From 15f02c9721da4879a81ee88b7c0a1844c8ee9725 Mon Sep 17 00:00:00 2001 From: lasanthaS Date: Thu, 16 Mar 2023 14:39:03 +0530 Subject: [PATCH 1/3] Enable PKCE in OIDC federated flow --- .../oidc/OIDCAuthenticatorConstants.java | 4 + .../oidc/OpenIDConnectAuthenticator.java | 96 +++++++++++++++++-- 2 files changed, 93 insertions(+), 7 deletions(-) diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java index ed787940..0c40d2e8 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java @@ -88,6 +88,10 @@ private OIDCAuthenticatorConstants() { /** * This class holds the constants related to authenticator configuration parameters. */ + + public static final String OAUTH_FEDERATED_PKCE_CODE_VERIFIER = "OAUTH_PKCE_CODE_VERIFIER"; + public static final String ENABLE_FEDERATED_PKCE = "IsPKCEEnabled"; + public class AuthenticatorConfParams { private AuthenticatorConfParams() { diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java index 45912358..6066278c 100644 
--- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java @@ -96,6 +96,9 @@ import java.net.URLDecoder; import java.net.URLEncoder; import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; import java.text.ParseException; import java.util.ArrayList; import java.util.Arrays; @@ -514,6 +517,8 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont context.setProperty(OIDCAuthenticatorConstants.AUTHENTICATOR_NAME + STATE_PARAM_SUFFIX, state); String nonce = UUID.randomUUID().toString(); context.setProperty(OIDC_FEDERATION_NONCE, nonce); + boolean isPKCEEnabled = Boolean.parseBoolean( + authenticatorProperties.get(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE)); OAuthClientRequest authzRequest; @@ -585,6 +590,18 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont loginPage = loginPage + "&fidp=" + domain; } + // If PKCE is enabled, add code_challenge and code_challenge_method to the request. + if (isPKCEEnabled) { + String codeVerifier = generateCodeVerifier(); + context.setProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER, codeVerifier); + try { + String codeChallenge = generateCodeChallenge(codeVerifier); + loginPage += "&code_challenge=" + codeChallenge + "&code_challenge_method=S256"; + } catch (NoSuchAlgorithmException e) { + LOG.error("Error while generating the code challenge", e); + } + } + if (StringUtils.isNotBlank(queryString)) { if (!queryString.startsWith("&")) { loginPage = loginPage + "&" + queryString; 
@@ -1467,6 +1484,9 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID); String clientSecret = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_SECRET); String tokenEndPoint = getTokenEndpoint(authenticatorProperties); + boolean isPKCEEnabled = Boolean.parseBoolean( + authenticatorProperties.get(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE)); + Object codeVerifier = context.getProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER); String callbackUrl = getCallbackUrlFromInitialRequestParamMap(context); if (StringUtils.isBlank(callbackUrl)) { @@ -1489,9 +1509,21 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context "authentication scheme."); } - accessTokenRequest = OAuthClientRequest.tokenLocation(tokenEndPoint).setGrantType(GrantType - .AUTHORIZATION_CODE).setRedirectURI(callbackUrl).setCode(authzResponse.getCode()) - .buildBodyMessage(); + OAuthClientRequest.TokenRequestBuilder tokenRequestBuilder = OAuthClientRequest + .tokenLocation(tokenEndPoint) + .setGrantType(GrantType.AUTHORIZATION_CODE) + .setRedirectURI(callbackUrl) + .setCode(authzResponse.getCode()); + + if (isPKCEEnabled) { + if (codeVerifier != null) { + tokenRequestBuilder.setParameter("code_verifier", codeVerifier.toString()); + } else { + LOG.warn("PKCE is enabled, but the code verifier is not found."); + } + } + + accessTokenRequest = tokenRequestBuilder.buildBodyMessage(); String base64EncodedCredential = new String(Base64.encodeBase64((clientId + ":" + clientSecret).getBytes())); accessTokenRequest.addHeader(OAuth.HeaderType.AUTHORIZATION, "Basic " + base64EncodedCredential); 
@@ -1501,10 +1533,23 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context LOG.debug("Authenticating to token endpoint: " + tokenEndPoint + " including client credentials " + "in request body."); } - accessTokenRequest = OAuthClientRequest.tokenLocation(tokenEndPoint).setGrantType(GrantType - .AUTHORIZATION_CODE).setClientId(clientId).setClientSecret(clientSecret).setRedirectURI - (callbackUrl).setCode(authzResponse.getCode()).buildBodyMessage(); + OAuthClientRequest.TokenRequestBuilder tokenRequestBuilder = OAuthClientRequest + .tokenLocation(tokenEndPoint) + .setGrantType(GrantType.AUTHORIZATION_CODE) + .setClientId(clientId) + .setClientSecret(clientSecret) + .setRedirectURI(callbackUrl) + .setCode(authzResponse.getCode()); + if (isPKCEEnabled) { + if (codeVerifier != null) { + tokenRequestBuilder.setParameter("code_verifier", codeVerifier.toString()); + } else { + LOG.warn("PKCE is enabled, but the code verifier is not found."); + } + } + accessTokenRequest = tokenRequestBuilder.buildBodyMessage(); } + context.removeProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER); // set 'Origin' header to access token request. if (accessTokenRequest != null) { // fetch the 'Hostname' configured in carbon.xml @@ -1522,7 +1567,6 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context } catch (URLBuilderException e) { throw new RuntimeException("Error occurred while building URL in tenant qualified mode.", e); } - return accessTokenRequest; } 
@@ -1692,6 +1736,15 @@ public List getConfigurationProperties() { enableBasicAuth.setDisplayOrder(10); configProperties.add(enableBasicAuth); + Property enablePKCE = new Property(); + enablePKCE.setName("isPKCEEnabled"); + enablePKCE.setDisplayName("Enable PKCE"); + enablePKCE.setRequired(false); + enablePKCE.setDescription("Specifies that PKCE should be used for client authentication"); + enablePKCE.setType("boolean"); + enablePKCE.setDisplayOrder(10); + configProperties.add(enablePKCE); + return configProperties; } @@ -2147,4 +2200,33 @@ private String getFederatedAuthenticatorName(AuthenticationContext context) { } return context.getExternalIdP().getIdPName(); } + + /** + * Generate code verifier for PKCE + * + * @return code verifier + */ + private String generateCodeVerifier() { + SecureRandom secureRandom = new SecureRandom(); + byte[] codeVerifier = new byte[32]; + secureRandom.nextBytes(codeVerifier); + return java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(codeVerifier); + } + + /** + * Generate code challenge for PKCE + * + * @param codeVerifier code verifier + * @return code challenge + * @throws UnsupportedEncodingException + * @throws NoSuchAlgorithmException + */ + private String generateCodeChallenge(String codeVerifier) + throws UnsupportedEncodingException, NoSuchAlgorithmException { + byte[] bytes = codeVerifier.getBytes("US-ASCII"); + MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); + messageDigest.update(bytes, 0, bytes.length); + byte[] digest = messageDigest.digest(); + return java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(digest); + } } From 1e9d22f00b5f3cea15bfe9f6376bcd115b8d71eb Mon Sep 17 00:00:00 2001 From: lasanthaS Date: Wed, 17 Apr 2024 00:05:59 +0530 Subject: [PATCH 2/3] Add unit tests for federated PKCE flow --- .../pom.xml | 1 + .../oidc/OpenIDConnectAuthenticatorTest.java | 27 +++++++++++++++++++ 2 files changed, 28 insertions(+) 
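Review bot: The Javadoc on `generateCodeVerifier` in the last hunk does not say what the verifier looks like, which is the property a reader has to check against RFC 7636 section 4.1; suggest `@return a 43-character unpadded base64url encoding of 32 SecureRandom bytes, inside the 43-128 character range RFC 7636 section 4.1 requires`. The fully qualified `java.util.Base64` appears to be there because the Apache Commons `Base64` is already imported in this file (it is used for the client credential header a few hunks up); a one-line comment saying so would stop the next reader from "simplifying" it to the wrong class. A new `SecureRandom` per call works, though a `private static final SecureRandom` field is the usual form since the class is documented as thread-safe.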
diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/pom.xml b/components/org.wso2.carbon.identity.application.authenticator.oidc/pom.xml index 5e04227d..171dfac6 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/pom.xml +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/pom.xml @@ -216,6 +216,7 @@ --add-opens java.base/sun.nio.fs=ALL-UNNAMED --add-opens java.base/sun.nio.cs=ALL-UNNAMED --add-opens java.base/sun.net.www.protocol.https=ALL-UNNAMED + --add-opens java.base/java.security=ALL-UNNAMED src/test/resources/testng.xml diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java index 6b0750cb..b04f016d 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java @@ -33,6 +33,7 @@ import org.apache.oltu.oauth2.common.exception.OAuthSystemException; import org.mockito.Matchers; import org.mockito.Mock; +import org.powermock.core.classloader.annotations.PowerMockIgnore; import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.core.classloader.annotations.SuppressStaticInitializationFor; import org.powermock.modules.testng.PowerMockTestCase; 
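Review bot: The new `--add-opens java.base/java.security=ALL-UNNAMED` line in the pom hunk carries no explanation of which test needs it, so nobody will know when it can be dropped again. A comment next to it such as `<!-- Needed by the PKCE tests: PowerMock has to open java.security (SecureRandom/MessageDigest) -->` would record the reason. I infer that link from the PKCE test added in the same commit and the `@PowerMockIgnore("jdk.internal.reflect.*")` in the next hunk, so adjust the wording if the actual cause differs.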
@@ -123,6 +124,7 @@ LoggerUtils.class, OIDCTokenValidationUtil.class, IdentityProviderManager.class}) @SuppressStaticInitializationFor({"org.wso2.carbon.idp.mgt.IdentityProviderManager", "org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException"}) +@PowerMockIgnore("jdk.internal.reflect.*") public class OpenIDConnectAuthenticatorTest extends PowerMockTestCase { private static final String OIDC_PARAM_MAP_STRING = "oidc:param.map"; 
@@ -539,6 +541,31 @@ public void testPassProcessAuthenticationResponseWithNonce() throws Exception { "Invalid Id token in the authentication context."); } + /** + * Test whether the token request contains the code verifier when PKCE is enabled. + * + * @throws URLBuilderException + * @throws AuthenticationFailedException + */ + @Test() + public void testGetAccessTokenRequestWithPKCE() throws URLBuilderException, AuthenticationFailedException { + mockAuthenticationRequestContext(mockAuthenticationContext); + mockAuthenticationContext.getAuthenticatorProperties() + .put(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE, "true"); + when(mockAuthenticationContext.getProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER)) + .thenReturn("sample_code_verifier"); + OAuthAuthzResponse oAuthAuthzResponse = mock(OAuthAuthzResponse.class); + when(oAuthAuthzResponse.getCode()).thenReturn("abc"); + mockStatic(ServiceURLBuilder.class); + ServiceURLBuilder serviceURLBuilder = mock(ServiceURLBuilder.class); + when(ServiceURLBuilder.create()).thenReturn(serviceURLBuilder); + when(serviceURLBuilder.build()).thenReturn(serviceURL); + when(serviceURL.getAbsolutePublicURL()).thenReturn("http://localhost:9443"); + OAuthClientRequest request = openIDConnectAuthenticator + .getAccessTokenRequest(mockAuthenticationContext, oAuthAuthzResponse); + assertTrue(request.getBody().contains("code_verifier=sample_code_verifier")); + } + @Test public void testPassProcessAuthenticationResponseWithoutAccessToken() throws Exception { From 8e23d6845283f48afa9cb3e500cf4bce8b1e5a04 Mon Sep 17 00:00:00 2001 From: lasanthaS Date: Sun, 2 Apr 2023 11:52:58 +0530 Subject: [PATCH 3/3] Fix code styles and review suggestions --- .../oidc/OIDCAuthenticatorConstants.java | 4 +- .../oidc/OpenIDConnectAuthenticator.java | 67 ++++++++++--------- .../oidc/OpenIDConnectAuthenticatorTest.java | 15 +++-- 3 files changed, 45 insertions(+), 41 deletions(-) 
diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java
index 0c40d2e8..ab7b667f 100644
--- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java
+++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OIDCAuthenticatorConstants.java
@@ -89,8 +89,8 @@ private OIDCAuthenticatorConstants() {
 * This class holds the constants related to authenticator configuration parameters.
 */
- public static final String OAUTH_FEDERATED_PKCE_CODE_VERIFIER = "OAUTH_PKCE_CODE_VERIFIER";
- public static final String ENABLE_FEDERATED_PKCE = "IsPKCEEnabled";
+ public static final String PKCE_CODE_VERIFIER = "PKCE_CODE_VERIFIER";
+ public static final String IS_PKCE_ENABLED = "IsPKCEEnabled";
 public class AuthenticatorConfParams {
diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java
index 6066278c..9fe72fe5 100644
--- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java
+++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java
@@ -141,6 +141,7 @@ public class OpenIDConnectAuthenticator extends AbstractApplicationAuthenticator
 private static final Log LOG = LogFactory.getLog(OpenIDConnectAuthenticator.class);
 private static final String OIDC_DIALECT = "http://wso2.org/oidc/claim";
+ private static final String PKCE_CODE_CHALLENGE_METHOD = "S256";
 private static final String DYNAMIC_PARAMETER_LOOKUP_REGEX = "\\$\\{(\\w+)\\}";
 private static final String IS_API_BASED = "IS_API_BASED";
@@ -153,6 +154,11 @@ public class OpenIDConnectAuthenticator extends AbstractApplicationAuthenticator
 private static final String[] NON_USER_ATTRIBUTES = new String[]{"at_hash", "iss", "iat", "exp", "aud", "azp"};
 private static final String AUTHENTICATOR_MESSAGE = "authenticatorMessage";
+ private static final String IS_PKCE_ENABLED_NAME = "isPKCEEnabled";
+ private static final String IS_PKCE_ENABLED_DISPLAY_NAME = "Enable PKCE";
+ private static final String IS_PKCE_ENABLED_DESCRIPTION = "Specifies that PKCE should be used for client authentication";
+ private static final String TYPE_BOOLEAN = "boolean";
+
 @Override
 public AuthenticatorFlowStatus process(HttpServletRequest request, HttpServletResponse response,
 AuthenticationContext context)
@@ -518,7 +524,7 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont
 String nonce = UUID.randomUUID().toString();
 context.setProperty(OIDC_FEDERATION_NONCE, nonce);
 boolean isPKCEEnabled = Boolean.parseBoolean(
- authenticatorProperties.get(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE));
+ authenticatorProperties.get(OIDCAuthenticatorConstants.IS_PKCE_ENABLED));
 OAuthClientRequest authzRequest;
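Review bot: `IS_PKCE_ENABLED_NAME = "isPKCEEnabled"` in the second hunk differs in case from `OIDCAuthenticatorConstants.IS_PKCE_ENABLED = "IsPKCEEnabled"` in this commit's constants hunk; the former is what `getConfigurationProperties()` registers as the property name, the latter is the key that `prepareLoginPage` (this hunk) and `getAccessTokenRequest` read from `authenticatorProperties`. If, as appears to be the pattern for the other authenticator properties, that map is keyed by the registered property name, the value an administrator sets is never read and PKCE stays off silently; the unit tests do not catch this because they put `IS_PKCE_ENABLED` into the map directly. Drop `IS_PKCE_ENABLED_NAME` and use `enablePKCE.setName(OIDCAuthenticatorConstants.IS_PKCE_ENABLED);` in the `getConfigurationProperties` hunk of this commit. Two smaller points in the same hunks: `IS_PKCE_ENABLED_DESCRIPTION` calls PKCE client authentication, which it is not, so `"Specifies whether PKCE (RFC 7636) should be used when requesting the authorization code from the identity provider"` is the accurate text, and `setDisplayOrder(10)` repeats `enableBasicAuth`'s order, so the relative order of the two in the UI is undefined; use the next free value.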
@@ -593,13 +599,10 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont
 // If PKCE is enabled, add code_challenge and code_challenge_method to the request.
 if (isPKCEEnabled) {
 String codeVerifier = generateCodeVerifier();
- context.setProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER, codeVerifier);
- try {
- String codeChallenge = generateCodeChallenge(codeVerifier);
- loginPage += "&code_challenge=" + codeChallenge + "&code_challenge_method=S256";
- } catch (NoSuchAlgorithmException e) {
- LOG.error("Error while generating the code challenge", e);
- }
+ context.setProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER, codeVerifier);
+ String codeChallenge = generateCodeChallenge(codeVerifier);
+ loginPage += "&code_challenge=" + codeChallenge + "&code_challenge_method=" +
+ PKCE_CODE_CHALLENGE_METHOD;
 }
 if (StringUtils.isNotBlank(queryString)) {
@@ -1485,8 +1488,8 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context
 String clientSecret = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_SECRET);
 String tokenEndPoint = getTokenEndpoint(authenticatorProperties);
 boolean isPKCEEnabled = Boolean.parseBoolean(
- authenticatorProperties.get(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE));
- Object codeVerifier = context.getProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER);
+ authenticatorProperties.get(OIDCAuthenticatorConstants.IS_PKCE_ENABLED));
+ String codeVerifier = (String) context.getProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER);
 String callbackUrl = getCallbackUrlFromInitialRequestParamMap(context);
 if (StringUtils.isBlank(callbackUrl)) {
@@ -1516,11 +1519,10 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context
 .setCode(authzResponse.getCode());
 if (isPKCEEnabled) {
- if (codeVerifier != null) {
- tokenRequestBuilder.setParameter("code_verifier", codeVerifier.toString());
- } else {
- LOG.warn("PKCE is enabled, but the code verifier is not found.");
+ if (StringUtils.isEmpty(codeVerifier)) {
+ throw new AuthenticationFailedException("PKCE is enabled, but the code verifier is not found.");
 }
+ tokenRequestBuilder.setParameter("code_verifier", codeVerifier);
 }
 accessTokenRequest = tokenRequestBuilder.buildBodyMessage();
@@ -1541,15 +1543,14 @@ protected OAuthClientRequest getAccessTokenRequest(AuthenticationContext context
 .setRedirectURI(callbackUrl)
 .setCode(authzResponse.getCode());
 if (isPKCEEnabled) {
- if (codeVerifier != null) {
- tokenRequestBuilder.setParameter("code_verifier", codeVerifier.toString());
- } else {
- LOG.warn("PKCE is enabled, but the code verifier is not found.");
+ if (StringUtils.isEmpty(codeVerifier)) {
+ throw new AuthenticationFailedException("PKCE is enabled, but the code verifier is not found.");
 }
+ tokenRequestBuilder.setParameter("code_verifier", codeVerifier);
 }
 accessTokenRequest = tokenRequestBuilder.buildBodyMessage();
 }
- context.removeProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER);
+ context.removeProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER);
 // set 'Origin' header to access token request.
 if (accessTokenRequest != null) {
 // fetch the 'Hostname' configured in carbon.xml
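Review bot: The PKCE block is duplicated verbatim in both hunks here (the basic-auth-header branch and the credentials-in-body branch), including the `"code_verifier"` literal and the failure message, so the two copies will drift the next time one of them is touched. Extract it into a private helper that both branches call; that also gives the RFC 7636 section 4.5 parameter a single documented home. `getAccessTokenRequest` begins and ends outside these hunks. The helper below keeps the current behaviour, including the `AuthenticationFailedException` when PKCE is enabled and no verifier was stored in the context.
```java
            // … unchanged: tokenRequestBuilder chain …
            addCodeVerifier(tokenRequestBuilder, isPKCEEnabled, codeVerifier);
            accessTokenRequest = tokenRequestBuilder.buildBodyMessage();
            // … unchanged: second branch, where the same call replaces its PKCE block …

    /**
     * Adds the PKCE code_verifier (RFC 7636 section 4.5) to the token request when PKCE is enabled.
     *
     * @param tokenRequestBuilder builder for the token request
     * @param isPKCEEnabled       whether PKCE is enabled for this identity provider
     * @param codeVerifier        verifier stored in the context when the authorization request was built
     * @throws AuthenticationFailedException if PKCE is enabled but no verifier is available
     */
    private void addCodeVerifier(OAuthClientRequest.TokenRequestBuilder tokenRequestBuilder,
                                 boolean isPKCEEnabled, String codeVerifier)
            throws AuthenticationFailedException {

        if (!isPKCEEnabled) {
            return;
        }
        if (StringUtils.isEmpty(codeVerifier)) {
            throw new AuthenticationFailedException("PKCE is enabled, but the code verifier is not found.");
        }
        tokenRequestBuilder.setParameter("code_verifier", codeVerifier);
    }
```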
@@ -1737,11 +1738,11 @@ public List getConfigurationProperties() {
 configProperties.add(enableBasicAuth);
 Property enablePKCE = new Property();
- enablePKCE.setName("isPKCEEnabled");
- enablePKCE.setDisplayName("Enable PKCE");
+ enablePKCE.setName(IS_PKCE_ENABLED_NAME);
+ enablePKCE.setDisplayName(IS_PKCE_ENABLED_DISPLAY_NAME);
 enablePKCE.setRequired(false);
- enablePKCE.setDescription("Specifies that PKCE should be used for client authentication");
- enablePKCE.setType("boolean");
+ enablePKCE.setDescription(IS_PKCE_ENABLED_DESCRIPTION);
+ enablePKCE.setType(TYPE_BOOLEAN);
 enablePKCE.setDisplayOrder(10);
 configProperties.add(enablePKCE);
@@ -2218,15 +2219,17 @@ private String generateCodeVerifier() {
 *
 * @param codeVerifier code verifier
 * @return code challenge
- * @throws UnsupportedEncodingException
- * @throws NoSuchAlgorithmException
+ * @throws AuthenticationFailedException
 */
- private String generateCodeChallenge(String codeVerifier)
- throws UnsupportedEncodingException, NoSuchAlgorithmException {
- byte[] bytes = codeVerifier.getBytes("US-ASCII");
- MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
- messageDigest.update(bytes, 0, bytes.length);
- byte[] digest = messageDigest.digest();
- return java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
+ private String generateCodeChallenge(String codeVerifier) throws AuthenticationFailedException {
+ try {
+ byte[] bytes = codeVerifier.getBytes("US-ASCII");
+ MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
+ messageDigest.update(bytes, 0, bytes.length);
+ byte[] digest = messageDigest.digest();
+ return java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
+ } catch (UnsupportedEncodingException | NoSuchAlgorithmException e) {
+ throw new AuthenticationFailedException("Error while generating code challenge", e);
+ }
 }
 }
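Review bot: `codeVerifier.getBytes("US-ASCII")` in the rewritten `generateCodeChallenge` (second hunk) is the only reason `UnsupportedEncodingException` is still caught; `java.nio.charset.StandardCharsets` is already imported in this file, so `byte[] bytes = codeVerifier.getBytes(StandardCharsets.US_ASCII);` removes that exception and its import, and `byte[] digest = MessageDigest.getInstance("SHA-256").digest(bytes);` replaces the update/digest pair. The catch then narrows to `catch (NoSuchAlgorithmException e)`. The Javadoc should state the transform a reviewer has to verify against the `code_challenge_method` sent in `prepareLoginPage`, e.g. `Returns BASE64URL(SHA256(ASCII(codeVerifier))) without padding, the S256 method of RFC 7636 section 4.2`.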
diff --git a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java index b04f016d..58ecc5e2 100644 --- a/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java +++ b/components/org.wso2.carbon.identity.application.authenticator.oidc/src/test/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticatorTest.java @@ -482,7 +482,7 @@ public void testInitiateAuthenticationRequestNullProperties() throws OAuthSystem public void testPassProcessAuthenticationResponse() throws Exception { setupTest(); - + authenticatorProperties.put(OIDCAuthenticatorConstants.IS_PKCE_ENABLED, "false"); IdentityProviderProperty property = new IdentityProviderProperty(); property.setName(IdPManagementConstants.IS_TRUSTED_TOKEN_ISSUER); property.setValue("false"); @@ -523,6 +523,7 @@ public void testPassProcessAuthenticationResponseWithNonce() throws Exception { when(mockAuthenticationContext.getExternalIdP()).thenReturn(externalIdPConfig); when(externalIdPConfig.getIdentityProvider()).thenReturn(identityProvider); when(identityProvider.getIdpProperties()).thenReturn(identityProviderProperties); + authenticatorProperties.put(OIDCAuthenticatorConstants.IS_PKCE_ENABLED, "false"); when(openIDConnectAuthenticatorDataHolder.getClaimMetadataManagementService()).thenReturn (claimMetadataManagementService); when(mockAuthenticationContext.getExternalIdP()).thenReturn(externalIdPConfig); 
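Review bot: The `authenticatorProperties.put(OIDCAuthenticatorConstants.IS_PKCE_ENABLED, "false")` lines added to the existing tests here and in the next two hunks look redundant: the authenticator reads the flag through `Boolean.parseBoolean(authenticatorProperties.get(...))`, and `parseBoolean(null)` is already `false` when the key is absent. If the intent is to document that these flows run without PKCE, a one-line comment such as `// PKCE off: these tests exercise the non-PKCE token request` would say so; if the map is instead a mock returning a non-null default, that is the detail worth recording. Either way the bare puts leave the next reader guessing why they were needed.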
@@ -550,19 +551,17 @@ public void testPassProcessAuthenticationResponseWithNonce() throws Exception { @Test() public void testGetAccessTokenRequestWithPKCE() throws URLBuilderException, AuthenticationFailedException { mockAuthenticationRequestContext(mockAuthenticationContext); - mockAuthenticationContext.getAuthenticatorProperties() - .put(OIDCAuthenticatorConstants.ENABLE_FEDERATED_PKCE, "true"); - when(mockAuthenticationContext.getProperty(OIDCAuthenticatorConstants.OAUTH_FEDERATED_PKCE_CODE_VERIFIER)) + authenticatorProperties.put(OIDCAuthenticatorConstants.IS_PKCE_ENABLED, "true"); + when(mockAuthenticationContext.getProperty(OIDCAuthenticatorConstants.PKCE_CODE_VERIFIER)) .thenReturn("sample_code_verifier"); - OAuthAuthzResponse oAuthAuthzResponse = mock(OAuthAuthzResponse.class); - when(oAuthAuthzResponse.getCode()).thenReturn("abc"); + when(mockOAuthzResponse.getCode()).thenReturn("abc"); mockStatic(ServiceURLBuilder.class); ServiceURLBuilder serviceURLBuilder = mock(ServiceURLBuilder.class); when(ServiceURLBuilder.create()).thenReturn(serviceURLBuilder); when(serviceURLBuilder.build()).thenReturn(serviceURL); when(serviceURL.getAbsolutePublicURL()).thenReturn("http://localhost:9443"); OAuthClientRequest request = openIDConnectAuthenticator - .getAccessTokenRequest(mockAuthenticationContext, oAuthAuthzResponse); + .getAccessTokenRequest(mockAuthenticationContext, mockOAuthzResponse); assertTrue(request.getBody().contains("code_verifier=sample_code_verifier")); } @@ -585,6 +584,7 @@ public void testPassProcessAuthenticationWithBlankCallBack() throws Exception { setupTest(); authenticatorProperties.put("callbackUrl", " "); + authenticatorProperties.put(OIDCAuthenticatorConstants.IS_PKCE_ENABLED, "false"); mockStatic(IdentityUtil.class); when(IdentityUtil.getServerURL(FrameworkConstants.COMMONAUTH, true, true)) .thenReturn("http:/localhost:9443/oauth2/callback"); 
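Review bot: `testGetAccessTokenRequestWithPKCE` covers only the happy path; the failure path introduced in this commit's `getAccessTokenRequest` (PKCE enabled, no verifier in the context, now an `AuthenticationFailedException`) and the challenge side in `prepareLoginPage` have no test. Add a sibling test with `@Test(expectedExceptions = AuthenticationFailedException.class)` that sets `IS_PKCE_ENABLED` to `"true"` and leaves `PKCE_CODE_VERIFIER` unstubbed, and one that captures the redirect URL and checks it contains `code_challenge_method=S256` and a `code_challenge` equal to the unpadded base64url SHA-256 of the verifier stored in the context. Without the second test nothing pins the verifier/challenge pairing that the identity provider will enforce at the token endpoint.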
@@ -645,6 +645,7 @@ public void testPassProcessAuthenticationWithParamValue() throws Exception { setupTest(); when(LoggerUtils.isDiagnosticLogsEnabled()).thenReturn(true); authenticatorProperties.put("callbackUrl", "http://localhost:8080/playground2/oauth2client"); + authenticatorProperties.put(OIDCAuthenticatorConstants.IS_PKCE_ENABLED, "false"); Map paramMap = new HashMap<>(); paramMap.put("redirect_uri", "http:/localhost:9443/oauth2/redirect"); when(mockAuthenticationContext.getProperty(OIDC_PARAM_MAP_STRING)).thenReturn(paramMap);