test: Update OIDC test to use real Solid-OIDC tokens

Discovered some weird behavior in a setup using Solid-OIDC
and wanted to make sure we test for it.

Author: joachimvh

package.json

@@ -79,6 +79,8 @@
     "@commitlint/cli": "^16.1.0",
     "@commitlint/config-conventional": "^16.0.0",
     "@comunica/bus-rdf-parse-html": "^4.4.0",
+    "@inrupt/solid-client-authn-core": "^3.1.1",
+    "@inrupt/solid-client-authn-node": "^3.1.1",
     "@types/node": "^20.19.1",
     "@typescript-eslint/eslint-plugin": "^5.12.1",
     "@typescript-eslint/parser": "^5.12.1",

test/integration/Oidc.test.ts

@@ -6,6 +6,7 @@ import { createServer, Server } from 'node:http';
 import path from 'node:path';
 import { getDefaultCssVariables, getPorts, instantiateFromConfig } from '../util/ServerUtil';
 import { findTokenEndpoint, noTokenFetch, generateCredentials } from '../util/UmaUtil';
+import { generateCssClientCredentials, generateCssClientCredentialsToken } from '../util/Util';
 
 const [ cssPort, umaPort ] = getPorts('OIDC');
 const idpPort = umaPort + 100;
@@ -21,7 +22,7 @@ describe('A server supporting OIDC tokens', (): void => {
   const oidcFormat = 'http://openid.net/specs/openid-connect-core-1_0.html#IDToken';
 
   beforeAll(async(): Promise<void> => {
-    setGlobalLoggerFactory(new WinstonLoggerFactory('off'));
+    setGlobalLoggerFactory(new WinstonLoggerFactory('info'));
 
     umaApp = await instantiateFromConfig(
       'urn:uma:default:App',
@@ -229,8 +230,7 @@ describe('A server supporting OIDC tokens', (): void => {
 
   describe('accessing a resource using a Solid OIDC token.', (): void => {
     const resource = `http://localhost:${cssPort}/alice/solid`;
-    // Using dummy server so we can spoof WebID
-    const alice =  idpUrl + 'alice/profile/card#me';
+    const alice =  `http://localhost:${cssPort}/alice/profile/card#me`;
     const policy = `
       @prefix ex: <http://example.org/>.
       @prefix odrl: <http://www.w3.org/ns/odrl/2/> .
@@ -254,30 +254,21 @@ describe('A server supporting OIDC tokens', (): void => {
       expect(response.status).toBe(201);
     });
 
-    // TODO: might want a test with an actual token from the RS IDP, but would require more steps and dependencies
     it('can get an access token.', async(): Promise<void> => {
       const { as_uri, ticket } = await noTokenFetch(resource, {
         method: 'PUT',
         headers: { 'content-type': 'text/plain' },
         body: 'hello',
       });
       const endpoint = await findTokenEndpoint(as_uri);
-
-      const jwk = await importJWK(privateKey, privateKey.alg);
-      const jwt = await new SignJWT({ webid: alice })
-        .setSubject(alice)
-        .setProtectedHeader({ alg: privateKey.alg, kid: privateKey.kid })
-        .setIssuedAt()
-        .setIssuer(idpUrl)
-        .setAudience([ 'solid', `http://localhost:${umaPort}/uma` ])
-        .setJti(randomUUID())
-        .setExpirationTime(Date.now() + 5000)
-        .sign(jwk);
+      const credentials = await generateCssClientCredentials(
+        `http://localhost:${cssPort}/`, 'alice@example.org', 'abc123', alice);
+      const token = await generateCssClientCredentialsToken(`http://localhost:${cssPort}/`, credentials.id, credentials.secret);
 
       const content: Record<string, string> = {
         grant_type: 'urn:ietf:params:oauth:grant-type:uma-ticket',
         ticket: ticket,
-        claim_token: jwt,
+        claim_token: token,
         claim_token_format: oidcFormat,
       };
 
@@ -332,6 +323,7 @@ describe('A server supporting OIDC tokens', (): void => {
       });
       const endpoint = await findTokenEndpoint(as_uri);
 
+      // Not using client credentials as we can't set the client_id that way (or I forgot how to do it)
       const jwk = await importJWK(privateKey, privateKey.alg);
       const jwt = await new SignJWT({ webid: bob, azp: client })
         .setSubject(bob)

test/util/Util.ts

@@ -1,7 +1,4 @@
-import { KeyValueStorage } from '@solid/community-server';
-import { UmaConfig } from '@solidlab/uma-css';
-import { Mocked } from 'vitest';
-
+import { joinUrl } from '@solid/community-server';
 
 /**
  * This is needed when you want to wait for all promises to resolve.
@@ -13,3 +10,52 @@ import { Mocked } from 'vitest';
 export async function flushPromises(): Promise<void> {
   return new Promise((await vi.importActual('timers')).setImmediate as any);
 }
+
+/**
+ * Registers client credentials for the given CSS account/WebID.
+ */
+export async function generateCssClientCredentials(serverUrl: string, email: string, password: string,
+  webId: string): Promise<{ id: string, secret: string }> {
+  let indexResponse = await fetch(joinUrl(serverUrl, '.account/'));
+  let { controls } = await indexResponse.json() as any;
+
+  let response = await fetch(controls.password.login, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json' },
+    body: JSON.stringify({ email, password }),
+  });
+  const { authorization } = await response.json() as any;
+
+  indexResponse = await fetch(joinUrl(serverUrl, '.account/'), {
+    headers: { authorization: `CSS-Account-Token ${authorization}` }
+  });
+  ({ controls } = await indexResponse.json() as any);
+
+  response = await fetch(controls.account.clientCredentials, {
+    method: 'POST',
+    headers: { authorization: `CSS-Account-Token ${authorization}`, 'content-type': 'application/json' },
+    body: JSON.stringify({ webId }),
+  });
+
+  return response.json() as any;
+}
+
+/**
+ * Uses the generated client credentials to request an access token.
+ */
+export async function generateCssClientCredentialsToken(serverUrl: string, id: string, secret: string):
+  Promise<string> {
+  const authString = `${encodeURIComponent(id)}:${encodeURIComponent(secret)}`;
+  const tokenUrl = joinUrl(serverUrl, '.oidc/token');
+  const response = await fetch(tokenUrl, {
+    method: 'POST',
+    headers: {
+      authorization: `Basic ${Buffer.from(authString).toString('base64')}`,
+      'content-type': 'application/x-www-form-urlencoded',
+    },
+    body: 'grant_type=client_credentials&scope=webid',
+  });
+
+  const { access_token: accessToken } = await response.json() as any;
+  return accessToken;
+}

yarn.lock

@@ -4939,6 +4939,29 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@inrupt/solid-client-authn-core@npm:^3.1.0, @inrupt/solid-client-authn-core@npm:^3.1.1":
+  version: 3.1.1
+  resolution: "@inrupt/solid-client-authn-core@npm:3.1.1"
+  dependencies:
+    events: "npm:^3.3.0"
+    jose: "npm:^5.1.3"
+    uuid: "npm:^11.1.0"
+  checksum: 10c0/837822a8df6b9bf268c6335f59859cc10331c88497b235b5c8767b5a6d74166b4972c2d4608fd956e99887d31431eddedc7ac6fdca65abfd33487c7a96c37445
+  languageName: node
+  linkType: hard
+
+"@inrupt/solid-client-authn-node@npm:^3.1.0":
+  version: 3.1.1
+  resolution: "@inrupt/solid-client-authn-node@npm:3.1.1"
+  dependencies:
+    "@inrupt/solid-client-authn-core": "npm:^3.1.1"
+    jose: "npm:^5.1.3"
+    openid-client: "npm:^5.7.1"
+    uuid: "npm:^11.1.0"
+  checksum: 10c0/f2099322e30f00e69a682e2d37bb8f209fe61304d00d865e05e9d02ded57b4a0cb4cb867ac178213376465ca8d409730cd509dface4d798b339895a216ad440b
+  languageName: node
+  linkType: hard
+
 "@ioredis/commands@npm:^1.1.1":
   version: 1.2.0
   resolution: "@ioredis/commands@npm:1.2.0"
@@ -5672,6 +5695,8 @@ __metadata:
     "@commitlint/cli": "npm:^16.1.0"
     "@commitlint/config-conventional": "npm:^16.0.0"
     "@comunica/bus-rdf-parse-html": "npm:^4.4.0"
+    "@inrupt/solid-client-authn-core": "npm:^3.1.0"
+    "@inrupt/solid-client-authn-node": "npm:^3.1.0"
     "@types/node": "npm:^20.19.1"
     "@typescript-eslint/eslint-plugin": "npm:^5.12.1"
     "@typescript-eslint/parser": "npm:^5.12.1"
@@ -9835,6 +9860,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jose@npm:^4.15.9":
+  version: 4.15.9
+  resolution: "jose@npm:4.15.9"
+  checksum: 10c0/4ed4ddf4a029db04bd167f2215f65d7245e4dc5f36d7ac3c0126aab38d66309a9e692f52df88975d99429e357e5fd8bab340ff20baab544d17684dd1d940a0f4
+  languageName: node
+  linkType: hard
+
 "jose@npm:^4.7.0":
   version: 4.15.4
   resolution: "jose@npm:4.15.4"
@@ -10953,6 +10985,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"object-hash@npm:^2.2.0":
+  version: 2.2.0
+  resolution: "object-hash@npm:2.2.0"
+  checksum: 10c0/1527de843926c5442ed61f8bdddfc7dc181b6497f725b0e89fcf50a55d9c803088763ed447cac85a5aa65345f1e99c2469ba679a54349ef3c4c0aeaa396a3eb9
+  languageName: node
+  linkType: hard
+
 "object-inspect@npm:^1.12.2":
   version: 1.13.1
   resolution: "object-inspect@npm:1.13.1"
@@ -11020,6 +11059,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"oidc-token-hash@npm:^5.0.3":
+  version: 5.2.0
+  resolution: "oidc-token-hash@npm:5.2.0"
+  checksum: 10c0/4fa9a6f0a27c0b304aa2e4a37e433e871fb2e71418b62ada7305022ed7c70a4b325a81a4ee9661bf0c456cda0acdbeb564e68659bd6fe6a192b20bdec11688ea
+  languageName: node
+  linkType: hard
+
 "on-finished@npm:^2.4.1":
   version: 2.4.1
   resolution: "on-finished@npm:2.4.1"
@@ -11065,6 +11111,18 @@ __metadata:
   languageName: node
   linkType: hard
 
+"openid-client@npm:^5.7.1":
+  version: 5.7.1
+  resolution: "openid-client@npm:5.7.1"
+  dependencies:
+    jose: "npm:^4.15.9"
+    lru-cache: "npm:^6.0.0"
+    object-hash: "npm:^2.2.0"
+    oidc-token-hash: "npm:^5.0.3"
+  checksum: 10c0/6aae649758562002eace7574b6eda02be7eddbb0df61eef497ae98b7a4a0ae4c6b09f3f0c1b9b6cb7fcc0c70bbde2576691bf31b870db1f19ab634c1def10bc7
+  languageName: node
+  linkType: hard
+
 "optionator@npm:^0.9.3":
   version: 0.9.3
   resolution: "optionator@npm:0.9.3"
@@ -13580,7 +13638,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"uuid@npm:^11.0.0":
+"uuid@npm:^11.0.0, uuid@npm:^11.1.0":
   version: 11.1.0
   resolution: "uuid@npm:11.1.0"
   bin: