Functional tests for OIDC authentication

[adamcfraser]

Add functional tests for OIDC authentication, including:

• Authentication via auth code flow
• Authentication using bearer ID token
• Authentication using session cookie
• Authentication using session passed back in the body
• Tests for invalid ID tokens (expired, bad signature, wrong client)
  • Create token with 5 second expiry, wait 10 seconds .. not currently configurable. (waiting on Have a way to configure tokens for expiry in POST request #1847 (comment))
  • Make up garbage token
  • Signature: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ use garbage in last bit.
• Token refresh - auth code flow
• Test for bring-your-own-token
• Config params, turn off session tokens (running into: OIDC running into issue running non-default provider #1858)
• Multiple providers
  • Define multiple providers (Google), make it the default, make sure the test endpoint is the provider
• NotAuthenticated option notauthenticated Return an authorization error for this user -- should get some sort of error back (401)
• OIDC scope tests Add OIDC scope to test provider, functional tests #1856
• After successfully obtaining an ID token, POST to the public _session endpoint with that token (and no cookie) to get a new session for that token. (note that session id won't be in the response, but set cookie will be on the header)

[tleyden]

Ports: 4984 (priority) should work against 4985

Use session got back

HTTP/1.1 200 OK.
Content-Length: 543.
Content-Type: application/json.
Server: Couchbase Sync Gateway/1.2 branch/ commit/.
Set-Cookie: SyncGatewaySession=7fe390e9b9e14b5510457457c073e7a34e3a34f7; Path=/db; Expires=Fri, 03 Jun 2016 19:55:40 GMT.
Date: Fri, 03 Jun 2016 18:55:40 GMT.
.
{"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6InN5bmNfZ2F0ZXdheV9vaWRjX3Rlc3RfcHJvdmlkZXIiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJzeW5jX2dhdGV3YXkiLCJlbWFpbCI6InRsZXlkZW4zQHN5bmNnYXRld2F5b2lkY3Rlc3RpbmcuY29tIiwiZXhwIjoxNDY0OTgzNzQwLCJpYXQiOjE0NjQ5ODAxNDAsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDk4NC9kYi9fb2lkY190ZXN0aW5nIiwic3ViIjoidGxleWRlbjMifQ.Agx3G-0C95hUWBsRk-ugwLDy0Guy83KIN9AxLTitBan9qK1-wCFJFZ71D5zvdekyN-vnkjerWfIGLourm3oaJK2DXpc7ZbAGBAWXiakg6MLug7vbvwgJ51MPKtZdBkdWXgciVTE_uwSTsqOMWvDPnHj75sx9XSvfTTL9Xz3bOg8","refresh_token":"WkVkNGJHVlhVbXhpYWswOQ=="}

Use the id token

curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6InN5bmNfZ2F0ZXdheV9vaWRjX3Rlc3RfcHJvdmlkZXIiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJzeW5jX2dhdGV3YXkiLCJlbWFpbCI6InRsZXlkZW4zQHN5bmNnYXRld2F5b2lkY3Rlc3RpbmcuY29tIiwiZXhwIjoxNDY0OTgzNzQwLCJpYXQiOjE0NjQ5ODAxNDAsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDk4NC9kYi9fb2lkY190ZXN0aW5nIiwic3ViIjoidGxleWRlbjMifQ.Agx3G-0C95hUWBsRk-ugwLDy0Guy83KIN9AxLTitBan9qK1-wCFJFZ71D5zvdekyN-vnkjerWfIGLourm3oaJK2DXpc7ZbAGBAWXiakg6MLug7vbvwgJ51MPKtZdBkdWXgciVTE_uwSTsqOMWvDPnHj75sx9XSvfTTL9Xz3bOg8" localhost:4984/db/

Use refresh token

Doesn't work against internal test provider -- works against Google

curl localhost:4984/db/_oidc_refresh?refresh_token=WkVkNGJHVlhVbXhpYWswOQ==

Should return new token and session cookie. The session cookie should be valid.

[tleyden]

After successfully obtaining an ID token, POST to the public _session endpoint with that token (and no cookie)

@adamcfraser just to confirm, it should be sending the token via this header right?

"Authorization": "Bearer <token>"

[tleyden]

I'm trying to test:

After successfully obtaining an ID token, POST to the public _session endpoint with that token (and no cookie) to get a new session for that token. (note that session id won't be in the response, but set cookie will be on the header)

and it's returning a 401 response.

Here is the ngrep output:

https://gist.github.com/tleyden/c8c4a567182b47824a83cfec84e7592f

does anything jump out at you that the test is doing wrong?

The part I was least sure about is the {"name": "test_testuser"} JSON body.

[tleyden]

Define multiple providers targeting the same issuer in the config. Get an ID token for one of the providers, and verify that you can use it to authenticate successfully

I'm a bit confused on this.

It sounds like the config should be:

            "providers":{
               "test1":{
                  "issuer":"http://localhost:4984/db/_oidc_testing",
                  "client_id":"sync_gateway",
                  "validation_key":"R75hfd9lasdwertwerutecw8",
                  "callback_url":"http://localhost:4984/db/_oidc_callback",
                  "register":true
               },
               "test2":{
                  "issuer":"http://localhost:4984/db/_oidc_testing",
                  "client_id":"sync_gateway",
                  "validation_key":"R75hfd9lasdwertwerutecw8",
                  "callback_url":"http://localhost:4984/db/_oidc_callback",
                  "register":true
               },

and then an ID token should be obtained against the test1 provider, but I'm not sure what this means exactly:

and verify that you can use it to authenticate successfully

[tleyden]

After successfully obtaining an ID token, POST to the public _session endpoint with that token (and no cookie) to get a new session for that token. (note that session id won't be in the response, but set cookie will be on the header)

This passes after switching to latest master.

[tleyden]

I moved the remaining tests to a separate ticket: #1882

[tleyden]

PR: couchbaselabs/mobile-testkit#541