test for OpenIDConfiguration server API

nuts-foundation · Sep 3, 2024 · 026b22a · 026b22a
1 parent 4c285d9
commit 026b22a
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 17 deletions.
diff --git a/auth/api/iam/api.go b/auth/api/iam/api.go
@@ -639,7 +639,7 @@ func (r Wrapper) OpenIDConfiguration(ctx context.Context, request OpenIDConfigur
 	}
 	if !exists {
 		return nil, oauth.OAuth2Error{
-			Code:        "not_found",
+			Code:        oauth.InvalidRequest,
 			Description: "subject not found",
 		}
 	}
@@ -680,22 +680,8 @@ func (r Wrapper) OpenIDConfiguration(ctx context.Context, request OpenIDConfigur
 	// we sign with a JWK, the receiving party can verify with the signature but not if the key corresponds to the DID since the DID method might not be supported.
 	// this is a shortcoming of the openID federation vs OpenID4VP/DID worlds
 	// issuer URL equals server baseURL + :/oauth2/:subject
-	baseURL := r.auth.PublicURL()
-	if baseURL == nil {
-		return nil, oauth.OAuth2Error{
-			Code:        oauth.ServerError,
-			Description: "misconfiguration: missing public URL",
-		}
-	}
-	issuerURL, err := baseURL.Parse("/oauth2/" + request.Subject)
-	if err != nil {
-		return nil, oauth.OAuth2Error{
-			Code:          oauth.ServerError,
-			Description:   "internal server error",
-			InternalError: err,
-		}
-	}
-	configuration := openIDConfiguration(*issuerURL, set, r.vdr.SupportedMethods())
+	issuerURL := r.subjectToBaseURL(request.Subject)
+	configuration := openIDConfiguration(issuerURL, set, r.vdr.SupportedMethods())
 	claims := make(map[string]interface{})
 	asJson, _ := json.Marshal(configuration)
 	_ = json.Unmarshal(asJson, &claims)

diff --git a/auth/api/iam/api_test.go b/auth/api/iam/api_test.go
@@ -26,9 +26,11 @@ import (
 	"fmt"
 	"github.com/nuts-foundation/nuts-node/core/to"
 	"github.com/nuts-foundation/nuts-node/crypto/storage/spi"
+	test2 "github.com/nuts-foundation/nuts-node/crypto/test"
 	"github.com/nuts-foundation/nuts-node/http/user"
 	"github.com/nuts-foundation/nuts-node/test"
 	"github.com/nuts-foundation/nuts-node/vdr/didsubject"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -121,6 +123,57 @@ func TestWrapper_GetOAuthClientMetadata(t *testing.T) {
 		assert.IsType(t, OAuthClientMetadata200JSONResponse{}, res)
 	})
 }
+
+func TestWrapper_OpenIDConfiguration(t *testing.T) {
+	testKey := test2.GenerateECKey()
+	t.Run("ok", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.keyResolver.EXPECT().ResolveKey(verifierDID, nil, resolver.AssertionMethod).Return("kid", testKey.Public(), nil)
+		ctx.jwtSigner.EXPECT().SignJWT(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(_ interface{}, claims interface{}, headers interface{}, kid interface{}) (string, error) {
+			asMap := claims.(map[string]interface{})
+			assert.Equal(t, "https://example.com/oauth2/verifier", asMap["iss"])
+			assert.Len(t, asMap["jwks"], 1)
+			return "token", nil
+		})
+
+		res, err := ctx.client.OpenIDConfiguration(nil, OpenIDConfigurationRequestObject{Subject: verifierSubject})
+
+		require.NoError(t, err)
+		assert.IsType(t, OpenIDConfiguration200ApplicationentityStatementJwtResponse{}, res)
+		successResponse := res.(OpenIDConfiguration200ApplicationentityStatementJwtResponse)
+		bodyBytes, err := io.ReadAll(successResponse.Body)
+		require.NoError(t, err)
+		assert.Equal(t, "token", string(bodyBytes))
+	})
+	t.Run("error - subject does not exist", func(t *testing.T) {
+		ctx := newTestClient(t)
+
+		res, err := ctx.client.OpenIDConfiguration(nil, OpenIDConfigurationRequestObject{Subject: unknownSubjectID})
+
+		requireOAuthError(t, err, oauth.InvalidRequest, "subject not found")
+		assert.Nil(t, res)
+	})
+	t.Run("error - key resolution error", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.keyResolver.EXPECT().ResolveKey(verifierDID, nil, resolver.AssertionMethod).Return("", nil, assert.AnError)
+
+		res, err := ctx.client.OpenIDConfiguration(nil, OpenIDConfigurationRequestObject{Subject: verifierSubject})
+
+		requireOAuthError(t, err, oauth.ServerError, "internal server error")
+		assert.Nil(t, res)
+	})
+	t.Run("error - signing error", func(t *testing.T) {
+		ctx := newTestClient(t)
+		ctx.keyResolver.EXPECT().ResolveKey(verifierDID, nil, resolver.AssertionMethod).Return("kid", testKey.Public(), nil)
+		ctx.jwtSigner.EXPECT().SignJWT(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return("", assert.AnError)
+
+		res, err := ctx.client.OpenIDConfiguration(nil, OpenIDConfigurationRequestObject{Subject: verifierSubject})
+
+		requireOAuthError(t, err, oauth.ServerError, "internal server error")
+		assert.Nil(t, res)
+	})
+}
+
 func TestWrapper_PresentationDefinition(t *testing.T) {
 	ctx := audit.TestContext()
 	walletOwnerMapping := pe.WalletOwnerMapping{pe.WalletOwnerOrganization: pe.PresentationDefinition{Id: "test"}}