Code review

Author: acoburn

openid/src/main/java/com/inrupt/client/openid/OpenIdProvider.java

@@ -211,8 +211,10 @@ ErrorResponse tryParseError(final InputStream input) {
     }
 
     private Request tokenRequest(final Metadata metadata, final TokenRequest request) {
-        if (request.getIssuer() != null) {
-            if (!request.getIssuer().equals(metadata.issuer)) {
+        // RFC 9207 describes this behavior as a SHOULD but recognizes use cases that vary;
+        // this would be good to consider when adding broader configuration support to the libraries.
+        if (metadata.authorizationResponseIssParameterSupported) {
+            if (!Objects.equals(request.getIssuer(), metadata.issuer)) {
                 throw new OpenIdException("Issuer mismatch. " +
                         "Please verify that the designated OpenID issuer is correct");
             }

openid/src/main/java/com/inrupt/client/openid/OpenIdSession.java

@@ -142,6 +142,7 @@ public static Session ofClientCredentials(final URI issuer, final String clientI
         return new OpenIdSession(id, dpop, () -> provider.token(TokenRequest.newBuilder()
                 .clientSecret(clientSecret)
                 .authMethod(authMethod)
+                .issuer(issuer)
                 .scopes(config.getScopes().toArray(new String[0]))
                 .build("client_credentials", clientId))
             .thenApply(response -> {
@@ -166,11 +167,13 @@ public static Session ofClientCredentials(final OpenIdProvider provider,
             final OpenIdConfig config) {
         final String id = UUID.randomUUID().toString();
         final DPoP dpop = DPoP.of(config.getProofKeyPairs());
-        return new OpenIdSession(id, dpop, () -> provider.token(TokenRequest.newBuilder()
+        return new OpenIdSession(id, dpop, () -> provider.metadata()
+            .thenCompose(metadata -> provider.token(TokenRequest.newBuilder()
                 .clientSecret(clientSecret)
                 .authMethod(authMethod)
                 .scopes(config.getScopes().toArray(new String[0]))
-                .build("client_credentials", clientId))
+                .issuer(metadata.issuer)
+                .build("client_credentials", clientId)))
             .thenApply(response -> {
                 final JwtClaims claims = parseIdToken(response.idToken, config);
                 return new Credential(response.tokenType, getIssuer(claims), response.idToken,

openid/src/test/java/com/inrupt/client/openid/OpenIdMockHttpService.java

@@ -80,14 +80,14 @@ private void setupMocks() {
                                         "/oauth/oauth20/token",
                                         wireMockServer.baseUrl() + "/oauth/oauth20/token"))));
 
-        wireMockServer.stubFor(post(urlPathMatching("/oauth/oauth20/token"))
+        wireMockServer.stubFor(post(urlPathMatching("/token"))
                     .withHeader("Content-Type", containing("application/x-www-form-urlencoded"))
                     .withRequestBody(containing("myCodeverifier"))
                     .willReturn(aResponse()
                         .withStatus(200)
                         .withHeader("Content-Type", "application/json")
                         .withBody(getTokenResponseJSON())));
-        wireMockServer.stubFor(post(urlPathMatching("/oauth/oauth20/token"))
+        wireMockServer.stubFor(post(urlPathMatching("/token"))
                 .withHeader("Content-Type", containing("application/x-www-form-urlencoded"))
                     .atPriority(1)
                     .withRequestBody(containing("code=none"))
@@ -96,7 +96,7 @@ private void setupMocks() {
                         .withHeader("Content-Type", "application/json")
                         .withBodyFile("token-error.json")));
 
-        wireMockServer.stubFor(post(urlPathMatching("/oauth/oauth20/token"))
+        wireMockServer.stubFor(post(urlPathMatching("/token"))
                 .withHeader("Content-Type", containing("application/x-www-form-urlencoded"))
                     .atPriority(2)
                     .withRequestBody(containing("grant_type=client_credentials"))
@@ -108,7 +108,8 @@ private void setupMocks() {
 
     private String getMetadataJSON() {
         try (final InputStream res = OpenIdMockHttpService.class.getResourceAsStream("/metadata.json")) {
-            return new String(IOUtils.toByteArray(res), UTF_8);
+            return new String(IOUtils.toByteArray(res), UTF_8)
+                .replace("http://example.test", wireMockServer.baseUrl());
         } catch (final IOException ex) {
             throw new UncheckedIOException("Could not read class resource", ex);
         }
@@ -130,9 +131,6 @@ private String getTokenResponseJSON() {
             "}";
     }
 
-
-
-
     public String start() {
         wireMockServer.start();
 

openid/src/test/java/com/inrupt/client/openid/OpenIdProviderTest.java

@@ -25,6 +25,7 @@
 
 import com.inrupt.client.auth.DPoP;
 import com.inrupt.client.openid.TokenRequest.Builder;
+import com.inrupt.client.util.URIBuilder;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -33,8 +34,6 @@
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashMap;
-import java.util.Map;
 import java.util.OptionalInt;
 import java.util.UUID;
 import java.util.concurrent.CompletableFuture;
@@ -49,14 +48,14 @@ class OpenIdProviderTest {
 
     private static OpenIdProvider openIdProvider;
     private static final OpenIdMockHttpService mockHttpService = new OpenIdMockHttpService();
-    private static final Map<String, String> config = new HashMap<>();
     private static final DPoP dpop = DPoP.of();
 
+    private static URI issuer;
 
     @BeforeAll
     static void setup() throws NoSuchAlgorithmException {
-        config.put("openid_uri", mockHttpService.start());
-        openIdProvider = new OpenIdProvider(URI.create(config.get("openid_uri")), dpop);
+        issuer = URI.create(mockHttpService.start());
+        openIdProvider = new OpenIdProvider(issuer, dpop);
     }
 
     @AfterAll
@@ -66,15 +65,16 @@ static void teardown() {
 
     @Test
     void metadataAsyncTest() {
-        assertEquals("http://example.test",
-                openIdProvider.metadata().toCompletableFuture().join().issuer.toString());
-        assertEquals("http://example.test/oauth/jwks",
-                openIdProvider.metadata().toCompletableFuture().join().jwksUri.toString());
+        assertEquals(issuer,
+                openIdProvider.metadata().toCompletableFuture().join().issuer);
+        assertEquals(URIBuilder.newBuilder(issuer).path("jwks").build(),
+                openIdProvider.metadata().toCompletableFuture().join().jwksUri);
     }
 
     @Test
     void unknownMetadata() {
-        final OpenIdProvider provider = new OpenIdProvider(URI.create(config.get("openid_uri") + "/not-found"), dpop);
+        final OpenIdProvider provider = new OpenIdProvider(URIBuilder.newBuilder(issuer).path("not-found").build(),
+                dpop);
         final CompletionException err = assertThrows(CompletionException.class,
                 provider.metadata().toCompletableFuture()::join);
         assertTrue(err.getCause() instanceof OpenIdException);
@@ -90,7 +90,7 @@ void authorizeAsyncTest() {
                 URI.create("myRedirectUri")
             );
         assertEquals(
-            "http://example.test/auth?client_id=myClientId&redirect_uri=myRedirectUri&" +
+            issuer + "/auth?client_id=myClientId&redirect_uri=myRedirectUri&" +
             "response_type=code&code_challenge=myCodeChallenge&code_challenge_method=method",
             openIdProvider.authorize(authReq).toCompletableFuture().join().toString()
         );
@@ -119,7 +119,25 @@ void tokenIssuerMismatch() {
         final TokenRequest tokenReq = TokenRequest.newBuilder()
             .code("someCode")
             .codeVerifier("myCodeverifier")
-            .issuer(URI.create("https://issuer.test"))
+            .issuer(URI.create("https://not.an.issuer.test"))
+            .redirectUri(URI.create("https://example.test/redirectUri"))
+            .build(
+                "authorization_code",
+                "myClientId"
+            );
+
+        final CompletionException ex = assertThrows(CompletionException.class, openIdProvider.token(tokenReq)
+            .toCompletableFuture()::join);
+        assertTrue(ex.getCause() instanceof OpenIdException);
+        final OpenIdException cause = (OpenIdException) ex.getCause();
+        assertTrue(cause.getMessage().contains("Issuer mismatch"));
+    }
+
+    @Test
+    void tokenIssuerMissing() {
+        final TokenRequest tokenReq = TokenRequest.newBuilder()
+            .code("someCode")
+            .codeVerifier("myCodeverifier")
             .redirectUri(URI.create("https://example.test/redirectUri"))
             .build(
                 "authorization_code",
@@ -138,7 +156,7 @@ void tokenIssuerMatch() {
         final TokenRequest tokenReq = TokenRequest.newBuilder()
             .code("someCode")
             .codeVerifier("myCodeverifier")
-            .issuer(URI.create("http://example.test"))
+            .issuer(issuer)
             .redirectUri(URI.create("https://example.test/redirectUri"))
             .build(
                 "authorization_code",
@@ -156,6 +174,7 @@ void tokenNoClientSecretTest() {
         final TokenRequest tokenReq = TokenRequest.newBuilder()
             .code("someCode")
             .codeVerifier("myCodeverifier")
+            .issuer(issuer)
             .redirectUri(URI.create("https://example.test/redirectUri"))
             .build(
                 "authorization_code",
@@ -174,6 +193,7 @@ void tokenWithClientSecretBasicTest() {
             .code("someCode")
             .codeVerifier("myCodeverifier")
             .clientSecret("myClientSecret")
+            .issuer(issuer)
             .authMethod("client_secret_basic")
             .redirectUri(URI.create("https://example.test/redirectUri"))
             .build(
@@ -193,6 +213,7 @@ void tokenWithClientSecretePostTest() {
             .code("someCode")
             .codeVerifier("myCodeverifier")
             .clientSecret("myClientSecret")
+            .issuer(issuer)
             .authMethod("client_secret_post")
             .redirectUri(URI.create("https://example.test/redirectUri"))
             .build(
@@ -211,6 +232,7 @@ void tokenAsyncTest() {
         final TokenRequest tokenReq = TokenRequest.newBuilder()
             .code("someCode")
             .codeVerifier("myCodeverifier")
+            .issuer(issuer)
             .redirectUri(URI.create("https://example.test/redirectUri"))
             .build("authorization_code", "myClientId");
         final TokenResponse token = openIdProvider.token(tokenReq).toCompletableFuture().join();
@@ -224,6 +246,7 @@ void tokenAsyncStatusCodesTest() {
         final TokenRequest tokenReq = TokenRequest.newBuilder()
             .code("none")
             .codeVerifier("none")
+            .issuer(issuer)
             .redirectUri(URI.create("none"))
             .build("authorization_code", "none");
 
@@ -254,7 +277,7 @@ void endSessionAsyncTest() {
             .build();
         final URI uri = openIdProvider.endSession(endReq).toCompletableFuture().join();
         assertEquals(
-            "http://example.test/endSession?" +
+            issuer + "/endSession?" +
             "client_id=myClientId&post_logout_redirect_uri=https://example.test/redirectUri&id_token_hint=&state=solid",
             uri.toString()
         );

openid/src/test/resources/metadata.json

@@ -1,65 +1,29 @@
 {
     "issuer":"http://example.test",
-    "token_endpoint":"/oauth/oauth20/token",
+    "token_endpoint":"http://example.test/token",
     "end_session_endpoint":"http://example.test/endSession",
-    "userinfo_endpoint":"http://example.test/oauth/userinfo",
-    "jwks_uri":"http://example.test/oauth/jwks",
+    "userinfo_endpoint":"http://example.test/userinfo",
+    "jwks_uri":"http://example.test/jwks",
     "authorization_endpoint":"http://example.test/auth",
     "scopes_supported":[
-        "READ",
-        "WRITE",
-        "DELETE",
         "openid",
-        "scope",
         "profile",
-        "email",
-        "address",
-        "phone"
+        "email"
     ],
     "response_types_supported":[
-        "code",
-        "code id_token",
-        "code token",
-        "code id_token token",
-        "token",
-        "id_token",
-        "id_token token"
+        "code"
     ],
     "grant_types_supported":[
         "authorization_code",
-        "implicit",
-        "password",
         "client_credentials",
         "urn:ietf:params:oauth:grant-type:jwt-bearer"
     ],
     "subject_types_supported":[
         "public"
     ],
     "id_token_signing_alg_values_supported":[
-        "HS256",
-        "HS384",
-        "HS512",
         "RS256",
-        "RS384",
-        "RS512",
-        "ES256",
-        "ES384",
-        "ES512",
-        "PS256",
-        "PS384",
-        "PS512"
-    ],
-    "id_token_encryption_alg_values_supported":[
-        "RSA1_5",
-        "RSA-OAEP",
-        "RSA-OAEP-256",
-        "A128KW",
-        "A192KW",
-        "A256KW",
-        "A128GCMKW",
-        "A192GCMKW",
-        "A256GCMKW",
-        "dir"
+        "ES256"
     ],
     "token_endpoint_auth_methods_supported":[
         "client_secret_post",