| 53 | } |
| 54 | |
| 55 | func TestOAuth2ProtectedResourceMetadata(t *testing.T) { |
| 56 | t.Parallel() |
| 57 | |
| 58 | client := coderdtest.New(t, nil) |
| 59 | serverURL := client.URL |
| 60 | |
| 61 | ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong) |
| 62 | defer cancel() |
| 63 | |
| 64 | // Use a plain HTTP client since this endpoint doesn't require authentication |
| 65 | endpoint := serverURL.ResolveReference(&url.URL{Path: "/.well-known/oauth-protected-resource"}).String() |
| 66 | req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil) |
| 67 | require.NoError(t, err) |
| 68 | |
| 69 | httpClient := &http.Client{} |
| 70 | resp, err := httpClient.Do(req) |
| 71 | require.NoError(t, err) |
| 72 | defer resp.Body.Close() |
| 73 | |
| 74 | require.Equal(t, http.StatusOK, resp.StatusCode) |
| 75 | |
| 76 | var metadata codersdk.OAuth2ProtectedResourceMetadata |
| 77 | err = json.NewDecoder(resp.Body).Decode(&metadata) |
| 78 | require.NoError(t, err) |
| 79 | |
| 80 | // Verify the metadata |
| 81 | require.NotEmpty(t, metadata.Resource) |
| 82 | require.NotEmpty(t, metadata.AuthorizationServers) |
| 83 | require.Len(t, metadata.AuthorizationServers, 1) |
| 84 | require.Equal(t, metadata.Resource, metadata.AuthorizationServers[0]) |
| 85 | // RFC 6750 bearer tokens are now supported as fallback methods |
| 86 | require.Contains(t, metadata.BearerMethodsSupported, "header") |
| 87 | require.Contains(t, metadata.BearerMethodsSupported, "query") |
| 88 | // Supported scopes are published from the curated catalog |
| 89 | require.Equal(t, rbac.ExternalScopeNames(), metadata.ScopesSupported) |
| 90 | } |