Fix the authorization grant template

It previously relied on the client being in the authorization grant, which is not the case anymore. This commit also adds a test to ensure we're not breaking this template in the future.
2025-07-29 22:01:14 +03:00 · 2023-01-31 16:27:48 +01:00
parent 87914cbcb3
commit 39c126318f
9 changed files with 183 additions and 64 deletions
--- a/crates/data-model/src/oauth2/authorization_grant.rs
+++ b/crates/data-model/src/oauth2/authorization_grant.rs
@ -19,6 +19,11 @@ use mas_iana::oauth::PkceCodeChallengeMethod;
 use oauth2_types::{
    pkce::{CodeChallengeError, CodeChallengeMethodExt},
    requests::ResponseMode,
+    scope::{Scope, OPENID, PROFILE},
+};
+use rand::{
+    distributions::{Alphanumeric, DistString},
+    RngCore,
 };
 use serde::Serialize;
 use ulid::Ulid;
@ -146,7 +151,7 @@ pub struct AuthorizationGrant {
    pub code: Option<AuthorizationCode>,
    pub client_id: Ulid,
    pub redirect_uri: Url,
-    pub scope: oauth2_types::scope::Scope,
+    pub scope: Scope,
    pub state: Option<String>,
    pub nonce: Option<String>,
    pub max_age: Option<NonZeroU32>,
@ -190,4 +195,25 @@ impl AuthorizationGrant {
        self.stage = self.stage.cancel(canceld_at)?;
        Ok(self)
    }
+
+    pub fn sample(now: DateTime<Utc>, rng: &mut impl RngCore) -> Self {
+        Self {
+            id: Ulid::from_datetime_with_source(now.into(), rng),
+            stage: AuthorizationGrantStage::Pending,
+            code: Some(AuthorizationCode {
+                code: Alphanumeric.sample_string(rng, 10),
+                pkce: None,
+            }),
+            client_id: Ulid::from_datetime_with_source(now.into(), rng),
+            redirect_uri: Url::parse("http://localhost:8080").unwrap(),
+            scope: Scope::from_iter([OPENID, PROFILE]),
+            state: Some(Alphanumeric.sample_string(rng, 10)),
+            nonce: Some(Alphanumeric.sample_string(rng, 10)),
+            max_age: None,
+            response_mode: ResponseMode::Query,
+            response_type_id_token: false,
+            created_at: now,
+            requires_consent: false,
+        }
+    }
 }
--- a/crates/data-model/src/oauth2/client.rs
+++ b/crates/data-model/src/oauth2/client.rs
@ -12,12 +12,14 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

+use chrono::{DateTime, Utc};
 use mas_iana::{
    jose::JsonWebSignatureAlg,
    oauth::{OAuthAuthorizationEndpointResponseType, OAuthClientAuthenticationMethod},
 };
 use mas_jose::jwk::PublicJsonWebKeySet;
 use oauth2_types::requests::GrantType;
+use rand::RngCore;
 use serde::Serialize;
 use thiserror::Error;
 use ulid::Ulid;
@ -120,4 +122,56 @@ impl Client {
            _ => Err(InvalidRedirectUriError::NotAllowed),
        }
    }
+
+    pub fn samples(now: DateTime<Utc>, rng: &mut impl RngCore) -> Vec<Client> {
+        vec![
+            // A client with all the URIs set
+            Self {
+                id: Ulid::from_datetime_with_source(now.into(), rng),
+                client_id: "client1".to_owned(),
+                encrypted_client_secret: None,
+                redirect_uris: vec![
+                    Url::parse("https://client1.example.com/redirect").unwrap(),
+                    Url::parse("https://client1.example.com/redirect2").unwrap(),
+                ],
+                response_types: vec![OAuthAuthorizationEndpointResponseType::Code],
+                grant_types: vec![GrantType::AuthorizationCode, GrantType::RefreshToken],
+                contacts: vec!["foo@client1.example.com".to_owned()],
+                client_name: Some("Client 1".to_owned()),
+                client_uri: Some(Url::parse("https://client1.example.com").unwrap()),
+                logo_uri: Some(Url::parse("https://client1.example.com/logo.png").unwrap()),
+                tos_uri: Some(Url::parse("https://client1.example.com/tos").unwrap()),
+                policy_uri: Some(Url::parse("https://client1.example.com/policy").unwrap()),
+                initiate_login_uri: Some(
+                    Url::parse("https://client1.example.com/initiate-login").unwrap(),
+                ),
+                token_endpoint_auth_method: Some(OAuthClientAuthenticationMethod::None),
+                token_endpoint_auth_signing_alg: None,
+                id_token_signed_response_alg: None,
+                userinfo_signed_response_alg: None,
+                jwks: None,
+            },
+            // Another client without any URIs set
+            Self {
+                id: Ulid::from_datetime_with_source(now.into(), rng),
+                client_id: "client2".to_owned(),
+                encrypted_client_secret: None,
+                redirect_uris: vec![Url::parse("https://client2.example.com/redirect").unwrap()],
+                response_types: vec![OAuthAuthorizationEndpointResponseType::Code],
+                grant_types: vec![GrantType::AuthorizationCode, GrantType::RefreshToken],
+                contacts: vec!["foo@client2.example.com".to_owned()],
+                client_name: None,
+                client_uri: None,
+                logo_uri: None,
+                tos_uri: None,
+                policy_uri: None,
+                initiate_login_uri: None,
+                token_endpoint_auth_method: None,
+                token_endpoint_auth_signing_alg: None,
+                id_token_signed_response_alg: None,
+                userinfo_signed_response_alg: None,
+                jwks: None,
+            },
+        ]
+    }
 }