test: add refresh narrowing and broadening e2e

ory · Jan 2, 2023 · d4115e2 · d4115e2
1 parent 7fa97d9
commit d4115e2
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 0 deletions.
diff --git a/cypress/integration/oauth2/refresh_token.js b/cypress/integration/oauth2/refresh_token.js
@@ -89,4 +89,48 @@ describe("The OAuth 2.0 Refresh Token Grant", function () {
       })
     })
   })
+
+  it("should narrow Refresh Token scopes correctly", function () {
+    const referrer = `${Cypress.env("client_url")}/empty`
+    cy.visit(referrer, {
+      failOnStatusCode: false,
+    })
+
+    createClient({
+      scope: "offline_access openid foo bar baz",
+      redirect_uris: [referrer],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: "none",
+    }).then((client) => {
+      cy.authCodeFlowBrowser(client, {
+        consent: { scope: ["offline_access openid foo bar baz"] },
+        createClient: false,
+      }).then((originalResponse) => {
+        expect(originalResponse.status).to.eq(200)
+        expect(originalResponse.body.refresh_token).to.not.be.empty
+        expect(originalResponse.body.scope).to.eq("offline_access openid foo bar baz")
+
+        const originalToken = originalResponse.body.refresh_token
+
+        cy.refreshTokenBrowserScope(client, originalToken, "offline_access openid foo").then(
+          (refreshedResponse) => {
+            expect(refreshedResponse.status).to.eq(200)
+            expect(refreshedResponse.body.refresh_token).to.not.be.empty
+            expect(refreshedResponse.body.scope).to.eq("offline_access openid foo")
+
+            const refreshedToken = refreshedResponse.body.refresh_token
+
+            cy.refreshTokenBrowserScope(client, refreshedToken, "offline_access openid foo bar baz").then(
+              (finalRefreshedResponse) => {
+                expect(finalRefreshedResponse.status).to.eq(200)
+                expect(finalRefreshedResponse.body.refresh_token).to.not.be.empty
+                expect(finalRefreshedResponse.body.scope).to.eq("offline_access openid foo bar baz")
+              },
+            )
+          },
+        )
+      })
+    })
+  })
 })
diff --git a/cypress/support/commands.js b/cypress/support/commands.js
@@ -216,3 +216,18 @@ Cypress.Commands.add("refreshTokenBrowser", (client, token) =>
     failOnStatusCode: false,
   }),
 )
+
+Cypress.Commands.add("refreshTokenBrowserScope", (client, token, scope) =>
+  cy.request({
+    url: `${Cypress.env("public_url")}/oauth2/token`,
+    method: "POST",
+    form: true,
+    body: {
+      grant_type: "refresh_token",
+      client_id: client.client_id,
+      refresh_token: token,
+      scope: scope,
+    },
+    failOnStatusCode: false,
+  }),
+)