diff --git a/src/zutil/Timer.java b/src/zutil/Timer.java index 83706c2..249340d 100755 --- a/src/zutil/Timer.java +++ b/src/zutil/Timer.java @@ -40,10 +40,12 @@ public class Timer { /** - * Creates a new timer that in reset state. + * Create a new timer that will timeout in a specified amount of time from now. + * + * @param millisecond the time in milliseconds that the timeout should happen. */ - public Timer(long milisec){ - this.period = milisec; + public Timer(long millisecond){ + this.period = millisecond; reset(); } diff --git a/src/zutil/net/http/page/oauth/OAuth2Registry.java b/src/zutil/net/http/page/oauth/OAuth2Registry.java index a6a7e41..d9bbf07 100644 --- a/src/zutil/net/http/page/oauth/OAuth2Registry.java +++ b/src/zutil/net/http/page/oauth/OAuth2Registry.java @@ -144,6 +144,8 @@ public class OAuth2Registry { ClientRegister reg = getClientRegistry(clientId); if (reg != null) { + boolean b1 = reg.accessTokens.containsKey(token); + boolean b2 = reg.accessTokens.get(token).hasTimedOut(); return reg.accessTokens.containsKey(token) && !reg.accessTokens.get(token).hasTimedOut(); } @@ -161,7 +163,7 @@ public class OAuth2Registry { ClientRegister reg = getClientRegistry(clientId); if (reg != null) { - reg.authCodes.put(code, new Timer(timeoutMillis)); + reg.authCodes.put(code, new Timer(timeoutMillis).start()); return timeoutMillis; } return -1; @@ -174,7 +176,7 @@ public class OAuth2Registry { ClientRegister reg = getClientRegistry(clientId); if (reg != null) { - reg.accessTokens.put(token, new Timer(timeoutMillis)); + reg.accessTokens.put(token, new Timer(timeoutMillis).start()); return timeoutMillis; } return -1; diff --git a/src/zutil/net/http/page/oauth/OAuth2TokenPage.java b/src/zutil/net/http/page/oauth/OAuth2TokenPage.java index 6eff956..1e6cd75 100644 --- a/src/zutil/net/http/page/oauth/OAuth2TokenPage.java +++ b/src/zutil/net/http/page/oauth/OAuth2TokenPage.java @@ -81,20 +81,20 @@ public class OAuth2TokenPage extends HttpJsonPage { /** The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed. **/ - protected static final String ERROR_INVALID_REQUEST = "invalid_request"; + private static final String ERROR_INVALID_REQUEST = "invalid_request"; /** Client authentication failed (e.g., unknown client, no client authentication included, or unsupported - authentication method). **/ - protected static final String ERROR_INVALID_CLIENT = "invalid_client"; + authentication method). **/ + private static final String ERROR_INVALID_CLIENT = "invalid_client"; /** The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. **/ - protected static final String ERROR_INVALID_GRANT = "invalid_grant"; + private static final String ERROR_INVALID_GRANT = "invalid_grant"; /** The authenticated client is not authorized to use this authorization grant type. **/ - protected static final String ERROR_UNAUTHORIZED_CLIENT = "unauthorized_client"; + private static final String ERROR_UNAUTHORIZED_CLIENT = "unauthorized_client"; /** The authorization grant type is not supported by the authorization server. **/ - protected static final String ERROR_UNSUPPORTED_GRANT_TYPE = "unsupported_grant_type"; + private static final String ERROR_UNSUPPORTED_GRANT_TYPE = "unsupported_grant_type"; /** The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner. **/ - protected static final String ERROR_INVALID_SCOPE = "invalid_scope"; + private static final String ERROR_INVALID_SCOPE = "invalid_scope"; private Random random = new Random(); private OAuth2Registry registry; @@ -119,18 +119,48 @@ public class OAuth2TokenPage extends HttpJsonPage { out.setHeader("Cache-Control", "no-store"); out.setHeader("Pragma", "no-cache"); + // ----------------------------------------------- + // Validate parameters + // ----------------------------------------------- + DataNode jsonRes = new DataNode(DataNode.DataType.Map); + // Validate client_id + if (!request.containsKey("client_id")) - return errorResponse(out, ERROR_INVALID_REQUEST , request.get("state"), "Missing mandatory parameter client_id."); + return errorResponse(out, ERROR_INVALID_REQUEST , request.get("state"), "Missing mandatory parameter: client_id"); String clientId = request.get("client_id"); - if (registry.isClientIdValid(clientId)) + if (!registry.isClientIdValid(clientId)) return errorResponse(out, ERROR_INVALID_CLIENT , request.get("state"), "Invalid client_id value."); + // Validate code + + if (!request.containsKey("code")) + return errorResponse(out, ERROR_INVALID_REQUEST , request.get("state"), "Missing mandatory parameter: code"); + if (!registry.isAuthorizationCodeValid(clientId, request.get("code"))) - return errorResponse(out, ERROR_INVALID_GRANT, request.get("state"), "Invalid authorization code value provided."); + return errorResponse(out, ERROR_INVALID_GRANT, request.get("state"), "Invalid authorization code value."); + + // Validate redirect_uri + + if (!request.containsKey("redirect_uri")) + return errorResponse(out, ERROR_INVALID_REQUEST , request.get("state"), "Missing mandatory parameter: redirect_uri"); + + // TODO: ensure that the "redirect_uri" parameter is present if the + // "redirect_uri" parameter was included in the initial authorization + // request as described in Section 4.1.1, and if included ensure that + // their values are identical. + + // Validate grant_type + + if (!request.containsKey("grant_type")) + return errorResponse(out, ERROR_INVALID_REQUEST , request.get("state"), "Missing mandatory parameter grant_type."); + + // ----------------------------------------------- + // Handle request + // ----------------------------------------------- String grantType = request.get("grant_type"); diff --git a/test/zutil/net/http/page/oauth/OAuth2AuthorizationPageTest.java b/test/zutil/net/http/page/oauth/OAuth2AuthorizationPageTest.java new file mode 100644 index 0000000..e73417b --- /dev/null +++ b/test/zutil/net/http/page/oauth/OAuth2AuthorizationPageTest.java @@ -0,0 +1,174 @@ +/* + * The MIT License (MIT) + * + * Copyright (c) 2020 Ziver Koc + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +package zutil.net.http.page.oauth; + +import org.junit.Before; +import org.junit.Test; +import zutil.net.http.HttpHeader; +import zutil.net.http.HttpTestUtil; +import zutil.net.http.HttpURL; + +import java.io.IOException; + +import static org.junit.Assert.*; + + +public class OAuth2AuthorizationPageTest { + + private static final String VALID_CLIENT_ID = "12345"; + private static final String VALID_REDIRECT_URI = "https://example.com"; + + private OAuth2Registry registry; + private OAuth2AuthorizationPage authPage; + + @Before + public void init(){ + registry = new OAuth2Registry(); + authPage = new OAuth2AuthorizationPage(registry); + + registry.addWhitelist(VALID_CLIENT_ID); + } + + @Test + public void invalidRedirect() throws IOException { + HttpHeader reqHeader = new HttpHeader(); + HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + + // redirect_uri and client_id not provided + + assertEquals(400, rspHeader.getResponseStatusCode()); + assertNull(rspHeader.getHeader("Location")); + + // redirect_uri not provided + + reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID); + rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + + assertEquals(400, rspHeader.getResponseStatusCode()); + assertNull(rspHeader.getHeader("Location")); + + // redirect_uri is not a valid URL + + reqHeader.setURLAttribute("redirect_uri", "invalid_url"); + rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + + assertEquals(400, rspHeader.getResponseStatusCode()); + assertNull(rspHeader.getHeader("Location")); + + // redirect_uri is not HTTPS + + reqHeader.setURLAttribute("redirect_uri", "http://example.com"); + rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + + assertEquals(400, rspHeader.getResponseStatusCode()); + assertNull(rspHeader.getHeader("Location")); + } + + @Test + public void invalidClientId() throws IOException { + HttpHeader reqHeader = new HttpHeader(); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + + // client_id not provided + + assertEquals(400, rspHeader.getResponseStatusCode()); + assertNull(rspHeader.getHeader("Location")); + + } + + @Test + public void errorInvalidRequest() throws IOException { + HttpHeader reqHeader = new HttpHeader(); + reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + + // Missing response_type + + assertEquals(302, rspHeader.getResponseStatusCode()); + HttpURL url = new HttpURL(rspHeader.getHeader("Location")); + assertNull(url.getParameter("code")); + assertEquals("invalid_request", url.getParameter("error")); + + // response_type is not code + + reqHeader.setURLAttribute("response_type", "not_code"); + rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + + assertEquals(302, rspHeader.getResponseStatusCode()); + assertNull(url.getParameter("code")); + assertEquals("invalid_request", url.getParameter("error")); + } + + /** The client is not authorized to request an authorization code using this method. **/ + @Test + public void errorUnauthorizedClient() throws IOException { + HttpHeader reqHeader = new HttpHeader(); + reqHeader.setURLAttribute("client_id", "67890"); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + + // Missing response_type + + assertEquals(302, rspHeader.getResponseStatusCode()); + HttpURL url = new HttpURL(rspHeader.getHeader("Location")); + assertNull(url.getParameter("code")); + assertEquals("unauthorized_client", url.getParameter("error")); + } + + @Test + public void requestBasic() throws IOException { + HttpHeader reqHeader = new HttpHeader(); + reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + reqHeader.setURLAttribute("response_type", "code"); + HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + + assertEquals(302, rspHeader.getResponseStatusCode()); + HttpURL url = new HttpURL(rspHeader.getHeader("Location")); + assertEquals("example.com", url.getHost()); + assertNotNull(url.getParameter("code")); + assertNull(url.getParameter("state")); + + assertTrue(registry.isAuthorizationCodeValid("12345", url.getParameter("code"))); + } + + @Test + public void requestWithState() throws IOException { + HttpHeader reqHeader = new HttpHeader(); + reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + reqHeader.setURLAttribute("response_type", "code"); + reqHeader.setURLAttribute("state", "app_state"); + HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + + assertEquals(302, rspHeader.getResponseStatusCode()); + HttpURL url = new HttpURL(rspHeader.getHeader("Location")); + assertEquals("app_state", url.getParameter("state")); + + assertTrue(registry.isAuthorizationCodeValid("12345", url.getParameter("code"))); + } +} \ No newline at end of file diff --git a/test/zutil/net/http/page/oauth/OAuth2TokenPageTest.java b/test/zutil/net/http/page/oauth/OAuth2TokenPageTest.java index 5ca11eb..c60792f 100644 --- a/test/zutil/net/http/page/oauth/OAuth2TokenPageTest.java +++ b/test/zutil/net/http/page/oauth/OAuth2TokenPageTest.java @@ -26,147 +26,154 @@ package zutil.net.http.page.oauth; import org.junit.Before; import org.junit.Test; +import zutil.io.IOUtil; import zutil.net.http.HttpHeader; import zutil.net.http.HttpTestUtil; -import zutil.net.http.HttpURL; +import zutil.parser.DataNode; +import zutil.parser.json.JSONParser; import java.io.IOException; -import java.net.MalformedURLException; import static org.junit.Assert.*; public class OAuth2TokenPageTest { + private static final String VALID_CLIENT_ID = "12345"; + private static final String VALID_REDIRECT_URI = "https://example.com"; + private static final String VALID_AUTH_CODE = "secret_code"; + private static final String VALID_GRANT_TYPE = "authorization_code"; + private OAuth2Registry registry; - private OAuth2AuthorizationPage authPage; + private OAuth2TokenPage tokenPage; @Before public void init(){ registry = new OAuth2Registry(); - authPage = new OAuth2AuthorizationPage(registry); + tokenPage = new OAuth2TokenPage(registry); + + registry.addWhitelist(VALID_CLIENT_ID); + registry.registerAuthorizationCode(VALID_CLIENT_ID, VALID_AUTH_CODE); } - @Test - public void invalidRedirect() throws IOException { - registry.addWhitelist("12345"); - HttpHeader reqHeader = new HttpHeader(); - HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); - - // redirect_uri and client_id not provided - - assertEquals(400, rspHeader.getResponseStatusCode()); - assertNull(rspHeader.getHeader("Location")); - - // redirect_uri not provided - - reqHeader.setURLAttribute("client_id", "12345"); - rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); - - assertEquals(400, rspHeader.getResponseStatusCode()); - assertNull(rspHeader.getHeader("Location")); - - // redirect_uri is not a valid URL - - reqHeader.setURLAttribute("redirect_uri", "incorrect url"); - rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); - - assertEquals(400, rspHeader.getResponseStatusCode()); - assertNull(rspHeader.getHeader("Location")); - - // redirect_uri is not HTTPS - - reqHeader.setURLAttribute("redirect_uri", "http://example.com"); - rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); - - assertEquals(400, rspHeader.getResponseStatusCode()); - assertNull(rspHeader.getHeader("Location")); - } - - @Test - public void invalidClientId() throws IOException { - HttpHeader reqHeader = new HttpHeader(); - reqHeader.setURLAttribute("redirect_uri", "https://example.com"); - HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); - - // client_id not provided - - assertEquals(400, rspHeader.getResponseStatusCode()); - assertNull(rspHeader.getHeader("Location")); - - } - - /** The request is missing a required parameter, includes an invalid parameter value, includes a parameter - more than once, or is otherwise malformed. **/ @Test public void errorInvalidRequest() throws IOException { - registry.addWhitelist("12345"); HttpHeader reqHeader = new HttpHeader(); - reqHeader.setURLAttribute("client_id", "12345"); - reqHeader.setURLAttribute("redirect_uri", "https://example.com"); - HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + HttpHeader rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader); - // Missing response_type + assertEquals(400, rspHeader.getResponseStatusCode()); + DataNode json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream())); + assertEquals("invalid_request", json.getString("error")); - assertEquals(302, rspHeader.getResponseStatusCode()); - HttpURL url = new HttpURL(rspHeader.getHeader("Location")); - assertNull(url.getParameter("code")); - assertEquals("invalid_request", url.getParameter("error")); + // Missing grant_type - // response_type is not code + reqHeader = new HttpHeader(); + reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + reqHeader.setURLAttribute("code", VALID_AUTH_CODE); + rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader); - reqHeader.setURLAttribute("response_type", "not_code"); - rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + assertEquals(400, rspHeader.getResponseStatusCode()); + json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream())); + assertEquals("invalid_request", json.getString("error")); - assertEquals(302, rspHeader.getResponseStatusCode()); - assertNull(url.getParameter("code")); - assertEquals("invalid_request", url.getParameter("error")); + // Missing code + + reqHeader = new HttpHeader(); + reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE); + rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader); + + assertEquals(400, rspHeader.getResponseStatusCode()); + json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream())); + assertEquals("invalid_request", json.getString("error")); + + // Missing redirect_uri + + reqHeader = new HttpHeader(); + reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID); + reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE); + reqHeader.setURLAttribute("code", VALID_AUTH_CODE); + rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader); + + assertEquals(400, rspHeader.getResponseStatusCode()); + json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream())); + assertEquals("invalid_request", json.getString("error")); + + // Missing client_id + + reqHeader = new HttpHeader(); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE); + reqHeader.setURLAttribute("code", VALID_AUTH_CODE); + rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader); + + assertEquals(400, rspHeader.getResponseStatusCode()); + json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream())); + assertEquals("invalid_request", json.getString("error")); } - /** The client is not authorized to request an authorization code using this method. **/ @Test - public void errorUnauthorizedClient() throws IOException { - registry.addWhitelist("12345"); + public void errorInvalidClient() throws IOException { HttpHeader reqHeader = new HttpHeader(); reqHeader.setURLAttribute("client_id", "67890"); - reqHeader.setURLAttribute("redirect_uri", "https://example.com"); - HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE); + reqHeader.setURLAttribute("code", VALID_AUTH_CODE); + HttpHeader rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader); - // Missing response_type + assertEquals(400, rspHeader.getResponseStatusCode()); + DataNode json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream())); + assertEquals("invalid_client", json.getString("error")); - assertEquals(302, rspHeader.getResponseStatusCode()); - HttpURL url = new HttpURL(rspHeader.getHeader("Location")); - assertNull(url.getParameter("code")); - assertEquals("unauthorized_client", url.getParameter("error")); } + @Test + public void errorInvalidGrant() throws IOException { + HttpHeader reqHeader = new HttpHeader(); + reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE); + reqHeader.setURLAttribute("code", "fake_code"); + HttpHeader rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader); + + assertEquals(400, rspHeader.getResponseStatusCode()); + DataNode json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream())); + assertEquals("invalid_grant", json.getString("error")); + } + + @Test + public void errorUnsupportedGrantType() throws IOException { + HttpHeader reqHeader = new HttpHeader(); + reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + reqHeader.setURLAttribute("grant_type", "fake_grant_type"); + reqHeader.setURLAttribute("code", VALID_AUTH_CODE); + HttpHeader rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader); + + assertEquals(400, rspHeader.getResponseStatusCode()); + DataNode json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream())); + assertEquals("unsupported_grant_type", json.getString("error")); + } + + @Test public void requestBasic() throws IOException { - registry.addWhitelist("12345"); HttpHeader reqHeader = new HttpHeader(); - reqHeader.setURLAttribute("client_id", "12345"); - reqHeader.setURLAttribute("redirect_uri", "https://example.com"); - reqHeader.setURLAttribute("response_type", "code"); - HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); + reqHeader.setURLAttribute("client_id", VALID_CLIENT_ID); + reqHeader.setURLAttribute("redirect_uri", VALID_REDIRECT_URI); + reqHeader.setURLAttribute("grant_type", VALID_GRANT_TYPE); + reqHeader.setURLAttribute("code", VALID_AUTH_CODE); + HttpHeader rspHeader = HttpTestUtil.makeRequest(tokenPage, reqHeader); - assertEquals(302, rspHeader.getResponseStatusCode()); - HttpURL url = new HttpURL(rspHeader.getHeader("Location")); - assertEquals("example.com", url.getHost()); - assertNotNull(url.getParameter("code")); - assertNull(url.getParameter("state")); - } + assertEquals(200, rspHeader.getResponseStatusCode()); + assertEquals("application/json", rspHeader.getHeader("Content-Type")); + DataNode json = JSONParser.read(IOUtil.readContentAsString(rspHeader.getInputStream())); + assertNotNull(json.getString("refresh_token")); + assertNotNull(json.getString("access_token")); + assertNotNull(json.getString("expires_in")); + assertEquals("bearer", json.getString("token_type")); - @Test - public void requestWithState() throws IOException { - registry.addWhitelist("12345"); - HttpHeader reqHeader = new HttpHeader(); - reqHeader.setURLAttribute("client_id", "12345"); - reqHeader.setURLAttribute("redirect_uri", "https://example.com"); - reqHeader.setURLAttribute("response_type", "code"); - reqHeader.setURLAttribute("state", "app_state"); - HttpHeader rspHeader = HttpTestUtil.makeRequest(authPage, reqHeader); - - assertEquals(302, rspHeader.getResponseStatusCode()); - HttpURL url = new HttpURL(rspHeader.getHeader("Location")); - assertEquals("app_state", url.getParameter("state")); + assertTrue(registry.isAccessTokenValid(VALID_CLIENT_ID, json.getString("access_token"))); } } \ No newline at end of file