mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 12:37:00 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
kanidm/server/testkit/tests/oauth2_test.rs

1017 lines
34 KiB
Rust
Raw Normal View History

383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
#![deny(warnings)]
of course I started looking at clippy things and now I can't stop (#2560)
2024-02-21 01:52:10 +01:00
use std::collections::{BTreeMap, BTreeSet};
Rework deps (#1079)
2022-10-01 08:08:51 +02:00
use std::convert::TryFrom;
use std::str::FromStr;
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485)
2021-06-29 06:23:39 +02:00
Update to the latest compact-jwt version (#2331)
2023-11-24 03:53:22 +01:00
use compact_jwt::{JwkKeySet, JwsEs256Verifier, JwsVerifier, OidcToken, OidcUnverified};
Splitting the SPAs (#2219) * doing some work for enumerating how the accounts work together * fixing up build scripts and removing extra things * making JavaScript as_tag use the struct field names * making shared.js a module, removing wasmloader.js * don't compress compressed things
2023-10-27 08:03:58 +02:00
use kanidm_proto::constants::uri::{OAUTH2_AUTHORISE, OAUTH2_AUTHORISE_PERMIT};
Less human strings more enums (#1989) * statics or enums you choose * acp rewrite, defined SchemaAcp as a test * macros and targetscopes and filters oh my
2023-08-21 09:16:43 +02:00
use kanidm_proto::constants::*;
2390 1980 allow native applications (#2428)
2024-01-16 01:44:12 +01:00
use kanidm_proto::internal::Oauth2ClaimMapJoin;
20211010 rfc7662 token introspect (#607)
2021-10-26 05:00:02 +02:00
use kanidm_proto::oauth2::{
AccessTokenIntrospectRequest, AccessTokenIntrospectResponse, AccessTokenRequest,
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
AccessTokenResponse, AccessTokenType, AuthorisationResponse, GrantTypeReq,
OidcDiscoveryResponse,
20211010 rfc7662 token introspect (#607)
2021-10-26 05:00:02 +02:00
};
1481 2024 access control rework (#2366) Rework default access controls to better separate roles and access profiles.
2023-12-18 00:10:13 +01:00
use kanidmd_lib::prelude::{Attribute, IDM_ALL_ACCOUNTS};
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485)
2021-06-29 06:23:39 +02:00
use oauth2_ext::PkceCodeChallenge;
Are we JSON yet? Kinda. But we're closer. (#1967)
2023-08-14 00:51:44 +02:00
use reqwest::header::{HeaderValue, CONTENT_TYPE};
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
use reqwest::StatusCode;
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
use uri::{OAUTH2_TOKEN_ENDPOINT, OAUTH2_TOKEN_INTROSPECT_ENDPOINT, OAUTH2_TOKEN_REVOKE_ENDPOINT};
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
use url::{form_urlencoded::parse as query_parse, Url};
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485)
2021-06-29 06:23:39 +02:00
20221022 improve test macros (#1139)
2022-10-24 01:50:31 +02:00
use kanidm_client::KanidmClient;
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
use kanidmd_testkit::{
assert_no_cache, ADMIN_TEST_PASSWORD, ADMIN_TEST_USER, NOT_ADMIN_TEST_EMAIL,
NOT_ADMIN_TEST_PASSWORD, NOT_ADMIN_TEST_USERNAME, TEST_INTEGRATION_RS_DISPLAY,
TEST_INTEGRATION_RS_GROUP_ALL, TEST_INTEGRATION_RS_ID, TEST_INTEGRATION_RS_REDIRECT_URL,
TEST_INTEGRATION_RS_URL,
};
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
/// Tests an OAuth 2.0 / OpenID confidential client Authorisation Client flow.
///
/// ## Arguments
///
/// * `response_mode`: If `Some`, the `response_mode` parameter to pass in the
/// `/oauth2/authorise` request.
///
/// * `response_in_fragment`: If `false`, use the `code` passed in the
/// callback URI's query parameter, and require the fragment to be empty.
///
/// If `true`, use the `code` passed in the callback URI's fragment, and
/// require the query parameter to be empty.
async fn test_oauth2_openid_basic_flow_impl(
rsclient: KanidmClient,
response_mode: Option<&str>,
response_in_fragment: bool,
) {
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let res = rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.auth_simple_password(ADMIN_TEST_USER, ADMIN_TEST_PASSWORD)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await;
assert!(res.is_ok());
// Create an oauth2 application integration.
rsclient
.idm_oauth2_rs_basic_create(
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
TEST_INTEGRATION_RS_ID,
TEST_INTEGRATION_RS_DISPLAY,
TEST_INTEGRATION_RS_URL,
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
)
.await
.expect("Failed to create oauth2 config");
Update to 1.4.0-dev (#2943)
2024-07-31 16:02:11 +02:00
rsclient
.idm_oauth2_client_add_origin(
TEST_INTEGRATION_RS_ID,
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
&Url::parse(TEST_INTEGRATION_RS_REDIRECT_URL).expect("Invalid URL"),
Update to 1.4.0-dev (#2943)
2024-07-31 16:02:11 +02:00
)
.await
.expect("Failed to update oauth2 config");
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Extend the admin account with extended details for openid claims.
rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.idm_person_account_create(NOT_ADMIN_TEST_USERNAME, NOT_ADMIN_TEST_USERNAME)
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
.await
.expect("Failed to create account details");
rsclient
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
.idm_person_account_set_attr(
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
NOT_ADMIN_TEST_USERNAME,
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
Attribute::Mail.as_ref(),
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
&[NOT_ADMIN_TEST_EMAIL],
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
.expect("Failed to create account mail");
rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.idm_person_account_primary_credential_set_password(
NOT_ADMIN_TEST_USERNAME,
NOT_ADMIN_TEST_PASSWORD,
)
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
.await
.expect("Failed to configure account password");
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.idm_oauth2_rs_update(TEST_INTEGRATION_RS_ID, None, None, None, true, true, true)
1063 967 oauth2 improvements (#1102)
2022-10-09 09:11:55 +02:00
.await
.expect("Failed to update oauth2 config");
rsclient
.idm_oauth2_rs_update_scope_map(
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
TEST_INTEGRATION_RS_ID,
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
IDM_ALL_ACCOUNTS.name,
Less human strings more enums (#1989) * statics or enums you choose * acp rewrite, defined SchemaAcp as a test * macros and targetscopes and filters oh my
2023-08-21 09:16:43 +02:00
vec![OAUTH2_SCOPE_READ, OAUTH2_SCOPE_EMAIL, OAUTH2_SCOPE_OPENID],
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
)
.await
1063 967 oauth2 improvements (#1102)
2022-10-09 09:11:55 +02:00
.expect("Failed to update oauth2 scopes");
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
1063 967 oauth2 improvements (#1102)
2022-10-09 09:11:55 +02:00
rsclient
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
.idm_oauth2_rs_update_sup_scope_map(
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
TEST_INTEGRATION_RS_ID,
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
IDM_ALL_ACCOUNTS.name,
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
vec![ADMIN_TEST_USER],
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
)
1063 967 oauth2 improvements (#1102)
2022-10-09 09:11:55 +02:00
.await
.expect("Failed to update oauth2 scopes");
let client_secret = rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.idm_oauth2_rs_get_basic_secret(TEST_INTEGRATION_RS_ID)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await
.ok()
.flatten()
1063 967 oauth2 improvements (#1102)
2022-10-09 09:11:55 +02:00
.expect("Failed to retrieve test_integration basic secret");
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Get our admin's auth token for our new client.
// We have to re-auth to update the mail field.
let res = rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.auth_simple_password(NOT_ADMIN_TEST_USERNAME, NOT_ADMIN_TEST_PASSWORD)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.await;
assert!(res.is_ok());
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
let oauth_test_uat = rsclient
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.get_token()
.await
.expect("No user auth token found");
// We need a new reqwest client here.
// from here, we can now begin what would be a "interaction" to the oauth server.
// Create a new reqwest client - we'll be using this manually.
let client = reqwest::Client::builder()
.redirect(reqwest::redirect::Policy::none())
.no_proxy()
.build()
.expect("Failed to create client.");
// Step 0 - get the openid discovery details and the public key.
Add preflight headers (#1829)
2023-07-09 04:06:40 +02:00
let response = client
.request(
reqwest::Method::OPTIONS,
error handling and web server logging fixes (#1960) * Fixing the setup_dev_environment script * clippy calming * handle_internalunixusertokenread throwing 500's without context Fixes #1958
2023-08-14 12:47:49 +02:00
rsclient.make_url("/oauth2/openid/test_integration/.well-known/openid-configuration"),
Add preflight headers (#1829)
2023-07-09 04:06:40 +02:00
)
.send()
.await
.expect("Failed to send discovery preflight request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
OpenAPI/swagger docs autogen (#2175) * always be clippyin' * pulling oauth2 api things out into their own module * starting openapi generation
2023-10-14 04:39:14 +02:00
Add preflight headers (#1829)
2023-07-09 04:06:40 +02:00
let cors_header: &str = response
.headers()
OpenAPI/swagger docs autogen (#2175) * always be clippyin' * pulling oauth2 api things out into their own module * starting openapi generation
2023-10-14 04:39:14 +02:00
.get(http::header::ACCESS_CONTROL_ALLOW_ORIGIN)
Add preflight headers (#1829)
2023-07-09 04:06:40 +02:00
.expect("missing access-control-allow-origin header")
.to_str()
.expect("invalid access-control-allow-origin header");
assert!(cors_header.eq("*"));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let response = client
error handling and web server logging fixes (#1960) * Fixing the setup_dev_environment script * clippy calming * handle_internalunixusertokenread throwing 500's without context Fixes #1958
2023-08-14 12:47:49 +02:00
.get(rsclient.make_url("/oauth2/openid/test_integration/.well-known/openid-configuration"))
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.send()
.await
.expect("Failed to send request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
Minor fixes for oidc with single page applications (#2420)
2024-01-09 00:57:14 +01:00
// Assert CORS on the GET too.
let cors_header: &str = response
.headers()
.get(http::header::ACCESS_CONTROL_ALLOW_ORIGIN)
.expect("missing access-control-allow-origin header")
.to_str()
.expect("invalid access-control-allow-origin header");
assert!(cors_header.eq("*"));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert_no_cache!(response);
let discovery: OidcDiscoveryResponse = response
.json()
.await
.expect("Failed to access response body");
383 164 authentication updates 9 (#956) * implementation of passkeys as an auth mech * listing the current passkeys when asking to remove one * tweaking insecure dev server config so passkeys will work * Fix domain rename Co-authored-by: James Hodgkinson <james@terminaloutcomes.com>
2022-07-30 14:10:24 +02:00
tracing::trace!(?discovery);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Most values are checked in idm/oauth2.rs, but we want to sanity check
// the urls here as an extended function smoke test.
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(
discovery.issuer,
rsclient.make_url("/oauth2/openid/test_integration")
);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(
discovery.authorization_endpoint,
rsclient.make_url("/ui/oauth2")
);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
assert_eq!(
discovery.token_endpoint,
rsclient.make_url(OAUTH2_TOKEN_ENDPOINT)
);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(
discovery.userinfo_endpoint
error handling and web server logging fixes (#1960) * Fixing the setup_dev_environment script * clippy calming * handle_internalunixusertokenread throwing 500's without context Fixes #1958
2023-08-14 12:47:49 +02:00
== Some(rsclient.make_url("/oauth2/openid/test_integration/userinfo"))
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
);
assert!(
error handling and web server logging fixes (#1960) * Fixing the setup_dev_environment script * clippy calming * handle_internalunixusertokenread throwing 500's without context Fixes #1958
2023-08-14 12:47:49 +02:00
discovery.jwks_uri == rsclient.make_url("/oauth2/openid/test_integration/public_key.jwk")
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
);
// Step 0 - get the jwks public key.
let response = client
error handling and web server logging fixes (#1960) * Fixing the setup_dev_environment script * clippy calming * handle_internalunixusertokenread throwing 500's without context Fixes #1958
2023-08-14 12:47:49 +02:00
.get(rsclient.make_url("/oauth2/openid/test_integration/public_key.jwk"))
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.send()
.await
.expect("Failed to send request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert_no_cache!(response);
let mut jwk_set: JwkKeySet = response
.json()
.await
.expect("Failed to access response body");
let public_jwk = jwk_set.keys.pop().expect("No public key in set!");
Update to the latest compact-jwt version (#2331)
2023-11-24 03:53:22 +01:00
let jws_validator = JwsEs256Verifier::try_from(&public_jwk).expect("failed to build validator");
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Step 1 - the Oauth2 Resource Server would send a redirect to the authorisation
// server, where the url contains a series of authorisation request parameters.
//
// Since we are a client, we can just "pretend" we got the redirect, and issue the
// get call directly. This should be a 200. (?)
let (pkce_code_challenge, pkce_code_verifier) = PkceCodeChallenge::new_random_sha256();
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
let mut query = vec![
("response_type", "code"),
("client_id", TEST_INTEGRATION_RS_ID),
("state", "YWJjZGVm"),
("code_challenge", pkce_code_challenge.as_str()),
("code_challenge_method", "S256"),
("redirect_uri", TEST_INTEGRATION_RS_REDIRECT_URL),
("scope", "email read openid"),
("max_age", "1"),
];
if let Some(response_mode) = response_mode {
query.push(("response_mode", response_mode));
}
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let response = client
Splitting the SPAs (#2219) * doing some work for enumerating how the accounts work together * fixing up build scripts and removing extra things * making JavaScript as_tag use the struct field names * making shared.js a module, removing wasmloader.js * don't compress compressed things
2023-10-27 08:03:58 +02:00
.get(rsclient.make_url(OAUTH2_AUTHORISE))
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
.bearer_auth(oauth_test_uat.clone())
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
.query(&query)
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.send()
.await
.expect("Failed to send request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert_no_cache!(response);
636 consent remembering in oauth2 (#824)
2022-06-20 03:37:39 +02:00
let consent_req: AuthorisationResponse = response
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.json()
.await
.expect("Failed to access response body");
1063 967 oauth2 improvements (#1102)
2022-10-09 09:11:55 +02:00
let consent_token = if let AuthorisationResponse::ConsentRequested {
consent_token,
scopes,
..
} = consent_req
{
// Note the supplemental scope here (admin)
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
dbg!(&scopes);
enforcen den clippen (#2990) * enforcen den clippen * updating outdated oauth2-related docs * sorry clippy, we tried
2024-08-21 02:32:56 +02:00
assert!(scopes.contains("admin"));
1063 967 oauth2 improvements (#1102)
2022-10-09 09:11:55 +02:00
consent_token
} else {
unreachable!();
};
636 consent remembering in oauth2 (#824)
2022-06-20 03:37:39 +02:00
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Step 2 - we now send the consent get to the server which yields a redirect with a
// state and code.
let response = client
Splitting the SPAs (#2219) * doing some work for enumerating how the accounts work together * fixing up build scripts and removing extra things * making JavaScript as_tag use the struct field names * making shared.js a module, removing wasmloader.js * don't compress compressed things
2023-10-27 08:03:58 +02:00
.get(rsclient.make_url(OAUTH2_AUTHORISE_PERMIT))
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
.bearer_auth(oauth_test_uat)
636 consent remembering in oauth2 (#824)
2022-06-20 03:37:39 +02:00
.query(&[("token", consent_token.as_str())])
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.send()
.await
.expect("Failed to send request.");
// This should yield a 302 redirect with some query params.
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::FOUND);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert_no_cache!(response);
// And we should have a URL in the location header.
let redir_str = response
.headers()
.get("Location")
20230125 pre rel cleanup (#1348)
2023-01-28 04:52:44 +01:00
.and_then(|hv| hv.to_str().ok().map(str::to_string))
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.expect("Invalid redirect url");
// Now check it's content
let redir_url = Url::parse(&redir_str).expect("Url parse failure");
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
let pairs: BTreeMap<_, _> = if response_in_fragment {
assert!(redir_url.query().is_none());
let fragment = redir_url.fragment().expect("missing URL fragment");
query_parse(fragment.as_bytes()).collect()
} else {
// response_mode = query is default for response_type = code
assert!(redir_url.fragment().is_none());
redir_url.query_pairs().collect()
};
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// We should have state and code.
let code = pairs.get("code").expect("code not found!");
let state = pairs.get("state").expect("state not found!");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(state, "YWJjZGVm");
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// Step 3 - the "resource server" then uses this state and code to directly contact
// the authorisation server to request a token.
20230330 oauth2 refresh tokens (#1502)
2023-04-20 00:34:21 +02:00
let form_req: AccessTokenRequest = GrantTypeReq::AuthorizationCode {
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
code: code.to_string(),
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
redirect_uri: Url::parse(TEST_INTEGRATION_RS_REDIRECT_URL).expect("Invalid URL"),
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
code_verifier: Some(pkce_code_verifier.secret().clone()),
20230330 oauth2 refresh tokens (#1502)
2023-04-20 00:34:21 +02:00
}
.into();
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let response = client
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.post(rsclient.make_url(OAUTH2_TOKEN_ENDPOINT))
.basic_auth(TEST_INTEGRATION_RS_ID, Some(client_secret.clone()))
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.form(&form_req)
.send()
.await
.expect("Failed to send code exchange request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
Minor fixes for oidc with single page applications (#2420)
2024-01-09 00:57:14 +01:00
let cors_header: &str = response
.headers()
.get(http::header::ACCESS_CONTROL_ALLOW_ORIGIN)
.expect("missing access-control-allow-origin header")
.to_str()
.expect("invalid access-control-allow-origin header");
assert!(cors_header.eq("*"));
Are we JSON yet? Kinda. But we're closer. (#1967)
2023-08-14 00:51:44 +02:00
assert!(
response.headers().get(CONTENT_TYPE) == Some(&HeaderValue::from_static(APPLICATION_JSON))
);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert_no_cache!(response);
// The body is a json AccessTokenResponse
let atr = response
.json::<AccessTokenResponse>()
.await
.expect("Unable to decode AccessTokenResponse");
// Step 4 - inspect the granted token.
let intr_request = AccessTokenIntrospectRequest {
token: atr.access_token.clone(),
token_type_hint: None,
};
let response = client
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.post(rsclient.make_url(OAUTH2_TOKEN_INTROSPECT_ENDPOINT))
.basic_auth(TEST_INTEGRATION_RS_ID, Some(client_secret.clone()))
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.form(&intr_request)
.send()
.await
.expect("Failed to send token introspect request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
Fixing test release (#1983) * Fixing cargo test --release * more tracing less dbg
2023-08-15 07:42:15 +02:00
tracing::trace!("{:?}", response.headers());
Are we JSON yet? Kinda. But we're closer. (#1967)
2023-08-14 00:51:44 +02:00
assert!(
response.headers().get(CONTENT_TYPE) == Some(&HeaderValue::from_static(APPLICATION_JSON))
);
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert_no_cache!(response);
let tir = response
.json::<AccessTokenIntrospectResponse>()
.await
.expect("Unable to decode AccessTokenIntrospectResponse");
assert!(tir.active);
20240927 SCIM put (#3151)
2024-11-30 07:56:17 +01:00
assert!(!tir.scope.is_empty());
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
assert_eq!(tir.client_id.as_deref(), Some(TEST_INTEGRATION_RS_ID));
assert_eq!(
tir.username.as_deref(),
Some(format!("{}@localhost", NOT_ADMIN_TEST_USERNAME).as_str())
);
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(tir.token_type, Some(AccessTokenType::Bearer));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(tir.exp.is_some());
assert!(tir.iat.is_some());
assert!(tir.nbf.is_some());
assert!(tir.sub.is_some());
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
assert_eq!(tir.aud.as_deref(), Some(TEST_INTEGRATION_RS_ID));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
assert!(tir.iss.is_none());
assert!(tir.jti.is_none());
// Step 5 - check that the id_token (openid) matches the userinfo endpoint.
let oidc_unverified =
OidcUnverified::from_str(atr.id_token.as_ref().unwrap()).expect("Failed to parse id_token");
Update to the latest compact-jwt version (#2331)
2023-11-24 03:53:22 +01:00
let oidc = jws_validator
.verify(&oidc_unverified)
.expect("Failed to verify oidc")
.verify_exp(0)
.expect("Failed to check exp");
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
// This is mostly checked inside of idm/oauth2.rs. This is more to check the oidc
// token and the userinfo endpoints.
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(
oidc.iss,
rsclient.make_url("/oauth2/openid/test_integration")
);
20220817 ldap service tokens (#1002)
2022-09-02 06:21:20 +02:00
eprintln!("{:?}", oidc.s_claims.email);
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
assert_eq!(oidc.s_claims.email.as_deref(), Some(NOT_ADMIN_TEST_EMAIL));
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(oidc.s_claims.email_verified, Some(true));
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
let response = client
error handling and web server logging fixes (#1960) * Fixing the setup_dev_environment script * clippy calming * handle_internalunixusertokenread throwing 500's without context Fixes #1958
2023-08-14 12:47:49 +02:00
.get(rsclient.make_url("/oauth2/openid/test_integration/userinfo"))
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.bearer_auth(atr.access_token.clone())
.send()
.await
.expect("Failed to send userinfo request.");
Fixing test release (#1983) * Fixing cargo test --release * more tracing less dbg
2023-08-15 07:42:15 +02:00
tracing::trace!("{:?}", response.headers());
Are we JSON yet? Kinda. But we're closer. (#1967)
2023-08-14 00:51:44 +02:00
assert!(
response.headers().get(CONTENT_TYPE) == Some(&HeaderValue::from_static(APPLICATION_JSON))
);
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
let userinfo = response
.json::<OidcToken>()
.await
.expect("Unable to decode OidcToken from userinfo");
eprintln!("userinfo {userinfo:?}");
eprintln!("oidc {oidc:?}");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(userinfo, oidc);
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
Allow POST on oauth userinfo (#3395)
2025-02-04 07:22:32 +01:00
let response = client
.post(rsclient.make_url("/oauth2/openid/test_integration/userinfo"))
.bearer_auth(atr.access_token.clone())
.send()
.await
.expect("Failed to send userinfo POST request.");
tracing::trace!("{:?}", response.headers());
assert!(
response.headers().get(CONTENT_TYPE) == Some(&HeaderValue::from_static(APPLICATION_JSON))
);
let userinfo_post = response
.json::<OidcToken>()
.await
.expect("Unable to decode OidcToken from POST userinfo");
assert_eq!(userinfo_post, userinfo);
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation
2024-02-01 03:00:29 +01:00
// Step 6 - Show that our client can perform a client credentials grant
let form_req: AccessTokenRequest = GrantTypeReq::ClientCredentials {
scope: Some(BTreeSet::from([
"email".to_string(),
"read".to_string(),
"openid".to_string(),
])),
}
.into();
let response = client
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.post(rsclient.make_url(OAUTH2_TOKEN_ENDPOINT))
.basic_auth(TEST_INTEGRATION_RS_ID, Some(client_secret.clone()))
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation
2024-02-01 03:00:29 +01:00
.form(&form_req)
.send()
.await
.expect("Failed to send client credentials request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation
2024-02-01 03:00:29 +01:00
let atr = response
.json::<AccessTokenResponse>()
.await
.expect("Unable to decode AccessTokenResponse");
// Step 7 - inspect the granted client credentials token.
let intr_request = AccessTokenIntrospectRequest {
token: atr.access_token.clone(),
token_type_hint: None,
};
let response = client
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.post(rsclient.make_url(OAUTH2_TOKEN_INTROSPECT_ENDPOINT))
.basic_auth(TEST_INTEGRATION_RS_ID, Some(client_secret))
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation
2024-02-01 03:00:29 +01:00
.form(&intr_request)
.send()
.await
.expect("Failed to send token introspect request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation
2024-02-01 03:00:29 +01:00
let tir = response
.json::<AccessTokenIntrospectResponse>()
.await
.expect("Unable to decode AccessTokenIntrospectResponse");
assert!(tir.active);
20240927 SCIM put (#3151)
2024-11-30 07:56:17 +01:00
assert!(!tir.scope.is_empty());
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
assert_eq!(tir.client_id.as_deref(), Some(TEST_INTEGRATION_RS_ID));
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(tir.username.as_deref(), Some("test_integration@localhost"));
assert_eq!(tir.token_type, Some(AccessTokenType::Bearer));
20240125 2217 client credentials grant (#2456) * Huge fix of a replication problem. * Update test * Increase min replication level * Client Credentials Grant implementation
2024-02-01 03:00:29 +01:00
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
// auth back with admin so we can test deleting things
let res = rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.auth_simple_password(ADMIN_TEST_USER, ADMIN_TEST_PASSWORD)
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.await;
assert!(res.is_ok());
rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.idm_oauth2_rs_delete_sup_scope_map(TEST_INTEGRATION_RS_ID, TEST_INTEGRATION_RS_GROUP_ALL)
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.await
.expect("Failed to update oauth2 scopes");
}
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
/// Test an OAuth 2.0/OpenID confidential client Authorisation Code flow, with
/// `response_mode` unset.
///
/// The response should be returned as a query parameter.
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
#[kanidmd_testkit::test]
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
async fn test_oauth2_openid_basic_flow_mode_unset(rsclient: KanidmClient) {
test_oauth2_openid_basic_flow_impl(rsclient, None, false).await;
}
/// Test an OAuth 2.0/OpenID confidential client Authorisation Code flow, with
/// `response_mode=query`.
///
/// The response should be returned as a query parameter.
#[kanidmd_testkit::test]
async fn test_oauth2_openid_basic_flow_mode_query(rsclient: KanidmClient) {
test_oauth2_openid_basic_flow_impl(rsclient, Some("query"), false).await;
}
/// Test an OAuth 2.0/OpenID confidential client Authorisation Code flow, with
/// `response_mode=fragment`.
///
/// The response should be returned in the URI's fragment.
#[kanidmd_testkit::test]
async fn test_oauth2_openid_basic_flow_mode_fragment(rsclient: KanidmClient) {
test_oauth2_openid_basic_flow_impl(rsclient, Some("fragment"), true).await;
}
/// Tests an OAuth 2.0 / OpenID public client Authorisation Client flow.
///
/// ## Arguments
///
/// * `response_mode`: If `Some`, the `response_mode` parameter to pass in the
/// `/oauth2/authorise` request.
///
/// * `response_in_fragment`: If `false`, use the `code` passed in the
/// callback URI's query parameter, and require the fragment to be empty.
///
/// If `true`, use the `code` passed in the callback URI's fragment, and
/// require the query parameter to be empty.
async fn test_oauth2_openid_public_flow_impl(
rsclient: KanidmClient,
response_mode: Option<&str>,
response_in_fragment: bool,
) {
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
let res = rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.auth_simple_password(ADMIN_TEST_USER, ADMIN_TEST_PASSWORD)
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.await;
assert!(res.is_ok());
// Create an oauth2 application integration.
rsclient
.idm_oauth2_rs_public_create(
TEST_INTEGRATION_RS_ID,
TEST_INTEGRATION_RS_DISPLAY,
TEST_INTEGRATION_RS_URL,
)
.await
.expect("Failed to create oauth2 config");
Update to 1.4.0-dev (#2943)
2024-07-31 16:02:11 +02:00
rsclient
.idm_oauth2_client_add_origin(
TEST_INTEGRATION_RS_ID,
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
&Url::parse(TEST_INTEGRATION_RS_REDIRECT_URL).expect("Invalid URL"),
Update to 1.4.0-dev (#2943)
2024-07-31 16:02:11 +02:00
)
.await
.expect("Failed to update oauth2 config");
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
// Extend the admin account with extended details for openid claims.
rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.idm_person_account_create(NOT_ADMIN_TEST_USERNAME, NOT_ADMIN_TEST_USERNAME)
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.await
.expect("Failed to create account details");
rsclient
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
.idm_person_account_set_attr(
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
NOT_ADMIN_TEST_USERNAME,
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
Attribute::Mail.as_ref(),
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
&[NOT_ADMIN_TEST_EMAIL],
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
)
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.await
.expect("Failed to create account mail");
rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.idm_person_account_primary_credential_set_password(
NOT_ADMIN_TEST_USERNAME,
ADMIN_TEST_PASSWORD,
)
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.await
.expect("Failed to configure account password");
rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.idm_oauth2_rs_update(TEST_INTEGRATION_RS_ID, None, None, None, true, true, true)
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.await
.expect("Failed to update oauth2 config");
rsclient
.idm_oauth2_rs_update_scope_map(
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
TEST_INTEGRATION_RS_ID,
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
IDM_ALL_ACCOUNTS.name,
Less human strings more enums (#1989) * statics or enums you choose * acp rewrite, defined SchemaAcp as a test * macros and targetscopes and filters oh my
2023-08-21 09:16:43 +02:00
vec![OAUTH2_SCOPE_READ, OAUTH2_SCOPE_EMAIL, OAUTH2_SCOPE_OPENID],
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
)
.await
.expect("Failed to update oauth2 scopes");
rsclient
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
.idm_oauth2_rs_update_sup_scope_map(
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
TEST_INTEGRATION_RS_ID,
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
IDM_ALL_ACCOUNTS.name,
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
vec![ADMIN_TEST_USER],
Cinco de yakko (#2108) * there are always more yaks * see? ldap yaks. * fixing stupid radius container build thing
2023-09-16 04:11:06 +02:00
)
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.await
.expect("Failed to update oauth2 scopes");
2390 1980 allow native applications (#2428)
2024-01-16 01:44:12 +01:00
// Add a custom claim map.
rsclient
.idm_oauth2_rs_update_claim_map(
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
TEST_INTEGRATION_RS_ID,
2390 1980 allow native applications (#2428)
2024-01-16 01:44:12 +01:00
"test_claim",
IDM_ALL_ACCOUNTS.name,
&["claim_a".to_string(), "claim_b".to_string()],
)
.await
.expect("Failed to update oauth2 claims");
// Set an alternate join
rsclient
.idm_oauth2_rs_update_claim_map_join(
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
TEST_INTEGRATION_RS_ID,
2390 1980 allow native applications (#2428)
2024-01-16 01:44:12 +01:00
"test_claim",
Oauth2ClaimMapJoin::Ssv,
)
.await
.expect("Failed to update oauth2 claims");
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
// Get our admin's auth token for our new client.
// We have to re-auth to update the mail field.
let res = rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.auth_simple_password(NOT_ADMIN_TEST_USERNAME, ADMIN_TEST_PASSWORD)
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.await;
assert!(res.is_ok());
let oauth_test_uat = rsclient
.get_token()
.await
.expect("No user auth token found");
// We need a new reqwest client here.
// from here, we can now begin what would be a "interaction" to the oauth server.
// Create a new reqwest client - we'll be using this manually.
let client = reqwest::Client::builder()
.redirect(reqwest::redirect::Policy::none())
.no_proxy()
.build()
.expect("Failed to create client.");
// Step 0 - get the jwks public key.
let response = client
error handling and web server logging fixes (#1960) * Fixing the setup_dev_environment script * clippy calming * handle_internalunixusertokenread throwing 500's without context Fixes #1958
2023-08-14 12:47:49 +02:00
.get(rsclient.make_url("/oauth2/openid/test_integration/public_key.jwk"))
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.send()
.await
.expect("Failed to send request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
assert_no_cache!(response);
let mut jwk_set: JwkKeySet = response
.json()
.await
.expect("Failed to access response body");
let public_jwk = jwk_set.keys.pop().expect("No public key in set!");
Update to the latest compact-jwt version (#2331)
2023-11-24 03:53:22 +01:00
let jws_validator = JwsEs256Verifier::try_from(&public_jwk).expect("failed to build validator");
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
// Step 1 - the Oauth2 Resource Server would send a redirect to the authorisation
// server, where the url contains a series of authorisation request parameters.
//
// Since we are a client, we can just "pretend" we got the redirect, and issue the
// get call directly. This should be a 200. (?)
let (pkce_code_challenge, pkce_code_verifier) = PkceCodeChallenge::new_random_sha256();
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
let mut query = vec![
("response_type", "code"),
("client_id", TEST_INTEGRATION_RS_ID),
("state", "YWJjZGVm"),
("code_challenge", pkce_code_challenge.as_str()),
("code_challenge_method", "S256"),
("redirect_uri", TEST_INTEGRATION_RS_REDIRECT_URL),
("scope", "email read openid"),
];
if let Some(response_mode) = response_mode {
query.push(("response_mode", response_mode));
}
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
let response = client
Splitting the SPAs (#2219) * doing some work for enumerating how the accounts work together * fixing up build scripts and removing extra things * making JavaScript as_tag use the struct field names * making shared.js a module, removing wasmloader.js * don't compress compressed things
2023-10-27 08:03:58 +02:00
.get(rsclient.make_url(OAUTH2_AUTHORISE))
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.bearer_auth(oauth_test_uat.clone())
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
.query(&query)
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.send()
.await
.expect("Failed to send request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
assert_no_cache!(response);
let consent_req: AuthorisationResponse = response
.json()
.await
.expect("Failed to access response body");
let consent_token = if let AuthorisationResponse::ConsentRequested {
consent_token,
scopes,
..
} = consent_req
{
// Note the supplemental scope here (admin)
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
assert!(scopes.contains(ADMIN_TEST_USER));
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
consent_token
} else {
unreachable!();
};
// Step 2 - we now send the consent get to the server which yields a redirect with a
// state and code.
let response = client
Splitting the SPAs (#2219) * doing some work for enumerating how the accounts work together * fixing up build scripts and removing extra things * making JavaScript as_tag use the struct field names * making shared.js a module, removing wasmloader.js * don't compress compressed things
2023-10-27 08:03:58 +02:00
.get(rsclient.make_url(OAUTH2_AUTHORISE_PERMIT))
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.bearer_auth(oauth_test_uat)
.query(&[("token", consent_token.as_str())])
.send()
.await
.expect("Failed to send request.");
// This should yield a 302 redirect with some query params.
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::FOUND);
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
assert_no_cache!(response);
// And we should have a URL in the location header.
let redir_str = response
.headers()
.get("Location")
.and_then(|hv| hv.to_str().ok().map(str::to_string))
.expect("Invalid redirect url");
// Now check it's content
let redir_url = Url::parse(&redir_str).expect("Url parse failure");
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
let pairs: BTreeMap<_, _> = if response_in_fragment {
assert!(redir_url.query().is_none());
let fragment = redir_url.fragment().expect("missing URL fragment");
query_parse(fragment.as_bytes()).collect()
} else {
// response_mode = query is default for response_type = code
assert!(redir_url.fragment().is_none());
redir_url.query_pairs().collect()
};
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
// We should have state and code.
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
let code = pairs.get("code").expect("code not found!");
let state = pairs.get("state").expect("state not found!");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(state, "YWJjZGVm");
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
// Step 3 - the "resource server" then uses this state and code to directly contact
// the authorisation server to request a token.
let form_req = AccessTokenRequest {
grant_type: GrantTypeReq::AuthorizationCode {
code: code.to_string(),
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
redirect_uri: Url::parse(TEST_INTEGRATION_RS_REDIRECT_URL).expect("Invalid URL"),
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
code_verifier: Some(pkce_code_verifier.secret().clone()),
},
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
client_id: Some(TEST_INTEGRATION_RS_ID.to_string()),
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
client_secret: None,
};
let response = client
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.post(rsclient.make_url(OAUTH2_TOKEN_ENDPOINT))
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
.form(&form_req)
.send()
.await
.expect("Failed to send code exchange request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
assert_no_cache!(response);
// The body is a json AccessTokenResponse
let atr = response
.json::<AccessTokenResponse>()
.await
.expect("Unable to decode AccessTokenResponse");
// Step 5 - check that the id_token (openid) matches the userinfo endpoint.
let oidc_unverified =
OidcUnverified::from_str(atr.id_token.as_ref().unwrap()).expect("Failed to parse id_token");
Update to the latest compact-jwt version (#2331)
2023-11-24 03:53:22 +01:00
let oidc = jws_validator
.verify(&oidc_unverified)
.expect("Failed to verify oidc")
.verify_exp(0)
.expect("Failed to check exp");
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
// This is mostly checked inside of idm/oauth2.rs. This is more to check the oidc
// token and the userinfo endpoints.
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(
oidc.iss,
rsclient.make_url("/oauth2/openid/test_integration")
);
1792 public oauth clients (#1821)
2023-07-07 10:53:31 +02:00
eprintln!("{:?}", oidc.s_claims.email);
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
assert_eq!(oidc.s_claims.email.as_deref(), Some(NOT_ADMIN_TEST_EMAIL));
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(oidc.s_claims.email_verified, Some(true));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
2390 1980 allow native applications (#2428)
2024-01-16 01:44:12 +01:00
eprintln!("{:?}", oidc.claims);
assert_eq!(
oidc.claims.get("test_claim").and_then(|v| v.as_str()),
Some("claim_a claim_b")
);
Add preflight headers (#1829)
2023-07-09 04:06:40 +02:00
// Check the preflight works.
let response = client
.request(
reqwest::Method::OPTIONS,
error handling and web server logging fixes (#1960) * Fixing the setup_dev_environment script * clippy calming * handle_internalunixusertokenread throwing 500's without context Fixes #1958
2023-08-14 12:47:49 +02:00
rsclient.make_url("/oauth2/openid/test_integration/userinfo"),
Add preflight headers (#1829)
2023-07-09 04:06:40 +02:00
)
.send()
.await
.expect("Failed to send userinfo preflight request.");
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), reqwest::StatusCode::OK);
Add preflight headers (#1829)
2023-07-09 04:06:40 +02:00
let cors_header: &str = response
.headers()
OpenAPI/swagger docs autogen (#2175) * always be clippyin' * pulling oauth2 api things out into their own module * starting openapi generation
2023-10-14 04:39:14 +02:00
.get(http::header::ACCESS_CONTROL_ALLOW_ORIGIN)
Add preflight headers (#1829)
2023-07-09 04:06:40 +02:00
.expect("missing access-control-allow-origin header")
.to_str()
.expect("invalid access-control-allow-origin header");
assert!(cors_header.eq("*"));
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
let response = client
error handling and web server logging fixes (#1960) * Fixing the setup_dev_environment script * clippy calming * handle_internalunixusertokenread throwing 500's without context Fixes #1958
2023-08-14 12:47:49 +02:00
.get(rsclient.make_url("/oauth2/openid/test_integration/userinfo"))
383 170 164 authentication updates 3 (#723)
2022-04-29 05:03:21 +02:00
.bearer_auth(atr.access_token.clone())
.send()
.await
.expect("Failed to send userinfo request.");
let userinfo = response
.json::<OidcToken>()
.await
.expect("Unable to decode OidcToken from userinfo");
RADIUS container fixes (#1424)
2023-03-07 02:50:45 +01:00
eprintln!("userinfo {userinfo:?}");
eprintln!("oidc {oidc:?}");
406 session revocation (#1123)
2022-10-17 12:09:47 +02:00
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(userinfo, oidc);
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
// auth back with admin so we can test deleting things
let res = rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.auth_simple_password(ADMIN_TEST_USER, ADMIN_TEST_PASSWORD)
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
.await;
assert!(res.is_ok());
rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.idm_oauth2_rs_delete_sup_scope_map(TEST_INTEGRATION_RS_ID, TEST_INTEGRATION_RS_GROUP_ALL)
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
.await
.expect("Failed to update oauth2 scopes");
}
Add OAuth2 `response_mode=fragment` (#3335) * Add response_mode=fragment to discovery documents * Add test for `response_mode=query` * refactor OAuth 2.0 tests back into regular functions, because macros are messy * Disallow some `response_type` x `response_mode` combinations per spec
2025-01-08 06:41:01 +01:00
/// Test an OAuth 2.0/OpenID public client Authorisation Code flow, with
/// `response_mode` unset.
///
/// The response should be returned as a query parameter.
#[kanidmd_testkit::test]
async fn test_oauth2_openid_public_flow_mode_unset(rsclient: KanidmClient) {
test_oauth2_openid_public_flow_impl(rsclient, None, false).await;
}
/// Test an OAuth 2.0/OpenID public client Authorisation Code flow, with
/// `response_mode=query`.
///
/// The response should be returned as a query parameter.
#[kanidmd_testkit::test]
async fn test_oauth2_openid_public_flow_mode_query(rsclient: KanidmClient) {
test_oauth2_openid_public_flow_impl(rsclient, Some("query"), false).await;
}
/// Test an OAuth 2.0/OpenID public client Authorisation Code flow, with
/// `response_mode=fragment`.
///
/// The response should be returned in the URI's fragment.
#[kanidmd_testkit::test]
async fn test_oauth2_openid_public_flow_mode_fragment(rsclient: KanidmClient) {
test_oauth2_openid_public_flow_impl(rsclient, Some("fragment"), true).await;
}
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
#[kanidmd_testkit::test]
async fn test_oauth2_token_post_bad_bodies(rsclient: KanidmClient) {
let res = rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.auth_simple_password(ADMIN_TEST_USER, ADMIN_TEST_PASSWORD)
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
.await;
assert!(res.is_ok());
let client = reqwest::Client::builder()
.redirect(reqwest::redirect::Policy::none())
.no_proxy()
.build()
.expect("Failed to create client.");
// test for a bad-body request on token
let response = client
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.post(rsclient.make_url(OAUTH2_TOKEN_ENDPOINT))
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
.form(&serde_json::json!({}))
// .bearer_auth(atr.access_token.clone())
.send()
.await
.expect("Failed to send token request.");
println!("{:?}", response);
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), StatusCode::UNPROCESSABLE_ENTITY);
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
// test for a bad-auth request
let response = client
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.post(rsclient.make_url(OAUTH2_TOKEN_INTROSPECT_ENDPOINT))
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
.form(&serde_json::json!({ "token": "lol" }))
.send()
.await
.expect("Failed to send token introspection request.");
println!("{:?}", response);
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
}
#[kanidmd_testkit::test]
async fn test_oauth2_token_revoke_post(rsclient: KanidmClient) {
let res = rsclient
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.auth_simple_password(ADMIN_TEST_USER, ADMIN_TEST_PASSWORD)
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
.await;
assert!(res.is_ok());
let client = reqwest::Client::builder()
.redirect(reqwest::redirect::Policy::none())
.no_proxy()
.build()
.expect("Failed to create client.");
// test for a bad-body request on token
let response = client
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.post(rsclient.make_url(OAUTH2_TOKEN_REVOKE_ENDPOINT))
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
.form(&serde_json::json!({}))
.bearer_auth("lolol")
.send()
.await
.expect("Failed to send token request.");
println!("{:?}", response);
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), StatusCode::UNPROCESSABLE_ENTITY);
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
// test for a invalid format request on token
let response = client
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.post(rsclient.make_url(OAUTH2_TOKEN_REVOKE_ENDPOINT))
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
.json("")
.bearer_auth("lolol")
.send()
.await
.expect("Failed to send token request.");
println!("{:?}", response);
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), StatusCode::UNSUPPORTED_MEDIA_TYPE);
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
// test for a bad-body request on token
let response = client
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.post(rsclient.make_url(OAUTH2_TOKEN_REVOKE_ENDPOINT))
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
.form(&serde_json::json!({}))
.bearer_auth("Basic lolol")
.send()
.await
.expect("Failed to send token request.");
println!("{:?}", response);
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), StatusCode::UNPROCESSABLE_ENTITY);
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
// test for a bad-body request on token
let response = client
OAuth2 Device flow foundations (#3098)
2024-10-26 04:08:48 +02:00
.post(rsclient.make_url(OAUTH2_TOKEN_REVOKE_ENDPOINT))
Converting from tide to axum (#1797) * Starting to chase down testing * commenting out unused/inactive endpoints, adding more tests * clippyism * making clippy happy v2 * testing when things are not right * moar checkpoint * splitting up testkit things a bit * moving https -> tide * mad lad be crabbin * spawning like a frog * something something different spawning * woot it works ish * more server things * adding version header to requests * adding kopid_middleware * well that was supposed to be an hour... four later * more nonsense * carrying on with the conversion * first pass through the conversion is DONE! * less pub more better * session storage works better, fixed some paths * axum-csp version thing * try a typedheader * better openssl config things * updating lockfile * http2 * actually sending JSON when we say we will! * just about to do something dumb * flargl * more yak shaving * So many clippy-isms, fixing up a query handler bleep bloop * So many clippy-isms, fixing up a query handler bleep bloop * fmt * all tests pass including basic web logins and nav * so much clippyism * stripping out old comments * fmt * commenty things * stripping out tide * updates * de-tiding things * fmt * adding optional header matching ,thanks @cuberoot74088 * oauth2 stuff to match #1807 but in axum * CLIPPY IS FINALLY SATED * moving scim from /v1/scim to /scim * one day clippy will make sense * cleanups * removing sketching middleware * cleanup, strip a broken test endpoint (routemap), more clippy * docs fmt * pulling axum-csp from the wrong cargo.toml * docs fmt * fmt fixes
2023-07-05 14:26:39 +02:00
.body(serde_json::json!({}).to_string())
.bearer_auth("Basic lolol")
.send()
.await
.expect("Failed to send token request.");
println!("{:?}", response);
OAuth2 Token Type (#3008) * fix(OAuth2): Invalid `token_type` for token introspection Fixes #3005 * fix(aut): `assert_eq` instead of `assert ==` * fix(OAuth2): IANA registry access token types * fix(OAuth2): deserialize case insensitively
2024-08-26 01:30:20 +02:00
assert_eq!(response.status(), StatusCode::UNSUPPORTED_MEDIA_TYPE);
Add the ability to configure and provide Oauth2 authentication for Kanidm. (#485)
2021-06-29 06:23:39 +02:00
}
Reference in a new issue Copy permalink