2023-07-14 11:16:16 +00:00
|
|
|
//go:build integration
|
|
|
|
|
|
|
|
|
|
package oidc_test
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
"os"
|
|
|
|
|
"testing"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
|
"github.com/stretchr/testify/require"
|
2023-10-17 15:19:51 +00:00
|
|
|
"github.com/zitadel/oidc/v3/pkg/client/rp"
|
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
2023-07-14 11:16:16 +00:00
|
|
|
"google.golang.org/grpc/metadata"
|
|
|
|
|
|
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/integration"
|
|
|
|
|
"github.com/zitadel/zitadel/pkg/grpc/auth"
|
2024-05-28 08:59:49 +00:00
|
|
|
mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
|
2023-09-13 12:43:01 +00:00
|
|
|
oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta"
|
|
|
|
|
session "github.com/zitadel/zitadel/pkg/grpc/session/v2beta"
|
|
|
|
|
user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"
|
2023-07-14 11:16:16 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
CTX context.Context
|
|
|
|
|
CTXLOGIN context.Context
|
2024-05-28 08:59:49 +00:00
|
|
|
CTXIAM context.Context
|
2023-07-14 11:16:16 +00:00
|
|
|
Tester *integration.Tester
|
|
|
|
|
User *user.AddHumanUserResponse
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
2023-12-05 17:01:03 +00:00
|
|
|
redirectURI = "https://callback"
|
2023-07-14 11:16:16 +00:00
|
|
|
redirectURIImplicit = "http://localhost:9999/callback"
|
2023-12-05 17:01:03 +00:00
|
|
|
logoutRedirectURI = "https://logged-out"
|
2023-07-14 11:16:16 +00:00
|
|
|
zitadelAudienceScope = domain.ProjectIDScope + domain.ProjectIDScopeZITADEL + domain.AudSuffix
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestMain(m *testing.M) {
|
|
|
|
|
os.Exit(func() int {
|
2024-04-09 13:15:35 +00:00
|
|
|
ctx, _, cancel := integration.Contexts(10 * time.Minute)
|
2023-07-14 11:16:16 +00:00
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
|
|
Tester = integration.NewTester(ctx)
|
|
|
|
|
defer Tester.Done()
|
|
|
|
|
|
2024-04-09 13:15:35 +00:00
|
|
|
CTX = Tester.WithAuthorization(ctx, integration.OrgOwner)
|
2023-07-14 11:16:16 +00:00
|
|
|
User = Tester.CreateHumanUser(CTX)
|
2024-03-28 06:21:21 +00:00
|
|
|
Tester.SetUserPassword(CTX, User.GetUserId(), integration.UserPassword, false)
|
2023-07-14 11:16:16 +00:00
|
|
|
Tester.RegisterUserPasskey(CTX, User.GetUserId())
|
2024-04-09 13:15:35 +00:00
|
|
|
CTXLOGIN = Tester.WithAuthorization(ctx, integration.Login)
|
2024-05-28 08:59:49 +00:00
|
|
|
CTXIAM = Tester.WithAuthorization(ctx, integration.IAMOwner)
|
2023-07-14 11:16:16 +00:00
|
|
|
return m.Run()
|
|
|
|
|
}())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_ZITADEL_API_missing_audience_scope(t *testing.T) {
|
2024-04-09 13:15:35 +00:00
|
|
|
clientID, _ := createClient(t)
|
2023-07-14 11:16:16 +00:00
|
|
|
authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID)
|
2023-11-06 09:48:28 +00:00
|
|
|
sessionID, sessionToken, startTime, changeTime := Tester.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
|
2023-07-14 11:16:16 +00:00
|
|
|
linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
|
|
|
|
|
AuthRequestId: authRequestID,
|
|
|
|
|
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
|
|
|
|
|
Session: &oidc_pb.Session{
|
|
|
|
|
SessionId: sessionID,
|
|
|
|
|
SessionToken: sessionToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// code exchange
|
|
|
|
|
code := assertCodeResponse(t, linkResp.GetCallbackUrl())
|
2024-01-18 06:10:49 +00:00
|
|
|
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
|
2023-07-14 11:16:16 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assertTokens(t, tokens, false)
|
2024-05-31 10:10:18 +00:00
|
|
|
assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
|
2023-07-14 11:16:16 +00:00
|
|
|
|
|
|
|
|
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
|
|
|
|
|
|
|
|
|
|
myUserResp, err := Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
require.Nil(t, myUserResp)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Test_ZITADEL_API_missing_authentication(t *testing.T) {
|
2024-04-09 13:15:35 +00:00
|
|
|
clientID, _ := createClient(t)
|
2023-07-14 11:16:16 +00:00
|
|
|
authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope)
|
|
|
|
|
createResp, err := Tester.Client.SessionV2.CreateSession(CTX, &session.CreateSessionRequest{
|
|
|
|
|
Checks: &session.Checks{
|
|
|
|
|
User: &session.CheckUser{
|
|
|
|
|
Search: &session.CheckUser_UserId{UserId: User.GetUserId()},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
|
|
|
|
|
AuthRequestId: authRequestID,
|
|
|
|
|
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
|
|
|
|
|
Session: &oidc_pb.Session{
|
|
|
|
|
SessionId: createResp.GetSessionId(),
|
|
|
|
|
SessionToken: createResp.GetSessionToken(),
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// code exchange
|
|
|
|
|
code := assertCodeResponse(t, linkResp.GetCallbackUrl())
|
2024-01-18 06:10:49 +00:00
|
|
|
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
|
2023-07-14 11:16:16 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
|
|
|
|
|
|
|
|
|
|
myUserResp, err := Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
require.Nil(t, myUserResp)
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-28 08:59:49 +00:00
|
|
|
func Test_ZITADEL_API_missing_mfa_policy(t *testing.T) {
|
|
|
|
|
clientID, _ := createClient(t)
|
|
|
|
|
org := Tester.CreateOrganization(CTXIAM, fmt.Sprintf("ZITADEL_API_MISSING_MFA_%d", time.Now().UnixNano()), fmt.Sprintf("%d@mouse.com", time.Now().UnixNano()))
|
|
|
|
|
userID := org.CreatedAdmins[0].GetUserId()
|
|
|
|
|
Tester.SetUserPassword(CTXIAM, userID, integration.UserPassword, false)
|
|
|
|
|
authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope)
|
|
|
|
|
sessionID, sessionToken, startTime, changeTime := Tester.CreatePasswordSession(t, CTXLOGIN, userID, integration.UserPassword)
|
|
|
|
|
linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
|
|
|
|
|
AuthRequestId: authRequestID,
|
|
|
|
|
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
|
|
|
|
|
Session: &oidc_pb.Session{
|
|
|
|
|
SessionId: sessionID,
|
|
|
|
|
SessionToken: sessionToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// code exchange
|
|
|
|
|
code := assertCodeResponse(t, linkResp.GetCallbackUrl())
|
|
|
|
|
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
|
|
|
|
|
require.NoError(t, err)
|
2024-05-31 10:10:18 +00:00
|
|
|
assertIDTokenClaims(t, tokens.IDTokenClaims, userID, armPassword, startTime, changeTime, sessionID)
|
2024-05-28 08:59:49 +00:00
|
|
|
|
|
|
|
|
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
|
|
|
|
|
|
|
|
|
|
// pre check if request would succeed
|
|
|
|
|
myUserResp, err := Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
require.Equal(t, userID, myUserResp.GetUser().GetId())
|
|
|
|
|
|
|
|
|
|
// require MFA
|
|
|
|
|
ctxOrg := metadata.AppendToOutgoingContext(CTXIAM, "x-zitadel-orgid", org.GetOrganizationId())
|
|
|
|
|
_, err = Tester.Client.Mgmt.AddCustomLoginPolicy(ctxOrg, &mgmt.AddCustomLoginPolicyRequest{
|
|
|
|
|
ForceMfa: true,
|
|
|
|
|
})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// make sure policy is projected
|
|
|
|
|
retryDuration := 5 * time.Second
|
|
|
|
|
if ctxDeadline, ok := CTX.Deadline(); ok {
|
|
|
|
|
retryDuration = time.Until(ctxDeadline)
|
|
|
|
|
}
|
|
|
|
|
require.EventuallyWithT(t, func(ttt *assert.CollectT) {
|
|
|
|
|
got, getErr := Tester.Client.Mgmt.GetLoginPolicy(ctxOrg, &mgmt.GetLoginPolicyRequest{})
|
|
|
|
|
assert.NoError(ttt, getErr)
|
|
|
|
|
assert.False(ttt, got.GetPolicy().IsDefault)
|
|
|
|
|
|
|
|
|
|
}, retryDuration, time.Millisecond*100, "timeout waiting for login policy")
|
|
|
|
|
|
|
|
|
|
// now it must fail
|
|
|
|
|
myUserResp, err = Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
require.Nil(t, myUserResp)
|
|
|
|
|
}
|
|
|
|
|
|
2023-07-14 11:16:16 +00:00
|
|
|
func Test_ZITADEL_API_success(t *testing.T) {
|
2024-04-09 13:15:35 +00:00
|
|
|
clientID, _ := createClient(t)
|
2023-07-14 11:16:16 +00:00
|
|
|
authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope)
|
2023-11-06 09:48:28 +00:00
|
|
|
sessionID, sessionToken, startTime, changeTime := Tester.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
|
2023-07-14 11:16:16 +00:00
|
|
|
linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
|
|
|
|
|
AuthRequestId: authRequestID,
|
|
|
|
|
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
|
|
|
|
|
Session: &oidc_pb.Session{
|
|
|
|
|
SessionId: sessionID,
|
|
|
|
|
SessionToken: sessionToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// code exchange
|
|
|
|
|
code := assertCodeResponse(t, linkResp.GetCallbackUrl())
|
2024-01-18 06:10:49 +00:00
|
|
|
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
|
2023-07-14 11:16:16 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assertTokens(t, tokens, false)
|
2024-05-31 10:10:18 +00:00
|
|
|
assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
|
2023-07-14 11:16:16 +00:00
|
|
|
|
|
|
|
|
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
|
|
|
|
|
|
|
|
|
|
myUserResp, err := Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
require.Equal(t, User.GetUserId(), myUserResp.GetUser().GetId())
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-28 09:25:18 +00:00
|
|
|
func Test_ZITADEL_API_glob_redirects(t *testing.T) {
|
|
|
|
|
const redirectURI = "https://my-org-1yfnjl2xj-my-app.vercel.app/api/auth/callback/zitadel"
|
2024-04-09 13:15:35 +00:00
|
|
|
clientID, _ := createClientWithOpts(t, clientOpts{
|
2023-12-28 09:25:18 +00:00
|
|
|
redirectURI: "https://my-org-*-my-app.vercel.app/api/auth/callback/zitadel",
|
|
|
|
|
logoutURI: "https://my-org-*-my-app.vercel.app/",
|
|
|
|
|
devMode: true,
|
|
|
|
|
})
|
|
|
|
|
authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope)
|
|
|
|
|
sessionID, sessionToken, startTime, changeTime := Tester.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
|
|
|
|
|
linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
|
|
|
|
|
AuthRequestId: authRequestID,
|
|
|
|
|
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
|
|
|
|
|
Session: &oidc_pb.Session{
|
|
|
|
|
SessionId: sessionID,
|
|
|
|
|
SessionToken: sessionToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// code exchange
|
|
|
|
|
code := assertCodeResponse(t, linkResp.GetCallbackUrl())
|
2024-01-18 06:10:49 +00:00
|
|
|
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
|
2023-12-28 09:25:18 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assertTokens(t, tokens, false)
|
2024-05-31 10:10:18 +00:00
|
|
|
assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
|
2023-12-28 09:25:18 +00:00
|
|
|
|
|
|
|
|
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
|
|
|
|
|
|
|
|
|
|
myUserResp, err := Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
require.Equal(t, User.GetUserId(), myUserResp.GetUser().GetId())
|
|
|
|
|
}
|
|
|
|
|
|
2023-07-14 11:16:16 +00:00
|
|
|
func Test_ZITADEL_API_inactive_access_token(t *testing.T) {
|
2024-04-09 13:15:35 +00:00
|
|
|
clientID, _ := createClient(t)
|
2023-07-14 11:16:16 +00:00
|
|
|
authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess, zitadelAudienceScope)
|
2023-11-06 09:48:28 +00:00
|
|
|
sessionID, sessionToken, startTime, changeTime := Tester.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
|
2023-07-14 11:16:16 +00:00
|
|
|
linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
|
|
|
|
|
AuthRequestId: authRequestID,
|
|
|
|
|
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
|
|
|
|
|
Session: &oidc_pb.Session{
|
|
|
|
|
SessionId: sessionID,
|
|
|
|
|
SessionToken: sessionToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// code exchange
|
|
|
|
|
code := assertCodeResponse(t, linkResp.GetCallbackUrl())
|
2024-01-18 06:10:49 +00:00
|
|
|
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
|
2023-07-14 11:16:16 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assertTokens(t, tokens, true)
|
2024-05-31 10:10:18 +00:00
|
|
|
assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
|
2023-07-14 11:16:16 +00:00
|
|
|
|
|
|
|
|
// make sure token works
|
|
|
|
|
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
|
|
|
|
|
myUserResp, err := Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
require.Equal(t, User.GetUserId(), myUserResp.GetUser().GetId())
|
|
|
|
|
|
|
|
|
|
// refresh token
|
|
|
|
|
newTokens, err := refreshTokens(t, clientID, tokens.RefreshToken)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.NotEmpty(t, newTokens.AccessToken)
|
|
|
|
|
|
|
|
|
|
// use invalidated token
|
|
|
|
|
ctx = metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
|
|
|
|
|
myUserResp, err = Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
require.Nil(t, myUserResp)
|
|
|
|
|
}
|
|
|
|
|
|
2023-07-19 11:17:39 +00:00
|
|
|
func Test_ZITADEL_API_terminated_session(t *testing.T) {
|
2024-04-09 13:15:35 +00:00
|
|
|
clientID, _ := createClient(t)
|
2023-10-17 15:19:51 +00:00
|
|
|
provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
|
2023-07-19 11:17:39 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess, zitadelAudienceScope)
|
2023-11-06 09:48:28 +00:00
|
|
|
sessionID, sessionToken, startTime, changeTime := Tester.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
|
2023-07-19 11:17:39 +00:00
|
|
|
linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
|
|
|
|
|
AuthRequestId: authRequestID,
|
|
|
|
|
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
|
|
|
|
|
Session: &oidc_pb.Session{
|
|
|
|
|
SessionId: sessionID,
|
|
|
|
|
SessionToken: sessionToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// code exchange
|
|
|
|
|
code := assertCodeResponse(t, linkResp.GetCallbackUrl())
|
2024-01-18 06:10:49 +00:00
|
|
|
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
|
2023-07-19 11:17:39 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assertTokens(t, tokens, true)
|
2024-05-31 10:10:18 +00:00
|
|
|
assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
|
2023-07-19 11:17:39 +00:00
|
|
|
|
|
|
|
|
// make sure token works
|
|
|
|
|
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
|
|
|
|
|
myUserResp, err := Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
require.Equal(t, User.GetUserId(), myUserResp.GetUser().GetId())
|
|
|
|
|
|
2024-02-28 09:30:05 +00:00
|
|
|
// end session
|
2023-10-17 15:19:51 +00:00
|
|
|
postLogoutRedirect, err := rp.EndSession(CTX, provider, tokens.IDToken, logoutRedirectURI, "state")
|
2023-07-19 11:17:39 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, logoutRedirectURI+"?state=state", postLogoutRedirect.String())
|
|
|
|
|
|
|
|
|
|
// use token from terminated session
|
|
|
|
|
ctx = metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
|
|
|
|
|
myUserResp, err = Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
require.Nil(t, myUserResp)
|
|
|
|
|
}
|
|
|
|
|
|
2024-02-28 09:30:05 +00:00
|
|
|
func Test_ZITADEL_API_terminated_session_user_disabled(t *testing.T) {
|
2024-04-09 13:15:35 +00:00
|
|
|
clientID, _ := createClient(t)
|
2024-02-28 09:30:05 +00:00
|
|
|
tests := []struct {
|
|
|
|
|
name string
|
|
|
|
|
disable func(userID string) error
|
|
|
|
|
}{
|
|
|
|
|
{
|
|
|
|
|
name: "deactivated",
|
|
|
|
|
disable: func(userID string) error {
|
|
|
|
|
_, err := Tester.Client.UserV2.DeactivateUser(CTX, &user.DeactivateUserRequest{UserId: userID})
|
|
|
|
|
return err
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "locked",
|
|
|
|
|
disable: func(userID string) error {
|
|
|
|
|
_, err := Tester.Client.UserV2.LockUser(CTX, &user.LockUserRequest{UserId: userID})
|
|
|
|
|
return err
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
name: "deleted",
|
|
|
|
|
disable: func(userID string) error {
|
|
|
|
|
_, err := Tester.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: userID})
|
|
|
|
|
return err
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
disabledUser := Tester.CreateHumanUser(CTX)
|
2024-03-28 06:21:21 +00:00
|
|
|
Tester.SetUserPassword(CTX, disabledUser.GetUserId(), integration.UserPassword, false)
|
2024-02-28 09:30:05 +00:00
|
|
|
authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess, zitadelAudienceScope)
|
|
|
|
|
sessionID, sessionToken, startTime, changeTime := Tester.CreatePasswordSession(t, CTXLOGIN, disabledUser.GetUserId(), integration.UserPassword)
|
|
|
|
|
linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
|
|
|
|
|
AuthRequestId: authRequestID,
|
|
|
|
|
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
|
|
|
|
|
Session: &oidc_pb.Session{
|
|
|
|
|
SessionId: sessionID,
|
|
|
|
|
SessionToken: sessionToken,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// code exchange
|
|
|
|
|
code := assertCodeResponse(t, linkResp.GetCallbackUrl())
|
|
|
|
|
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assertTokens(t, tokens, true)
|
2024-05-31 10:10:18 +00:00
|
|
|
assertIDTokenClaims(t, tokens.IDTokenClaims, disabledUser.GetUserId(), armPassword, startTime, changeTime, sessionID)
|
2024-02-28 09:30:05 +00:00
|
|
|
|
|
|
|
|
// make sure token works
|
|
|
|
|
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
|
|
|
|
|
myUserResp, err := Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
require.Equal(t, disabledUser.GetUserId(), myUserResp.GetUser().GetId())
|
|
|
|
|
|
|
|
|
|
// deactivate user
|
|
|
|
|
err = tt.disable(disabledUser.GetUserId())
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// use token from deactivated user
|
|
|
|
|
ctx = metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
|
|
|
|
|
myUserResp, err = Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
require.Nil(t, myUserResp)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-09 13:15:35 +00:00
|
|
|
func createClient(t testing.TB) (clientID, projectID string) {
|
2023-12-28 09:25:18 +00:00
|
|
|
return createClientWithOpts(t, clientOpts{
|
|
|
|
|
redirectURI: redirectURI,
|
|
|
|
|
logoutURI: logoutRedirectURI,
|
|
|
|
|
devMode: false,
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type clientOpts struct {
|
|
|
|
|
redirectURI string
|
|
|
|
|
logoutURI string
|
|
|
|
|
devMode bool
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-09 13:15:35 +00:00
|
|
|
func createClientWithOpts(t testing.TB, opts clientOpts) (clientID, projectID string) {
|
2023-07-14 11:16:16 +00:00
|
|
|
project, err := Tester.CreateProject(CTX)
|
|
|
|
|
require.NoError(t, err)
|
2023-12-28 09:25:18 +00:00
|
|
|
app, err := Tester.CreateOIDCNativeClient(CTX, opts.redirectURI, opts.logoutURI, project.GetId(), opts.devMode)
|
2023-07-14 11:16:16 +00:00
|
|
|
require.NoError(t, err)
|
2024-04-09 13:15:35 +00:00
|
|
|
return app.GetClientId(), project.GetId()
|
2023-07-14 11:16:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func createImplicitClient(t testing.TB) string {
|
|
|
|
|
app, err := Tester.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
return app.GetClientId()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func createAuthRequest(t testing.TB, clientID, redirectURI string, scope ...string) string {
|
2023-10-17 15:19:51 +00:00
|
|
|
redURL, err := Tester.CreateOIDCAuthRequest(CTX, clientID, Tester.Users[integration.FirstInstanceUsersKey][integration.Login].ID, redirectURI, scope...)
|
2023-07-14 11:16:16 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
return redURL
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func createAuthRequestImplicit(t testing.TB, clientID, redirectURI string, scope ...string) string {
|
2023-10-17 15:19:51 +00:00
|
|
|
redURL, err := Tester.CreateOIDCAuthRequestImplicit(CTX, clientID, Tester.Users[integration.FirstInstanceUsersKey][integration.Login].ID, redirectURI, scope...)
|
2023-07-14 11:16:16 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
return redURL
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func assertOIDCTime(t *testing.T, actual oidc.Time, expected time.Time) {
|
|
|
|
|
assertOIDCTimeRange(t, actual, expected, expected)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func assertOIDCTimeRange(t *testing.T, actual oidc.Time, expectedStart, expectedEnd time.Time) {
|
|
|
|
|
assert.WithinRange(t, actual.AsTime(), expectedStart.Add(-1*time.Second), expectedEnd.Add(1*time.Second))
|
|
|
|
|
}
|
