Merge branch 'master' into feat-limit-maximum-password-length

ory · Feb 27, 2024 · 963e663 · 963e663
2 parents 37810b3 + 9710549
commit 963e663
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,7 @@
 
 **Table of Contents**
 
-- [ (2024-02-22)](#2024-02-22)
+- [ (2024-02-23)](#2024-02-23)
   - [Bug Fixes](#bug-fixes)
   - [Features](#features)
   - [Tests](#tests)
@@ -321,7 +321,7 @@
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# [](https://github.com/ory/kratos/compare/v1.1.0...v) (2024-02-22)
+# [](https://github.com/ory/kratos/compare/v1.1.0...v) (2024-02-23)
 
 ### Bug Fixes
 
@@ -342,6 +342,9 @@
 - Prevent SMTP URL leak on unparsable URL
   ([#3770](https://github.com/ory/kratos/issues/3770))
   ([c5f39f4](https://github.com/ory/kratos/commit/c5f39f4bc481e400f736ede7f8f0be546a55eebf))
+- Test assertions on declassifying OIDC tokens
+  ([#3773](https://github.com/ory/kratos/issues/3773))
+  ([7f8a7f1](https://github.com/ory/kratos/commit/7f8a7f142a91c8c74f32eadb41224fc4f69c2109))
 
 ### Features
 

diff --git a/identity/handler_test.go b/identity/handler_test.go
@@ -610,22 +610,25 @@ func TestHandler(t *testing.T) {
 			}
 		})
 
-		t.Run("case=should fail to get oidc credential", func(t *testing.T) {
+		t.Run("case=should return empty tokens if decryption fails", func(t *testing.T) {
 			id := createOidcIdentity(t, "foo-failed.oidc@bar.com", "foo_token", "bar_token", "id_token", false)
 			for name, ts := range map[string]*httptest.Server{"public": publicTS, "admin": adminTS} {
 				t.Run("endpoint="+name, func(t *testing.T) {
-					t.Logf("no oidc token")
 					res := get(t, ts, "/identities/"+i.ID.String()+"?include_credential=oidc", http.StatusOK)
 					assert.NotContains(t, res.Raw, "identifier_credentials", res.Raw)
 
-					t.Logf("get oidc token")
 					res = get(t, ts, "/identities/"+id+"?include_credential=oidc", http.StatusOK)
-					assert.NotContains(t, res.Raw, "identifier_credentials", res.Raw)
+					assert.Equal(t, "bar:foo-failed.oidc@bar.com", res.Get("credentials.oidc.identifiers.0").String(), "%s", res.Raw)
+					assert.Equal(t, "", res.Get("credentials.oidc.config.providers.0.initial_access_token").String(), "%s", res.Raw)
+					assert.Equal(t, "", res.Get("credentials.oidc.config.providers.0.initial_id_token").String(), "%s", res.Raw)
+					assert.Equal(t, "", res.Get("credentials.oidc.config.providers.0.initial_refresh_token").String(), "%s", res.Raw)
 				})
 			}
+		})
 
+		t.Run("case=should return decrypted token", func(t *testing.T) {
 			e, _ := reg.Cipher(ctx).Encrypt(context.Background(), []byte("foo_token"))
-			id = createOidcIdentity(t, "foo-failed-2.oidc@bar.com", e, "bar_token", "id_token", false)
+			id := createOidcIdentity(t, "foo-failed-2.oidc@bar.com", e, "bar_token", "id_token", false)
 			for name, ts := range map[string]*httptest.Server{"public": publicTS, "admin": adminTS} {
 				t.Run("endpoint="+name, func(t *testing.T) {
 					t.Logf("no oidc token")
@@ -634,7 +637,8 @@ func TestHandler(t *testing.T) {
 
 					t.Logf("get oidc token")
 					res = get(t, ts, "/identities/"+id+"?include_credential=oidc", http.StatusOK)
-					assert.NotContains(t, res.Raw, "identifier_credentials", res.Raw)
+					assert.Equal(t, "bar:foo-failed-2.oidc@bar.com", res.Get("credentials.oidc.identifiers.0").String(), "%s", res.Raw)
+					assert.Equal(t, "foo_token", res.Get("credentials.oidc.config.providers.0.initial_access_token").String(), "%s", res.Raw)
 				})
 			}
 		})