github/wonderwall
1
0
Fork 0
mirror of https://github.com/nais/wonderwall.git synced 2026-05-16 13:26:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ca9d76043f3409cf39ed0921bc737a6cddac64d5
wonderwall/pkg/openid/client/client_test.go
Trong Huu Nguyen ca8c09ae10 fix(openid/client): flatten audience for client assertion 
In accordance with OpenID Connect 1.0 Core, draft 36 incorporating
errata set 3:

> aud
>    REQUIRED. Audience. The aud (audience) Claim. [...] The Audience value MUST be the OP's Issuer Identifier passed as a string, and not a single-element array.
2025-04-02 13:44:37 +02:00

76 lines
2.2 KiB
Go
Raw Blame History

package client_test
import (
"encoding/base64"
"encoding/json"
"strings"
"testing"
"time"
"github.com/lestrrat-go/jwx/v2/jwt"
"github.com/stretchr/testify/assert"
"github.com/nais/wonderwall/pkg/mock"
"github.com/nais/wonderwall/pkg/openid/client"
)
func TestMakeAssertion(t *testing.T) {
cfg := mock.Config()
cfg.OpenID.ClientID = "some-client-id"
openidConfig := mock.NewTestConfiguration(cfg)
openidConfig.TestProvider.SetIssuer("some-issuer")
c := newTestClientWithConfig(openidConfig)
expiry := 30 * time.Second
jwtAssertion, err := c.MakeAssertion(expiry)
assert.NoError(t, err)
assertFlattenedAudience(t, jwtAssertion)
key := openidConfig.Client().ClientJWK()
publicKey, err := key.PublicKey()
assert.NoError(t, err)
opts := []jwt.ParseOption{
jwt.WithKey(publicKey.Algorithm(), publicKey),
jwt.WithRequiredClaim(jwt.IssuedAtKey),
jwt.WithRequiredClaim(jwt.ExpirationKey),
jwt.WithRequiredClaim(jwt.JwtIDKey),
}
assertion, err := jwt.ParseString(jwtAssertion, opts...)
assert.NoError(t, err)
assert.ElementsMatch(t, []string{"some-issuer"}, assertion.Audience())
assert.Equal(t, "some-client-id", assertion.Issuer())
assert.Equal(t, "some-client-id", assertion.Subject())
assert.True(t, assertion.IssuedAt().Before(time.Now()))
assert.True(t, assertion.Expiration().After(time.Now()))
assert.True(t, assertion.Expiration().Before(time.Now().Add(expiry)))
}
// assertFlattenedAudience asserts that the raw JWT assertion has a flattened audience claim, i.e. aud is a string value.
// We do this as the jwx library only exposes the audience as a slice of strings for parsed JWTs.
func assertFlattenedAudience(t *testing.T, jwtAssertion string) {
parts := strings.Split(jwtAssertion, ".")
assert.Len(t, parts, 3)
rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
assert.NoError(t, err)
claims := make(map[string]any)
err = json.Unmarshal(rawClaims, &claims)
assert.NoError(t, err)
assert.Equal(t, "some-issuer", claims["aud"])
}
func newTestClientWithConfig(config *mock.TestConfiguration) *client.Client {
jwksProvider := mock.NewTestJwksProvider()
return client.NewClient(config, jwksProvider)
}
func newTestClient() *client.Client {
return newTestClientWithConfig(mock.NewTestConfiguration(mock.Config()))
}
Reference in New Issue View Git Blame Copy Permalink