raos 0.0.2

Async Rust implementation of the OAuth 2.1 Authorization Server
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189

use crate::{
    common::{
        frontend::{OAuthError, OAuthValidationError},
        model::{Client, CodeChallenge, Grant},
    },
    test::{
        TestEnvironment, DEFAULT_AUTHORIZATION_CODE, DEFAULT_CLIENT_SECRET, DEFAULT_CODE_VERIFIER,
        DEFAULT_REDIRECT_URI,
    },
    token::{RequestedGrantType, TokenRequest},
};

#[tokio::test]
async fn test_only_accept_code_challenge_if_originally_present() {
    // The authorization server MUST verify that the code_verifier parameter is present if and only if a code_challenge parameter was present in the authorization request.

    // Arrange
    let mut test = TestEnvironment::new();
    test.register_client(
        Client { confidential: true, ..Default::default() },
        DEFAULT_CLIENT_SECRET.to_string(),
    );
    test.register_grant(
        DEFAULT_AUTHORIZATION_CODE.to_string(),
        Grant { code_challenge: CodeChallenge::None, ..Default::default() },
    );
    let manager = test.build();

    let request = TokenRequest {
        grant_type: RequestedGrantType::AuthorizationCode {
            code: DEFAULT_AUTHORIZATION_CODE.to_string(),
            code_verifier: DEFAULT_CODE_VERIFIER.to_string(),
        },
        ..Default::default()
    };

    // Act
    let result = manager.validate_token_request(request).await;

    // Assert
    assert!(result.is_err(), "result is not Err, result is {:?}", result);
    assert_eq!(
        OAuthError::ValidationFailed(OAuthValidationError::InvalidCodeVerifier),
        result.unwrap_err()
    );
}

#[tokio::test]
async fn test_client_credentials_only_allowed_by_confidential_clients() {
    // The client credentials grant type MUST only be used by confidential clients.

    // Arrange
    let mut test = TestEnvironment::new();
    test.register_client(
        Client {
            client_id: "confidential_client".to_string(),
            confidential: true,
            ..Default::default()
        },
        DEFAULT_CLIENT_SECRET.to_string(),
    );
    test.register_client(
        Client {
            client_id: "regular_client".to_string(),
            confidential: false,
            ..Default::default()
        },
        DEFAULT_CLIENT_SECRET.to_string(),
    );
    let manager = test.build();

    let confidential_request = TokenRequest {
        client_id: "confidential_client".to_string(),
        grant_type: RequestedGrantType::ClientCredentials,
        ..Default::default()
    };
    let regular_request = TokenRequest {
        client_id: "regular_client".to_string(),
        grant_type: RequestedGrantType::ClientCredentials,
        ..Default::default()
    };

    // Act
    let confidential_result = manager.validate_token_request(confidential_request).await;
    let regular_result = manager.validate_token_request(regular_request).await;

    // Assert
    assert!(confidential_result.is_ok(), "result is not Ok, result is {:?}", confidential_result);
    assert!(regular_result.is_err(), "result is not Err, result is {:?}", regular_result);
    assert_eq!(
        OAuthError::ValidationFailed(OAuthValidationError::ClientNotAllowedToUseGrantType {
            requested: "client_credentials"
        }),
        regular_result.unwrap_err()
    );
}

#[tokio::test]
async fn test_authorization_code_belongs_to_authorized_client() {
    // The authorization server MUST ensure that the authorization code was issued to the authenticated confidential client,
    // or if the client is public, ensure that the code was issued to client_id in the request.

    // Arrange
    let mut test = TestEnvironment::new();
    test.default_client();
    test.register_client(
        Client { client_id: "bad_client".to_string(), ..Default::default() },
        DEFAULT_CLIENT_SECRET.to_string(),
    );
    test.default_grant();
    let manager = test.build();

    let request = TokenRequest { client_id: "bad_client".to_string(), ..Default::default() };

    // Act
    let result = manager.validate_token_request(request).await;

    // Assert
    assert!(result.is_err(), "result is not Err, result is {:?}", result);
    assert_eq!(
        OAuthError::ValidationFailed(OAuthValidationError::AuthorizationCodeClientMismatch),
        result.unwrap_err()
    );
}

#[tokio::test]
async fn test_token_request_that_includes_redirect_uri_should_have_it_validated() {
    // For backwards compatibility of an authorization server wishing to support both OAuth 2.0 and OAuth 2.1 clients,
    // the authorization server MUST allow clients to send the redirect_uri parameter in the token request,
    // and MUST enforce the parameter.

    // Arrange
    let mut test = TestEnvironment::new();
    test.default_client();
    test.default_grant();
    let manager = test.build();

    let request = TokenRequest {
        redirect_uri: Some("https://example.com/wrong_uri".to_string()),
        ..Default::default()
    };

    // Act
    let result = manager.validate_token_request(request).await;

    // Assert
    assert!(result.is_err(), "result is not Err, result is {:?}", result);
    assert_eq!(
        OAuthError::ValidationFailed(OAuthValidationError::UnknownRedirectUri),
        result.unwrap_err()
    );
}

#[tokio::test]
async fn test_token_request_that_includes_redirect_uri_should_be_the_same_as_the_original() {
    // For backwards compatibility of an authorization server wishing to support both OAuth 2.0 and OAuth 2.1 clients,
    // the authorization server MUST allow clients to send the redirect_uri parameter in the token request,
    // and MUST enforce the parameter.

    // Arrange
    let mut test = TestEnvironment::new();
    test.register_client(
        Client {
            redirect_uris: vec![
                DEFAULT_REDIRECT_URI.to_string(),
                "https://example.com/another".to_string(),
            ],
            ..Default::default()
        },
        DEFAULT_CLIENT_SECRET.to_string(),
    );
    test.default_grant(); // Uses DEFAULT_REDIRECT_URI
    let manager = test.build();

    let request = TokenRequest {
        redirect_uri: Some("https://example.com/another".to_string()),
        ..Default::default()
    };

    // Act
    let result = manager.validate_token_request(request).await;

    // Assert
    assert!(result.is_err(), "result is not Err, result is {:?}", result);
    assert_eq!(
        OAuthError::ValidationFailed(OAuthValidationError::InvalidRedirectUri),
        result.unwrap_err()
    );
}