OIDC refactoring

split token method by response type factor ID token generation between implicit and hybrid flows still a lot to do!
5 years ago · 34928123f3
parent 168dc75f96
commit 34928123f3
7 changed files with 502 additions and 520 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm
--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-hybrid.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-hybrid.t
@ -198,6 +198,12 @@ ok( $prms{state},         ' state found' );
 ok( $prms{session_state}, ' session_state found' );
 count(6);

+my $id_token_payload = id_token_payload($prms{id_token});
+ok( $id_token_payload->{c_hash}, "ID token contains c_hash");
+ok( $id_token_payload->{at_hash}, "ID token contains at_hash");
+is( $id_token_payload->{nonce}, "qwerty", "ID token contains nonce");
+count(3);
+
 my $at;
 ok( $at = $rp->p->_userDB->getUserInfo( 'op', $prms{access_token} ),
    'Get access token' );
--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit-no-token.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit-no-token.t
@ -144,9 +144,7 @@ ok( $prms{state},         ' state found' );
 count(5);

 # Check attributes in ID Token
-my ( $id_token_header, $id_token_payload, $id_token_signature ) =
-  split( /\./, $prms{id_token} );
-my $id_token_decoded = decode_json( decode_base64url($id_token_payload) );
+my $id_token_decoded = id_token_payload($prms{id_token});
 ok( $id_token_decoded->{sub} eq "dwho",        'Check sub value' );
 ok( $id_token_decoded->{name} eq "Doctor Who", 'Check name value' );
 count(2);
--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit.t
+++ b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-implicit.t
@ -143,10 +143,13 @@ ok( $prms{access_token},  ' access_token found' );
 ok( $prms{state},         ' state found' );
 count(5);

+my $id_token_payload = id_token_payload($prms{id_token});
+diag Dumper($id_token_payload);
+is ($id_token_payload->{acr}, "customacr-1", "Check ACR value");
+count(1);
+
 # Check attributes in ID Token
-my ( $id_token_header, $id_token_payload, $id_token_signature ) =
-  split( /\./, $prms{id_token} );
-my $id_token_decoded = decode_json( decode_base64url($id_token_payload) );
+my $id_token_decoded = id_token_payload($prms{id_token});
 ok( $id_token_decoded->{sub} eq "dwho", 'Check sub value' );
 ok( !$id_token_decoded->{name},         'Claim name must not be in ID token' );
 count(2);
@ -247,7 +250,7 @@ sub op {
                oidcOPMetaDataJWKS              => {},
                oidcServiceMetaDataAuthnContext => {
                    'loa-4' => 4,
-                    'loa-1' => 1,
+                    'customacr-1' => 1,
                    'loa-5' => 5,
                    'loa-2' => 2,
                    'loa-3' => 3
--- a/lemonldap-ng-portal/t/32-OIDC-Offline-Session.t
+++ b/lemonldap-ng-portal/t/32-OIDC-Offline-Session.t
@ -116,8 +116,7 @@ ok( $refresh_token, "Got refresh token" );
 ok( $id_token,      "Got ID token" );
 count(3);

-my $id_token_payload =
-  JSON::from_json( decode_base64( [ split /\./, $id_token ]->[1] ) );
+my $id_token_payload = id_token_payload($id_token);
 is( $id_token_payload->{name}, 'Frédéric Accents',
    'Found claim in ID token' );
 count(1);
@ -168,8 +167,7 @@ ok( $id_token,                "Got refreshed ID token" );
 ok( !defined $refresh_token2, "Refresh token not present" );
 count(3);

-$id_token_payload =
-  JSON::from_json( decode_base64( [ split /\./, $id_token ]->[1] ) );
+$id_token_payload = id_token_payload($id_token);
 is( $id_token_payload->{name}, 'Frédéric Accents',
    'Found claim in ID token' );
 count(1);
@ -224,8 +222,7 @@ ok( $id_token,                "Got refreshed ID token" );
 ok( !defined $refresh_token2, "Refresh token not present" );
 count(3);

-$id_token_payload =
-  JSON::from_json( decode_base64( [ split /\./, $id_token ]->[1] ) );
+$id_token_payload = id_token_payload($id_token);
 is( $id_token_payload->{name}, 'Frédéric Accents',
    'Found claim in ID token' );
 count(1);
--- a/lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t
+++ b/lemonldap-ng-portal/t/32-OIDC-Refresh-Token.t
@ -116,8 +116,7 @@ ok( $access_token,  "Got access token" );
 ok( $refresh_token, "Got refresh token" );
 ok( $id_token,      "Got ID token" );

-my $id_token_payload =
-  JSON::from_json( decode_base64( [ split /\./, $id_token ]->[1] ) );
+my $id_token_payload = id_token_payload($id_token);
 is( $id_token_payload->{name}, 'Frédéric Accents',
    'Found claim in ID token' );

@ -177,8 +176,7 @@ ok( $access_token,                   "Got refreshed Access token" );
 ok( $id_token,                       "Got refreshed ID token" );
 ok( !defined $json->{refresh_token}, "Refresh token not present" );

-$id_token_payload =
-  JSON::from_json( decode_base64( [ split /\./, $id_token ]->[1] ) );
+$id_token_payload = id_token_payload($id_token);
 is( $id_token_payload->{name}, 'Frédéric Accents',
    'Found claim in ID token' );

--- a/lemonldap-ng-portal/t/oidc-lib.pm
+++ b/lemonldap-ng-portal/t/oidc-lib.pm
@ -40,4 +40,8 @@ GQIDAQAB
 -----END PUBLIC KEY-----";
 }

+sub id_token_payload {
+    my $token = shift;
+    JSON::from_json( decode_base64( [ split /\./, $token ]->[1] ) );
+}
 1;