openid_connect 0.6.1 → 2.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/.github/FUNDING.yml +3 -0
- data/.github/workflows/spec.yml +31 -0
- data/.gitignore +1 -0
- data/CHANGELOG.md +23 -0
- data/LICENSE +3 -1
- data/README.rdoc +10 -3
- data/Rakefile +6 -6
- data/TODOs +12 -0
- data/VERSION +1 -1
- data/lib/openid_connect/access_token/mtls.rb +9 -0
- data/lib/openid_connect/access_token.rb +14 -6
- data/lib/openid_connect/client/registrar.rb +69 -130
- data/lib/openid_connect/client.rb +7 -12
- data/lib/openid_connect/discovery/provider/config/resource.rb +5 -3
- data/lib/openid_connect/discovery/provider/config/response.rb +73 -78
- data/lib/openid_connect/discovery/provider/config.rb +5 -2
- data/lib/openid_connect/discovery/provider.rb +6 -2
- data/lib/openid_connect/discovery.rb +0 -2
- data/lib/openid_connect/jwtnizable.rb +6 -4
- data/lib/openid_connect/request_object/claimable.rb +4 -6
- data/lib/openid_connect/request_object.rb +6 -13
- data/lib/openid_connect/response_object/id_token.rb +38 -37
- data/lib/openid_connect/response_object/user_info/address.rb +10 -0
- data/lib/openid_connect/response_object/user_info.rb +64 -2
- data/lib/openid_connect.rb +26 -11
- data/lib/rack/oauth2/server/authorize/extension/code_and_id_token.rb +5 -1
- data/lib/rack/oauth2/server/authorize/extension/code_and_id_token_and_token.rb +1 -1
- data/lib/rack/oauth2/server/authorize/extension/id_token.rb +1 -1
- data/lib/rack/oauth2/server/authorize/extension/id_token_and_token.rb +1 -1
- data/lib/rack/oauth2/server/authorize/request_with_connect_params.rb +17 -14
- data/lib/rack/oauth2/server/id_token_response.rb +11 -13
- data/openid_connect.gemspec +19 -13
- data/spec/helpers/crypto_spec_helper.rb +2 -2
- data/spec/helpers/webmock_helper.rb +14 -9
- data/spec/mock_response/access_token/without_token_type.json +3 -0
- data/spec/mock_response/discovery/config.json +3 -3
- data/spec/mock_response/discovery/config_with_custom_port.json +13 -0
- data/spec/mock_response/discovery/config_with_invalid_issuer.json +13 -0
- data/spec/mock_response/discovery/config_with_path.json +13 -0
- data/spec/mock_response/discovery/config_without_issuer.json +12 -0
- data/spec/mock_response/errors/unknown.json +3 -1
- data/spec/mock_response/public_keys/{jwk.json → jwks.json} +1 -1
- data/spec/mock_response/public_keys/jwks_with_private_key.json +8 -0
- data/spec/mock_response/public_keys/private_key.pem +27 -0
- data/spec/openid_connect/access_token_spec.rb +11 -20
- data/spec/openid_connect/client/registrar_spec.rb +93 -208
- data/spec/openid_connect/client_spec.rb +79 -22
- data/spec/openid_connect/connect_object_spec.rb +1 -1
- data/spec/openid_connect/discovery/provider/config/response_spec.rb +76 -284
- data/spec/openid_connect/discovery/provider/config_spec.rb +64 -27
- data/spec/openid_connect/discovery/provider_spec.rb +2 -2
- data/spec/openid_connect/request_object_spec.rb +4 -4
- data/spec/openid_connect/response_object/id_token_spec.rb +94 -52
- data/spec/openid_connect/response_object/user_info/{open_id/address_spec.rb → address_spec.rb} +3 -3
- data/spec/openid_connect/response_object/{user_info/open_id_spec.rb → user_info_spec.rb} +13 -12
- data/spec/openid_connect_spec.rb +19 -19
- data/spec/rack/oauth2/server/authorize/extension/code_and_id_token_and_token_spec.rb +11 -0
- data/spec/rack/oauth2/server/authorize/extension/code_and_id_token_spec.rb +11 -0
- data/spec/rack/oauth2/server/authorize/extension/id_token_and_token_spec.rb +11 -0
- data/spec/rack/oauth2/server/authorize/extension/id_token_spec.rb +1 -1
- data/spec/rack/oauth2/server/authorize/request_with_connect_params_spec.rb +45 -0
- data/spec/spec_helper.rb +12 -1
- metadata +155 -90
- data/.travis.yml +0 -3
- data/Gemfile.lock +0 -102
- data/lib/openid_connect/debugger/request_filter.rb +0 -28
- data/lib/openid_connect/debugger.rb +0 -3
- data/lib/openid_connect/response_object/user_info/open_id/address.rb +0 -12
- data/lib/openid_connect/response_object/user_info/open_id.rb +0 -64
- data/lib/rack/oauth2/server/resource/error_with_connect_ext.rb +0 -14
- data/spec/mock_response/public_keys/x509.pem +0 -21
- data/spec/openid_connect/debugger/request_filter_spec.rb +0 -33
- data/spec/rack/oauth2/server/resource/error_with_connect_ext_spec.rb +0 -12
- /data/spec/mock_response/{user_info → userinfo}/openid.json +0 -0
@@ -4,311 +4,103 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
|
|
4
4
|
let :instance do
|
5
5
|
OpenIDConnect::Discovery::Provider::Config::Response.new attributes
|
6
6
|
end
|
7
|
-
let :
|
8
|
-
|
7
|
+
let :jwks_uri do
|
8
|
+
'https://server.example.com/jwks.json'
|
9
9
|
end
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
10
|
+
let :minimum_attributes do
|
11
|
+
{
|
12
|
+
issuer: 'https://server.example.com',
|
13
|
+
authorization_endpoint: 'https://server.example.com/authorize',
|
14
|
+
jwks_uri: jwks_uri,
|
15
|
+
response_types_supported: [
|
16
|
+
:code, :id_token, 'token id_token'
|
17
|
+
],
|
18
|
+
subject_types_supported: [
|
19
|
+
:public, :pairwise
|
20
|
+
],
|
21
|
+
id_token_signing_alg_values_supported: [
|
22
|
+
:RS256
|
23
|
+
]
|
14
24
|
}
|
25
|
+
end
|
26
|
+
let :attributes do
|
27
|
+
minimum_attributes
|
28
|
+
end
|
29
|
+
subject { instance }
|
15
30
|
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
end
|
20
|
-
end
|
21
|
-
|
22
|
-
context 'when user_info_endpoint given' do
|
23
|
-
let :attributes do
|
24
|
-
{user_info_endpoint: 'https://server.example.com/user_info'}
|
25
|
-
end
|
26
|
-
it do
|
27
|
-
should include :userinfo_endpoint
|
28
|
-
end
|
29
|
-
it do
|
30
|
-
should_not include :user_info_endpoint
|
31
|
-
end
|
31
|
+
context 'when required attributes missing' do
|
32
|
+
let :attributes do
|
33
|
+
{}
|
32
34
|
end
|
35
|
+
it { should_not be_valid }
|
36
|
+
end
|
33
37
|
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
let :attributes do
|
41
|
-
{key => [:x, :y]}
|
42
|
-
end
|
43
|
-
it do
|
44
|
-
should include key.to_s.sub('user_info', 'userinfo').to_sym
|
45
|
-
end
|
46
|
-
it do
|
47
|
-
should_not include key
|
48
|
-
end
|
49
|
-
end
|
38
|
+
context 'when end_session_endpoint given' do
|
39
|
+
let(:end_session_endpoint) { 'https://server.example.com/end_session' }
|
40
|
+
let :attributes do
|
41
|
+
minimum_attributes.merge(
|
42
|
+
end_session_endpoint: end_session_endpoint
|
43
|
+
)
|
50
44
|
end
|
45
|
+
it { should be_valid }
|
46
|
+
its(:end_session_endpoint) { should == end_session_endpoint }
|
51
47
|
end
|
52
48
|
|
53
|
-
|
54
|
-
|
55
|
-
let
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
x509_encryption_url: x509_encryption_url,
|
60
|
-
jwk_url: jwk_url,
|
61
|
-
jwk_encryption_url: jwk_encryption_url
|
62
|
-
}.delete_if do |key, value|
|
63
|
-
value.nil?
|
64
|
-
end
|
49
|
+
context 'when check_session_iframe given' do
|
50
|
+
let(:check_session_iframe) { 'https://server.example.com/check_session_iframe.html' }
|
51
|
+
let :attributes do
|
52
|
+
minimum_attributes.merge(
|
53
|
+
check_session_iframe: check_session_iframe
|
54
|
+
)
|
65
55
|
end
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
let(:jwk_encryption_url) { nil }
|
70
|
-
|
71
|
-
context 'when x509_url is given' do
|
72
|
-
let(:x509_url) { 'http://provider.example.com/x509.pem' }
|
73
|
-
|
74
|
-
context 'when x509_encryption_url is given' do
|
75
|
-
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
76
|
-
|
77
|
-
it 'should fetch signing_key from x509_url' do
|
78
|
-
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
79
|
-
config.signing_key
|
80
|
-
end
|
81
|
-
end
|
82
|
-
|
83
|
-
it 'should fetch encryption_key from x509_encryption_url' do
|
84
|
-
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
85
|
-
config.encryption_key
|
86
|
-
end
|
87
|
-
end
|
88
|
-
end
|
89
|
-
|
90
|
-
context 'when jwk_encryption_url is given' do
|
91
|
-
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
92
|
-
|
93
|
-
it 'should fetch signing_key from x509_url' do
|
94
|
-
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
95
|
-
config.signing_key
|
96
|
-
end
|
97
|
-
end
|
98
|
-
|
99
|
-
it 'should fetch encryption_key from jwk_encryption_url' do
|
100
|
-
mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
|
101
|
-
config.encryption_key
|
102
|
-
end
|
103
|
-
end
|
104
|
-
end
|
105
|
-
|
106
|
-
context 'when both x509_encryption_url and jwk_encryption_url are given' do
|
107
|
-
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
108
|
-
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
56
|
+
it { should be_valid }
|
57
|
+
its(:check_session_iframe) { should == check_session_iframe }
|
58
|
+
end
|
109
59
|
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
end
|
60
|
+
describe '#as_json' do
|
61
|
+
subject { instance.as_json }
|
62
|
+
it { should == minimum_attributes }
|
63
|
+
end
|
115
64
|
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
end
|
65
|
+
describe '#validate!' do
|
66
|
+
context 'when required attributes missing' do
|
67
|
+
let :attributes do
|
68
|
+
{}
|
121
69
|
end
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
config.signing_key
|
127
|
-
end
|
128
|
-
end
|
129
|
-
|
130
|
-
it 'should fetch encryption_key from x509_encryption_url' do
|
131
|
-
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
132
|
-
config.encryption_key
|
133
|
-
end
|
134
|
-
end
|
70
|
+
it do
|
71
|
+
expect do
|
72
|
+
instance.validate!
|
73
|
+
end.to raise_error OpenIDConnect::ValidationFailed
|
135
74
|
end
|
136
75
|
end
|
137
76
|
|
138
|
-
context '
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
|
145
|
-
mock_json :get, jwk_url, 'public_keys/jwk' do
|
146
|
-
config.signing_key
|
147
|
-
end
|
148
|
-
end
|
149
|
-
|
150
|
-
it 'should fetch encryption_key from x509_encryption_url' do
|
151
|
-
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
152
|
-
config.encryption_key
|
153
|
-
end
|
154
|
-
end
|
155
|
-
end
|
156
|
-
|
157
|
-
context 'when jwk_encryption_url is given' do
|
158
|
-
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
159
|
-
|
160
|
-
it 'should fetch signing_key from jwk_url' do
|
161
|
-
mock_json :get, jwk_url, 'public_keys/jwk' do
|
162
|
-
config.signing_key
|
163
|
-
end
|
164
|
-
end
|
165
|
-
|
166
|
-
it 'should fetch encryption_key from jwk_encryption_url' do
|
167
|
-
mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
|
168
|
-
config.encryption_key
|
169
|
-
end
|
170
|
-
end
|
171
|
-
end
|
172
|
-
|
173
|
-
context 'when both x509_encryption_url and jwk_encryption_url are given' do
|
174
|
-
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
175
|
-
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
176
|
-
|
177
|
-
it 'should fetch signing_key from jwk_url' do
|
178
|
-
mock_json :get, jwk_url, 'public_keys/jwk' do
|
179
|
-
config.signing_key
|
180
|
-
end
|
181
|
-
end
|
182
|
-
|
183
|
-
it 'should fetch encryption_key from x509_encryption_url' do
|
184
|
-
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
185
|
-
config.encryption_key
|
186
|
-
end
|
187
|
-
end
|
188
|
-
end
|
189
|
-
|
190
|
-
context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
|
191
|
-
it 'should fetch signing_key from jwk_url' do
|
192
|
-
mock_json :get, jwk_url, 'public_keys/jwk' do
|
193
|
-
config.signing_key
|
194
|
-
end
|
195
|
-
end
|
196
|
-
|
197
|
-
it 'should fetch encryption_key from x509_encryption_url' do
|
198
|
-
mock_json :get, jwk_url, 'public_keys/jwk' do
|
199
|
-
config.encryption_key
|
200
|
-
end
|
201
|
-
end
|
77
|
+
context 'otherwise' do
|
78
|
+
it do
|
79
|
+
expect do
|
80
|
+
instance.validate!
|
81
|
+
end.not_to raise_error{ |e|
|
82
|
+
e.should be_a OpenIDConnect::ValidationFailed
|
83
|
+
}
|
202
84
|
end
|
203
85
|
end
|
86
|
+
end
|
204
87
|
|
205
|
-
|
206
|
-
|
207
|
-
|
208
|
-
|
209
|
-
context 'when x509_encryption_url is given' do
|
210
|
-
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
211
|
-
|
212
|
-
it 'should fetch signing_key from x509_url' do
|
213
|
-
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
214
|
-
config.signing_key
|
215
|
-
end
|
216
|
-
end
|
217
|
-
|
218
|
-
it 'should fetch encryption_key from x509_encryption_url' do
|
219
|
-
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
220
|
-
config.encryption_key
|
221
|
-
end
|
222
|
-
end
|
223
|
-
end
|
224
|
-
|
225
|
-
context 'when jwk_encryption_url is given' do
|
226
|
-
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
227
|
-
|
228
|
-
it 'should fetch signing_key from x509_url' do
|
229
|
-
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
230
|
-
config.signing_key
|
231
|
-
end
|
232
|
-
end
|
233
|
-
|
234
|
-
it 'should fetch encryption_key from jwk_encryption_url' do
|
235
|
-
mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
|
236
|
-
config.encryption_key
|
237
|
-
end
|
238
|
-
end
|
239
|
-
end
|
240
|
-
|
241
|
-
context 'when both x509_encryption_url and jwk_encryption_url are given' do
|
242
|
-
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
243
|
-
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
244
|
-
|
245
|
-
it 'should fetch signing_key from x509_url' do
|
246
|
-
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
247
|
-
config.signing_key
|
248
|
-
end
|
249
|
-
end
|
250
|
-
|
251
|
-
it 'should fetch encryption_key from x509_encryption_url' do
|
252
|
-
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
253
|
-
config.encryption_key
|
254
|
-
end
|
255
|
-
end
|
256
|
-
end
|
257
|
-
|
258
|
-
context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
|
259
|
-
it 'should fetch signing_key from x509_url' do
|
260
|
-
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
261
|
-
config.signing_key
|
262
|
-
end
|
263
|
-
end
|
264
|
-
|
265
|
-
it 'should fetch encryption_key from x509_url' do
|
266
|
-
mock_json :get, x509_url, 'public_keys/x509', format: :pem do
|
267
|
-
config.encryption_key
|
268
|
-
end
|
269
|
-
end
|
88
|
+
describe '#jwks' do
|
89
|
+
it do
|
90
|
+
jwks = mock_json :get, jwks_uri, 'public_keys/jwks' do
|
91
|
+
instance.jwks
|
270
92
|
end
|
93
|
+
jwks.should be_instance_of JSON::JWK::Set
|
271
94
|
end
|
95
|
+
end
|
272
96
|
|
273
|
-
|
274
|
-
|
275
|
-
|
276
|
-
|
277
|
-
|
278
|
-
it 'should fetch encryption_key from x509_encryption_url' do
|
279
|
-
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
280
|
-
config.encryption_key
|
281
|
-
end
|
282
|
-
end
|
283
|
-
end
|
284
|
-
|
285
|
-
context 'when jwk_encryption_url is given' do
|
286
|
-
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
287
|
-
its(:signing_key) { should be_nil }
|
288
|
-
|
289
|
-
it 'should fetch encryption_key from jwk_encryption_url' do
|
290
|
-
mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
|
291
|
-
config.encryption_key
|
292
|
-
end
|
293
|
-
end
|
294
|
-
end
|
295
|
-
|
296
|
-
context 'when both x509_encryption_url and jwk_encryption_url are given' do
|
297
|
-
let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
|
298
|
-
let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
|
299
|
-
its(:signing_key) { should be_nil }
|
300
|
-
|
301
|
-
it 'should fetch encryption_key from x509_encryption_url' do
|
302
|
-
mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
|
303
|
-
config.encryption_key
|
304
|
-
end
|
305
|
-
end
|
306
|
-
end
|
307
|
-
|
308
|
-
context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
|
309
|
-
its(:signing_key) { should be_nil }
|
310
|
-
its(:encryption_key) { should be_nil }
|
97
|
+
describe '#public_keys' do
|
98
|
+
it do
|
99
|
+
public_keys = mock_json :get, jwks_uri, 'public_keys/jwks' do
|
100
|
+
instance.public_keys
|
311
101
|
end
|
102
|
+
public_keys.should be_instance_of Array
|
103
|
+
public_keys.first.should be_instance_of OpenSSL::PKey::RSA
|
312
104
|
end
|
313
105
|
end
|
314
|
-
end
|
106
|
+
end
|
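Review bot: In the `#validate!` 'otherwise' example the block passed to `not_to raise_error { |e| e.should be_a OpenIDConnect::ValidationFailed }` never runs — RSpec only yields the error to that block when an error is raised and matched, so under a negative expectation the `be_a` check is dead and the example asserts nothing beyond "no exception". Replace the three lines with `end.not_to raise_error` so the test states what it actually checks. Separately, the only negative case for required metadata is the empty hash in 'when required attributes missing'; a context that removes one key at a time from `minimum_attributes` (e.g. `minimum_attributes.reject { |k, _| k == :jwks_uri }`) would pin that each required attribute is enforced individually, which presumably matters most for `issuer` and `jwks_uri` since later issuer and signature checks are anchored to them.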
@@ -2,28 +2,47 @@ require 'spec_helper'
|
|
2
2
|
|
3
3
|
describe OpenIDConnect::Discovery::Provider::Config do
|
4
4
|
let(:provider) { 'https://connect-op.heroku.com' }
|
5
|
-
let(:endpoint) {
|
5
|
+
let(:endpoint) { 'https://connect-op.heroku.com/.well-known/openid-configuration' }
|
6
6
|
|
7
7
|
describe 'discover!' do
|
8
8
|
it 'should setup given attributes' do
|
9
9
|
mock_json :get, endpoint, 'discovery/config' do
|
10
10
|
config = OpenIDConnect::Discovery::Provider::Config.discover! provider
|
11
11
|
config.should be_instance_of OpenIDConnect::Discovery::Provider::Config::Response
|
12
|
-
config.version.should == '3.0'
|
13
12
|
config.issuer.should == 'https://connect-op.heroku.com'
|
14
13
|
config.authorization_endpoint.should == 'https://connect-op.heroku.com/authorizations/new'
|
15
14
|
config.token_endpoint.should == 'https://connect-op.heroku.com/access_tokens'
|
16
|
-
config.
|
17
|
-
config.
|
18
|
-
config.end_session_endpoint.should be_nil
|
19
|
-
config.jwk_url.should be_nil
|
20
|
-
config.x509_url.should == 'https://connect-op.heroku.com/cert.pem'
|
15
|
+
config.userinfo_endpoint.should == 'https://connect-op.heroku.com/userinfo'
|
16
|
+
config.jwks_uri.should == 'https://connect-op.heroku.com/jwks.json'
|
21
17
|
config.registration_endpoint.should == 'https://connect-op.heroku.com/connect/client'
|
22
|
-
config.scopes_supported.should == [
|
23
|
-
config.response_types_supported.should == [
|
18
|
+
config.scopes_supported.should == ['openid', 'profile', 'email', 'address']
|
19
|
+
config.response_types_supported.should == ['code', 'token', 'id_token', 'code token', 'code id_token', 'id_token token']
|
24
20
|
config.acr_values_supported.should be_nil
|
25
|
-
config.subject_types_supported.should == [
|
26
|
-
config.claims_supported.should == [
|
21
|
+
config.subject_types_supported.should == ['public', 'pairwise']
|
22
|
+
config.claims_supported.should == ['sub', 'iss', 'name', 'email']
|
23
|
+
config.id_token_signing_alg_values_supported.should == ['RS256']
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
27
|
+
context 'when OP identifier includes custom port' do
|
28
|
+
let(:provider) { 'https://connect-op.heroku.com:8080' }
|
29
|
+
let(:endpoint) { 'https://connect-op.heroku.com:8080/.well-known/openid-configuration' }
|
30
|
+
|
31
|
+
it 'should construct well-known URI with given port' do
|
32
|
+
mock_json :get, endpoint, 'discovery/config_with_custom_port' do
|
33
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
context 'when OP identifier includes path' do
|
39
|
+
let(:provider) { 'https://connect.openid4.us/abop' }
|
40
|
+
let(:endpoint) { 'https://connect.openid4.us/abop/.well-known/openid-configuration' }
|
41
|
+
|
42
|
+
it 'should construct well-known URI with given port' do
|
43
|
+
mock_json :get, endpoint, 'discovery/config_with_path' do
|
44
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
45
|
+
end
|
27
46
|
end
|
28
47
|
end
|
29
48
|
|
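Review bot: The example inside 'when OP identifier includes path' is titled 'should construct well-known URI with given port', copied from the custom-port context above it; rename it to `it 'should construct well-known URI with given path' do`. Both examples pass only because `mock_json` stubs the exact `endpoint` and any other request would be rejected by the stub layer, so the path/port handling is implied rather than asserted; if the `config_with_path` and `config_with_custom_port` fixtures carry an `issuer` equal to `provider`, an explicit `config.issuer.should == provider` on the returned value would make that visible in the spec.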
@@ -36,27 +55,45 @@ describe OpenIDConnect::Discovery::Provider::Config do
|
|
36
55
|
end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
|
37
56
|
end
|
38
57
|
end
|
39
|
-
end
|
40
58
|
|
41
|
-
|
42
|
-
|
43
|
-
|
59
|
+
describe 'when response include invalid issuer' do
|
60
|
+
context 'with normal configuration' do
|
61
|
+
it do
|
62
|
+
expect do
|
63
|
+
mock_json :get, endpoint, 'discovery/config_with_invalid_issuer' do
|
64
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
65
|
+
end
|
66
|
+
end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
|
67
|
+
end
|
68
|
+
end
|
44
69
|
|
45
|
-
|
46
|
-
|
47
|
-
|
70
|
+
context 'when issuer validation is disabled.' do
|
71
|
+
before :each do
|
72
|
+
OpenIDConnect.validate_discovery_issuer = false
|
73
|
+
end
|
74
|
+
|
75
|
+
after :each do
|
76
|
+
OpenIDConnect.validate_discovery_issuer = true
|
77
|
+
end
|
78
|
+
|
79
|
+
it do
|
80
|
+
expect do
|
81
|
+
mock_json :get, endpoint, 'discovery/config_with_invalid_issuer' do
|
82
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
83
|
+
end
|
84
|
+
end.not_to raise_error
|
85
|
+
end
|
48
86
|
end
|
49
87
|
end
|
50
|
-
end
|
51
88
|
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
OpenIDConnect::Discovery::
|
89
|
+
context 'when response include no issuer' do
|
90
|
+
it do
|
91
|
+
expect do
|
92
|
+
mock_json :get, endpoint, 'discovery/config_without_issuer' do
|
93
|
+
OpenIDConnect::Discovery::Provider::Config.discover! provider
|
94
|
+
end
|
95
|
+
end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
|
59
96
|
end
|
60
97
|
end
|
61
98
|
end
|
62
|
-
end
|
99
|
+
end
|
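Review bot: The `after :each` hook restores `OpenIDConnect.validate_discovery_issuer` to a hard-coded `true` rather than to whatever it was before the example, so the spec silently assumes the library default and would hide a changed default from the rest of the suite. Capture and restore the prior value instead: `before { @prev = OpenIDConnect.validate_discovery_issuer; OpenIDConnect.validate_discovery_issuer = false }` and `after { OpenIDConnect.validate_discovery_issuer = @prev }`. Since issuer validation is the check that ties the discovered endpoints to the identifier the client asked for, an explicit example asserting the default is `true` would also guard against that control being disabled unnoticed in a later release.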
@@ -6,7 +6,7 @@ describe OpenIDConnect::Discovery::Provider do
|
|
6
6
|
let(:endpoint) { "https://#{host}/.well-known/webfinger" }
|
7
7
|
let(:query) do
|
8
8
|
{
|
9
|
-
rel: OpenIDConnect::Discovery::REL_VALUE,
|
9
|
+
rel: OpenIDConnect::Discovery::Provider::Issuer::REL_VALUE,
|
10
10
|
resource: resource
|
11
11
|
}
|
12
12
|
end
|
@@ -51,7 +51,7 @@ describe OpenIDConnect::Discovery::Provider do
|
|
51
51
|
|
52
52
|
context 'when Email is given' do
|
53
53
|
let(:identifier) { "nov@#{host}" }
|
54
|
-
let(:resource) { identifier }
|
54
|
+
let(:resource) { "acct:#{identifier}" }
|
55
55
|
it_behaves_like :discover_provider
|
56
56
|
end
|
57
57
|
|
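Review bot: The email case now expects the WebFinger `resource` to be `acct:`-prefixed, but there is no example for an identifier that already carries the `acct:` scheme, so a double prefix (`acct:acct:nov@host`) would go unnoticed. A sibling context with `let(:identifier) { "acct:nov@#{host}" }` and `let(:resource) { identifier }` would pin that the normalization is idempotent; whether the implementation already handles that cannot be seen from this hunk.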
@@ -93,15 +93,15 @@ describe OpenIDConnect::RequestObject do
|
|
93
93
|
|
94
94
|
describe '#required?' do
|
95
95
|
it do
|
96
|
-
request_object.
|
97
|
-
request_object.
|
96
|
+
request_object.userinfo.required?(:name).should == true
|
97
|
+
request_object.userinfo.optional?(:name).should == false
|
98
98
|
end
|
99
99
|
end
|
100
100
|
|
101
101
|
describe '#optional' do
|
102
102
|
it do
|
103
|
-
request_object.
|
104
|
-
request_object.
|
103
|
+
request_object.userinfo.required?(:email).should == false
|
104
|
+
request_object.userinfo.optional?(:email).should == true
|
105
105
|
end
|
106
106
|
end
|
107
107
|
end
|