oauth2-proxy/providers/adfs_test.go

package providers

import (
	"context"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"

	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/golang-jwt/jwt/v5"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
	internaloidc "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/providers/oidc"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/ginkgo/extensions/table"
	. "github.com/onsi/gomega"
)

type fakeADFSJwks struct{}

func (fakeADFSJwks) VerifySignature(_ context.Context, jwt string) (payload []byte, err error) {
	decodeString, err := base64.RawURLEncoding.DecodeString(strings.Split(jwt, ".")[1])
	if err != nil {
		return nil, err
	}
	return decodeString, nil
}

type adfsClaims struct {
	UPN string `json:"upn,omitempty"`
	idTokenClaims
}

func newSignedTestADFSToken(tokenClaims adfsClaims) (string, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	standardClaims := jwt.NewWithClaims(jwt.SigningMethodRS256, tokenClaims)
	return standardClaims.SignedString(key)
}

func testADFSProvider(hostname string) *ADFSProvider {
	verificationOptions := internaloidc.IDTokenVerificationOptions{
		AudienceClaims: []string{"aud"},
		ClientID:       "https://test.myapp.com",
	}

	o := internaloidc.NewVerifier(oidc.NewVerifier(
		"https://issuer.example.com",
		fakeADFSJwks{},
		&oidc.Config{ClientID: "https://test.myapp.com"},
	), verificationOptions)

	p := NewADFSProvider(&ProviderData{
		ProviderName: "",
		LoginURL:     &url.URL{},
		RedeemURL:    &url.URL{},
		ProfileURL:   &url.URL{},
		ValidateURL:  &url.URL{},
		Scope:        "",
		Verifier:     o,
		EmailClaim:   options.OIDCEmailClaim,
	}, options.Provider{})

	if hostname != "" {
		updateURL(p.Data().LoginURL, hostname)
		updateURL(p.Data().RedeemURL, hostname)
		updateURL(p.Data().ProfileURL, hostname)
		updateURL(p.Data().ValidateURL, hostname)
	}

	return p
}

func testADFSBackend() *httptest.Server {
	authResponse := `
		{
			"access_token": "my_access_token",
			"id_token": "my_id_token",
			"refresh_token": "my_refresh_token"
		 }
	`
	userInfo := `
		{
			"email": "samiracho@email.com"
		}
	`

	refreshResponse := `{ "access_token": "new_some_access_token", "refresh_token": "new_some_refresh_token", "expires_in": "32693148245", "id_token": "new_some_id_token" }`

	authHeader := "Bearer adfs_access_token"

	return httptest.NewServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) {
			switch r.URL.Path {
			case "/adfs/oauth2/authorize":
				w.WriteHeader(200)
				w.Write([]byte(authResponse))
			case "/adfs/oauth2/refresh":
				w.WriteHeader(200)
				w.Write([]byte(refreshResponse))
			case "/adfs/oauth2/userinfo":
				if r.Header["Authorization"][0] == authHeader {
					w.WriteHeader(200)
					w.Write([]byte(userInfo))
				} else {
					w.WriteHeader(401)
				}
			default:
				w.WriteHeader(200)
			}
		}))
}

var _ = Describe("ADFS Provider Tests", func() {
	var p *ADFSProvider
	var b *httptest.Server

	BeforeEach(func() {
		b = testADFSBackend()

		bURL, err := url.Parse(b.URL)
		Expect(err).To(BeNil())

		p = testADFSProvider(bURL.Host)
	})

	AfterEach(func() {
		b.Close()
	})

	Context("New Provider Init", func() {
		It("uses defaults", func() {
			providerData := NewADFSProvider(&ProviderData{}, options.Provider{}).Data()
			Expect(providerData.ProviderName).To(Equal("ADFS"))
			Expect(providerData.Scope).To(Equal(oidcDefaultScope))
		})
		It("uses custom scope", func() {
			providerData := NewADFSProvider(&ProviderData{Scope: "openid email"}, options.Provider{}).Data()
			Expect(providerData.ProviderName).To(Equal("ADFS"))
			Expect(providerData.Scope).To(Equal("openid email"))
			Expect(providerData.Scope).NotTo(Equal(oidcDefaultScope))
		})
	})

	Context("with bad token", func() {
		It("should trigger an error", func() {
			session := &sessions.SessionState{AccessToken: "unexpected_adfs_access_token", IDToken: "malformed_token"}
			err := p.EnrichSession(context.Background(), session)
			Expect(err).NotTo(BeNil())
		})
	})

	Context("with valid token", func() {
		It("should not throw an error", func() {
			rawIDToken, _ := newSignedTestIDToken(defaultIDToken)
			session, err := p.buildSessionFromClaims(rawIDToken, "")
			Expect(err).To(BeNil())
			session.IDToken = rawIDToken
			err = p.EnrichSession(context.Background(), session)
			Expect(session.Email).To(Equal("janed@me.com"))
			Expect(err).To(BeNil())
		})
	})

	Context("with skipScope enabled", func() {
		It("should not include parameter scope", func() {
			resource, _ := url.Parse("http://example.com")
			p := NewADFSProvider(&ProviderData{
				ProtectedResource: resource,
				Scope:             "",
			}, options.Provider{
				ADFSConfig: options.ADFSOptions{SkipScope: true},
			})

			result := p.GetLoginURL("https://example.com/adfs/oauth2/", "", "", url.Values{})
			Expect(result).NotTo(ContainSubstring("scope="))
		})
	})

	Context("With resource parameter", func() {
		type scopeTableInput struct {
			resource      string
			scope         string
			expectedScope string
		}

		DescribeTable("should return expected results",
			func(in scopeTableInput) {
				resource, _ := url.Parse(in.resource)
				p := NewADFSProvider(&ProviderData{
					ProtectedResource: resource,
					Scope:             in.scope,
				}, options.Provider{})

				Expect(p.Data().Scope).To(Equal(in.expectedScope))
				result := p.GetLoginURL("https://example.com/adfs/oauth2/", "", "", url.Values{})
				Expect(result).To(ContainSubstring("scope=" + url.QueryEscape(in.expectedScope)))
			},
			Entry("should add slash", scopeTableInput{
				resource:      "http://resource.com",
				scope:         "openid",
				expectedScope: "http://resource.com/openid",
			}),
			Entry("shouldn't add extra slash", scopeTableInput{
				resource:      "http://resource.com/",
				scope:         "openid",
				expectedScope: "http://resource.com/openid",
			}),
			Entry("should add default scopes with resource", scopeTableInput{
				resource:      "http://resource.com/",
				scope:         "",
				expectedScope: "http://resource.com/openid email profile",
			}),
			Entry("should add default scopes", scopeTableInput{
				resource:      "",
				scope:         "",
				expectedScope: "openid email profile",
			}),
			Entry("shouldn't add resource if already in scopes", scopeTableInput{
				resource:      "http://resource.com",
				scope:         "http://resource.com/openid",
				expectedScope: "http://resource.com/openid",
			}),
		)
	})

	Context("UPN Fallback", func() {
		var idToken string
		var session *sessions.SessionState

		BeforeEach(func() {
			var err error
			idToken, err = newSignedTestADFSToken(adfsClaims{
				UPN:           "upn@company.com",
				idTokenClaims: minimalIDToken,
			})
			Expect(err).ToNot(HaveOccurred())

			session = &sessions.SessionState{
				IDToken: idToken,
			}
		})

		Describe("EnrichSession", func() {
			It("uses email claim if present", func() {
				p.oidcEnrichFunc = func(_ context.Context, s *sessions.SessionState) error {
					s.Email = "person@company.com"
					return nil
				}

				err := p.EnrichSession(context.Background(), session)
				Expect(err).ToNot(HaveOccurred())
				Expect(session.Email).To(Equal("person@company.com"))
			})

			It("falls back to UPN claim if Email is missing", func() {
				p.oidcEnrichFunc = func(_ context.Context, s *sessions.SessionState) error {
					return nil
				}

				err := p.EnrichSession(context.Background(), session)
				Expect(err).ToNot(HaveOccurred())
				Expect(session.Email).To(Equal("upn@company.com"))
			})

			It("falls back to UPN claim on errors", func() {
				p.oidcEnrichFunc = func(_ context.Context, s *sessions.SessionState) error {
					return errors.New("neither the id_token nor the profileURL set an email")
				}

				err := p.EnrichSession(context.Background(), session)
				Expect(err).ToNot(HaveOccurred())
				Expect(session.Email).To(Equal("upn@company.com"))
			})
		})

		Describe("RefreshSession", func() {
			It("uses email claim if present", func() {
				p.oidcRefreshFunc = func(_ context.Context, s *sessions.SessionState) (bool, error) {
					s.Email = "person@company.com"
					return true, nil
				}

				_, err := p.RefreshSession(context.Background(), session)
				Expect(err).ToNot(HaveOccurred())
				Expect(session.Email).To(Equal("person@company.com"))
			})

			It("falls back to UPN claim if Email is missing", func() {
				p.oidcRefreshFunc = func(_ context.Context, s *sessions.SessionState) (bool, error) {
					return true, nil
				}

				_, err := p.RefreshSession(context.Background(), session)
				Expect(err).ToNot(HaveOccurred())
				Expect(session.Email).To(Equal("upn@company.com"))
			})
		})
	})
})
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`package providers`

			`import (`
			`"context"`
Use upn claim as a fallback in Enrich & Refresh Only when `email` claim is missing, fallback to `upn` claim which may have it. 2021-06-23 03:50:47 +02:00			`"crypto/rand"`
			`"crypto/rsa"`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`"encoding/base64"`
Handle UPN fallback when profileURL isn't set 2021-07-03 22:40:34 +02:00			`"errors"`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`"net/http"`
			`"net/http/httptest"`
			`"net/url"`
			`"strings"`

Upgrade go-oidc to v3 (#1264) 2021-07-17 18:55:05 +02:00			`"github.com/coreos/go-oidc/v3/oidc"`
chore: Updated go-jwt to v5 2024-03-04 02:42:00 +02:00			`"github.com/golang-jwt/jwt/v5"`
Move provider initialisation into providers package 2022-02-15 13:18:32 +02:00			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"`
Move internal OIDC package to providers package 2022-02-15 19:24:48 +02:00			`internaloidc "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/providers/oidc"`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`. "github.com/onsi/ginkgo"`
			`. "github.com/onsi/ginkgo/extensions/table"`
			`. "github.com/onsi/gomega"`
			`)`

			`type fakeADFSJwks struct{}`

			`func (fakeADFSJwks) VerifySignature(_ context.Context, jwt string) (payload []byte, err error) {`
			`decodeString, err := base64.RawURLEncoding.DecodeString(strings.Split(jwt, ".")[1])`
			`if err != nil {`
			`return nil, err`
			`}`
			`return decodeString, nil`
			`}`

Use upn claim as a fallback in Enrich & Refresh Only when `email` claim is missing, fallback to `upn` claim which may have it. 2021-06-23 03:50:47 +02:00			`type adfsClaims struct {`
			UPN string `json:"upn,omitempty"`
			`idTokenClaims`
			`}`

			`func newSignedTestADFSToken(tokenClaims adfsClaims) (string, error) {`
			`key, _ := rsa.GenerateKey(rand.Reader, 2048)`
			`standardClaims := jwt.NewWithClaims(jwt.SigningMethodRS256, tokenClaims)`
			`return standardClaims.SignedString(key)`
			`}`
Added ADFS Provider 2021-06-13 10:00:12 +02:00
Use upn claim as a fallback in Enrich & Refresh Only when `email` claim is missing, fallback to `upn` claim which may have it. 2021-06-23 03:50:47 +02:00			`func testADFSProvider(hostname string) *ADFSProvider {`
Move OIDC IDToken verifier behind interface 2022-02-16 16:06:25 +02:00			`verificationOptions := internaloidc.IDTokenVerificationOptions{`
improved audience handling to support client credentials access tokens without aud claims (#1204) * implementation draft * add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options * refactor configs, added logging and add additional claim verification * simplify logic by just having one configuration similar to oidc-email-claim * added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers * refactored verification to reduce complexity * refactored verification to reduce complexity * added docs * adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options * extend unit tests and ensure that audience is set with the value of aud claim configuration * revert filemodes and update docs * update docs * remove unneccesary logging, refactor audience existence check and added additional unit tests * fix linting issues after rebase on origin/main * cleanup: use new imports for migrated libraries after rebase on origin/main * adapt mock in keycloak_oidc_test.go * allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation * fixed formatting issue * do not pass the whole options struct to minimize complexity and dependency to the configuration structure * added changelog entry * update docs Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com> Co-authored-by: Christian Zenker <christian.zenker@aoe.com> 2022-02-15 18:12:22 +02:00			`AudienceClaims: []string{"aud"},`
			`ClientID: "https://test.myapp.com",`
			`}`

			`o := internaloidc.NewVerifier(oidc.NewVerifier(`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`"https://issuer.example.com",`
			`fakeADFSJwks{},`
			`&oidc.Config{ClientID: "https://test.myapp.com"},`
improved audience handling to support client credentials access tokens without aud claims (#1204) * implementation draft * add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options * refactor configs, added logging and add additional claim verification * simplify logic by just having one configuration similar to oidc-email-claim * added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers * refactored verification to reduce complexity * refactored verification to reduce complexity * added docs * adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options * extend unit tests and ensure that audience is set with the value of aud claim configuration * revert filemodes and update docs * update docs * remove unneccesary logging, refactor audience existence check and added additional unit tests * fix linting issues after rebase on origin/main * cleanup: use new imports for migrated libraries after rebase on origin/main * adapt mock in keycloak_oidc_test.go * allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation * fixed formatting issue * do not pass the whole options struct to minimize complexity and dependency to the configuration structure * added changelog entry * update docs Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com> Co-authored-by: Christian Zenker <christian.zenker@aoe.com> 2022-02-15 18:12:22 +02:00			`), verificationOptions)`
Added ADFS Provider 2021-06-13 10:00:12 +02:00
			`p := NewADFSProvider(&ProviderData{`
			`ProviderName: "",`
			`LoginURL: &url.URL{},`
			`RedeemURL: &url.URL{},`
			`ProfileURL: &url.URL{},`
			`ValidateURL: &url.URL{},`
			`Scope: "",`
			`Verifier: o,`
Move provider initialisation into providers package 2022-02-15 13:18:32 +02:00			`EmailClaim: options.OIDCEmailClaim,`
bugfix: OIDCConfig based providers are not respecting flags and configs (#2299) * add full support for all oidc config based providers to use and respect all configs set via OIDCConfig * add changelog entry --------- Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2023-11-25 13:32:31 +02:00			`}, options.Provider{})`
Added ADFS Provider 2021-06-13 10:00:12 +02:00
			`if hostname != "" {`
			`updateURL(p.Data().LoginURL, hostname)`
			`updateURL(p.Data().RedeemURL, hostname)`
			`updateURL(p.Data().ProfileURL, hostname)`
			`updateURL(p.Data().ValidateURL, hostname)`
			`}`

			`return p`
			`}`

			`func testADFSBackend() *httptest.Server {`
			authResponse := `
			`{`
			`"access_token": "my_access_token",`
			`"id_token": "my_id_token",`
Integrate claim extractor into providers 2021-06-26 12:49:08 +02:00			`"refresh_token": "my_refresh_token"`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`}`
			`
			userInfo := `
			`{`
			`"email": "samiracho@email.com"`
			`}`
			`

			refreshResponse := `{ "access_token": "new_some_access_token", "refresh_token": "new_some_refresh_token", "expires_in": "32693148245", "id_token": "new_some_id_token" }`

			`authHeader := "Bearer adfs_access_token"`

			`return httptest.NewServer(http.HandlerFunc(`
			`func(w http.ResponseWriter, r *http.Request) {`
			`switch r.URL.Path {`
			`case "/adfs/oauth2/authorize":`
			`w.WriteHeader(200)`
			`w.Write([]byte(authResponse))`
			`case "/adfs/oauth2/refresh":`
			`w.WriteHeader(200)`
			`w.Write([]byte(refreshResponse))`
			`case "/adfs/oauth2/userinfo":`
			`if r.Header["Authorization"][0] == authHeader {`
			`w.WriteHeader(200)`
			`w.Write([]byte(userInfo))`
			`} else {`
			`w.WriteHeader(401)`
			`}`
			`default:`
			`w.WriteHeader(200)`
			`}`
			`}))`
			`}`

			`var _ = Describe("ADFS Provider Tests", func() {`
			`var p *ADFSProvider`
			`var b *httptest.Server`

			`BeforeEach(func() {`
			`b = testADFSBackend()`

			`bURL, err := url.Parse(b.URL)`
			`Expect(err).To(BeNil())`

			`p = testADFSProvider(bURL.Host)`
			`})`

			`AfterEach(func() {`
			`b.Close()`
			`})`

			`Context("New Provider Init", func() {`
			`It("uses defaults", func() {`
bugfix: OIDCConfig based providers are not respecting flags and configs (#2299) * add full support for all oidc config based providers to use and respect all configs set via OIDCConfig * add changelog entry --------- Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2023-11-25 13:32:31 +02:00			`providerData := NewADFSProvider(&ProviderData{}, options.Provider{}).Data()`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`Expect(providerData.ProviderName).To(Equal("ADFS"))`
bugfix: default scopes for OIDCProvider based providers 2023-09-10 21:57:08 +02:00			`Expect(providerData.Scope).To(Equal(oidcDefaultScope))`
			`})`
			`It("uses custom scope", func() {`
bugfix: OIDCConfig based providers are not respecting flags and configs (#2299) * add full support for all oidc config based providers to use and respect all configs set via OIDCConfig * add changelog entry --------- Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2023-11-25 13:32:31 +02:00			`providerData := NewADFSProvider(&ProviderData{Scope: "openid email"}, options.Provider{}).Data()`
bugfix: default scopes for OIDCProvider based providers 2023-09-10 21:57:08 +02:00			`Expect(providerData.ProviderName).To(Equal("ADFS"))`
			`Expect(providerData.Scope).To(Equal("openid email"))`
			`Expect(providerData.Scope).NotTo(Equal(oidcDefaultScope))`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`})`
			`})`

			`Context("with bad token", func() {`
			`It("should trigger an error", func() {`
			`session := &sessions.SessionState{AccessToken: "unexpected_adfs_access_token", IDToken: "malformed_token"}`
			`err := p.EnrichSession(context.Background(), session)`
			`Expect(err).NotTo(BeNil())`
			`})`
			`})`

			`Context("with valid token", func() {`
			`It("should not throw an error", func() {`
			`rawIDToken, _ := newSignedTestIDToken(defaultIDToken)`
Integrate claim extractor into providers 2021-06-26 12:49:08 +02:00			`session, err := p.buildSessionFromClaims(rawIDToken, "")`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`Expect(err).To(BeNil())`
Use `upn` as EmailClaim throughout ADFSProvider By only overriding in the EnrichSession, any Refresh calls would've overriden it with the `email` claim. 2021-06-20 01:06:58 +02:00			`session.IDToken = rawIDToken`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`err = p.EnrichSession(context.Background(), session)`
			`Expect(session.Email).To(Equal("janed@me.com"))`
			`Expect(err).To(BeNil())`
			`})`
			`})`

			`Context("with skipScope enabled", func() {`
			`It("should not include parameter scope", func() {`
			`resource, _ := url.Parse("http://example.com")`
			`p := NewADFSProvider(&ProviderData{`
			`ProtectedResource: resource,`
			`Scope: "",`
bugfix: OIDCConfig based providers are not respecting flags and configs (#2299) * add full support for all oidc config based providers to use and respect all configs set via OIDCConfig * add changelog entry --------- Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2023-11-25 13:32:31 +02:00			`}, options.Provider{`
			`ADFSConfig: options.ADFSOptions{SkipScope: true},`
			`})`
Added ADFS Provider 2021-06-13 10:00:12 +02:00
Support for passing through URL query parameters from /oauth2/start to the ID provider's login URL. You must explicitly configure oauth2-proxy (alpha config only) with which parameters are allowed to pass through, and optionally provide an allow-list of valid values and/or regular expressions for each one. Note that this mechanism subsumes the functionality of the "prompt", "approval_prompt" and "acr_values" legacy configuration options, which must be converted to the equivalent YAML when running in alpha config mode. 2022-02-16 18:18:51 +02:00			`result := p.GetLoginURL("https://example.com/adfs/oauth2/", "", "", url.Values{})`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`Expect(result).NotTo(ContainSubstring("scope="))`
			`})`
			`})`

			`Context("With resource parameter", func() {`
			`type scopeTableInput struct {`
			`resource string`
			`scope string`
			`expectedScope string`
			`}`

			`DescribeTable("should return expected results",`
			`func(in scopeTableInput) {`
			`resource, _ := url.Parse(in.resource)`
			`p := NewADFSProvider(&ProviderData{`
			`ProtectedResource: resource,`
			`Scope: in.scope,`
bugfix: OIDCConfig based providers are not respecting flags and configs (#2299) * add full support for all oidc config based providers to use and respect all configs set via OIDCConfig * add changelog entry --------- Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2023-11-25 13:32:31 +02:00			`}, options.Provider{})`
Added ADFS Provider 2021-06-13 10:00:12 +02:00
			`Expect(p.Data().Scope).To(Equal(in.expectedScope))`
Support for passing through URL query parameters from /oauth2/start to the ID provider's login URL. You must explicitly configure oauth2-proxy (alpha config only) with which parameters are allowed to pass through, and optionally provide an allow-list of valid values and/or regular expressions for each one. Note that this mechanism subsumes the functionality of the "prompt", "approval_prompt" and "acr_values" legacy configuration options, which must be converted to the equivalent YAML when running in alpha config mode. 2022-02-16 18:18:51 +02:00			`result := p.GetLoginURL("https://example.com/adfs/oauth2/", "", "", url.Values{})`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`Expect(result).To(ContainSubstring("scope=" + url.QueryEscape(in.expectedScope)))`
			`},`
			`Entry("should add slash", scopeTableInput{`
			`resource: "http://resource.com",`
			`scope: "openid",`
			`expectedScope: "http://resource.com/openid",`
			`}),`
			`Entry("shouldn't add extra slash", scopeTableInput{`
			`resource: "http://resource.com/",`
			`scope: "openid",`
			`expectedScope: "http://resource.com/openid",`
			`}),`
			`Entry("should add default scopes with resource", scopeTableInput{`
			`resource: "http://resource.com/",`
			`scope: "",`
			`expectedScope: "http://resource.com/openid email profile",`
			`}),`
			`Entry("should add default scopes", scopeTableInput{`
			`resource: "",`
			`scope: "",`
			`expectedScope: "openid email profile",`
			`}),`
			`Entry("shouldn't add resource if already in scopes", scopeTableInput{`
			`resource: "http://resource.com",`
			`scope: "http://resource.com/openid",`
			`expectedScope: "http://resource.com/openid",`
			`}),`
			`)`
			`})`
Use upn claim as a fallback in Enrich & Refresh Only when `email` claim is missing, fallback to `upn` claim which may have it. 2021-06-23 03:50:47 +02:00
			`Context("UPN Fallback", func() {`
			`var idToken string`
			`var session *sessions.SessionState`

			`BeforeEach(func() {`
			`var err error`
			`idToken, err = newSignedTestADFSToken(adfsClaims{`
			`UPN: "upn@company.com",`
			`idTokenClaims: minimalIDToken,`
			`})`
			`Expect(err).ToNot(HaveOccurred())`

			`session = &sessions.SessionState{`
			`IDToken: idToken,`
			`}`
			`})`

			`Describe("EnrichSession", func() {`
			`It("uses email claim if present", func() {`
			`p.oidcEnrichFunc = func(_ context.Context, s *sessions.SessionState) error {`
			`s.Email = "person@company.com"`
			`return nil`
			`}`

			`err := p.EnrichSession(context.Background(), session)`
			`Expect(err).ToNot(HaveOccurred())`
			`Expect(session.Email).To(Equal("person@company.com"))`
			`})`

			`It("falls back to UPN claim if Email is missing", func() {`
			`p.oidcEnrichFunc = func(_ context.Context, s *sessions.SessionState) error {`
			`return nil`
			`}`

			`err := p.EnrichSession(context.Background(), session)`
			`Expect(err).ToNot(HaveOccurred())`
			`Expect(session.Email).To(Equal("upn@company.com"))`
			`})`
Handle UPN fallback when profileURL isn't set 2021-07-03 22:40:34 +02:00
			`It("falls back to UPN claim on errors", func() {`
			`p.oidcEnrichFunc = func(_ context.Context, s *sessions.SessionState) error {`
			`return errors.New("neither the id_token nor the profileURL set an email")`
			`}`

			`err := p.EnrichSession(context.Background(), session)`
			`Expect(err).ToNot(HaveOccurred())`
			`Expect(session.Email).To(Equal("upn@company.com"))`
			`})`
Use upn claim as a fallback in Enrich & Refresh Only when `email` claim is missing, fallback to `upn` claim which may have it. 2021-06-23 03:50:47 +02:00			`})`

			`Describe("RefreshSession", func() {`
			`It("uses email claim if present", func() {`
			`p.oidcRefreshFunc = func(_ context.Context, s *sessions.SessionState) (bool, error) {`
			`s.Email = "person@company.com"`
			`return true, nil`
			`}`

			`_, err := p.RefreshSession(context.Background(), session)`
			`Expect(err).ToNot(HaveOccurred())`
			`Expect(session.Email).To(Equal("person@company.com"))`
			`})`

			`It("falls back to UPN claim if Email is missing", func() {`
			`p.oidcRefreshFunc = func(_ context.Context, s *sessions.SessionState) (bool, error) {`
			`return true, nil`
			`}`

			`_, err := p.RefreshSession(context.Background(), session)`
			`Expect(err).ToNot(HaveOccurred())`
			`Expect(session.Email).To(Equal("upn@company.com"))`
			`})`
			`})`
			`})`
Added ADFS Provider 2021-06-13 10:00:12 +02:00			`})`