|
8 | 8 | use PHPUnit\Framework\MockObject\Stub; |
9 | 9 | use PHPUnit\Framework\TestCase; |
10 | 10 | use Psr\Http\Message\ServerRequestInterface; |
| 11 | +use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface; |
11 | 12 | use SimpleSAML\Module\oidc\Helpers; |
12 | 13 | use SimpleSAML\Module\oidc\Server\RequestRules\Result; |
13 | 14 | use SimpleSAML\Module\oidc\Server\RequestRules\ResultBag; |
14 | 15 | use SimpleSAML\Module\oidc\Server\RequestRules\Rules\AddClaimsToIdTokenRule; |
| 16 | +use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRule; |
15 | 17 | use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule; |
16 | 18 | use SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface; |
17 | 19 | use SimpleSAML\Module\oidc\Services\LoggerService; |
@@ -136,6 +138,57 @@ public static function invalidResponseTypeProvider(): array |
136 | 138 | ]; |
137 | 139 | } |
138 | 140 |
|
| 141 | + /** |
| 142 | + * A client configured with the administrator-only `add_claims_to_id_token` option gets the claims released |
| 143 | + * in the ID Token even for a response type that would not otherwise trigger it (e.g. `id_token token`). |
| 144 | + * |
| 145 | + * @throws \Throwable |
| 146 | + */ |
| 147 | + public function testAddsClaimsWhenClientConfiguredEvenForNonIdTokenResponseType(): void |
| 148 | + { |
| 149 | + $this->resultBag->add(new Result(ResponseTypeRule::class, 'id_token token')); |
| 150 | + |
| 151 | + $clientStub = $this->createStub(ClientEntityInterface::class); |
| 152 | + $clientStub->method('getAddClaimsToIdToken')->willReturn(true); |
| 153 | + $this->resultBag->add(new Result(ClientRule::class, $clientStub)); |
| 154 | + |
| 155 | + $result = $this->sut()->checkRule( |
| 156 | + $this->requestStub, |
| 157 | + $this->resultBag, |
| 158 | + $this->loggerServiceStub, |
| 159 | + [], |
| 160 | + $this->responseModeStub, |
| 161 | + ) ?? |
| 162 | + new Result(AddClaimsToIdTokenRule::class, null); |
| 163 | + |
| 164 | + $this->assertTrue($result->getValue()); |
| 165 | + } |
| 166 | + |
| 167 | + /** |
| 168 | + * When neither the response type nor the client requests it, claims are not released in the ID Token. |
| 169 | + * |
| 170 | + * @throws \Throwable |
| 171 | + */ |
| 172 | + public function testDoesNotAddClaimsWhenNeitherResponseTypeNorClientRequestIt(): void |
| 173 | + { |
| 174 | + $this->resultBag->add(new Result(ResponseTypeRule::class, 'id_token token')); |
| 175 | + |
| 176 | + $clientStub = $this->createStub(ClientEntityInterface::class); |
| 177 | + $clientStub->method('getAddClaimsToIdToken')->willReturn(false); |
| 178 | + $this->resultBag->add(new Result(ClientRule::class, $clientStub)); |
| 179 | + |
| 180 | + $result = $this->sut()->checkRule( |
| 181 | + $this->requestStub, |
| 182 | + $this->resultBag, |
| 183 | + $this->loggerServiceStub, |
| 184 | + [], |
| 185 | + $this->responseModeStub, |
| 186 | + ) ?? |
| 187 | + new Result(AddClaimsToIdTokenRule::class, null); |
| 188 | + |
| 189 | + $this->assertFalse($result->getValue()); |
| 190 | + } |
| 191 | + |
139 | 192 | /** |
140 | 193 | * @throws \Throwable |
141 | 194 | * @throws \SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException |
|
0 commit comments