use of com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest in project di-authentication-api by alphagov.
the class AuthorizationServiceTest method shouldReturnErrorWhenValidatingAuthRequestWhichContainsInvalidClaims.
@Test
void shouldReturnErrorWhenValidatingAuthRequestWhichContainsInvalidClaims() {
ResponseType responseType = new ResponseType(ResponseType.Value.CODE);
Scope scope = new Scope();
scope.add(OIDCScopeValue.OPENID);
when(dynamoClientService.getClient(CLIENT_ID.toString())).thenReturn(Optional.of(generateClientRegistry(REDIRECT_URI.toString(), CLIENT_ID.toString())));
var claimsSetRequest = new ClaimsSetRequest().add("nickname").add("birthdate");
var oidcClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
AuthenticationRequest authRequest = generateAuthRequest(REDIRECT_URI.toString(), responseType, scope, jsonArrayOf("Cl.Cm", "Cl"), Optional.of(oidcClaimsRequest));
var errorObject = authorizationService.validateAuthRequest(authRequest);
assertTrue(errorObject.isPresent());
assertThat(errorObject.get().getErrorObject(), equalTo(new ErrorObject(OAuth2Error.INVALID_REQUEST_CODE, "Request contains invalid claims")));
}
use of com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest in project di-authentication-api by alphagov.
the class AuthorizationServiceTest method shouldSuccessfullyValidateAuthRequestWhenValidClaimsArePresent.
@Test
void shouldSuccessfullyValidateAuthRequestWhenValidClaimsArePresent() {
var scope = new Scope(OIDCScopeValue.OPENID);
var clientRegistry = new ClientRegistry().setRedirectUrls(singletonList(REDIRECT_URI.toString())).setClientID(CLIENT_ID.toString()).setScopes(scope.toStringList()).setClaims(List.of(ValidClaims.ADDRESS.getValue(), ValidClaims.CORE_IDENTITY_JWT.getValue()));
when(dynamoClientService.getClient(CLIENT_ID.toString())).thenReturn(Optional.of(clientRegistry));
var claimsSetRequest = new ClaimsSetRequest().add(ValidClaims.ADDRESS.getValue()).add(ValidClaims.CORE_IDENTITY_JWT.getValue());
var oidcClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
var authRequest = generateAuthRequest(REDIRECT_URI.toString(), new ResponseType(ResponseType.Value.CODE), scope, jsonArrayOf("Cl.Cm", "Cl"), Optional.of(oidcClaimsRequest));
var errorObject = authorizationService.validateAuthRequest(authRequest);
assertTrue(errorObject.isEmpty());
}
use of com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest in project di-authentication-api by alphagov.
the class UserInfoIntegrationTest method shouldReturn200WhenIdentityIsEnabledAndIdentityClaimsArePresent.
@Test
void shouldReturn200WhenIdentityIsEnabledAndIdentityClaimsArePresent() throws Json.JsonException, ParseException {
var configurationService = new UserInfoIntegrationTest.UserInfoConfigurationService();
handler = new UserInfoHandler(configurationService);
var claimsSetRequest = new ClaimsSetRequest().add(ValidClaims.CORE_IDENTITY_JWT.getValue()).add(ValidClaims.ADDRESS.getValue()).add(ValidClaims.PASSPORT.getValue());
var oidcValidClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
var claimsSet = new JWTClaimsSet.Builder().claim("scope", SCOPES).issuer("issuer-id").expirationTime(EXPIRY_DATE).issueTime(NowHelper.now()).claim("client_id", "client-id-one").subject(PUBLIC_SUBJECT.getValue()).jwtID(UUID.randomUUID().toString()).claim("claims", oidcValidClaimsRequest.getUserInfoClaimsRequest().getEntries().stream().map(ClaimsSetRequest.Entry::getClaimName).collect(Collectors.toList())).build();
var signedJWT = tokenSigner.signJwt(claimsSet);
var accessToken = new BearerAccessToken(signedJWT.serialize());
var accessTokenStore = new AccessTokenStore(accessToken.getValue(), INTERNAL_SUBJECT.getValue());
redis.addToRedis(ACCESS_TOKEN_PREFIX + CLIENT_ID + "." + PUBLIC_SUBJECT, objectMapper.writeValueAsString(accessTokenStore), 300L);
var signedCredential = SignedCredentialHelper.generateCredential();
setUpDynamo(signedCredential.serialize(), Map.of(ValidClaims.ADDRESS.getValue(), ADDRESS_CLAIM, ValidClaims.PASSPORT.getValue(), PASSPORT_CLAIM));
var response = makeRequest(Optional.empty(), Map.of("Authorization", accessToken.toAuthorizationHeader()), Map.of());
assertThat(response, hasStatus(200));
var userInfoResponse = UserInfo.parse(response.getBody());
assertThat(userInfoResponse.getEmailVerified(), equalTo(true));
assertThat(userInfoResponse.getEmailAddress(), equalTo(TEST_EMAIL_ADDRESS));
assertThat(userInfoResponse.getPhoneNumber(), equalTo(FORMATTED_PHONE_NUMBER));
assertThat(userInfoResponse.getPhoneNumberVerified(), equalTo(true));
assertThat(userInfoResponse.getSubject(), equalTo(PUBLIC_SUBJECT));
assertThat(userInfoResponse.getClaim(ValidClaims.ADDRESS.getValue()), equalTo(ADDRESS_CLAIM));
assertThat(userInfoResponse.getClaim(ValidClaims.PASSPORT.getValue()), equalTo(PASSPORT_CLAIM));
assertThat(userInfoResponse.getClaim(ValidClaims.CORE_IDENTITY_JWT.getValue()), equalTo(signedCredential.serialize()));
assertThat(userInfoResponse.toJWTClaimsSet().getClaims().size(), equalTo(8));
assertNoAuditEventsReceived(auditTopic);
}
use of com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest in project di-authentication-api by alphagov.
the class IdentityIntegrationTest method shouldReturn204WhenCallingIdentityLambda.
@Test
void shouldReturn204WhenCallingIdentityLambda() throws JsonProcessingException {
Subject internalSubject = new Subject();
Subject publicSubject = new Subject();
LocalDateTime localDateTime = LocalDateTime.now().plusMinutes(10);
Date expiryDate = Date.from(localDateTime.atZone(ZoneId.of("UTC")).toInstant());
List<String> scopes = new ArrayList<>();
scopes.add("email");
scopes.add("phone");
scopes.add("openid");
var claimsSetRequest = new ClaimsSetRequest().add("name").add("birthdate");
var oidcValidClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().claim("scope", scopes).issuer("issuer-id").expirationTime(expiryDate).issueTime(Date.from(LocalDateTime.now().atZone(ZoneId.of("UTC")).toInstant())).claim("client_id", "client-id-one").subject(publicSubject.getValue()).jwtID(UUID.randomUUID().toString()).claim("claims", oidcValidClaimsRequest.getUserInfoClaimsRequest().getEntries().stream().map(ClaimsSetRequest.Entry::getClaimName).collect(Collectors.toList())).build();
SignedJWT signedJWT = tokenSigner.signJwt(claimsSet);
AccessToken accessToken = new BearerAccessToken(signedJWT.serialize());
AccessTokenStore accessTokenStore = new AccessTokenStore(accessToken.getValue(), internalSubject.getValue());
String accessTokenStoreString = new ObjectMapper().writeValueAsString(accessTokenStore);
redis.addToRedis(ACCESS_TOKEN_PREFIX + CLIENT_ID + "." + publicSubject, accessTokenStoreString, 300L);
SignedJWT signedCredential = SignedCredentialHelper.generateCredential();
setUpDynamo(publicSubject.getValue(), signedCredential.serialize());
var response = makeRequest(Optional.empty(), Map.of("Authorization", accessToken.toAuthorizationHeader()), Map.of());
assertThat(response, hasStatus(200));
IdentityResponse identityResponse = new ObjectMapper().readValue(response.getBody(), IdentityResponse.class);
assertThat(identityResponse.getSub(), equalTo(publicSubject.getValue()));
assertThat(identityResponse.getIdentityCredential(), equalTo(signedCredential.serialize()));
assertThat(spotStore.getSpotCredential(publicSubject.getValue()), equalTo(Optional.empty()));
}
use of com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest in project di-authentication-api by alphagov.
the class AuthorizationServiceTest method shouldReturnErrorWhenValidatingAuthRequestWhichContainsInvalidClaims.
@Test
void shouldReturnErrorWhenValidatingAuthRequestWhichContainsInvalidClaims() {
ResponseType responseType = new ResponseType(ResponseType.Value.CODE);
Scope scope = new Scope();
scope.add(OIDCScopeValue.OPENID);
when(dynamoClientService.getClient(CLIENT_ID.toString())).thenReturn(Optional.of(generateClientRegistry(REDIRECT_URI.toString(), CLIENT_ID.toString())));
var claimsSetRequest = new ClaimsSetRequest().add("nickname").add("birthdate");
var oidcClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
AuthenticationRequest authRequest = generateAuthRequest(REDIRECT_URI.toString(), responseType, scope, jsonArrayOf("Cl.Cm", "Cl"), Optional.of(oidcClaimsRequest));
Optional<ErrorObject> errorObject = authorizationService.validateAuthRequest(authRequest);
assertThat(errorObject, equalTo(Optional.of(new ErrorObject(OAuth2Error.INVALID_REQUEST_CODE, "Request contains invalid claims"))));
}
Aggregations