+ public function test_auth_login_with_autodiscovery_with_keys_that_do_not_have_use_property()
+ {
+ // Based on reading the OIDC discovery spec:
+ // > This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also
+ // > contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When
+ // > both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all
+ // > keys in the referenced JWK Set to indicate each key's intended usage.
+ // We can assume that keys without use are intended for signing.
+ $this->withAutodiscovery();
+
+ $keyArray = OidcJwtHelper::publicJwkKeyArray();
+ unset($keyArray['use']);
+
+ $this->mockHttpClient([
+ $this->getAutoDiscoveryResponse(),
+ new Response(200, [
+ 'Content-Type' => 'application/json',
+ 'Cache-Control' => 'no-cache, no-store',
+ 'Pragma' => 'no-cache',
+ ], json_encode([
+ 'keys' => [
+ $keyArray,
+ ],
+ ])),
+ ]);
+
+ $this->assertFalse(auth()->check());
+ $this->runLogin();
+ $this->assertTrue(auth()->check());
+ }
+
+ public function test_auth_uses_configured_external_id_claim_option()
+ {
+ config()->set([
+ 'oidc.external_id_claim' => 'super_awesome_id',
+ ]);
+
+ $resp = $this->runLogin([
+ 'sub' => 'benny1010101',
+ 'super_awesome_id' => 'xXBennyTheGeezXx',
+ ]);
+ $resp->assertRedirect('/');
+
+ /** @var User $user */
+ $this->assertEquals('xXBennyTheGeezXx', $user->external_auth_id);
+ }
+
+ public function test_auth_uses_mulitple_display_name_claims_if_configured()
+ {
+ config()->set(['oidc.display_name_claims' => 'first_name|last_name']);
+
+ $this->runLogin([
+ 'sub' => 'benny1010101',
+ 'first_name' => 'Benny',
+ 'last_name' => 'Jenkins'
+ ]);
+
+ $this->assertDatabaseHas('users', [
+ 'name' => 'Benny Jenkins',
+ ]);
+ }
+
+ public function test_user_avatar_fetched_from_picture_on_first_login_if_enabled()
+ {
+ config()->set(['oidc.fetch_avatar' => true]);
+
+ $this->runLogin([
+ 'picture' => 'https://example.com/my-avatar.jpg',
+ ], [
+ new Response(200, ['Content-Type' => 'image/jpeg'], $this->files->jpegImageData())
+ ]);
+
+ $this->assertNotNull($user);
+
+ $this->assertTrue($user->avatar()->exists());
+ }
+
+ public function test_user_avatar_fetched_for_existing_user_when_no_avatar_already_assigned()
+ {
+ config()->set(['oidc.fetch_avatar' => true]);
+ $editor = $this->users->editor();
+ $editor->external_auth_id = 'benny509';
+ $editor->save();
+
+ $this->assertFalse($editor->avatar()->exists());
+
+ $this->runLogin([
+ 'picture' => 'https://example.com/my-avatar.jpg',
+ 'sub' => 'benny509',
+ ], [
+ new Response(200, ['Content-Type' => 'image/jpeg'], $this->files->jpegImageData())
+ ]);
+
+ $editor->refresh();
+ $this->assertTrue($editor->avatar()->exists());
+ }
+
+ public function test_user_avatar_not_fetched_if_image_data_format_unknown()
+ {
+ config()->set(['oidc.fetch_avatar' => true]);
+
+ $this->runLogin([
+ 'picture' => 'https://example.com/my-avatar.jpg',
+ ], [
+ new Response(200, ['Content-Type' => 'image/jpeg'], str_repeat('abc123', 5))
+ ]);
+
+ $this->assertNotNull($user);
+
+ $this->assertFalse($user->avatar()->exists());
+ }
+
+ public function test_user_avatar_not_fetched_when_avatar_already_assigned()
+ {
+ config()->set(['oidc.fetch_avatar' => true]);
+ $editor = $this->users->editor();
+ $editor->external_auth_id = 'benny509';
+ $editor->save();
+
+ $avatars = $this->app->make(UserAvatars::class);
+ $originalImageData = $this->files->pngImageData();
+ $avatars->assignToUserFromExistingData($editor, $originalImageData, 'png');
+
+ $this->runLogin([
+ 'picture' => 'https://example.com/my-avatar.jpg',
+ 'sub' => 'benny509',
+ ], [
+ new Response(200, ['Content-Type' => 'image/jpeg'], $this->files->jpegImageData())
+ ]);
+
+ $editor->refresh();
+ $newAvatarData = file_get_contents($this->files->relativeToFullPath($editor->avatar->path));
+ $this->assertEquals($originalImageData, $newAvatarData);
+ }
+
+ public function test_user_avatar_fetch_follows_up_to_three_redirects()
+ {
+ config()->set(['oidc.fetch_avatar' => true]);
+
+ $logger = $this->withTestLogger();
+
+ $this->runLogin([
+ 'picture' => 'https://example.com/my-avatar.jpg',
+ ], [
+ new Response(302, ['Location' => 'https://example.com/a']),
+ new Response(302, ['Location' => 'https://example.com/b']),
+ new Response(302, ['Location' => 'https://example.com/c']),
+ new Response(302, ['Location' => 'https://example.com/d']),
+ ]);
+
+ $this->assertFalse($user->avatar()->exists());
+
+ $this->assertStringContainsString('"Failed to fetch image, max redirect limit of 3 tries reached. Last fetched URL: https://example.com/c"', $logger->getRecords()[0]->formatted);
+ }
+
+ public function test_login_group_sync()
+ {
+ config()->set([
+ 'oidc.user_to_groups' => true,
+ 'oidc.groups_claim' => 'groups',
+ 'oidc.remove_from_groups' => false,
+ ]);
+ $roleA = Role::factory()->create(['display_name' => 'Wizards']);
+ $roleB = Role::factory()->create(['display_name' => 'ZooFolks', 'external_auth_id' => 'zookeepers']);
+ $roleC = Role::factory()->create(['display_name' => 'Another Role']);
+
+ $resp = $this->runLogin([
+ 'sub' => 'benny1010101',
+ 'groups' => ['Wizards', 'Zookeepers'],
+ ]);
+ $resp->assertRedirect('/');
+
+ /** @var User $user */
+
+ $this->assertTrue($user->hasRole($roleA->id));
+ $this->assertTrue($user->hasRole($roleB->id));
+ $this->assertFalse($user->hasRole($roleC->id));
+ }
+
+ public function test_login_group_sync_with_nested_groups_in_token()
+ {
+ config()->set([
+ 'oidc.user_to_groups' => true,
+ 'oidc.groups_claim' => 'my.custom.groups.attr',
+ 'oidc.remove_from_groups' => false,
+ ]);
+ $roleA = Role::factory()->create(['display_name' => 'Wizards']);
+
+ $resp = $this->runLogin([
+ 'sub' => 'benny1010101',
+ 'my' => [
+ 'custom' => [
+ 'groups' => [
+ 'attr' => ['Wizards'],
+ ],
+ ],
+ ],
+ ]);
+ $resp->assertRedirect('/');
+
+ /** @var User $user */
+ $this->assertTrue($user->hasRole($roleA->id));
+ }
+
+ public function test_oidc_logout_form_active_when_oidc_active()
+ {
+ $this->runLogin();
+
+ $resp = $this->get('/');
+ $this->withHtml($resp)->assertElementExists('header form[action$="/oidc/logout"] button');
+ }
+ public function test_logout_with_autodiscovery_with_oidc_logout_enabled()
+ {
+ config()->set(['oidc.end_session_endpoint' => true]);
+ $this->withAutodiscovery();
+
+ $transactions = $this->mockHttpClient([
+ $this->getAutoDiscoveryResponse(),
+ $this->getJwksResponse(),
+ ]);
+
+ $resp = $this->asEditor()->post('/oidc/logout');
+ $resp->assertRedirect('https://auth.example.com/oidc/logout?post_logout_redirect_uri=' . urlencode(url('/')));
+
+ $this->assertEquals(2, $transactions->requestCount());
+ $this->assertFalse(auth()->check());
+ }
+
+ public function test_logout_with_autodiscovery_with_oidc_logout_disabled()
+ {
+ $this->withAutodiscovery();
+ config()->set(['oidc.end_session_endpoint' => false]);
+
+ $this->mockHttpClient([
+ $this->getAutoDiscoveryResponse(),
+ $this->getJwksResponse(),
+ ]);
+
+ $resp = $this->asEditor()->post('/oidc/logout');
+ $resp->assertRedirect('/');
+ $this->assertFalse(auth()->check());
+ }
+
+ public function test_logout_without_autodiscovery_but_with_endpoint_configured()
+ {
+ config()->set(['oidc.end_session_endpoint' => 'https://example.com/logout']);
+
+ $resp = $this->asEditor()->post('/oidc/logout');
+ $resp->assertRedirect('https://example.com/logout?post_logout_redirect_uri=' . urlencode(url('/')));
+ $this->assertFalse(auth()->check());
+ }
+
+ public function test_logout_without_autodiscovery_with_configured_endpoint_adds_to_query_if_existing()
+ {
+ config()->set(['oidc.end_session_endpoint' => 'https://example.com/logout?a=b']);
+
+ $resp = $this->asEditor()->post('/oidc/logout');
+ $resp->assertRedirect('https://example.com/logout?a=b&post_logout_redirect_uri=' . urlencode(url('/')));
+ $this->assertFalse(auth()->check());
+ }
+
+ public function test_logout_with_autodiscovery_and_auto_initiate_returns_to_auto_prevented_login()
+ {
+ $this->withAutodiscovery();
+ config()->set([
+ 'auth.auto_initiate' => true,
+ 'services.google.client_id' => false,
+ 'services.github.client_id' => false,
+ 'oidc.end_session_endpoint' => true,
+ ]);
+
+ $this->mockHttpClient([
+ $this->getAutoDiscoveryResponse(),
+ $this->getJwksResponse(),
+ ]);
+
+ $resp = $this->asEditor()->post('/oidc/logout');
+
+ $redirectUrl = url('/login?prevent_auto_init=true');
+ $resp->assertRedirect('https://auth.example.com/oidc/logout?post_logout_redirect_uri=' . urlencode($redirectUrl));
+ $this->assertFalse(auth()->check());
+ }
+
+ public function test_logout_endpoint_url_overrides_autodiscovery_endpoint()
+ {
+ config()->set(['oidc.end_session_endpoint' => 'https://a.example.com']);
+ $this->withAutodiscovery();
+
+ $transactions = $this->mockHttpClient([
+ $this->getAutoDiscoveryResponse(),
+ $this->getJwksResponse(),
+ ]);
+
+ $resp = $this->asEditor()->post('/oidc/logout');
+ $resp->assertRedirect('https://a.example.com?post_logout_redirect_uri=' . urlencode(url('/')));
+
+ $this->assertEquals(2, $transactions->requestCount());
+ $this->assertFalse(auth()->check());
+ }
+
+ public function test_logout_with_autodiscovery_does_not_use_rp_logout_if_no_url_via_autodiscovery()
+ {
+ config()->set(['oidc.end_session_endpoint' => true]);
+ $this->withAutodiscovery();
+
+ $this->mockHttpClient([
+ $this->getAutoDiscoveryResponse(['end_session_endpoint' => null]),
+ $this->getJwksResponse(),
+ ]);
+
+ $resp = $this->asEditor()->post('/oidc/logout');
+ $resp->assertRedirect('/');
+ $this->assertFalse(auth()->check());
+ }
+
+ public function test_logout_redirect_contains_id_token_hint_if_existing()
+ {
+ config()->set(['oidc.end_session_endpoint' => 'https://example.com/logout']);
+
+ // Fix times so our token is predictable
+ $claimOverrides = [
+ 'iat' => time(),
+ 'exp' => time() + 720,
+ 'auth_time' => time()
+ ];
+ $this->runLogin($claimOverrides);
+
+ $resp = $this->asEditor()->post('/oidc/logout');
+ $query = 'id_token_hint=' . urlencode(OidcJwtHelper::idToken($claimOverrides)) . '&post_logout_redirect_uri=' . urlencode(url('/'));
+ $resp->assertRedirect('https://example.com/logout?' . $query);
+ }
+
+ public function test_oidc_id_token_pre_validate_theme_event_without_return()
+ {
+ $args = [];
+ $callback = function (...$eventArgs) use (&$args) {
+ $args = $eventArgs;
+ };
+ Theme::listen(ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE, $callback);
+
+ $resp = $this->runLogin([
+ 'sub' => 'benny1010101',
+ 'name' => 'Benny',
+ ]);
+ $resp->assertRedirect('/');
+
+ $this->assertDatabaseHas('users', [
+ 'external_auth_id' => 'benny1010101',
+ ]);
+
+ $this->assertArrayHasKey('iss', $args[0]);
+ $this->assertArrayHasKey('sub', $args[0]);
+ $this->assertEquals('Benny', $args[0]['name']);
+ $this->assertEquals('benny1010101', $args[0]['sub']);
+
+ $this->assertArrayHasKey('access_token', $args[1]);
+ $this->assertArrayHasKey('expires_in', $args[1]);
+ $this->assertArrayHasKey('refresh_token', $args[1]);
+ }
+
+ public function test_oidc_id_token_pre_validate_theme_event_with_return()
+ {
+ $callback = function (...$eventArgs) {
+ return array_merge($eventArgs[0], [
+ 'sub' => 'lenny1010101',
+ 'name' => 'Lenny',
+ ]);
+ };
+ Theme::listen(ThemeEvents::OIDC_ID_TOKEN_PRE_VALIDATE, $callback);
+
+ $resp = $this->runLogin([
+ 'sub' => 'benny1010101',
+ 'name' => 'Benny',
+ ]);
+ $resp->assertRedirect('/');
+
+ $this->assertDatabaseHas('users', [
+ 'external_auth_id' => 'lenny1010101',
+ 'name' => 'Lenny',
+ ]);
+ }
+
+ public function test_pkce_used_on_authorize_and_access()
+ {
+ // Start auth
+ $resp = $this->post('/oidc/login');
+ $state = session()->get('oidc_state');
+
+ $pkceCode = session()->get('oidc_pkce_code');
+ $this->assertGreaterThan(30, strlen($pkceCode));
+
+ $expectedCodeChallenge = trim(strtr(base64_encode(hash('sha256', $pkceCode, true)), '+/', '-_'), '=');
+ $redirect = $resp->headers->get('Location');
+ $redirectParams = [];
+ parse_str(parse_url($redirect, PHP_URL_QUERY), $redirectParams);
+ $this->assertEquals($expectedCodeChallenge, $redirectParams['code_challenge']);
+ $this->assertEquals('S256', $redirectParams['code_challenge_method']);
+
+ $transactions = $this->mockHttpClient([$this->getMockAuthorizationResponse([
+ 'sub' => 'benny1010101',
+ ])]);
+
+ $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=' . $state);
+ $tokenRequest = $transactions->latestRequest();
+ $bodyParams = [];
+ parse_str($tokenRequest->getBody(), $bodyParams);
+ $this->assertEquals($pkceCode, $bodyParams['code_verifier']);
+ }
+
+ public function test_userinfo_endpoint_used_if_missing_claims_in_id_token()
+ {
+ config()->set('oidc.display_name_claims', 'first_name|last_name');
+ $this->post('/oidc/login');
+ $state = session()->get('oidc_state');
+
+ $client = $this->mockHttpClient([
+ $this->getMockAuthorizationResponse(['name' => null]),
+ new Response(200, [
+ 'Content-Type' => 'application/json',
+ ], json_encode([
+ 'sub' => OidcJwtHelper::defaultPayload()['sub'],
+ 'first_name' => 'Barry',
+ 'last_name' => 'Userinfo',
+ ]))
+ ]);
+
+ $resp = $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=' . $state);
+ $resp->assertRedirect('/');
+ $this->assertEquals(2, $client->requestCount());
+
+ $userinfoRequest = $client->requestAt(1);
+ $this->assertEquals('GET', $userinfoRequest->getMethod());
+ $this->assertEquals('https://oidc.local/userinfo', (string) $userinfoRequest->getUri());
+
+ $this->assertEquals('Barry Userinfo', user()->name);
+ }
+
+ public function test_userinfo_endpoint_fetch_with_different_sub_throws_error()
+ {
+ $userinfoResponseData = ['sub' => 'dcba4321'];
+ $userinfoResponse = new Response(200, ['Content-Type' => 'application/json'], json_encode($userinfoResponseData));
+ $resp = $this->runLogin(['name' => null], [$userinfoResponse]);
+ $resp->assertRedirect('/login');
+ $this->assertSessionError('Userinfo endpoint response validation failed with error: Subject value provided in the userinfo endpoint does not match the provided ID token value');
+ }
+
+ public function test_userinfo_endpoint_fetch_returning_no_sub_throws_error()
+ {
+ $userinfoResponseData = ['name' => 'testing'];
+ $userinfoResponse = new Response(200, ['Content-Type' => 'application/json'], json_encode($userinfoResponseData));
+ $resp = $this->runLogin(['name' => null], [$userinfoResponse]);
+ $resp->assertRedirect('/login');
+ $this->assertSessionError('Userinfo endpoint response validation failed with error: No valid subject value found in userinfo data');
+ }
+
+ public function test_userinfo_endpoint_fetch_can_parsed_nested_groups()
+ {
+ config()->set([
+ 'oidc.user_to_groups' => true,
+ 'oidc.groups_claim' => 'my.nested.groups.attr',
+ 'oidc.remove_from_groups' => false,
+ ]);
+
+ $roleA = Role::factory()->create(['display_name' => 'Ducks']);
+ $userinfoResponseData = [
+ 'sub' => OidcJwtHelper::defaultPayload()['sub'],
+ 'my' => ['nested' => ['groups' => ['attr' => ['Ducks', 'Donkeys']]]]
+ ];
+ $userinfoResponse = new Response(200, ['Content-Type' => 'application/json'], json_encode($userinfoResponseData));
+ $resp = $this->runLogin(['groups' => null], [$userinfoResponse]);
+ $resp->assertRedirect('/');
+
+ $user = User::where('email', OidcJwtHelper::defaultPayload()['email'])->first();
+ $this->assertTrue($user->hasRole($roleA->id));
+ }
+
+ public function test_userinfo_endpoint_response_with_complex_json_content_type_handled()
+ {
+ $userinfoResponseData = [
+ 'sub' => OidcJwtHelper::defaultPayload()['sub'],
+ 'name' => 'Barry',
+ ];
+ $userinfoResponse = new Response(200, ['Content-Type' => 'Application/Json ; charset=utf-8'], json_encode($userinfoResponseData));
+ $resp = $this->runLogin(['name' => null], [$userinfoResponse]);
+ $resp->assertRedirect('/');
+
+ $user = User::where('email', OidcJwtHelper::defaultPayload()['email'])->first();
+ $this->assertEquals('Barry', $user->name);
+ }
+
+ public function test_userinfo_endpoint_jwks_response_handled()
+ {
+ $userinfoResponseData = OidcJwtHelper::idToken(['name' => 'Barry Jwks']);
+ $userinfoResponse = new Response(200, ['Content-Type' => 'application/jwt'], $userinfoResponseData);
+
+ $resp = $this->runLogin(['name' => null], [$userinfoResponse]);
+ $resp->assertRedirect('/');
+
+ $user = User::where('email', OidcJwtHelper::defaultPayload()['email'])->first();
+ $this->assertEquals('Barry Jwks', $user->name);
+ }
+
+ public function test_userinfo_endpoint_jwks_response_returning_no_sub_throws()
+ {
+ $userinfoResponseData = OidcJwtHelper::idToken(['sub' => null]);
+ $userinfoResponse = new Response(200, ['Content-Type' => 'application/jwt'], $userinfoResponseData);
+
+ $resp = $this->runLogin(['name' => null], [$userinfoResponse]);
+ $resp->assertRedirect('/login');
+ $this->assertSessionError('Userinfo endpoint response validation failed with error: No valid subject value found in userinfo data');
+ }
+
+ public function test_userinfo_endpoint_jwks_response_returning_non_matching_sub_throws()
+ {
+ $userinfoResponseData = OidcJwtHelper::idToken(['sub' => 'zzz123']);
+ $userinfoResponse = new Response(200, ['Content-Type' => 'application/jwt'], $userinfoResponseData);
+
+ $resp = $this->runLogin(['name' => null], [$userinfoResponse]);
+ $resp->assertRedirect('/login');
+ $this->assertSessionError('Userinfo endpoint response validation failed with error: Subject value provided in the userinfo endpoint does not match the provided ID token value');
+ }
+
+ public function test_userinfo_endpoint_jwks_response_with_invalid_signature_throws()
+ {
+ $userinfoResponseData = OidcJwtHelper::idToken();
+ $exploded = explode('.', $userinfoResponseData);
+ $exploded[2] = base64_encode(base64_decode($exploded[2]) . 'ABC');
+ $userinfoResponse = new Response(200, ['Content-Type' => 'application/jwt'], implode('.', $exploded));
+
+ $resp = $this->runLogin(['name' => null], [$userinfoResponse]);
+ $resp->assertRedirect('/login');
+ $this->assertSessionError('Userinfo endpoint response validation failed with error: Token signature could not be validated using the provided keys');
+ }
+
+ public function test_userinfo_endpoint_jwks_response_with_invalid_signature_alg_throws()
+ {
+ $userinfoResponseData = OidcJwtHelper::idToken([], ['alg' => 'ZZ512']);
+ $userinfoResponse = new Response(200, ['Content-Type' => 'application/jwt'], $userinfoResponseData);
+
+ $resp = $this->runLogin(['name' => null], [$userinfoResponse]);
+ $resp->assertRedirect('/login');
+ $this->assertSessionError('Userinfo endpoint response validation failed with error: Only RS256 signature validation is supported. Token reports using ZZ512');
+ }
+
+ public function test_userinfo_endpoint_response_with_invalid_content_type_throws()
+ {
+ $userinfoResponse = new Response(200, ['Content-Type' => 'application/beans'], json_encode(OidcJwtHelper::defaultPayload()));
+ $resp = $this->runLogin(['name' => null], [$userinfoResponse]);
+ $resp->assertRedirect('/login');
+ $this->assertSessionError('Userinfo endpoint response validation failed with error: No valid subject value found in userinfo data');
+ }
+
+ public function test_userinfo_endpoint_not_called_if_empty_groups_array_provided_in_id_token()
+ {
+ config()->set([
+ 'oidc.user_to_groups' => true,
+ 'oidc.groups_claim' => 'groups',
+ 'oidc.remove_from_groups' => false,
+ ]);
+
+ $this->post('/oidc/login');
+ $state = session()->get('oidc_state');
+ $client = $this->mockHttpClient([$this->getMockAuthorizationResponse([
+ 'groups' => [],
+ ])]);
+
+ $resp = $this->get('/oidc/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=' . $state);
+ $resp->assertRedirect('/');
+ $this->assertEquals(1, $client->requestCount());
+ $this->assertTrue(auth()->check());
+ }
+
+ protected function withAutodiscovery(): void
projects / bookstack / blobdiff