/**
 * Verifies that the token endpoint refuses to mint a token for a scope the
 * authorization code was never granted (scope escalation at code exchange).
 *
 * <p>User 1 authorizes client 1 for {@code /orcid-works/create} only; the
 * client then tries to exchange the resulting code for a
 * {@code /orcid-works/update} token. The server must answer 401 and its error
 * description must name both the requested scope and the scopes the code
 * actually carries.
 *
 * <p>NOTE(review): the test pins the exact server error text, so any rewording
 * of that message will break it. Whether the code is still redeemable for its
 * granted scope after the rejected attempt is not checked here.
 */
@Test
public void useAuthorizationCodeWithInalidScopesTest()
    throws InterruptedException, JSONException {
  // Browser flow: log user 1 in and consent to the CREATE scope only.
  String redirectedTo =
      OauthAuthorizationPageHelper.loginAndAuthorize(
          this.getWebBaseUrl(),
          this.getClient1ClientId(),
          this.getClient1RedirectUri(),
          ScopePathType.ORCID_WORKS_CREATE.value(),
          null,
          this.getUser1UserName(),
          this.getUser1Password(),
          true,
          webDriver);

  // The authorization code is extracted from the URL the browser landed on.
  Matcher codeMatcher = AUTHORIZATION_CODE_PATTERN.matcher(redirectedTo);
  assertTrue(codeMatcher.find());
  String code = codeMatcher.group(1);
  assertFalse(PojoUtil.isEmpty(code));

  // Attempt the escalation: request UPDATE with a code that was granted CREATE.
  ClientResponse response =
      getClientResponse(
          this.getClient1ClientId(),
          this.getClient1ClientSecret(),
          ScopePathType.ORCID_WORKS_UPDATE.getContent(),
          this.getClient1RedirectUri(),
          code);
  assertEquals(401, response.getStatus());

  // The rejection must be explicit about which scopes the code really has.
  OrcidMessage error = response.getEntity(OrcidMessage.class);
  assertNotNull(error);
  assertNotNull(error.getErrorDesc());
  String expectedMessage =
      "OAuth2 problem : Invalid scopes: /orcid-works/update available scopes for this code are: [/orcid-works/create]";
  assertEquals(expectedMessage, error.getErrorDesc().getContent());
}
/**
 * Verifies that authorizing the same client for three different scopes yields
 * three distinct access tokens.
 *
 * <p>IMPORTANT NOTE: For this test to run, the user should not have tokens for
 * any of the following scopes: FUNDING_CREATE, AFFILIATIONS_CREATE,
 * ORCID_WORKS_UPDATE. (Presumably an existing token for a scope would be handed
 * back instead of a fresh one, which would make the distinctness checks
 * meaningless — confirm against the token endpoint's behavior.)
 *
 * <p>Each round signs the user out first so that the browser flow starts from a
 * clean session, then runs the full authorize-and-exchange sequence for one
 * scope.
 */
@Test
public void testDifferentScopesGeneratesDifferentAccessTokens()
    throws InterruptedException, JSONException {
  signout();
  String fundingToken = authorizeAndExchangeCodeFor(ScopePathType.FUNDING_CREATE);

  signout();
  String affiliationsToken = authorizeAndExchangeCodeFor(ScopePathType.AFFILIATIONS_CREATE);
  assertFalse(affiliationsToken.equals(fundingToken));

  signout();
  String worksToken = authorizeAndExchangeCodeFor(ScopePathType.ORCID_WORKS_UPDATE);
  assertFalse(worksToken.equals(fundingToken));
  assertFalse(worksToken.equals(affiliationsToken));
}

/**
 * Runs the browser authorization flow for client 1 / user 1 with the given
 * scope, exchanges the resulting authorization code at the token endpoint for
 * the same scope, and returns the non-empty access token from the 200 response.
 */
private String authorizeAndExchangeCodeFor(ScopePathType scope)
    throws InterruptedException, JSONException {
  String redirectedTo =
      OauthAuthorizationPageHelper.loginAndAuthorize(
          this.getWebBaseUrl(),
          this.getClient1ClientId(),
          this.getClient1RedirectUri(),
          scope.value(),
          null,
          this.getUser1UserName(),
          this.getUser1Password(),
          true,
          webDriver);

  // The authorization code is extracted from the URL the browser landed on.
  Matcher codeMatcher = AUTHORIZATION_CODE_PATTERN.matcher(redirectedTo);
  assertTrue(codeMatcher.find());
  String code = codeMatcher.group(1);
  assertFalse(PojoUtil.isEmpty(code));

  // Exchange the code for exactly the scope it was granted.
  ClientResponse response =
      getClientResponse(
          this.getClient1ClientId(),
          this.getClient1ClientSecret(),
          scope.getContent(),
          this.getClient1RedirectUri(),
          code);
  assertEquals(200, response.getStatus());

  JSONObject tokenJson = new JSONObject(response.getEntity(String.class));
  String token = (String) tokenJson.get("access_token");
  assertNotNull(token);
  assertFalse(PojoUtil.isEmpty(token));
  return token;
}