openid_connect 0.6.1 → 2.3.0
- checksums.yaml +5 -5
- data/.github/FUNDING.yml +3 -0
- data/.github/workflows/spec.yml +31 -0
- data/.gitignore +1 -0
- data/CHANGELOG.md +23 -0
- data/LICENSE +3 -1
- data/README.rdoc +10 -3
- data/Rakefile +6 -6
- data/TODOs +12 -0
- data/VERSION +1 -1
- data/lib/openid_connect/access_token/mtls.rb +9 -0
- data/lib/openid_connect/access_token.rb +14 -6
- data/lib/openid_connect/client/registrar.rb +69 -130
- data/lib/openid_connect/client.rb +7 -12
- data/lib/openid_connect/discovery/provider/config/resource.rb +5 -3
- data/lib/openid_connect/discovery/provider/config/response.rb +73 -78
- data/lib/openid_connect/discovery/provider/config.rb +5 -2
- data/lib/openid_connect/discovery/provider.rb +6 -2
- data/lib/openid_connect/discovery.rb +0 -2
- data/lib/openid_connect/jwtnizable.rb +6 -4
- data/lib/openid_connect/request_object/claimable.rb +4 -6
- data/lib/openid_connect/request_object.rb +6 -13
- data/lib/openid_connect/response_object/id_token.rb +38 -37
- data/lib/openid_connect/response_object/user_info/address.rb +10 -0
- data/lib/openid_connect/response_object/user_info.rb +64 -2
- data/lib/openid_connect.rb +26 -11
- data/lib/rack/oauth2/server/authorize/extension/code_and_id_token.rb +5 -1
- data/lib/rack/oauth2/server/authorize/extension/code_and_id_token_and_token.rb +1 -1
- data/lib/rack/oauth2/server/authorize/extension/id_token.rb +1 -1
- data/lib/rack/oauth2/server/authorize/extension/id_token_and_token.rb +1 -1
- data/lib/rack/oauth2/server/authorize/request_with_connect_params.rb +17 -14
- data/lib/rack/oauth2/server/id_token_response.rb +11 -13
- data/openid_connect.gemspec +19 -13
- data/spec/helpers/crypto_spec_helper.rb +2 -2
- data/spec/helpers/webmock_helper.rb +14 -9
- data/spec/mock_response/access_token/without_token_type.json +3 -0
- data/spec/mock_response/discovery/config.json +3 -3
- data/spec/mock_response/discovery/config_with_custom_port.json +13 -0
- data/spec/mock_response/discovery/config_with_invalid_issuer.json +13 -0
- data/spec/mock_response/discovery/config_with_path.json +13 -0
- data/spec/mock_response/discovery/config_without_issuer.json +12 -0
- data/spec/mock_response/errors/unknown.json +3 -1
- data/spec/mock_response/public_keys/{jwk.json → jwks.json} +1 -1
- data/spec/mock_response/public_keys/jwks_with_private_key.json +8 -0
- data/spec/mock_response/public_keys/private_key.pem +27 -0
- data/spec/openid_connect/access_token_spec.rb +11 -20
- data/spec/openid_connect/client/registrar_spec.rb +93 -208
- data/spec/openid_connect/client_spec.rb +79 -22
- data/spec/openid_connect/connect_object_spec.rb +1 -1
- data/spec/openid_connect/discovery/provider/config/response_spec.rb +76 -284
- data/spec/openid_connect/discovery/provider/config_spec.rb +64 -27
- data/spec/openid_connect/discovery/provider_spec.rb +2 -2
- data/spec/openid_connect/request_object_spec.rb +4 -4
- data/spec/openid_connect/response_object/id_token_spec.rb +94 -52
- data/spec/openid_connect/response_object/user_info/{open_id/address_spec.rb → address_spec.rb} +3 -3
- data/spec/openid_connect/response_object/{user_info/open_id_spec.rb → user_info_spec.rb} +13 -12
- data/spec/openid_connect_spec.rb +19 -19
- data/spec/rack/oauth2/server/authorize/extension/code_and_id_token_and_token_spec.rb +11 -0
- data/spec/rack/oauth2/server/authorize/extension/code_and_id_token_spec.rb +11 -0
- data/spec/rack/oauth2/server/authorize/extension/id_token_and_token_spec.rb +11 -0
- data/spec/rack/oauth2/server/authorize/extension/id_token_spec.rb +1 -1
- data/spec/rack/oauth2/server/authorize/request_with_connect_params_spec.rb +45 -0
- data/spec/spec_helper.rb +12 -1
- metadata +155 -90
- data/.travis.yml +0 -3
- data/Gemfile.lock +0 -102
- data/lib/openid_connect/debugger/request_filter.rb +0 -28
- data/lib/openid_connect/debugger.rb +0 -3
- data/lib/openid_connect/response_object/user_info/open_id/address.rb +0 -12
- data/lib/openid_connect/response_object/user_info/open_id.rb +0 -64
- data/lib/rack/oauth2/server/resource/error_with_connect_ext.rb +0 -14
- data/spec/mock_response/public_keys/x509.pem +0 -21
- data/spec/openid_connect/debugger/request_filter_spec.rb +0 -33
- data/spec/rack/oauth2/server/resource/error_with_connect_ext_spec.rb +0 -12
- /data/spec/mock_response/{user_info → userinfo}/openid.json +0 -0
@@ -5,140 +5,101 @@ describe OpenIDConnect::Client::Registrar do
|
|
5
5
|
let(:attributes) { minimum_attributes }
|
6
6
|
let(:minimum_attributes) do
|
7
7
|
{
|
8
|
-
|
8
|
+
redirect_uris: ['https://client.example.com/callback']
|
9
9
|
}
|
10
10
|
end
|
11
11
|
let(:instance) { OpenIDConnect::Client::Registrar.new(endpoint, attributes) }
|
12
12
|
let(:endpoint) { 'https://server.example.com/clients' }
|
13
13
|
|
14
14
|
context 'when endpoint given' do
|
15
|
-
context 'when attributes given' do
|
16
|
-
|
17
|
-
|
18
|
-
minimum_attributes
|
19
|
-
end
|
20
|
-
it { should be_valid }
|
21
|
-
end
|
22
|
-
|
23
|
-
context 'when operation=client_update' do
|
24
|
-
context 'when client_id given' do
|
25
|
-
let(:attributes) do
|
26
|
-
{
|
27
|
-
operation: :client_update,
|
28
|
-
client_id: 'client.example.com'
|
29
|
-
}
|
30
|
-
end
|
31
|
-
it { should be_valid }
|
32
|
-
end
|
33
|
-
|
34
|
-
context 'otherwise' do
|
35
|
-
let(:attributes) do
|
36
|
-
{
|
37
|
-
operation: :client_update
|
38
|
-
}
|
39
|
-
end
|
40
|
-
it { should_not be_valid }
|
41
|
-
end
|
42
|
-
end
|
43
|
-
|
44
|
-
context 'otherwise' do
|
45
|
-
let(:attributes) do
|
46
|
-
{
|
47
|
-
operation: :invalid_operation
|
48
|
-
}
|
49
|
-
end
|
50
|
-
it { should_not be_valid }
|
15
|
+
context 'when required attributes given' do
|
16
|
+
let(:attributes) do
|
17
|
+
minimum_attributes
|
51
18
|
end
|
19
|
+
it { should be_valid }
|
52
20
|
end
|
53
21
|
|
54
22
|
context 'otherwise' do
|
55
23
|
let(:instance) { OpenIDConnect::Client::Registrar.new(endpoint) }
|
56
|
-
it do
|
57
|
-
expect do
|
58
|
-
instance
|
59
|
-
end.not_to raise_error
|
60
|
-
end
|
61
24
|
it { should_not be_valid }
|
62
25
|
end
|
63
26
|
end
|
64
27
|
|
65
28
|
context 'otherwise' do
|
66
|
-
let(:instance) { OpenIDConnect::Client::Registrar.new(endpoint) }
|
67
29
|
let(:endpoint) { '' }
|
30
|
+
it { should_not be_valid }
|
31
|
+
end
|
68
32
|
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
33
|
+
describe '#initialize' do
|
34
|
+
it 'creates attribute writers for all attributes' do
|
35
|
+
described_class.metadata_attributes.each do |attr|
|
36
|
+
expect(subject).to respond_to("#{attr}=")
|
37
|
+
end
|
73
38
|
end
|
74
39
|
end
|
75
40
|
|
76
41
|
describe '#sector_identifier' do
|
77
|
-
context 'when
|
42
|
+
context 'when sector_identifier_uri given' do
|
78
43
|
let(:attributes) do
|
79
44
|
minimum_attributes.merge(
|
80
|
-
|
45
|
+
sector_identifier_uri: 'https://client2.example.com/sector_identifier.json'
|
81
46
|
)
|
82
47
|
end
|
83
|
-
its(:sector_identifier) { should == '
|
84
|
-
|
85
|
-
context 'when sector_identifier_url is invalid URI' do
|
86
|
-
let(:attributes) do
|
87
|
-
minimum_attributes.merge(
|
88
|
-
sector_identifier_url: ':invalid'
|
89
|
-
)
|
90
|
-
end
|
91
|
-
its(:sector_identifier) { should be_nil }
|
92
|
-
end
|
48
|
+
its(:sector_identifier) { should == 'client2.example.com' }
|
93
49
|
|
94
|
-
context 'when
|
50
|
+
context 'when sector_identifier_uri is invalid URI' do
|
95
51
|
let(:attributes) do
|
96
52
|
minimum_attributes.merge(
|
97
|
-
|
98
|
-
redirect_uris: 'https://client2.example.com/callback'
|
53
|
+
sector_identifier_uri: 'invalid'
|
99
54
|
)
|
100
55
|
end
|
101
|
-
|
56
|
+
it { should_not be_valid }
|
102
57
|
end
|
103
58
|
end
|
104
59
|
|
105
60
|
context 'otherwise' do
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
61
|
+
let(:attributes) do
|
62
|
+
minimum_attributes.merge(
|
63
|
+
redirect_uris: redirect_uris
|
64
|
+
)
|
65
|
+
end
|
66
|
+
|
67
|
+
context 'when redirect_uris includes only one host' do
|
68
|
+
let(:redirect_uris) do
|
69
|
+
[
|
70
|
+
'https://client.example.com/callback/op1',
|
71
|
+
'https://client.example.com/callback/op2'
|
72
|
+
]
|
117
73
|
end
|
74
|
+
its(:sector_identifier) { should == 'client.example.com' }
|
75
|
+
end
|
118
76
|
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
].join(' ')
|
126
|
-
)
|
127
|
-
end
|
128
|
-
its(:sector_identifier) { should be_nil }
|
77
|
+
context 'when redirect_uris includes multiple hosts' do
|
78
|
+
let(:redirect_uris) do
|
79
|
+
[
|
80
|
+
'https://client1.example.com/callback',
|
81
|
+
'https://client2.example.com/callback'
|
82
|
+
]
|
129
83
|
end
|
84
|
+
its(:sector_identifier) { should be_nil }
|
130
85
|
|
131
|
-
context 'when
|
86
|
+
context 'when subject_type=pairwise' do
|
132
87
|
let(:attributes) do
|
133
88
|
minimum_attributes.merge(
|
134
|
-
redirect_uris:
|
89
|
+
redirect_uris: redirect_uris,
|
90
|
+
subject_type: :pairwise
|
135
91
|
)
|
136
92
|
end
|
137
|
-
|
93
|
+
it { should_not be_valid }
|
138
94
|
end
|
139
95
|
end
|
140
96
|
|
141
|
-
context '
|
97
|
+
context 'when redirect_uris includes invalid URL' do
|
98
|
+
let(:redirect_uris) do
|
99
|
+
[
|
100
|
+
'invalid'
|
101
|
+
]
|
102
|
+
end
|
142
103
|
its(:sector_identifier) { should be_nil }
|
143
104
|
end
|
144
105
|
end
|
@@ -146,7 +107,7 @@ describe OpenIDConnect::Client::Registrar do
|
|
146
107
|
|
147
108
|
describe '#redirect_uris' do
|
148
109
|
let(:base_url) { 'http://client.example.com/callback' }
|
149
|
-
let(:attributes) { minimum_attributes.merge(redirect_uris: redirect_uri) }
|
110
|
+
let(:attributes) { minimum_attributes.merge(redirect_uris: [redirect_uri]) }
|
150
111
|
|
151
112
|
context 'when query included' do
|
152
113
|
let(:redirect_uri) { [base_url, '?foo=bar'].join }
|
@@ -156,41 +117,41 @@ describe OpenIDConnect::Client::Registrar do
|
|
156
117
|
|
157
118
|
context 'when fragment included' do
|
158
119
|
let(:redirect_uri) { [base_url, '#foo=bar'].join }
|
159
|
-
it {
|
120
|
+
it { should be_valid }
|
160
121
|
end
|
161
122
|
end
|
162
123
|
|
163
124
|
describe '#contacts' do
|
164
125
|
context 'when contacts given' do
|
126
|
+
let(:attributes) do
|
127
|
+
minimum_attributes.merge(
|
128
|
+
contacts: contacts
|
129
|
+
)
|
130
|
+
end
|
131
|
+
|
165
132
|
context 'when invalid email included' do
|
166
|
-
let(:
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
].join(' ')
|
172
|
-
)
|
133
|
+
let(:contacts) do
|
134
|
+
[
|
135
|
+
'invalid',
|
136
|
+
'nov@matake.jp'
|
137
|
+
]
|
173
138
|
end
|
174
139
|
it { should_not be_valid }
|
175
140
|
end
|
176
141
|
|
177
142
|
context 'when localhost address included' do
|
178
|
-
let(:
|
179
|
-
|
180
|
-
|
181
|
-
|
182
|
-
|
183
|
-
].join(' ')
|
184
|
-
)
|
143
|
+
let(:contacts) do
|
144
|
+
[
|
145
|
+
'nov@localhost',
|
146
|
+
'nov@matake.jp'
|
147
|
+
]
|
185
148
|
end
|
186
149
|
it { should_not be_valid }
|
187
150
|
end
|
188
151
|
|
189
152
|
context 'otherwise' do
|
190
|
-
let(:
|
191
|
-
|
192
|
-
contacts: 'nov@matake.jp'
|
193
|
-
)
|
153
|
+
let(:contacts) do
|
154
|
+
['nov@matake.jp']
|
194
155
|
end
|
195
156
|
it { should be_valid }
|
196
157
|
end
|
@@ -199,27 +160,16 @@ describe OpenIDConnect::Client::Registrar do
|
|
199
160
|
|
200
161
|
describe '#as_json' do
|
201
162
|
context 'when valid' do
|
202
|
-
let(:attributes) do
|
203
|
-
minimum_attributes.merge(
|
204
|
-
redirect_uris: [
|
205
|
-
'https://client1.example.com/callback',
|
206
|
-
'https://client2.example.com/callback'
|
207
|
-
].join(' ')
|
208
|
-
)
|
209
|
-
end
|
210
163
|
its(:as_json) do
|
211
|
-
should ==
|
212
|
-
operation: 'client_register',
|
213
|
-
redirect_uris: 'https://client1.example.com/callback https://client2.example.com/callback'
|
214
|
-
}
|
164
|
+
should == minimum_attributes
|
215
165
|
end
|
216
166
|
end
|
217
167
|
|
218
168
|
context 'otherwise' do
|
219
169
|
let(:attributes) do
|
220
|
-
|
221
|
-
|
222
|
-
|
170
|
+
minimum_attributes.merge(
|
171
|
+
sector_identifier_uri: 'invalid'
|
172
|
+
)
|
223
173
|
end
|
224
174
|
it do
|
225
175
|
expect do
|
@@ -230,27 +180,19 @@ describe OpenIDConnect::Client::Registrar do
|
|
230
180
|
end
|
231
181
|
|
232
182
|
describe '#register!' do
|
233
|
-
let(:attributes) do
|
234
|
-
{}
|
235
|
-
end
|
236
|
-
|
237
183
|
it 'should return OpenIDConnect::Client' do
|
238
|
-
mock_json :post, endpoint, 'client/registered', params:
|
239
|
-
|
240
|
-
} do
|
241
|
-
client = instance.register!
|
242
|
-
client.should be_instance_of OpenIDConnect::Client
|
243
|
-
client.identifier.should == 'client.example.com'
|
244
|
-
client.secret.should == 'client_secret'
|
245
|
-
client.expires_in.should == 3600
|
184
|
+
client = mock_json :post, endpoint, 'client/registered', params: minimum_attributes do
|
185
|
+
instance.register!
|
246
186
|
end
|
187
|
+
client.should be_instance_of OpenIDConnect::Client
|
188
|
+
client.identifier.should == 'client.example.com'
|
189
|
+
client.secret.should == 'client_secret'
|
190
|
+
client.expires_in.should == 3600
|
247
191
|
end
|
248
192
|
|
249
193
|
context 'when failed' do
|
250
194
|
it 'should raise OpenIDConnect::Client::Registrar::RegistrationFailed' do
|
251
|
-
mock_json :post, endpoint, 'errors/unknown', params:
|
252
|
-
operation: 'client_register'
|
253
|
-
}, status: 400 do
|
195
|
+
mock_json :post, endpoint, 'errors/unknown', params: minimum_attributes, status: 400 do
|
254
196
|
expect do
|
255
197
|
instance.register!
|
256
198
|
end.to raise_error OpenIDConnect::Client::Registrar::RegistrationFailed
|
@@ -259,81 +201,24 @@ describe OpenIDConnect::Client::Registrar do
|
|
259
201
|
end
|
260
202
|
end
|
261
203
|
|
262
|
-
describe '#update!' do
|
263
|
-
let(:attributes) do
|
264
|
-
{
|
265
|
-
client_id: 'client.example.com',
|
266
|
-
client_secret: 'client_secret'
|
267
|
-
}
|
268
|
-
end
|
269
|
-
|
270
|
-
it 'should return OpenIDConnect::Client' do
|
271
|
-
mock_json :post, endpoint, 'client/updated', params: {
|
272
|
-
operation: 'client_update',
|
273
|
-
client_id: 'client.example.com',
|
274
|
-
client_secret: 'client_secret',
|
275
|
-
client_name: 'New Name'
|
276
|
-
} do
|
277
|
-
instance.client_name = 'New Name'
|
278
|
-
client = instance.update!
|
279
|
-
client.should be_instance_of OpenIDConnect::Client
|
280
|
-
client.identifier.should == 'client.example.com'
|
281
|
-
end
|
282
|
-
end
|
283
|
-
|
284
|
-
context 'when failed' do
|
285
|
-
it 'should raise OpenIDConnect::Client::Registrar::RegistrationFailed' do
|
286
|
-
mock_json :post, endpoint, 'errors/unknown', params: {
|
287
|
-
operation: 'client_update',
|
288
|
-
client_id: 'client.example.com',
|
289
|
-
client_secret: 'client_secret'
|
290
|
-
}, status: 400 do
|
291
|
-
expect do
|
292
|
-
instance.update!
|
293
|
-
end.to raise_error OpenIDConnect::Client::Registrar::RegistrationFailed
|
294
|
-
end
|
295
|
-
end
|
296
|
-
end
|
297
|
-
end
|
298
|
-
|
299
|
-
describe '#rotate_secret!' do
|
300
|
-
let(:attributes) do
|
301
|
-
{
|
302
|
-
client_id: 'client.example.com',
|
303
|
-
client_secret: 'client_secret'
|
304
|
-
}
|
305
|
-
end
|
306
|
-
|
307
|
-
it 'should return OpenIDConnect::Client' do
|
308
|
-
mock_json :post, endpoint, 'client/rotated', params: {
|
309
|
-
operation: 'rotate_secret',
|
310
|
-
client_id: 'client.example.com',
|
311
|
-
client_secret: 'client_secret'
|
312
|
-
} do
|
313
|
-
client = instance.rotate_secret!
|
314
|
-
client.should be_instance_of OpenIDConnect::Client
|
315
|
-
client.identifier.should == 'client.example.com'
|
316
|
-
client.secret.should == 'new_client_secret'
|
317
|
-
client.expires_in.should == 3600
|
318
|
-
end
|
319
|
-
end
|
320
|
-
end
|
321
|
-
|
322
204
|
describe '#validate!' do
|
323
205
|
context 'when valid' do
|
324
206
|
it do
|
325
207
|
expect do
|
326
208
|
instance.validate!
|
327
|
-
end.not_to raise_error
|
209
|
+
end.not_to raise_error { |e|
|
210
|
+
e.should be_a OpenIDConnect::ValidationFailed
|
211
|
+
}
|
328
212
|
end
|
329
213
|
end
|
330
214
|
|
331
215
|
context 'otherwise' do
|
332
216
|
let(:attributes) do
|
333
|
-
|
334
|
-
|
335
|
-
|
217
|
+
minimum_attributes.merge(
|
218
|
+
sector_identifier_uri: 'invalid'
|
219
|
+
)
|
336
220
|
end
|
221
|
+
|
337
222
|
it do
|
338
223
|
expect do
|
339
224
|
instance.validate!
|
@@ -345,15 +230,15 @@ describe OpenIDConnect::Client::Registrar do
|
|
345
230
|
describe 'http_client' do
|
346
231
|
subject { instance.send(:http_client) }
|
347
232
|
|
348
|
-
context 'when
|
233
|
+
context 'when initial_access_token given' do
|
349
234
|
let(:attributes) do
|
350
235
|
minimum_attributes.merge(
|
351
|
-
|
236
|
+
initial_access_token: initial_access_token
|
352
237
|
)
|
353
238
|
end
|
354
239
|
|
355
240
|
context 'when Rack::OAuth2::AccessToken::Bearer given' do
|
356
|
-
let(:
|
241
|
+
let(:initial_access_token) do
|
357
242
|
Rack::OAuth2::AccessToken::Bearer.new(access_token: 'access_token')
|
358
243
|
end
|
359
244
|
it { should be_instance_of Rack::OAuth2::AccessToken::Bearer }
|
@@ -361,14 +246,14 @@ describe OpenIDConnect::Client::Registrar do
|
|
361
246
|
end
|
362
247
|
|
363
248
|
context 'otherwise' do
|
364
|
-
let(:
|
249
|
+
let(:initial_access_token) { 'access_token' }
|
365
250
|
it { should be_instance_of Rack::OAuth2::AccessToken::Bearer }
|
366
251
|
its(:access_token) { should == 'access_token' }
|
367
252
|
end
|
368
253
|
end
|
369
254
|
|
370
255
|
context 'otherwise' do
|
371
|
-
it { should be_instance_of
|
256
|
+
it { should be_instance_of Faraday::Connection }
|
372
257
|
end
|
373
258
|
end
|
374
|
-
end
|
259
|
+
end
|
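Review bot: The `when fragment included` example under `#redirect_uris` (new line 120) expects `should be_valid` for `http://client.example.com/callback#foo=bar`, but RFC 6749 §3.1.2 says a redirection endpoint URI must not include a fragment component. If the registrar is meant to reject such values before the registration request is sent, the expectation should read `it { should_not be_valid }`. If rejection is deliberately left to the provider, a comment such as `# fragments are not rejected client-side; the provider is expected to refuse them` above the example would make that explicit. The old expectation is truncated on this page and the validator is outside this section, so which of the two is intended cannot be confirmed from here.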
@@ -19,11 +19,11 @@ describe OpenIDConnect::Client do
|
|
19
19
|
end
|
20
20
|
its(:authorization_uri) { should include 'https://server.example.com/oauth2/authorize' }
|
21
21
|
its(:authorization_uri) { should include 'scope=openid' }
|
22
|
-
its(:
|
22
|
+
its(:userinfo_uri) { should == 'https://server.example.com/userinfo' }
|
23
23
|
end
|
24
24
|
|
25
25
|
context 'otherwise' do
|
26
|
-
[:authorization_uri, :
|
26
|
+
[:authorization_uri, :userinfo_uri].each do |endpoint|
|
27
27
|
describe endpoint do
|
28
28
|
it do
|
29
29
|
expect { client.send endpoint }.to raise_error 'No Host Info'
|
@@ -34,16 +34,53 @@ describe OpenIDConnect::Client do
|
|
34
34
|
end
|
35
35
|
|
36
36
|
describe '#authorization_uri' do
|
37
|
-
|
37
|
+
let(:scope) { nil }
|
38
|
+
let(:prompt) { nil }
|
39
|
+
let(:response_type) { nil }
|
40
|
+
let(:query) do
|
41
|
+
params = {
|
42
|
+
scope: scope,
|
43
|
+
prompt: prompt,
|
44
|
+
response_type: response_type
|
45
|
+
}.reject do |k,v|
|
46
|
+
v.blank?
|
47
|
+
end
|
48
|
+
query = URI.parse(client.authorization_uri params).query
|
49
|
+
Rack::Utils.parse_query(query).with_indifferent_access
|
50
|
+
end
|
51
|
+
let :attributes do
|
52
|
+
required_attributes.merge(
|
53
|
+
host: 'server.example.com'
|
54
|
+
)
|
55
|
+
end
|
56
|
+
|
57
|
+
describe 'response_type' do
|
38
58
|
subject do
|
39
|
-
query
|
40
|
-
Rack::Utils.parse_query(query).with_indifferent_access[:scope]
|
59
|
+
query[:response_type]
|
41
60
|
end
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
61
|
+
|
62
|
+
it { should == 'code' }
|
63
|
+
|
64
|
+
context 'when response_type is given' do
|
65
|
+
context 'when array given' do
|
66
|
+
let(:response_type) { [:code, :token] }
|
67
|
+
it { should == 'code token' }
|
68
|
+
end
|
69
|
+
|
70
|
+
context 'when scalar given' do
|
71
|
+
let(:response_type) { :token }
|
72
|
+
it { should == 'token' }
|
73
|
+
end
|
74
|
+
end
|
75
|
+
|
76
|
+
context 'as default' do
|
77
|
+
it { should == 'code' }
|
78
|
+
end
|
79
|
+
end
|
80
|
+
|
81
|
+
describe 'scope' do
|
82
|
+
subject do
|
83
|
+
query[:scope]
|
47
84
|
end
|
48
85
|
|
49
86
|
context 'when scope is given' do
|
@@ -58,10 +95,31 @@ describe OpenIDConnect::Client do
|
|
58
95
|
end
|
59
96
|
end
|
60
97
|
|
61
|
-
context '
|
98
|
+
context 'as default' do
|
62
99
|
it { should == 'openid' }
|
63
100
|
end
|
64
101
|
end
|
102
|
+
|
103
|
+
describe 'prompt' do
|
104
|
+
subject do
|
105
|
+
query[:prompt]
|
106
|
+
end
|
107
|
+
|
108
|
+
context 'when prompt is a scalar value' do
|
109
|
+
let(:prompt) { :login }
|
110
|
+
it { should == 'login' }
|
111
|
+
end
|
112
|
+
|
113
|
+
context 'when prompt is a space-delimited string' do
|
114
|
+
let(:prompt) { 'login consent' }
|
115
|
+
it { should == 'login consent' }
|
116
|
+
end
|
117
|
+
|
118
|
+
context 'when prompt is an array' do
|
119
|
+
let(:prompt) { [:login, :consent] }
|
120
|
+
it { should == 'login consent' }
|
121
|
+
end
|
122
|
+
end
|
65
123
|
end
|
66
124
|
|
67
125
|
describe '#access_token!' do
|
@@ -104,22 +162,21 @@ describe OpenIDConnect::Client do
|
|
104
162
|
end
|
105
163
|
end
|
106
164
|
|
107
|
-
context 'when invalid JSON is returned' do
|
108
|
-
it 'should raise OpenIDConnect::Exception' do
|
109
|
-
mock_json :post, client.token_endpoint, 'access_token/invalid_json', request_header: header_params, params: protocol_params do
|
110
|
-
expect do
|
111
|
-
access_token
|
112
|
-
end.to raise_error OpenIDConnect::Exception, 'Unknown Token Type'
|
113
|
-
end
|
114
|
-
end
|
115
|
-
end
|
116
|
-
|
117
165
|
context 'otherwise' do
|
118
166
|
it 'should raise Unexpected Token Type exception' do
|
119
167
|
mock_json :post, client.token_endpoint, 'access_token/mac', request_header: header_params, params: protocol_params do
|
120
168
|
expect { access_token }.to raise_error OpenIDConnect::Exception, 'Unexpected Token Type: mac'
|
121
169
|
end
|
122
170
|
end
|
171
|
+
|
172
|
+
context 'when token_type is forced' do
|
173
|
+
before { client.force_token_type! :bearer }
|
174
|
+
it 'should use forced token_type' do
|
175
|
+
mock_json :post, client.token_endpoint, 'access_token/without_token_type', request_header: header_params, params: protocol_params do
|
176
|
+
access_token.should be_a OpenIDConnect::AccessToken
|
177
|
+
end
|
178
|
+
end
|
179
|
+
end
|
123
180
|
end
|
124
181
|
end
|
125
|
-
end
|
182
|
+
end
|
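Review bot: The `when token_type is forced` context (new lines 172–179) only replays the `access_token/without_token_type` fixture, so nothing pins what `client.force_token_type! :bearer` does when the token endpoint declares a different type. The `access_token/mac` fixture used by the example just above it would cover that case; a second example replaying it under the forced setting and asserting the intended outcome would show whether the provider's declared type is overridden or still rejected. If overriding is intended, a comment such as `# force_token_type! replaces the token_type returned by the provider` above the `before` line would record that. The implementation of `force_token_type!` is outside this section, so the actual behaviour is not visible here.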