feat(op): ID token for device authorization grant (#500)

2023-12-18 09:39:39 +02:00 · 2023-12-18 09:39:39 +02:00 · b300027cd7
commit b300027cd7
parent 7bdaf9c71d
5 changed files with 162 additions and 42 deletions
--- a/pkg/op/device_test.go
+++ b/pkg/op/device_test.go
@ -453,3 +453,96 @@ func TestCheckDeviceAuthorizationState(t *testing.T) {
 		})
 	}
 }
+
+func TestCreateDeviceTokenResponse(t *testing.T) {
+	tests := []struct {
+		name             string
+		tokenRequest     op.TokenRequest
+		wantAccessToken  bool
+		wantRefreshToken bool
+		wantIDToken      bool
+		wantErr          bool
+	}{
+		{
+			name: "access token",
+			tokenRequest: &op.DeviceAuthorizationState{
+				ClientID: "client1",
+				Subject:  "id1",
+				AMR:      []string{"password"},
+				AuthTime: time.Now(),
+			},
+			wantAccessToken: true,
+		},
+		{
+			name: "access and refresh tokens",
+			tokenRequest: &op.DeviceAuthorizationState{
+				ClientID: "client1",
+				Subject:  "id1",
+				AMR:      []string{"password"},
+				AuthTime: time.Now(),
+				Scopes:   []string{oidc.ScopeOfflineAccess},
+			},
+			wantAccessToken:  true,
+			wantRefreshToken: true,
+		},
+		{
+			name: "access and id token",
+			tokenRequest: &op.DeviceAuthorizationState{
+				ClientID: "client1",
+				Subject:  "id1",
+				AMR:      []string{"password"},
+				AuthTime: time.Now(),
+				Scopes:   []string{oidc.ScopeOpenID},
+			},
+			wantAccessToken: true,
+			wantIDToken:     true,
+		},
+		{
+			name: "access, refresh and id token",
+			tokenRequest: &op.DeviceAuthorizationState{
+				ClientID: "client1",
+				Subject:  "id1",
+				AMR:      []string{"password"},
+				AuthTime: time.Now(),
+				Scopes:   []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID},
+			},
+			wantAccessToken:  true,
+			wantRefreshToken: true,
+			wantIDToken:      true,
+		},
+		{
+			name: "id token creation error",
+			tokenRequest: &op.DeviceAuthorizationState{
+				ClientID: "client1",
+				Subject:  "foobar",
+				AMR:      []string{"password"},
+				AuthTime: time.Now(),
+				Scopes:   []string{oidc.ScopeOfflineAccess, oidc.ScopeOpenID},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			client, err := testProvider.Storage().GetClientByClientID(context.Background(), "native")
+			require.NoError(t, err)
+
+			got, err := op.CreateDeviceTokenResponse(context.Background(), tt.tokenRequest, testProvider, client)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.InDelta(t, 300, got.ExpiresIn, 2)
+			if tt.wantAccessToken {
+				assert.NotEmpty(t, got.AccessToken, "access token")
+			}
+			if tt.wantRefreshToken {
+				assert.NotEmpty(t, got.RefreshToken, "refresh token")
+			}
+			if tt.wantIDToken {
+				assert.NotEmpty(t, got.IDToken, "id token")
+			}
+		})
+	}
+}