Add a functional test for PAR-enabled authorization flows

kevinchalet · kevinchalet · commit bc3f423d66a9 · 2025-04-08T16:00:54.000+02:00
diff --git a/test/OrchardCore.Tests/Modules/OrchardCore.OpenId/OpenIdAuthenticationTests.cs b/test/OrchardCore.Tests/Modules/OrchardCore.OpenId/OpenIdAuthenticationTests.cs
@@ -117,16 +117,15 @@ await context.UsingTenantScopeAsync(async scope =>
             Assert.Contains("orchauth_" + shellSettings.Name, cookies.Keys);
 
             var codeVerifier = GenerateCodeVerifier();
-            var challengeCode = GenerateCodeChallenge(codeVerifier);
+            var codeChallenge = GenerateCodeChallenge(codeVerifier);
             var requestData = new Dictionary<string, string>
             {
                 { "client_id", clientId },
                 { "response_type", "code" },
                 { "redirect_uri", redirectUri },
                 { "scope", "openid offline_access" },
                 { "code_challenge_method", "S256" },
-                { "code_verifier", codeVerifier },
-                { "code_challenge", challengeCode },
+                { "code_challenge", codeChallenge },
             };
 
             var authorizeRequestMessage = HttpRequestHelper.CreatePostMessage("connect/authorize", requestData);
@@ -163,17 +162,163 @@ await context.UsingTenantScopeAsync(async scope =>
             var tokens = new ConcurrentBag<string>();
 
             // One one task should succeed since OpenId will only allow one access_token exchange for every authorization_code.
-            var taskOne = ExchangeCodeForTokenAsync(httpClient, cookies, authorizationCode, clientId, redirectUri, codeVerifier, tokens);
-            var taskTwo = ExchangeCodeForTokenAsync(httpClient, cookies, authorizationCode, clientId, redirectUri, codeVerifier, tokens);
-            var taskThree = ExchangeCodeForTokenAsync(httpClient, cookies, authorizationCode, clientId, redirectUri, codeVerifier, tokens);
+            var taskOne = ExchangeCodeForTokenAsync(httpClient, authorizationCode, clientId, redirectUri, codeVerifier, tokens);
+            var taskTwo = ExchangeCodeForTokenAsync(httpClient, authorizationCode, clientId, redirectUri, codeVerifier, tokens);
+            var taskThree = ExchangeCodeForTokenAsync(httpClient, authorizationCode, clientId, redirectUri, codeVerifier, tokens);
 
             await Task.WhenAll(taskOne, taskTwo, taskThree);
 
             Assert.Single(tokens);
         });
     }
 
-    private static async Task ExchangeCodeForTokenAsync(HttpClient httpClient, IDictionary<string, string> cookies, string authorizationCode, string clientId, string redirectUri, string codeVerifier, ConcurrentBag<string> tokens)
+    [Fact]
+    public async Task OpenId_CodeFlowWithPushedAuthorizationRequests_CanExchangeAuthorizationCodeForAccessTokenOnlyOnce()
+    {
+        var context = new SiteContext();
+
+        await context.InitializeAsync();
+
+        var redirectUri = context.Client.BaseAddress.ToString() + "signin-oidc";
+
+        var clientId = "test_id";
+
+        var recipeSteps = new JsonArray
+        {
+            new JsonObject
+            {
+                {"name", "Feature"},
+                {"enable", new JsonArray(
+                    "OrchardCore.Users",
+                    "OrchardCore.OpenId.Server",
+                    "OrchardCore.OpenId.Validation",
+                    "OrchardCore.OpenId")
+                },
+            },
+            new JsonObject
+            {
+                {"name", "OpenIdApplication"},
+                {"ClientId", clientId},
+                {"DisplayName", "Test Application"},
+                {"Type", "public"},
+                {"ConsentType", "implicit"},
+                {"AllowAuthorizationCodeFlow", true},
+                {"RequireProofKeyForCodeExchange", true},
+                {"RequirePushedAuthorizationRequests", true},
+                {"AllowRefreshTokenFlow", true},
+                {"RedirectUris", redirectUri},
+            },
+        };
+
+        var recipe = new JsonObject
+        {
+            {"steps", recipeSteps},
+        };
+
+        await RecipeHelpers.RunRecipeAsync(context, recipe);
+
+        await context.UsingTenantScopeAsync(async scope =>
+        {
+            var featureManager = scope.ServiceProvider.GetService<IShellFeaturesManager>();
+
+            Assert.True(await featureManager.IsFeatureEnabledAsync("OrchardCore.Users"));
+            Assert.True(await featureManager.IsFeatureEnabledAsync("OrchardCore.OpenId.Server"));
+            Assert.True(await featureManager.IsFeatureEnabledAsync("OrchardCore.OpenId.Validation"));
+            Assert.True(await featureManager.IsFeatureEnabledAsync("OrchardCore.OpenId"));
+
+            var httpClient = context.Client;
+
+            var session = scope.ServiceProvider.GetRequiredService<YesSql.ISession>();
+
+            var applications = await session.Query<OpenIdApplication, OpenIdApplicationIndex>(OpenIdApplication.OpenIdCollection).ListAsync();
+
+            Assert.Single(applications);
+
+            var application = applications.First();
+            Assert.True(application.ClientId == clientId);
+            Assert.Contains(redirectUri, application.RedirectUris);
+            Assert.Equal("implicit", application.ConsentType);
+            Assert.Contains(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode, application.Permissions);
+            Assert.Contains(OpenIddictConstants.Permissions.GrantTypes.RefreshToken, application.Permissions);
+            Assert.Contains(OpenIddictConstants.Permissions.Endpoints.Authorization, application.Permissions);
+            Assert.Contains(OpenIddictConstants.Permissions.Endpoints.PushedAuthorization, application.Permissions);
+            Assert.Contains(OpenIddictConstants.Permissions.Endpoints.Token, application.Permissions);
+            Assert.Contains(OpenIddictConstants.Permissions.ResponseTypes.Code, application.Permissions);
+
+            Assert.Contains(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange, application.Requirements);
+            Assert.Contains(OpenIddictConstants.Requirements.Features.PushedAuthorizationRequests, application.Requirements);
+
+            // Visit the login page to get the AntiForgery token.
+            var loginGetRequest = await httpClient.GetAsync("Login", CancellationToken.None);
+
+            var loginFormData = new Dictionary<string, string>
+            {
+                {"__RequestVerificationToken", await AntiForgeryHelper.ExtractAntiForgeryToken(loginGetRequest) },
+                {$"{nameof(LoginForm)}.{nameof(LoginViewModel.UserName)}", "admin"},
+                {$"{nameof(LoginForm)}.{nameof(LoginViewModel.Password)}", "Password01_"},
+            };
+
+            var shellSettings = scope.ServiceProvider.GetService<ShellSettings>();
+
+            var loginPostRequest = HttpRequestHelper.CreatePostMessageWithCookies($"Login?ReturnUrl=/{shellSettings.RequestUrlPrefix}?loggedIn=true", loginFormData, loginGetRequest);
+
+            // Login
+            var loginPostResponse = await httpClient.SendAsync(loginPostRequest, CancellationToken.None);
+
+            Assert.Equal(HttpStatusCode.Redirect, loginPostResponse.StatusCode);
+
+            var loginRequestRedirectToLocation = loginPostResponse.Headers.Location?.ToString();
+
+            Assert.NotEmpty(loginRequestRedirectToLocation);
+            Assert.Contains("loggedIn=true", loginRequestRedirectToLocation);
+
+            var cookies = CookiesHelper.ExtractCookies(loginPostResponse);
+
+            Assert.Contains("orchauth_" + shellSettings.Name, cookies.Keys);
+
+            var codeVerifier = GenerateCodeVerifier();
+            var codeChallenge = GenerateCodeChallenge(codeVerifier);
+
+            var requestData = new Dictionary<string, string>
+            {
+                { "client_id", clientId },
+                { "request_uri", await GetRequestUriAsync(httpClient, clientId, redirectUri, codeChallenge) }
+            };
+
+            var authorizeRequestMessage = HttpRequestHelper.CreatePostMessage("connect/authorize", requestData);
+            CookiesHelper.AddCookiesToRequest(authorizeRequestMessage, cookies);
+
+            Assert.True(authorizeRequestMessage.Headers.Contains("Cookie"), "Cookie header is missing from request.");
+
+            var authorizeResponse = await httpClient.SendAsync(authorizeRequestMessage, CancellationToken.None);
+
+            Assert.Equal(HttpStatusCode.Redirect, authorizeResponse.StatusCode);
+
+            var finalRedirect = authorizeResponse.Headers.Location?.ToString();
+
+            Assert.NotEmpty(finalRedirect);
+            Assert.StartsWith(redirectUri, finalRedirect);
+
+            // Extract the authorization code from the query string.
+            var queryParameters = HttpUtility.ParseQueryString(new Uri(finalRedirect).Query);
+            var authorizationCode = queryParameters["code"];
+
+            Assert.NotEmpty(authorizationCode);
+
+            var tokens = new ConcurrentBag<string>();
+
+            // One one task should succeed since OpenId will only allow one access_token exchange for every authorization_code.
+            var taskOne = ExchangeCodeForTokenAsync(httpClient, authorizationCode, clientId, redirectUri, codeVerifier, tokens);
+            var taskTwo = ExchangeCodeForTokenAsync(httpClient, authorizationCode, clientId, redirectUri, codeVerifier, tokens);
+            var taskThree = ExchangeCodeForTokenAsync(httpClient, authorizationCode, clientId, redirectUri, codeVerifier, tokens);
+
+            await Task.WhenAll(taskOne, taskTwo, taskThree);
+
+            Assert.Single(tokens);
+        });
+    }
+
+    private static async Task ExchangeCodeForTokenAsync(HttpClient httpClient, string authorizationCode, string clientId, string redirectUri, string codeVerifier, ConcurrentBag<string> tokens)
     {
         var data = new Dictionary<string, string>()
         {
@@ -185,7 +330,6 @@ private static async Task ExchangeCodeForTokenAsync(HttpClient httpClient, IDict
         };
 
         var request = HttpRequestHelper.CreatePostMessage("connect/token", data);
-        CookiesHelper.AddCookiesToRequest(request, cookies);
 
         var tokenResponse = await httpClient.SendAsync(request, CancellationToken.None);
 
@@ -201,6 +345,36 @@ private static async Task ExchangeCodeForTokenAsync(HttpClient httpClient, IDict
         }
     }
 
+    private static async Task<string> GetRequestUriAsync(HttpClient httpClient, string clientId, string redirectUri, string codeChallenge)
+    {
+        var data = new Dictionary<string, string>()
+        {
+            { "client_id", clientId },
+            { "response_type", "code" },
+            { "redirect_uri", redirectUri },
+            { "scope", "openid offline_access" },
+            { "code_challenge_method", "S256" },
+            { "code_challenge", codeChallenge },
+        };
+
+        var request = HttpRequestHelper.CreatePostMessage("connect/par", data);
+
+        var response = await httpClient.SendAsync(request, CancellationToken.None);
+        if (response.IsSuccessStatusCode)
+        {
+            var result = await response.Content.ReadFromJsonAsync<JsonObject>();
+            var value = result["request_uri"]?.ToString();
+
+            Assert.NotEmpty(value);
+
+            return value;
+        }
+        else
+        {
+            throw new InvalidOperationException("An error response was returned by the pushed authorization endpoint.");
+        }
+    }
+
     private static string GenerateCodeVerifier()
     {
         var randomBytes = new byte[32];
