matrix/matrix-js-sdk
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-js-sdk.git synced 2025-08-07 23:02:56 +03:00
Code Activity

OIDC: validate id token (#3531)

Browse Source 
* validate id token

* comments

* tidy comments
This commit is contained in:
Kerry
2023-07-04 09:12:15 +12:00
committed by GitHub
parent 3a694f4998
commit 09de76bd43
7 changed files with 259 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
spec/unit/oidc/authorize.spec.ts
View File

@@ -15,6 +15,8 @@ limitations under the License.
*/
import fetchMock from "fetch-mock-jest";
import { mocked } from "jest-mock";
import jwtDecode from "jwt-decode";
import { Method } from "../../../src";
import * as crypto from "../../../src/crypto/crypto";
@@ -26,6 +28,8 @@ import {
} from "../../../src/oidc/authorize";
import { OidcError } from "../../../src/oidc/error";
jest.mock("jwt-decode");
// save for resetting mocks
const realSubtleCrypto = crypto.subtleCrypto;
@@ -112,15 +116,28 @@ describe("oidc authorization", () => {
describe("completeAuthorizationCodeGrant", () => {
const codeVerifier = "abc123";
const nonce = "test-nonce";
const redirectUri = baseUrl;
const code = "auth_code_xyz";
const validBearerTokenResponse = {
token_type: "Bearer",
access_token: "test_access_token",
refresh_token: "test_refresh_token",
id_token: "valid.id.token",
expires_in: 12345,
};
const validDecodedIdToken = {
// nonce matches
nonce,
// not expired
exp: Date.now() / 1000 + 100000,
// audience is this client
aud: clientId,
// issuer matches
iss: delegatedAuthConfig.issuer,
};
beforeEach(() => {
fetchMock.mockClear();
fetchMock.resetBehavior();
@@ -129,10 +146,18 @@ describe("oidc authorization", () => {
status: 200,
body: JSON.stringify(validBearerTokenResponse),
});
mocked(jwtDecode).mockReturnValue(validDecodedIdToken);
});
it("should make correct request to the token endpoint", async () => {
await completeAuthorizationCodeGrant(code, { clientId, codeVerifier, redirectUri, delegatedAuthConfig });
await completeAuthorizationCodeGrant(code, {
clientId,
codeVerifier,
redirectUri,
delegatedAuthConfig,
nonce,
});
expect(fetchMock).toHaveBeenCalledWith(tokenEndpoint, {
method: Method.Post,
@@ -147,6 +172,7 @@ describe("oidc authorization", () => {
codeVerifier,
redirectUri,
delegatedAuthConfig,
nonce,
});
expect(result).toEqual(validBearerTokenResponse);
@@ -171,6 +197,7 @@ describe("oidc authorization", () => {
codeVerifier,
redirectUri,
delegatedAuthConfig,
nonce,
});
// results in token that uses 'Bearer' token type
@@ -187,7 +214,13 @@ describe("oidc authorization", () => {
{ overwriteRoutes: true },
);
await expect(() =>
completeAuthorizationCodeGrant(code, { clientId, codeVerifier, redirectUri, delegatedAuthConfig }),
completeAuthorizationCodeGrant(code, {
clientId,
codeVerifier,
redirectUri,
delegatedAuthConfig,
nonce,
}),
).rejects.toThrow(new Error(OidcError.CodeExchangeFailed));
});
@@ -202,8 +235,31 @@ describe("oidc authorization", () => {
{ overwriteRoutes: true },
);
await expect(() =>
completeAuthorizationCodeGrant(code, { clientId, codeVerifier, redirectUri, delegatedAuthConfig }),
completeAuthorizationCodeGrant(code, {
clientId,
codeVerifier,
redirectUri,
delegatedAuthConfig,
nonce,
}),
).rejects.toThrow(new Error(OidcError.InvalidBearerTokenResponse));
});
it("should throw invalid id token error when id_token is invalid", async () => {
mocked(jwtDecode).mockReturnValue({
...validDecodedIdToken,
// invalid audience
aud: "something-else",
});
await expect(() =>
completeAuthorizationCodeGrant(code, {
clientId,
codeVerifier,
redirectUri,
delegatedAuthConfig,
nonce,
}),
).rejects.toThrow(new Error(OidcError.InvalidIdToken));
});
});
});