2021-05-05 05:06:05 +07:00
package validator
import (
"errors"
"fmt"
"testing"
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
"time"
2021-05-05 05:06:05 +07:00
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
2021-08-11 08:04:35 +07:00
"github.com/authelia/authelia/v4/internal/configuration/schema"
2021-05-05 05:06:05 +07:00
)
func TestShouldRaiseErrorWhenInvalidOIDCServerConfiguration ( t * testing . T ) {
validator := schema . NewStructValidator ( )
config := & schema . IdentityProvidersConfiguration {
OIDC : & schema . OpenIDConnectConfiguration {
HMACSecret : "abc" ,
IssuerPrivateKey : "" ,
} ,
}
ValidateIdentityProviders ( config , validator )
require . Len ( t , validator . Errors ( ) , 2 )
2021-08-03 16:55:21 +07:00
assert . EqualError ( t , validator . Errors ( ) [ 0 ] , errFmtOIDCNoPrivateKey )
assert . EqualError ( t , validator . Errors ( ) [ 1 ] , errFmtOIDCNoClientsConfigured )
2021-05-05 05:06:05 +07:00
}
func TestShouldRaiseErrorWhenOIDCServerIssuerPrivateKeyPathInvalid ( t * testing . T ) {
validator := schema . NewStructValidator ( )
config := & schema . IdentityProvidersConfiguration {
OIDC : & schema . OpenIDConnectConfiguration {
HMACSecret : "rLABDrx87et5KvRHVUgTm3pezWWd8LMN" ,
IssuerPrivateKey : "key-material" ,
} ,
}
ValidateIdentityProviders ( config , validator )
require . Len ( t , validator . Errors ( ) , 1 )
2021-08-03 16:55:21 +07:00
assert . EqualError ( t , validator . Errors ( ) [ 0 ] , errFmtOIDCNoClientsConfigured )
2021-05-05 05:06:05 +07:00
}
func TestShouldRaiseErrorWhenOIDCServerClientBadValues ( t * testing . T ) {
validator := schema . NewStructValidator ( )
config := & schema . IdentityProvidersConfiguration {
OIDC : & schema . OpenIDConnectConfiguration {
HMACSecret : "rLABDrx87et5KvRHVUgTm3pezWWd8LMN" ,
IssuerPrivateKey : "key-material" ,
Clients : [ ] schema . OpenIDConnectClientConfiguration {
{
ID : "" ,
Secret : "" ,
Policy : "" ,
RedirectURIs : [ ] string {
"tcp://google.com" ,
} ,
} ,
{
ID : "a-client" ,
Secret : "a-secret" ,
Policy : "a-policy" ,
RedirectURIs : [ ] string {
"https://google.com" ,
} ,
} ,
{
ID : "a-client" ,
Secret : "a-secret" ,
Policy : "a-policy" ,
RedirectURIs : [ ] string {
"https://google.com" ,
} ,
} ,
{
ID : "client-check-uri-parse" ,
Secret : "a-secret" ,
2021-08-03 16:55:21 +07:00
Policy : policyTwoFactor ,
2021-05-05 05:06:05 +07:00
RedirectURIs : [ ] string {
"http://abc@%two" ,
} ,
} ,
2021-07-15 18:02:03 +07:00
{
ID : "client-check-uri-abs" ,
Secret : "a-secret" ,
2021-08-03 16:55:21 +07:00
Policy : policyTwoFactor ,
2021-07-15 18:02:03 +07:00
RedirectURIs : [ ] string {
"google.com" ,
} ,
} ,
2021-05-05 05:06:05 +07:00
} ,
} ,
}
ValidateIdentityProviders ( config , validator )
2021-07-15 18:02:03 +07:00
require . Len ( t , validator . Errors ( ) , 8 )
2021-05-05 05:06:05 +07:00
assert . Equal ( t , schema . DefaultOpenIDConnectClientConfiguration . Policy , config . OIDC . Clients [ 0 ] . Policy )
2021-08-03 16:55:21 +07:00
assert . EqualError ( t , validator . Errors ( ) [ 0 ] , fmt . Sprintf ( errFmtOIDCClientInvalidSecret , "" ) )
assert . EqualError ( t , validator . Errors ( ) [ 1 ] , fmt . Sprintf ( errFmtOIDCClientRedirectURI , "" , "tcp://google.com" , "tcp" ) )
assert . EqualError ( t , validator . Errors ( ) [ 2 ] , fmt . Sprintf ( errFmtOIDCClientInvalidPolicy , "a-client" , "a-policy" ) )
assert . EqualError ( t , validator . Errors ( ) [ 3 ] , fmt . Sprintf ( errFmtOIDCClientInvalidPolicy , "a-client" , "a-policy" ) )
assert . EqualError ( t , validator . Errors ( ) [ 4 ] , fmt . Sprintf ( errFmtOIDCClientRedirectURICantBeParsed , "client-check-uri-parse" , "http://abc@%two" , errors . New ( "parse \"http://abc@%two\": invalid URL escape \"%tw\"" ) ) )
2021-07-15 18:02:03 +07:00
assert . EqualError ( t , validator . Errors ( ) [ 5 ] , fmt . Sprintf ( errFmtOIDCClientRedirectURIAbsolute , "client-check-uri-abs" , "google.com" ) )
2021-08-03 16:55:21 +07:00
assert . EqualError ( t , validator . Errors ( ) [ 6 ] , errFmtOIDCClientsWithEmptyID )
assert . EqualError ( t , validator . Errors ( ) [ 7 ] , errFmtOIDCClientsDuplicateID )
2021-05-05 05:06:05 +07:00
}
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
func TestShouldRaiseErrorWhenOIDCClientConfiguredWithBadScopes ( t * testing . T ) {
validator := schema . NewStructValidator ( )
config := & schema . IdentityProvidersConfiguration {
OIDC : & schema . OpenIDConnectConfiguration {
HMACSecret : "rLABDrx87et5KvRHVUgTm3pezWWd8LMN" ,
IssuerPrivateKey : "key-material" ,
Clients : [ ] schema . OpenIDConnectClientConfiguration {
{
ID : "good_id" ,
Secret : "good_secret" ,
Policy : "two_factor" ,
Scopes : [ ] string { "openid" , "bad_scope" } ,
RedirectURIs : [ ] string {
"https://google.com/callback" ,
} ,
} ,
} ,
} ,
}
ValidateIdentityProviders ( config , validator )
require . Len ( t , validator . Errors ( ) , 1 )
2021-08-03 16:55:21 +07:00
assert . EqualError ( t , validator . Errors ( ) [ 0 ] , "openid connect provider: client with ID 'good_id' has an invalid scope " +
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
"'bad_scope', must be one of: 'openid', 'email', 'profile', 'groups', 'offline_access'" )
}
func TestShouldRaiseErrorWhenOIDCClientConfiguredWithBadGrantTypes ( t * testing . T ) {
validator := schema . NewStructValidator ( )
config := & schema . IdentityProvidersConfiguration {
OIDC : & schema . OpenIDConnectConfiguration {
HMACSecret : "rLABDrx87et5KvRHVUgTm3pezWWd8LMN" ,
IssuerPrivateKey : "key-material" ,
Clients : [ ] schema . OpenIDConnectClientConfiguration {
{
ID : "good_id" ,
Secret : "good_secret" ,
Policy : "two_factor" ,
GrantTypes : [ ] string { "bad_grant_type" } ,
RedirectURIs : [ ] string {
"https://google.com/callback" ,
} ,
} ,
} ,
} ,
}
ValidateIdentityProviders ( config , validator )
require . Len ( t , validator . Errors ( ) , 1 )
2021-08-03 16:55:21 +07:00
assert . EqualError ( t , validator . Errors ( ) [ 0 ] , "openid connect provider: client with ID 'good_id' has an invalid grant type " +
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
"'bad_grant_type', must be one of: 'implicit', 'refresh_token', 'authorization_code', " +
"'password', 'client_credentials'" )
}
func TestShouldRaiseErrorWhenOIDCClientConfiguredWithBadResponseModes ( t * testing . T ) {
validator := schema . NewStructValidator ( )
config := & schema . IdentityProvidersConfiguration {
OIDC : & schema . OpenIDConnectConfiguration {
HMACSecret : "rLABDrx87et5KvRHVUgTm3pezWWd8LMN" ,
IssuerPrivateKey : "key-material" ,
Clients : [ ] schema . OpenIDConnectClientConfiguration {
{
ID : "good_id" ,
Secret : "good_secret" ,
Policy : "two_factor" ,
ResponseModes : [ ] string { "bad_responsemode" } ,
RedirectURIs : [ ] string {
"https://google.com/callback" ,
} ,
} ,
} ,
} ,
}
ValidateIdentityProviders ( config , validator )
require . Len ( t , validator . Errors ( ) , 1 )
2021-08-03 16:55:21 +07:00
assert . EqualError ( t , validator . Errors ( ) [ 0 ] , "openid connect provider: client with ID 'good_id' has an invalid response mode " +
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
"'bad_responsemode', must be one of: 'form_post', 'query', 'fragment'" )
}
2021-07-10 11:56:33 +07:00
func TestShouldRaiseErrorWhenOIDCClientConfiguredWithBadUserinfoAlg ( t * testing . T ) {
validator := schema . NewStructValidator ( )
config := & schema . IdentityProvidersConfiguration {
OIDC : & schema . OpenIDConnectConfiguration {
HMACSecret : "rLABDrx87et5KvRHVUgTm3pezWWd8LMN" ,
IssuerPrivateKey : "key-material" ,
Clients : [ ] schema . OpenIDConnectClientConfiguration {
{
ID : "good_id" ,
Secret : "good_secret" ,
Policy : "two_factor" ,
UserinfoSigningAlgorithm : "rs256" ,
RedirectURIs : [ ] string {
"https://google.com/callback" ,
} ,
} ,
} ,
} ,
}
ValidateIdentityProviders ( config , validator )
require . Len ( t , validator . Errors ( ) , 1 )
2021-08-03 16:55:21 +07:00
assert . EqualError ( t , validator . Errors ( ) [ 0 ] , "openid connect provider: client with ID 'good_id' has an invalid userinfo " +
2021-07-10 11:56:33 +07:00
"signing algorithm 'rs256', must be one of: 'none, RS256'" )
}
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
func TestValidateIdentityProvidersShouldRaiseWarningOnSecurityIssue ( t * testing . T ) {
validator := schema . NewStructValidator ( )
config := & schema . IdentityProvidersConfiguration {
OIDC : & schema . OpenIDConnectConfiguration {
HMACSecret : "abc" ,
IssuerPrivateKey : "abc" ,
MinimumParameterEntropy : 1 ,
Clients : [ ] schema . OpenIDConnectClientConfiguration {
{
ID : "good_id" ,
Secret : "good_secret" ,
Policy : "two_factor" ,
RedirectURIs : [ ] string {
"https://google.com/callback" ,
} ,
} ,
} ,
} ,
}
ValidateIdentityProviders ( config , validator )
assert . Len ( t , validator . Errors ( ) , 0 )
require . Len ( t , validator . Warnings ( ) , 1 )
2021-08-03 16:55:21 +07:00
assert . EqualError ( t , validator . Warnings ( ) [ 0 ] , "openid connect provider: SECURITY ISSUE - minimum parameter entropy is configured to an unsafe value, it should be above 8 but it's configured to 1" )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
}
2021-07-15 18:02:03 +07:00
func TestValidateIdentityProvidersShouldRaiseErrorsOnInvalidClientTypes ( t * testing . T ) {
validator := schema . NewStructValidator ( )
config := & schema . IdentityProvidersConfiguration {
OIDC : & schema . OpenIDConnectConfiguration {
HMACSecret : "hmac1" ,
IssuerPrivateKey : "key2" ,
Clients : [ ] schema . OpenIDConnectClientConfiguration {
{
ID : "client-with-invalid-secret" ,
Secret : "a-secret" ,
Public : true ,
Policy : "two_factor" ,
RedirectURIs : [ ] string {
"https://localhost" ,
} ,
} ,
{
ID : "client-with-bad-redirect-uri" ,
Secret : "a-secret" ,
Public : false ,
Policy : "two_factor" ,
RedirectURIs : [ ] string {
oauth2InstalledApp ,
} ,
} ,
} ,
} ,
}
ValidateIdentityProviders ( config , validator )
require . Len ( t , validator . Errors ( ) , 2 )
assert . Len ( t , validator . Warnings ( ) , 0 )
assert . EqualError ( t , validator . Errors ( ) [ 0 ] , fmt . Sprintf ( errFmtOIDCClientPublicInvalidSecret , "client-with-invalid-secret" ) )
assert . EqualError ( t , validator . Errors ( ) [ 1 ] , fmt . Sprintf ( errFmtOIDCClientRedirectURIPublic , "client-with-bad-redirect-uri" , oauth2InstalledApp ) )
}
func TestValidateIdentityProvidersShouldNotRaiseErrorsOnValidPublicClients ( t * testing . T ) {
validator := schema . NewStructValidator ( )
config := & schema . IdentityProvidersConfiguration {
OIDC : & schema . OpenIDConnectConfiguration {
HMACSecret : "hmac1" ,
IssuerPrivateKey : "key2" ,
Clients : [ ] schema . OpenIDConnectClientConfiguration {
{
ID : "installed-app-client" ,
Public : true ,
Policy : "two_factor" ,
RedirectURIs : [ ] string {
oauth2InstalledApp ,
} ,
} ,
{
ID : "client-with-https-scheme" ,
Public : true ,
Policy : "two_factor" ,
RedirectURIs : [ ] string {
"https://localhost:9000" ,
} ,
} ,
{
ID : "client-with-loopback" ,
Public : true ,
Policy : "two_factor" ,
RedirectURIs : [ ] string {
"http://127.0.0.1" ,
} ,
} ,
} ,
} ,
}
ValidateIdentityProviders ( config , validator )
assert . Len ( t , validator . Errors ( ) , 0 )
assert . Len ( t , validator . Warnings ( ) , 0 )
}
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
func TestValidateIdentityProvidersShouldSetDefaultValues ( t * testing . T ) {
2021-05-05 05:06:05 +07:00
validator := schema . NewStructValidator ( )
config := & schema . IdentityProvidersConfiguration {
OIDC : & schema . OpenIDConnectConfiguration {
HMACSecret : "rLABDrx87et5KvRHVUgTm3pezWWd8LMN" ,
IssuerPrivateKey : "../../../README.md" ,
Clients : [ ] schema . OpenIDConnectClientConfiguration {
{
ID : "a-client" ,
Secret : "a-client-secret" ,
RedirectURIs : [ ] string {
"https://google.com" ,
} ,
} ,
{
2021-07-10 11:56:33 +07:00
ID : "b-client" ,
Description : "Normal Description" ,
Secret : "b-client-secret" ,
2021-08-03 16:55:21 +07:00
Policy : policyOneFactor ,
2021-07-10 11:56:33 +07:00
UserinfoSigningAlgorithm : "RS256" ,
2021-05-05 05:06:05 +07:00
RedirectURIs : [ ] string {
"https://google.com" ,
} ,
Scopes : [ ] string {
"groups" ,
} ,
GrantTypes : [ ] string {
"refresh_token" ,
} ,
ResponseTypes : [ ] string {
"token" ,
"code" ,
} ,
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
ResponseModes : [ ] string {
"form_post" ,
"fragment" ,
} ,
2021-05-05 05:06:05 +07:00
} ,
} ,
} ,
}
ValidateIdentityProviders ( config , validator )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
assert . Len ( t , validator . Warnings ( ) , 0 )
2021-05-05 05:06:05 +07:00
assert . Len ( t , validator . Errors ( ) , 0 )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
// Assert Clients[0] Policy is set to the default, and the default doesn't override Clients[1]'s Policy.
2021-08-03 16:55:21 +07:00
assert . Equal ( t , policyTwoFactor , config . OIDC . Clients [ 0 ] . Policy )
assert . Equal ( t , policyOneFactor , config . OIDC . Clients [ 1 ] . Policy )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
2021-08-03 16:55:21 +07:00
assert . Equal ( t , "none" , config . OIDC . Clients [ 0 ] . UserinfoSigningAlgorithm )
assert . Equal ( t , "RS256" , config . OIDC . Clients [ 1 ] . UserinfoSigningAlgorithm )
2021-07-10 11:56:33 +07:00
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
// Assert Clients[0] Description is set to the Clients[0] ID, and Clients[1]'s Description is not overridden.
2021-05-05 05:06:05 +07:00
assert . Equal ( t , config . OIDC . Clients [ 0 ] . ID , config . OIDC . Clients [ 0 ] . Description )
assert . Equal ( t , "Normal Description" , config . OIDC . Clients [ 1 ] . Description )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
// Assert Clients[0] ends up configured with the default Scopes.
2021-05-05 05:06:05 +07:00
require . Len ( t , config . OIDC . Clients [ 0 ] . Scopes , 4 )
assert . Equal ( t , "openid" , config . OIDC . Clients [ 0 ] . Scopes [ 0 ] )
assert . Equal ( t , "groups" , config . OIDC . Clients [ 0 ] . Scopes [ 1 ] )
assert . Equal ( t , "profile" , config . OIDC . Clients [ 0 ] . Scopes [ 2 ] )
assert . Equal ( t , "email" , config . OIDC . Clients [ 0 ] . Scopes [ 3 ] )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
// Assert Clients[1] ends up configured with the configured Scopes and the openid Scope.
2021-05-05 05:06:05 +07:00
require . Len ( t , config . OIDC . Clients [ 1 ] . Scopes , 2 )
assert . Equal ( t , "groups" , config . OIDC . Clients [ 1 ] . Scopes [ 0 ] )
assert . Equal ( t , "openid" , config . OIDC . Clients [ 1 ] . Scopes [ 1 ] )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
// Assert Clients[0] ends up configured with the default GrantTypes.
require . Len ( t , config . OIDC . Clients [ 0 ] . GrantTypes , 2 )
assert . Equal ( t , "refresh_token" , config . OIDC . Clients [ 0 ] . GrantTypes [ 0 ] )
assert . Equal ( t , "authorization_code" , config . OIDC . Clients [ 0 ] . GrantTypes [ 1 ] )
// Assert Clients[1] ends up configured with only the configured GrantTypes.
2021-05-05 05:06:05 +07:00
require . Len ( t , config . OIDC . Clients [ 1 ] . GrantTypes , 1 )
assert . Equal ( t , "refresh_token" , config . OIDC . Clients [ 1 ] . GrantTypes [ 0 ] )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
// Assert Clients[0] ends up configured with the default ResponseTypes.
require . Len ( t , config . OIDC . Clients [ 0 ] . ResponseTypes , 1 )
assert . Equal ( t , "code" , config . OIDC . Clients [ 0 ] . ResponseTypes [ 0 ] )
// Assert Clients[1] ends up configured only with the configured ResponseTypes.
2021-05-05 05:06:05 +07:00
require . Len ( t , config . OIDC . Clients [ 1 ] . ResponseTypes , 2 )
assert . Equal ( t , "token" , config . OIDC . Clients [ 1 ] . ResponseTypes [ 0 ] )
assert . Equal ( t , "code" , config . OIDC . Clients [ 1 ] . ResponseTypes [ 1 ] )
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
// Assert Clients[0] ends up configured with the default ResponseModes.
require . Len ( t , config . OIDC . Clients [ 0 ] . ResponseModes , 3 )
assert . Equal ( t , "form_post" , config . OIDC . Clients [ 0 ] . ResponseModes [ 0 ] )
assert . Equal ( t , "query" , config . OIDC . Clients [ 0 ] . ResponseModes [ 1 ] )
assert . Equal ( t , "fragment" , config . OIDC . Clients [ 0 ] . ResponseModes [ 2 ] )
// Assert Clients[1] ends up configured only with the configured ResponseModes.
require . Len ( t , config . OIDC . Clients [ 1 ] . ResponseModes , 2 )
assert . Equal ( t , "form_post" , config . OIDC . Clients [ 1 ] . ResponseModes [ 0 ] )
assert . Equal ( t , "fragment" , config . OIDC . Clients [ 1 ] . ResponseModes [ 1 ] )
assert . Equal ( t , false , config . OIDC . EnableClientDebugMessages )
assert . Equal ( t , time . Hour , config . OIDC . AccessTokenLifespan )
assert . Equal ( t , time . Minute , config . OIDC . AuthorizeCodeLifespan )
assert . Equal ( t , time . Hour , config . OIDC . IDTokenLifespan )
assert . Equal ( t , time . Minute * 90 , config . OIDC . RefreshTokenLifespan )
2021-05-05 05:06:05 +07:00
}