nimbus no longer permits scope param in token requests
jksolbakken committed Jan 30, 2024
1 parent a2106d0 commit c960757
Showing 11 changed files with 16 additions and 26 deletions.
2 changes: 1 addition & 1 deletion build.gradle.kts
Expand Up @@ -4,7 +4,7 @@ import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask
val assertjVersion = "3.25.2"
val kotlinLoggingVersion = "3.0.5"
val logbackVersion = "1.4.14"
val nimbusSdkVersion = "11.9.1"
val nimbusSdkVersion = "11.7"
val mockWebServerVersion = "4.12.0"
val jacksonVersion = "2.16.1"
val nettyVersion = "4.1.106.Final"
Expand Up @@ -66,6 +66,7 @@ class SessionManager {
null
},
)

companion object {
const val DEBUGGER_SESSION_COOKIE = "debugger-session"
}
Expand Up @@ -102,11 +102,12 @@ MockWebServerWrapper

override fun port(): Int = mockWebServer.port

override fun url(path: String): HttpUrl = mockWebServer
.url(path)
.newBuilder()
.host(address?.hostName ?: mockWebServer.hostName)
.build()
override fun url(path: String): HttpUrl =
mockWebServer
.url(path)
.newBuilder()
.host(address?.hostName ?: mockWebServer.hostName)
.build()

override fun sslConfig(): Ssl? = ssl

Expand Up @@ -90,7 +90,6 @@ class InteractiveLoginIntegrationTest {
"client_id" to "client1",
"client_secret" to "secret",
"grant_type" to "authorization_code",
"scope" to "openid scope1",
"redirect_uri" to "http://mycallback",
"code" to authCode,
),
Expand Up @@ -115,7 +115,6 @@ class MockOAuth2ServerIntegrationTest {
"client_id" to "client1",
"client_secret" to "secret",
"grant_type" to "authorization_code",
"scope" to "openid scope1",
"redirect_uri" to "http://mycallback",
"code" to "1234",
),
Expand Up @@ -56,17 +56,15 @@ class OidcAuthorizationCodeGrantIntegrationTest {
"client_id" to "client1",
"client_secret" to "secret",
"grant_type" to "authorization_code",
"scope" to "openid scope1",
"redirect_uri" to "http://mycallback",
"code" to code,
),
).toTokenResponse().asClue {
it.accessToken shouldNotBe null
it.idToken shouldNotBe null
it.expiresIn shouldBeGreaterThan 0
it.scope shouldBe "openid scope1"
it.idToken?.audience shouldContainExactly listOf("client1")
it.accessToken?.audience shouldContainExactly listOf("scope1")
it.accessToken?.audience shouldContainExactly listOf("default")
}
}

Expand All @@ -90,17 +88,15 @@ class OidcAuthorizationCodeGrantIntegrationTest {
"client_id" to "client1",
"client_secret" to "secret",
"grant_type" to "authorization_code",
"scope" to "openid scope1",
"redirect_uri" to "http://mycallback",
"code" to code,
),
).toTokenResponse().asClue {
it.accessToken shouldNotBe null
it.idToken shouldNotBe null
it.expiresIn shouldBeGreaterThan 0
it.scope shouldBe "openid scope1"
it.idToken?.audience shouldContainExactly listOf("client1")
it.accessToken?.audience shouldContainExactly listOf("scope1")
it.accessToken?.audience shouldContainExactly listOf("default")
it.idToken?.subject shouldBe "foo"
}
server.shutdown()
Expand Down Expand Up @@ -152,7 +148,6 @@ class OidcAuthorizationCodeGrantIntegrationTest {
"client_id" to "client1",
"client_secret" to "secret",
"grant_type" to "authorization_code",
"scope" to "openid scope1",
"redirect_uri" to "http://mycallback",
"code" to code,
).apply {
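Review bot: Both rewritten assertion blocks drop `it.scope shouldBe "openid scope1"` without replacing it, so the scope the mock server returns in the token response is no longer verified anywhere in this test; since the commit only removes `scope` from the token request, the authorization request presumably still carries it, and the test should pin whatever value the server echoes back (e.g. `it.scope shouldBe "openid scope1"` if that still holds, or the new expected value). The audience expectation also moves from `listOf("scope1")` to `listOf("default")`, which suggests the access token's `aud` no longer tracks the requested scope at all rather than the test merely losing a parameter — that is a behaviour change for consumers relying on scope-derived audiences and deserves a one-line comment on the assertion naming the default the callback now applies, e.g. `// scope no longer sent on the token request; DefaultOAuth2TokenCallback falls back to the "default" audience`. The third hunk's `tokenRequest(...).apply {` block continues past the end of the section, so whatever it asserts is not visible here.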
Expand Up @@ -50,7 +50,6 @@ class RefreshTokenGrantIntegrationTest {
"code" to authorizationCode,
"client_id" to "id",
"client_secret" to "secret",
"scope" to "openid",
"redirect_uri" to "http://something",
),
).toTokenResponse()
Expand Up @@ -71,7 +71,6 @@ class RevocationIntegrationTest {
"code" to authorizationCode,
"client_id" to "id",
"client_secret" to "secret",
"scope" to "openid",
"redirect_uri" to "http://something",
),
).toTokenResponse()
Expand Up @@ -32,7 +32,6 @@ class ExampleAppWithOpenIdConnect(oidcDiscoveryUrl: String) : AbstractExampleApp
.post(
FormBody.Builder()
.add("client_id", "client1")
.add("scope", authenticationRequest().scope.toString())
.add("code", code)
.add("redirect_uri", exampleApp.url("/callback").toString())
.add("grant_type", "authorization_code")
Expand Up @@ -122,7 +122,6 @@ internal class AuthorizationCodeHandlerTest {
private fun tokenRequest(
code: String,
redirectUri: String = "http://redirect",
scope: String = "openid",
): OAuth2HttpRequest {
return OAuth2HttpRequest(
headers = Headers.headersOf("Content-Type", "application/x-www-form-urlencoded"),
Expand All @@ -133,8 +132,7 @@ internal class AuthorizationCodeHandlerTest {
"client_id=client1&" +
"client_secret=secret&" +
"code=$code&" +
"redirect_uri=$redirectUri&" +
"scope=$scope",
"redirect_uri=$redirectUri&"
)
}
}
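Review bot: The rebuilt form body now ends with a dangling `&`: `"redirect_uri=$redirectUri&"` used to be followed by the `scope=$scope` pair and the separator survived the deletion. A trailing empty pair is tolerated by lenient parsers but is not a well-formed `application/x-www-form-urlencoded` body, so the handler under test is being exercised with slightly malformed input; drop it with `"redirect_uri=$redirectUri"`. Removing the `scope` default parameter from `tokenRequest` is also a signature change, so any caller in this file still passing `scope =` will stop compiling — none are visible in the hunk.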
Expand Up @@ -94,7 +94,7 @@ internal class OAuth2TokenCallbackTest {

@Test
fun `token request with request params matching wildcard requestmapping should return default claims from callback`() {
val shouldMatchAllGrantTypes = authCodeRequest("scope" to "openid scope1")
val shouldMatchAllGrantTypes = authCodeRequest()
assertSoftly {
issuer1.subject(shouldMatchAllGrantTypes) shouldBe "defaultSub"
issuer1.audience(shouldMatchAllGrantTypes) shouldBe listOf("defaultAud")
Expand Down Expand Up @@ -138,14 +138,14 @@ internal class OAuth2TokenCallbackTest {

@Test
fun `oidc auth code token request should return scopes not in OIDC from audience in callback`() {
authCodeRequest("scope" to "openid").let { tokenRequest ->
authCodeRequest().let { tokenRequest ->
DefaultOAuth2TokenCallback().asClue {
it.audience(tokenRequest) shouldBe emptyList()
it.audience(tokenRequest) shouldBe listOf("default")
}
}
authCodeRequest("scope" to "openid scope1").let { tokenRequest ->
authCodeRequest().let { tokenRequest ->
DefaultOAuth2TokenCallback().asClue {
it.audience(tokenRequest) shouldBe listOf("scope1")
it.audience(tokenRequest) shouldBe listOf("default")
}
}
}
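Review bot: After this change the test named `oidc auth code token request should return scopes not in OIDC from audience in callback` issues the identical `authCodeRequest()` twice and asserts `listOf("default")` both times, so it no longer exercises the scope-to-audience mapping its name describes and the second `let` block is a pure duplicate. Either rename it to what it now checks, e.g. `` `auth code token request without scope should return default audience` ``, and delete the second block, or — if the SDK now expects the scope on the authorization request rather than the token request — build the request that way so the `scope1` → audience case keeps its coverage. Losing that case silently is worth flagging because an `aud` that no longer follows the requested scope changes what downstream token validators in tests will accept. The test body is complete within the hunk.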