org.surfnet.oaaas.selenium.AuthorizationCodeTestIT.java Source code

Java tutorial

Introduction

Here is the source code for org.surfnet.oaaas.selenium.AuthorizationCodeTestIT.java

Source

/*
 * Copyright 2012 SURFnet bv, The Netherlands
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.surfnet.oaaas.selenium;

import org.apache.commons.lang.StringUtils;
import org.junit.Test;
import org.openqa.selenium.WebDriver;
import org.surfnet.oaaas.model.AccessTokenResponse;

import java.net.URLEncoder;

import static org.junit.Assert.*;
import static org.junit.matchers.JUnitMatchers.containsString;

/**
 * Integration test (using Selenium) for the Authorization Code flow.
 */
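public class AuthorizationCodeTestIT extends SeleniumSupport {

    // Fixture credentials for the integration-test client only; presumably they match a
    // client registered in the test data set (confirm against the fixture). Never reuse
    // these values for a real client registration.
    private final String clientId = "it-test-client";
    private final String secret = "somesecret";

    /**
     * Runs the complete Authorization Code flow: sends the browser to the authorize
     * endpoint, logs in, and verifies the token response that the local callback
     * server receives after exchanging the code.
     *
     * @throws Exception if the callback server, the browser session or JSON parsing fails
     */
    @Test
    public void authCode() throws Exception {
        String accessTokenRedirectUri = startAuthorizationCallbackServer(clientId, secret);

        WebDriver webdriver = getWebDriver();
        String responseType = "code";
        // NOTE(review): RFC 6749 section 3.3 defines scope as space-delimited; this server
        // is evidently given a comma-separated list here - confirm that is intended.
        String scopes = "read,write";
        // The redirect URI is itself a URL, so it is percent-encoded before being embedded
        // as a query parameter (same as stateParam() does); otherwise any '&', '?' or '#'
        // inside it would be parsed as part of the outer authorize request.
        String url = String.format("%s/oauth2/authorize?response_type=%s&scope=%s&client_id=%s&redirect_uri=%s",
                baseUrl(), responseType, scopes, clientId, URLEncoder.encode(accessTokenRedirectUri, "UTF-8"));
        webdriver.get(url);

        login(webdriver, false);

        // Blocks until the callback server has received the token response.
        String tokenResponse = getAuthorizationCodeRequestHandler().getTokenResponseBlocking();

        AccessTokenResponse accessTokenResponse = getMapper().readValue(tokenResponse, AccessTokenResponse.class);

        assertTrue(StringUtils.isNotBlank(accessTokenResponse.getAccessToken()));
        // No refresh token and expires_in == 0 are expected for this client; presumably the
        // fixture configures it with non-expiring tokens and refresh tokens disabled - confirm.
        assertTrue(StringUtils.isBlank(accessTokenResponse.getRefreshToken()));
        assertTrue(StringUtils.isNotBlank(accessTokenResponse.getScope()));
        assertTrue(StringUtils.isNotBlank(accessTokenResponse.getTokenType()));
        // JUnit's contract is assertEquals(expected, actual); the order matters for the
        // failure message.
        assertEquals(0L, accessTokenResponse.getExpiresIn());
    }

    /**
     * Requests the authorize endpoint without any parameters and checks that the
     * server answers with its response_type validation message.
     */
    @Test
    public void invalidParams() {
        final WebDriver webdriver = getWebDriver();
        webdriver.get(baseUrlWith("/oauth2/authorize"));

        String pageSource = webdriver.getPageSource();
        assertThat(pageSource, containsString("The supported response_type values are 'token' and 'code'"));
    }

    /**
     * Verifies that the {@code state} parameter sent with the authorization request is
     * returned unchanged in the authorization response. Clients rely on this value to
     * bind the response to the request they started (CSRF protection, RFC 6749
     * section 10.12), so the server must not alter, truncate or re-encode it.
     *
     * @throws Exception if the callback server, the browser session or URL encoding fails
     */
    @Test
    public void stateParam() throws Exception {
        String accessTokenRedirectUri = startAuthorizationCallbackServer(clientId, secret);
        WebDriver webdriver = getWebDriver();

        /*
        The RFC says (http://tools.ietf.org/html/rfc6749#appendix-A.5):
               state      = 1*VSCHAR
        Defined in http://tools.ietf.org/html/rfc6749#appendix-A:
             VSCHAR     = %x20-7E

        The variable 'state' below covers the printable characters 0x21-0x7E, including
        the ones that are significant in URLs and HTML (& = ? # % + < > " ').
        NOTE(review): the space character (0x20) is not part of the literal, and the
        digits "0070" sit between 'o' and 'p' (possibly a leftover of an escape
        sequence). Both are valid VSCHARs, so the round trip is still meaningful, but
        the literal is not exactly the full 0x20-0x7E range.
         */
        String state = "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmno0070pqrstuvwxyz{|}~";
        // Both the redirect URI and the state are percent-encoded so that their reserved
        // characters cannot be mistaken for delimiters of the authorize request.
        String url = String.format(
                "%s/oauth2/authorize?response_type=%s&scope=%s&client_id=%s&redirect_uri=%s&state=%s", baseUrl(),
                "code", "read,write", clientId, URLEncoder.encode(accessTokenRedirectUri, "UTF-8"),
                URLEncoder.encode(state, "UTF-8"));
        webdriver.get(url);

        login(webdriver, false);

        // wait for token response to arrive, therefore block
        getAuthorizationCodeRequestHandler().getTokenResponseBlocking();

        String stateFromResponse = getAuthorizationCodeRequestHandler().getAuthorizationResponseState();

        assertEquals("State from response should be equal to provided state", state, stateFromResponse);
    }
}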