TestConstantQueryParams verifies a constant query parameter can be set in the "authenticate" url for external auth applications, and it will be carried forward to actual auth requests. This unit test was specifically created for Auth0 which can set an audience query parameter in it's /authorize endp
(t *testing.T)
| 1359 | // This unit test was specifically created for Auth0 which can set an |
| 1360 | // audience query parameter in it's /authorize endpoint. |
| 1361 | func TestConstantQueryParams(t *testing.T) { |
| 1362 | t.Parallel() |
| 1363 | const constantQueryParamKey = "audience" |
| 1364 | const constantQueryParamValue = "foobar" |
| 1365 | constantQueryParam := fmt.Sprintf("%s=%s", constantQueryParamKey, constantQueryParamValue) |
| 1366 | fake, config, _ := setupOauth2Test(t, testConfig{ |
| 1367 | FakeIDPOpts: []oidctest.FakeIDPOpt{ |
| 1368 | oidctest.WithMiddlewares(func(next http.Handler) http.Handler { |
| 1369 | return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) { |
| 1370 | if strings.Contains(request.URL.Path, "authorize") { |
| 1371 | // Assert has the audience query param |
| 1372 | assert.Equal(t, request.URL.Query().Get(constantQueryParamKey), constantQueryParamValue) |
| 1373 | } |
| 1374 | next.ServeHTTP(writer, request) |
| 1375 | }) |
| 1376 | }), |
| 1377 | }, |
| 1378 | CoderOIDCConfigOpts: []func(cfg *coderd.OIDCConfig){ |
| 1379 | func(cfg *coderd.OIDCConfig) { |
| 1380 | // Include a constant query parameter. |
| 1381 | authURL, err := url.Parse(cfg.OAuth2Config.(*oauth2.Config).Endpoint.AuthURL) |
| 1382 | require.NoError(t, err) |
| 1383 | |
| 1384 | authURL.RawQuery = url.Values{constantQueryParamKey: []string{constantQueryParamValue}}.Encode() |
| 1385 | cfg.OAuth2Config.(*oauth2.Config).Endpoint.AuthURL = authURL.String() |
| 1386 | require.Contains(t, cfg.OAuth2Config.(*oauth2.Config).Endpoint.AuthURL, constantQueryParam) |
| 1387 | cfg.PKCEMethods = []promoauth.Oauth2PKCEChallengeMethod{promoauth.PKCEChallengeMethodSha256} |
| 1388 | }, |
| 1389 | }, |
| 1390 | }) |
| 1391 | |
| 1392 | callbackCalled := false |
| 1393 | fake.SetCoderdCallbackHandler(func(writer http.ResponseWriter, request *http.Request) { |
| 1394 | // Just record the callback was hit, and the auth succeeded. |
| 1395 | callbackCalled = true |
| 1396 | }) |
| 1397 | |
| 1398 | // Verify the AuthURL endpoint contains the constant query parameter and is a valid URL. |
| 1399 | // It should look something like: |
| 1400 | // http://127.0.0.1:<port>>/oauth2/authorize? |
| 1401 | // audience=foobar& |
| 1402 | // client_id=d<uuid>& |
| 1403 | // redirect_uri=<redirect>& |
| 1404 | // response_type=code& |
| 1405 | // scope=openid+email+profile& |
| 1406 | // state=state |
| 1407 | const state = "state" |
| 1408 | rawAuthURL := config.AuthCodeURL(state) |
| 1409 | // Parsing the url is not perfect. It allows imperfections like the query |
| 1410 | // params having 2 question marks '?a=foo?b=bar'. |
| 1411 | // So use it to validate, then verify the raw url is as expected. |
| 1412 | authURL, err := url.Parse(rawAuthURL) |
| 1413 | require.NoError(t, err) |
| 1414 | require.Equal(t, authURL.Query().Get(constantQueryParamKey), constantQueryParamValue) |
| 1415 | // We are not using a real server, so it fakes https://coder.com |
| 1416 | require.Equal(t, authURL.Scheme, "https") |
| 1417 | // Validate the raw URL. |
| 1418 | // Double check only 1 '?' exists. Url parsing allows multiple '?' in the query string. |
nothing calls this directly
no test coverage detected