TestOAuth2ProviderCrossResourceAudienceValidation tests that tokens are properly validated against the audience/resource server they were issued for.
(t *testing.T)
| 1119 | // TestOAuth2ProviderCrossResourceAudienceValidation tests that tokens are properly |
| 1120 | // validated against the audience/resource server they were issued for. |
| 1121 | func TestOAuth2ProviderCrossResourceAudienceValidation(t *testing.T) { |
| 1122 | t.Parallel() |
| 1123 | |
| 1124 | db, pubsub := dbtestutil.NewDB(t) |
| 1125 | |
| 1126 | // Set up first Coder instance (resource server 1) |
| 1127 | server1 := coderdtest.New(t, &coderdtest.Options{ |
| 1128 | Database: db, |
| 1129 | Pubsub: pubsub, |
| 1130 | }) |
| 1131 | owner := coderdtest.CreateFirstUser(t, server1) |
| 1132 | |
| 1133 | // Set up second Coder instance (resource server 2) - simulate different host |
| 1134 | server2 := coderdtest.New(t, &coderdtest.Options{ |
| 1135 | Database: db, |
| 1136 | Pubsub: pubsub, |
| 1137 | }) |
| 1138 | |
| 1139 | ctx := testutil.Context(t, testutil.WaitLong) |
| 1140 | |
| 1141 | // Create OAuth2 app |
| 1142 | apps := generateApps(ctx, t, server1, "cross-resource") |
| 1143 | |
| 1144 | //nolint:gocritic // OAauth2 app management requires owner permission. |
| 1145 | secret, err := server1.PostOAuth2ProviderAppSecret(ctx, apps.Default.ID) |
| 1146 | require.NoError(t, err) |
| 1147 | userClient, user := coderdtest.CreateAnotherUser(t, server1, owner.OrganizationID) |
| 1148 | |
| 1149 | // Get token with specific audience for server1 |
| 1150 | resource1 := server1.URL.String() |
| 1151 | cfg := &oauth2.Config{ |
| 1152 | ClientID: apps.Default.ID.String(), |
| 1153 | ClientSecret: secret.ClientSecretFull, |
| 1154 | Endpoint: oauth2.Endpoint{ |
| 1155 | AuthURL: apps.Default.Endpoints.Authorization, |
| 1156 | TokenURL: apps.Default.Endpoints.Token, |
| 1157 | AuthStyle: oauth2.AuthStyleInParams, |
| 1158 | }, |
| 1159 | RedirectURL: apps.Default.CallbackURL, |
| 1160 | Scopes: []string{}, |
| 1161 | } |
| 1162 | |
| 1163 | // Authorization with resource parameter for server1 and PKCE. |
| 1164 | state := uuid.NewString() |
| 1165 | verifier, challenge := generatePKCE() |
| 1166 | authURL := cfg.AuthCodeURL(state, |
| 1167 | oauth2.SetAuthURLParam("code_challenge", challenge), |
| 1168 | oauth2.SetAuthURLParam("code_challenge_method", "S256"), |
| 1169 | ) |
| 1170 | parsedURL, err := url.Parse(authURL) |
| 1171 | require.NoError(t, err) |
| 1172 | query := parsedURL.Query() |
| 1173 | query.Set("resource", resource1) |
| 1174 | parsedURL.RawQuery = query.Encode() |
| 1175 | authURL = parsedURL.String() |
| 1176 | |
| 1177 | code, err := oidctest.OAuth2GetCode( |
| 1178 | authURL, |
nothing calls this directly
no test coverage detected