forked from panva/oauth4webapi
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathjwks_lifecycle.test.ts
131 lines (107 loc) · 3.3 KB
/
jwks_lifecycle.test.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
import anyTest, { type TestFn } from 'ava'
import setup, { type Context, teardown, issuer, endpoint, client } from './_setup.js'
import * as lib from '../src/index.js'
import * as jose from 'jose'
import timekeeper from 'timekeeper'
const test = anyTest as TestFn<Context>
test.before(setup)
test.after(teardown)
test.serial('jwks_uri force refetch', async (t) => {
const now = Date.now()
timekeeper.freeze(now)
let key = await lib.generateKeyPair('ES256')
t.context
.intercept({
path: '/jwks-force-refetch',
method: 'GET',
})
.reply(200, {
keys: [await jose.exportJWK(key.publicKey)],
})
const as: lib.AuthorizationServer = {
...issuer,
jwks_uri: endpoint('jwks-force-refetch'),
authorization_signing_alg_values_supported: ['ES256'],
}
const c: lib.Client = {
...client,
}
let jwt = await new jose.SignJWT({})
.setProtectedHeader({ alg: 'ES256' })
.setAudience(c.client_id)
.setExpirationTime('5m')
.setIssuer(as.issuer)
.sign(key.privateKey)
let params = new URLSearchParams({ response: jwt })
await lib.validateJwtAuthResponse(as, c, params)
await lib.validateJwtAuthResponse(as, c, params)
timekeeper.travel(now + 299 * 1000)
await lib.validateJwtAuthResponse(as, c, params)
timekeeper.travel(now + 300 * 1000)
// re-fetch forced
await t.throwsAsync(() => lib.validateJwtAuthResponse(as, c, params))
})
test.serial('jwks_uri refetch if off cooldown and needed', async (t) => {
const now = Date.now()
timekeeper.freeze(now)
let key = await lib.generateKeyPair('ES256')
t.context
.intercept({
path: '/jwks-refetch-off-cooldown',
method: 'GET',
})
.reply(200, {
keys: [
{
...(await jose.exportJWK(key.publicKey)),
kid: 'foo',
},
],
})
const as: lib.AuthorizationServer = {
...issuer,
jwks_uri: endpoint('jwks-refetch-off-cooldown'),
authorization_signing_alg_values_supported: ['ES256'],
}
const c: lib.Client = {
...client,
}
let jwt = await new jose.SignJWT({})
.setProtectedHeader({ alg: 'ES256', kid: 'foo' })
.setAudience(c.client_id)
.setExpirationTime('5m')
.setIssuer(as.issuer)
.sign(key.privateKey)
let params = new URLSearchParams({ response: jwt })
await lib.validateJwtAuthResponse(as, c, params)
jwt = await new jose.SignJWT({})
.setProtectedHeader({ alg: 'ES256', kid: 'foo2' })
.setAudience(c.client_id)
.setExpirationTime('5m')
.setIssuer(as.issuer)
.sign(key.privateKey)
params = new URLSearchParams({ response: jwt })
t.context
.intercept({
path: '/jwks-refetch-off-cooldown',
method: 'GET',
})
.reply(200, {
keys: [
{
...(await jose.exportJWK(key.publicKey)),
kid: 'foo2',
},
],
})
// re-fetch not allowed yet
await t.throwsAsync(() => lib.validateJwtAuthResponse(as, c, params), {
message: 'error when selecting a JWT verification key, no applicable keys found',
})
timekeeper.travel(now + 59 * 1000)
await t.throwsAsync(() => lib.validateJwtAuthResponse(as, c, params), {
message: 'error when selecting a JWT verification key, no applicable keys found',
})
timekeeper.travel(now + 60 * 1000)
await t.notThrowsAsync(() => lib.validateJwtAuthResponse(as, c, params))
})