(t *testing.T)
| 30 | ) |
| 31 | |
| 32 | func TestClientCredentials(t *testing.T) { |
| 33 | t.Parallel() |
| 34 | |
| 35 | ctx := context.Background() |
| 36 | reg := testhelpers.NewRegistryMemory(t, driver.WithConfigOptions(configx.WithValue(config.KeyAccessTokenStrategy, "opaque"))) |
| 37 | public, admin := testhelpers.NewOAuth2Server(ctx, t, reg) |
| 38 | |
| 39 | var newCustomClient = func(t *testing.T, c *hc.Client) (*hc.Client, clientcredentials.Config) { |
| 40 | unhashedSecret := c.Secret |
| 41 | require.NoError(t, reg.ClientManager().CreateClient(ctx, c)) |
| 42 | return c, clientcredentials.Config{ |
| 43 | ClientID: c.GetID(), |
| 44 | ClientSecret: unhashedSecret, |
| 45 | TokenURL: reg.Config().OAuth2TokenURL(ctx).String(), |
| 46 | Scopes: strings.Split(c.Scope, " "), |
| 47 | EndpointParams: url.Values{"audience": c.Audience}, |
| 48 | } |
| 49 | } |
| 50 | |
| 51 | var newClient = func(t *testing.T) (*hc.Client, clientcredentials.Config) { |
| 52 | return newCustomClient(t, &hc.Client{ |
| 53 | Secret: uuid.Must(uuid.NewV4()).String(), |
| 54 | RedirectURIs: []string{public.URL + "/callback"}, |
| 55 | ResponseTypes: []string{"token"}, |
| 56 | GrantTypes: []string{"client_credentials"}, |
| 57 | Scope: "foobar", |
| 58 | Audience: []string{"https://api.ory.sh/"}, |
| 59 | }) |
| 60 | } |
| 61 | |
| 62 | var getToken = func(t *testing.T, conf clientcredentials.Config) (*goauth2.Token, error) { |
| 63 | conf.AuthStyle = goauth2.AuthStyleInHeader |
| 64 | return conf.Token(context.Background()) |
| 65 | } |
| 66 | |
| 67 | var encodeOr = func(t *testing.T, val interface{}, or string) string { |
| 68 | out, err := json.Marshal(val) |
| 69 | require.NoError(t, err) |
| 70 | if string(out) == "null" { |
| 71 | return or |
| 72 | } |
| 73 | |
| 74 | return string(out) |
| 75 | } |
| 76 | |
| 77 | var inspectToken = func(t *testing.T, token *goauth2.Token, cl *hc.Client, conf clientcredentials.Config, strategy string, expectedExp time.Time, checkExtraClaims bool) { |
| 78 | introspection := testhelpers.IntrospectToken(t, token.AccessToken, admin) |
| 79 | |
| 80 | check := func(res gjson.Result) { |
| 81 | assert.EqualValues(t, cl.GetID(), res.Get("client_id").String(), "%s", res.Raw) |
| 82 | assert.EqualValues(t, cl.GetID(), res.Get("sub").String(), "%s", res.Raw) |
| 83 | assert.EqualValues(t, reg.Config().IssuerURL(ctx).String(), res.Get("iss").String(), "%s", res.Raw) |
| 84 | |
| 85 | assert.EqualValues(t, res.Get("nbf").Int(), res.Get("iat").Int(), "%s", res.Raw) |
| 86 | assert.WithinDuration(t, expectedExp, time.Unix(res.Get("exp").Int(), 0), 2*time.Second) |
| 87 | |
| 88 | assert.EqualValues(t, encodeOr(t, conf.EndpointParams["audience"], "[]"), res.Get("aud").Raw, "%s", res.Raw) |
| 89 |