+ assert_equal "read_prefs", token["scope"]
+ test_token(token["access_token"], user, client)
+ end
+
+ def test_openid_connect
+ user = create(:user)
+ client = create(:oauth_application, :redirect_uri => "https://some.web.app.example.org/callback", :scopes => "openid read_prefs")
+ state = SecureRandom.urlsafe_base64(16)
+ verifier = SecureRandom.urlsafe_base64(48)
+ challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), :padding => false)
+
+ authorize_client(user, client, :state => state, :code_challenge => challenge, :code_challenge_method => "S256", :scope => "openid read_prefs")
+ assert_response :redirect
+ code = validate_redirect(client, state)
+
+ token = request_token(client, code, verifier)
+
+ assert_equal "openid read_prefs", token["scope"]
+
+ access_token = token["access_token"]
+ assert_not_nil access_token
+
+ id_token = token["id_token"]
+ assert_not_nil id_token
+
+ data, _headers = JWT.decode id_token, Doorkeeper::OpenidConnect.signing_key.keypair, true, {
+ :algorithm => [Doorkeeper::OpenidConnect.signing_algorithm.to_s],
+ :verify_iss => true,
+ :iss => "#{Settings.server_protocol}://#{Settings.server_url}",
+ :verify_sub => true,
+ :sub => user.id,
+ :verify_aud => true,
+ :aud => client.uid
+ }
+
+ assert_equal user.id.to_s, data["sub"]
+ assert_not data.key?("preferred_username")
+
+ get oauth_userinfo_path
+ assert_response :unauthorized
+
+ auth_header = bearer_authorization_header(access_token)
+ get oauth_userinfo_path, :headers => auth_header
+ assert_response :success
+
+ userinfo = response.parsed_body
+
+ assert_not_nil userinfo
+ assert_equal user.id.to_s, userinfo["sub"]
+ assert_equal user.display_name, userinfo["preferred_username"]