Files
demo-oidc/tests
herel baef35115a fix(oidc): Add state parameter and validate nonce against login CSRF
The OIDC implicit-flow authorize request carried no state parameter and
the nonce was generated with weak Math.random() and never validated
client- or server-side, enabling login CSRF / forced authentication /
replay (AUTHZ-VULN-05).

Generate state and nonce with the Web Crypto CSPRNG, send state in the
authorize request, and validate both state and the id_token nonce claim
in the callback before storing tokens. Forward the nonce to /validate-
token so the backend also binds the id_token to the login flow.

Fixes the forged-callback fragment attack where a planted id_token with
a mismatched nonce was accepted, stored, and used by the SPA.
2026-07-08 13:34:31 +02:00
..

Testing

This directory contains tests for the OIDC validator application.

Setup

  1. Run the setup script:
    ./setup_test_env.sh
    

This will create a virtual environment and install all dependencies.

Manual setup

  1. Create and activate a virtual environment:

    python3 -m venv venv
    source venv/bin/activate
    
  2. Install application dependencies:

    pip install -r requirements.txt
    
  3. Install test dependencies:

    pip install -r requirements-test.txt
    

Running Tests

./run_tests.sh

This will automatically activate the virtual environment and run the tests.

Manual execution

  1. Activate the virtual environment:

    source venv/bin/activate
    
  2. Run tests:

    # Run all tests
    pytest
    
    # Run tests with coverage (excluding tests directory)
    pytest --cov=. --cov-config=.coveragerc
    
    # Run tests with verbose output
    pytest -v
    
  3. Deactivate the virtual environment when done:

    deactivate
    

Coverage Reports

The test suite generates coverage reports to help you understand how well the code is tested:

  • Terminal coverage report is displayed after running tests
  • HTML coverage report is generated in the htmlcov/ directory
  • The coverage configuration excludes the tests directory itself from coverage statistics

Test Structure

  • conftest.py: Contains pytest fixtures shared across tests
  • test_main.py: Tests for the main FastAPI application endpoints
  • test_token_validation.py: Tests for token validation and refresh logic
  • test_utils.py: Tests for utility functions

Test Coverage

The tests cover:

  • Health check endpoint
  • Token validation endpoint
  • Token refresh endpoint
  • Client configuration endpoint
  • Utility functions for OIDC operations
  • Error handling for various failure scenarios
  • Edge cases and invalid inputs