Validate handling of duplicated scopes in standard based OIDC IdPs

wso2 · Dec 2, 2024 · 525880f · 525880f
1 parent 85b690a
commit 525880f
Show file tree

Hide file tree

Showing 3 changed files with 133 additions and 0 deletions.
diff --git a/...c/test/java/org/wso2/identity/integration/test/rest/api/server/idp/v1/IdPFailureTest.java b/...c/test/java/org/wso2/identity/integration/test/rest/api/server/idp/v1/IdPFailureTest.java
@@ -36,13 +36,15 @@
 
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.core.IsNull.notNullValue;
+import static org.testng.Assert.assertNotNull;
 
 /**
  * Test class for Identity Provider Management REST APIs failure paths.
  */
 public class IdPFailureTest extends IdPTestBase {
 
     private String idPId;
+    private static final String OIDC_IDP_ID = "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I";
 
     @Factory(dataProvider = "restAPIUserConfigProvider")
     public IdPFailureTest(TestUserMode userMode) throws Exception {
@@ -179,4 +181,59 @@ public void testPatchIdPNonExistentProperties() throws IOException {
         Response response = getResponseOfPatch(IDP_API_BASE_PATH + PATH_SEPARATOR + idPId, body);
         validateErrorResponse(response, HttpStatus.SC_NOT_FOUND, "IDP-65005", "JWKS URI");
     }
+
+    @Test
+    public void testUpdateIdPWithDuplicateOIDCScopes() throws IOException {
+
+        String body = readResource("add-idp-oidc-standard-based.json");
+        Response response = getResponseOfPost(IDP_API_BASE_PATH, body);
+        response.then()
+                .log().ifValidationFails()
+                .assertThat()
+                .statusCode(HttpStatus.SC_CREATED)
+                .header(HttpHeaders.LOCATION, notNullValue());
+
+        String location = response.getHeader(HttpHeaders.LOCATION);
+        assertNotNull(location);
+        String oidcIdPId = location.substring(location.lastIndexOf("/") + 1);
+        assertNotNull(oidcIdPId);
+
+        // update the OIDC IDP with duplicated scopes
+        String updateBody = readResource("update-idp-oidc-standard-based-duplicated-scopes.json");
+        Response updateResponse = getResponseOfPut(IDP_API_BASE_PATH + PATH_SEPARATOR + oidcIdPId +
+                PATH_SEPARATOR + IDP_FEDERATED_AUTHENTICATORS_PATH + PATH_SEPARATOR + OIDC_IDP_ID, updateBody);
+        updateResponse.then()
+                .log().ifValidationFails()
+                .assertThat()
+                .statusCode(HttpStatus.SC_BAD_REQUEST)
+                .body("message", equalTo("Duplicate OIDC Scopes."))
+                .body("description", equalTo("Cannot set scopes in both Scopes and Additional Query Parameters. " +
+                        "Recommend to use Scopes field."));
+
+        deleteCreatedIdP(oidcIdPId);
+    }
+
+    /**
+     * Deletes an Identity Provider by its ID and verifies the deletion.
+     *
+     * @param idPId ID of the Identity Provider to be deleted.
+     */
+    private void deleteCreatedIdP(String idPId) {
+
+        Response response = getResponseOfDelete(IDP_API_BASE_PATH + PATH_SEPARATOR + idPId);
+        response.then()
+                .log().ifValidationFails()
+                .assertThat()
+                .statusCode(HttpStatus.SC_NO_CONTENT);
+
+        Response responseOfGet = getResponseOfGet(IDP_API_BASE_PATH + PATH_SEPARATOR + idPId);
+        responseOfGet.then()
+                .log().ifValidationFails()
+                .assertThat()
+                .assertThat()
+                .statusCode(HttpStatus.SC_NOT_FOUND)
+                .body("message", equalTo("Resource not found."))
+                .body("description", equalTo("Unable to find a resource matching the provided identity " +
+                        "provider identifier " + idPId + "."));
+    }
 }
diff --git a/...rg/wso2/identity/integration/test/rest/api/server/idp/v1/add-idp-oidc-standard-based.json b/...rg/wso2/identity/integration/test/rest/api/server/idp/v1/add-idp-oidc-standard-based.json
@@ -0,0 +1,61 @@
+{
+  "name": "OIDC IdP",
+  "alias": "",
+  "description": "Authenticate users with Enterprise OIDC connections.",
+  "image": "assets/images/logos/enterprise.svg",
+  "isPrimary": false,
+  "roles": {
+    "mappings": [],
+    "outboundProvisioningRoles": []
+  },
+  "certificate": {
+    "jwksUri": "https://test.com/jwks",
+    "certificates": [
+      ""
+    ]
+  },
+  "claims": {
+    "userIdClaim": {
+      "uri": ""
+    },
+    "provisioningClaims": [],
+    "roleClaim": {
+      "uri": ""
+    }
+  },
+  "federatedAuthenticators": {
+    "defaultAuthenticatorId": "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
+    "authenticators": [
+      {
+        "isEnabled": true,
+        "authenticatorId": "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
+        "properties": [
+          {
+            "key": "ClientId",
+            "value": "abcd1234wxyz5678ijklmnopqrst9012"
+          },
+          {
+            "key": "ClientSecret",
+            "value": "mnop3456qrst1234uvwx5678abcd9012"
+          },
+          {
+            "key": "OAuth2AuthzEPUrl",
+            "value": "https://test.com/authz"
+          },
+          {
+            "key": "OAuth2TokenEPUrl",
+            "value": "https://test.com/token"
+          },
+          {
+            "key": "callbackUrl",
+            "value": "https://test.com/commonauth"
+          }
+        ]
+      }
+    ]
+  },
+  "homeRealmIdentifier": "",
+  "isFederationHub": false,
+  "idpIssuerName": "",
+  "templateId": "enterprise-oidc-idp"
+}
diff --git a/...gration/test/rest/api/server/idp/v1/update-idp-oidc-standard-based-duplicated-scopes.json b/...gration/test/rest/api/server/idp/v1/update-idp-oidc-standard-based-duplicated-scopes.json
@@ -0,0 +1,15 @@
+{
+  "authenticatorId": "T3BlbklEQ29ubmVjdEF1dGhlbnRpY2F0b3I",
+  "isEnabled": true,
+  "isDefault": true,
+  "properties": [
+    {
+      "key": "commonAuthQueryParams",
+      "value": "scope=openid country profile"
+    },
+    {
+      "key": "Scopes",
+      "value": "openid country profile"
+    }
+  ]
+}