Add device code flow tests

indigo-iam · Sep 20, 2023 · d919783 · d919783
1 parent ae1418b
commit d919783
Showing 1 changed file with 52 additions and 0 deletions.
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/devicecode/DeviceCodeTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/devicecode/DeviceCodeTests.java
@@ -415,6 +415,58 @@ public void testDeviceCodeApprovalFlowWorks() throws Exception {
       .andExpect(jsonPath("$.active", equalTo(true)));
   }
 
+  @Test
+  public void testDeviceCodeFlowDoesNotWorkIfScopeNotAllowed() throws Exception {
+
+    mvc
+      .perform(post(DEVICE_CODE_ENDPOINT).contentType(APPLICATION_FORM_URLENCODED)
+        .with(httpBasic(DEVICE_CODE_CLIENT_ID, DEVICE_CODE_CLIENT_SECRET))
+        .param("client_id", "device-code-client")
+        .param("scope", "openid profile offline_access custom-scope"))
+      .andExpect(status().isBadRequest())
+      .andExpect(jsonPath("$.error", equalTo("invalid_scope")));
+  }
+
+  @Test
+  public void deviceCodeDoesNotWorkForDynamicallyRegisteredClientIfScopeNotAllowed()
+      throws UnsupportedEncodingException, Exception {
+
+    String jsonInString = ClientJsonStringBuilder.builder()
+      .grantTypes("urn:ietf:params:oauth:grant-type:device_code")
+      .scopes("openid", "profile", "offline_access")
+      .build();
+
+    String clientJson =
+        mvc.perform(post(REGISTER_ENDPOINT).contentType(APPLICATION_JSON).content(jsonInString))
+          .andExpect(status().isCreated())
+          .andExpect(jsonPath("$.registration_access_token").exists())
+          .andExpect(jsonPath("$.registration_client_uri").exists())
+          .andExpect(jsonPath("$.scope", containsString("offline_access")))
+          .andReturn()
+          .getResponse()
+          .getContentAsString();
+
+    RegisteredClientDTO registrationResponse =
+        objectMapper.readValue(clientJson, RegisteredClientDTO.class);
+
+    ClientDetailsEntity newClient =
+        clientRepo.findByClientId(registrationResponse.getClientId()).orElseThrow();
+
+    assertThat(newClient, notNullValue());
+
+    RequestPostProcessor clientBasicAuth =
+        httpBasic(newClient.getClientId(), newClient.getClientSecret());
+
+    mvc
+      .perform(post(DEVICE_CODE_ENDPOINT).contentType(APPLICATION_FORM_URLENCODED)
+        .with(clientBasicAuth)
+        .param("client_id", newClient.getClientId())
+        .param("scope", "openid profile offline_access custom-scope"))
+      .andExpect(status().isBadRequest())
+      .andExpect(jsonPath("$.error", equalTo("invalid_scope")));
+  }
+
+
   @Test
   public void deviceCodeWorksForDynamicallyRegisteredClient()
       throws UnsupportedEncodingException, Exception {