
Example 76 with Subject

Use of com.nimbusds.oauth2.sdk.id.Subject in project di-authentication-api by alphagov.

From class TokenIntegrationTest, method shouldCallTokenResourceAndReturnIdentityClaims.

@Test
void shouldCallTokenResourceAndReturnIdentityClaims() throws Exception {
    // Client key pair used for private_key_jwt client authentication at the token endpoint.
    KeyPair keyPair = KeyPairHelper.GENERATE_RSA_KEY_PAIR();
    // Only "openid" is requested: no offline_access, so no refresh token is expected.
    Scope scope = new Scope(OIDCScopeValue.OPENID.getValue());
    // Identity claims requested through the OIDC "claims" request parameter (userinfo section).
    var claimsSetRequest = new ClaimsSetRequest().add("nickname").add("birthdate");
    var oidcClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
    // Register the client and a test user with a freshly generated random Subject.
    setUpDynamo(keyPair, scope, new Subject());
    // "P2.Cl.Cm" is the requested vector of trust: identity (P2) level, so identity claims may be released.
    var response = generateTokenRequest(keyPair, scope, Optional.of("P2.Cl.Cm"), Optional.of(oidcClaimsRequest), Optional.of(CLIENT_ID));
    assertThat(response, hasStatus(200));
    JSONObject jsonResponse = JSONObjectUtils.parse(response.getBody());
    var tokens = TokenResponse.parse(jsonResponse).toSuccessResponse().getTokens();
    // Without offline_access a refresh token must not be issued; a bearer access token must be.
    assertNull(tokens.getRefreshToken());
    assertNotNull(tokens.getBearerAccessToken());
    BearerAccessToken bearerAccessToken = tokens.getBearerAccessToken();
    // The access token is a signed JWT whose "claims" claim lists the identity claims
    // the userinfo endpoint is allowed to release for this token.
    JSONArray jsonarray = JSONArrayUtils.parse(SignedJWT.parse(bearerAccessToken.getValue()).getJWTClaimsSet().getClaim("claims").toString());
    assertTrue(jsonarray.contains("nickname"));
    assertTrue(jsonarray.contains("birthdate"));
    assertNoAuditEventsReceived(auditTopic);
}
Also used : ClaimsSetRequest(com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest) KeyPair(java.security.KeyPair) OIDCClaimsRequest(com.nimbusds.openid.connect.sdk.OIDCClaimsRequest) Scope(com.nimbusds.oauth2.sdk.Scope) JSONObject(net.minidev.json.JSONObject) JSONArray(net.minidev.json.JSONArray) BearerAccessToken(com.nimbusds.oauth2.sdk.token.BearerAccessToken) Subject(com.nimbusds.oauth2.sdk.id.Subject) Test(org.junit.jupiter.api.Test) ApiGatewayHandlerIntegrationTest(uk.gov.di.authentication.sharedtest.basetest.ApiGatewayHandlerIntegrationTest) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Example 77 with Subject

Use of com.nimbusds.oauth2.sdk.id.Subject in project di-authentication-api by alphagov.

From class TokenIntegrationTest, method shouldReturnIdTokenWithPairwiseSubjectId.

@Test
void shouldReturnIdTokenWithPairwiseSubjectId() throws Exception {
    KeyPair keyPair = KeyPairHelper.GENERATE_RSA_KEY_PAIR();
    // offline_access is requested this time, so a refresh token is expected.
    Scope scope = new Scope(OIDCScopeValue.OPENID.getValue(), OIDCScopeValue.OFFLINE_ACCESS.getValue());
    // Register the client with subject_type "pairwise" (OIDC Core 8.1): each sector gets its own pseudonymous sub.
    setUpDynamo(keyPair, scope, new Subject(), "pairwise");
    var response = generateTokenRequest(keyPair, scope, Optional.empty(), Optional.empty(), Optional.of(CLIENT_ID));
    assertThat(response, hasStatus(200));
    JSONObject jsonResponse = JSONObjectUtils.parse(response.getBody());
    var tokens = TokenResponse.parse(jsonResponse).toSuccessResponse().getTokens();
    assertNotNull(tokens.getRefreshToken());
    assertNotNull(tokens.getBearerAccessToken());
    // The ID token's "sub" must be the pairwise identifier, not the user's public subject ID,
    // so relying parties in different sectors cannot correlate the same user.
    String idTokenSubject = OIDCTokenResponse.parse(jsonResponse).getOIDCTokens().getIDToken().getJWTClaimsSet().getSubject();
    assertThat(idTokenSubject, not(equalTo(userStore.getPublicSubjectIdForEmail(TEST_EMAIL))));
    assertNoAuditEventsReceived(auditTopic);
}
Also used : KeyPair(java.security.KeyPair) Scope(com.nimbusds.oauth2.sdk.Scope) JSONObject(net.minidev.json.JSONObject) Subject(com.nimbusds.oauth2.sdk.id.Subject) Test(org.junit.jupiter.api.Test) ApiGatewayHandlerIntegrationTest(uk.gov.di.authentication.sharedtest.basetest.ApiGatewayHandlerIntegrationTest) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)
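The property asserted in Example 77 (the ID token's sub differs from the user's public subject identifier when the client is registered as "pairwise") comes from pairwise pseudonymous subject identifiers in OpenID Connect Core 1.0, section 8.1. The block below is an added Python illustration of that derivation; it is not code from di-authentication-api, and the hash construction is the one OIDC Core 8.1 gives as an example (salted hash of the sector identifier and the local account ID), so the project's own derivation may differ. ClientRegistration, subject_for_client, PAIRWISE_SALT and the sample identifiers are hypothetical names and constructed data.

```python
"""Pairwise pseudonymous subject identifiers (OpenID Connect Core 1.0, section 8.1).

Added illustration, not code from di-authentication-api. The hash below is the
example algorithm from OIDC Core 8.1; a real OP may use a different, but equally
deterministic and salted, construction.
"""
import base64
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical persistent per-OP salt (constructed constant for this example).
# It must stay stable for the lifetime of the deployment: rotating it changes
# every pairwise sub and silently breaks every RP's account links.
PAIRWISE_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


@dataclass(frozen=True)
class ClientRegistration:
    """Minimal hypothetical client record; subject_type is "public" or "pairwise"."""
    client_id: str
    subject_type: str
    sector_identifier_uri: str  # or the single redirect_uri when no sector URI is registered


def sector_identifier(client: ClientRegistration) -> str:
    """The Sector Identifier is the host component of sector_identifier_uri (OIDC 8.1)."""
    host = urlparse(client.sector_identifier_uri).hostname
    if not host:
        raise ValueError(f"client {client.client_id} has no usable sector identifier host")
    return host.lower()


def pairwise_subject(local_sub: str, sector: str, salt: bytes = PAIRWISE_SALT) -> str:
    """sub = base64url(SHA-256(sector || 0x00 || local_sub || 0x00 || salt)).

    NUL separators make the encoding unambiguous (neither a hostname nor the
    local id may contain NUL), so "a.example"+"bc" and "a.exampleb"+"c" differ.
    """
    if "\x00" in sector or "\x00" in local_sub:
        raise ValueError("sector identifier and local subject must not contain NUL")
    digest = hashlib.sha256(b"\x00".join([sector.encode(), local_sub.encode(), salt])).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def subject_for_client(local_sub: str, client: ClientRegistration) -> str:
    """Choose the sub an ID token issued to this client should carry."""
    if client.subject_type == "public":
        return local_sub  # identical for every RP, so RPs can correlate the user
    if client.subject_type == "pairwise":
        return pairwise_subject(local_sub, sector_identifier(client))
    raise ValueError(f"unknown subject_type {client.subject_type!r}")


if __name__ == "__main__":
    # Constructed sample data.
    local_sub = "local-account-1234"
    rp_a = ClientRegistration("rp-a", "pairwise", "https://service-a.example/sector.json")
    rp_a_again = ClientRegistration("rp-a-2", "pairwise", "https://service-a.example/other")
    rp_b = ClientRegistration("rp-b", "pairwise", "https://service-b.example/sector.json")
    rp_public = ClientRegistration("rp-public", "public", "https://service-c.example/")
    print("rp-a        :", subject_for_client(local_sub, rp_a))
    print("same sector :", subject_for_client(local_sub, rp_a_again))
    print("rp-b        :", subject_for_client(local_sub, rp_b))
    print("public      :", subject_for_client(local_sub, rp_public))
```

Two clients sharing a sector host receive the same pairwise sub (so a single organisation with several client registrations still sees one identity), a client in a different sector receives a different one, and none of them equals the local account identifier that a "public" client would see. Running the script prints four subs illustrating exactly that.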

Example 78 with Subject

Use of com.nimbusds.oauth2.sdk.id.Subject in project di-authentication-api by alphagov.

From class FakeDataGenerator, method main.

public static void main(String[] args) {
    try {
        List<ImportRecord> importRecordList = new ArrayList<>();
        List<TestPassword> testPasswordList = new ArrayList<>();
        SecureRandom rng = new SecureRandom();
        for (int i = 0; i < RECORD_COUNT; i++) {
            String password = generateRandomSpecialCharacters(10);
            // The pepper is a secret appended before hashing, so a leaked table of hashes
            // cannot be cracked offline without it.
            char[] passwordWithPepper = (password + PEPPER).toCharArray();
            // bcrypt requires exactly 16 random salt bytes. Cost 5 keeps fixture generation
            // fast; it is far too low for production password hashes.
            byte[] salt = new byte[16];
            rng.nextBytes(salt);
            String hashed = OpenBSDBCrypt.generate(passwordWithPepper, salt, 5);
            String email = format("hello+%d@gov.uk", i);
            // new Subject() generates a random 32-byte, base64url-encoded identifier.
            ImportRecord record = new ImportRecord()
                    .setEmail(email)
                    .setPhone(format("+441234%06d", i))
                    .setEncryptedPassword(hashed)
                    .setSubjectIdentifier(new Subject().toString())
                    .setCreatedAt(LocalDateTime.now());
            importRecordList.add(record);
            // Plaintext passwords are written out only so tests can log in as these generated users.
            TestPassword testPassword = new TestPassword().setEmail(email).setPassword(password);
            testPasswordList.add(testPassword);
        }
        saveImportFile(importRecordList);
        savePasswordFile(testPasswordList);
    } catch (Exception e) {
        e.printStackTrace();
    }
}
Also used : ArrayList(java.util.ArrayList) SecureRandom(java.security.SecureRandom) Subject(com.nimbusds.oauth2.sdk.id.Subject) CsvRequiredFieldEmptyException(com.opencsv.exceptions.CsvRequiredFieldEmptyException) IOException(java.io.IOException) CsvDataTypeMismatchException(com.opencsv.exceptions.CsvDataTypeMismatchException)

Example 79 with Subject

Use of com.nimbusds.oauth2.sdk.id.Subject in project di-authentication-api by alphagov.

From class DocAppAuthorisationServiceTest, method shouldConstructASignedRequestJWT.

@Test
void shouldConstructASignedRequestJWT() throws JOSEException, ParseException {
    // A locally generated P-256 key stands in for the KMS signing key during the test.
    var ecSigningKey = new ECKeyGenerator(Curve.P_256).keyID(KEY_ID).algorithm(JWSAlgorithm.ES256).generate();
    var ecdsaSigner = new ECDSASigner(ecSigningKey);
    var jwtClaimsSet = new JWTClaimsSet.Builder().build();
    var jwsHeader = new JWSHeader(JWSAlgorithm.ES256);
    var signedJWT = new SignedJWT(jwsHeader, jwtClaimsSet);
    signedJWT.sign(ecdsaSigner);
    // KMS returns ECDSA signatures DER-encoded, whereas JWS uses the raw r||s concatenation.
    // Transcode the locally produced JWS signature to DER so the mocked SignResult looks like real KMS output,
    // which means the service under test is expected to perform the DER-to-JWS conversion itself.
    var signResult = new SignResult();
    byte[] signatureToDER = ECDSA.transcodeSignatureToDER(signedJWT.getSignature().decode());
    signResult.setSignature(ByteBuffer.wrap(signatureToDER));
    signResult.setKeyId(KEY_ID);
    signResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    when(kmsConnectionService.sign(any(SignRequest.class))).thenReturn(signResult);
    var state = new State();
    var pairwise = new Subject("pairwise-identifier");
    // The service produces a signed request object and encrypts it for the doc app; decrypt to inspect the claims.
    var encryptedJWT = authorisationService.constructRequestJWT(state, pairwise);
    var signedJWTResponse = decryptJWT(encryptedJWT);
    // Request object claims: this OP acts as the doc app's client (client_id and iss), sub is the pairwise ID
    // rather than the user's public subject, aud is the doc app authorisation endpoint, and state round-trips.
    assertThat(signedJWTResponse.getJWTClaimsSet().getClaim("client_id"), equalTo(DOC_APP_CLIENT_ID));
    assertThat(signedJWTResponse.getJWTClaimsSet().getClaim("state"), equalTo(state.getValue()));
    assertThat(signedJWTResponse.getJWTClaimsSet().getSubject(), equalTo(pairwise.getValue()));
    assertThat(signedJWTResponse.getJWTClaimsSet().getIssuer(), equalTo(DOC_APP_CLIENT_ID));
    assertThat(signedJWTResponse.getJWTClaimsSet().getAudience(), equalTo(singletonList(DOC_APP_AUTHORISATION_URI.toString())));
    assertThat(signedJWTResponse.getJWTClaimsSet().getClaim("response_type"), equalTo("code"));
}
Also used : SignResult(com.amazonaws.services.kms.model.SignResult) SignRequest(com.amazonaws.services.kms.model.SignRequest) ECDSASigner(com.nimbusds.jose.crypto.ECDSASigner) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) State(com.nimbusds.oauth2.sdk.id.State) ECKeyGenerator(com.nimbusds.jose.jwk.gen.ECKeyGenerator) SignedJWT(com.nimbusds.jwt.SignedJWT) JWSHeader(com.nimbusds.jose.JWSHeader) Subject(com.nimbusds.oauth2.sdk.id.Subject) Test(org.junit.jupiter.api.Test)
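Example 79 feeds the mocked KMS a DER signature produced with ECDSA.transcodeSignatureToDER because AWS KMS returns ECDSA signatures as a DER SEQUENCE of two INTEGERs, while JWS ES256 (RFC 7518, section 3.4) requires the fixed-width 64-byte r||s concatenation. A service that signs JWTs with KMS therefore has to do the reverse conversion, and the usual bug is assuming r and s are always 32 bytes: DER strips leading zero bytes and adds a 0x00 pad when the top bit is set, so each INTEGER is 31 to 33 bytes long. The block below is an added Python illustration of both directions; it is not code from di-authentication-api or from Nimbus JOSE+JWT, and the signature bytes it uses are constructed, not a real signature.

```python
"""ECDSA signature transcoding between DER (what AWS KMS returns) and the
fixed-width r||s concatenation required by JWS (RFC 7518 section 3.4).

Added illustration, not code from di-authentication-api or Nimbus JOSE+JWT.
"""
import base64

ES256_COORD_LEN = 32  # P-256 coordinates are 32 bytes, so a JWS ES256 signature is 64 bytes


def _read_tlv(buf: bytes, pos: int, tag: int) -> tuple[bytes, int]:
    """Read one DER tag-length-value at buf[pos]; return (value, position after it)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits give the number of following length octets
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length


def _int_to_fixed(value: bytes, coord_len: int) -> bytes:
    """DER INTEGER content -> unsigned big-endian value left-padded to coord_len bytes."""
    value = value.lstrip(b"\x00")  # DER adds a 0x00 pad byte when the top bit of r or s is set
    if len(value) > coord_len:
        raise ValueError("integer does not fit the curve's coordinate size")
    return value.rjust(coord_len, b"\x00")


def der_to_jws(der_sig: bytes, coord_len: int = ES256_COORD_LEN) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s } -> r||s with each part exactly coord_len bytes."""
    seq, end = _read_tlv(der_sig, 0, 0x30)
    if end != len(der_sig):
        raise ValueError("trailing bytes after DER SEQUENCE")
    r, pos = _read_tlv(seq, 0, 0x02)
    s, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("unexpected data after s")
    return _int_to_fixed(r, coord_len) + _int_to_fixed(s, coord_len)


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _fixed_to_der_int(value: bytes) -> bytes:
    """Unsigned big-endian bytes -> minimal DER INTEGER (strip zeros, re-add one if top bit set)."""
    value = value.lstrip(b"\x00") or b"\x00"
    if value[0] & 0x80:
        value = b"\x00" + value
    return b"\x02" + _der_len(len(value)) + value


def jws_to_der(jws_sig: bytes, coord_len: int = ES256_COORD_LEN) -> bytes:
    """r||s -> DER SEQUENCE; the direction the test above uses to emulate KMS output."""
    if len(jws_sig) != 2 * coord_len:
        raise ValueError(f"JWS signature must be {2 * coord_len} bytes, got {len(jws_sig)}")
    body = _fixed_to_der_int(jws_sig[:coord_len]) + _fixed_to_der_int(jws_sig[coord_len:])
    return b"\x30" + _der_len(len(body)) + body


def jws_signature_segment(der_sig: bytes, coord_len: int = ES256_COORD_LEN) -> str:
    """The third (signature) segment of a compact JWS, built from a KMS DER signature."""
    return base64.urlsafe_b64encode(der_to_jws(der_sig, coord_len)).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    # Constructed r||s: r has its top bit set (needs a DER pad byte), s has leading zeros.
    r = b"\xff" + b"\x01" * 31
    s = b"\x00\x00" + b"\x02" * 30
    der = jws_to_der(r + s)
    print("DER :", der.hex())
    print("JWS :", jws_signature_segment(der))
```

With the constructed r and s the DER form is 69 bytes (r encoded as 33 bytes with a pad, s as 30), while the JWS form is always exactly 64 bytes; der_to_jws also rejects trailing bytes after the SEQUENCE so a malformed or padded KMS response cannot slip through.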

Example 80 with Subject

Use of com.nimbusds.oauth2.sdk.id.Subject in project di-authentication-api by alphagov.

From class RemoveAccountIntegrationTest, method shouldThrowExceptionWhenUserAttemptsToDeleteDifferentAccount.

@Test
public void shouldThrowExceptionWhenUserAttemptsToDeleteDifferentAccount() {
    String user1Email = "joe.bloggs+3@digital.cabinet-office.gov.uk";
    String user2Email = "i-do-not-exist@example.com";
    String password1 = "password-1";
    String password2 = "password-2";
    // Two distinct users, each with a randomly generated Subject.
    Subject subject1 = new Subject();
    Subject subject2 = new Subject();
    String subjectId1 = userStore.signUp(user1Email, password1, subject1);
    userStore.signUp(user2Email, password2, subject2);
    // The caller is authenticated as user 1 (principalId comes from the authoriser context, not the body)
    // but asks to remove user 2's account. The handler must bind the target account to the authenticated
    // subject; otherwise any authenticated user could delete any other account by supplying its email.
    Exception ex = assertThrows(RuntimeException.class, () -> makeRequest(
            Optional.of(new RemoveAccountRequest(user2Email)),
            Collections.emptyMap(), Collections.emptyMap(), Collections.emptyMap(),
            Map.of("principalId", subjectId1)));
    assertThat(ex.getMessage(), is("Subject ID does not match principalId"));
}
Also used : RemoveAccountRequest(uk.gov.di.accountmanagement.entity.RemoveAccountRequest) Subject(com.nimbusds.oauth2.sdk.id.Subject) Test(org.junit.jupiter.api.Test) ApiGatewayHandlerIntegrationTest(uk.gov.di.authentication.sharedtest.basetest.ApiGatewayHandlerIntegrationTest)

Aggregations

Subject (com.nimbusds.oauth2.sdk.id.Subject): 59
Test (org.junit.jupiter.api.Test): 36
SignedJWT (com.nimbusds.jwt.SignedJWT): 22
Date (java.util.Date): 22
ApiGatewayHandlerIntegrationTest (uk.gov.di.authentication.sharedtest.basetest.ApiGatewayHandlerIntegrationTest): 19
UserProfile (uk.gov.di.authentication.shared.entity.UserProfile): 18
KeyPair (java.security.KeyPair): 16
BearerAccessToken (com.nimbusds.oauth2.sdk.token.BearerAccessToken): 15
JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet): 13
ParseException (com.nimbusds.oauth2.sdk.ParseException): 12
Scope (com.nimbusds.oauth2.sdk.Scope): 12
APIGatewayProxyRequestEvent (com.amazonaws.services.lambda.runtime.events.APIGatewayProxyRequestEvent): 11
APIGatewayProxyResponseEvent (com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent): 11
AccessToken (com.nimbusds.oauth2.sdk.token.AccessToken): 10
ECKeyGenerator (com.nimbusds.jose.jwk.gen.ECKeyGenerator): 9
ParameterizedTest (org.junit.jupiter.params.ParameterizedTest): 9
ECDSASigner (com.nimbusds.jose.crypto.ECDSASigner): 8
Issuer (com.nimbusds.oauth2.sdk.id.Issuer): 8
IDTokenClaimsSet (com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet): 8
LocalDateTime (java.time.LocalDateTime): 8