TestIDPIssuerMismatch emulates a situation where the IDP issuer url does not match the one in the well-known config and claims. This can happen in some edge cases and in some azure configurations. This test just makes sure a fake IDP can set up this scenario.
(t *testing.T)
| 74 | // |
| 75 | // This test just makes sure a fake IDP can set up this scenario. |
| 76 | func TestIDPIssuerMismatch(t *testing.T) { |
| 77 | t.Parallel() |
| 78 | |
| 79 | const proxyURL = "https://proxy.com" |
| 80 | const primaryURL = "https://primary.com" |
| 81 | |
| 82 | fake := oidctest.NewFakeIDP(t, |
| 83 | oidctest.WithIssuer(proxyURL), |
| 84 | oidctest.WithDefaultIDClaims(jwt.MapClaims{ |
| 85 | "iss": primaryURL, |
| 86 | }), |
| 87 | oidctest.WithHookWellKnown(func(r *http.Request, j *oidctest.ProviderJSON) error { |
| 88 | // host should be proxy.com, but we return the primaryURL |
| 89 | if r.Host != "proxy.com" { |
| 90 | return xerrors.Errorf("unexpected host: %s", r.Host) |
| 91 | } |
| 92 | j.Issuer = primaryURL |
| 93 | return nil |
| 94 | }), |
| 95 | oidctest.WithLogging(t, nil), |
| 96 | ) |
| 97 | |
| 98 | ctx := testutil.Context(t, testutil.WaitMedium) |
| 99 | // Do not use real network requests |
| 100 | cli := fake.HTTPClient(nil) |
| 101 | ctx = oidc.ClientContext(ctx, cli) |
| 102 | |
| 103 | // Allow the issuer mismatch |
| 104 | verifierContext := oidc.InsecureIssuerURLContext(ctx, "this field does not matter") |
| 105 | p, err := oidc.NewProvider(verifierContext, "https://proxy.com") |
| 106 | require.NoError(t, err, "failed to create OIDC provider") |
| 107 | |
| 108 | oauthConfig := fake.OauthConfig(t, nil) |
| 109 | cfg := &coderd.OIDCConfig{ |
| 110 | OAuth2Config: oauthConfig, |
| 111 | Provider: p, |
| 112 | Verifier: oidc.NewVerifier(fake.WellknownConfig().Issuer, &oidc.StaticKeySet{ |
| 113 | PublicKeys: []crypto.PublicKey{fake.PublicKey()}, |
| 114 | }, &oidc.Config{ |
| 115 | SkipIssuerCheck: true, |
| 116 | ClientID: oauthConfig.ClientID, |
| 117 | SupportedSigningAlgs: []string{ |
| 118 | "RS256", |
| 119 | }, |
| 120 | }), |
| 121 | UsernameField: "preferred_username", |
| 122 | EmailField: "email", |
| 123 | AuthURLParams: map[string]string{"access_type": "offline"}, |
| 124 | } |
| 125 | |
| 126 | const expectedState = "random-state" |
| 127 | var token *oauth2.Token |
| 128 | |
| 129 | fake.SetCoderdCallbackHandler(func(w http.ResponseWriter, r *http.Request) { |
| 130 | // Emulate OIDC flow |
| 131 | code := r.URL.Query().Get("code") |
| 132 | state := r.URL.Query().Get("state") |
| 133 | assert.Equal(t, expectedState, state, "state mismatch") |
nothing calls this directly
no test coverage detected