feat: adjust test to store consent challenge ID inside token

ory · Feb 5, 2025 · 065a0c6 · 065a0c6
1 parent 8e49c81
commit 065a0c6
Showing 1 changed file with 54 additions and 25 deletions.
diff --git a/oauth2/oauth2_auth_code_test.go b/oauth2/oauth2_auth_code_test.go
@@ -117,7 +117,7 @@ func acceptLoginHandler(t *testing.T, c *client.Client, adminClient *hydra.APICl
 	}
 }
 
-func acceptConsentHandler(t *testing.T, c *client.Client, adminClient *hydra.APIClient, reg driver.Registry, subject string, checkRequestPayload func(*hydra.OAuth2ConsentRequest)) http.HandlerFunc {
+func acceptConsentHandler(t *testing.T, c *client.Client, adminClient *hydra.APIClient, reg driver.Registry, subject string, checkRequestPayload func(*hydra.OAuth2ConsentRequest) *hydra.AcceptOAuth2ConsentRequest) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		rr, _, err := adminClient.OAuth2API.GetOAuth2ConsentRequest(context.Background()).ConsentChallenge(r.URL.Query().Get("consent_challenge")).Execute()
 		require.NoError(t, err)
@@ -130,21 +130,27 @@ func acceptConsentHandler(t *testing.T, c *client.Client, adminClient *hydra.API
 		assert.EqualValues(t, subject, pointerx.Deref(rr.Subject))
 		assert.EqualValues(t, []string{"hydra", "offline", "openid"}, rr.RequestedScope)
 		assert.Contains(t, *rr.RequestUrl, reg.Config().OAuth2AuthURL(r.Context()).String())
+		assert.Equal(t, map[string]interface{}{"context": "bar"}, rr.Context)
+
+		acceptBody := hydra.AcceptOAuth2ConsentRequest{
+			GrantScope:               []string{"hydra", "offline", "openid"},
+			GrantAccessTokenAudience: rr.RequestedAccessTokenAudience,
+			Remember:                 pointerx.Ptr(true),
+			RememberFor:              pointerx.Ptr[int64](0),
+			Session: &hydra.AcceptOAuth2ConsentRequestSession{
+				AccessToken: map[string]interface{}{"foo": "bar"},
+				IdToken:     map[string]interface{}{"bar": "baz", "email": "[email protected]"},
+			},
+		}
 		if checkRequestPayload != nil {
-			checkRequestPayload(rr)
+			if b := checkRequestPayload(rr); b != nil {
+				acceptBody = *b
+			}
 		}
 
-		assert.Equal(t, map[string]interface{}{"context": "bar"}, rr.Context)
 		v, _, err := adminClient.OAuth2API.AcceptOAuth2ConsentRequest(context.Background()).
 			ConsentChallenge(r.URL.Query().Get("consent_challenge")).
-			AcceptOAuth2ConsentRequest(hydra.AcceptOAuth2ConsentRequest{
-				GrantScope: []string{"hydra", "offline", "openid"}, Remember: pointerx.Ptr(true), RememberFor: pointerx.Ptr[int64](0),
-				GrantAccessTokenAudience: rr.RequestedAccessTokenAudience,
-				Session: &hydra.AcceptOAuth2ConsentRequestSession{
-					AccessToken: map[string]interface{}{"foo": "bar"},
-					IdToken:     map[string]interface{}{"bar": "baz", "email": "[email protected]"},
-				},
-			}).
+			AcceptOAuth2ConsentRequest(acceptBody).
 			Execute()
 		require.NoError(t, err)
 		require.NotEmpty(t, v.RedirectTo)
@@ -675,9 +681,10 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 						assert.EqualValues(t, []string{expectAud}, r.RequestedAccessTokenAudience)
 						return nil
 					}),
-					acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) {
+					acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) *hydra.AcceptOAuth2ConsentRequest {
 						assert.False(t, *r.Skip)
 						assert.EqualValues(t, []string{expectAud}, r.RequestedAccessTokenAudience)
+						return nil
 					}))
 
 				code, _ := getAuthorizeCode(t, conf, nil,
@@ -823,9 +830,10 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 						require.EqualValues(t, subject, r.Subject)
 						return nil
 					}),
-					acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) {
+					acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) *hydra.AcceptOAuth2ConsentRequest {
 						require.True(t, *r.Skip)
 						require.EqualValues(t, subject, *r.Subject)
+						return nil
 					}),
 				)
 
@@ -877,9 +885,10 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 								require.Empty(t, r.Subject)
 								return nil
 							}),
-							acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) {
+							acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) *hydra.AcceptOAuth2ConsentRequest {
 								require.True(t, *r.Skip)
 								require.EqualValues(t, subject, *r.Subject)
+								return nil
 							}),
 						)
 						code, _ := getAuthorizeCode(t, conf, oc,
@@ -1043,9 +1052,10 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 								assert.EqualValues(t, []string{expectAud}, r.RequestedAccessTokenAudience)
 								return nil
 							}),
-							acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) {
+							acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) *hydra.AcceptOAuth2ConsentRequest {
 								assert.False(t, *r.Skip)
 								assert.EqualValues(t, []string{expectAud}, r.RequestedAccessTokenAudience)
+								return nil
 							}))
 
 						code, _ := getAuthorizeCode(t, conf, nil,
@@ -1092,9 +1102,10 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 								assert.EqualValues(t, []string{expectAud}, r.RequestedAccessTokenAudience)
 								return nil
 							}),
-							acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) {
+							acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) *hydra.AcceptOAuth2ConsentRequest {
 								assert.False(t, *r.Skip)
 								assert.EqualValues(t, []string{expectAud}, r.RequestedAccessTokenAudience)
+								return nil
 							}))
 
 						code, _ := getAuthorizeCode(t, conf, nil,
@@ -1132,9 +1143,10 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 								assert.EqualValues(t, []string{expectAud}, r.RequestedAccessTokenAudience)
 								return nil
 							}),
-							acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) {
+							acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) *hydra.AcceptOAuth2ConsentRequest {
 								assert.False(t, *r.Skip)
 								assert.EqualValues(t, []string{expectAud}, r.RequestedAccessTokenAudience)
+								return nil
 							}))
 
 						code, _ := getAuthorizeCode(t, conf, nil,
@@ -1172,9 +1184,10 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 								assert.EqualValues(t, []string{expectAud}, r.RequestedAccessTokenAudience)
 								return nil
 							}),
-							acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) {
+							acceptConsentHandler(t, c, adminClient, reg, subject, func(r *hydra.OAuth2ConsentRequest) *hydra.AcceptOAuth2ConsentRequest {
 								assert.False(t, *r.Skip)
 								assert.EqualValues(t, []string{expectAud}, r.RequestedAccessTokenAudience)
+								return nil
 							}))
 
 						code, _ := getAuthorizeCode(t, conf, nil,
@@ -1194,21 +1207,28 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 			t.Run("case=can revoke token chains with ID obtained from consent requests", func(t *testing.T) {
 				c, conf := newOAuth2Client(t, reg, testhelpers.NewCallbackURL(t, "callback", testhelpers.HTTPServerNotImplementedHandler))
 
-				// go through an auth code flow and take note of the consent request id
-				var consentRequestID string
+				// go through an auth code flow and store the consent request id in the tokens
 				testhelpers.NewLoginConsentUI(t, reg.Config(),
 					acceptLoginHandler(t, c, adminClient, reg, subject, nil),
-					acceptConsentHandler(t, c, adminClient, reg, subject, func(ocr *hydra.OAuth2ConsentRequest) {
-						consentRequestID = ocr.Challenge
+					acceptConsentHandler(t, c, adminClient, reg, subject, func(ocr *hydra.OAuth2ConsentRequest) *hydra.AcceptOAuth2ConsentRequest {
+						require.NotZero(t, ocr.Challenge)
+						t.Logf("Consent Request ID: %s", ocr.Challenge)
+						return &hydra.AcceptOAuth2ConsentRequest{
+							GrantScope:               ocr.RequestedScope,
+							GrantAccessTokenAudience: ocr.RequestedAccessTokenAudience,
+							Remember:                 pointerx.Ptr(true),
+							RememberFor:              pointerx.Ptr[int64](0),
+							Session: &hydra.AcceptOAuth2ConsentRequestSession{
+								AccessToken: map[string]interface{}{"crid": ocr.Challenge},
+								IdToken:     map[string]interface{}{"crid": ocr.Challenge},
+							},
+						}
 					}),
 				)
 
 				code, _ := getAuthorizeCode(t, conf, nil)
 				require.NotEmpty(t, code)
 
-				require.NotZero(t, consentRequestID)
-				t.Logf("Consent Request ID: %s", consentRequestID)
-
 				token, err := conf.Exchange(context.Background(), code)
 				require.NoError(t, err)
 
@@ -1234,6 +1254,15 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 				rt2 := testhelpers.IntrospectToken(t, conf, token2.RefreshToken, adminTS)
 				assert.True(t, rt2.Get("active").Bool(), "%s", rt2)
 
+				// extract consent request id from first access token
+				consentRequestID := at.Get("ext.crid").Str
+				assert.NotZero(t, consentRequestID, "%s", at)
+				assert.Equal(t, consentRequestID, rt.Get("ext.crid").Str, "%s", rt)
+
+				// second set of tokens have different consent request ids
+				assert.NotEqual(t, consentRequestID, at2.Get("ext.crid").Str, "%s", at2)
+				assert.NotEqual(t, consentRequestID, rt2.Get("ext.crid").Str, "%s", rt2)
+
 				// revoken the first token chain by consent request id
 				_, err = adminClient.OAuth2API.
 					RevokeOAuth2ConsentSessions(context.Background()).