providers/oauth2: OpenID conformance (#4758)

* don't open inspector by default when debug is enabled Signed-off-by: Jens Langhammer <jens@goauthentik.io> * encode error in fragment when using hybrid grant_type Signed-off-by: Jens Langhammer <jens@goauthentik.io> * require nonce for all response_types that get an id_token from the authorization endpoint Signed-off-by: Jens Langhammer <jens@goauthentik.io> * don't set empty family_name Signed-off-by: Jens Langhammer <jens@goauthentik.io> * only set at_hash when response has token Signed-off-by: Jens Langhammer <jens@goauthentik.io> * cleaner way to get login time Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove authentication requirement from authentication flow Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use wrapper Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix auth_time not being handled correctly Signed-off-by: Jens Langhammer <jens@goauthentik.io> * minor cleanup Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add test files Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove USER_LOGIN_AUTHENTICATED Signed-off-by: Jens Langhammer <jens@goauthentik.io> * rework prompt=login handling Signed-off-by: Jens Langhammer <jens@goauthentik.io> * also set last login uid for max_age check to prevent double login when max_age and prompt=login is set Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-23 15:26:41 +01:00
parent c6a14fa4f1
commit 80f4fccd35
22 changed files with 255 additions and 65 deletions
--- a/tests/manual/openid-conformance/README.md
+++ b/tests/manual/openid-conformance/README.md
@ -0,0 +1,8 @@
+# #Test files for OpenID Conformance testing.
+
+These config files assume testing is being done using the [OpenID Conformance Suite
+](https://openid.net/certification/about-conformance-suite/), locally.
+
+See https://gitlab.com/openid/conformance-suite/-/wikis/Developers/Build-&-Run for running the conformance suite locally.
+
+Requires docker containers to be able to access the host via `host.docker.internal` and an entry in the hosts file that maps `host.docker.internal` to localhost.
--- a/tests/manual/openid-conformance/oidc-conformance.yaml
+++ b/tests/manual/openid-conformance/oidc-conformance.yaml
@ -0,0 +1,81 @@
+version: 1
+metadata:
+  name: OIDC conformance testing
+entries:
+  - identifiers:
+      managed: goauthentik.io/providers/oauth2/scope-address
+    model: authentik_providers_oauth2.scopemapping
+    attrs:
+      name: "authentik default OAuth Mapping: OpenID 'address'"
+      scope_name: address
+      description: "General Address Information"
+      expression: |
+        return {
+            "address": {
+                "formatted": "foo",
+            }
+        }
+  - identifiers:
+      managed: goauthentik.io/providers/oauth2/scope-phone
+    model: authentik_providers_oauth2.scopemapping
+    attrs:
+      name: "authentik default OAuth Mapping: OpenID 'phone'"
+      scope_name: phone
+      description: "General phone Information"
+      expression: |
+        return {
+            "phone_number": "+1234",
+            "phone_number_verified": True,
+        }
+
+  - model: authentik_providers_oauth2.oauth2provider
+    id: provider
+    identifiers:
+      name: provider
+    attrs:
+      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      issuer_mode: global
+      client_id: 4054d882aff59755f2f279968b97ce8806a926e1
+      client_secret: 4c7e4933009437fb486b5389d15b173109a0555dc47e0cc0949104f1925bcc6565351cb1dffd7e6818cf074f5bd50c210b565121a7328ee8bd40107fc4bbd867
+      redirect_uris: |
+        https://localhost:8443/test/a/authentik/callback
+        https://localhost.emobix.co.uk:8443/test/a/authentik/callback
+      property_mappings:
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-openid]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-email]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-address]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-phone]]
+      signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+  - model: authentik_core.application
+    identifiers:
+      slug: conformance
+    attrs:
+      provider: !KeyOf provider
+      name: Conformance
+
+  - model: authentik_providers_oauth2.oauth2provider
+    id: oidc-conformance-2
+    identifiers:
+      name: oidc-conformance-2
+    attrs:
+      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      issuer_mode: global
+      client_id: ad64aeaf1efe388ecf4d28fcc537e8de08bcae26
+      client_secret: ff2e34a5b04c99acaf7241e25a950e7f6134c86936923d8c698d8f38bd57647750d661069612c0ee55045e29fe06aa101804bdae38e8360647d595e771fea789
+      redirect_uris: |
+        https://localhost:8443/test/a/authentik/callback
+        https://localhost.emobix.co.uk:8443/test/a/authentik/callback
+      property_mappings:
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-openid]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-email]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-address]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-phone]]
+      signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+  - model: authentik_core.application
+    identifiers:
+      slug: oidc-conformance-2
+    attrs:
+      provider: !KeyOf oidc-conformance-2
+      name: OIDC Conformance
--- a/tests/manual/openid-conformance/test-config.json
+++ b/tests/manual/openid-conformance/test-config.json
@ -0,0 +1,20 @@
+{
+    "alias": "authentik",
+    "description": "authentik",
+    "server": {
+        "discoveryUrl": "http://host.docker.internal:9000/application/o/conformance/.well-known/openid-configuration"
+    },
+    "client": {
+        "client_id": "4054d882aff59755f2f279968b97ce8806a926e1",
+        "client_secret": "4c7e4933009437fb486b5389d15b173109a0555dc47e0cc0949104f1925bcc6565351cb1dffd7e6818cf074f5bd50c210b565121a7328ee8bd40107fc4bbd867"
+    },
+    "client_secret_post": {
+        "client_id": "4054d882aff59755f2f279968b97ce8806a926e1",
+        "client_secret": "4c7e4933009437fb486b5389d15b173109a0555dc47e0cc0949104f1925bcc6565351cb1dffd7e6818cf074f5bd50c210b565121a7328ee8bd40107fc4bbd867"
+    },
+    "client2": {
+        "client_id": "ad64aeaf1efe388ecf4d28fcc537e8de08bcae26",
+        "client_secret": "ff2e34a5b04c99acaf7241e25a950e7f6134c86936923d8c698d8f38bd57647750d661069612c0ee55045e29fe06aa101804bdae38e8360647d595e771fea789"
+    },
+    "consent": {}
+}