< Return to Summary | File Generated: Tue Apr 16 2024 11:59:39 GMT+0000 (Coordinated Universal Time)

booking-partner-authentication >> authorization-code-flow

Booking Flow:

Opportunity Type:

Feature: Authentication / Booking Partner Authentication for Multiple Seller Systems (Implemented)

Test: Authorization Code Flow

The Authorization Code Flow allows Sellers to authenticate with Booking Partners

Running only this test

npm start -- --runInBand test/features/authentication/booking-partner-authentication/implemented/authorization-code-flow-test.js

Is this test failing?

The OpenActive Reference Implementation test result for this test can be used as a reference to help with debugging.

✅ 6 passed with 0 failures, 0 warnings and 0 suggestions

✅ Open ID Connect Authentication

Credentials

The test suite is using the credentials below for this test:

clientId: 28a523b4-8531-4113-96cd-045c6e114bec
clientSecret: dHolpCVVO5bMABtiqHTYeGV2lxXnWFBVq2DZrzG8TFQ

These credentials were retrieved using Dynamic Client Registration by the Broker Microservice upon startup, using the following configuration within bookingPartners.primary.authentication:

initialAccessToken: openactive_test_suite_client_12345xaq

Discovery Request

GET https://localhost:5003/.well-known/openid-configuration

accept: "application/json"
accept-encoding: "gzip, deflate, br"
host: "localhost:5003"

Response status code: 200.

{
  "issuer": "https://localhost:5003",
  "jwks_uri": "https://localhost:5003/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://localhost:5003/connect/authorize",
  "token_endpoint": "https://localhost:5003/connect/token",
  "userinfo_endpoint": "https://localhost:5003/connect/userinfo",
  "end_session_endpoint": "https://localhost:5003/connect/endsession",
  "check_session_iframe": "https://localhost:5003/connect/checksession",
  "revocation_endpoint": "https://localhost:5003/connect/revocation",
  "introspection_endpoint": "https://localhost:5003/connect/introspect",
  "device_authorization_endpoint": "https://localhost:5003/connect/deviceauthorization",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "scopes_supported": [
    "openid",
    "openactive-identity",
    "openactive-openbooking",
    "openactive-ordersfeed",
    "offline_access"
  ],
  "claims_supported": [
    "sub",
    "https://openactive.io/sellerId",
    "https://openactive.io/sellerName",
    "https://openactive.io/sellerUrl",
    "https://openactive.io/sellerLogo",
    "https://openactive.io/bookingServiceName",
    "https://openactive.io/bookingServiceUrl",
    "name",
    "https://openactive.io/clientId"
  ],
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "request_parameter_supported": true,
  "registration_endpoint": "https://localhost:5003/connect/register"
}

Authorization Code Flow - 1 Request

POST http://localhost:3000/browser-automation-for-auth

accept: "application/json, text/plain, */*"
content-type: "application/json;charset=utf-8"
content-length: 415
host: "localhost:3000"

{
  "headless": true,
  "offlineAccess": true,
  "username": "test1",
  "password": "test1",
  "authorizationUrl": "https://localhost:5003/connect/authorize?client_id=28a523b4-8531-4113-96cd-045c6e114bec&scope=openid%20openactive-openbooking%20offline_access%20openactive-identity&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcb&code_challenge=l-YEdhGg5D_NfJDe8qYgU81A3v1ai4RBl9A29op2NkY&code_challenge_method=S256"
}

Screenshot: Login page

"https://localhost:5003/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3D28a523b4-8531-4113-96cd-045c6e114bec%26scope%3Dopenid%2520openactive-openbooking%2520offline_access%2520openactive-identity%26response_type%3Dcode%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A3000%252Fcb%26code_challenge%3Dl-YEdhGg5D_NfJDe8qYgU81A3v1ai4RBl9A29op2NkY%26code_challenge_method%3DS256"

Screenshot: Login page

Screenshot: Authorization page

"https://localhost:5003/consent?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3D28a523b4-8531-4113-96cd-045c6e114bec%26scope%3Dopenid%2520openactive-openbooking%2520offline_access%2520openactive-identity%26response_type%3Dcode%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A3000%252Fcb%26code_challenge%3Dl-YEdhGg5D_NfJDe8qYgU81A3v1ai4RBl9A29op2NkY%26code_challenge_method%3DS256"

Screenshot: Authorization page

Callback URL

"/cb?code=B983B2A6F9590841DB4C754DF98785EE184B1985BB5DAED56621FA349EACFC6D&scope=openid%20openactive-openbooking%20offline_access%20openactive-identity&session_state=RIMhAQK7IqzepKI_Ie0AxmQ1wStZhIx11ZBO3LSunyU.501E9CAEE27AAB6FFB564C48B693340B"

Authorization Code Flow - 2 Request

POST https://localhost:5003/connect/token

authorization: "Basic MjhhNTIzYjQtODUzMS00MTEzLTk2Y2QtMDQ1YzZlMTE0YmVjOmRIb2xwQ1ZWTzViTUFCdGlxSFRZZUdWMmx4WG5XRkJWcTJEWnJ6RzhURlE="
accept: "application/json"
content-type: "application/x-www-form-urlencoded"
content-length: "205"
accept-encoding: "gzip, deflate, br"
host: "localhost:5003"

"grant_type=authorization_code&code=B983B2A6F9590841DB4C754DF98785EE184B1985BB5DAED56621FA349EACFC6D&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcb&code_verifier=6nzcoGNd9ND9GGlGZlQnKyiZeEYVIK6ZG49Xms4dtfs"

Response status code: 200.

{
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkIwNEY3QjkxREUzQjk0NzhDNjE4MzNGQjI0QUE1Q0RCIiwidHlwIjoiSldUIn0.eyJuYmYiOjE3MTMyNjg3ODEsImV4cCI6MTcxMzI2OTA4MSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMyIsImF1ZCI6IjI4YTUyM2I0LTg1MzEtNDExMy05NmNkLTA0NWM2ZTExNGJlYyIsImlhdCI6MTcxMzI2ODc4MSwiYXRfaGFzaCI6IjhNRGZDa2lQQzVLUXAxRDJlbGZnRVEiLCJzaWQiOiIwRkU1MUM3NzRBNzIzMTlFNThDOEM5REM3QUJFRDY0RCIsInN1YiI6IjEwMCIsImF1dGhfdGltZSI6MTcxMzI2ODc4MCwiaWRwIjoibG9jYWwiLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVyTmFtZSI6IkFjbWUgRml0bmVzcyBMdGQiLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVySWQiOiJodHRwczovL2xvY2FsaG9zdDo1MDAxL2FwaS9pZGVudGlmaWVycy9zZWxsZXJzLzEiLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVyVXJsIjoiaHR0cHM6Ly93d3cuZXhhbXBsZS5jb20iLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVyTG9nbyI6Imh0dHBzOi8vcGxhY2VraXR0ZW4uY29tLzY0MC8zNjAiLCJhbXIiOlsicHdkIl19.KR0fa98SQW-VxJjpCaGaxpvo6g1pv7cEj3Bc0SGQWbP1TsdJg3Yf3TGKbMsXbtwId3ELRFw9w71A_hEyr5stu6IHhQTcxgQRNmA0myf2Ycw3WxBzqDqYTdc7n5-Xc1Vrn9adT_FLjUPhvR7plIlUaUf4kPXl4sMi-nLUimcBaaW8p9q7LZgVbdPkGp1ycKFiTwm6g3K7HHia65B39efeiLUmPiL_0PR62z-QL8hOQAksSOtsVdaYvCkQSzLPYfYxE8k1JvV7AcDDbMuAr3KCgRLXeAhABtpXhyjIis23ebGKnZm7bntNBAlhJzbvKIlWbYu6blipaxGINmwZIDmhFQ",
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkIwNEY3QjkxREUzQjk0NzhDNjE4MzNGQjI0QUE1Q0RCIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE3MTMyNjg3ODEsImV4cCI6MTcxMzI3MjM4MSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMyIsImF1ZCI6Im9wZW5ib29raW5nIiwiY2xpZW50X2lkIjoiMjhhNTIzYjQtODUzMS00MTEzLTk2Y2QtMDQ1YzZlMTE0YmVjIiwiaHR0cHM6Ly9vcGVuYWN0aXZlLmlvL2NsaWVudElkIjoiMjhhNTIzYjQtODUzMS00MTEzLTk2Y2QtMDQ1YzZlMTE0YmVjIiwic3ViIjoiMTAwIiwiYXV0aF90aW1lIjoxNzEzMjY4NzgwLCJpZHAiOiJsb2NhbCIsImh0dHBzOi8vb3BlbmFjdGl2ZS5pby9zZWxsZXJJZCI6Imh0dHBzOi8vbG9jYWxob3N0OjUwMDEvYXBpL2lkZW50aWZpZXJzL3NlbGxlcnMvMSIsImp0aSI6IkJGN0QwQkU3MEQwMThEREMwMUQ1OTQzNEY1ODQwMzAwIiwic2lkIjoiMEZFNTFDNzc0QTcyMzE5RTU4QzhDOURDN0FCRUQ2NEQiLCJpYXQiOjE3MTMyNjg3ODEsInNjb3BlIjpbIm9wZW5pZCIsIm9wZW5hY3RpdmUtb3BlbmJvb2tpbmciLCJvcGVuYWN0aXZlLWlkZW50aXR5Iiwib2ZmbGluZV9hY2Nlc3MiXSwiYW1yIjpbInB3ZCJdfQ.YHZMKnERHBwEB10W1bjmz9qEiu9z8Ug62QyJaPiYmM96KXz796VNYmyL63rJZs_JANcnpo2H7AF_ApLFbL0t8OYcWqW1cF3nmB5zItNvTs5Em1uECuiaom-6xhgUabTtqJFO8RVuIdsfuVkyy8uxx0T94Itu9H3vLdTYdvX3dEEmNBtLL0jlnZyTkWyRM7pE7iY75VTefZNtVnBJAsSsHWFcnaYpVO2SGYrwqkGqQrL8x-lwtAgULUeonbYwHGPVhHkM2vDZAF59pVz8EmzfjBy3_Ohd1-dcBXenHD_u-N2IAzRgxACP4CE6z-1WelcQzh6mUZxT7jcsQN0fYAwoIQ",
  "expires_in": 3600,
  "token_type": "Bearer",
  "refresh_token": "0C1AE788739C3180BE7C6C159ABF9B7B8BFCB8D10DF7F5FFA6BFAE1388421D7B",
  "scope": "openid openactive-openbooking offline_access openactive-identity"
}

Authorization Code Flow - 3 Request

GET https://localhost:5003/.well-known/openid-configuration/jwks

accept: "application/json"
accept-encoding: "gzip, deflate, br"
host: "localhost:5003"

Response status code: 200.

{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "B04F7B91DE3B9478C61833FB24AA5CDB",
      "e": "AQAB",
      "n": "yZO68vCGrvfBQ5R1z0DVCRAADOWeF3aLlhOaz1Je1SnmohmmlO-1F1hkRM_4MJtR5aECMxMz-MUW1nBCPmUrH0h_rrdCdDdlk8vTHki0ixK-gO73W2ZscOCZ6L2fZ2Oqz0_I840cnSCv55zpiOk9oGJL9TEsLAWYAIyQheaqZO3BkqImuBFmaLVTckvaZeONjHDQa01rxEjRQByir6oYSZPJy54XuRQJaPuCVNeOW8r0R9rKUQf9nl7tnVvhCsU3q1-UPrs8ZW_kaYXuYQJJMk392jX6XNm6czehIYM-O8Z5eGFdR3WW7IAWYEmqTCxrCRuuKU-EEcKOwksx8gBPgQ",
      "alg": "RS256"
    }
  ]
}

Authorization Code Flow - Claims Result

id_token claims:

{
  "nbf": 1713268781,
  "exp": 1713269081,
  "iss": "https://localhost:5003",
  "aud": "28a523b4-8531-4113-96cd-045c6e114bec",
  "iat": 1713268781,
  "at_hash": "8MDfCkiPC5KQp1D2elfgEQ",
  "sid": "0FE51C774A72319E58C8C9DC7ABED64D",
  "sub": "100",
  "auth_time": 1713268780,
  "idp": "local",
  "https://openactive.io/sellerName": "Acme Fitness Ltd",
  "https://openactive.io/sellerId": "https://localhost:5001/api/identifiers/sellers/1",
  "https://openactive.io/sellerUrl": "https://www.example.com",
  "https://openactive.io/sellerLogo": "https://placekitten.com/640/360",
  "amr": [
    "pwd"
  ]
}

Refresh Token Request

POST https://localhost:5003/connect/token

authorization: "Basic MjhhNTIzYjQtODUzMS00MTEzLTk2Y2QtMDQ1YzZlMTE0YmVjOmRIb2xwQ1ZWTzViTUFCdGlxSFRZZUdWMmx4WG5XRkJWcTJEWnJ6RzhURlE="
accept: "application/json"
content-type: "application/x-www-form-urlencoded"
content-length: "103"
accept-encoding: "gzip, deflate, br"
host: "localhost:5003"

"grant_type=refresh_token&refresh_token=0C1AE788739C3180BE7C6C159ABF9B7B8BFCB8D10DF7F5FFA6BFAE1388421D7B"

Response status code: 200.

{
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkIwNEY3QjkxREUzQjk0NzhDNjE4MzNGQjI0QUE1Q0RCIiwidHlwIjoiSldUIn0.eyJuYmYiOjE3MTMyNjg3ODEsImV4cCI6MTcxMzI2OTA4MSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMyIsImF1ZCI6IjI4YTUyM2I0LTg1MzEtNDExMy05NmNkLTA0NWM2ZTExNGJlYyIsImlhdCI6MTcxMzI2ODc4MSwiYXRfaGFzaCI6IkUtaVByZHhsTVJjcV9uUUhfZ0RkZWciLCJzdWIiOiIxMDAiLCJhdXRoX3RpbWUiOjE3MTMyNjg3ODAsImlkcCI6ImxvY2FsIiwiaHR0cHM6Ly9vcGVuYWN0aXZlLmlvL3NlbGxlck5hbWUiOiJBY21lIEZpdG5lc3MgTHRkIiwiaHR0cHM6Ly9vcGVuYWN0aXZlLmlvL3NlbGxlcklkIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMS9hcGkvaWRlbnRpZmllcnMvc2VsbGVycy8xIiwiaHR0cHM6Ly9vcGVuYWN0aXZlLmlvL3NlbGxlclVybCI6Imh0dHBzOi8vd3d3LmV4YW1wbGUuY29tIiwiaHR0cHM6Ly9vcGVuYWN0aXZlLmlvL3NlbGxlckxvZ28iOiJodHRwczovL3BsYWNla2l0dGVuLmNvbS82NDAvMzYwIiwiYW1yIjpbInB3ZCJdfQ.dVlfiv8TSgcVWFCJgtWpBXwaxVpI4czemqebat_Q40NkefPWtrzeuaNW1L9EWo0oCG7hE5xqSJvX_olb0-IfZNrANjFfJiJ5-mBmyxMeVCYebqppQg5mirsp5n0zfOQ0-UxyDcRRQGu2PN_SyC9VmZ-sSsI66dYdAWab7TxFRNsV4AoQkf1zDxzgaMN_hMphA1WYlIkxV7mw_W2L0A10sQDkiHJ9tzhxyH8pTMIiljxQuLcw862ixWmiBv3A6G_1O2-G6Eu5fNVPTMfnIHXQ99971YM3w66K4XOX69Ha-aX8z5HfBgq72Vej44PTUsR02_yr-gJB00PKfw9JsxDeyQ",
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkIwNEY3QjkxREUzQjk0NzhDNjE4MzNGQjI0QUE1Q0RCIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE3MTMyNjg3ODEsImV4cCI6MTcxMzI3MjM4MSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMyIsImF1ZCI6Im9wZW5ib29raW5nIiwiY2xpZW50X2lkIjoiMjhhNTIzYjQtODUzMS00MTEzLTk2Y2QtMDQ1YzZlMTE0YmVjIiwiaHR0cHM6Ly9vcGVuYWN0aXZlLmlvL2NsaWVudElkIjoiMjhhNTIzYjQtODUzMS00MTEzLTk2Y2QtMDQ1YzZlMTE0YmVjIiwic3ViIjoiMTAwIiwiYXV0aF90aW1lIjoxNzEzMjY4NzgwLCJpZHAiOiJsb2NhbCIsImh0dHBzOi8vb3BlbmFjdGl2ZS5pby9zZWxsZXJJZCI6Imh0dHBzOi8vbG9jYWxob3N0OjUwMDEvYXBpL2lkZW50aWZpZXJzL3NlbGxlcnMvMSIsImp0aSI6IjNGOUUzQkRCMkYxQzVGM0JEQ0NDODNDQUI3QkRDQjREIiwiaWF0IjoxNzEzMjY4NzgxLCJzY29wZSI6WyJvcGVuaWQiLCJvcGVuYWN0aXZlLW9wZW5ib29raW5nIiwib3BlbmFjdGl2ZS1pZGVudGl0eSIsIm9mZmxpbmVfYWNjZXNzIl0sImFtciI6WyJwd2QiXX0.s_LdrPWiA48RkjelKnLc18jvj0TyCiBAdxNM1SxKtR0EFifhPVWlaG8WpI0vLE_Uz13szFBM2_EZRBdgar8bcAX1qYV-MDGxKvYclYAOwuEVdym_aSKNxV5Ks___htAz9XBy4MZ_NSgC2HB_ysl9fNQC2FCf8H_jxRs88wf2bdyUaQrkStziIm2LysloU9sk5aSfFTcKUfBOliUureNOGLo8eLHulyNPvdIf93YxUDX2IY9fEvciaqykeuJqF17qDeVmXF-XfTCC0pvgM2jhDcuzB2-3K2tXlPPyTqVwdqluAkLWZU0YbVtv8RQowKqjRV6p6yp-Tz-5iIol-DGiwg",
  "expires_in": 3600,
  "token_type": "Bearer",
  "refresh_token": "82EA06EF9BAEC89E764311BC9CF1FB0BC4BFD76E6ACBB0BBE68BCDF2693898D6",
  "scope": "openid openactive-openbooking openactive-identity offline_access"
}

Specs

✅ should complete Discovery successfully
✅ should complete Authorization Code Flow successfully
✅ should include expected https://openactive.io/sellerId claim in id_token
✅ should return claims within id_token as defined in specification
✅ should complete token refresh successfully