Example 6 with ClaimsSetRequest

Use of com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest in project di-authentication-api by alphagov.

From the class AuthorizationServiceTest, method shouldSuccessfullyValidateAuthRequestWhenValidClaimsArePresent.

@Test
void shouldSuccessfullyValidateAuthRequestWhenValidClaimsArePresent() {
    // Authorization code flow with the mandatory "openid" scope.
    ResponseType responseType = new ResponseType(ResponseType.Value.CODE);
    Scope scope = new Scope();
    scope.add(OIDCScopeValue.OPENID);
    // The client must be registered with the redirect URI used in the request,
    // otherwise validation would reject it before the claims are inspected.
    when(dynamoClientService.getClient(CLIENT_ID.toString())).thenReturn(Optional.of(generateClientRegistry(REDIRECT_URI.toString(), CLIENT_ID.toString())));
    // Request the "name" and "birthdate" claims via the OIDC "claims" parameter
    // (userinfo section), which is the case this test treats as valid.
    var claimsSetRequest = new ClaimsSetRequest().add("name").add("birthdate");
    var oidcClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
    AuthenticationRequest authRequest = generateAuthRequest(REDIRECT_URI.toString(), responseType, scope, jsonArrayOf("Cl.Cm", "Cl"), Optional.of(oidcClaimsRequest));
    // Validation returns an ErrorObject on failure; an empty Optional means the request passed.
    Optional<ErrorObject> errorObject = authorizationService.validateAuthRequest(authRequest);
    assertThat(errorObject, equalTo(Optional.empty()));
}
Also used : ClaimsSetRequest(com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest) OIDCClaimsRequest(com.nimbusds.openid.connect.sdk.OIDCClaimsRequest) Scope(com.nimbusds.oauth2.sdk.Scope) ErrorObject(com.nimbusds.oauth2.sdk.ErrorObject) AuthenticationRequest(com.nimbusds.openid.connect.sdk.AuthenticationRequest) ResponseType(com.nimbusds.oauth2.sdk.ResponseType) Test(org.junit.jupiter.api.Test)

Example 7 with ClaimsSetRequest

Use of com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest in project di-authentication-api by alphagov.

From the class TokenServiceTest, method shouldOnlyIncludeIdentityClaimsInAccessTokenWhenRequested.

@Test
void shouldOnlyIncludeIdentityClaimsInAccessTokenWhenRequested() throws ParseException, JOSEException, Json.JsonException, com.nimbusds.oauth2.sdk.ParseException {
    // Identity claims requested by the client via the OIDC "claims" parameter.
    var claimsSetRequest = new ClaimsSetRequest().add("nickname").add("birthdate");
    var oidcClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
    when(configurationService.getTokenSigningKeyAlias()).thenReturn(KEY_ID);
    createSignedIdToken();
    createSignedAccessToken();
    Map<String, Object> additionalTokenClaims = new HashMap<>();
    additionalTokenClaims.put("nonce", nonce);
    // The scopes include offline_access, so a refresh token is expected in the response.
    Set<String> claimsForListOfScopes = ValidScopes.getClaimsForListOfScopes(SCOPES_OFFLINE_ACCESS.toStringList());
    OIDCTokenResponse tokenResponse = tokenService.generateTokenResponse(CLIENT_ID, INTERNAL_SUBJECT, SCOPES_OFFLINE_ACCESS, additionalTokenClaims, PUBLIC_SUBJECT, VOT, Collections.singletonList(new ClientConsent(CLIENT_ID, claimsForListOfScopes, LocalDateTime.now(ZoneId.of("UTC")).toString())), false, oidcClaimsRequest, false);
    assertSuccessfullTokenResponse(tokenResponse);
    assertNotNull(tokenResponse.getOIDCTokens().getRefreshToken());
    // The refresh token must not carry the requested identity claims; only the access token does.
    assertNull(SignedJWT.parse(tokenResponse.getOIDCTokens().getRefreshToken().getValue()).getJWTClaimsSet().getClaim("claims"));
    JSONArray jsonarray = JSONArrayUtils.parse(SignedJWT.parse(tokenResponse.getOIDCTokens().getAccessToken().getValue()).getJWTClaimsSet().getClaim("claims").toString());
    assertTrue(jsonarray.contains("nickname"));
    assertTrue(jsonarray.contains("birthdate"));
    // The refresh token is persisted in Redis with a 300 second expiry, keyed by
    // REFRESH_TOKEN_PREFIX followed by the token's jti, so it can be looked up and revoked.
    RefreshTokenStore refreshTokenStore = new RefreshTokenStore(tokenResponse.getOIDCTokens().getRefreshToken().getValue(), INTERNAL_SUBJECT.getValue());
    ArgumentCaptor<String> redisKey = ArgumentCaptor.forClass(String.class);
    verify(redisConnectionService).saveWithExpiry(redisKey.capture(), eq(objectMapper.writeValueAsString(refreshTokenStore)), eq(300L));
    var refreshToken = SignedJWT.parse(tokenResponse.getOIDCTokens().getRefreshToken().getValue());
    var jti = refreshToken.getJWTClaimsSet().getJWTID();
    assertThat(redisKey.getValue(), startsWith(REFRESH_TOKEN_PREFIX));
    assertThat(redisKey.getValue().split(":")[1], equalTo(jti));
}
Also used : ClaimsSetRequest(com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest) RefreshTokenStore(uk.gov.di.authentication.shared.entity.RefreshTokenStore) HashMap(java.util.HashMap) OIDCTokenResponse(com.nimbusds.openid.connect.sdk.OIDCTokenResponse) JSONArray(net.minidev.json.JSONArray) ClientConsent(uk.gov.di.authentication.shared.entity.ClientConsent) OIDCClaimsRequest(com.nimbusds.openid.connect.sdk.OIDCClaimsRequest) ErrorObject(com.nimbusds.oauth2.sdk.ErrorObject) Test(org.junit.jupiter.api.Test)

Example 8 with ClaimsSetRequest

Use of com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest in project di-authentication-api by alphagov.

From the class TokenIntegrationTest, method shouldCallTokenResourceAndReturnIdentityClaims.

@Test
void shouldCallTokenResourceAndReturnIdentityClaims() throws Exception {
    // RSA key pair used for the client's private_key_jwt authentication to the token endpoint.
    KeyPair keyPair = KeyPairHelper.GENERATE_RSA_KEY_PAIR();
    Scope scope = new Scope(OIDCScopeValue.OPENID.getValue());
    // Identity claims requested via the OIDC "claims" parameter.
    var claimsSetRequest = new ClaimsSetRequest().add("nickname").add("birthdate");
    var oidcClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
    setUpDynamo(keyPair, scope, new Subject());
    var response = generateTokenRequest(keyPair, scope, Optional.of("P2.Cl.Cm"), Optional.of(oidcClaimsRequest), Optional.of(CLIENT_ID));
    assertThat(response, hasStatus(200));
    JSONObject jsonResponse = JSONObjectUtils.parse(response.getBody());
    // Only "openid" was requested (no offline_access), so no refresh token is issued.
    assertNull(TokenResponse.parse(jsonResponse).toSuccessResponse().getTokens().getRefreshToken());
    assertNotNull(TokenResponse.parse(jsonResponse).toSuccessResponse().getTokens().getBearerAccessToken());
    BearerAccessToken bearerAccessToken = TokenResponse.parse(jsonResponse).toSuccessResponse().getTokens().getBearerAccessToken();
    // The signed access token's "claims" claim lists the requested identity claims.
    JSONArray jsonarray = JSONArrayUtils.parse(SignedJWT.parse(bearerAccessToken.getValue()).getJWTClaimsSet().getClaim("claims").toString());
    assertTrue(jsonarray.contains("nickname"));
    assertTrue(jsonarray.contains("birthdate"));
    assertNoAuditEventsReceived(auditTopic);
}
Also used : ClaimsSetRequest(com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest) KeyPair(java.security.KeyPair) OIDCClaimsRequest(com.nimbusds.openid.connect.sdk.OIDCClaimsRequest) Scope(com.nimbusds.oauth2.sdk.Scope) JSONObject(net.minidev.json.JSONObject) JSONArray(net.minidev.json.JSONArray) BearerAccessToken(com.nimbusds.oauth2.sdk.token.BearerAccessToken) Subject(com.nimbusds.oauth2.sdk.id.Subject) Test(org.junit.jupiter.api.Test) ApiGatewayHandlerIntegrationTest(uk.gov.di.authentication.sharedtest.basetest.ApiGatewayHandlerIntegrationTest) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Example 9 with ClaimsSetRequest

Use of com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest in project di-authentication-api by alphagov.

From the class AccessTokenServiceTest, method shouldThrowExceptionWhenIdentityClaimsAreInvalid.

@Test
void shouldThrowExceptionWhenIdentityClaimsAreInvalid() throws Json.JsonException {
    // A claims request mixing "email" with the address claim is the invalid combination under test.
    var claimsSetRequest = new ClaimsSetRequest().add("email").add(ValidClaims.ADDRESS.getValue());
    var invalidClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
    accessToken = createSignedAccessToken(invalidClaimsRequest, false);
    // Signature and client lookup succeed, and the token is present in Redis, so the
    // only reason for rejection is the identity claims carried by the token.
    when(tokenValidationService.validateAccessTokenSignature(accessToken)).thenReturn(true);
    when(clientService.getClient(CLIENT_ID)).thenReturn(Optional.of(generateClientRegistry(SCOPES)));
    when(redisConnectionService.getValue(ACCESS_TOKEN_PREFIX + CLIENT_ID + "." + SUBJECT)).thenReturn(objectMapper.writeValueAsString(new AccessTokenStore(accessToken.getValue(), INTERNAL_SUBJECT.getValue())));
    // Parsing the Authorization header must fail closed with an INVALID_REQUEST error.
    var accessTokenException = assertThrows(AccessTokenException.class, () -> validationService.parse(accessToken.toAuthorizationHeader(), true), "Expected to throw AccessTokenException");
    assertThat(accessTokenException.getMessage(), equalTo("Invalid Identity claims"));
    assertThat(accessTokenException.getError(), equalTo(OAuth2Error.INVALID_REQUEST));
}
Also used : ClaimsSetRequest(com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest) OIDCClaimsRequest(com.nimbusds.openid.connect.sdk.OIDCClaimsRequest) AccessTokenStore(uk.gov.di.authentication.shared.entity.AccessTokenStore) Test(org.junit.jupiter.api.Test) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)

Aggregations (class, fully qualified name, number of examples using it)

OIDCClaimsRequest (com.nimbusds.openid.connect.sdk.OIDCClaimsRequest) 9
ClaimsSetRequest (com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest) 9
Test (org.junit.jupiter.api.Test) 9
Scope (com.nimbusds.oauth2.sdk.Scope) 5
ErrorObject (com.nimbusds.oauth2.sdk.ErrorObject) 4
ResponseType (com.nimbusds.oauth2.sdk.ResponseType) 4
BearerAccessToken (com.nimbusds.oauth2.sdk.token.BearerAccessToken) 3
AuthenticationRequest (com.nimbusds.openid.connect.sdk.AuthenticationRequest) 3
AccessTokenStore (uk.gov.di.authentication.shared.entity.AccessTokenStore) 3
ApiGatewayHandlerIntegrationTest (uk.gov.di.authentication.sharedtest.basetest.ApiGatewayHandlerIntegrationTest) 3
JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet) 2
Subject (com.nimbusds.oauth2.sdk.id.Subject) 2
JSONArray (net.minidev.json.JSONArray) 2
ParameterizedTest (org.junit.jupiter.params.ParameterizedTest) 2
ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper) 1
SignedJWT (com.nimbusds.jwt.SignedJWT) 1
AccessToken (com.nimbusds.oauth2.sdk.token.AccessToken) 1
OIDCTokenResponse (com.nimbusds.openid.connect.sdk.OIDCTokenResponse) 1
KeyPair (java.security.KeyPair) 1
LocalDateTime (java.time.LocalDateTime) 1