Class TokenFlowTest
- java.lang.Object
- org.springframework.test.context.testng.AbstractTestNGSpringContextTests
- net.shibboleth.idp.test.flows.AbstractFlowTest
- net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcFlowTest
- net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcApiFlowTest
- net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
- net.shibboleth.idp.plugin.oidc.op.profile.flow.TokenFlowTest

- All Implemented Interfaces:
Aware, ApplicationContextAware, IHookable, ITestNGListener

public class TokenFlowTest extends AbstractOidcClientAuthenticationFlowTest
Unit tests for the token flow.
Field Summary
Fields (modifier and type, field name; no field in this class has a description):
- (package private) String clientIdCustomTokens
- (package private) String clientIdPkcePlain
- (package private) String clientIdPkcePlainPublic
- (package private) String clientIdPkcePlainUnforced
- (package private) String clientIdPkcePlainUnforcedPublic
- (package private) String clientIdPkceS256
- (package private) String clientIdPkceS256Public
- (package private) String clientIdRefreshTokenRotation
- (package private) String codeVerifier
- static String FLOW_ID
- (package private) String redirectUri
- (package private) RevocationCache revocationCache
- (package private) com.nimbusds.oauth2.sdk.Scope scope
- (package private) StorageService storageService

Fields inherited from class net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
clientId, clientIdSaml, clientSecret, clientSecretSaml, jwtAud, rsaPrivateKey, rsaPublicKey

Fields inherited from class net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcFlowTest
END_STATE_ID

Fields inherited from class net.shibboleth.idp.test.flows.AbstractFlowTest
builderFactory, certFactoryBean, directoryServer, END_STATE_OUTPUT_ATTR_EXPR, END_STATE_OUTPUT_ATTR_NAME, externalContext, flowExecutor, idGenerator, IDP_ENTITY_ID, idpCredential, IP_ADDRESS_AUTHN_FLOW_ID, IP_ADDRESS_AUTHN_MAP_BEAN_NAME, KEYSTORE_FILE, LDIF_FILE, marshallerFactory, parserPool, request, response, SAML1_TRANSFORM_C14N_BEAN_NAME, SAML2_TRANSFORM_C14N_BEAN_NAME, SP_ACS_URL, SP_ENTITY_ID, SP_RELAY_STATE, spCredential, unmarshallerFactory

Fields inherited from class org.springframework.test.context.testng.AbstractTestNGSpringContextTests
applicationContext, logger
Constructor Summary
Constructors:
- TokenFlowTest()

Method Summary

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcClientAuthenticationFlowTest
buildPrivateKeyJwtAuth, buildSecretJwtAuth, claimsSetExpiredExp, claimsSetIssuedInTheFuture, claimsSetMissingAud, claimsSetMissingExp, claimsSetMissingIss, claimsSetMissingJti, claimsSetMissingSub, initKeys, populateClientAssertionParams, populateClientAssertionParams, testInvalidPrivateKeyJWT_expiredExp, testInvalidPrivateKeyJWT_issuedInTheFuture, testInvalidPrivateKeyJWT_missingAud, testInvalidPrivateKeyJWT_missingExp, testInvalidPrivateKeyJWT_missingIss, testInvalidPrivateKeyJWT_missingJti, testInvalidPrivateKeyJWT_missingSub, testInvalidPrivateKeyJWT_replayJti, testInvalidSecretJWT_expiredExp, testInvalidSecretJWT_issuedInTheFuture, testInvalidSecretJWT_missingAud, testInvalidSecretJWT_missingExp, testInvalidSecretJWT_missingIss, testInvalidSecretJWT_missingJti, testInvalidSecretJWT_missingSub, testInvalidSecretJWT_replayJti, testValidPrivateKeyJWT, validClaimsSet

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcApiFlowTest
buildJWTToken, buildJWTToken, buildLegacyToken, buildLegacyToken, buildRefreshToken, buildToken, buildToken, buildToken

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.flow.AbstractOidcFlowTest
assertErrorCode, assertErrorDescriptionContains, buildJsonForLegacyToken, createPrivateKeyJWT, createSecretJWT, getDataSealer, initializeMocks, initializeThreadLocals, parseErrorResponse, parseResponse, parseSuccessResponse, removeMetadata, setBasicAuth, setHttpFormRequest, setJsonRequest, setRequest, storeConsent, storeMetadata, storeMetadata, storeMetadata, storeMetadata, storeMetadata

Methods inherited from class net.shibboleth.idp.test.flows.AbstractFlowTest
assertFlowExecutionOutcome, assertFlowExecutionOutcome, assertFlowExecutionResult, assertProfileRequestContext, buildSOAP11Envelope, clearThreadLocals, getFlow, initializeFlowExecutor, initializeXMLObjectSupport, overrideEndStateOutput, overrideEndStateOutput, registerFlowsInParentRegistry, retrieveProfileRequestContext, setupDirectoryServer, teardownDirectoryServer

Methods inherited from class org.springframework.test.context.testng.AbstractTestNGSpringContextTests
run, setApplicationContext, springTestContextAfterTestClass, springTestContextAfterTestMethod, springTestContextBeforeTestClass, springTestContextBeforeTestMethod, springTestContextPrepareTestInstance
Field Detail

FLOW_ID
public static final String FLOW_ID
- See Also:
Constant Field Values

redirectUri
String redirectUri

clientIdPkcePlain
String clientIdPkcePlain

clientIdPkcePlainUnforced
String clientIdPkcePlainUnforced

clientIdPkceS256
String clientIdPkceS256

clientIdPkcePlainPublic
String clientIdPkcePlainPublic

clientIdPkcePlainUnforcedPublic
String clientIdPkcePlainUnforcedPublic

clientIdPkceS256Public
String clientIdPkceS256Public

clientIdCustomTokens
String clientIdCustomTokens

clientIdRefreshTokenRotation
String clientIdRefreshTokenRotation

codeVerifier
String codeVerifier

scope
com.nimbusds.oauth2.sdk.Scope scope

storageService
@Autowired @Qualifier("shibboleth.StorageService") StorageService storageService

revocationCache
@Autowired @Qualifier("shibboleth.oidc.RevocationCache") RevocationCache revocationCache
Method Detail

removeMetadata
@AfterMethod public void removeMetadata() throws IOException
- Throws:
IOException

testNoClientId
public void testNoClientId() throws IOException, ParseException
- Throws:
IOException
ParseException

testNoGrantType
public void testNoGrantType() throws IOException, ParseException
- Throws:
IOException
ParseException

testUntrustedClient
public void testUntrustedClient() throws IOException, ParseException
- Throws:
IOException
ParseException

testUnauthorizedGrant
public void testUnauthorizedGrant() throws IOException, ParseException
- Throws:
IOException
ParseException

testInvalidGrant
public void testInvalidGrant() throws ParseException, IOException
- Throws:
ParseException
IOException

testNoScopes
public void testNoScopes() throws Exception
TODO: This test "fails" now because it's honoring a non-OIDC request by assuming there has to be a requested and allowed audience/resource. The original success outcome was an anomaly due to the original grant handling not supporting the audience notion.
- Throws:
Exception
initializeGrantAndRequest
protected void initializeGrantAndRequest(String clientId, Map<String,String> requestParameters) throws IOException
- Throws:
IOException

initializeGrantAndRequest
protected void initializeGrantAndRequest(String clientId, Map<String,String> requestParameters, boolean doBasicAuth, com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod registeredMethod) throws IOException
- Throws:
IOException

testValidGrantNonMatchingRedirectURI
public void testValidGrantNonMatchingRedirectURI() throws Exception
- Throws:
Exception

testValidGrantNoRedirectURISingleTrusted
public void testValidGrantNoRedirectURISingleTrusted() throws Exception
- Throws:
Exception

testValidGrantNoRedirectURISingleTrustedNotMatchingAuthzCode
public void testValidGrantNoRedirectURISingleTrustedNotMatchingAuthzCode() throws Exception
- Throws:
Exception

testValidGrantNoRedirectURIMultipleTrusted
public void testValidGrantNoRedirectURIMultipleTrusted() throws Exception
- Throws:
Exception

testValidGrantWithCustomTokens
public void testValidGrantWithCustomTokens() throws Exception
- Throws:
Exception

testValidGrantWithWrongRegisteredAuthType
public void testValidGrantWithWrongRegisteredAuthType() throws Exception
- Throws:
Exception

testValidGrantWithoutAuthentication
public void testValidGrantWithoutAuthentication() throws Exception
- Throws:
Exception

testValidGrantRefreshTokensDisabledInSSOProfile
public void testValidGrantRefreshTokensDisabledInSSOProfile() throws Exception
- Throws:
Exception

testValidGrantRefreshTokensDisabledInTokenProfile
public void testValidGrantRefreshTokensDisabledInTokenProfile() throws Exception
- Throws:
Exception

testValidGrantWithRequestedScope
public void testValidGrantWithRequestedScope() throws Exception
- Throws:
Exception

testValidLegacyConsentGrant
public void testValidLegacyConsentGrant() throws Exception
- Throws:
Exception

validateConsentFromAccessToken
protected void validateConsentFromAccessToken(com.nimbusds.openid.connect.sdk.OIDCTokenResponse response, boolean value) throws Exception
- Throws:
Exception
buildAuthorizationCode
protected String buildAuthorizationCode(String clientId) throws Exception
- Throws:
Exception

buildAuthorizationCode
protected String buildAuthorizationCode(String clientId, String verifier) throws Exception
- Throws:
Exception

buildAuthorizationCode
protected String buildAuthorizationCode(String clientId, String verifier, net.minidev.json.JSONObject deliveryClaims, net.minidev.json.JSONObject deliveryClaimsIDToken, net.minidev.json.JSONObject deliveryClaimsUserInfo) throws Exception
- Throws:
Exception

buildLegacyAuthorizationCode
protected String buildLegacyAuthorizationCode(String clientId, String... consentedClaims) throws Exception
- Throws:
Exception

buildLegacyRefreshToken
protected String buildLegacyRefreshToken(String clientId, String... consentedClaims) throws Exception
- Throws:
Exception

buildRefreshToken
protected String buildRefreshToken(String clientId, String id, String rootId, String... consentedClaims) throws Exception
- Throws:
Exception

testValidSecretJWT
public void testValidSecretJWT() throws Exception
- Overrides:
testValidSecretJWT in class AbstractOidcClientAuthenticationFlowTest
- Throws:
Exception
testValidGrantValidRequestMissingPlainPKCE
public void testValidGrantValidRequestMissingPlainPKCE() throws Exception
- Throws:
Exception

testValidGrantInvalidUnforcedPlainPKCE
public void testValidGrantInvalidUnforcedPlainPKCE() throws Exception
- Throws:
Exception

testValidGrantInvalidPlainPKCE
public void testValidGrantInvalidPlainPKCE() throws Exception
- Throws:
Exception

testValidGrantValidPlainPKCE
public void testValidGrantValidPlainPKCE() throws Exception
- Throws:
Exception

testValidGrantValidPlainPKCE_publicClient
public void testValidGrantValidPlainPKCE_publicClient() throws Exception
- Throws:
Exception

testValidGrantValidUnforcedPlainPKCE
public void testValidGrantValidUnforcedPlainPKCE() throws Exception
- Throws:
Exception

testValidGrantValidUnforcedPlainPKCE_publicClient
public void testValidGrantValidUnforcedPlainPKCE_publicClient() throws Exception
- Throws:
Exception

testValidGrantValidRequestMissingS256PKCE
public void testValidGrantValidRequestMissingS256PKCE() throws Exception
- Throws:
Exception

testValidGrantInvalidUnforcedS256PKCE
public void testValidGrantInvalidUnforcedS256PKCE() throws Exception
- Throws:
Exception

testValidGrantInvalidS256PKCE
public void testValidGrantInvalidS256PKCE() throws Exception
- Throws:
Exception

testValidGrantValidS256PKCE
public void testValidGrantValidS256PKCE() throws Exception
- Throws:
Exception

testValidGrantValidS256PKCE_publicClient
public void testValidGrantValidS256PKCE_publicClient() throws Exception
- Throws:
Exception

testValidGrantValidUnforcedS256PKCE
public void testValidGrantValidUnforcedS256PKCE() throws Exception
- Throws:
Exception

testValidGrantWrappedClaimsUI
public void testValidGrantWrappedClaimsUI() throws Exception
- Throws:
Exception

testValidGrantWrappedClaims
public void testValidGrantWrappedClaims() throws Exception
- Throws:
Exception

testValidLegacyRefreshTokenGrant
public void testValidLegacyRefreshTokenGrant() throws Exception
- Throws:
Exception

testValidLegacyConsentRefreshTokenGrant
public void testValidLegacyConsentRefreshTokenGrant() throws Exception
- Throws:
Exception

testValidRefreshTokenGrant
public void testValidRefreshTokenGrant() throws Exception
- Throws:
Exception

testValidRefreshTokenGrantRefreshTokenRotation
public void testValidRefreshTokenGrantRefreshTokenRotation() throws Exception
- Throws:
Exception

testRevokedRefreshTokenGrantRefreshTokenRotation
public void testRevokedRefreshTokenGrantRefreshTokenRotation() throws Exception
- Throws:
Exception

testRevokedChainInRefreshTokenGrant
public void testRevokedChainInRefreshTokenGrant() throws Exception
- Throws:
Exception

testRevokedChainViaJtiInRefreshTokenGrant
public void testRevokedChainViaJtiInRefreshTokenGrant() throws Exception
- Throws:
Exception
unwrapAccessToken
private AccessTokenClaimsSet unwrapAccessToken(com.nimbusds.openid.connect.sdk.OIDCTokenResponse tokenResponse)

plainVerifier
private String plainVerifier()

s256Verifier
private String s256Verifier()

launchWithJwtAuthentication
protected FlowExecutionResult launchWithJwtAuthentication(com.nimbusds.oauth2.sdk.auth.JWTAuthentication authnMethod, com.nimbusds.jose.JWSAlgorithm algorithm) throws Exception
- Throws:
Exception

launchWithJwtAuthentication
protected FlowExecutionResult launchWithJwtAuthentication(com.nimbusds.oauth2.sdk.auth.JWTAuthentication authnMethod, com.nimbusds.jose.JWSAlgorithm algorithm, String requestedScope) throws Exception
- Throws:
Exception

launchWithJwtAuthentication
protected FlowExecutionResult launchWithJwtAuthentication(com.nimbusds.jwt.SignedJWT jwt, com.nimbusds.jose.JWSAlgorithm algorithm, com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod method) throws Exception
Description copied from class: AbstractOidcClientAuthenticationFlowTest
Launch the flow with the JWT client authentication method.
- Specified by:
launchWithJwtAuthentication in class AbstractOidcClientAuthenticationFlowTest
- Parameters:
jwt - The JWT to be used for client authentication.
algorithm - The algorithm to be used in the client authentication.
method - The client authentication method.
- Returns:
The flow execution result.
- Throws:
Exception

createRequestParameters
protected Map<String,String> createRequestParameters(String redirectUri, String grantType, String code, String clientId)

createRequestParameters
protected Map<String,String> createRequestParameters(String redirectUri, String grantType, String code, String clientId, String codeChallenge, String codeChallengeMethod, String codeVerifier)

getErrorDetaisForJWTValidation
protected Pair<String,String> getErrorDetaisForJWTValidation()
Description copied from class: AbstractOidcClientAuthenticationFlowTest
Get the pair of error code and error description for the error produced via event EventIds.ACCESS_DENIED. This is abstract because each endpoint may have its own mappings.
- Specified by:
getErrorDetaisForJWTValidation in class AbstractOidcClientAuthenticationFlowTest
- Returns:
The pair of error code and error description.

assertSuccessResponse
protected void assertSuccessResponse(FlowExecutionResult result)
Description copied from class: AbstractOidcClientAuthenticationFlowTest
Verify that the given result is a success response.
- Specified by:
assertSuccessResponse in class AbstractOidcClientAuthenticationFlowTest
- Parameters:
result - The flow execution result to be verified.