erik-a-e
diff --git a/‎src/test/kotlin/no/nav/security/mock/oauth2/MockOAuth2ServerTest.kt
Lines changed: 32 additions & 517 deletions b/‎src/test/kotlin/no/nav/security/mock/oauth2/MockOAuth2ServerTest.kt
Lines changed: 32 additions & 517 deletions
diff --git a/‎src/test/kotlin/no/nav/security/mock/oauth2/e2e/JwtBearerGrantIntegrationTest.kt
Lines changed: 5 additions & 7 deletions b/‎src/test/kotlin/no/nav/security/mock/oauth2/e2e/JwtBearerGrantIntegrationTest.kt
Lines changed: 5 additions & 7 deletions
diff --git a/‎src/test/kotlin/no/nav/security/mock/oauth2/e2e/MockOAuth2ServerIntegrationTest.kt
Lines changed: 176 additions & 0 deletions b/‎src/test/kotlin/no/nav/security/mock/oauth2/e2e/MockOAuth2ServerIntegrationTest.kt
Lines changed: 176 additions & 0 deletions
diff --git a/‎src/test/kotlin/no/nav/security/mock/oauth2/e2e/OidcAuthorizationCodeGrantIntegrationTest.kt
Lines changed: 105 additions & 0 deletions b/‎src/test/kotlin/no/nav/security/mock/oauth2/e2e/OidcAuthorizationCodeGrantIntegrationTest.kt
Lines changed: 105 additions & 0 deletions
diff --git a/‎src/test/kotlin/no/nav/security/mock/oauth2/e2e/RefreshTokenGrantIntegrationTest.kt
Lines changed: 14 additions & 7 deletions b/‎src/test/kotlin/no/nav/security/mock/oauth2/e2e/RefreshTokenGrantIntegrationTest.kt
Lines changed: 14 additions & 7 deletions
@@ -10,22 +10,19 @@ import io.kotest.matchers.string.shouldContain
 import no.nav.security.mock.oauth2.testutils.ParsedTokenResponse
 import no.nav.security.mock.oauth2.testutils.audience
 import no.nav.security.mock.oauth2.testutils.claims
+import no.nav.security.mock.oauth2.testutils.client
 import no.nav.security.mock.oauth2.testutils.shouldBeValidFor
 import no.nav.security.mock.oauth2.testutils.subject
 import no.nav.security.mock.oauth2.testutils.toTokenResponse
 import no.nav.security.mock.oauth2.testutils.tokenRequest
 import no.nav.security.mock.oauth2.testutils.verifyWith
 import no.nav.security.mock.oauth2.token.DefaultOAuth2TokenCallback
 import no.nav.security.mock.oauth2.withMockOAuth2Server
-import okhttp3.OkHttpClient
 import org.junit.jupiter.api.Test
 
 class JwtBearerGrantIntegrationTest {
 
-    private val client: OkHttpClient = OkHttpClient()
-        .newBuilder()
-        .followRedirects(false)
-        .build()
+    private val client = client()
 
     @Test
     fun `token request with JwtBearerGrant should exchange assertion with a new token containing many of the same claims`() {
@@ -57,7 +54,8 @@ class JwtBearerGrantIntegrationTest {
             response shouldBeValidFor GrantType.JWT_BEARER
             response.scope shouldContain "scope1"
             response.issuedTokenType shouldBe null
-            response.accessToken!! should verifyWith(issuerId, this)
+            response.accessToken.shouldNotBeNull()
+            response.accessToken should verifyWith(issuerId, this)
             response.accessToken.subject shouldBe initialSubject
             response.accessToken.audience shouldContainExactly listOf("scope1")
             response.accessToken.claims["claim1"] shouldBe "value1"
@@ -66,7 +64,7 @@ class JwtBearerGrantIntegrationTest {
     }
 
     @Test
-    fun `token request with JwtBearerGrant should exchange assertion with a new token with scope specified in assertion claim or request parmas`() {
+    fun `token request with JwtBearerGrant should exchange assertion with a new token with scope specified in assertion claim or request params`() {
         withMockOAuth2Server {
             val initialSubject = "mysub"
             val initialToken = this.issueToken(
 
@@ -0,0 +1,176 @@
+package no.nav.security.mock.oauth2.e2e
+
+import com.nimbusds.jose.jwk.JWKSet
+import com.nimbusds.jwt.SignedJWT
+import com.nimbusds.oauth2.sdk.id.Issuer
+import io.kotest.assertions.asClue
+import io.kotest.matchers.collections.shouldContainExactly
+import io.kotest.matchers.nulls.shouldNotBeNull
+import io.kotest.matchers.shouldBe
+import io.kotest.matchers.string.shouldContain
+import io.kotest.matchers.string.shouldStartWith
+import no.nav.security.mock.oauth2.MockOAuth2Server
+import no.nav.security.mock.oauth2.extensions.verifySignatureAndIssuer
+import no.nav.security.mock.oauth2.http.OAuth2HttpResponse
+import no.nav.security.mock.oauth2.http.WellKnown
+import no.nav.security.mock.oauth2.http.route
+import no.nav.security.mock.oauth2.testutils.audience
+import no.nav.security.mock.oauth2.testutils.claims
+import no.nav.security.mock.oauth2.testutils.client
+import no.nav.security.mock.oauth2.testutils.get
+import no.nav.security.mock.oauth2.testutils.issuer
+import no.nav.security.mock.oauth2.testutils.parse
+import no.nav.security.mock.oauth2.testutils.post
+import no.nav.security.mock.oauth2.testutils.subject
+import no.nav.security.mock.oauth2.testutils.toTokenResponse
+import no.nav.security.mock.oauth2.token.DefaultOAuth2TokenCallback
+import no.nav.security.mock.oauth2.withMockOAuth2Server
+import okhttp3.HttpUrl.Companion.toHttpUrl
+import org.junit.jupiter.api.Test
+import java.time.Duration
+
+class MockOAuth2ServerIntegrationTest {
+    private val client = client()
+
+    @Test
+    fun `server with addtional routes should serve wellknown and additional route`() {
+        val s = MockOAuth2Server(
+            route("/custom") {
+                OAuth2HttpResponse(status = 200, body = "custom route")
+            }
+        ).apply {
+            start()
+        }
+        client.get(s.wellKnownUrl("someissuer")).body?.string() shouldContain s.issuerUrl("someissuer").toString()
+        client.get(s.url("/custom")).body?.string() shouldBe "custom route"
+        client.get(s.url("/someissuer/custom")).body?.string() shouldBe "custom route"
+    }
+
+    @Test
+    fun `server on fixed port should include fixed port in wellknown and issued token`() {
+        val port = 1234
+        val server = MockOAuth2Server()
+        server.start(port = port)
+
+        val issuerUrl = "http://localhost:$port/issuer1"
+        client.get("$issuerUrl/.well-known/openid-configuration".toHttpUrl()).asClue {
+            it.parse<WellKnown>().issuer shouldBe issuerUrl
+            server.issueToken("issuer1").issuer shouldBe issuerUrl
+        }
+
+        server.shutdown()
+    }
+
+    @Test
+    fun `wellknown should include issuer id in urls`() {
+        withMockOAuth2Server {
+            val baseUrl = this.baseUrl().toString().removeSuffix("/")
+            client.get(this.wellKnownUrl("default")).let {
+                it.parse<WellKnown>() urlsShouldStartWith "$baseUrl/default"
+            }
+            client.get(this.wellKnownUrl("foo")).let {
+                it.parse<WellKnown>() urlsShouldStartWith "$baseUrl/foo"
+            }
+            client.get(this.wellKnownUrl("path1/path2/path3")).let {
+                it.parse<WellKnown>() urlsShouldStartWith "$baseUrl/path1/path2/path3"
+            }
+        }
+    }
+
+    @Test
+    fun `token request with enqueued token callback should return claims from tokencallback (with exception of id_token and oidc rules)`() {
+        val server = MockOAuth2Server().apply { start() }
+        server.enqueueCallback(
+            DefaultOAuth2TokenCallback(
+                issuerId = "custom",
+                subject = "yolo",
+                audience = listOf("myaud")
+            )
+        )
+
+        client.post(
+            server.tokenEndpointUrl("custom"),
+            mapOf(
+                "client_id" to "client1",
+                "client_secret" to "secret",
+                "grant_type" to "authorization_code",
+                "scope" to "openid scope1",
+                "redirect_uri" to "http://mycallback",
+                "code" to "1234"
+            )
+        ).toTokenResponse().asClue {
+            it.idToken.shouldNotBeNull()
+            it.idToken.subject shouldBe "yolo"
+            it.idToken.audience shouldBe listOf("client1")
+            it.accessToken.shouldNotBeNull()
+            it.accessToken.subject shouldBe "yolo"
+            it.accessToken.audience shouldBe listOf("myaud")
+        }
+        server.shutdown()
+    }
+
+    @Test
+    fun `issue token directly from server should contain claims from callback and be verifiable with server jwks`() {
+        withMockOAuth2Server {
+            val signedJWT: SignedJWT = this.issueToken(
+                "default",
+                "client1",
+                DefaultOAuth2TokenCallback(
+                    issuerId = "default",
+                    subject = "mysub",
+                    audience = listOf("myaud"),
+                    claims = mapOf("someclaim" to "claimvalue")
+                )
+            )
+            val wellKnown = client.get(this.wellKnownUrl("default")).parse<WellKnown>()
+            val jwks = client.get(wellKnown.jwksUri.toHttpUrl()).body?.let { JWKSet.parse(it.string()) }
+
+            jwks.shouldNotBeNull()
+
+            signedJWT.verifySignatureAndIssuer(Issuer(wellKnown.issuer), jwks).asClue {
+                it.issuer shouldBe wellKnown.issuer
+                it.subject shouldBe "mysub"
+                it.audience shouldContainExactly listOf("myaud")
+                it.claims["someclaim"] shouldBe "claimvalue"
+            }
+        }
+    }
+
+    @Test
+    fun `anyToken should issue token with claims from input and be verifyable by servers keys`() {
+        withMockOAuth2Server {
+            val customIssuer = "https://customissuer".toHttpUrl()
+            val token = this.anyToken(
+                customIssuer,
+                mutableMapOf(
+                    "sub" to "mysub",
+                    "aud" to listOf("myapp"),
+                    "customInt" to 123,
+                    "customList" to listOf(1, 2, 3)
+                ),
+                Duration.ofSeconds(10)
+            )
+
+            val wellKnown = client.get(this.wellKnownUrl("default")).parse<WellKnown>()
+            val jwks = client.get(wellKnown.jwksUri.toHttpUrl()).body?.let { JWKSet.parse(it.string()) }
+
+            jwks.shouldNotBeNull()
+
+            token.verifySignatureAndIssuer(Issuer(customIssuer.toString()), jwks).asClue {
+                it.issuer shouldBe customIssuer.toString()
+                it.subject shouldBe "mysub"
+                it.audience shouldContainExactly listOf("myapp")
+                it.claims["customInt"] shouldBe 123
+                it.claims["customList"] to listOf(1, 2, 3)
+            }
+        }
+    }
+
+    private infix fun WellKnown.urlsShouldStartWith(url: String) {
+        issuer shouldStartWith url
+        authorizationEndpoint shouldStartWith url
+        tokenEndpoint shouldStartWith url
+        jwksUri shouldStartWith url
+        endSessionEndpoint shouldStartWith url
+    }
+}
@@ -0,0 +1,105 @@
+package no.nav.security.mock.oauth2.e2e
+
+import io.kotest.assertions.asClue
+import io.kotest.matchers.collections.shouldContainExactly
+import io.kotest.matchers.ints.shouldBeGreaterThan
+import io.kotest.matchers.nulls.shouldNotBeNull
+import io.kotest.matchers.shouldBe
+import io.kotest.matchers.shouldNotBe
+import io.kotest.matchers.string.shouldStartWith
+import no.nav.security.mock.oauth2.MockOAuth2Server
+import no.nav.security.mock.oauth2.OAuth2Config
+import no.nav.security.mock.oauth2.testutils.audience
+import no.nav.security.mock.oauth2.testutils.authenticationRequest
+import no.nav.security.mock.oauth2.testutils.client
+import no.nav.security.mock.oauth2.testutils.get
+import no.nav.security.mock.oauth2.testutils.post
+import no.nav.security.mock.oauth2.testutils.subject
+import no.nav.security.mock.oauth2.testutils.toTokenResponse
+import no.nav.security.mock.oauth2.testutils.tokenRequest
+import okhttp3.HttpUrl.Companion.toHttpUrl
+import org.junit.jupiter.api.Test
+
+class OidcAuthorizationCodeGrantIntegrationTest {
+
+    private val server = MockOAuth2Server().apply { start() }
+    private val client = client()
+
+    @Test
+    fun `authentication request should return 302 with redirectUri as location and query params state and code`() {
+
+        client.get(
+            server.authorizationEndpointUrl("default").authenticationRequest(redirectUri = "http://mycallback", state = "mystate")
+        ).asClue { response ->
+            response.code shouldBe 302
+            response.headers["location"]?.toHttpUrl().asClue {
+                it.toString() shouldStartWith "http://mycallback"
+                it?.queryParameterNames shouldContainExactly setOf("code", "state")
+                it?.queryParameter("state") shouldBe "mystate"
+            }
+        }
+    }
+
+    @Test
+    fun `complete authorization code flow should return tokens according to spec`() {
+        val code = client.get(server.authorizationEndpointUrl("default").authenticationRequest()).let { authResponse ->
+            authResponse.headers["location"]?.toHttpUrl()?.queryParameter("code")
+        }
+
+        code.shouldNotBeNull()
+
+        client.tokenRequest(
+            server.tokenEndpointUrl("default"),
+            mapOf(
+                "client_id" to "client1",
+                "client_secret" to "secret",
+                "grant_type" to "authorization_code",
+                "scope" to "openid scope1",
+                "redirect_uri" to "http://mycallback",
+                "code" to code
+            )
+        ).toTokenResponse().asClue {
+            it.accessToken shouldNotBe null
+            it.idToken shouldNotBe null
+            it.expiresIn shouldBeGreaterThan 0
+            it.scope shouldBe "openid scope1"
+            it.idToken?.audience shouldContainExactly listOf("client1")
+            it.accessToken?.audience shouldContainExactly listOf("scope1")
+        }
+    }
+
+    @Test
+    fun `complete authorization code flow with interactivelogin enable should return tokens with sub=username posted to login`() {
+        val server = MockOAuth2Server(OAuth2Config(interactiveLogin = true)).apply { start() }
+        // simulate user interaction by doing the auth request as a post (instead of get with user punching username/pwd and submitting form)
+        val code = client.post(
+            server.authorizationEndpointUrl("default").authenticationRequest(),
+            mapOf("username" to "foo")
+        ).let { authResponse ->
+            authResponse.headers["location"]?.toHttpUrl()?.queryParameter("code")
+        }
+
+        code.shouldNotBeNull()
+
+        client.tokenRequest(
+            server.tokenEndpointUrl("default"),
+            mapOf(
+                "client_id" to "client1",
+                "client_secret" to "secret",
+                "grant_type" to "authorization_code",
+                "scope" to "openid scope1",
+                "redirect_uri" to "http://mycallback",
+                "code" to code
+            )
+        ).toTokenResponse().asClue {
+            it.accessToken shouldNotBe null
+            it.idToken shouldNotBe null
+            it.expiresIn shouldBeGreaterThan 0
+            it.scope shouldBe "openid scope1"
+            it.idToken?.audience shouldContainExactly listOf("client1")
+            it.accessToken?.audience shouldContainExactly listOf("scope1")
+            it.idToken?.subject shouldBe "foo"
+        }
+        server.shutdown()
+    }
+}
@@ -1,27 +1,27 @@
 package no.nav.security.mock.oauth2.e2e
 
 import com.nimbusds.oauth2.sdk.GrantType
+import io.kotest.matchers.nulls.shouldNotBeNull
 import io.kotest.matchers.should
 import io.kotest.matchers.shouldBe
 import io.kotest.matchers.shouldNotBe
 import no.nav.security.mock.oauth2.testutils.audience
 import no.nav.security.mock.oauth2.testutils.authenticationRequest
-import no.nav.security.mock.oauth2.testutils.authorizationCode
+import no.nav.security.mock.oauth2.testutils.client
+import no.nav.security.mock.oauth2.testutils.post
 import no.nav.security.mock.oauth2.testutils.shouldBeValidFor
 import no.nav.security.mock.oauth2.testutils.subject
 import no.nav.security.mock.oauth2.testutils.toTokenResponse
 import no.nav.security.mock.oauth2.testutils.tokenRequest
 import no.nav.security.mock.oauth2.testutils.verifyWith
 import no.nav.security.mock.oauth2.token.DefaultOAuth2TokenCallback
 import no.nav.security.mock.oauth2.withMockOAuth2Server
+import okhttp3.HttpUrl.Companion.toHttpUrl
 import okhttp3.OkHttpClient
 import org.junit.jupiter.api.Test
 
 class RefreshTokenGrantIntegrationTest {
-    private val client: OkHttpClient = OkHttpClient()
-        .newBuilder()
-        .followRedirects(false)
-        .build()
+    private val client: OkHttpClient = client()
 
     @Test
     fun `token request with refresh_token grant should return id_token and access_token with same subject as authorization code grant`() {
@@ -30,8 +30,15 @@ class RefreshTokenGrantIntegrationTest {
             val issuerId = "idprovider"
 
             // Authenticate using Authorization Code Flow
-            val codeResponse = client.authenticationRequest(this.authorizationEndpointUrl(issuerId), initialSubject)
-            val authorizationCode = checkNotNull(codeResponse.authorizationCode)
+            // simulate user interaction by doing the auth request as a post (instead of get with user punching username/pwd and submitting form)
+            val authorizationCode = client.post(
+                this.authorizationEndpointUrl("default").authenticationRequest(),
+                mapOf("username" to initialSubject)
+            ).let { authResponse ->
+                authResponse.headers["location"]?.toHttpUrl()?.queryParameter("code")
+            }
+
+            authorizationCode.shouldNotBeNull()
 
             // Token Request based on authorization code
             val tokenResponseBeforeRefresh = client.tokenRequest(