implement OOB token request handling

Added oobResponseAsState extension to process out-of-band authentication API responses.
Updated error handling for OOB and token responses, supporting OAuth2 and API errors.
Introduced polling context for OOB authentication flow.

Author: FeiChen-okta

okta-direct-auth/src/androidHostTest/kotlin/com/okta/directauth/DirectAuthenticationFlowImplTest.kt

@@ -4,6 +4,7 @@ import com.okta.directauth.http.KtorHttpExecutor
 import com.okta.directauth.model.PrimaryFactor
 import com.okta.directauth.model.DirectAuthenticationError
 import com.okta.directauth.model.DirectAuthenticationState
+import com.okta.directauth.model.OobChannel
 import io.ktor.client.HttpClient
 import kotlinx.coroutines.test.runTest
 import kotlinx.serialization.SerializationException
@@ -72,4 +73,22 @@ class DirectAuthenticationFlowImplTest {
         assertThat((state as DirectAuthenticationError.InternalError).throwable, instanceOf(SerializationException::class.java))
         assertThat(flow.authenticationState.value, equalTo(state))
     }
+
+    @Test
+    fun start_withOobFactor_returnsOobAuthenticateState() = runTest {
+        val flow = DirectAuthenticationFlowBuilder.create(issuerUrl, clientId, scope) {
+            apiExecutor = KtorHttpExecutor(HttpClient(oobAuthenticateResponseMockEngine))
+        }.getOrThrow()
+
+        val state = flow.start("test_user", PrimaryFactor.Oob(OobChannel.PUSH))
+
+        assertThat(state, instanceOf(DirectAuthenticationState.OobAuthenticate::class.java))
+        val oobState = state as DirectAuthenticationState.OobAuthenticate
+        assertThat(oobState.pollContext.oobCode, equalTo("example_oob_code"))
+        assertThat(oobState.pollContext.channel, equalTo(OobChannel.PUSH.value))
+        assertThat(oobState.pollContext.expiresIn, equalTo(120))
+        assertThat(oobState.pollContext.interval, equalTo(5))
+
+        assertThat(flow.authenticationState.value, equalTo(state))
+    }
 }

okta-direct-auth/src/androidHostTest/kotlin/com/okta/directauth/MockEngineUtil.kt

@@ -9,27 +9,26 @@ import io.ktor.utils.io.ByteReadChannel
 
 const val TOKEN_RESPONSE_JSON =
     """{"access_token":"example_access_token","token_type":"Bearer","expires_in":3600,"scope":"openid email profile offline_access","refresh_token":"example_refresh_token","id_token":"example_id_token"}"""
-const val AUTHORIZATION_PENDING_JSON =
-    """{"error":"authorization_pending","error_description":"The user has not yet approved the push notification."}"""
-const val OAUTH2_ERROR_JSON =
-    """{"error":"invalid_grant","error_description":"The password was invalid."}"""
-const val SERVER_ERROR_JSON =
-    """{"errorCode":"E00000","errorSummary":"Internal Server Error"}"""
-const val MFA_REQUIRED_JSON =
-    """{"error":"mfa_required","error_description":"MFA is required for this transaction.","mfa_token":"example_mfa_token"}"""
-const val INVALID_MFA_REQUIRED_JSON =
-    """{"error":"mfa_required","error_description":"MFA is required for this transaction."}"""
+const val AUTHORIZATION_PENDING_JSON = """{"error":"authorization_pending","error_description":"The user has not yet approved the push notification."}"""
+const val OAUTH2_ERROR_JSON = """{"error":"invalid_grant","error_description":"The password was invalid."}"""
+const val SERVER_ERROR_JSON = """{"errorCode":"E00000","errorSummary":"Internal Server Error"}"""
+const val MFA_REQUIRED_JSON = """{"error":"mfa_required","error_description":"MFA is required for this transaction.","mfa_token":"example_mfa_token"}"""
+const val INVALID_MFA_REQUIRED_JSON = """{"error":"mfa_required","error_description":"MFA is required for this transaction."}"""
 const val UNKNOWN_JSON_TYPE = """{"unknown_json_type":"bad response"}"""
+const val OOB_AUTHENTICATE_RESPONSE_JSON = """{"oob_code":"example_oob_code","channel":"push","binding_method":"none","expires_in": 120,"interval":5}"""
+const val OOB_AUTHENTICATE_OAUTH2_ERROR_JSON = """{"error":"invalid_request","error_description":"abc is not a valid channel hint"}"""
 
 // Malformed JSON with trailing comma
 const val MALFORMED_JSON = """{"access_token": "token","token_type": "Bearer",}"""
 const val MALFORMED_JSON_ERROR_CODE = """{"errorCode": "error","errorSummary": "error description",}"""
 const val MALFORMED_JSON_ERROR = """{"error": "access_denied","error_description": "error description",}"""
 
+val contentType = headersOf("Content-Type", "application/json")
+
 fun createMockEngine(
     jsonResponse: String,
     httpStatusCode: HttpStatusCode,
-    headers: Headers = headersOf("Content-Type", "application/json")
+    headers: Headers = contentType
 ): MockEngine = MockEngine {
     respond(
         content = ByteReadChannel(jsonResponse),
@@ -64,6 +63,12 @@ val emptyResponseOkMockEngine = createMockEngine("", HttpStatusCode.OK)
 
 val malformedJsonOkMockEngine = createMockEngine(MALFORMED_JSON, HttpStatusCode.OK)
 
+val malformedJsonClientMockEngine = createMockEngine(MALFORMED_JSON_ERROR_CODE, HttpStatusCode.TooManyRequests)
+
 val malformedJsonErrorMockEngine = createMockEngine(MALFORMED_JSON_ERROR, HttpStatusCode.BadRequest)
 
 val malformedJsonErrorCodeMockEngine = createMockEngine(MALFORMED_JSON_ERROR_CODE, HttpStatusCode.BadRequest)
+
+val oobAuthenticateResponseMockEngine = createMockEngine(OOB_AUTHENTICATE_RESPONSE_JSON, HttpStatusCode.OK)
+
+val oobAuthenticateOauth2ErrorMockEngine = createMockEngine(OOB_AUTHENTICATE_OAUTH2_ERROR_JSON, HttpStatusCode.BadRequest)

okta-direct-auth/src/androidHostTest/kotlin/com/okta/directauth/http/DirectAuthOobAuthenticateRequestTest.kt

@@ -0,0 +1,173 @@
+package com.okta.directauth.http
+
+import com.okta.authfoundation.GrantType
+import com.okta.authfoundation.api.http.ApiRequestMethod
+import com.okta.authfoundation.api.http.log.AuthFoundationLogger
+import com.okta.authfoundation.api.http.log.LogLevel
+import com.okta.directauth.model.DirectAuthenticationContext
+import com.okta.directauth.model.DirectAuthenticationError
+import com.okta.directauth.model.DirectAuthenticationIntent
+import com.okta.directauth.model.DirectAuthenticationState
+import com.okta.directauth.model.OobChannel
+import com.okta.directauth.notJsonMockEngine
+import com.okta.directauth.oobAuthenticateOauth2ErrorMockEngine
+import com.okta.directauth.oobAuthenticateResponseMockEngine
+import com.okta.directauth.serverErrorMockEngine
+import com.okta.directauth.unknownJsonTypeMockEngine
+import io.ktor.client.HttpClient
+import io.ktor.client.engine.mock.MockEngine
+import io.ktor.client.engine.mock.respond
+import io.ktor.http.HttpHeaders
+import io.ktor.http.HttpStatusCode
+import io.ktor.http.headersOf
+import kotlinx.coroutines.test.runTest
+import org.hamcrest.CoreMatchers.equalTo
+import org.hamcrest.CoreMatchers.instanceOf
+import org.hamcrest.CoreMatchers.nullValue
+import org.hamcrest.MatcherAssert.assertThat
+import org.junit.Before
+import org.junit.Test
+
+class DirectAuthOobAuthenticateRequestTest {
+    private lateinit var context: DirectAuthenticationContext
+
+    @Before
+    fun setUp() {
+        context = DirectAuthenticationContext(
+            issuerUrl = "https://example.okta.com",
+            clientId = "test_client_id",
+            scope = listOf("openid", "email", "profile", "offline_access"),
+            authorizationServerId = "",
+            clientSecret = "",
+            grantTypes = listOf(GrantType.Password, GrantType.Otp),
+            acrValues = emptyList(),
+            directAuthenticationIntent = DirectAuthenticationIntent.SIGN_IN,
+            apiExecutor = KtorHttpExecutor(),
+            logger = object : AuthFoundationLogger {
+                override fun write(message: String, tr: Throwable?, logLevel: LogLevel) {
+                    // No-op logger for tests
+                }
+            },
+            clock = { 1654041600 }, // 2022-06-01
+            additionalParameters = mapOf()
+        )
+    }
+
+    @Test
+    fun oobAuthenticateRequest_WithDefaultParameters() {
+        val request = DirectAuthOobAuthenticateRequest(
+            context = context,
+            loginHint = "test_user",
+            oobChannel = OobChannel.PUSH
+        )
+
+        assertThat(request.url(), equalTo("https://example.okta.com/oauth2/v1/oob-authenticate"))
+        assertThat(request.method(), equalTo(ApiRequestMethod.POST))
+        assertThat(request.contentType(), equalTo("application/x-www-form-urlencoded"))
+        assertThat(request.headers(), equalTo(mapOf("Accept" to listOf("application/json"))))
+        assertThat(request.query(), nullValue())
+
+        val formParameters = request.formParameters()
+        assertThat(formParameters["client_id"], equalTo(listOf("test_client_id")))
+        assertThat(formParameters["login_hint"], equalTo(listOf("test_user")))
+        assertThat(formParameters["channel_hint"], equalTo(listOf("push")))
+        assertThat(formParameters.containsKey("client_secret"), equalTo(false))
+    }
+
+    @Test
+    fun oobAuthenticateRequest_WithCustomParameters() {
+        val customContext = context.copy(
+            authorizationServerId = "aus_test_id",
+            clientSecret = "test_client_secret",
+            additionalParameters = mapOf("custom" to "value")
+        )
+
+        val request = DirectAuthOobAuthenticateRequest(
+            context = customContext,
+            loginHint = "test_user",
+            oobChannel = OobChannel.SMS
+        )
+
+        assertThat(request.url(), equalTo("https://example.okta.com/oauth2/aus_test_id/v1/oob-authenticate"))
+        assertThat(request.query(), equalTo(mapOf("custom" to "value")))
+
+        val formParameters = request.formParameters()
+        assertThat(formParameters["client_id"], equalTo(listOf("test_client_id")))
+        assertThat(formParameters["login_hint"], equalTo(listOf("test_user")))
+        assertThat(formParameters["channel_hint"], equalTo(listOf("sms")))
+        assertThat(formParameters["client_secret"], equalTo(listOf("test_client_secret")))
+    }
+
+    @Test
+    fun oobAuthenticateRequest_returnsOobAuthenticateStateOnSuccess() = runTest {
+        val request = DirectAuthOobAuthenticateRequest(context, "test_user", OobChannel.PUSH)
+        val apiResponse = KtorHttpExecutor(HttpClient(oobAuthenticateResponseMockEngine)).execute(request).getOrThrow()
+
+        val state = apiResponse.oobResponseAsState(context)
+
+        assertThat(state, instanceOf(DirectAuthenticationState.OobAuthenticate::class.java))
+        val oobState = state as DirectAuthenticationState.OobAuthenticate
+        assertThat(oobState.pollContext.oobCode, equalTo("example_oob_code"))
+        assertThat(oobState.pollContext.channel, equalTo(OobChannel.PUSH.value))
+        assertThat(oobState.pollContext.expiresIn, equalTo(120))
+        assertThat(oobState.pollContext.interval, equalTo(5))
+        assertThat(oobState.pollContext.bindingMethod, equalTo("none"))
+        assertThat(oobState.pollContext.bindingCode, nullValue())
+    }
+
+    @Test
+    fun oobAuthenticateRequest_returnsOauth2ErrorStateOnApiError() = runTest {
+        val request = DirectAuthOobAuthenticateRequest(context, "test_user", OobChannel.PUSH)
+        val apiResponse = KtorHttpExecutor(HttpClient(oobAuthenticateOauth2ErrorMockEngine)).execute(request).getOrThrow()
+
+        val state = apiResponse.oobResponseAsState(context)
+
+        assertThat(state, instanceOf(DirectAuthenticationError.HttpError.Oauth2Error::class.java))
+        val errorState = state as DirectAuthenticationError.HttpError.Oauth2Error
+        assertThat(errorState.error, equalTo("invalid_request"))
+        assertThat(errorState.errorDescription, equalTo("abc is not a valid channel hint"))
+    }
+
+    @Test
+    fun oobAuthenticateRequest_returnsApiErrorStateOnServerError() = runTest {
+        val request = DirectAuthOobAuthenticateRequest(context, "test_user", OobChannel.PUSH)
+        val apiResponse = KtorHttpExecutor(HttpClient(serverErrorMockEngine)).execute(request).getOrThrow()
+
+        val state = apiResponse.oobResponseAsState(context)
+
+        assertThat(state, instanceOf(DirectAuthenticationError.HttpError.ApiError::class.java))
+        val errorState = state as DirectAuthenticationError.HttpError.ApiError
+        assertThat(errorState.errorCode, equalTo("E00000"))
+        assertThat(errorState.errorSummary, equalTo("Internal Server Error"))
+        assertThat(errorState.httpStatusCode, equalTo(HttpStatusCode.InternalServerError))
+    }
+
+    @Test
+    fun oobAuthenticateRequest_returnsInternalErrorOnUnsupportedContentType() = runTest {
+        val request = DirectAuthOobAuthenticateRequest(context, "test_user", OobChannel.PUSH)
+        val apiResponse = KtorHttpExecutor(HttpClient(notJsonMockEngine)).execute(request).getOrThrow()
+
+        val state = apiResponse.oobResponseAsState(context)
+
+        assertThat(state, instanceOf(DirectAuthenticationError.InternalError::class.java))
+        val error = state as DirectAuthenticationError.InternalError
+        assertThat(error.errorCode, equalTo(UNSUPPORTED_CONTENT_TYPE))
+        assertThat(error.throwable, instanceOf(IllegalStateException::class.java))
+        assertThat(error.throwable.message, equalTo("Unsupported content type: text/plain"))
+    }
+
+    @Test
+    fun oobAuthenticateRequest_unparseableClientErrorResponse() = runTest {
+        val request = DirectAuthOobAuthenticateRequest(context, "test_user", OobChannel.PUSH)
+
+        val apiResponse = KtorHttpExecutor(HttpClient(unknownJsonTypeMockEngine)).execute(request).getOrThrow()
+        val directAuthState = apiResponse.tokenResponseAsState(context)
+
+        assertThat(directAuthState, instanceOf(DirectAuthenticationError.InternalError::class.java))
+        val error = directAuthState as DirectAuthenticationError.InternalError
+        assertThat(error.errorCode, equalTo(INVALID_RESPONSE))
+        assertThat(error.throwable, instanceOf(IllegalStateException::class.java))
+        assertThat(error.throwable.message, equalTo("No parsable error response body: HTTP ${HttpStatusCode.BadRequest}"))
+    }
+
+}

okta-direct-auth/src/androidHostTest/kotlin/com/okta/directauth/http/DirectAuthTokenRequestTest.kt

@@ -9,6 +9,7 @@ import com.okta.directauth.emptyResponseMockEngine
 import com.okta.directauth.emptyResponseOkMockEngine
 import com.okta.directauth.internalServerErrorMockEngine
 import com.okta.directauth.invalidMfaRequiredMockEngine
+import com.okta.directauth.malformedJsonClientMockEngine
 import com.okta.directauth.malformedJsonErrorCodeMockEngine
 import com.okta.directauth.malformedJsonErrorMockEngine
 import com.okta.directauth.malformedJsonOkMockEngine
@@ -399,6 +400,19 @@ class DirectAuthTokenRequestTest {
         assertThat(error.throwable, instanceOf(SerializationException::class.java))
     }
 
+    @Test
+    fun request_malformedJsonInClientErrorStatus() = runTest {
+        val request = DirectAuthTokenRequest.Password(context, "test_user", "test_password")
+        val apiResponse = KtorHttpExecutor(HttpClient(malformedJsonClientMockEngine)).execute(request).getOrThrow()
+        val directAuthState = apiResponse.tokenResponseAsState(context)
+
+        assertThat(directAuthState, instanceOf(InternalError::class.java))
+        val error = directAuthState as InternalError
+        assertThat(error.errorCode, equalTo(UNKNOWN_ERROR))
+        assertThat(error.description, containsString("Unexpected JSON token at offset"))
+        assertThat(error.throwable, instanceOf(SerializationException::class.java))
+    }
+
     @Test
     fun request_malformedJsonInDirectAuthenticationErrorResponse() = runTest {
         val request = DirectAuthTokenRequest.Password(context, "test_user", "test_password")

okta-direct-auth/src/androidHostTest/kotlin/com/okta/directauth/model/DirectAuthenticationErrorCodeTest.kt

@@ -0,0 +1,48 @@
+package com.okta.directauth.model
+
+import org.junit.Assert.assertEquals
+import org.junit.Assert.fail
+import org.junit.Test
+
+class DirectAuthenticationErrorCodeTest {
+    @Test
+    fun `fromString returns correct enum for all valid codes`() {
+        DirectAuthenticationErrorCode.entries.forEach { expectedEnum ->
+            val actualEnum = DirectAuthenticationErrorCode.fromString(expectedEnum.code)
+            assertEquals(
+                "fromString should return the correct enum for code '${expectedEnum.code}'",
+                expectedEnum,
+                actualEnum
+            )
+        }
+    }
+
+    @Test
+    fun `fromString throws IllegalArgumentException for unknown code`() {
+        val unknownCode = "this_is_not_a_valid_code"
+        try {
+            DirectAuthenticationErrorCode.fromString(unknownCode)
+            fail("Expected IllegalArgumentException was not thrown for code '$unknownCode'")
+        } catch (e: IllegalArgumentException) {
+            // This is the expected outcome.
+            assertEquals("Unknown DirectAuthenticationErrorCode: $unknownCode", e.message)
+        }
+    }
+
+    @Test
+    fun `enum codes have correct string values`() {
+        assertEquals("mfa_required", DirectAuthenticationErrorCode.MFA_REQUIRED.code)
+        assertEquals("authorization_pending", DirectAuthenticationErrorCode.AUTHORIZATION_PENDING.code)
+        assertEquals("access_denied", DirectAuthenticationErrorCode.ACCESS_DENIED.code)
+        assertEquals("invalid_grant", DirectAuthenticationErrorCode.INVALID_GRANT.code)
+        assertEquals("invalid_request", DirectAuthenticationErrorCode.INVALID_REQUEST.code)
+        assertEquals("invalid_scope", DirectAuthenticationErrorCode.INVALID_SCOPE.code)
+        assertEquals("invalid_client", DirectAuthenticationErrorCode.INVALID_CLIENT.code)
+        assertEquals("unauthorized_client", DirectAuthenticationErrorCode.UNAUTHORIZED_CLIENT.code)
+        assertEquals("unsupported_grant_type", DirectAuthenticationErrorCode.UNSUPPORTED_GRANT_TYPE.code)
+        assertEquals("unsupported_response_type", DirectAuthenticationErrorCode.UNSUPPORTED_RESPONSE_TYPE.code)
+        assertEquals("temporarily_unavailable", DirectAuthenticationErrorCode.TEMPORARILY_UNAVAILABLE.code)
+        assertEquals("server_error", DirectAuthenticationErrorCode.SERVER_ERROR.code)
+    }
+}
+