@Test
public void constructorWhenUserServiceIsNullThenThrowIllegalArgumentException() {
	// A null OAuth2UserService must be rejected at construction time, not discovered
	// later during authenticate().
	this.exception.expect(IllegalArgumentException.class);

	new OidcAuthorizationCodeAuthenticationProvider(this.accessTokenResponseClient, null);
}
@Test
public void authenticateWhenAuthoritiesMapperSetThenReturnMappedAuthorities() {
	// Minimal ID Token claim set used by these tests: issuer, subject, audiences, authorized party.
	Map<String, Object> idTokenClaims = new HashMap<>();
	idTokenClaims.put(IdTokenClaimNames.ISS, "https://provider.com");
	idTokenClaims.put(IdTokenClaimNames.SUB, "subject1");
	idTokenClaims.put(IdTokenClaimNames.AUD, Arrays.asList("client1", "client2"));
	idTokenClaims.put(IdTokenClaimNames.AZP, "client1");
	this.setUpIdToken(idTokenClaims);

	// The user service yields a principal carrying ROLE_USER ...
	List<GrantedAuthority> userAuthorities = AuthorityUtils.createAuthorityList("ROLE_USER");
	Answer<List<GrantedAuthority>> returnUserAuthorities = invocation -> userAuthorities;
	OidcUser oidcUser = mock(OidcUser.class);
	when(oidcUser.getAuthorities()).thenAnswer(returnUserAuthorities);
	when(this.userService.loadUser(any())).thenReturn(oidcUser);

	// ... and the configured mapper replaces those with ROLE_OIDC_USER.
	List<GrantedAuthority> expectedAuthorities = AuthorityUtils.createAuthorityList("ROLE_OIDC_USER");
	Answer<List<GrantedAuthority>> returnMappedAuthorities = invocation -> expectedAuthorities;
	GrantedAuthoritiesMapper mapper = mock(GrantedAuthoritiesMapper.class);
	when(mapper.mapAuthorities(anyCollection())).thenAnswer(returnMappedAuthorities);
	this.authenticationProvider.setAuthoritiesMapper(mapper);

	OAuth2LoginAuthenticationToken loginRequest =
			new OAuth2LoginAuthenticationToken(this.clientRegistration, this.authorizationExchange);
	OAuth2LoginAuthenticationToken result =
			(OAuth2LoginAuthenticationToken) this.authenticationProvider.authenticate(loginRequest);

	// The mapped authorities, not the raw user authorities, must end up on the token.
	assertThat(result.getAuthorities()).isEqualTo(expectedAuthorities);
}
@Test
public void authenticateWhenIdTokenValidationErrorThenThrowOAuth2AuthenticationException() {
	// A JwtException raised by the decoder must surface as an invalid_id_token
	// authentication error carrying the decoder's message.
	this.exception.expect(OAuth2AuthenticationException.class);
	this.exception.expectMessage(containsString("[invalid_id_token] ID Token Validation Error"));

	JwtException decodeFailure = new JwtException("ID Token Validation Error");
	JwtDecoder failingDecoder = mock(JwtDecoder.class);
	when(failingDecoder.decode(anyString())).thenThrow(decodeFailure);
	this.authenticationProvider.setJwtDecoderFactory(registration -> failingDecoder);

	OAuth2LoginAuthenticationToken loginRequest =
			new OAuth2LoginAuthenticationToken(this.clientRegistration, this.authorizationExchange);
	this.authenticationProvider.authenticate(loginRequest);
}
new OidcAuthorizationCodeAuthenticationProvider(accessTokenResponseClient, oidcUserService); JwtDecoderFactory<ClientRegistration> jwtDecoderFactory = this.getJwtDecoderFactoryBean(); if (jwtDecoderFactory != null) { oidcAuthorizationCodeAuthenticationProvider.setJwtDecoderFactory(jwtDecoderFactory); oidcAuthorizationCodeAuthenticationProvider.setAuthoritiesMapper(userAuthoritiesMapper);
new OidcAuthorizationCodeAuthenticationProvider(accessTokenResponseClient, oidcUserService); if (userAuthoritiesMapper != null) { oidcAuthorizationCodeAuthenticationProvider.setAuthoritiesMapper(userAuthoritiesMapper);
@Test
public void setAuthoritiesMapperWhenAuthoritiesMapperIsNullThenThrowIllegalArgumentException() {
	// The mapper is applied on every successful login, so a null mapper is a configuration
	// error that must be reported when it is set.
	this.exception.expect(IllegalArgumentException.class);

	this.authenticationProvider.setAuthoritiesMapper(null);
}
@Test
public void authenticateWhenTokenSuccessResponseThenAdditionalParametersAddedToUserRequest() {
	// Minimal ID Token claim set used by these tests: issuer, subject, audiences, authorized party.
	Map<String, Object> idTokenClaims = new HashMap<>();
	idTokenClaims.put(IdTokenClaimNames.ISS, "https://provider.com");
	idTokenClaims.put(IdTokenClaimNames.SUB, "subject1");
	idTokenClaims.put(IdTokenClaimNames.AUD, Arrays.asList("client1", "client2"));
	idTokenClaims.put(IdTokenClaimNames.AZP, "client1");
	this.setUpIdToken(idTokenClaims);

	List<GrantedAuthority> userAuthorities = AuthorityUtils.createAuthorityList("ROLE_USER");
	Answer<List<GrantedAuthority>> returnUserAuthorities = invocation -> userAuthorities;
	OidcUser oidcUser = mock(OidcUser.class);
	when(oidcUser.getAuthorities()).thenAnswer(returnUserAuthorities);

	// Capture the OidcUserRequest handed to the user service so its contents can be inspected.
	ArgumentCaptor<OidcUserRequest> capturedUserRequest = ArgumentCaptor.forClass(OidcUserRequest.class);
	when(this.userService.loadUser(capturedUserRequest.capture())).thenReturn(oidcUser);

	OAuth2LoginAuthenticationToken loginRequest =
			new OAuth2LoginAuthenticationToken(this.clientRegistration, this.authorizationExchange);
	this.authenticationProvider.authenticate(loginRequest);

	// Every additional parameter of the token response must be propagated to the user request.
	Map<String, Object> expectedParameters = this.accessTokenResponse.getAdditionalParameters();
	assertThat(capturedUserRequest.getValue().getAdditionalParameters())
			.containsAllEntriesOf(expectedParameters);
}
/**
 * Installs a stub {@code JwtDecoderFactory} on the provider under test whose decoder returns a
 * pre-built JWT with the given claims and validity window for any token string.
 * Because the decoder is a stub, signature verification is bypassed; these tests exercise claim
 * handling only.
 *
 * @param claims the ID Token claims the decoded JWT should carry
 * @param issuedAt the {@code iat} instant of the decoded JWT
 * @param expiresAt the {@code exp} instant of the decoded JWT
 */
private void setUpIdToken(Map<String, Object> claims, Instant issuedAt, Instant expiresAt) {
	Map<String, Object> headers = new HashMap<>();
	headers.put("alg", "RS256");
	Jwt decodedIdToken = new Jwt("id-token", issuedAt, expiresAt, headers, claims);

	JwtDecoder stubDecoder = mock(JwtDecoder.class);
	when(stubDecoder.decode(anyString())).thenReturn(decodedIdToken);
	this.authenticationProvider.setJwtDecoderFactory(registration -> stubDecoder);
}
throw new OAuth2AuthenticationException(invalidIdTokenError, invalidIdTokenError.toString()); OidcIdToken idToken = createOidcToken(clientRegistration, accessTokenResponse);
@Test
public void supportsWhenTypeOAuth2LoginAuthenticationTokenThenReturnTrue() {
	// The provider advertises support for OAuth2LoginAuthenticationToken requests.
	boolean supported = this.authenticationProvider.supports(OAuth2LoginAuthenticationToken.class);

	assertThat(supported).isTrue();
}
/**
 * Decodes the ID Token carried in the token response and validates its claims.
 * <p>
 * The caller is expected to have already checked that an {@code id_token} parameter is present.
 * The decoder obtained from {@link #getJwtDecoder} is responsible for parsing (and, in the
 * non-test configuration, signature verification); claim validation is delegated to
 * {@link OidcTokenValidator#validateIdToken}.
 *
 * @param clientRegistration the registration the ID Token must be validated against
 * @param accessTokenResponse the token response whose additional parameters hold the ID Token
 * @return the decoded and validated ID Token
 */
private OidcIdToken createOidcToken(ClientRegistration clientRegistration,
		OAuth2AccessTokenResponse accessTokenResponse) {
	JwtDecoder decoder = getJwtDecoder(clientRegistration);

	Map<String, Object> additionalParameters = accessTokenResponse.getAdditionalParameters();
	String idTokenValue = (String) additionalParameters.get(OidcParameterNames.ID_TOKEN);
	Jwt decodedJwt = decoder.decode(idTokenValue);

	OidcIdToken idToken = new OidcIdToken(decodedJwt.getTokenValue(), decodedJwt.getIssuedAt(),
			decodedJwt.getExpiresAt(), decodedJwt.getClaims());
	// Decoding alone is not sufficient: the claims must also be checked against the registration.
	OidcTokenValidator.validateIdToken(idToken, clientRegistration);
	return idToken;
}
new OidcAuthorizationCodeAuthenticationProvider(accessTokenResponseClient, oidcUserService); if (userAuthoritiesMapper != null) { oidcAuthorizationCodeAuthenticationProvider.setAuthoritiesMapper(userAuthoritiesMapper);
@Test
public void authenticateWhenLoginSuccessThenReturnAuthentication() {
	// Minimal ID Token claim set used by these tests: issuer, subject, audiences, authorized party.
	Map<String, Object> idTokenClaims = new HashMap<>();
	idTokenClaims.put(IdTokenClaimNames.ISS, "https://provider.com");
	idTokenClaims.put(IdTokenClaimNames.SUB, "subject1");
	idTokenClaims.put(IdTokenClaimNames.AUD, Arrays.asList("client1", "client2"));
	idTokenClaims.put(IdTokenClaimNames.AZP, "client1");
	this.setUpIdToken(idTokenClaims);

	List<GrantedAuthority> userAuthorities = AuthorityUtils.createAuthorityList("ROLE_USER");
	Answer<List<GrantedAuthority>> returnUserAuthorities = invocation -> userAuthorities;
	OidcUser oidcUser = mock(OidcUser.class);
	when(oidcUser.getAuthorities()).thenAnswer(returnUserAuthorities);
	when(this.userService.loadUser(any())).thenReturn(oidcUser);

	OAuth2LoginAuthenticationToken loginRequest =
			new OAuth2LoginAuthenticationToken(this.clientRegistration, this.authorizationExchange);
	OAuth2LoginAuthenticationToken result =
			(OAuth2LoginAuthenticationToken) this.authenticationProvider.authenticate(loginRequest);

	// Authentication state: authenticated, principal from the user service, empty credentials.
	assertThat(result.isAuthenticated()).isTrue();
	assertThat(result.getPrincipal()).isEqualTo(oidcUser);
	assertThat(result.getCredentials()).isEqualTo("");
	assertThat(result.getAuthorities()).isEqualTo(userAuthorities);

	// Context carried over from the request and the token response.
	assertThat(result.getClientRegistration()).isEqualTo(this.clientRegistration);
	assertThat(result.getAuthorizationExchange()).isEqualTo(this.authorizationExchange);
	assertThat(result.getAccessToken()).isEqualTo(this.accessTokenResponse.getAccessToken());
	assertThat(result.getRefreshToken()).isEqualTo(this.accessTokenResponse.getRefreshToken());
}
@Test
public void setJwtDecoderFactoryWhenNullThenThrowIllegalArgumentException() {
	// Without a decoder factory no ID Token could ever be decoded, so null is rejected eagerly.
	this.exception.expect(IllegalArgumentException.class);

	this.authenticationProvider.setJwtDecoderFactory(null);
}
throw new OAuth2AuthenticationException(invalidIdTokenError, invalidIdTokenError.toString()); OidcIdToken idToken = createOidcToken(clientRegistration, accessTokenResponse);
@Test
public void constructorWhenAccessTokenResponseClientIsNullThenThrowIllegalArgumentException() {
	// A null token response client must be rejected at construction time.
	this.exception.expect(IllegalArgumentException.class);

	new OidcAuthorizationCodeAuthenticationProvider(null, this.userService);
}
@Test
public void authenticateWhenTokenResponseDoesNotContainIdTokenThenThrowOAuth2AuthenticationException() {
	// An OIDC login whose token response lacks an id_token must be rejected, not treated as
	// a plain OAuth2 login.
	this.exception.expect(OAuth2AuthenticationException.class);
	this.exception.expectMessage(containsString("invalid_id_token"));

	OAuth2AccessTokenResponse responseWithoutIdToken = OAuth2AccessTokenResponse
			.withResponse(this.accessTokenSuccessResponse())
			.additionalParameters(Collections.emptyMap())
			.build();
	when(this.accessTokenResponseClient.getTokenResponse(any())).thenReturn(responseWithoutIdToken);

	OAuth2LoginAuthenticationToken loginRequest =
			new OAuth2LoginAuthenticationToken(this.clientRegistration, this.authorizationExchange);
	this.authenticationProvider.authenticate(loginRequest);
}
@Before
@SuppressWarnings("unchecked")
public void setUp() {
	// Mocked collaborators; the raw generic mocks are why "unchecked" is suppressed.
	this.accessTokenResponseClient = mock(OAuth2AccessTokenResponseClient.class);
	this.userService = mock(OAuth2UserService.class);
	this.authenticationProvider =
			new OidcAuthorizationCodeAuthenticationProvider(this.accessTokenResponseClient, this.userService);

	// A registration and an authorization exchange whose request carries the "openid" scope,
	// so the provider treats the login as an OIDC login.
	this.clientRegistration = clientRegistration().clientId("client1").build();
	this.authorizationRequest = request().scope("openid", "profile", "email").build();
	this.authorizationResponse = success().build();
	this.authorizationExchange =
			new OAuth2AuthorizationExchange(this.authorizationRequest, this.authorizationResponse);

	// Every test starts from a successful token response unless it overrides this stub.
	this.accessTokenResponse = this.accessTokenSuccessResponse();
	when(this.accessTokenResponseClient.getTokenResponse(any())).thenReturn(this.accessTokenResponse);
}
@Test
public void authenticateWhenAuthorizationRequestDoesNotContainOpenidScopeThenReturnNull() {
	// Without the "openid" scope this is not an OIDC login; the provider declines it by
	// returning null rather than rejecting the request.
	OAuth2AuthorizationRequest nonOidcRequest = request().scope("scope1").build();
	OAuth2AuthorizationExchange nonOidcExchange =
			new OAuth2AuthorizationExchange(nonOidcRequest, this.authorizationResponse);
	OAuth2LoginAuthenticationToken loginRequest =
			new OAuth2LoginAuthenticationToken(this.clientRegistration, nonOidcExchange);

	OAuth2LoginAuthenticationToken result =
			(OAuth2LoginAuthenticationToken) this.authenticationProvider.authenticate(loginRequest);

	assertThat(result).isNull();
}
@Test
public void authenticateWhenJwkSetUriNotSetThenThrowOAuth2AuthenticationException() {
	// With no JWK Set URI the ID Token signature cannot be verified; the provider must fail
	// closed with missing_signature_verifier rather than accept an unverifiable token.
	this.exception.expect(OAuth2AuthenticationException.class);
	this.exception.expectMessage(containsString("missing_signature_verifier"));

	ClientRegistration registrationWithoutJwks = clientRegistration().jwkSetUri(null).build();
	OAuth2LoginAuthenticationToken loginRequest =
			new OAuth2LoginAuthenticationToken(registrationWithoutJwks, this.authorizationExchange);
	this.authenticationProvider.authenticate(loginRequest);
}