authorjwijenbergh <jeroenwijenbergh@protonmail.com>2022-10-17 10:51:35 +0200
committerjwijenbergh <jeroenwijenbergh@protonmail.com>2022-10-17 10:51:35 +0200
commit4e834896a1c68cd536971dcfff7c3afbcff637ae (patch)
tree5614ed19ec512904d1f09773ed607c8550116961 /client_test.go
parentd615578b89f1f10d0f057315a58a29c30f1f8693 (diff)
OAuth: Implement Authorization Server Issuer Identification (ISS)
- This patch implements ISS checking according to RFC 9207 https://datatracker.ietf.org/doc/html/rfc9207 - This tries to prevent so-called "mix-up" attacks, where the client is fooled into authorizing with an honest AS through a malicious entity
Diffstat (limited to 'client_test.go')
-rw-r--r--client_test.go15
1 files changed, 12 insertions, 3 deletions
diff --git a/client_test.go b/client_test.go
index 4466754..77be634 100644
--- a/client_test.go
+++ b/client_test.go
@@ -170,15 +170,24 @@ func Test_connect_oauth_parameters(t *testing.T) {
var (
failedCallbackParameterError *oauth.OAuthCallbackParameterError
failedCallbackStateMatchError *oauth.OAuthCallbackStateMatchError
+ failedCallbackISSMatchError *oauth.OAuthCallbackISSMatchError
)
+
+ serverURI := getServerURI(t)
+ iss := serverURI + "/"
tests := []struct {
expectedErr interface{}
parameters httpw.URLParameters
}{
- {&failedCallbackParameterError, httpw.URLParameters{}},
- {&failedCallbackParameterError, httpw.URLParameters{"code": "42"}},
- {&failedCallbackStateMatchError, httpw.URLParameters{"code": "42", "state": "21"}},
+ // missing state and code
+ {&failedCallbackParameterError, httpw.URLParameters{"iss": iss}},
+ // missing state
+ {&failedCallbackParameterError, httpw.URLParameters{"iss": iss, "code": "42"}},
+ // invalid state
+ {&failedCallbackStateMatchError, httpw.URLParameters{"iss": iss, "code": "42", "state": "21"}},
+ // invalid iss
+ {&failedCallbackISSMatchError, httpw.URLParameters{"iss": "37", "code": "42", "state": "21"}},
}
for _, test := range tests {