MCPcopy Index your code
hub / github.com/coder/coder / TestOAuth2ProviderCrossResourceAudienceValidation

Function TestOAuth2ProviderCrossResourceAudienceValidation

coderd/oauth2_test.go:1121–1227  ·  view source on GitHub ↗

TestOAuth2ProviderCrossResourceAudienceValidation tests that tokens are properly validated against the audience/resource server they were issued for.

(t *testing.T)

Source from the content-addressed store, hash-verified

1119// TestOAuth2ProviderCrossResourceAudienceValidation tests that tokens are properly
1120// validated against the audience/resource server they were issued for.
1121func TestOAuth2ProviderCrossResourceAudienceValidation(t *testing.T) {
1122 t.Parallel()
1123
1124 db, pubsub := dbtestutil.NewDB(t)
1125
1126 // Set up first Coder instance (resource server 1)
1127 server1 := coderdtest.New(t, &coderdtest.Options{
1128 Database: db,
1129 Pubsub: pubsub,
1130 })
1131 owner := coderdtest.CreateFirstUser(t, server1)
1132
1133 // Set up second Coder instance (resource server 2) - simulate different host
1134 server2 := coderdtest.New(t, &coderdtest.Options{
1135 Database: db,
1136 Pubsub: pubsub,
1137 })
1138
1139 ctx := testutil.Context(t, testutil.WaitLong)
1140
1141 // Create OAuth2 app
1142 apps := generateApps(ctx, t, server1, "cross-resource")
1143
1144 //nolint:gocritic // OAauth2 app management requires owner permission.
1145 secret, err := server1.PostOAuth2ProviderAppSecret(ctx, apps.Default.ID)
1146 require.NoError(t, err)
1147 userClient, user := coderdtest.CreateAnotherUser(t, server1, owner.OrganizationID)
1148
1149 // Get token with specific audience for server1
1150 resource1 := server1.URL.String()
1151 cfg := &oauth2.Config{
1152 ClientID: apps.Default.ID.String(),
1153 ClientSecret: secret.ClientSecretFull,
1154 Endpoint: oauth2.Endpoint{
1155 AuthURL: apps.Default.Endpoints.Authorization,
1156 TokenURL: apps.Default.Endpoints.Token,
1157 AuthStyle: oauth2.AuthStyleInParams,
1158 },
1159 RedirectURL: apps.Default.CallbackURL,
1160 Scopes: []string{},
1161 }
1162
1163 // Authorization with resource parameter for server1 and PKCE.
1164 state := uuid.NewString()
1165 verifier, challenge := generatePKCE()
1166 authURL := cfg.AuthCodeURL(state,
1167 oauth2.SetAuthURLParam("code_challenge", challenge),
1168 oauth2.SetAuthURLParam("code_challenge_method", "S256"),
1169 )
1170 parsedURL, err := url.Parse(authURL)
1171 require.NoError(t, err)
1172 query := parsedURL.Query()
1173 query.Set("resource", resource1)
1174 parsedURL.RawQuery = query.Encode()
1175 authURL = parsedURL.String()
1176
1177 code, err := oidctest.OAuth2GetCode(
1178 authURL,

Callers

nothing calls this directly

Calls 15

AuthCodeURLMethod · 0.95
ExchangeMethod · 0.95
NewDBFunction · 0.92
NewFunction · 0.92
CreateFirstUserFunction · 0.92
ContextFunction · 0.92
CreateAnotherUserFunction · 0.92
OAuth2GetCodeFunction · 0.92
NewFunction · 0.92
generatePKCEFunction · 0.85
EncodeMethod · 0.80

Tested by

no test coverage detected