0ZHJlS1cwVlJrOEFGTGszZXdxWW9XRFBFeGNwWU1hY01JSGdoV3U3SlFIb3FfTEh3aGZ2eTdyc3YwWHVBNHRqLWg2eG9oOG5tRHoyMF91Rzlab0xkcnRwTjhkcXUxN05MODBOZDVxWi1odHBVSlJ6ZTNXN3I3cXhjR3A0S3NCdGFzQ2paVzJYaXJCVnV5dTZsM2pzcmdOUHZLU1pnY2lQZ1EiLCJleHAiOiJBUUFCIn19.JTIAhIrjbI5s4-1QelTveJYqFjHz2vMQrkRo---TLtSkSDL4IaBXxXabQm_hgXR_Rh80GV2nAD9BR7PSdH2v4BK-xBzHnVzOIfWGzbB-fySvwEF3AO0cQpy8v95no6R8cbVF6exzVmuC5kLesS3BCjoHjywl-fS1H9fUMhUwDS6OatVg4AC3guz0_9l-cM1JE4Ryko-zLAzAkE8cfvVYyH0UCHAQUcTd2T45JmW4_hzN37ziuTs-xKkQ4fZ6TLURS_Q0sxX2vNIhdP1QQWzBwHwxObFK1O_Zb00KVe7MCB7Uxfisz1FDlFgq0Z0QCrQHuVyFqHqcJQjvPh3ORv0_6g'
+          'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL3NlbGYtaXNzdWVkLm1lIiwidXNlcl9pZCI6ImludmFsaWQiLCJhdWQiOiJ0YXBpZC50YXBpZGVudGl0eS5jb20iLCJleHAiOjEzNTAzMjYyNjEsImlhdCI6MTM1MDMyMjY2MSwidXNlcl9qd2siOnsiYWxnIjoiUlNBIiwibW9kIjoidnVLay1YdDR3bXF3Wl9HR2FXMTNVeV9RUExobThJVUM1SGpsZlJTZEpXRGY4bnRWV1p2bVRZcjEyd2tfUU1XN3RkQ25Eb0d2dnd0VVczajhIaTlEOG5aNW84c0FhSUxmbm1MSE9sdHNVT01IWTRlOWZtVzQ5eWJUS25sbFRkTGlJMy13NWJtZC1VTVE4WnBSQ2dhN0Z5WERMR2tpeXNrSTNtdjAxcUVfOURMc0dEVTFjWHBaM19TY05MY1RuN0hYSHRCcnVVOHhhOHZkUGxncEdXQjFTaTIxRWhubnNOQnZmUmkzUW9UcFlkbnFqTGk4NzQtWDd4anJWUDNzRURoRnNvdzdNR0s2WVF3X2JsNzAxdGJIU3F1SG5aWDZ0ZklQaFNMYVNWbXdGVzNTem9GdDBWNGxpbzlPOHhqNWlpQnBNV0cwcDd4MTJpYno1bEktaGYzcTJ3IiwieHBvIjoiQVFBQiJ9fQ.p_Zh-nLBVaDQXTvDe3YCDQsA8QKepMfEtEzmBBQEmnFEmLSDAcsTnAbkTNlRZ-BQ-CuEF_NFJ2KK0B8s4GEfb5IO3afBHi5nxk269d1BLypuLRG1oI5GWoO5kPPjcjdZHUHXv56w_c8KeOtRazCKhcVwvErs8vXi1hlAfln5cGMhJ-jlBztk1ZUHefvdCecGyqxzCVnjowA1MsMDhdchDX3njza6qxL8IkPZ04u57KnLsfYTh84jZ4vv0_5bdCs_-fSWXDMvyhDN69_YRT6QqX312421IJqDsIjUWk6VpCFi6Yti7iRZ8qixd5UVyxLHMkomY8okVG04oMHs9lMzDQ'
         end
 
         it do