raos 0.0.2

Async Rust implementation of the OAuth 2.1 Authorization Server
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

use crate::test::DEFAULT_TOKEN;
use crate::{
    common::{
        frontend::{OAuthError, OAuthValidationError},
        model::{Client, Grant},
    },
    test::{
        TestEnvironment, DEFAULT_AUTHORIZATION_CODE, DEFAULT_CLIENT_SECRET, DEFAULT_REFRESH_TOKEN,
    },
    token::{RequestedGrantType, TokenRequest},
};
use mockall::predicate::always;

#[tokio::test]
async fn test_refresh_token_enforce_same_scopes() {
    // If refresh tokens are issued, those refresh tokens MUST be bound to the scope and resource servers as consented by the resource owner.
    // When using the refresh_token, the requested scope MUST NOT include any scope not originally granted by the resource owner,
    // and if omitted is treated as equal to the scope originally granted by the resource owner.

    // Arrange
    let mut test = TestEnvironment::new();
    test.default_client();
    test.register_grant(
        DEFAULT_AUTHORIZATION_CODE.to_string(),
        Grant { scope: vec!["some".to_string(), "scopes".to_string()], ..Default::default() },
    );
    let manager = test.build();

    let request = TokenRequest {
        grant_type: RequestedGrantType::RefreshToken {
            refresh_token: DEFAULT_REFRESH_TOKEN.to_string(),
        },
        scope: Some(vec!["some".to_string(), "wrong".to_string()]),
        ..Default::default()
    };

    // Act
    let result = manager.handle_token(request).await;

    // Assert
    assert!(result.is_err(), "result is not Err, result is {:?}", result);
    assert_eq!(
        OAuthError::ValidationFailed(OAuthValidationError::ScopeNotConsented),
        result.unwrap_err()
    );
}

#[tokio::test]
async fn test_refresh_token_confidential_client_requires_authentication() {
    // When using the refresh_token, confidential clients must authenticate with the authorization server.

    // Arrange
    let mut test = TestEnvironment::new();
    test.register_client(
        Client { confidential: true, ..Default::default() },
        DEFAULT_CLIENT_SECRET.to_string(),
    );
    test.default_refresh_token();
    let manager = test.build();

    let request = TokenRequest {
        client_secret: None,
        grant_type: RequestedGrantType::RefreshToken {
            refresh_token: DEFAULT_REFRESH_TOKEN.to_string(),
        },
        ..Default::default()
    };

    // Act
    let result = manager.handle_token(request).await;

    // Assert
    assert!(result.is_err(), "result is not Err, result is {:?}", result);
    assert_eq!(
        OAuthError::ValidationFailed(OAuthValidationError::MissingRequiredParameter(
            "client_secret"
        )),
        result.unwrap_err()
    );
}

#[tokio::test]
async fn test_refresh_token_belongs_to_requesting_client() {
    // When using the refresh_token, the authorization server MUST verify that if client authentication is included in the request,
    // ensure that the refresh token was issued to the authenticated client,
    // OR if a client_id is included in the request, ensure the refresh token was issued to the matching client.

    // Arrange
    let mut test = TestEnvironment::new();
    test.default_client();
    test.register_client(
        Client { client_id: "bad_client".to_string(), ..Default::default() },
        DEFAULT_CLIENT_SECRET.to_string(),
    );
    test.default_refresh_token();
    let manager = test.build();

    let request = TokenRequest {
        client_id: "bad_client".to_string(),
        grant_type: RequestedGrantType::RefreshToken {
            refresh_token: DEFAULT_REFRESH_TOKEN.to_string(),
        },
        ..Default::default()
    };

    // Act
    let result = manager.handle_token(request).await;

    // Assert
    assert!(result.is_err(), "result is not Err, result is {:?}", result);
    assert_eq!(
        OAuthError::ValidationFailed(OAuthValidationError::RefreshTokenClientMismatch),
        result.unwrap_err()
    );
}

#[tokio::test]
async fn test_refresh_token_valid() {
    // Arrange
    let mut test = TestEnvironment::new();
    test.default_client();
    test.default_refresh_token();
    let manager = test.build();

    let request = TokenRequest {
        grant_type: RequestedGrantType::RefreshToken {
            refresh_token: DEFAULT_REFRESH_TOKEN.to_string(),
        },
        ..Default::default()
    };

    // Act
    let result = manager.handle_token(request).await;

    // Assert
    assert!(result.is_ok(), "result is not Ok, result is {:?}", result);
    assert_eq!(DEFAULT_TOKEN, result.unwrap().access_token);
}

#[tokio::test]
async fn test_refresh_token_invalid() {
    // Arrange
    let mut test = TestEnvironment::new();
    test.default_client();
    test.default_refresh_token();
    test.token_provider.expect_exchange_refresh_token().with(always()).returning(|_| Ok(None));
    let manager = test.build();

    let request = TokenRequest {
        grant_type: RequestedGrantType::RefreshToken { refresh_token: "wrong_token".to_string() },
        ..Default::default()
    };

    // Act
    let result = manager.handle_token(request).await;

    // Assert
    assert!(result.is_err(), "result is not Err, result is {:?}", result);
    assert_eq!(
        OAuthError::ValidationFailed(OAuthValidationError::InvalidRefreshToken),
        result.unwrap_err()
    );
}