From a75a94ec9db000228581f70b584239939a610567 Mon Sep 17 00:00:00 2001 From: lasanthaS Date: Thu, 16 Mar 2023 14:39:03 +0530 Subject: [PATCH 1/3] Enable PKCE in OIDC federated flow --- .../oidc/OIDCAuthenticatorConstants.java | 4 + .../oidc/OpenIDConnectAuthenticator.java | 98 +++++++++++++++++-- 2 files changed, 93 insertions(+), 9 deletions(-) diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java index 92368b8c..2c47b761 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java @@ -58,6 +58,10 @@ private OIDCAuthenticatorConstants() { public static final String LOGOUT_TOKEN = "logout_token"; public static final Pattern OIDC_BACKCHANNEL_LOGOUT_ENDPOINT_URL_PATTERN = Pattern.compile("(.*)/identity/oidc" + "/slo(.*)"); + public static final String SID = "sid"; + + public static final String OAUTH_FEDERATED_PKCE_CODE_VERIFIER = "OAUTH_PKCE_CODE_VERIFIER"; + public static final String ENABLE_FEDERATED_PKCE = "IsPKCEEnabled"; public class AuthenticatorConfParams { diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java index aaef7ffe..681c805d 100644 
--- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java @@ -72,6 +72,9 @@ import java.net.URL; import java.net.URLEncoder; import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; import java.text.ParseException; import java.util.ArrayList; import java.util.HashMap; @@ -351,6 +354,8 @@ protected void initiateAuthenticationRequest(HttpServletRequest request, HttpSer String authorizationEP = getOIDCAuthzEndpoint(authenticatorProperties); String callbackurl = getCallbackUrl(authenticatorProperties); String state = getStateParameter(context, authenticatorProperties); + boolean isPKCEEnabled = Boolean.parseBoolean( + authenticatorProperties.get(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE)); OAuthClientRequest authzRequest; @@ -402,6 +407,18 @@ protected void initiateAuthenticationRequest(HttpServletRequest request, HttpSer loginPage = loginPage + "&fidp=" + domain; } + // If PKCE is enabled, add code_challenge and code_challenge_method to the request. + if (isPKCEEnabled) { + String codeVerifier = generateCodeVerifier(); + context.setProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER, codeVerifier); + try { + String codeChallenge = generateCodeChallenge(codeVerifier); + loginPage += "&code_challenge=" + codeChallenge + "&code_challenge_method=S256"; + } catch (NoSuchAlgorithmException e) { + log.error("Error while generating the code challenge", e); + } + } + if (StringUtils.isNotBlank(queryString)) { if (!queryString.startsWith("&")) { loginPage = loginPage + "&" + queryString; 
@@ -727,6 +744,9 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID); String clientSecret = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_SECRET); String tokenEndPoint = getTokenEndpoint(authenticatorProperties); + boolean isPKCEEnabled = Boolean.parseBoolean( + authenticatorProperties.get(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE)); + Object codeVerifier = context.getProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER); String callbackUrl = getCallbackUrlFromInitialRequestParamMap(context); if (StringUtils.isBlank(callbackUrl)) { 
@@ -739,28 +759,51 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context OAuthClientRequest accessTokenRequest; try { if (isHTTPBasicAuth) { - if (log.isDebugEnabled()) { log.debug("Authenticating to token endpoint: " + tokenEndPoint + " with HTTP basic " + "authentication scheme."); } - accessTokenRequest = OAuthClientRequest.tokenLocation(tokenEndPoint).setGrantType(GrantType - .AUTHORIZATION_CODE).setRedirectURI(callbackUrl).setCode(authzResponse.getCode()) - .buildBodyMessage(); + OAuthClientRequest.TokenRequestBuilder tokenRequestBuilder = OAuthClientRequest + .tokenLocation(tokenEndPoint) + .setGrantType(GrantType.AUTHORIZATION_CODE) + .setRedirectURI(callbackUrl) + .setCode(authzResponse.getCode()); + + if (isPKCEEnabled) { + if (codeVerifier != null) { + tokenRequestBuilder.setParameter("code_verifier", codeVerifier.toString()); + } else { + log.warn("PKCE is enabled, but the code verifier is not found."); + } + } + + accessTokenRequest = tokenRequestBuilder.buildBodyMessage(); String base64EncodedCredential = new String(Base64.encodeBase64((clientId + ":" + clientSecret).getBytes())); accessTokenRequest.addHeader(OAuth.HeaderType.AUTHORIZATION, "Basic " + base64EncodedCredential); } else { - if (log.isDebugEnabled()) { log.debug("Authenticating to token endpoint: " + tokenEndPoint + " including client credentials " + "in request body."); } - accessTokenRequest = OAuthClientRequest.tokenLocation(tokenEndPoint).setGrantType(GrantType - .AUTHORIZATION_CODE).setClientId(clientId).setClientSecret(clientSecret).setRedirectURI - (callbackUrl).setCode(authzResponse.getCode()).buildBodyMessage(); + OAuthClientRequest.TokenRequestBuilder tokenRequestBuilder = OAuthClientRequest + .tokenLocation(tokenEndPoint) + .setGrantType(GrantType.AUTHORIZATION_CODE) + .setClientId(clientId) + .setClientSecret(clientSecret) + .setRedirectURI(callbackUrl) + .setCode(authzResponse.getCode()); + if (isPKCEEnabled) { + if (codeVerifier != null) { + 
tokenRequestBuilder.setParameter("code_verifier", codeVerifier.toString()); + } else { + log.warn("PKCE is enabled, but the code verifier is not found."); + } + } + accessTokenRequest = tokenRequestBuilder.buildBodyMessage(); } + context.removeProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER); // set 'Origin' header to access token request. if (accessTokenRequest != null) { // fetch the 'Hostname' configured in carbon.xml @@ -776,7 +819,6 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context } catch (URLBuilderException e) { throw new RuntimeException("Error occurred while building URL in tenant qualified mode.", e); } - return accessTokenRequest; } @@ -930,6 +972,15 @@ public List getConfigurationProperties() { enableBasicAuth.setDisplayOrder(9); configProperties.add(enableBasicAuth); + Property enablePKCE = new Property(); + enablePKCE.setName("isPKCEEnabled"); + enablePKCE.setDisplayName("Enable PKCE"); + enablePKCE.setRequired(false); + enablePKCE.setDescription("Specifies that PKCE should be used for client authentication"); + enablePKCE.setType("boolean"); + enablePKCE.setDisplayOrder(10); + configProperties.add(enablePKCE); + return configProperties; } 
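Review bot: The configuration property is registered as `enablePKCE.setName("isPKCEEnabled")` while the authenticator reads the flag via `ENABLE_FEDERATED_PKCE = "IsPKCEEnabled"` (hunk @@ -58 of the constants file); the two differ in the case of the first letter, so unless the authenticator-properties map is looked up case-insensitively the admin's checkbox value is never seen and PKCE stays silently off. Patch 3 carries the same mismatch into `IS_PKCE_ENABLED_NAME = "isPKCEEnabled"` versus `IS_PKCE_ENABLED = "IsPKCEEnabled"` (hunk @@ -98), and the unit test sets the property through the constant, so it cannot catch this; using one constant for both, e.g. `enablePKCE.setName(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE);`, removes the risk. The description `"Specifies that PKCE should be used for client authentication"` is also inaccurate, since PKCE does not authenticate the client but binds the authorization code to the party that started the flow; wording such as `"Send a PKCE code challenge with the authorization request and the matching code verifier with the token request"` says what the option actually does.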
@@ -1182,4 +1233,33 @@ private String getCallbackUrlFromInitialRequestParamMap(AuthenticationContext co return null; } + + /** + * Generate code verifier for PKCE + * + * @return code verifier + */ + private String generateCodeVerifier() { + SecureRandom secureRandom = new SecureRandom(); + byte[] codeVerifier = new byte[32]; + secureRandom.nextBytes(codeVerifier); + return java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(codeVerifier); + } + + /** + * Generate code challenge for PKCE + * + * @param codeVerifier code verifier + * @return code challenge + * @throws UnsupportedEncodingException + * @throws NoSuchAlgorithmException + */ + private String generateCodeChallenge(String codeVerifier) + throws UnsupportedEncodingException, NoSuchAlgorithmException { + byte[] bytes = codeVerifier.getBytes("US-ASCII"); + MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); + messageDigest.update(bytes, 0, bytes.length); + byte[] digest = messageDigest.digest(); + return java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(digest); + } } From 5b66f06941af3199c22db252cd0790713219d6a9 Mon Sep 17 00:00:00 2001 From: lasanthaS Date: Wed, 29 Mar 2023 14:03:31 +0530 Subject: [PATCH 2/3] Add unit tests for federated PKCE flow --- .../oidc/OpenIDConnectAuthenticatorTest.java | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java index 3dba41a4..36660e38 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java 
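Review bot: `codeVerifier.getBytes("US-ASCII")` in generateCodeChallenge uses the charset-name overload, which is the only reason the method has to declare `UnsupportedEncodingException`; `StandardCharsets` is already imported in this file (context of the @@ -72 import hunk), so `codeVerifier.getBytes(StandardCharsets.US_ASCII)` drops that checked exception, and the same applies to the patch-3 rewrite of this method at @@ -1251, where it would also drop one arm of the multi-catch. The `@throws` tags in the Javadoc carry no description of when each exception is raised. In generateCodeVerifier a short why-comment on the buffer size would help the next reader, e.g. `// 32 random bytes encode to 43 base64url characters, the minimum verifier length RFC 7636 allows`.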
+++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java @@ -30,6 +30,7 @@ import org.apache.oltu.oauth2.common.exception.OAuthSystemException; import org.mockito.Matchers; import org.mockito.Mock; +import org.powermock.core.classloader.annotations.PowerMockIgnore; import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.testng.PowerMockTestCase; import org.powermock.reflect.Whitebox; @@ -51,6 +52,7 @@ import org.wso2.carbon.identity.claim.metadata.mgt.ClaimMetadataManagementService; import org.wso2.carbon.identity.core.ServiceURL; import org.wso2.carbon.identity.core.ServiceURLBuilder; +import org.wso2.carbon.identity.core.URLBuilderException; import org.wso2.carbon.identity.core.util.IdentityCoreConstants; import org.wso2.carbon.identity.core.util.IdentityUtil; import org.wso2.carbon.user.api.RealmConfiguration; @@ -89,6 +91,7 @@ @PrepareForTest({LogFactory.class, OAuthClient.class, URL.class, FrameworkUtils.class, OpenIDConnectAuthenticatorDataHolder.class, OAuthAuthzResponse.class, OAuthClientRequest.class, OAuthClientResponse.class, IdentityUtil.class, OpenIDConnectAuthenticator.class, ServiceURLBuilder.class}) +@PowerMockIgnore("jdk.internal.reflect.*") public class OpenIDConnectAuthenticatorTest extends PowerMockTestCase { @Mock 
@@ -403,6 +406,31 @@ public void testPassProcessAuthenticationResponse() throws Exception { "Invalid Id token in the authentication context."); } + /** + * Test whether the token request contains the code verifier when PKCE is enabled. + * + * @throws URLBuilderException + * @throws AuthenticationFailedException + */ + @Test() + public void testGetAccessTokenRequestWithPKCE() throws URLBuilderException, AuthenticationFailedException { + mockAuthenticationRequestContext(mockAuthenticationContext); + mockAuthenticationContext.getAuthenticatorProperties() + .put(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE, "true"); + when(mockAuthenticationContext.getProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER)) + .thenReturn("sample_code_verifier"); + OAuthAuthzResponse oAuthAuthzResponse = mock(OAuthAuthzResponse.class); + when(oAuthAuthzResponse.getCode()).thenReturn("abc"); + mockStatic(ServiceURLBuilder.class); + ServiceURLBuilder serviceURLBuilder = mock(ServiceURLBuilder.class); + when(ServiceURLBuilder.create()).thenReturn(serviceURLBuilder); + when(serviceURLBuilder.build()).thenReturn(serviceURL); + when(serviceURL.getAbsolutePublicURL()).thenReturn("http://localhost:9443"); + OAuthClientRequest request = openIDConnectAuthenticator + .getAccessTokenRequest(mockAuthenticationContext, oAuthAuthzResponse); + assertTrue(request.getBody().contains("code_verifier=sample_code_verifier")); + } + @Test(expectedExceptions = AuthenticationFailedException.class) public void testPassProcessAuthenticationResponseWithoutAccessToken() throws Exception { From 641e36baa576949f31e711673fc9711661ab7ce2 Mon Sep 17 00:00:00 2001 From: lasanthaS Date: Sun, 2 Apr 2023 11:52:58 +0530 Subject: [PATCH 3/3] Fix code styles and review suggestions --- .../oidc/OIDCAuthenticatorConstants.java | 4 +- .../oidc/OpenIDConnectAuthenticator.java | 67 ++++++++++--------- .../oidc/OpenIDConnectAuthenticatorTest.java | 14 ++-- 3 files changed, 44 insertions(+), 41 deletions(-) 
diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java index 2c47b761..3319abf9 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java @@ -60,8 +60,8 @@ private OIDCAuthenticatorConstants() { "/slo(.*)"); public static final String SID = "sid"; - public static final String OAUTH_FEDERATED_PKCE_CODE_VERIFIER = "OAUTH_PKCE_CODE_VERIFIER"; - public static final String ENABLE_FEDERATED_PKCE = "IsPKCEEnabled"; + public static final String PKCE_CODE_VERIFIER = "PKCE_CODE_VERIFIER"; + public static final String IS_PKCE_ENABLED = "IsPKCEEnabled"; public class AuthenticatorConfParams { diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java index 681c805d..ac5ed8f6 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java 
@@ -98,11 +98,17 @@ public class OpenIDConnectAuthenticator extends AbstractApplicationAuthenticator private static final Log log = LogFactory.getLog(OpenIDConnectAuthenticator.class); private static final String OIDC_DIALECT = "http://wso2.org/oidc/claim"; + private static final String PKCE_CODE_CHALLENGE_METHOD = "S256"; private static final String DYNAMIC_PARAMETER_LOOKUP_REGEX = "\\$\\{(\\w+)\\}"; private static Pattern pattern = Pattern.compile(DYNAMIC_PARAMETER_LOOKUP_REGEX); private static final String[] NON_USER_ATTRIBUTES = new String[]{"at_hash", "iss", "iat", "exp", "aud", "azp"}; + private static final String IS_PKCE_ENABLED_NAME = "isPKCEEnabled"; + private static final String IS_PKCE_ENABLED_DISPLAY_NAME = "Enable PKCE"; + private static final String IS_PKCE_ENABLED_DESCRIPTION = "Specifies that PKCE should be used for client authentication"; + private static final String TYPE_BOOLEAN = "boolean"; + @Override public AuthenticatorFlowStatus process(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) @@ -355,7 +361,7 @@ protected void initiateAuthenticationRequest(HttpServletRequest request, HttpSer String callbackurl = getCallbackUrl(authenticatorProperties); String state = getStateParameter(context, authenticatorProperties); boolean isPKCEEnabled = Boolean.parseBoolean( - authenticatorProperties.get(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE)); + authenticatorProperties.get(OIDCAuthenticatorConstants.IS_PKCE_ENABLED)); OAuthClientRequest authzRequest; 
@@ -410,13 +416,10 @@ protected void initiateAuthenticationRequest(HttpServletRequest request, HttpSer // If PKCE is enabled, add code_challenge and code_challenge_method to the request. if (isPKCEEnabled) { String codeVerifier = generateCodeVerifier(); - context.setProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER, codeVerifier); - try { - String codeChallenge = generateCodeChallenge(codeVerifier); - loginPage += "&code_challenge=" + codeChallenge + "&code_challenge_method=S256"; - } catch (NoSuchAlgorithmException e) { - log.error("Error while generating the code challenge", e); - } + context.setProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER, codeVerifier); + String codeChallenge = generateCodeChallenge(codeVerifier); + loginPage += "&code_challenge=" + codeChallenge + "&code_challenge_method=" + + PKCE_CODE_CHALLENGE_METHOD; } if (StringUtils.isNotBlank(queryString)) { @@ -745,8 +748,8 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context String clientSecret = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_SECRET); String tokenEndPoint = getTokenEndpoint(authenticatorProperties); boolean isPKCEEnabled = Boolean.parseBoolean( - authenticatorProperties.get(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE)); - Object codeVerifier = context.getProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER); + authenticatorProperties.get(OIDCAuthenticatorConstants.IS_PKCE_ENABLED)); + String codeVerifier = (String) context.getProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER); String callbackUrl = getCallbackUrlFromInitialRequestParamMap(context); if (StringUtils.isBlank(callbackUrl)) { 
@@ -771,11 +774,10 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context .setCode(authzResponse.getCode()); if (isPKCEEnabled) { - if (codeVerifier != null) { - tokenRequestBuilder.setParameter("code_verifier", codeVerifier.toString()); - } else { - log.warn("PKCE is enabled, but the code verifier is not found."); + if (StringUtils.isEmpty(codeVerifier)) { + throw new AuthenticationFailedException("PKCE is enabled, but the code verifier is not found."); } + tokenRequestBuilder.setParameter("code_verifier", codeVerifier); } accessTokenRequest = tokenRequestBuilder.buildBodyMessage(); @@ -795,15 +797,14 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context .setRedirectURI(callbackUrl) .setCode(authzResponse.getCode()); if (isPKCEEnabled) { - if (codeVerifier != null) { - tokenRequestBuilder.setParameter("code_verifier", codeVerifier.toString()); - } else { - log.warn("PKCE is enabled, but the code verifier is not found."); + if (StringUtils.isEmpty(codeVerifier)) { + throw new AuthenticationFailedException("PKCE is enabled, but the code verifier is not found."); } + tokenRequestBuilder.setParameter("code_verifier", codeVerifier); } accessTokenRequest = tokenRequestBuilder.buildBodyMessage(); } - context.removeProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER); + context.removeProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER); // set 'Origin' header to access token request. if (accessTokenRequest != null) { // fetch the 'Hostname' configured in carbon.xml 
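Review bot: `context.removeProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER)` is reached only on the success path; the new `throw new AuthenticationFailedException(...)` in either branch, and an `OAuthSystemException` from `buildBodyMessage()`, skip it and leave the one-time verifier in the context, which presumably outlives this call. The enclosing `try` starts before this hunk; moving the `removeProperty` call into a `finally` on that try clears the verifier regardless of outcome. The PKCE block is duplicated verbatim in this hunk and in @@ -771 above; a small private helper taking the builder and the verifier would keep the empty check and the `setParameter("code_verifier", ...)` call in one place.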
@@ -973,11 +974,11 @@ public List getConfigurationProperties() { configProperties.add(enableBasicAuth); Property enablePKCE = new Property(); - enablePKCE.setName("isPKCEEnabled"); - enablePKCE.setDisplayName("Enable PKCE"); + enablePKCE.setName(IS_PKCE_ENABLED_NAME); + enablePKCE.setDisplayName(IS_PKCE_ENABLED_DISPLAY_NAME); enablePKCE.setRequired(false); - enablePKCE.setDescription("Specifies that PKCE should be used for client authentication"); - enablePKCE.setType("boolean"); + enablePKCE.setDescription(IS_PKCE_ENABLED_DESCRIPTION); + enablePKCE.setType(TYPE_BOOLEAN); enablePKCE.setDisplayOrder(10); configProperties.add(enablePKCE); @@ -1251,15 +1252,17 @@ private String generateCodeVerifier() { * * @param codeVerifier code verifier * @return code challenge - * @throws UnsupportedEncodingException - * @throws NoSuchAlgorithmException + * @throws AuthenticationFailedException */ - private String generateCodeChallenge(String codeVerifier) - throws UnsupportedEncodingException, NoSuchAlgorithmException { - byte[] bytes = codeVerifier.getBytes("US-ASCII"); - MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); - messageDigest.update(bytes, 0, bytes.length); - byte[] digest = messageDigest.digest(); - return java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(digest); + private String generateCodeChallenge(String codeVerifier) throws AuthenticationFailedException { + try { + byte[] bytes = codeVerifier.getBytes("US-ASCII"); + MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); + messageDigest.update(bytes, 0, bytes.length); + byte[] digest = messageDigest.digest(); + return java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(digest); + } catch (UnsupportedEncodingException | NoSuchAlgorithmException e) { + throw new AuthenticationFailedException("Error while generating code challenge", e); + } } } 
diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java index 36660e38..d93c6c01 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java @@ -91,7 +91,6 @@ @PrepareForTest({LogFactory.class, OAuthClient.class, URL.class, FrameworkUtils.class, OpenIDConnectAuthenticatorDataHolder.class, OAuthAuthzResponse.class, OAuthClientRequest.class, OAuthClientResponse.class, IdentityUtil.class, OpenIDConnectAuthenticator.class, ServiceURLBuilder.class}) -@PowerMockIgnore("jdk.internal.reflect.*") public class OpenIDConnectAuthenticatorTest extends PowerMockTestCase { @Mock @@ -389,6 +388,7 @@ public void testPassProcessAuthenticationResponse() throws Exception { setupTest(); when(mockAuthenticationContext.getExternalIdP()).thenReturn(externalIdPConfig); + authenticatorProperties.put(OIDCAuthenticatorConstants.IS_PKCE_ENABLED, "false"); when(openIDConnectAuthenticatorDataHolder.getClaimMetadataManagementService()).thenReturn (claimMetadataManagementService); when(mockAuthenticationContext.getExternalIdP()).thenReturn(externalIdPConfig); 
@@ -415,19 +415,17 @@ public void testPassProcessAuthenticationResponse() throws Exception { @Test() public void testGetAccessTokenRequestWithPKCE() throws URLBuilderException, AuthenticationFailedException { mockAuthenticationRequestContext(mockAuthenticationContext); - mockAuthenticationContext.getAuthenticatorProperties() - .put(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE, "true"); - when(mockAuthenticationContext.getProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER)) + authenticatorProperties.put(OIDCAuthenticatorConstants.IS_PKCE_ENABLED, "true"); + when(mockAuthenticationContext.getProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER)) .thenReturn("sample_code_verifier"); - OAuthAuthzResponse oAuthAuthzResponse = mock(OAuthAuthzResponse.class); - when(oAuthAuthzResponse.getCode()).thenReturn("abc"); + when(mockOAuthzResponse.getCode()).thenReturn("abc"); mockStatic(ServiceURLBuilder.class); ServiceURLBuilder serviceURLBuilder = mock(ServiceURLBuilder.class); when(ServiceURLBuilder.create()).thenReturn(serviceURLBuilder); when(serviceURLBuilder.build()).thenReturn(serviceURL); when(serviceURL.getAbsolutePublicURL()).thenReturn("http://localhost:9443"); OAuthClientRequest request = openIDConnectAuthenticator - .getAccessTokenRequest(mockAuthenticationContext, oAuthAuthzResponse); + .getAccessTokenRequest(mockAuthenticationContext, mockOAuthzResponse); assertTrue(request.getBody().contains("code_verifier=sample_code_verifier")); } @@ -446,6 +444,7 @@ public void testPassProcessAuthenticationWithBlankCallBack() throws Exception { setupTest(); authenticatorProperties.put("callbackUrl", " "); + authenticatorProperties.put(OIDCAuthenticatorConstants.IS_PKCE_ENABLED, "false"); mockStatic(IdentityUtil.class); when(IdentityUtil.getServerURL(FrameworkConstants.COMMONAUTH, true, true)).thenReturn("http:/localhost:9443/oauth2/callback"); setParametersForOAuthClientResponse(mockOAuthClientResponse, accessToken, idToken); 
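Review bot: The test covers only the happy path; the failure path patch 3 introduces in getAccessTokenRequest, where `IS_PKCE_ENABLED` is `"true"` but `PKCE_CODE_VERIFIER` is absent and an `AuthenticationFailedException` is now thrown, has no test. A sibling method with `@Test(expectedExceptions = AuthenticationFailedException.class)` that stubs `getProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER)` to return `null` would pin that behaviour. `@Test()` can be written `@Test`, matching the other plain annotations in the file.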
@@ -464,6 +463,7 @@ public void testPassProcessAuthenticationWithParamValue() throws Exception { setupTest(); authenticatorProperties.put("callbackUrl", "http://localhost:8080/playground2/oauth2client"); + authenticatorProperties.put(OIDCAuthenticatorConstants.IS_PKCE_ENABLED, "false"); Map paramMap = new HashMap<>(); paramMap.put("redirect_uri", "http:/localhost:9443/oauth2/redirect"); when(mockAuthenticationContext.getProperty("oidc:param.map")).thenReturn(paramMap);