From cda7dd7782b189732842e3a341236073fceddb3c Mon Sep 17 00:00:00 2001 From: James Elliott Date: Mon, 22 Jul 2024 23:34:50 +1000 Subject: [PATCH] refactor(jar): use uniform naming --- authorize_request_handler.go | 2 +- ...orize_request_handler_oidc_request_test.go | 62 ++++----- client.go | 44 ++++--- client_authentication.go | 4 +- client_authentication_test.go | 118 +++++++++--------- 5 files changed, 117 insertions(+), 113 deletions(-) diff --git a/authorize_request_handler.go b/authorize_request_handler.go index 34e3eb96..6bd8b451 100644 --- a/authorize_request_handler.go +++ b/authorize_request_handler.go @@ -52,7 +52,7 @@ func (f *Fosite) authorizeRequestParametersFromOpenIDConnectRequestObject(ctx co parameter = consts.FormParameterRequestURI } - client, ok := request.Client.(JWTSecuredAuthorizationRequestClient) + client, ok := request.Client.(JARClient) if !ok { if nrequestURI > 0 { return errorsx.WithStack(ErrRequestURINotSupported.WithHintf(hintRequestObjectClientCapabilities, hintRequestObjectPrefix(openid), parameter).WithDebugf("The OAuth 2.0 client with id '%s' doesn't implement the correct functionality for this request.", request.GetClient().GetID())) diff --git a/authorize_request_handler_oidc_request_test.go b/authorize_request_handler_oidc_request_test.go index fd0152df..7d957d1b 100644 --- a/authorize_request_handler_oidc_request_test.go +++ b/authorize_request_handler_oidc_request_test.go @@ -109,7 +109,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldPassRequest", have: url.Values{consts.FormParameterScope: {"foo openid"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterRequest: {assertionRequestObjectValid}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterScope: {"foo openid"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterResponseMode: {consts.ResponseModeFormPost}, consts.FormParameterRequest: {assertionRequestObjectValid}, "foo": {"bar"}, "baz": {"baz"}}, }, { @@ -131,7 +131,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestAndRequestURI", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterRequest: {"foo"}, consts.FormParameterRequestURI: {"foo"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}}, - client: &DefaultJWTSecuredAuthorizationRequest{RequestObjectSigningAlg: "", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{RequestObjectSigningAlg: "", DefaultClient: &DefaultClient{ID: "foo"}}, par: true, expected: url.Values{consts.FormParameterRequest: {"foo"}}, err: ErrInvalidRequest, @@ -140,7 +140,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestMissingResponseType", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterRequest: {"foo"}, consts.FormParameterClientID: {"foo"}}, - client: &DefaultJWTSecuredAuthorizationRequest{RequestObjectSigningAlg: "", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{RequestObjectSigningAlg: "", DefaultClient: &DefaultClient{ID: "foo"}}, par: true, expected: url.Values{consts.FormParameterRequest: {"foo"}}, err: ErrInvalidRequest, @@ -149,7 +149,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestMissingClientID", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterRequest: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}}, - client: &DefaultJWTSecuredAuthorizationRequest{RequestObjectSigningAlg: "", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{RequestObjectSigningAlg: "", DefaultClient: &DefaultClient{ID: "foo"}}, par: true, expected: url.Values{consts.FormParameterRequest: {"foo"}}, err: ErrInvalidRequest, @@ -158,7 +158,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestURIWithPAR", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterRequestURI: {"foo"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}}, - client: &DefaultJWTSecuredAuthorizationRequest{RequestObjectSigningAlg: "", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{RequestObjectSigningAlg: "", DefaultClient: &DefaultClient{ID: "foo"}}, par: true, expected: url.Values{consts.FormParameterRequest: {"foo"}}, err: ErrInvalidRequest, @@ -167,7 +167,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestClientNoJWKS", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterRequest: {"foo"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}}, - client: &DefaultJWTSecuredAuthorizationRequest{RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}}, err: ErrInvalidRequest, errString: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. OpenID Connect 1.0 parameter 'request' was used, but the OAuth 2.0 Client does not have any JSON Web Keys registered. The OAuth 2.0 client with id 'foo' doesn't have any known JSON Web Keys but requires them when not explicitly registered with a 'request_object_signing_alg' with the value of 'none' or an empty value but it's registered with 'RS256'.", @@ -175,7 +175,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestURIClientNoJWKS", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterRequestURI: {"foo"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}}, - client: &DefaultJWTSecuredAuthorizationRequest{RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}}, err: ErrInvalidRequest, errString: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. OpenID Connect 1.0 parameter 'request_uri' was used, but the OAuth 2.0 Client does not have any JSON Web Keys registered. The OAuth 2.0 client with id 'foo' doesn't have any known JSON Web Keys but requires them when not explicitly registered with a 'request_object_signing_alg' with the value of 'none' or an empty value but it's registered with 'RS256'.", @@ -183,7 +183,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailInvalidTokenMalformed", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {"bad-token"}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request failed with an error attempting to validate the request object. The OAuth 2.0 client with id 'foo' provided a request object which failed to validate with error: go-jose/go-jose: compact JWS format must have three parts.", @@ -191,7 +191,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailUnknownKID", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {mustGenerateAssertion(t, jwt.MapClaims{}, key, "does-not-exists")}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "test"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "test"}}, expected: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. Unable to retrieve RSA signing key from OAuth 2.0 Client. The JSON Web Token uses signing key with kid 'does-not-exists', which could not be found. The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The JSON Web Token uses signing key with kid 'does-not-exists', which could not be found.", @@ -199,7 +199,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailBadAlgRS256", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {mustGenerateHSAssertion(t, jwt.MapClaims{})}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "test"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "test"}}, expected: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request failed with an error attempting to validate the request object. The OAuth 2.0 client with id 'test' expects request objects to be signed with the 'RS256' algorithm but the request object was signed with the 'HS256' algorithm.", @@ -207,7 +207,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailMismatchedClientID", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"not-foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterResponseMode: {consts.ResponseModeNone}, consts.FormParameterRequest: {assertionRequestObjectValid}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterResponseMode: {consts.ResponseModeFormPost}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectValid}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request included a request object which excluded claims that are required or included claims that did not match the OAuth 2.0 request syntax or are generally not permitted. The OAuth 2.0 client with id 'foo' included a request object with a 'client_id' claim with a value of 'foo' which is required to match the value 'not-foo' in the parameter with the same name from the OAuth 2.0 request syntax.", @@ -215,7 +215,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestClientIDAssert", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"not-foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterResponseMode: {consts.ResponseModeNone}, consts.FormParameterRequest: {assertionRequestObjectInvalidClientIDValue}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterResponseMode: {consts.ResponseModeFormPost}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectInvalidClientIDValue}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request included a request object which excluded claims that are required or included claims that did not match the OAuth 2.0 request syntax or are generally not permitted. The OAuth 2.0 client with id 'foo' included a request object with a 'client_id' claim with a value of '100' which is required to match the value 'not-foo' in the parameter with the same name from the OAuth 2.0 request syntax but instead of a string it had the int64 type.", @@ -223,7 +223,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestWithRequest", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterResponseMode: {consts.ResponseModeNone}, consts.FormParameterRequest: {assertionRequestObjectInvalidRequestInRequest}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterResponseMode: {consts.ResponseModeFormPost}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectInvalidRequestInRequest}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request included a request object which excluded claims that are required or included claims that did not match the OAuth 2.0 request syntax or are generally not permitted. The OAuth 2.0 client with id 'foo' included a request object which contained the 'request' or 'request_uri' claims but this is not permitted.", @@ -231,7 +231,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestWithRequestURI", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterResponseMode: {consts.ResponseModeNone}, consts.FormParameterRequest: {assertionRequestObjectInvalidRequestURIInRequest}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterResponseMode: {consts.ResponseModeFormPost}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectInvalidRequestURIInRequest}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request included a request object which excluded claims that are required or included claims that did not match the OAuth 2.0 request syntax or are generally not permitted. The OAuth 2.0 client with id 'foo' included a request object which contained the 'request' or 'request_uri' claims but this is not permitted.", @@ -239,7 +239,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailMismatchedResponseType", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterResponseMode: {consts.ResponseModeNone}, consts.FormParameterRequest: {assertionRequestObjectValid}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterResponseMode: {consts.ResponseModeFormPost}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectValid}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request included a request object which excluded claims that are required or included claims that did not match the OAuth 2.0 request syntax or are generally not permitted. The OAuth 2.0 client with id 'foo' included a request object with a 'response_type' claim with a value of 'token' which is required to match the value 'code' in the parameter with the same name from the OAuth 2.0 request syntax.", @@ -247,7 +247,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailMismatchedResponseTypeAsserted", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterResponseMode: {consts.ResponseModeNone}, consts.FormParameterRequest: {assertionRequestObjectInvalidResponseTypeValue}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterResponseMode: {consts.ResponseModeFormPost}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectInvalidResponseTypeValue}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request included a request object which excluded claims that are required or included claims that did not match the OAuth 2.0 request syntax or are generally not permitted. The OAuth 2.0 client with id 'foo' included a request object with a 'response_type' claim with a value of '100' which is required to match the value 'code' in the parameter with the same name from the OAuth 2.0 request syntax but instead of a string it had the int64 type.", @@ -255,13 +255,13 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldPassWithoutKID", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {assertionRequestObjectValidWithoutKID}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterScope: {"foo openid"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {assertionRequestObjectValidWithoutKID}, "foo": {"bar"}, "baz": {"baz"}}, }, { name: "ShouldFailRequestURINotWhiteListed", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "valid", "standard.jwk").String()}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeys: jwks, RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterScope: {"foo openid"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {assertionRequestObjectValidWithoutKID}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestURI, errRegex: regexp.MustCompile(`^The request_uri in the authorization request returns an error or contains invalid data\. OpenID Connect 1\.0 request failed to fetch request parameters from the provided 'request_uri'\. The OAuth 2\.0 client with id 'foo' provided the 'request_uri' parameter with value 'http://127.0.0.1:\d+/request-object/valid/standard\.jwk' which is not whitelisted.$`), @@ -269,13 +269,13 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldPassRequestURIFetch", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "valid", "standard.jwk").String()}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", RequestURIs: []string{root.JoinPath("request-object", "valid", "standard.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", RequestURIs: []string{root.JoinPath("request-object", "valid", "standard.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterResponseType: {"token"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseMode: {consts.ResponseModeFormPost}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "valid", "standard.jwk").String()}, "foo": {"bar"}, "baz": {"baz"}}, }, { name: "ShouldFailRequestAlgNone", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {assertionRequestObjectValidNone}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterState: {"some-state"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectValidNone}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request failed with an error attempting to validate the request object. The OAuth 2.0 client with id 'foo' expects request objects to be signed with the 'RS256' algorithm but the request object was signed with the 'none' algorithm.", @@ -283,7 +283,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestURIAlgNone", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "valid", "none.jwk").String()}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", RequestURIs: []string{root.JoinPath("request-object", "valid", "none.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", RequestURIs: []string{root.JoinPath("request-object", "valid", "none.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterResponseType: {"token"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterState: {"some-state"}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "valid", "none.jwk").String()}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request failed with an error attempting to validate the request object. The OAuth 2.0 client with id 'foo' expects request objects to be signed with the 'RS256' algorithm but the request object was signed with the 'none' algorithm.", @@ -291,7 +291,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestRS256", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {assertionRequestObjectValid}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: consts.JSONWebTokenAlgNone, DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: consts.JSONWebTokenAlgNone, DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterState: {"some-state"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectValid}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request failed with an error attempting to validate the request object. The OAuth 2.0 client with id 'foo' expects request objects to be signed with the 'none' algorithm but the request object was signed with the 'RS256' algorithm.", @@ -299,7 +299,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestURIRS256", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "valid", "standard.jwk").String()}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: consts.JSONWebTokenAlgNone, RequestURIs: []string{root.JoinPath("request-object", "valid", "standard.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: consts.JSONWebTokenAlgNone, RequestURIs: []string{root.JoinPath("request-object", "valid", "standard.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterResponseType: {"token"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterState: {"some-state"}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "valid", "standard.jwk").String()}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request failed with an error attempting to validate the request object. The OAuth 2.0 client with id 'foo' expects request objects to be signed with the 'none' algorithm but the request object was signed with the 'RS256' algorithm.", @@ -307,31 +307,31 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldPassRequestAlgNone", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {assertionRequestObjectValidNone}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: consts.JSONWebTokenAlgNone}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: consts.JSONWebTokenAlgNone}, expected: url.Values{consts.FormParameterState: {"some-state"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectValidNone}, "foo": {"bar"}, "baz": {"baz"}}, }, { name: "ShouldPassRequestURIAlgNone", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "valid", "none.jwk").String()}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: consts.JSONWebTokenAlgNone, RequestURIs: []string{root.JoinPath("request-object", "valid", "none.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: consts.JSONWebTokenAlgNone, RequestURIs: []string{root.JoinPath("request-object", "valid", "none.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterResponseType: {"token"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterState: {"some-state"}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "valid", "none.jwk").String()}, "foo": {"bar"}, "baz": {"baz"}}, }, { name: "ShouldPassRequestAlgNoneAllowAny", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {assertionRequestObjectValidNone}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String()}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String()}, expected: url.Values{consts.FormParameterState: {"some-state"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectValidNone}, "foo": {"bar"}, "baz": {"baz"}}, }, { name: "ShouldPassRequestURIAlgNoneAllowAny", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "valid", "none.jwk").String()}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "", RequestURIs: []string{root.JoinPath("request-object", "valid", "none.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "", RequestURIs: []string{root.JoinPath("request-object", "valid", "none.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterResponseType: {"token"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterState: {"some-state"}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "valid", "none.jwk").String()}, "foo": {"bar"}, "baz": {"baz"}}, }, { name: "ShouldFailRequestBadAudience", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {assertionRequestObjectInvalidAudience}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterState: {"some-state"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectValidNone}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request included a request object which excluded claims that are required or included claims that did not match the OAuth 2.0 request syntax or are generally not permitted. The OAuth 2.0 client with id 'foo' included a request object with a 'aud' claim with the values 'https://auth.not-example.com' which is required match the issuer 'https://auth.example.com'.", @@ -339,7 +339,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestURIBadAudience", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "invalid", "audience.jwk").String()}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", RequestURIs: []string{root.JoinPath("request-object", "invalid", "audience.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", RequestURIs: []string{root.JoinPath("request-object", "invalid", "audience.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterResponseType: {"token"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterState: {"some-state"}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "invalid", "audience.jwk").String()}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request included a request object which excluded claims that are required or included claims that did not match the OAuth 2.0 request syntax or are generally not permitted. The OAuth 2.0 client with id 'foo' included a request object with a 'response_type' claim with a value of 'code' which is required to match the value 'token' in the parameter with the same name from the OAuth 2.0 request syntax.", @@ -347,7 +347,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestBadIssuer", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterRequest: {assertionRequestObjectInvalidIssuer}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterState: {"some-state"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeAuthorizationCodeFlow}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequest: {assertionRequestObjectValidNone}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request included a request object which excluded claims that are required or included claims that did not match the OAuth 2.0 request syntax or are generally not permitted. The OAuth 2.0 client with id 'foo' included a request object with a 'iss' claim with a value of 'not-foo' which is required to match the value 'foo' in the parameter with the same name from the OAuth 2.0 request syntax.", @@ -355,7 +355,7 @@ func TestAuthorizeRequestParametersFromOpenIDConnectRequestObject(t *testing.T) { name: "ShouldFailRequestURIBadIssuer", have: url.Values{consts.FormParameterScope: {consts.ScopeOpenID}, consts.FormParameterClientID: {"foo"}, consts.FormParameterResponseType: {consts.ResponseTypeImplicitFlowToken}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "invalid", "issuer.jwk").String()}}, - client: &DefaultJWTSecuredAuthorizationRequest{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", RequestURIs: []string{root.JoinPath("request-object", "invalid", "issuer.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, + client: &DefaultJARClient{JSONWebKeysURI: root.JoinPath("jwks.json").String(), RequestObjectSigningAlg: "RS256", RequestURIs: []string{root.JoinPath("request-object", "invalid", "issuer.jwk").String()}, DefaultClient: &DefaultClient{ID: "foo"}}, expected: url.Values{consts.FormParameterResponseType: {"token"}, consts.FormParameterClientID: {"foo"}, consts.FormParameterState: {"some-state"}, consts.FormParameterScope: {"foo openid"}, consts.FormParameterRequestURI: {root.JoinPath("request-object", "invalid", "issuer.jwk").String()}, "foo": {"bar"}, "baz": {"baz"}}, err: ErrInvalidRequestObject, errString: "The request parameter contains an invalid Request Object. OpenID Connect 1.0 request included a request object which excluded claims that are required or included claims that did not match the OAuth 2.0 request syntax or are generally not permitted. The OAuth 2.0 client with id 'foo' included a request object with a 'response_type' claim with a value of 'code' which is required to match the value 'token' in the parameter with the same name from the OAuth 2.0 request syntax.", diff --git a/client.go b/client.go index 0730ec54..2dc370f2 100644 --- a/client.go +++ b/client.go @@ -147,8 +147,10 @@ type UserInfoClient interface { JSONWebKeysClient } -// JWTSecuredAuthorizationRequestClient represents a client capable of performing OpenID Connect requests. -type JWTSecuredAuthorizationRequestClient interface { +// JARClient represents a client capable of performing OpenID Connect requests. +// +// See: https://www.rfc-editor.org/rfc/rfc9101 +type JARClient interface { // GetRequestObjectSigningKeyID returns the specific key identifier used to satisfy JWS requirements of the request // object specifications. If unspecified the other available parameters will be utilized to select an appropriate // key. @@ -248,6 +250,8 @@ type RevokeFlowRevokeRefreshTokensExplicitClient interface { } // JARMClient is a client which supports JARM. +// +// See: https://openid.net/specs/oauth-v2-jarm.html type JARMClient interface { // GetAuthorizationSignedResponseKeyID returns the specific key identifier used to satisfy JWS requirements of the // JWT-secured Authorization Response Method (JARM) specifications. If unspecified the other available parameters @@ -408,7 +412,7 @@ type DefaultClient struct { Public bool `json:"public"` } -type DefaultJWTSecuredAuthorizationRequest struct { +type DefaultJARClient struct { *DefaultClient JSONWebKeysURI string `json:"jwks_uri"` JSONWebKeys *jose.JSONWebKeySet `json:"jwks"` @@ -485,15 +489,15 @@ func (c *DefaultClient) GetResponseTypes() Arguments { return c.ResponseTypes } -func (c *DefaultJWTSecuredAuthorizationRequest) GetJSONWebKeysURI() string { +func (c *DefaultJARClient) GetJSONWebKeysURI() string { return c.JSONWebKeysURI } -func (c *DefaultJWTSecuredAuthorizationRequest) GetJSONWebKeys() *jose.JSONWebKeySet { +func (c *DefaultJARClient) GetJSONWebKeys() *jose.JSONWebKeySet { return c.JSONWebKeys } -func (c *DefaultJWTSecuredAuthorizationRequest) GetTokenEndpointAuthSigningAlg() string { +func (c *DefaultJARClient) GetTokenEndpointAuthSigningAlg() string { if c.TokenEndpointAuthSigningAlg == "" { return "RS256" } else { @@ -501,47 +505,47 @@ func (c *DefaultJWTSecuredAuthorizationRequest) GetTokenEndpointAuthSigningAlg() } } -func (c *DefaultJWTSecuredAuthorizationRequest) GetIntrospectionEndpointAuthSigningAlg() string { +func (c *DefaultJARClient) GetIntrospectionEndpointAuthSigningAlg() string { return c.IntrospectionEndpointAuthSigningAlg } -func (c *DefaultJWTSecuredAuthorizationRequest) GetRevocationEndpointAuthSigningAlg() string { +func (c *DefaultJARClient) GetRevocationEndpointAuthSigningAlg() string { return c.RevocationEndpointAuthSigningAlg } -func (c *DefaultJWTSecuredAuthorizationRequest) GetRequestObjectSigningKeyID() string { +func (c *DefaultJARClient) GetRequestObjectSigningKeyID() string { return c.RequestObjectSigningKeyID } -func (c *DefaultJWTSecuredAuthorizationRequest) GetRequestObjectSigningAlg() string { +func (c *DefaultJARClient) GetRequestObjectSigningAlg() string { return c.RequestObjectSigningAlg } -func (c *DefaultJWTSecuredAuthorizationRequest) GetRequestObjectEncryptionKeyID() string { +func (c *DefaultJARClient) GetRequestObjectEncryptionKeyID() string { return c.RequestObjectEncryptionKeyID } -func (c *DefaultJWTSecuredAuthorizationRequest) GetRequestObjectEncryptionAlg() string { +func (c *DefaultJARClient) GetRequestObjectEncryptionAlg() string { return c.RequestObjectEncryptionAlg } -func (c *DefaultJWTSecuredAuthorizationRequest) GetRequestObjectEncryptionEnc() string { +func (c *DefaultJARClient) GetRequestObjectEncryptionEnc() string { return c.RequestObjectEncryptionEnc } -func (c *DefaultJWTSecuredAuthorizationRequest) GetTokenEndpointAuthMethod() string { +func (c *DefaultJARClient) GetTokenEndpointAuthMethod() string { return c.TokenEndpointAuthMethod } -func (c *DefaultJWTSecuredAuthorizationRequest) GetIntrospectionEndpointAuthMethod() string { +func (c *DefaultJARClient) GetIntrospectionEndpointAuthMethod() string { return c.IntrospectionEndpointAuthMethod } -func (c *DefaultJWTSecuredAuthorizationRequest) GetRevocationEndpointAuthMethod() string { +func (c *DefaultJARClient) GetRevocationEndpointAuthMethod() string { return c.RevocationEndpointAuthMethod } -func (c *DefaultJWTSecuredAuthorizationRequest) GetRequestURIs() []string { +func (c *DefaultJARClient) GetRequestURIs() []string { return c.RequestURIs } @@ -550,7 +554,7 @@ func (c *DefaultResponseModeClient) GetResponseModes() []ResponseModeType { } var ( - _ Client = (*DefaultClient)(nil) - _ ResponseModeClient = (*DefaultResponseModeClient)(nil) - _ JWTSecuredAuthorizationRequestClient = (*DefaultJWTSecuredAuthorizationRequest)(nil) + _ Client = (*DefaultClient)(nil) + _ ResponseModeClient = (*DefaultResponseModeClient)(nil) + _ JARClient = (*DefaultJARClient)(nil) ) diff --git a/client_authentication.go b/client_authentication.go index 91ff82aa..6bb6cfd0 100644 --- a/client_authentication.go +++ b/client_authentication.go @@ -47,7 +47,7 @@ func (f *Fosite) AuthenticateClientWithAuthHandler(ctx context.Context, r *http. return strategy.AuthenticateClient(ctx, r, form, handler) } -func (f *Fosite) findClientPublicJWK(ctx context.Context, client JWTSecuredAuthorizationRequestClient, t *jwt.Token, expectsRSAKey bool) (key any, err error) { +func (f *Fosite) findClientPublicJWK(ctx context.Context, client JARClient, t *jwt.Token, expectsRSAKey bool) (key any, err error) { var ( keys *jose.JSONWebKeySet ) @@ -111,7 +111,7 @@ func CompareClientSecret(ctx context.Context, client Client, rawSecret []byte) ( return err } -// FindClientPublicJWK takes a JWTSecuredAuthorizationRequestClient and a kid, alg, and use to resolve a Public JWK for the client. +// FindClientPublicJWK takes a JARClient and a kid, alg, and use to resolve a Public JWK for the client. func FindClientPublicJWK(ctx context.Context, provider JWKSFetcherStrategyProvider, client JSONWebKeysClient, kid, alg, use string) (key any, err error) { if set := client.GetJSONWebKeys(); set != nil { return findPublicKeyByKID(kid, alg, use, set) diff --git a/client_authentication_test.go b/client_authentication_test.go index 49947d13..24468859 100644 --- a/client_authentication_test.go +++ b/client_authentication_test.go @@ -65,7 +65,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseAuthenticationCanNotBeDetermined", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo"}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo"}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: new(http.Request), @@ -74,7 +74,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientDoesNotExist", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "none"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "none"} }, form: url.Values{"client_id": []string{"bar"}}, r: new(http.Request), @@ -83,7 +83,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassBecauseClientIsPublicAndAuthenticationRequirementsAreMet", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "none"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "none"} }, form: url.Values{"client_id": []string{"foo"}}, r: new(http.Request), @@ -91,7 +91,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassBecauseClientIsPublicAndClientSecretIsEmptyInQueryParam", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "none"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "none"} }, form: url.Values{"client_id": []string{"foo"}, "client_secret": []string{""}}, r: new(http.Request), @@ -99,7 +99,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassBecauseClientIsPublicAndClientSecretIsEmptyInBasicAuthHeader", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "none"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "none"} }, form: url.Values{}, r: &http.Request{Header: clientBasicAuthHeader("foo", "")}, @@ -107,7 +107,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientRequiresBasicAuthAndClientSecretIsEmptyInBasicAuthHeader", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: clientBasicAuthHeader("foo", "")}, @@ -116,7 +116,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassWithClientCredentialsContainingSpecialCharacters", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "!foo%20bar", ClientSecret: testClientSecretComplex}, TokenEndpointAuthMethod: "client_secret_post"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "!foo%20bar", ClientSecret: testClientSecretComplex}, TokenEndpointAuthMethod: "client_secret_post"} }, form: url.Values{"client_id": []string{"!foo%20bar"}, "client_secret": []string{complexSecretRaw}}, r: new(http.Request), @@ -124,7 +124,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailWithMultipleAuthenticationMethodsClientMethodBasic", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "abc", ClientSecret: testClientSecretComplex}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "abc", ClientSecret: testClientSecretComplex}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{"client_id": []string{"abc"}, "client_secret": []string{complexSecretRaw}}, r: &http.Request{Header: clientBasicAuthHeader("abc", complexSecretRaw)}, @@ -133,7 +133,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailWithMultipleAuthenticationMethodsClientMethodPost", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "abc", ClientSecret: testClientSecretComplex}, TokenEndpointAuthMethod: "client_secret_post"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "abc", ClientSecret: testClientSecretComplex}, TokenEndpointAuthMethod: "client_secret_post"} }, form: url.Values{"client_id": []string{"abc"}, "client_secret": []string{complexSecretRaw}}, r: &http.Request{Header: clientBasicAuthHeader("abc", complexSecretRaw)}, @@ -143,7 +143,7 @@ func TestAuthenticateClient(t *testing.T) { name: "ShouldPassWithMultipleAuthenticationMethods", client: func(ts *httptest.Server) Client { return &TestClientAuthenticationPolicyClient{ - &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "abc", ClientSecret: testClientSecretComplex}, TokenEndpointAuthMethod: "client_secret_basic"}, + &DefaultJARClient{DefaultClient: &DefaultClient{ID: "abc", ClientSecret: testClientSecretComplex}, TokenEndpointAuthMethod: "client_secret_basic"}, true, } }, @@ -153,7 +153,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseAuthMethodIsNotNone", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", Public: true}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{"client_id": []string{"foo"}}, r: new(http.Request), err: "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The request was determined to be using 'token_endpoint_auth_method' method 'none', however the OAuth 2.0 client registration does not allow this method. The registered client with id 'foo' is configured to only support 'token_endpoint_auth_method' method 'client_secret_basic'. Either the Authorization Server client registration will need to have the 'token_endpoint_auth_method' updated to 'none' or the Relying Party will need to be configured to use 'client_secret_basic'.", @@ -162,21 +162,21 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassBecauseClientIsConfidentialAndIdAndSecretMatchInPostBody", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar, RotatedClientSecrets: []ClientSecret{testClientSecretBar}}, TokenEndpointAuthMethod: "client_secret_post"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar, RotatedClientSecrets: []ClientSecret{testClientSecretBar}}, TokenEndpointAuthMethod: "client_secret_post"} }, form: url.Values{"client_id": []string{"foo"}, "client_secret": []string{"bar"}}, r: new(http.Request), }, { name: "ShouldPassBecauseClientIsConfidentialAndIdAndRotatedSecretMatchInPostBody", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_post"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_post"} }, form: url.Values{"client_id": []string{"foo"}, "client_secret": []string{"bar"}}, r: new(http.Request), }, { name: "ShouldFailBecauseClientIsConfidentialAndSecretDoesNotMatchInPostBody", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_post"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_post"} }, form: url.Values{"client_id": []string{"foo"}, "client_secret": []string{"baz"}}, r: new(http.Request), expectErr: ErrInvalidClient, @@ -184,7 +184,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientIsConfidentialAndIdDoesNotExistInPostBody", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_post"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_post"} }, form: url.Values{"client_id": []string{"foo"}, "client_secret": []string{"bar"}}, r: new(http.Request), expectErr: ErrInvalidClient, @@ -192,14 +192,14 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassBecauseClientIsConfidentialAndIdAndSecretMatchInHeader", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: clientBasicAuthHeader("foo", "bar")}, }, { name: "ShouldFailBecauseClientIsConfidentialAndIdAndSecretInHeaderIsNotRegistered", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: &BCryptClientSecret{}}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: &BCryptClientSecret{}}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: clientBasicAuthHeader("foo", "bar")}, err: "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The request was determined to be using 'token_endpoint_auth_method' method 'client_secret_basic', however the OAuth 2.0 client registration does not allow this method. The registered client with id 'foo' has no 'client_secret' however this is required to process the particular request.", @@ -208,21 +208,21 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassEscapedClientCredentials", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretComplex}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretComplex}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: clientBasicAuthHeader("foo", "foo %66%6F%6F@$<§!✓")}, }, { name: "ShouldPassBecauseClientIsConfidentialAndIdAndRotatedSecretMatchInHeader", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretFoo, RotatedClientSecrets: []ClientSecret{testClientSecretBar}}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretFoo, RotatedClientSecrets: []ClientSecret{testClientSecretBar}}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: clientBasicAuthHeader("foo", "bar")}, }, { name: "ShouldFailBecauseAuthMethodIsNotClientSecretBasic", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_post"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_post"} }, form: url.Values{}, r: &http.Request{Header: clientBasicAuthHeader("foo", "bar")}, expectErr: ErrInvalidClient, @@ -230,7 +230,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientIsConfidentialAndSecretDoesNotMatchInHeader", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretFoo}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretFoo}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: clientBasicAuthHeader("foo", "baz")}, expectErr: ErrInvalidClient, @@ -238,7 +238,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientIsConfidentialAndNeitherSecretNorRotatedDoesMatchInHeader", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretFoo, RotatedClientSecrets: []ClientSecret{testClientSecretFoo}}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretFoo, RotatedClientSecrets: []ClientSecret{testClientSecretFoo}}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: clientBasicAuthHeader("foo", "baz")}, expectErr: ErrInvalidClient, @@ -247,7 +247,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientIdIsNotValid", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: http.Header{consts.HeaderAuthorization: {prefixSchemeBasic + base64.StdEncoding.EncodeToString([]byte("%%%%%%:foo"))}}}, err: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials in the HTTP authorization header could not be parsed. Either the scheme was missing, the scheme was invalid, or the value had malformed data. The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client id in the HTTP authorization header could not be decoded from 'application/x-www-form-urlencoded'. invalid URL escape '%%%'", @@ -256,7 +256,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientSecretIsNotValid", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: http.Header{consts.HeaderAuthorization: {prefixSchemeBasic + base64.StdEncoding.EncodeToString([]byte("foo:%%%%%%%"))}}}, err: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials in the HTTP authorization header could not be parsed. Either the scheme was missing, the scheme was invalid, or the value had malformed data. The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client secret in the HTTP authorization header could not be decoded from 'application/x-www-form-urlencoded'. invalid URL escape '%%%'", @@ -265,7 +265,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseBasicValueIsNotValid", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: http.Header{consts.HeaderAuthorization: {prefixSchemeBasic + base64.StdEncoding.EncodeToString([]byte("foo"))}}}, err: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials in the HTTP authorization header could not be parsed. Either the scheme was missing, the scheme was invalid, or the value had malformed data. The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials from the HTTP authorization header could not be parsed. The basic scheme value was not separated by a colon.", @@ -274,7 +274,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseSchemeIsNotValid", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: http.Header{consts.HeaderAuthorization: {"NotBasic " + base64.StdEncoding.EncodeToString([]byte("foo:bar"))}}}, err: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials in the HTTP authorization header could not be parsed. Either the scheme was missing, the scheme was invalid, or the value had malformed data. The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials from the HTTP authorization header had an unknown scheme. The scheme 'NotBasic' is not known for client authentication.", @@ -283,7 +283,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseHeaderIsNotEncoded", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: http.Header{consts.HeaderAuthorization: {prefixSchemeBasic + "foo:bar"}}}, err: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials in the HTTP authorization header could not be parsed. Either the scheme was missing, the scheme was invalid, or the value had malformed data. The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials from the HTTP authorization header could not be parsed. Error occurred performing a base64 decode: illegal base64 data at input byte 3.", @@ -292,7 +292,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseAuthorizationHeaderIsNotValid", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: http.Header{consts.HeaderAuthorization: {"Basic" + base64.StdEncoding.EncodeToString([]byte("foo:bar"))}}}, err: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials in the HTTP authorization header could not be parsed. Either the scheme was missing, the scheme was invalid, or the value had malformed data. The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials from the HTTP authorization header could not be parsed. The header value is either missing a scheme, value, or the separator between them.", @@ -301,7 +301,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseNonVSCHARClientID", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: clientBasicAuthHeader("\x19foo", "bar")}, err: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials in the HTTP authorization header could not be parsed. Either the scheme was missing, the scheme was invalid, or the value had malformed data. The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client id in the HTTP request had an invalid character.", @@ -310,7 +310,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseNonVSCHARClientSecret", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: clientBasicAuthHeader("foo", "\x19bar")}, err: "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client credentials in the HTTP authorization header could not be parsed. Either the scheme was missing, the scheme was invalid, or the value had malformed data. The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. The client secret in the HTTP request had an invalid character.", @@ -319,7 +319,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientIsConfidentialAndIdDoesNotExistInHeader", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{}, r: &http.Request{Header: http.Header{consts.HeaderAuthorization: {prefixSchemeBasic + base64.StdEncoding.EncodeToString([]byte("foo:bar"))}}}, expectErr: ErrInvalidClient, @@ -328,7 +328,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientAssertionButClientAssertionIsMissing", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_id": []string{"foo"}, "client_assertion_type": []string{consts.ClientAssertionTypeJWTBearer}}, r: new(http.Request), expectErr: ErrInvalidRequest, @@ -337,7 +337,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientAssertionTypeIsUnknown", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "foo", ClientSecret: testClientSecretBar}, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_id": []string{"foo"}, "client_assertion_type": []string{"foobar"}}, r: new(http.Request), expectErr: ErrInvalidRequest, @@ -346,7 +346,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassWithProperRSAAssertionWhenJWKsAreSetWithinTheClientAndClientIdIsNotSetInTheRequest", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -359,7 +359,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassWithProperECDSAAssertionWhenJWKsAreSetWithinTheClientAndClientIdIsNotSetInTheRequest", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} }, form: url.Values{"client_assertion": {mustGenerateECDSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -372,7 +372,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseRSAAssertionIsUsedButECDSAAssertionIsRequired", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} }, form: url.Values{"client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -387,7 +387,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseMalformedAssertionUsed", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} }, form: url.Values{"client_assertion": []string{"bad.assertion"}, "client_assertion_type": []string{consts.ClientAssertionTypeJWTBearer}}, r: new(http.Request), expectErr: ErrInvalidClient, @@ -396,7 +396,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseExpired", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} }, form: url.Values{"client_assertion": {mustGenerateECDSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(-time.Hour).Unix(), @@ -411,7 +411,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseNotBefore", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} }, form: url.Values{"client_assertion": {mustGenerateECDSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -427,7 +427,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseIssuedInFuture", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} }, form: url.Values{"client_assertion": {mustGenerateECDSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -443,7 +443,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseNoKeys", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: nil, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: nil, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} }, form: url.Values{"client_assertion": {mustGenerateECDSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -458,7 +458,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseNotBefore", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksECDSA, TokenEndpointAuthMethod: "private_key_jwt", TokenEndpointAuthSigningAlg: "ES256"} }, form: url.Values{"client_assertion": {mustGenerateECDSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -474,7 +474,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseTokenAuthMethodIsNotPrivateKeyJwtButClientSecretJwt", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "client_secret_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "client_secret_jwt"} }, form: url.Values{"client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -489,7 +489,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseTokenAuthMethodIsNotPrivateKeyJwtButNone", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "none"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "none"} }, form: url.Values{"client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -504,7 +504,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseTokenAuthMethodIsNotPrivateKeyJwtButClientSecretPost", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "client_secret_post"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "client_secret_post"} }, form: url.Values{"client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -519,7 +519,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseTokenAuthMethodIsNotPrivateKeyJwtButClientSecretBasic", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "client_secret_basic"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "client_secret_basic"} }, form: url.Values{"client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -534,7 +534,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseTokenAuthMethodIsNotPrivateKeyJwtButFoobar", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "foobar"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "foobar"} }, form: url.Values{"client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -548,7 +548,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassWithProperAssertionWhenJWKsAreSetWithinTheClientAndClientIdIsNotSetInTheRequest (aud is array)", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -561,7 +561,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseAudienceDoesNotMatchTokenURL", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -576,7 +576,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassWithProperAssertionWhenJWKsAreSetWithinTheClient", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_id": []string{"bar"}, "client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -589,7 +589,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseJWTAlgorithmIsHS256", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_id": []string{"bar"}, "client_assertion": {mustGenerateHSAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -603,7 +603,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseJWTAlgorithmIsNone", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_id": []string{"bar"}, "client_assertion": {mustGenerateNoneAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -618,7 +618,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldPassWithProperAssertionWhenJWKsURIIsSet", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeysURI: ts.URL, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeysURI: ts.URL, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_id": []string{"bar"}, "client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -631,7 +631,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientAssertionSubDoesNotMatchClient", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_id": []string{"bar"}, "client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "not-bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -646,7 +646,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientAssertionIssDoesNotMatchClient", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_id": []string{"bar"}, "client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -661,7 +661,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientAssertionJtiIsNotSet", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{"client_id": []string{"bar"}, "client_assertion": {mustGenerateRSAAssertion(t, jwt.MapClaims{ consts.ClaimSubject: "bar", consts.ClaimExpirationTime: time.Now().Add(time.Hour).Unix(), @@ -675,7 +675,7 @@ func TestAuthenticateClient(t *testing.T) { { name: "ShouldFailBecauseClientAssertionAudIsNotSet", client: func(ts *httptest.Server) Client { - return &DefaultJWTSecuredAuthorizationRequest{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} + return &DefaultJARClient{DefaultClient: &DefaultClient{ID: "bar", ClientSecret: testClientSecretBar}, JSONWebKeys: jwksRSA, TokenEndpointAuthMethod: "private_key_jwt"} }, form: url.Values{ "client_id": []string{"bar"}, @@ -742,7 +742,7 @@ func TestAuthenticateClient(t *testing.T) { func TestAuthenticateClientTwice(t *testing.T) { key := gen.MustRSAKey() - client := &DefaultJWTSecuredAuthorizationRequest{ + client := &DefaultJARClient{ DefaultClient: &DefaultClient{ ID: "bar", ClientSecret: testClientSecretFoo, @@ -832,7 +832,7 @@ func clientBasicAuthHeader(clientID, clientSecret string) http.Header { } type TestClientAuthenticationPolicyClient struct { - *DefaultJWTSecuredAuthorizationRequest + *DefaultJARClient AllowMultipleAuthenticationMethods bool }