openid-client 0.2.7

OpenID client for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127

use crate::{
    issuer::Issuer,
    tokenset::{TokenSet, TokenSetParams},
    types::{ClientMetadata, IssuerMetadata},
};

#[test]
fn to_decrypt_tokenset_id_token_it_must_have_one() {
    let issuer = Issuer::new(IssuerMetadata::default());

    let client_metadata = ClientMetadata {
        client_id: Some("identifier".to_string()),
        id_token_encrypted_response_alg: Some("RSA-OAEP".to_string()),
        ..Default::default()
    };

    let client = issuer.client(client_metadata, None, None, None).unwrap();

    let err = client.decrypt_id_token(TokenSet::default()).unwrap_err();

    assert!(err.is_type_error());

    assert_eq!(
        "id_token not present in TokenSet",
        err.type_error().error.message
    );
}

#[test]
fn verifies_the_id_token_using_the_right_alg() {
    let issuer = Issuer::new(IssuerMetadata::default());

    let client_metadata = ClientMetadata {
        client_id: Some("identifier".to_string()),
        id_token_encrypted_response_alg: Some("RSA-OAEP".to_string()),
        ..Default::default()
    };

    let client = issuer.client(client_metadata, None, None, None).unwrap();

    let header = base64_url::encode(r#"{"alg":"RSA1_5","enc":"A128CBC-HS256"}"#);

    let id_token = format!("{}....", header);

    let token_set_params = TokenSetParams {
        id_token: Some(id_token),
        ..Default::default()
    };

    let err = client
        .decrypt_id_token(TokenSet::new(token_set_params))
        .unwrap_err();

    assert!(err.is_rp_error());

    assert_eq!(
        "unexpected JWE alg received, expected RSA-OAEP, got: RSA1_5",
        err.rp_error().error.message
    );
}

#[test]
fn verifies_the_id_token_is_using_the_right_enc_explicit() {
    let issuer = Issuer::new(IssuerMetadata::default());

    let client_metadata = ClientMetadata {
        client_id: Some("identifier".to_string()),
        id_token_encrypted_response_alg: Some("RSA-OAEP".to_string()),
        id_token_encrypted_response_enc: Some("A128CBC-HS256".to_string()),
        ..Default::default()
    };

    let client = issuer.client(client_metadata, None, None, None).unwrap();

    let header = base64_url::encode(r#"{"alg":"RSA-OAEP","enc":"A128GCM"}"#);

    let id_token = format!("{}....", header);

    let token_set_params = TokenSetParams {
        id_token: Some(id_token),
        ..Default::default()
    };

    let err = client
        .decrypt_id_token(TokenSet::new(token_set_params))
        .unwrap_err();

    assert!(err.is_rp_error());

    assert_eq!(
        "unexpected JWE enc received, expected A128CBC-HS256, got: A128GCM",
        err.rp_error().error.message
    );
}

#[test]
fn verifies_the_id_token_is_using_the_right_enc_default_to() {
    let issuer = Issuer::new(IssuerMetadata::default());

    let client_metadata = ClientMetadata {
        client_id: Some("identifier".to_string()),
        id_token_encrypted_response_alg: Some("RSA-OAEP".to_string()),
        ..Default::default()
    };

    let client = issuer.client(client_metadata, None, None, None).unwrap();

    let header = base64_url::encode(r#"{"alg":"RSA-OAEP","enc":"A128GCM"}"#);

    let id_token = format!("{}....", header);

    let token_set_params = TokenSetParams {
        id_token: Some(id_token),
        ..Default::default()
    };

    let err = client
        .decrypt_id_token(TokenSet::new(token_set_params))
        .unwrap_err();

    assert!(err.is_rp_error());

    assert_eq!(
        "unexpected JWE enc received, expected A128CBC-HS256, got: A128GCM",
        err.rp_error().error.message
    );
}