From 4e834896a1c68cd536971dcfff7c3afbcff637ae Mon Sep 17 00:00:00 2001
From: jwijenbergh
Date: Mon, 17 Oct 2022 10:51:35 +0200
Subject: OAuth: Implement Authorization Server Issuer Identification (ISS)

- This patch implements ISS checking according to RFC 9207 https://datatracker.ietf.org/doc/html/rfc9207
- This tries to prevent so called "mix-up" attacks where the client is fooled into authorizing with an honest AS through a malicious entity
---
 client_test.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

(limited to 'client_test.go')

diff --git a/client_test.go b/client_test.go
index 4466754..77be634 100644
--- a/client_test.go
+++ b/client_test.go
@@ -170,15 +170,24 @@ func Test_connect_oauth_parameters(t *testing.T) {
 var (
 failedCallbackParameterError *oauth.OAuthCallbackParameterError
 failedCallbackStateMatchError *oauth.OAuthCallbackStateMatchError
+ failedCallbackISSMatchError *oauth.OAuthCallbackISSMatchError
 )
+
+ serverURI := getServerURI(t)
+ iss := serverURI + "/"
 tests := []struct {
 expectedErr interface{}
 parameters httpw.URLParameters
 }{
- {&failedCallbackParameterError, httpw.URLParameters{}},
- {&failedCallbackParameterError, httpw.URLParameters{"code": "42"}},
- {&failedCallbackStateMatchError, httpw.URLParameters{"code": "42", "state": "21"}},
+ // missing state and code
+ {&failedCallbackParameterError, httpw.URLParameters{"iss": iss}},
+ // missing state
+ {&failedCallbackParameterError, httpw.URLParameters{"iss": iss, "code": "42"}},
+ // invalid state
+ {&failedCallbackStateMatchError, httpw.URLParameters{"iss": iss, "code": "42", "state": "21"}},
+ // invalid iss
+ {&failedCallbackISSMatchError, httpw.URLParameters{"iss": "37", "code": "42", "state": "21"}},
 }
 for _, test := range tests {
-- 
cgit v1.2.3
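Review bot: The only negative issuer case in the table, `{&failedCallbackISSMatchError, httpw.URLParameters{"iss": "37", "code": "42", "state": "21"}}`, reuses the mismatching state `"21"` from the case above it, so the expected `OAuthCallbackISSMatchError` silently pins that the callback validates `iss` before `state`; if those checks are ever reordered this row would start reporting a state error and the table gives no hint why. Replacing the bare `// invalid iss` comment with `// invalid iss (iss is checked before state, so the stale state is not what fails here)` makes that ordering dependency explicit. The table also never exercises a callback where `iss` is absent while `code` and `state` are present, which is the response RFC 9207 expects a client to reject once it knows the server supports the parameter, nor a near-miss issuer such as `serverURI` without the trailing slash or with a different port; those rows would confirm the comparison is exact rather than presence- or prefix-based. The enclosing Test_connect_oauth_parameters body continues outside the hunk.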