Update ORCID provider tests for OpenID Connect requirements

dauglyon · dauglyon · commit 7e3bca1bed72 · 2025-09-08T13:31:34.000-07:00
- Update scope in login URL tests from 'openid' to 'openid+%2Fauthenticate'
- Add JWT tokens to tests that were missing them after OpenID Connect changes
- Update getIdentityWithNoJWT test to expect new error when JWT is missing
- Fix error condition tests to provide valid JWTs so they test intended errors
diff --git a/src/test/java/us/kbase/test/auth2/providers/OrcIDIdentityProviderTest.java b/src/test/java/us/kbase/test/auth2/providers/OrcIDIdentityProviderTest.java
@@ -121,12 +121,12 @@ public void simpleOperationsWithConfigurator() throws Exception {
 		assertThat("incorrect environments", oip.getEnvironments(), is(set("myenv")));
 		assertThat("incorrect login url", oip.getLoginURI("foo3", "pkce", false, null),
 				is(new URI("https://ologin.com/oauth/authorize?" +
-						"scope=openid" +
+						"scope=openid+%2Fauthenticate" +
 						"&state=foo3&redirect_uri=https%3A%2F%2Fologinredir.com" +
 						"&response_type=code&client_id=ofoo")));
 		assertThat("incorrect link url", oip.getLoginURI("foo4", "pkce", true, null),
 				is(new URI("https://ologin.com/oauth/authorize?" +
-						"scope=openid" +
+						"scope=openid+%2Fauthenticate" +
 						"&state=foo4&redirect_uri=https%3A%2F%2Folinkredir.com" +
 						"&response_type=code&client_id=ofoo")));
 		
@@ -150,12 +150,12 @@ public void simpleOperationsWithoutConfigurator() throws Exception {
 		assertThat("incorrect environments", oip.getEnvironments(), is(set("myenv")));
 		assertThat("incorrect login url", oip.getLoginURI("foo5", "pkce", false, null),
 				is(new URI("https://ologin.com/oauth/authorize?" +
-						"scope=openid" +
+						"scope=openid+%2Fauthenticate" +
 						"&state=foo5&redirect_uri=https%3A%2F%2Fologinredir.com" +
 						"&response_type=code&client_id=ofoo")));
 		assertThat("incorrect link url", oip.getLoginURI("foo6", "pkce", true, null),
 				is(new URI("https://ologin.com/oauth/authorize?" +
-						"scope=openid" +
+						"scope=openid+%2Fauthenticate" +
 						"&state=foo6&redirect_uri=https%3A%2F%2Folinkredir.com" +
 						"&response_type=code&client_id=ofoo")));
 		
@@ -267,15 +267,15 @@ public void returnsIllegalAuthtokenResponse() throws Exception {
 		final IdentityRetrievalException e =
 				new IdentityRetrievalException("No access token was returned by OrcID");
 		
-		setUpCallAuthToken(acode, null, redir, cliid, clisec, "name", "fake ID");
+		setUpCallAuthTokenWithJWT(acode, null, redir, cliid, clisec, "name", "fake ID", createJWTWithoutAmr("fake ID"));
 		failGetIdentities(idp, acode, "pkce", false, e);
-		setUpCallAuthToken(acode, "\t  ", redir, cliid, clisec, "name", "fake ID");
+		setUpCallAuthTokenWithJWT(acode, "\t  ", redir, cliid, clisec, "name", "fake ID", createJWTWithoutAmr("fake ID"));
 		failGetIdentities(idp, acode, "pkce", false, e);
 		
-		setUpCallAuthToken(acode, "fake token", redir, cliid, clisec, "my name", null);
+		setUpCallAuthTokenWithJWT(acode, "fake token", redir, cliid, clisec, "my name", null, createJWTWithoutAmr("fake ID"));
 		failGetIdentities(idp, acode, "pkce", false, new IdentityRetrievalException(
 				"No id was returned by OrcID"));
-		setUpCallAuthToken(acode, "fake token", redir, cliid, clisec, "my name", "   \t  \n  ");
+		setUpCallAuthTokenWithJWT(acode, "fake token", redir, cliid, clisec, "my name", "   \t  \n  ", createJWTWithoutAmr("fake ID"));
 		failGetIdentities(idp, acode, "pkce", false, new IdentityRetrievalException(
 				"No id was returned by OrcID"));
 	}
@@ -336,12 +336,12 @@ public void returnsBadResponseIdentity() throws Exception {
 		final String authtoken = "bartoken";
 		final String orcID = "0000-0001-1234-5678";
 		
-		setUpCallAuthToken(authCode, authtoken, redir, cliid, clisec, "my name", orcID);
+		setUpCallAuthTokenWithJWT(authCode, authtoken, redir, cliid, clisec, "my name", orcID, createJWTWithoutAmr(orcID));
 		setupCallID(authtoken, orcID, APP_JSON, 200, "bleah");
 		failGetIdentities(idp, authCode, "pkce", false, new IdentityRetrievalException(
 				"Unable to parse response from OrcID service."));
 		
-		setUpCallAuthToken(authCode, authtoken, redir, cliid, clisec, "my name", orcID);
+		setUpCallAuthTokenWithJWT(authCode, authtoken, redir, cliid, clisec, "my name", orcID, createJWTWithoutAmr(orcID));
 		setupCallID(authtoken, orcID, "text/html", 200, MAPPER.writeValueAsString(
 				map("id", "id1", "displayName", "dispname1", "emails", Arrays.asList(
 						map("value", "email1")))));
@@ -398,8 +398,8 @@ private void getIdentityWithLoginURL(final String email, final Map<String, Objec
 		final IdentityProvider idp = new OrcIDIdentityProvider(idconfig);
 		final String orcID = "0000-0001-1234-5678";
 		
-		setUpCallAuthToken(authCode, "footoken3", "https://ologinredir.com",
-				idconfig.getClientID(), idconfig.getClientSecret(), " My name ", orcID);
+		setUpCallAuthTokenWithJWT(authCode, "footoken3", "https://ologinredir.com",
+				idconfig.getClientID(), idconfig.getClientSecret(), " My name ", orcID, createJWTWithoutAmr(orcID));
 		setupCallID("footoken3", orcID, APP_JSON, 200, MAPPER.writeValueAsString(response));
 		final Set<RemoteIdentity> rids = idp.getIdentities(authCode, "pkce", false, null);
 		assertThat("incorrect number of idents", rids.size(), is(1));
@@ -454,9 +454,9 @@ private void getIdentityWithLinkURL(final String email, final Map<String, Object
 		final IdentityProvider idp = new OrcIDIdentityProvider(idconfig);
 		final String orcID = "0000-0001-1234-5678";
 		
-		setUpCallAuthToken(authCode, "footoken2", "https://olinkredir2.com",
+		setUpCallAuthTokenWithJWT(authCode, "footoken2", "https://olinkredir2.com",
 				idconfig.getClientID(), idconfig.getClientSecret(),
-				null, orcID);
+				null, orcID, createJWTWithoutAmr(orcID));
 		setupCallID("footoken2", orcID, APP_JSON, 200, MAPPER.writeValueAsString(
 				response));
 		final Set<RemoteIdentity> rids = idp.getIdentities(authCode, "pkce", true, null);
@@ -547,12 +547,15 @@ public void getIdentityWithNoJWT() throws Exception {
 				idconfig.getClientID(), idconfig.getClientSecret(), " My name ", orcID);
 		setupCallID("footoken5", orcID, APP_JSON, 200, MAPPER.writeValueAsString(
 				map("email", Arrays.asList(map("email", "noid@test.com")))));
-		final Set<RemoteIdentity> rids = idp.getIdentities(authCode, "pkce", false, null);
-		assertThat("incorrect number of idents", rids.size(), is(1));
-		final Set<RemoteIdentity> expected = new HashSet<>();
-		expected.add(new RemoteIdentity(new RemoteIdentityID(ORCID, orcID),
-				new RemoteIdentityDetails(orcID, "My name", "noid@test.com", MfaStatus.UNKNOWN)));
-		assertThat("incorrect ident set", rids, is(expected));
+		
+		// Now that JWT is required, this should fail with missing JWT error
+		try {
+			idp.getIdentities(authCode, "pkce", false, null);
+			fail("Expected IdentityRetrievalException");
+		} catch (IdentityRetrievalException e) {
+			assertThat("incorrect exception message", e.getMessage(), 
+					is("10030 Identity retrieval failed: No JWT token provided by ORCID despite requesting OpenID scope"));
+		}
 	}
 	
 	@Test
