-
-
Save ZilvinasKucinskas/46d2ae78f7a9c26529e1c5de89975fca to your computer and use it in GitHub Desktop.
Additional test for token introspection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| context 'authorized using Bearer token' do | |
| let(:client) { FactoryBot.create(:application) } | |
| let(:client2) { FactoryBot.create(:application) } | |
| let(:access_token) { FactoryBot.create(:access_token, application: client) } | |
| let(:access_token2) { FactoryBot.create(:access_token, application: client2) } | |
| it 'responds with full token introspection' do | |
| request.headers['Authorization'] = "Bearer #{access_token.token}" | |
| post :introspect, params: { token: access_token.token } | |
| should_have_json 'active', true | |
| expect(json_response).to include('client_id', 'token_type', 'exp', 'iat') | |
| end | |
| # We should be able to protect this use case as describbe in RFC 7662 | |
| # If the token can be used only at certain resource servers, the authorization server MUST determine whether or not the token can be used at the resource server making the introspection call. | |
| it 'responds with full token introspection' do | |
| request.headers['Authorization'] = "Bearer #{access_token.token}" | |
| post :introspect, params: { token: access_token2.token } | |
| should_have_json 'active', true | |
| expect(json_response).to include('client_id', 'token_type', 'exp', 'iat') | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment