public function testSuccessfulRequestStripsExtraParameters()
 {
     $server = $this->getTestServer(array('allow_implicit' => true));
     $request = new Request(array('client_id' => 'Test Client ID', 'redirect_uri' => 'http://adobe.com?fake=something', 'response_type' => 'token', 'state' => 'test', 'fake' => 'something'));
     $server->handleAuthorizeRequest($request, $response = new Response(), true);
     $this->assertEquals($response->getStatusCode(), 302);
     $this->assertNull($response->getParameter('error'));
     $this->assertNull($response->getParameter('error_description'));
     $location = $response->getHttpHeader('Location');
     $parts = parse_url($location);
     $this->assertFalse(isset($parts['fake']));
     $this->assertArrayHasKey('fragment', $parts);
     parse_str($parts['fragment'], $params);
     $this->assertFalse(isset($parmas['fake']));
     $this->assertArrayHasKey('state', $params);
     $this->assertEquals($params['state'], 'test');
 }
 private function extractTokenDataFromResponse(Response $response)
 {
     // Pull the ID token out of an implicit-flow redirect (id_token only, no
     // access_token) and split it into decoded header, decoded payload and the
     // still-encoded signature segment.
     // NOTE: the signature is handed back untouched — nothing here verifies it;
     // callers that care about authenticity must check it themselves.
     $this->assertEquals($response->getStatusCode(), 302);
     $redirectUrl = $response->getHttpHeader('Location');
     $this->assertNotContains('error', $redirectUrl);
     $urlParts = parse_url($redirectUrl);
     // Implicit flow: the response travels in the fragment, never in the query.
     $this->assertArrayHasKey('fragment', $urlParts);
     $this->assertFalse(isset($urlParts['query']));
     parse_str($urlParts['fragment'], $fragmentParams);
     $this->assertNotNull($fragmentParams);
     $this->assertArrayHasKey('id_token', $fragmentParams);
     $this->assertArrayNotHasKey('access_token', $fragmentParams);
     // Compact JWS serialisation: header.payload.signature, each base64url.
     $segments = explode('.', $fragmentParams['id_token']);
     $jwt = new Jwt();
     $header = json_decode($jwt->urlSafeB64Decode($segments[0]), true);
     $payload = json_decode($jwt->urlSafeB64Decode($segments[1]), true);
     return array($header, $payload, $segments[2]);
 }
 public function testHandleAuthorizeRequest()
 {
     // Hybrid implicit request ("token id_token"): both an access token and an
     // ID token must come back in the fragment of the redirect, with no query
     // component, and the ID token must pass the shared validation helper.
     $server = $this->getTestServer(array('allow_implicit' => true));
     $authorizeParams = array(
         'response_type' => 'token id_token',
         'redirect_uri'  => 'http://adobe.com',
         'client_id'     => 'Test Client ID',
         'scope'         => 'openid',
         'state'         => 'test',
         'nonce'         => 'test',
     );
     $server->handleAuthorizeRequest(new Request($authorizeParams), $response = new Response(), true);
     $this->assertEquals($response->getStatusCode(), 302);
     $redirectUrl = $response->getHttpHeader('Location');
     $this->assertNotContains('error', $redirectUrl);
     $urlParts = parse_url($redirectUrl);
     $this->assertArrayHasKey('fragment', $urlParts);
     $this->assertFalse(isset($urlParts['query']));
     // The fragment must be application/x-www-form-urlencoded so parse_str() can read it.
     parse_str($urlParts['fragment'], $fragmentParams);
     $this->assertNotNull($fragmentParams);
     $this->assertArrayHasKey('id_token', $fragmentParams);
     $this->assertArrayHasKey('access_token', $fragmentParams);
     $this->validateIdToken($fragmentParams['id_token']);
 }
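 public function testHandleAuthorizeRequest()
 {
     // Hybrid "code id_token" request: the server is expected to return an
     // authorization code together with an ID token, and the ID token's
     // claims must be well-formed and bound to this client and nonce.
     $server = $this->getTestServer();
     $request = new Request(array('response_type' => 'code id_token', 'redirect_uri' => 'http://adobe.com', 'client_id' => 'Test Client ID', 'scope' => 'openid', 'state' => 'test', 'nonce' => 'test'));
     $server->handleAuthorizeRequest($request, $response = new Response(), true);
     $this->assertEquals($response->getStatusCode(), 302);
     $location = $response->getHttpHeader('Location');
     $this->assertNotContains('error', $location);
     $urlParts = parse_url($location);
     // This implementation delivers the hybrid response in the query component.
     $this->assertArrayHasKey('query', $urlParts);
     // assert the query is in "application/x-www-form-urlencoded" format
     parse_str($urlParts['query'], $params);
     $this->assertNotNull($params);
     $this->assertArrayHasKey('id_token', $params);
     $this->assertArrayHasKey('code', $params);
     // Decode the ID token: each segment is base64url; header and claims are
     // JSON, the signature segment is raw bytes (json_decode yields null).
     $segments = explode('.', $params['id_token']);
     foreach ($segments as &$segment) {
         $segment = str_replace(array('-', '_'), array('+', '/'), $segment);
         $segment = base64_decode($segment);
         $segment = json_decode($segment, true);
     }
     // Fixed: release the by-reference loop variable so it cannot alias the
     // last element if it is reused later in this method.
     unset($segment);
     list($header, $claims, $signature) = $segments;
     // Required OIDC ID-token claims (nonce/auth_time because they were requested).
     $this->assertArrayHasKey('iss', $claims);
     $this->assertArrayHasKey('sub', $claims);
     $this->assertArrayHasKey('aud', $claims);
     $this->assertArrayHasKey('iat', $claims);
     $this->assertArrayHasKey('exp', $claims);
     $this->assertArrayHasKey('auth_time', $claims);
     $this->assertArrayHasKey('nonce', $claims);
     // at_hash only exists if an access token was granted along with the id_token
     $this->assertArrayNotHasKey('at_hash', $claims);
     // NOTE(review): the signature segment is not verified here, and no c_hash
     // claim is asserted for the accompanying code — confirm whether the server
     // is expected to emit/verify them before relying on this test for that.
     $this->assertEquals($claims['iss'], 'test');
     $this->assertEquals($claims['aud'], 'Test Client ID');
     $this->assertEquals($claims['nonce'], 'test');
     // Default ID-token lifetime is one hour.
     $duration = $claims['exp'] - $claims['iat'];
     $this->assertEquals($duration, 3600);
 }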
 public function testOutOfScopeToken()
 {
     // A valid bearer token presented for a scope it was not issued for must be
     // rejected with 403 / insufficient_scope, and the WWW-Authenticate challenge
     // must advertise the scope that was required (RFC 6750 §3).
     $server = $this->getTestServer();
     $request = Request::createFromGlobals();
     $request->headers['AUTHORIZATION'] = 'Bearer accesstoken-scope';
     $requiredScope = 'outofscope';
     $response = new Response();
     $granted = $server->verifyResourceRequest($request, $response, $requiredScope);
     $this->assertFalse($granted);
     $this->assertEquals($response->getStatusCode(), 403);
     $this->assertEquals($response->getParameter('error'), 'insufficient_scope');
     $this->assertEquals($response->getParameter('error_description'), 'The request requires higher privileges than provided by the access token');
     // The challenge header carries scope="..." naming the missing scope.
     $challenge = $response->getHttpHeader('WWW-Authenticate');
     preg_match('/scope="(.*?)"/', $challenge, $matches);
     $this->assertCount(2, $matches);
     $this->assertEquals($matches[1], 'outofscope');
 }
 public function testAddingResponseType()
 {
     // The "code" response type must work whether it is registered through
     // addResponseType() or handed to the Server constructor without an explicit
     // key; both servers should issue a code to the same authorize request.
     $storage = $this->getMock('OAuth2\\Storage\\Memory');
     $storage->expects($this->any())->method('getClientDetails')->will($this->returnValue(array('client_id' => 'some_client')));
     $storage->expects($this->any())->method('checkRestrictedGrantType')->will($this->returnValue(true));
     // NOTE(review): the mocked client has no registered redirect_uri, so the
     // redirect_uri sent below is accepted unmatched — fine for this wiring test,
     // not a statement about redirect validation.
     $servers = array();
     // 1) response type added explicitly
     $explicitServer = new Server();
     $explicitServer->addStorage($storage);
     $explicitServer->addResponseType(new AuthorizationCode($storage));
     $servers[] = $explicitServer;
     // 2) response type passed to the constructor with no key
     $servers[] = new Server(array($storage), array(), array(), array(new AuthorizationCode($storage)));
     foreach ($servers as $server) {
         $request = new Request(array('response_type' => 'code', 'client_id' => 'some_client', 'redirect_uri' => 'http://example.com', 'state' => 'xyx'));
         $server->handleAuthorizeRequest($request, $response = new Response(), true);
         // a successful authorize request redirects with a code and no error
         $this->assertEquals($response->getStatusCode(), 302);
         $urlParts = parse_url($response->getHttpHeader('Location'));
         parse_str($urlParts['query'], $query);
         $this->assertTrue(isset($query['code']));
         $this->assertFalse(isset($query['error']));
     }
 }
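 protected function handleResponse(OAuth2Response $response)
 {
     // Turn the OAuth2 library's response into a framework result: a redirect
     // when the library produced a Location header, otherwise an error view
     // rendered from the response's error parameters.
     // NOTE(review): the Location value is trusted as-is and not re-validated
     // here; this relies on the OAuth2 server only emitting it for an approved
     // redirect_uri — confirm that assumption holds for every code path.
     $redirect = $response->getHttpHeader('Location');
     if (!empty($redirect)) {
         return $this->redirect()->toUrl($redirect);
     }
     $parameters = $response->getParameters();
     // Fixed: error and error_description were read unguarded; a response that
     // lacks them raised undefined-index notices. Treat all three as optional,
     // matching how error_uri was already handled.
     $error = isset($parameters['error']) ? $parameters['error'] : null;
     $errorDescription = isset($parameters['error_description']) ? $parameters['error_description'] : null;
     $errorUri = isset($parameters['error_uri']) ? $parameters['error_uri'] : null;
     $view = new ViewModel(array(
         'statusCode'       => $response->getStatusCode(),
         'statusText'       => $response->getStatusText(),
         'errorDescription' => $errorDescription,
         'error'            => $error,
         'errorUri'         => $errorUri,
     ));
     $view->setTemplate('kap-security/oauth-authorize-error');
     return $view;
 }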
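 public function testSuccessfulOpenidConnectRequest()
 {
     // Authorization-code flow with OpenID Connect enabled: the redirect must
     // carry the code in the query (no fragment), no error, and the server must
     // have minted an id_token and stored it alongside the code so the token
     // endpoint can release it later.
     $server = $this->getTestServer(array('use_openid_connect' => true, 'issuer' => 'bojanz'));
     $request = new Request(array('client_id' => 'Test Client ID', 'redirect_uri' => 'http://adobe.com', 'response_type' => 'code', 'state' => 'xyz', 'scope' => 'openid'));
     $server->handleAuthorizeRequest($request, $response = new Response(), true);
     $this->assertEquals($response->getStatusCode(), 302);
     // Fixed: the Location header was fetched and parsed twice; parse it once.
     $location = $response->getHttpHeader('Location');
     $parts = parse_url($location);
     $this->assertArrayHasKey('query', $parts);
     $this->assertFalse(isset($parts['fragment']));
     // assert the query is in "application/x-www-form-urlencoded" format
     parse_str($parts['query'], $query);
     $this->assertNotNull($query);
     $this->assertArrayHasKey('code', $query);
     // ensure no error was returned
     $this->assertFalse(isset($query['error']));
     $this->assertFalse(isset($query['error_description']));
     // confirm that the id_token has been created and persisted with the code
     $storage = $server->getStorage('authorization_code');
     $code = $storage->getAuthorizationCode($query['code']);
     $this->assertTrue(!empty($code['id_token']));
 }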