From 8d4ae74f7a4f87f7fb826e83a056ad6c3f434887 Mon Sep 17 00:00:00 2001 From: arekkas Date: Tue, 23 Oct 2018 23:27:40 +0200 Subject: [PATCH 1/5] e2e: Check for access/id token claims Signed-off-by: arekkas --- test/mock-cb/main.go | 6 ++++- test/mock-client/main.go | 50 +++++++++++++++++++++++++++++++++++++++- test/mock-lcp/main.go | 6 ++++- 3 files changed, 59 insertions(+), 3 deletions(-) diff --git a/test/mock-cb/main.go b/test/mock-cb/main.go index 0fc36dc2d49..b9e193193c1 100644 --- a/test/mock-cb/main.go +++ b/test/mock-cb/main.go @@ -22,6 +22,7 @@ package main import ( "context" + "encoding/json" "log" "net/http" "os" @@ -53,7 +54,10 @@ func callback(rw http.ResponseWriter, r *http.Request) { return } - rw.Write([]byte(`access_token=` + token.AccessToken)) + if err := json.NewEncoder(rw).Encode(token); err != nil { + http.Error(rw, err.Error(), http.StatusInternalServerError) + return + } } func main() { diff --git a/test/mock-client/main.go b/test/mock-client/main.go index 967c3565bb9..cc862459f6c 100644 --- a/test/mock-client/main.go +++ b/test/mock-client/main.go @@ -21,6 +21,7 @@ package main import ( + "encoding/json" "fmt" "io/ioutil" "log" @@ -30,7 +31,10 @@ import ( "os" "strings" + "github.com/dgrijalva/jwt-go" "golang.org/x/oauth2" + + "github.com/ory/hydra/sdk/go/hydra/swagger" ) func main() { 
@@ -69,20 +73,64 @@ func main() { if err != nil { log.Fatalf("Unable to make request: %s", err) } - defer resp.Body.Close() out, err := ioutil.ReadAll(resp.Body) if err != nil { log.Fatalf("Unable to read body: %s", err) } + resp.Body.Close() if resp.StatusCode != http.StatusOK { log.Fatalf("Got status code %d and body %s", resp.StatusCode, out) } + var token oauth2.Token + if err := json.Unmarshal(out, &token); err != nil { + log.Fatalf("Unable transform to token: %s", err) + } + for _, c := range c.Cookies(u) { if c.Name == "oauth2_authentication_session" { fmt.Print(c.Value) } } + + resp, err = http.PostForm(strings.TrimRight(os.Getenv("HYDRA_ADMIN_URL"), "/")+"/oauth2/introspect", url.Values{"token": {token.AccessToken}}) + if err != nil { + log.Fatalf("Unable to make introspection request: %s", err) + } else if resp.StatusCode != http.StatusOK { + log.Fatalf("Unable to make introspection request: got status code %d", resp.StatusCode) + } + + var intro swagger.OAuth2TokenIntrospection + if err := json.NewDecoder(resp.Body).Decode(&intro); err != nil { + log.Fatalf("Unable to decode introspection response: %s", err) + } + resp.Body.Close() + + if intro.Sub != "the-subject" { + log.Fatalf("Expected subject from access token to be %s but got %s", "the-subject", intro.Sub) + } + + if intro.Ext["foo"] != "bar" { + log.Fatalf("Expected extra field \"foo\" from access token to be \"bar\" but got %s", intro.Ext["foo"]) + } + + payload, err := jwt.DecodeSegment(strings.Split(fmt.Sprintf("%s", token.Extra("id_token")), ".")[1]) + if err != nil { + log.Fatalf("Unable to decode id token segment: %s", err) + } + + var claims map[string]interface{} + if err := json.Unmarshal(payload, &claims); err != nil { + log.Fatalf("Unable to unmarshal id token body: %s", err) + } + + if fmt.Sprintf("%s", claims["sub"]) != "the-subject" { + log.Fatalf("Expected subject from id token to be %s but got %s", "the-subject", claims["sub"]) + } + + if fmt.Sprintf("%s", claims["foo"]) != "bar" { 
+ log.Fatalf("Expected extra field \"foo\" from access token to be \"bar\" but got %s", intro.Ext["foo"]) + } } diff --git a/test/mock-lcp/main.go b/test/mock-lcp/main.go index e3c61287da7..a1a297fbde3 100644 --- a/test/mock-lcp/main.go +++ b/test/mock-lcp/main.go @@ -47,7 +47,7 @@ func login(rw http.ResponseWriter, r *http.Request) { remember = true } v, resp, err = client.AcceptLoginRequest(challenge, swagger.AcceptLoginRequest{ - Subject: "foobar", + Subject: "the-subject", Remember: remember, }) } else { @@ -81,6 +81,10 @@ func consent(rw http.ResponseWriter, r *http.Request) { v, resp, err = client.AcceptConsentRequest(challenge, swagger.AcceptConsentRequest{ GrantScope: o.RequestedScope, Remember: remember, + Session: swagger.ConsentRequestSession{ + AccessToken: map[string]interface{}{"foo": "bar"}, + IdToken: map[string]interface{}{"baz": "bar"}, + }, }) } else { v, resp, err = client.RejectConsentRequest(challenge, swagger.RejectRequest{ From 02981d3046214f2968ad0ae1527b85925991939c Mon Sep 17 00:00:00 2001 From: arekkas Date: Tue, 23 Oct 2018 23:48:45 +0200 Subject: [PATCH 2/5] e2e: Check for access/id token claims --- scripts/test-e2e-jwt.sh | 2 +- scripts/test-e2e-opaque.sh | 2 +- scripts/test-e2e-plugin.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/test-e2e-jwt.sh b/scripts/test-e2e-jwt.sh index 64c6637bb16..f5fe27afa92 100755 --- a/scripts/test-e2e-jwt.sh +++ b/scripts/test-e2e-jwt.sh @@ -15,7 +15,7 @@ export OAUTH2_CLIENT_SECRET=bazbar export OAUTH2_ISSUER_URL=http://127.0.0.1:4444/ export LOG_LEVEL=debug export REDIRECT_URL=http://127.0.0.1:5555/callback -export AUTH2_SCOPE=openid,offline +export OAUTH2_SCOPE=openid,offline go install . go install ./test/mock-client diff --git a/scripts/test-e2e-opaque.sh b/scripts/test-e2e-opaque.sh index bb453934983..74aecdd6fc6 100755 --- a/scripts/test-e2e-opaque.sh +++ b/scripts/test-e2e-opaque.sh 
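Review bot: The ID token check at the end of this hunk only base64-decodes the payload with `jwt.DecodeSegment` and never verifies the signature, so the test would accept an unsigned or wrongly signed token. Parsing with `jwt.Parse` and a key function backed by the server's published signing keys, then asserting on the verified claims, would make the check meaningful for an issuance test. The same decode-only pattern is carried into `checkTokenResponse` in PATCH 4/5 for both the JWT access token and the ID token. In this patch the last check also reads `claims["foo"]` although mock-lcp sets `baz` on the ID token, and its failure message prints `intro.Ext["foo"]` instead of the ID token claim. `main` starts outside the hunk.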
@@ -15,7 +15,7 @@ export OAUTH2_CLIENT_SECRET=bazbar export OAUTH2_ISSUER_URL=http://127.0.0.1:4444/ export LOG_LEVEL=debug export REDIRECT_URL=http://127.0.0.1:5555/callback -export AUTH2_SCOPE=openid,offline +export OAUTH2_SCOPE=openid,offline go install . go install ./test/mock-client diff --git a/scripts/test-e2e-plugin.sh b/scripts/test-e2e-plugin.sh index fd4a6528df0..f51d33e089d 100755 --- a/scripts/test-e2e-plugin.sh +++ b/scripts/test-e2e-plugin.sh @@ -13,7 +13,7 @@ export OAUTH2_CLIENT_SECRET=bazbar export OAUTH2_ISSUER_URL=http://127.0.0.1:4444/ export LOG_LEVEL=debug export REDIRECT_URL=http://127.0.0.1:4445/callback -export AUTH2_SCOPE=openid,offline +export OAUTH2_SCOPE=openid,offline go install . go build -buildmode=plugin -o memtest.so ./test/plugin From bcdb74b1dcf66152b2c6ae8b59bc3505629b7095 Mon Sep 17 00:00:00 2001 From: arekkas Date: Tue, 23 Oct 2018 23:57:54 +0200 Subject: [PATCH 3/5] e2e: Check for access/id token claims Signed-off-by: arekkas --- test/mock-client/main.go | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/test/mock-client/main.go b/test/mock-client/main.go index cc862459f6c..ef6cdf7dc6a 100644 --- a/test/mock-client/main.go +++ b/test/mock-client/main.go @@ -89,6 +89,8 @@ func main() { log.Fatalf("Unable transform to token: %s", err) } + log.Printf("Got token: %+v", token) + for _, c := range c.Cookies(u) { if c.Name == "oauth2_authentication_session" { fmt.Print(c.Value) @@ -116,7 +118,12 @@ func main() { log.Fatalf("Expected extra field \"foo\" from access token to be \"bar\" but got %s", intro.Ext["foo"]) } - payload, err := jwt.DecodeSegment(strings.Split(fmt.Sprintf("%s", token.Extra("id_token")), ".")[1]) + idt := fmt.Sprintf("%s", token.Extra("id_token")) + if len(idt) == 0 { + log.Fatalf("ID Token does not seem to be set: %+v", token) + } + + payload, err := jwt.DecodeSegment(strings.Split(idt, ".")[1]) if err != nil { log.Fatalf("Unable to decode id token segment: %s", err) } 
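Review bot: The new `len(idt) == 0` guard in the `@@ -116,7 +118,12 @@` hunk cannot fire for a missing ID token, because `fmt.Sprintf("%s", token.Extra("id_token"))` turns a nil value into the non-empty string `%!s(<nil>)`; `strings.Split(idt, ".")[1]` then panics with an index error instead of reporting the failure. A comma-ok assertion states the intent directly: `idt, ok := token.Extra("id_token").(string)` followed by `if !ok || idt == "" { log.Fatalf("ID Token does not seem to be set: %+v", token) }`. mock-cb in PATCH 4/5 fills `IDToken` with the same `Sprintf`, so a missing token would be forwarded there as that placeholder string. `main` starts and ends outside the hunk.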
From e375853dcb335431c475314cabda441519c5fef6 Mon Sep 17 00:00:00 2001 From: aeneasr Date: Wed, 24 Oct 2018 14:20:19 +0200 Subject: [PATCH 4/5] oauth2: Fix missing session data in jwt at This patch fixes missing session data in OAuth2 Access Tokens formatted as JSON Web Tokens. It also improves e2e tests which now test if claims and data are set correctly, including after refreshes. Related #1106 Signed-off-by: aeneasr --- go.mod | 2 +- go.sum | 2 + oauth2/session.go | 4 +- scripts/test-e2e-jwt.sh | 2 +- test/mock-cb/main.go | 16 ++++- test/mock-client/main.go | 142 +++++++++++++++++++++++++++++++-------- test/mock-lcp/main.go | 9 ++- 7 files changed, 143 insertions(+), 34 deletions(-) diff --git a/go.mod b/go.mod index 8a25c42f961..e5682c67ee1 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 github.com/oleiade/reflections v1.0.0 github.com/opentracing/opentracing-go v1.0.2 - github.com/ory/fosite v0.25.0 + github.com/ory/fosite v0.26.0 github.com/ory/go-convenience v0.1.0 github.com/ory/graceful v0.1.0 github.com/ory/herodot v0.4.1 diff --git a/go.sum b/go.sum index 609e5acec1a..990d4023a7e 100644 --- a/go.sum +++ b/go.sum 
@@ -105,6 +105,8 @@ github.com/ory/dockertest v3.3.2+incompatible h1:uO+NcwH6GuFof/Uz8yzjNi1g0sGT5SL github.com/ory/dockertest v3.3.2+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs= github.com/ory/fosite v0.25.0 h1:GELSEQc6OIDsfvtx1nC0snzPpFF14W/f6MeMXPEiZ9I= github.com/ory/fosite v0.25.0/go.mod h1:uttCRNB0lM7+BJFX7CC8Bqo9gAPrcpmA9Ezc80Trwuw= +github.com/ory/fosite v0.26.0 h1:jWJ5RnF2fp5ZPvghq682yyAzi91zilCfMlvGdn6gC8o= +github.com/ory/fosite v0.26.0/go.mod h1:uttCRNB0lM7+BJFX7CC8Bqo9gAPrcpmA9Ezc80Trwuw= github.com/ory/go-convenience v0.1.0 h1:zouLKfF2GoSGnJwGq+PE/nJAE6dj2Zj5QlTgmMTsTS8= github.com/ory/go-convenience v0.1.0/go.mod h1:uEY/a60PL5c12nYz4V5cHY03IBmwIAEm8TWB0yn9KNs= github.com/ory/graceful v0.1.0 h1:zilpYtcR5vp4GubV4bN2GFJewHaSkMFnnRiJxyH8FAc= diff --git a/oauth2/session.go b/oauth2/session.go index 1cbed1874b8..f4cc72b47c4 100644 --- a/oauth2/session.go +++ b/oauth2/session.go @@ -52,12 +52,12 @@ func NewSession(subject string) *Session { } } -func (s *Session) GetJWTClaims() *jwt.JWTClaims { +func (s *Session) GetJWTClaims() jwt.JWTClaimsContainer { claims := &jwt.JWTClaims{ Subject: s.Subject, Audience: s.Audience, Issuer: s.DefaultSession.Claims.Issuer, - Extra: s.Extra, + Extra: map[string]interface{}{"ext": s.Extra}, ExpiresAt: s.GetExpiresAt(fosite.AccessToken), IssuedAt: time.Now(), NotBefore: time.Now(), diff --git a/scripts/test-e2e-jwt.sh b/scripts/test-e2e-jwt.sh index f5fe27afa92..d4f7e738692 100755 --- a/scripts/test-e2e-jwt.sh +++ b/scripts/test-e2e-jwt.sh @@ -16,6 +16,7 @@ export OAUTH2_ISSUER_URL=http://127.0.0.1:4444/ export LOG_LEVEL=debug export REDIRECT_URL=http://127.0.0.1:5555/callback export OAUTH2_SCOPE=openid,offline +export OAUTH2_ACCESS_TOKEN_STRATEGY=jwt go install . go install ./test/mock-client 
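Review bot: In oauth2/session.go, `GetJWTClaims` now always emits an `ext` claim, so a session whose `s.Extra` is nil would presumably serialize as `"ext": null`, which consumers that type-assert the claim to a map (as mock-client does later in this patch) will not handle. Consider normalising before building the claims, e.g. `ext := s.Extra` then `if ext == nil { ext = map[string]interface{}{} }`, assuming `Extra` is a map as the literal suggests. The exported method also has no doc comment; `// GetJWTClaims returns the claims for a JWT access token; session data is nested under the "ext" claim to match the introspection response.` would record why the nesting exists. The function body continues past the end of the hunk.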
@@ -27,7 +28,6 @@ DATABASE_URL=memory \ OAUTH2_LOGIN_URL=http://127.0.0.1:3000/login \ OAUTH2_ERROR_URL=http://127.0.0.1:3000/error \ OAUTH2_SHARE_ERROR_DEBUG=true \ - OAUTH2_ACCESS_TOKEN_STRATEGY=jwt \ hydra serve all --dangerous-force-http --disable-telemetry & PORT=3000 mock-lcp & diff --git a/test/mock-cb/main.go b/test/mock-cb/main.go index b9e193193c1..b98d054dbc6 100644 --- a/test/mock-cb/main.go +++ b/test/mock-cb/main.go @@ -23,10 +23,12 @@ package main import ( "context" "encoding/json" + "fmt" "log" "net/http" "os" "strings" + "time" "golang.org/x/oauth2" ) @@ -54,7 +56,19 @@ func callback(rw http.ResponseWriter, r *http.Request) { return } - if err := json.NewEncoder(rw).Encode(token); err != nil { + if err := json.NewEncoder(rw).Encode(&struct { + IDToken string `json:"id_token"` + AccessToken string `json:"access_token"` + TokenType string `json:"token_type,omitempty"` + RefreshToken string `json:"refresh_token,omitempty"` + Expiry time.Time `json:"expiry,omitempty"` + }{ + IDToken: fmt.Sprintf("%s", token.Extra("id_token")), + AccessToken: token.AccessToken, + RefreshToken: token.RefreshToken, + TokenType: token.TokenType, + Expiry: token.Expiry, + }); err != nil { http.Error(rw, err.Error(), http.StatusInternalServerError) return } diff --git a/test/mock-client/main.go b/test/mock-client/main.go index ef6cdf7dc6a..51a2531818d 100644 --- a/test/mock-client/main.go +++ b/test/mock-client/main.go @@ -21,6 +21,7 @@ package main import ( + "bytes" "encoding/json" "fmt" "io/ioutil" 
@@ -30,13 +31,25 @@ import ( "net/url" "os" "strings" + "time" "github.com/dgrijalva/jwt-go" "golang.org/x/oauth2" "github.com/ory/hydra/sdk/go/hydra/swagger" + "github.com/ory/x/cmdx" ) +var sdk = swagger.NewOAuth2ApiWithBasePath(os.Getenv("HYDRA_ADMIN_URL")) + +type oauth2token struct { + IDToken string `json:"id_token"` + AccessToken string `json:"access_token"` + TokenType string `json:"token_type,omitempty"` + RefreshToken string `json:"refresh_token,omitempty"` + Expiry time.Time `json:"expiry,omitempty"` +} + func main() { conf := oauth2.Config{ ClientID: os.Getenv("OAUTH2_CLIENT_ID"), 
@@ -70,60 +83,135 @@ func main() { return nil }, }).Get(au) - if err != nil { - log.Fatalf("Unable to make request: %s", err) - } + cmdx.CheckResponse(err, http.StatusOK, resp) + defer resp.Body.Close() out, err := ioutil.ReadAll(resp.Body) if err != nil { log.Fatalf("Unable to read body: %s", err) } - resp.Body.Close() - if resp.StatusCode != http.StatusOK { - log.Fatalf("Got status code %d and body %s", resp.StatusCode, out) + for _, c := range c.Cookies(u) { + if c.Name == "oauth2_authentication_session" { + fmt.Print(c.Value) + } } - var token oauth2.Token + var token oauth2token if err := json.Unmarshal(out, &token); err != nil { log.Fatalf("Unable transform to token: %s", err) } - log.Printf("Got token: %+v", token) + checkTokenResponse(token) + for i := 0; i <= 5; i++ { + token = refreshToken(token) + checkTokenResponse(token) + } - for _, c := range c.Cookies(u) { - if c.Name == "oauth2_authentication_session" { - fmt.Print(c.Value) - } + refreshToken(token) + + // refreshing the same token twice does not work + resp, err = refreshTokenRequest(token) + cmdx.CheckResponse(err, http.StatusBadRequest, resp) + defer resp.Body.Close() +} + +func checkResponse(err error, expectedStatusCode int, response *swagger.APIResponse) { + var r *http.Response + if response != nil { + r = response.Response + r.Body = ioutil.NopCloser(bytes.NewBuffer(response.Payload)) } - resp, err = http.PostForm(strings.TrimRight(os.Getenv("HYDRA_ADMIN_URL"), "/")+"/oauth2/introspect", url.Values{"token": {token.AccessToken}}) - if err != nil { - log.Fatalf("Unable to make introspection request: %s", err) - } else if resp.StatusCode != http.StatusOK { - log.Fatalf("Unable to make introspection request: got status code %d", resp.StatusCode) + cmdx.CheckResponse(err, expectedStatusCode, r) +} + +func refreshTokenRequest(token oauth2token) (*http.Response, error) { + req, err := http.NewRequest("POST", strings.TrimRight(os.Getenv("HYDRA_URL"), "/")+"/oauth2/token", 
bytes.NewBufferString(url.Values{ + "refresh_token": {token.RefreshToken}, + "grant_type": {"refresh_token"}, + }.Encode())) + cmdx.Must(err, "%s", err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.SetBasicAuth(os.Getenv("OAUTH2_CLIENT_ID"), os.Getenv("OAUTH2_CLIENT_SECRET")) + return http.DefaultClient.Do(req) +} + +func refreshToken(token oauth2token) (result oauth2token) { + resp, err := refreshTokenRequest(token) + cmdx.CheckResponse(err, http.StatusOK, resp) + defer resp.Body.Close() + + err = json.NewDecoder(resp.Body).Decode(&result) + cmdx.Must(err, "Unable to decode refresh token: %s", err) + return result +} + +func checkTokenResponse(token oauth2token) { + if token.RefreshToken == "" { + log.Fatalf("Expected a refresh token but none received: %+v", token) } - var intro swagger.OAuth2TokenIntrospection - if err := json.NewDecoder(resp.Body).Decode(&intro); err != nil { - log.Fatalf("Unable to decode introspection response: %s", err) + // This value oscillates between bar and rab, depending on whether authorization was remembered or not. 
Check + // mock-lcp which sets the value + expectedValue := "bar" + if strings.Contains(os.Getenv("OAUTH2_EXTRA"), "prompt=none") { + expectedValue = "rab" + } + + if os.Getenv("OAUTH2_ACCESS_TOKEN_STRATEGY") == "jwt" { + parts := strings.Split(token.AccessToken, ".") + + if len(parts) != 3 { + log.Fatalf("JWT Access Token does not seem to have three parts: %d - %+v - %v", len(parts), token, parts) + } + + payload, err := jwt.DecodeSegment(parts[1]) + if err != nil { + log.Fatalf("Unable to decode id token segment: %s", err) + } + + var claims map[string]interface{} + if err := json.Unmarshal(payload, &claims); err != nil { + log.Fatalf("Unable to unmarshal id token body: %s", err) + } + + if fmt.Sprintf("%s", claims["sub"]) != "the-subject" { + log.Fatalf("Expected subject from access token to be %s but got %s", "the-subject", claims["sub"]) + } + + ext := claims["ext"].(map[string]interface{}) + if ext["foo"] != expectedValue { + log.Fatalf("Expected extra field \"foo\" from access token to be \"%s\" but got %s", expectedValue, ext["foo"]) + } + } + + intro, sdkResp, err := sdk.IntrospectOAuth2Token(token.AccessToken, "") + checkResponse(err, http.StatusOK, sdkResp) + + if !intro.Active { + log.Fatalf("Expected token to be active: %s", token.AccessToken) } - resp.Body.Close() if intro.Sub != "the-subject" { log.Fatalf("Expected subject from access token to be %s but got %s", "the-subject", intro.Sub) } - if intro.Ext["foo"] != "bar" { - log.Fatalf("Expected extra field \"foo\" from access token to be \"bar\" but got %s", intro.Ext["foo"]) + if intro.Ext["foo"] != expectedValue { + log.Fatalf("Expected extra field \"foo\" from access token to be \"%s\" but got %s", expectedValue, intro.Ext["foo"]) } - idt := fmt.Sprintf("%s", token.Extra("id_token")) + idt := fmt.Sprintf("%s", token.IDToken) if len(idt) == 0 { log.Fatalf("ID Token does not seem to be set: %+v", token) } - payload, err := jwt.DecodeSegment(strings.Split(idt, ".")[1]) + parts := strings.Split(idt, 
".") + if len(parts) != 3 { + log.Fatalf("ID Token does not seem to have three parts: %d - %+v - %v", len(parts), token, parts) + } + + payload, err := jwt.DecodeSegment(parts[1]) if err != nil { log.Fatalf("Unable to decode id token segment: %s", err) } @@ -137,7 +225,7 @@ func main() { log.Fatalf("Expected subject from id token to be %s but got %s", "the-subject", claims["sub"]) } - if fmt.Sprintf("%s", claims["foo"]) != "bar" { - log.Fatalf("Expected extra field \"foo\" from access token to be \"bar\" but got %s", intro.Ext["foo"]) + if fmt.Sprintf("%s", claims["baz"]) != expectedValue { + log.Fatalf("Expected extra field \"baz\" from access token to be \"%s\" but got \"%s\"", expectedValue, claims["baz"]) } } diff --git a/test/mock-lcp/main.go b/test/mock-lcp/main.go index a1a297fbde3..5f875ee1fbb 100644 --- a/test/mock-lcp/main.go +++ b/test/mock-lcp/main.go @@ -78,12 +78,17 @@ func consent(rw http.ResponseWriter, r *http.Request) { if strings.Contains(o.RequestUrl, "rememberConsent=yes") { remember = true } + value := "bar" + if o.Skip == true { + value = "rab" + } + v, resp, err = client.AcceptConsentRequest(challenge, swagger.AcceptConsentRequest{ GrantScope: o.RequestedScope, Remember: remember, Session: swagger.ConsentRequestSession{ - AccessToken: map[string]interface{}{"foo": "bar"}, - IdToken: map[string]interface{}{"baz": "bar"}, + AccessToken: map[string]interface{}{"foo": value}, + IdToken: map[string]interface{}{"baz": value}, }, }) } else { From 08de0ea1e04b29a8ec9ededc1ec6e471504050f6 Mon Sep 17 00:00:00 2001 From: aeneasr Date: Wed, 24 Oct 2018 15:06:05 +0200 Subject: [PATCH 5/5] oauth2: Fix missing session data in jwt at This patch fixes missing session data in OAuth2 Access Tokens formatted as JSON Web Tokens. It also improves e2e tests which now test if claims and data are set correctly, including after refreshes. Related #1106 
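Review bot: In `checkTokenResponse` the line `ext := claims["ext"].(map[string]interface{})` is an unchecked type assertion, so when the `ext` claim is absent or not an object (the exact regression this test is meant to catch) the program panics instead of failing with a readable message. Prefer `ext, ok := claims["ext"].(map[string]interface{})` followed by `if !ok { log.Fatalf("Expected claim \"ext\" to be an object but got %v", claims["ext"]) }`. The JWT access-token branch also reuses the messages "Unable to decode id token segment" and "Unable to unmarshal id token body", which will mislead whoever reads a failure. `checkResponse` dereferences `response.Response` to assign `r.Body` without a nil check, which is worth guarding if the SDK can return an `APIResponse` without one. `checkTokenResponse` continues past the end of this hunk.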
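Review bot: The rewritten failure message in the `@@ -137,7 +225,7 @@` hunk still says "from access token" although this branch checks the `baz` claim decoded from the ID token. Suggest `log.Fatalf("Expected extra field \"baz\" from id token to be \"%s\" but got \"%s\"", expectedValue, claims["baz"])`. The enclosing function starts outside the hunk.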
Signed-off-by: aeneasr --- UPGRADE.md | 10 ++++++++++ oauth2/oauth2_auth_code_test.go | 4 ++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/UPGRADE.md b/UPGRADE.md index d66edaa1963..d3762962262 100644 --- a/UPGRADE.md +++ b/UPGRADE.md @@ -105,6 +105,16 @@ before finalizing the upgrade process. ## 1.0.0-rc.1 +### JSON Web Token formatted Access Token data + +Previously, extra fields coming from `session.access_token` where directly embedded in the OAuth 2.0 Access Token when +the JSON Web Token strategy was used. However, the token introspection response returned the extra data as a field `ext: {...}`. + +In order to have a streamlined experience, session data is from now on stored in a field `ext: {...}` for Access +Tokens formatted as JSON Web Tokens. + +This change does not impact the opaque strategy, which is the default one. + ### CLI Changes Flags `https-tls-key-path` and `https-tls-cert-path` have been removed from the `hydra serve *` commands. diff --git a/oauth2/oauth2_auth_code_test.go b/oauth2/oauth2_auth_code_test.go index 9d9274d6b1b..8d8ac18d1ee 100644 --- a/oauth2/oauth2_auth_code_test.go +++ b/oauth2/oauth2_auth_code_test.go @@ -329,7 +329,7 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) { assert.NotEmpty(t, data["nbf"]) assert.EqualValues(t, data["nbf"], data["iat"]) assert.EqualValues(t, []interface{}{"hydra", "offline", "openid"}, data["scp"]) - assert.EqualValues(t, "bar", data["foo"]) + assert.EqualValues(t, "map[foo:bar]", fmt.Sprintf("%s", data["ext"])) }, }, { @@ -408,7 +408,7 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) { assert.NotEmpty(t, data["nbf"]) assert.EqualValues(t, data["nbf"], data["iat"]) assert.EqualValues(t, []interface{}{"hydra", "offline"}, data["scp"]) - assert.EqualValues(t, "bar", data["foo"]) + assert.EqualValues(t, "map[foo:bar]", fmt.Sprintf("%s", data["ext"])) }, }, {
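Review bot: Both updated assertions in oauth2/oauth2_auth_code_test.go compare `fmt.Sprintf("%s", data["ext"])` with the string `map[foo:bar]`, which tests Go's map formatting and not the structure of the claim. Comparing the value directly is clearer, `assert.EqualValues(t, map[string]interface{}{"foo": "bar"}, data["ext"])`, and adding `assert.Nil(t, data["foo"])` would pin that session data is no longer copied to the top level of the token. This applies to the hunk at line 329 and to the one at line 408. The enclosing test closures start outside the hunks.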