-
-
Notifications
You must be signed in to change notification settings - Fork 583
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
OIDC: navigate to authorization endpoint (#3499)
* utils for authorization step in OIDC code grant * tidy * completeAuthorizationCodeGrant util functions * response_mode=query * add scope to bearertoken type * add is_guest to whoami response type * doc comments Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> * use shimmed TextEncoder * fetchMockJest -> fetchMock * comment * bearertokenresponse * test for lowercase bearer * handle lowercase token_type --------- Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
- Loading branch information
Showing
4 changed files
with
422 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,209 @@ | ||
/* | ||
Copyright 2023 The Matrix.org Foundation C.I.C. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
import fetchMock from "fetch-mock-jest"; | ||
|
||
import { Method } from "../../../src"; | ||
import * as crypto from "../../../src/crypto/crypto"; | ||
import { logger } from "../../../src/logger"; | ||
import { | ||
completeAuthorizationCodeGrant, | ||
generateAuthorizationParams, | ||
generateAuthorizationUrl, | ||
} from "../../../src/oidc/authorize"; | ||
import { OidcError } from "../../../src/oidc/error"; | ||
|
||
// save for resetting mocks | ||
const realSubtleCrypto = crypto.subtleCrypto; | ||
|
||
describe("oidc authorization", () => { | ||
const issuer = "https://auth.com/"; | ||
const authorizationEndpoint = "https://auth.com/authorization"; | ||
const tokenEndpoint = "https://auth.com/token"; | ||
const delegatedAuthConfig = { | ||
issuer, | ||
registrationEndpoint: issuer + "registration", | ||
authorizationEndpoint: issuer + "auth", | ||
tokenEndpoint, | ||
}; | ||
const clientId = "xyz789"; | ||
const baseUrl = "https://test.com"; | ||
|
||
beforeAll(() => { | ||
jest.spyOn(logger, "warn"); | ||
}); | ||
|
||
afterEach(() => { | ||
// @ts-ignore reset any ugly mocking we did | ||
crypto.subtleCrypto = realSubtleCrypto; | ||
}); | ||
|
||
it("should generate authorization params", () => { | ||
const result = generateAuthorizationParams({ redirectUri: baseUrl }); | ||
|
||
expect(result.redirectUri).toEqual(baseUrl); | ||
|
||
// random strings | ||
expect(result.state.length).toEqual(8); | ||
expect(result.nonce.length).toEqual(8); | ||
expect(result.codeVerifier.length).toEqual(64); | ||
|
||
const expectedScope = | ||
"openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:"; | ||
expect(result.scope.startsWith(expectedScope)).toBeTruthy(); | ||
// deviceId of 10 characters is appended to the device scope | ||
expect(result.scope.length).toEqual(expectedScope.length + 10); | ||
}); | ||
|
||
describe("generateAuthorizationUrl()", () => { | ||
it("should generate url with correct parameters", async () => { | ||
// test the no crypto case here | ||
// @ts-ignore mocking | ||
crypto.subtleCrypto = undefined; | ||
|
||
const authorizationParams = generateAuthorizationParams({ redirectUri: baseUrl }); | ||
const authUrl = new URL( | ||
await generateAuthorizationUrl(authorizationEndpoint, clientId, authorizationParams), | ||
); | ||
|
||
expect(authUrl.searchParams.get("response_mode")).toEqual("query"); | ||
expect(authUrl.searchParams.get("response_type")).toEqual("code"); | ||
expect(authUrl.searchParams.get("client_id")).toEqual(clientId); | ||
expect(authUrl.searchParams.get("code_challenge_method")).toEqual("S256"); | ||
expect(authUrl.searchParams.get("scope")).toEqual(authorizationParams.scope); | ||
expect(authUrl.searchParams.get("state")).toEqual(authorizationParams.state); | ||
expect(authUrl.searchParams.get("nonce")).toEqual(authorizationParams.nonce); | ||
|
||
// crypto not available, plain text code_challenge is used | ||
expect(authUrl.searchParams.get("code_challenge")).toEqual(authorizationParams.codeVerifier); | ||
expect(logger.warn).toHaveBeenCalledWith( | ||
"A secure context is required to generate code challenge. Using plain text code challenge", | ||
); | ||
}); | ||
|
||
it("uses a s256 code challenge when crypto is available", async () => { | ||
jest.spyOn(crypto.subtleCrypto, "digest"); | ||
const authorizationParams = generateAuthorizationParams({ redirectUri: baseUrl }); | ||
const authUrl = new URL( | ||
await generateAuthorizationUrl(authorizationEndpoint, clientId, authorizationParams), | ||
); | ||
|
||
const codeChallenge = authUrl.searchParams.get("code_challenge"); | ||
expect(crypto.subtleCrypto.digest).toHaveBeenCalledWith("SHA-256", expect.any(Object)); | ||
|
||
// didn't use plain text code challenge | ||
expect(authorizationParams.codeVerifier).not.toEqual(codeChallenge); | ||
expect(codeChallenge).toBeTruthy(); | ||
}); | ||
}); | ||
|
||
describe("completeAuthorizationCodeGrant", () => { | ||
const codeVerifier = "abc123"; | ||
const redirectUri = baseUrl; | ||
const code = "auth_code_xyz"; | ||
const validBearerTokenResponse = { | ||
token_type: "Bearer", | ||
access_token: "test_access_token", | ||
refresh_token: "test_refresh_token", | ||
expires_in: 12345, | ||
}; | ||
|
||
beforeEach(() => { | ||
fetchMock.mockClear(); | ||
fetchMock.resetBehavior(); | ||
|
||
fetchMock.post(tokenEndpoint, { | ||
status: 200, | ||
body: JSON.stringify(validBearerTokenResponse), | ||
}); | ||
}); | ||
|
||
it("should make correct request to the token endpoint", async () => { | ||
await completeAuthorizationCodeGrant(code, { clientId, codeVerifier, redirectUri, delegatedAuthConfig }); | ||
|
||
expect(fetchMock).toHaveBeenCalledWith(tokenEndpoint, { | ||
method: Method.Post, | ||
headers: { "Content-Type": "application/x-www-form-urlencoded" }, | ||
body: `grant_type=authorization_code&client_id=${clientId}&code_verifier=${codeVerifier}&redirect_uri=https%3A%2F%2Ftest.com&code=${code}`, | ||
}); | ||
}); | ||
|
||
it("should return with valid bearer token", async () => { | ||
const result = await completeAuthorizationCodeGrant(code, { | ||
clientId, | ||
codeVerifier, | ||
redirectUri, | ||
delegatedAuthConfig, | ||
}); | ||
|
||
expect(result).toEqual(validBearerTokenResponse); | ||
}); | ||
|
||
it("should return with valid bearer token where token_type is lowercase", async () => { | ||
const tokenResponse = { | ||
...validBearerTokenResponse, | ||
token_type: "bearer", | ||
}; | ||
fetchMock.post( | ||
tokenEndpoint, | ||
{ | ||
status: 200, | ||
body: JSON.stringify(tokenResponse), | ||
}, | ||
{ overwriteRoutes: true }, | ||
); | ||
|
||
const result = await completeAuthorizationCodeGrant(code, { | ||
clientId, | ||
codeVerifier, | ||
redirectUri, | ||
delegatedAuthConfig, | ||
}); | ||
|
||
// results in token that uses 'Bearer' token type | ||
expect(result).toEqual(validBearerTokenResponse); | ||
expect(result.token_type).toEqual("Bearer"); | ||
}); | ||
|
||
it("should throw with code exchange failed error when request fails", async () => { | ||
fetchMock.post( | ||
tokenEndpoint, | ||
{ | ||
status: 500, | ||
}, | ||
{ overwriteRoutes: true }, | ||
); | ||
await expect(() => | ||
completeAuthorizationCodeGrant(code, { clientId, codeVerifier, redirectUri, delegatedAuthConfig }), | ||
).rejects.toThrow(new Error(OidcError.CodeExchangeFailed)); | ||
}); | ||
|
||
it("should throw invalid token error when token is invalid", async () => { | ||
const invalidBearerTokenResponse = { | ||
...validBearerTokenResponse, | ||
access_token: null, | ||
}; | ||
fetchMock.post( | ||
tokenEndpoint, | ||
{ status: 200, body: JSON.stringify(invalidBearerTokenResponse) }, | ||
{ overwriteRoutes: true }, | ||
); | ||
await expect(() => | ||
completeAuthorizationCodeGrant(code, { clientId, codeVerifier, redirectUri, delegatedAuthConfig }), | ||
).rejects.toThrow(new Error(OidcError.InvalidBearerTokenResponse)); | ||
}); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.