2024-05-16 08:07:56 +03:00
|
|
|
//go:build integration
|
|
|
|
|
|
|
|
package oidc_test
|
|
|
|
|
|
|
|
import (
|
2024-10-01 16:38:28 +02:00
|
|
|
"slices"
|
2024-05-16 08:07:56 +03:00
|
|
|
"testing"
|
2024-05-31 12:10:18 +02:00
|
|
|
"time"
|
2024-05-16 08:07:56 +03:00
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/client/profile"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/client/rp"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
2024-09-25 22:40:21 +03:00
|
|
|
"golang.org/x/oauth2"
|
2024-05-16 08:07:56 +03:00
|
|
|
|
|
|
|
oidc_api "github.com/zitadel/zitadel/internal/api/oidc"
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
2024-10-01 16:38:28 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/integration"
|
|
|
|
"github.com/zitadel/zitadel/pkg/grpc/auth"
|
2024-05-16 08:07:56 +03:00
|
|
|
)
|
|
|
|
|
|
|
|
func TestServer_JWTProfile(t *testing.T) {
|
2024-09-06 15:47:57 +03:00
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
user, name, keyData, err := Instance.CreateOIDCJWTProfileClient(CTX)
|
2024-05-16 08:07:56 +03:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
type claims struct {
|
2024-05-31 12:10:18 +02:00
|
|
|
name string
|
|
|
|
username string
|
|
|
|
updated time.Time
|
2024-05-16 08:07:56 +03:00
|
|
|
resourceOwnerID any
|
|
|
|
resourceOwnerName any
|
|
|
|
resourceOwnerPrimaryDomain any
|
|
|
|
orgDomain any
|
|
|
|
}
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
keyData []byte
|
|
|
|
scope []string
|
|
|
|
wantClaims claims
|
|
|
|
wantErr bool
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
name: "success",
|
|
|
|
keyData: keyData,
|
|
|
|
scope: []string{oidc.ScopeOpenID},
|
|
|
|
},
|
2024-05-31 12:10:18 +02:00
|
|
|
{
|
|
|
|
name: "openid, profile, email",
|
|
|
|
keyData: keyData,
|
|
|
|
scope: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
|
|
|
|
wantClaims: claims{
|
|
|
|
name: name,
|
|
|
|
username: name,
|
|
|
|
updated: user.GetDetails().GetChangeDate().AsTime(),
|
|
|
|
},
|
|
|
|
},
|
2024-10-01 16:38:28 +02:00
|
|
|
{
|
|
|
|
name: "openid, profile, email, zitadel",
|
|
|
|
keyData: keyData,
|
|
|
|
scope: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, domain.ProjectScopeZITADEL},
|
|
|
|
wantClaims: claims{
|
|
|
|
name: name,
|
|
|
|
username: name,
|
|
|
|
updated: user.GetDetails().GetChangeDate().AsTime(),
|
|
|
|
},
|
|
|
|
},
|
2024-05-16 08:07:56 +03:00
|
|
|
{
|
|
|
|
name: "org id and domain scope",
|
|
|
|
keyData: keyData,
|
|
|
|
scope: []string{
|
|
|
|
oidc.ScopeOpenID,
|
2024-09-06 15:47:57 +03:00
|
|
|
domain.OrgIDScope + Instance.DefaultOrg.Id,
|
|
|
|
domain.OrgDomainPrimaryScope + Instance.DefaultOrg.PrimaryDomain,
|
2024-05-16 08:07:56 +03:00
|
|
|
},
|
|
|
|
wantClaims: claims{
|
2024-09-06 15:47:57 +03:00
|
|
|
resourceOwnerID: Instance.DefaultOrg.Id,
|
|
|
|
resourceOwnerName: Instance.DefaultOrg.Name,
|
|
|
|
resourceOwnerPrimaryDomain: Instance.DefaultOrg.PrimaryDomain,
|
|
|
|
orgDomain: Instance.DefaultOrg.PrimaryDomain,
|
2024-05-16 08:07:56 +03:00
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "invalid org domain filtered",
|
|
|
|
keyData: keyData,
|
|
|
|
scope: []string{
|
|
|
|
oidc.ScopeOpenID,
|
2024-09-06 15:47:57 +03:00
|
|
|
domain.OrgDomainPrimaryScope + Instance.DefaultOrg.PrimaryDomain,
|
2024-05-16 08:07:56 +03:00
|
|
|
domain.OrgDomainPrimaryScope + "foo"},
|
|
|
|
wantClaims: claims{
|
2024-09-06 15:47:57 +03:00
|
|
|
orgDomain: Instance.DefaultOrg.PrimaryDomain,
|
2024-05-16 08:07:56 +03:00
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "invalid org id filtered",
|
|
|
|
keyData: keyData,
|
|
|
|
scope: []string{oidc.ScopeOpenID,
|
2024-09-06 15:47:57 +03:00
|
|
|
domain.OrgIDScope + Instance.DefaultOrg.Id,
|
2024-05-16 08:07:56 +03:00
|
|
|
domain.OrgIDScope + "foo",
|
|
|
|
},
|
|
|
|
wantClaims: claims{
|
2024-09-06 15:47:57 +03:00
|
|
|
resourceOwnerID: Instance.DefaultOrg.Id,
|
|
|
|
resourceOwnerName: Instance.DefaultOrg.Name,
|
|
|
|
resourceOwnerPrimaryDomain: Instance.DefaultOrg.PrimaryDomain,
|
2024-05-16 08:07:56 +03:00
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
2024-09-06 15:47:57 +03:00
|
|
|
tokenSource, err := profile.NewJWTProfileTokenSourceFromKeyFileData(CTX, Instance.OIDCIssuer(), tt.keyData, tt.scope)
|
2024-05-16 08:07:56 +03:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
2024-09-25 22:40:21 +03:00
|
|
|
var tokens *oauth2.Token
|
|
|
|
require.EventuallyWithT(
|
|
|
|
t, func(collect *assert.CollectT) {
|
|
|
|
tokens, err = tokenSource.TokenCtx(CTX)
|
|
|
|
if tt.wantErr {
|
|
|
|
assert.Error(collect, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
assert.NoError(collect, err)
|
|
|
|
assert.NotNil(collect, tokens)
|
|
|
|
},
|
|
|
|
time.Minute, time.Second,
|
|
|
|
)
|
2024-05-16 08:07:56 +03:00
|
|
|
|
2024-09-06 15:47:57 +03:00
|
|
|
provider, err := rp.NewRelyingPartyOIDC(CTX, Instance.OIDCIssuer(), "", "", redirectURI, tt.scope)
|
2024-05-16 08:07:56 +03:00
|
|
|
require.NoError(t, err)
|
2024-05-31 12:10:18 +02:00
|
|
|
userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, oidc.BearerToken, user.GetUserId(), provider)
|
2024-05-16 08:07:56 +03:00
|
|
|
require.NoError(t, err)
|
|
|
|
assert.Equal(t, tt.wantClaims.resourceOwnerID, userinfo.Claims[oidc_api.ClaimResourceOwnerID])
|
|
|
|
assert.Equal(t, tt.wantClaims.resourceOwnerName, userinfo.Claims[oidc_api.ClaimResourceOwnerName])
|
|
|
|
assert.Equal(t, tt.wantClaims.resourceOwnerPrimaryDomain, userinfo.Claims[oidc_api.ClaimResourceOwnerPrimaryDomain])
|
|
|
|
assert.Equal(t, tt.wantClaims.orgDomain, userinfo.Claims[domain.OrgDomainPrimaryClaim])
|
2024-05-31 12:10:18 +02:00
|
|
|
assert.Equal(t, tt.wantClaims.name, userinfo.Name)
|
|
|
|
assert.Equal(t, tt.wantClaims.username, userinfo.PreferredUsername)
|
|
|
|
assertOIDCTime(t, userinfo.UpdatedAt, tt.wantClaims.updated)
|
|
|
|
assert.Empty(t, userinfo.UserInfoProfile.FamilyName)
|
|
|
|
assert.Empty(t, userinfo.UserInfoProfile.GivenName)
|
|
|
|
assert.Empty(t, userinfo.UserInfoEmail)
|
|
|
|
assert.Empty(t, userinfo.UserInfoPhone)
|
|
|
|
assert.Empty(t, userinfo.Address)
|
2024-10-01 16:38:28 +02:00
|
|
|
|
|
|
|
_, err = Instance.Client.Auth.GetMyUser(integration.WithAuthorizationToken(CTX, tokens.AccessToken), &auth.GetMyUserRequest{})
|
|
|
|
if slices.Contains(tt.scope, domain.ProjectScopeZITADEL) {
|
|
|
|
require.NoError(t, err)
|
|
|
|
} else {
|
|
|
|
require.Error(t, err)
|
|
|
|
}
|
2024-05-16 08:07:56 +03:00
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|