X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/e537d0c4e8dbf0c8bf4ac8119e6a8d7a4adf4bfb..refs/pull/3918/head:/tests/Auth/OidcTest.php

diff --git a/tests/Auth/OidcTest.php b/tests/Auth/OidcTest.php
index 4215f6a54..db1f87bd5 100644
--- a/tests/Auth/OidcTest.php
+++ b/tests/Auth/OidcTest.php
@@ -40,7 +40,7 @@ class OidcTest extends TestCase
             'oidc.dump_user_details'      => false,
             'oidc.additional_scopes'      => '',
             'oidc.user_to_groups'         => false,
-            'oidc.group_attribute'        => 'group',
+            'oidc.groups_claim'           => 'group',
             'oidc.remove_from_groups'     => false,
         ]);
     }
@@ -360,11 +360,42 @@ class OidcTest extends TestCase
         $this->assertTrue(auth()->check());
     }
 
+    public function test_auth_login_with_autodiscovery_with_keys_that_do_not_have_use_property()
+    {
+        // Based on reading the OIDC discovery spec:
+        // > This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also
+        // > contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When
+        // > both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all
+        // > keys in the referenced JWK Set to indicate each key's intended usage.
+        // We can assume that keys without use are intended for signing.
+        $this->withAutodiscovery();
+
+        $keyArray = OidcJwtHelper::publicJwkKeyArray();
+        unset($keyArray['use']);
+
+        $this->mockHttpClient([
+            $this->getAutoDiscoveryResponse(),
+            new Response(200, [
+                'Content-Type'  => 'application/json',
+                'Cache-Control' => 'no-cache, no-store',
+                'Pragma'        => 'no-cache',
+            ], json_encode([
+                'keys' => [
+                    $keyArray,
+                ],
+            ])),
+        ]);
+
+        $this->assertFalse(auth()->check());
+        $this->runLogin();
+        $this->assertTrue(auth()->check());
+    }
+
     public function test_login_group_sync()
     {
         config()->set([
             'oidc.user_to_groups'     => true,
-            'oidc.group_attribute'    => 'groups',
+            'oidc.groups_claim'       => 'groups',
             'oidc.remove_from_groups' => false,
         ]);
         $roleA = Role::factory()->create(['display_name' => 'Wizards']);
@@ -374,7 +405,7 @@ class OidcTest extends TestCase
         $resp = $this->runLogin([
             'email'  => 'benny@example.com',
             'sub'    => 'benny1010101',
-            'groups' => ['Wizards', 'Zookeepers']
+            'groups' => ['Wizards', 'Zookeepers'],
         ]);
         $resp->assertRedirect('/');
 
@@ -390,7 +421,7 @@ class OidcTest extends TestCase
     {
         config()->set([
             'oidc.user_to_groups'     => true,
-            'oidc.group_attribute'    => 'my.custom.groups.attr',
+            'oidc.groups_claim'       => 'my.custom.groups.attr',
             'oidc.remove_from_groups' => false,
         ]);
         $roleA = Role::factory()->create(['display_name' => 'Wizards']);
@@ -398,13 +429,13 @@ class OidcTest extends TestCase
         $resp = $this->runLogin([
             'email'  => 'benny@example.com',
             'sub'    => 'benny1010101',
-            'my' => [
+            'my'     => [
                 'custom' => [
                     'groups' => [
-                        'attr' => ['Wizards']
-                    ]
-                ]
-            ]
+                        'attr' => ['Wizards'],
+                    ],
+                ],
+            ],
         ]);
         $resp->assertRedirect('/');