test(parser): add additional tests for bad token

Author: ndyakov

internal/errors.go

@@ -3,7 +3,6 @@ package internal
 import "fmt"
 
 var ErrInvalidIDPResponse = fmt.Errorf("invalid identity provider response")
-var ErrInvalidIDPResponseType = fmt.Errorf("invalid identity provider response type")
 var ErrAuthResultNotFound = fmt.Errorf("auth result not found")
 var ErrAccessTokenNotFound = fmt.Errorf("access token not found")
 var ErrRawTokenNotFound = fmt.Errorf("raw token not found")

manager/manager_test.go

@@ -84,6 +84,25 @@ func newTestJWTToken(expiresOn time.Time) string {
 	return tokenStr
 }
 
+func newTestJWTTokenWithoutOID(expiresOn time.Time) string {
+	claims := struct {
+		jwt.RegisteredClaims
+	}{}
+
+	// Parse the token to extract claims, but note that signature verification
+	// should be handled by the identity provider
+	_, _, err := jwt.NewParser().ParseUnverified(testJWTToken, &claims)
+	if err != nil {
+		panic(err)
+	}
+	claims.ExpiresAt = jwt.NewNumericDate(expiresOn)
+	tokenStr, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString([]byte("qwertyuiopasdfghjklzxcvbnm123456"))
+	if err != nil {
+		panic(err)
+	}
+	return tokenStr
+}
+
 type mockIdentityProviderResponseParser struct {
 	// Mock implementation of the IdentityProviderResponseParser interface
 	mock.Mock

manager/token_manager_test.go

@@ -439,6 +439,34 @@ func TestDefaultIdentityProviderResponseParser(t *testing.T) {
 		assert.NotNil(t, token1)
 		assert.InEpsilon(t, authResultVal.ExpiresOn.Unix(), token1.ExpirationOn().Unix(), 1)
 	})
+	t.Run("Default IdentityProviderResponseParser with type AuthResult and empty token", func(t *testing.T) {
+		t.Parallel()
+		authResultVal := &public.AuthResult{
+			ExpiresOn:   time.Now().Add(time.Hour).UTC(),
+			AccessToken: "",
+		}
+		idpResponse := &authResult{
+			ResultType:    shared.ResponseTypeAuthResult,
+			AuthResultVal: authResultVal,
+		}
+		token1, err := parser.ParseResponse(idpResponse)
+		assert.Error(t, err)
+		assert.Nil(t, token1)
+	})
+	t.Run("Default IdentityProviderResponseParser with type AuthResult and token without oid", func(t *testing.T) {
+		t.Parallel()
+		authResultVal := &public.AuthResult{
+			ExpiresOn:   time.Now().Add(time.Hour).UTC(),
+			AccessToken: newTestJWTTokenWithoutOID(time.Now().Add(time.Hour).UTC()),
+		}
+		idpResponse := &authResult{
+			ResultType:    shared.ResponseTypeAuthResult,
+			AuthResultVal: authResultVal,
+		}
+		token1, err := parser.ParseResponse(idpResponse)
+		assert.Error(t, err)
+		assert.Nil(t, token1)
+	})
 	t.Run("Default IdentityProviderResponseParser with type AccessToken", func(t *testing.T) {
 		t.Parallel()
 		accessToken := &azcore.AccessToken{

shared/identity_provider_response.go

@@ -19,7 +19,6 @@ const (
 )
 
 var ErrInvalidIDPResponse = internal.ErrInvalidIDPResponse
-var ErrInvalidIDPResponseType = internal.ErrInvalidIDPResponseType
 var ErrAuthResultNotFound = internal.ErrAuthResultNotFound
 var ErrAccessTokenNotFound = internal.ErrAccessTokenNotFound
 var ErrRawTokenNotFound = internal.ErrRawTokenNotFound