worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
LemonLDAP::NG Web SSO
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11053 Commits
107 Branches
123 Tags
110 MiB
 
 
 
 
 
Tag: Branch: Tree: e477a1cef8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e477a1cef8'
${ noResults }
lemonldap-ng/lemonldap-ng-portal/t/32-OIDC-ClientCredentials-G...

178 lines
5.6 KiB
Raw Blame History

use lib 'inc';
use Test::More;
use strict;
use IO::String;
use LWP::UserAgent;
use LWP::Protocol::PSGI;
use MIME::Base64;
use JSON;
BEGIN {
require 't/test-lib.pm';
require 't/oidc-lib.pm';
}
my $debug = 'error';
# Initialization
my $op = LLNG::Manager::Test->new( {
ini => {
logLevel => $debug,
domain => 'op.com',
portal => 'http://auth.op.com',
authentication => 'Demo',
userDB => 'Same',
issuerDBOpenIDConnectActivation => 1,
oidcRPMetaDataExportedVars => {
rp => {
"name" => "mymacro",
}
},
oidcRPMetaDataMacros => {
rp => {
"mymacro" => "'foo'",
}
},
oidcRPMetaDataOptions => {
rp => {
oidcRPMetaDataOptionsDisplayName => "RP",
oidcRPMetaDataOptionsIDTokenExpiration => 3600,
oidcRPMetaDataOptionsClientID => "rpid",
oidcRPMetaDataOptionsAllowOffline => 1,
oidcRPMetaDataOptionsAllowClientCredentialsGrant => 1,
oidcRPMetaDataOptionsIDTokenSignAlg => "HS512",
oidcRPMetaDataOptionsClientSecret => "rpsecret",
oidcRPMetaDataOptionsUserIDAttr => "",
oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
oidcRPMetaDataOptionsBypassConsent => 1,
oidcRPMetaDataOptionsRefreshToken => 1,
oidcRPMetaDataOptionsIDTokenForceClaims => 1,
oidcRPMetaDataOptionsRule => '$_scope =~ /\bread\b/',
},
pubrp => {
oidcRPMetaDataOptionsAccessTokenExpiration => 3600,
oidcRPMetaDataOptionsAllowClientCredentialsGrant => 1,
oidcRPMetaDataOptionsAllowOffline => 1,
oidcRPMetaDataOptionsBypassConsent => 1,
oidcRPMetaDataOptionsClientID => "rpid2",
oidcRPMetaDataOptionsDisplayName => "RP",
oidcRPMetaDataOptionsIDTokenExpiration => 3600,
oidcRPMetaDataOptionsIDTokenForceClaims => 1,
oidcRPMetaDataOptionsIDTokenSignAlg => "HS512",
oidcRPMetaDataOptionsPublic => 1,
oidcRPMetaDataOptionsRule => '$uid eq "french"',
oidcRPMetaDataOptionsUserIDAttr => "",
}
},
oidcRPMetaDataScopeRules => {
rp => {
"read" => '$requested',
"always" => '1',
},
},
oidcServicePrivateKeySig => oidc_key_op_private_sig,
oidcServicePublicKeySig => oidc_key_op_public_sig,
loginHistoryEnabled => 1,
bruteForceProtection => 1,
bruteForceProtectionTempo => 5,
bruteForceProtectionMaxFailed => 4,
failedLoginNumber => 6,
successLoginNumber => 4,
}
}
);
my $res;
# Resource Owner Password Credentials Grant
# Access Token Request
# https://tools.ietf.org/html/rfc6749#section-4.3
my $badquery = buildForm( {
client_id => 'rpid2',
grant_type => 'client_credentials',
scope => 'openid profile email',
}
);
my $badquery2 = buildForm( {
client_id => 'rpid',
client_secret => 'rpsecret',
grant_type => 'client_credentials',
scope => 'openid profile email',
}
);
my $goodquery = buildForm( {
client_id => 'rpid',
client_secret => 'rpsecret',
grant_type => 'client_credentials',
scope => 'read profile',
}
);
## Test a public RP
$res = $op->_post(
"/oauth2/token",
IO::String->new($badquery),
accept => 'application/json',
length => length($badquery),
);
expectBadRequest($res);
## Test failing rule
$res = $op->_post(
"/oauth2/token",
IO::String->new($badquery2),
accept => 'application/json',
length => length($badquery2),
);
expectBadRequest($res);
## Test a confidential RP
$res = $op->_post(
"/oauth2/token",
IO::String->new($goodquery),
accept => 'application/json',
length => length($goodquery),
);
my $payload = expectJSON($res);
my $access_token = $payload->{access_token};
ok( $access_token, "Access Token found" );
count(1);
# Get userinfo
$res = $op->_post(
"/oauth2/userinfo",
IO::String->new(''),
accept => 'application/json',
length => 0,
custom => {
HTTP_AUTHORIZATION => "Bearer " . $access_token,
},
);
$payload = expectJSON($res);
is( $payload->{sub}, 'rpid' );
is( $payload->{name}, 'foo' );
my $query = "token=$access_token";
ok(
$res = $op->_post(
"/oauth2/introspect",
IO::String->new($query),
accept => 'text/html',
length => length $query,
custom => {
HTTP_AUTHORIZATION => "Basic " . encode_base64("rpid:rpsecret"),
},
),
"Post introspection"
);
$payload = expectJSON($res);
like( $payload->{scope}, qr/\bread\b/, "Scope read found" );
like( $payload->{scope}, qr/\balways\b/, "Rule-enforced scope found" );
clean_sessions();
done_testing();