/**
 * Verifies that an authorization code granted for one scope cannot be exchanged for a token
 * carrying a different scope: the token endpoint must answer 401 and name the scope mismatch.
 */
@Test
public void useAuthorizationCodeWithInalidScopesTest() throws InterruptedException, JSONException {
    // Step 1: the user authorizes /orcid-works/create only.
    String redirectedTo =
        OauthAuthorizationPageHelper.loginAndAuthorize(
            this.getWebBaseUrl(),
            this.getClient1ClientId(),
            this.getClient1RedirectUri(),
            ScopePathType.ORCID_WORKS_CREATE.value(),
            null,
            this.getUser1UserName(),
            this.getUser1Password(),
            true,
            webDriver);
    Matcher codeMatcher = AUTHORIZATION_CODE_PATTERN.matcher(redirectedTo);
    assertTrue(codeMatcher.find());
    String code = codeMatcher.group(1);
    assertFalse(PojoUtil.isEmpty(code));

    // Step 2: the client tries to exchange that code while asking for /orcid-works/update,
    // a scope the user never granted. The server must refuse rather than widen the grant.
    ClientResponse exchange =
        getClientResponse(
            this.getClient1ClientId(),
            this.getClient1ClientSecret(),
            ScopePathType.ORCID_WORKS_UPDATE.getContent(),
            this.getClient1RedirectUri(),
            code);
    assertEquals(401, exchange.getStatus());

    // Step 3: the error body explains which scopes the code actually carries.
    OrcidMessage error = exchange.getEntity(OrcidMessage.class);
    assertNotNull(error);
    assertNotNull(error.getErrorDesc());
    assertEquals(
        "OAuth2 problem : Invalid scopes: /orcid-works/update available scopes for this code are: [/orcid-works/create]",
        error.getErrorDesc().getContent());
}
/**
 * A client_credentials token request for {@code /orcid-works/update} must be rejected with
 * {@link InvalidScopeException}, even though that scope is in the client's registered scope set.
 * NOTE(review): presumably that scope is simply not grantable through the client_credentials
 * grant — confirm against OrcidClientCredentialsChecker before relying on this reading.
 */
@Test(expected = InvalidScopeException.class)
public void testInvalidCredentialsScopes() throws Exception {
    // The mocked client is registered with two scopes, one of which is requested below.
    Set<ClientScopeEntity> registeredScopes = new HashSet<ClientScopeEntity>(2);
    registeredScopes.add(new ClientScopeEntity(ScopePathType.ORCID_WORKS_UPDATE.value()));
    registeredScopes.add(new ClientScopeEntity(ScopePathType.ORCID_BIO_READ_LIMITED.value()));
    ClientDetailsEntity client = new ClientDetailsEntity();
    client.setClientScopes(registeredScopes);

    String clientId = "2875-8158-1475-6194";
    when(clientDetailsService.loadClientByClientId(clientId)).thenReturn(client);

    Set<String> requested = new HashSet<String>();
    requested.add(ScopePathType.ORCID_WORKS_UPDATE.value());
    TokenRequest request =
        new TokenRequest(
            Collections.<String, String>emptyMap(), clientId, requested, "client_credentials");

    // The checker is expected to throw here; the annotation on the test asserts it.
    new OrcidClientCredentialsChecker(clientDetailsService, oAuth2RequestFactory)
        .validateCredentials("client_credentials", request);
}
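/**
 * Test that asking for different scopes generates different tokens.
 *
 * <p>Each scope is authorized in a fresh session (signout first), exchanged for a token, and the
 * three resulting tokens are asserted pairwise distinct — i.e. a grant for one scope must not be
 * reused to satisfy a request for another.
 *
 * <p>IMPORTANT NOTE: For this test to run, the user should not have tokens for any of the
 * following scopes: - FUNDING_CREATE - AFFILIATIONS_CREATE - ORCID_WORKS_UPDATE
 */
@Test
public void testDifferentScopesGeneratesDifferentAccessTokens() throws InterruptedException, JSONException {
    String fundingToken = authorizeAndFetchAccessToken(ScopePathType.FUNDING_CREATE);

    String affiliationsToken = authorizeAndFetchAccessToken(ScopePathType.AFFILIATIONS_CREATE);
    assertFalse(affiliationsToken.equals(fundingToken));

    String worksToken = authorizeAndFetchAccessToken(ScopePathType.ORCID_WORKS_UPDATE);
    assertFalse(worksToken.equals(fundingToken));
    assertFalse(worksToken.equals(affiliationsToken));
}

/**
 * Signs out, runs the full authorization-code flow for {@code scope} as user 1 / client 1, and
 * returns the access token the token endpoint issued.
 *
 * @param scope the single scope to authorize and then request at the token endpoint
 * @return the non-empty {@code access_token} from the token response
 * @throws InterruptedException propagated from the browser-driven authorization step
 * @throws JSONException if the token response body is not valid JSON
 */
private String authorizeAndFetchAccessToken(ScopePathType scope)
    throws InterruptedException, JSONException {
    // Start from a clean session so the consent page is shown for this scope.
    signout();
    String currentUrl =
        OauthAuthorizationPageHelper.loginAndAuthorize(
            this.getWebBaseUrl(),
            this.getClient1ClientId(),
            this.getClient1RedirectUri(),
            scope.value(),
            null,
            this.getUser1UserName(),
            this.getUser1Password(),
            true,
            webDriver);
    Matcher matcher = AUTHORIZATION_CODE_PATTERN.matcher(currentUrl);
    assertTrue(matcher.find());
    String authorizationCode = matcher.group(1);
    assertFalse(PojoUtil.isEmpty(authorizationCode));

    // Exchange the code for a token, requesting exactly the scope that was authorized.
    ClientResponse tokenResponse =
        getClientResponse(
            this.getClient1ClientId(),
            this.getClient1ClientSecret(),
            scope.getContent(),
            this.getClient1RedirectUri(),
            authorizationCode);
    assertEquals(200, tokenResponse.getStatus());

    JSONObject json = new JSONObject(tokenResponse.getEntity(String.class));
    String accessToken = (String) json.get("access_token");
    assertNotNull(accessToken);
    assertFalse(PojoUtil.isEmpty(accessToken));
    return accessToken;
}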