id_token = token["id_token"]
assert_not_nil id_token
- data, _headers = JWT.decode id_token, Doorkeeper::OpenidConnect.signing_key.keypair, true, {
+ data, _headers = JWT.decode id_token, nil, true, {
:algorithm => [Doorkeeper::OpenidConnect.signing_algorithm.to_s],
:verify_iss => true,
:iss => "#{Settings.server_protocol}://#{Settings.server_url}",
:sub => user.id,
:verify_aud => true,
:aud => client.uid
- }
+ } do |headers, _payload|
+ kid = headers["kid"]
+ get oauth_discovery_keys_path
+ keys = response.parsed_body["keys"]
+ jwk = keys&.detect { |e| e["kid"] == kid }
+ jwk && JWT::JWK::RSA.import(jwk).public_key
+ end
assert_equal user.id.to_s, data["sub"]
assert_not data.key?("preferred_username")
assert_equal user.display_name, userinfo["preferred_username"]
end
+ def test_openid_discovery
+ get oauth_discovery_provider_path
+ assert_response :success
+ openid_config = response.parsed_body
+
+ assert_equal "#{Settings.server_protocol}://#{Settings.server_url}", openid_config["issuer"]
+
+ assert_equal oauth_authorization_path, URI(openid_config["authorization_endpoint"]).path
+ assert_equal oauth_token_path, URI(openid_config["token_endpoint"]).path
+ assert_equal oauth_userinfo_path, URI(openid_config["userinfo_endpoint"]).path
+ assert_equal oauth_discovery_keys_path, URI(openid_config["jwks_uri"]).path
+ end
+
+ def test_openid_key
+ get oauth_discovery_keys_path
+ assert_response :success
+ key_info = response.parsed_body
+ assert key_info.key?("keys")
+ assert_equal 1, key_info["keys"].size
+ assert_equal Doorkeeper::OpenidConnect.signing_key.kid, key_info["keys"][0]["kid"]
+ end
+
private
def authorize_client(user, client, options = {})
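Review bot: test_openid_key pins only the key count and `kid` of the published JWK, so a JWKS document that also serialized the private half of `signing_key.keypair` would still pass, even though this is the document the resolver block in the first change trusts to verify the id_token. After the `kid` assertion add `assert_empty %w[d p q dp dq qi] & key_info["keys"][0].keys` and, since the resolver imports it via `JWT::JWK::RSA`, `assert_equal "RSA", key_info["keys"][0]["kty"]`. That resolver block returns nil whenever the fetch fails or no published key carries the header's `kid`, which surfaces as a generic JWT::DecodeError instead of pointing at the discovery endpoint; an `assert_response :success` right after `get oauth_discovery_keys_path` and `assert_not_nil jwk` before the import would localise the failure. test_openid_discovery likewise compares only URI paths, so endpoints on a different host or scheme than the issuer would be accepted; comparing the full URL against `"#{openid_config["issuer"]}#{oauth_token_path}"` (presumably how they are built) would close that. The enclosing test method whose id_token check this hunk edits starts before the hunk.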
}.merge(options)
get oauth_authorization_path(options)
- assert_response :redirect
assert_redirected_to login_path(:referer => request.fullpath)
post login_path(:username => user.email, :password => "test")
end
def test_token(token, user, client)
- get user_preferences_path
+ get api_user_preferences_path
assert_response :unauthorized
auth_header = bearer_authorization_header(token)
- get user_preferences_path, :headers => auth_header
+ get api_user_preferences_path, :headers => auth_header
assert_response :success
- get user_preferences_path(:access_token => token)
+ get api_user_preferences_path(:access_token => token)
assert_response :unauthorized
- get user_preferences_path(:bearer_token => token)
+ get api_user_preferences_path(:bearer_token => token)
assert_response :unauthorized
get api_trace_path(:id => 2), :headers => auth_header
user.suspend!
- get user_preferences_path, :headers => auth_header
+ get api_user_preferences_path, :headers => auth_header
assert_response :forbidden
user.hide!
- get user_preferences_path, :headers => auth_header
+ get api_user_preferences_path, :headers => auth_header
assert_response :forbidden
user.unhide!
- get user_preferences_path, :headers => auth_header
+ get api_user_preferences_path, :headers => auth_header
assert_response :success
post oauth_revoke_path(:token => token)
:client_secret => client.plaintext_secret)
assert_response :success
- get user_preferences_path, :headers => auth_header
+ get api_user_preferences_path, :headers => auth_header
assert_response :unauthorized
end
end