< Return to Summary | File Generated: Thu May 09 2024 14:48:47 GMT+0000 (Coordinated Universal Time)

Collapse All Sections Show All Sections Show Only First Error

booking-partner-authentication >> authorization-persisted

Booking Flow:

Opportunity Type:

Feature: Authentication / Booking Partner Authentication for Multiple Seller Systems (Implemented)

Test: Authorization persists when not requesting offline access

When authorisation is requested without offline access and a user has already given permission, consent must not be required.

Running only this test

npm start -- --runInBand test/features/authentication/booking-partner-authentication/implemented/authorization-persisted-test.js

Is this test failing?

The OpenActive Reference Implementation test result for this test can be used as a reference to help with debugging.

✅ 9 passed with 0 failures, 0 warnings and 0 suggestions

✅ Open ID Connect Authentication

Credentials

The test suite is using the credentials configured by bookingPartnersForSpecificTests.authorizationPersisted.authentication.clientCredentials for this test:

• clientId: clientid_801
• clientSecret: secret

Discovery Request

GET https://localhost:5003/.well-known/openid-configuration

• accept: "application/json"
• accept-encoding: "gzip, deflate, br"
• host: "localhost:5003"

Response status code: 200.

{
  "issuer": "https://localhost:5003",
  "jwks_uri": "https://localhost:5003/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://localhost:5003/connect/authorize",
  "token_endpoint": "https://localhost:5003/connect/token",
  "userinfo_endpoint": "https://localhost:5003/connect/userinfo",
  "end_session_endpoint": "https://localhost:5003/connect/endsession",
  "check_session_iframe": "https://localhost:5003/connect/checksession",
  "revocation_endpoint": "https://localhost:5003/connect/revocation",
  "introspection_endpoint": "https://localhost:5003/connect/introspect",
  "device_authorization_endpoint": "https://localhost:5003/connect/deviceauthorization",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "scopes_supported": [
    "openid",
    "openactive-identity",
    "openactive-openbooking",
    "openactive-ordersfeed",
    "offline_access"
  ],
  "claims_supported": [
    "sub",
    "https://openactive.io/sellerId",
    "https://openactive.io/sellerName",
    "https://openactive.io/sellerUrl",
    "https://openactive.io/sellerLogo",
    "https://openactive.io/bookingServiceName",
    "https://openactive.io/bookingServiceUrl",
    "name",
    "https://openactive.io/clientId"
  ],
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "request_parameter_supported": true,
  "registration_endpoint": "https://localhost:5003/connect/register"
}

Authorization Code Flow (first attempt) - 1 Request

POST http://localhost:3000/browser-automation-for-auth

• accept: "application/json, text/plain, */*"
• content-type: "application/json;charset=utf-8"
• content-length: 349
• host: "localhost:3000"

{
  "headless": true,
  "offlineAccess": true,
  "username": "test1",
  "password": "test1",
  "authorizationUrl": "https://localhost:5003/connect/authorize?client_id=clientid_801&scope=openid%20openactive-identity&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcb&code_challenge=q5NjdT2mG2OVQ95RccOrjBf0xZZTSHxzRSGBCx9Vu14&code_challenge_method=S256"
}

Screenshot: Login page

"https://localhost:5003/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dclientid_801%26scope%3Dopenid%2520openactive-identity%26response_type%3Dcode%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A3000%252Fcb%26code_challenge%3Dq5NjdT2mG2OVQ95RccOrjBf0xZZTSHxzRSGBCx9Vu14%26code_challenge_method%3DS256"

Screenshot: Authorization page

"https://localhost:5003/consent?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dclientid_801%26scope%3Dopenid%2520openactive-identity%26response_type%3Dcode%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A3000%252Fcb%26code_challenge%3Dq5NjdT2mG2OVQ95RccOrjBf0xZZTSHxzRSGBCx9Vu14%26code_challenge_method%3DS256"

Callback URL

"/cb?code=62ACBF443783A42BDA32EB77C7E20545149120E4BBFDF09BE778AC85E8B5A4E3&scope=openid%20openactive-identity&session_state=Jrmz5rlarLqM4kezZggH7RnUg07dnN3znNQcg4A2Hag.0ADA20496DD3C7D4A8FA988EA7F5559C"

Authorization Code Flow (first attempt) - 2 Request

POST https://localhost:5003/connect/token

• authorization: "Basic Y2xpZW50aWRfODAxOnNlY3JldA=="
• accept: "application/json"
• content-type: "application/x-www-form-urlencoded"
• content-length: "205"
• accept-encoding: "gzip, deflate, br"
• host: "localhost:5003"

"grant_type=authorization_code&code=62ACBF443783A42BDA32EB77C7E20545149120E4BBFDF09BE778AC85E8B5A4E3&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcb&code_verifier=pOJq3KnsoHyV7fWi-YmGf6kfEJ7vBQmrGyciACYh_eE"

Response status code: 200.

{
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkIwNEY3QjkxREUzQjk0NzhDNjE4MzNGQjI0QUE1Q0RCIiwidHlwIjoiSldUIn0.eyJuYmYiOjE3MTUyNjYxMjksImV4cCI6MTcxNTI2NjQyOSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMyIsImF1ZCI6ImNsaWVudGlkXzgwMSIsImlhdCI6MTcxNTI2NjEyOSwiYXRfaGFzaCI6IkktWWJHdXZ3a3dlZ09ORDJLWFRtQ0EiLCJzaWQiOiI5MzY2NDlDRjA3ODBBNzEyN0Q3ODUwOUM1OTcxMzY5QSIsInN1YiI6IjEwMCIsImF1dGhfdGltZSI6MTcxNTI2NjEyOCwiaWRwIjoibG9jYWwiLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVyTmFtZSI6IkFjbWUgRml0bmVzcyBMdGQiLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVySWQiOiJodHRwczovL2xvY2FsaG9zdDo1MDAxL2FwaS9pZGVudGlmaWVycy9zZWxsZXJzLzEiLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVyVXJsIjoiaHR0cHM6Ly93d3cuZXhhbXBsZS5jb20iLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVyTG9nbyI6Imh0dHBzOi8vcGxhY2VraXR0ZW4uY29tLzY0MC8zNjAiLCJhbXIiOlsicHdkIl19.CbBnjXRBsWGOW0tuMiAej-K0IDfp5zRkpqS0OyhChHSXyMdyX36Lm_Yqy5t-VWGiaafMYCwciSIC8knFMLxPwZLwYPbwS82TEUKejuWA_L6bqJnOFU5lqCALxT5XRxAp4ycobyGCyEseHvW10CW3pPlNfyokkhwvdn4qdM7Xjzmzpl3yFvbjv_GDHT1NGjArSZb3I4nL7wFwCShEF7dZvJCrLTS-9Nu3YgPWs5CrsIX648JYL_c8T6tNLBKbrC_z4M9Ve7sSxA7O6KyhbHAvYMw0Vj_E5X81GYLX4k1nCd6-7SnRhAsFdccGifClQItchVbz5QkxSoQFg7T_1o1cTA",
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkIwNEY3QjkxREUzQjk0NzhDNjE4MzNGQjI0QUE1Q0RCIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE3MTUyNjYxMjksImV4cCI6MTcxNTI2OTcyOSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMyIsImNsaWVudF9pZCI6ImNsaWVudGlkXzgwMSIsImh0dHBzOi8vb3BlbmFjdGl2ZS5pby9jbGllbnRJZCI6ImNsaWVudGlkXzgwMSIsInN1YiI6IjEwMCIsImF1dGhfdGltZSI6MTcxNTI2NjEyOCwiaWRwIjoibG9jYWwiLCJqdGkiOiI5RTUzQjQxNEMxQ0YzNzZFODNCMTdCNDc1RDlGMkJGOCIsInNpZCI6IjkzNjY0OUNGMDc4MEE3MTI3RDc4NTA5QzU5NzEzNjlBIiwiaWF0IjoxNzE1MjY2MTI5LCJzY29wZSI6WyJvcGVuaWQiLCJvcGVuYWN0aXZlLWlkZW50aXR5Il0sImFtciI6WyJwd2QiXX0.AaOv0z71YGdMQlj-3GjjIfVErzKwuNmS_PUNL_xsTg_LQDw0R4voCyOfkxtsEKyGrG0fNczrR2QPuK1EWuSX1Pt76yEwbhyP6nWqdesLZCBCEmqVwhNokCqUMusuSkUHuNyNODqIFj6zorhBVnZ7dNxp0tTC622W52iIisOxEOCbS8-UmzkXO9_0DQ7mi13UNbvCn9klasW6fOEpsfpKzkVvRT3e8Ixbhu68YD16OaIvP-yCNxIQkcP8Gz21VlTJF_FXJTC0usJMO38NXOwg8FSmVFwVHQPhWwejYDqTIEEiKElZ9GUD6fJSSOR46xOSDbuSKonGLUX0yhN90XMLfQ",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "openid openactive-identity"
}

Authorization Code Flow (first attempt) - 3 Request

GET https://localhost:5003/.well-known/openid-configuration/jwks

• accept: "application/json"
• accept-encoding: "gzip, deflate, br"
• host: "localhost:5003"

Response status code: 200.

{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "kid": "B04F7B91DE3B9478C61833FB24AA5CDB",
      "e": "AQAB",
      "n": "yZO68vCGrvfBQ5R1z0DVCRAADOWeF3aLlhOaz1Je1SnmohmmlO-1F1hkRM_4MJtR5aECMxMz-MUW1nBCPmUrH0h_rrdCdDdlk8vTHki0ixK-gO73W2ZscOCZ6L2fZ2Oqz0_I840cnSCv55zpiOk9oGJL9TEsLAWYAIyQheaqZO3BkqImuBFmaLVTckvaZeONjHDQa01rxEjRQByir6oYSZPJy54XuRQJaPuCVNeOW8r0R9rKUQf9nl7tnVvhCsU3q1-UPrs8ZW_kaYXuYQJJMk392jX6XNm6czehIYM-O8Z5eGFdR3WW7IAWYEmqTCxrCRuuKU-EEcKOwksx8gBPgQ",
      "alg": "RS256"
    }
  ]
}

Authorization Code Flow (first attempt) - Claims Result

id_token claims:

{
  "nbf": 1715266129,
  "exp": 1715266429,
  "iss": "https://localhost:5003",
  "aud": "clientid_801",
  "iat": 1715266129,
  "at_hash": "I-YbGuvwkwegOND2KXTmCA",
  "sid": "936649CF0780A7127D78509C5971369A",
  "sub": "100",
  "auth_time": 1715266128,
  "idp": "local",
  "https://openactive.io/sellerName": "Acme Fitness Ltd",
  "https://openactive.io/sellerId": "https://localhost:5001/api/identifiers/sellers/1",
  "https://openactive.io/sellerUrl": "https://www.example.com",
  "https://openactive.io/sellerLogo": "https://placekitten.com/640/360",
  "amr": [
    "pwd"
  ]
}

Authorization Code Flow (second attempt) - 1 Request

POST http://localhost:3000/browser-automation-for-auth

• accept: "application/json, text/plain, */*"
• content-type: "application/json;charset=utf-8"
• content-length: 349
• host: "localhost:3000"

{
  "headless": true,
  "offlineAccess": true,
  "username": "test1",
  "password": "test1",
  "authorizationUrl": "https://localhost:5003/connect/authorize?client_id=clientid_801&scope=openid%20openactive-identity&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcb&code_challenge=01eDJSQKYhKdv1mQUMf_mpPTzyphL1m8TXd_uUIOHXo&code_challenge_method=S256"
}

Screenshot: Login page

"https://localhost:5003/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dclientid_801%26scope%3Dopenid%2520openactive-identity%26response_type%3Dcode%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A3000%252Fcb%26code_challenge%3D01eDJSQKYhKdv1mQUMf_mpPTzyphL1m8TXd_uUIOHXo%26code_challenge_method%3DS256"

Callback URL

"/cb?code=788F890EFCD29037E4AA0957A3DF2F99516D9CC2AB18628A59946EF3A4318D86&scope=openid%20openactive-identity&session_state=8njVBXnle3hKJvRF8Y10RsjI2ed8gW8nG9dWGN_jrA8.5AEEDAA0DAD5B586CB0385DA16F1388A"

Authorization Code Flow (second attempt) - 2 Request

POST https://localhost:5003/connect/token

• authorization: "Basic Y2xpZW50aWRfODAxOnNlY3JldA=="
• accept: "application/json"
• content-type: "application/x-www-form-urlencoded"
• content-length: "205"
• accept-encoding: "gzip, deflate, br"
• host: "localhost:5003"

"grant_type=authorization_code&code=788F890EFCD29037E4AA0957A3DF2F99516D9CC2AB18628A59946EF3A4318D86&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcb&code_verifier=Io5PBeBKzaN3sxdU6NmgIDhTyhafafPLwNqlvVhUR1Y"

Response status code: 200.

{
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkIwNEY3QjkxREUzQjk0NzhDNjE4MzNGQjI0QUE1Q0RCIiwidHlwIjoiSldUIn0.eyJuYmYiOjE3MTUyNjYxMzAsImV4cCI6MTcxNTI2NjQzMCwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMyIsImF1ZCI6ImNsaWVudGlkXzgwMSIsImlhdCI6MTcxNTI2NjEzMCwiYXRfaGFzaCI6Il9sbHA1eHo1SkZnV2lDSDQ5V05yc0EiLCJzaWQiOiI5MUUyNEQ0OUJEODA3MDg2MDlERDE3RUI2NUI1REE4MiIsInN1YiI6IjEwMCIsImF1dGhfdGltZSI6MTcxNTI2NjEzMCwiaWRwIjoibG9jYWwiLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVyTmFtZSI6IkFjbWUgRml0bmVzcyBMdGQiLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVySWQiOiJodHRwczovL2xvY2FsaG9zdDo1MDAxL2FwaS9pZGVudGlmaWVycy9zZWxsZXJzLzEiLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVyVXJsIjoiaHR0cHM6Ly93d3cuZXhhbXBsZS5jb20iLCJodHRwczovL29wZW5hY3RpdmUuaW8vc2VsbGVyTG9nbyI6Imh0dHBzOi8vcGxhY2VraXR0ZW4uY29tLzY0MC8zNjAiLCJhbXIiOlsicHdkIl19.FmgSvqgtyl3TEG_HqbweeLM31XKAkIjZ6_U8hWPsllMNWGWavsskHWpoGiEbN9AZ1vmdUxcZcSpgpPdtYK9eRf0XqdHg4kv3zE4AFRCCb5uzfxkSxinc_oVg0nQKb3LHvA1DagvlbGiBhy2ebZRDwn_AO4AH6Af2RjYxI96lkLA93uF5DyeIHXqT87kQrRdvLUeJ6GfblMTjd71A7ruaNI82AhKgRsnZXjH0l5LDakbHAVy1ZfUWVMB5zrYNdvkDWkkSq7tsk8xM3dFsSxCqe0wUq7sE3j_Wa212hmltunleDBYUusfmsTSfXuhkW_Gnq_4R7Zx_QBYXxjyduVZoow",
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkIwNEY3QjkxREUzQjk0NzhDNjE4MzNGQjI0QUE1Q0RCIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE3MTUyNjYxMzAsImV4cCI6MTcxNTI2OTczMCwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NTAwMyIsImNsaWVudF9pZCI6ImNsaWVudGlkXzgwMSIsImh0dHBzOi8vb3BlbmFjdGl2ZS5pby9jbGllbnRJZCI6ImNsaWVudGlkXzgwMSIsInN1YiI6IjEwMCIsImF1dGhfdGltZSI6MTcxNTI2NjEzMCwiaWRwIjoibG9jYWwiLCJqdGkiOiIyNzU0NEUyNDQwOTYwQzY4QjE3NzJBOTcxNDVCMTQ0RiIsInNpZCI6IjkxRTI0RDQ5QkQ4MDcwODYwOUREMTdFQjY1QjVEQTgyIiwiaWF0IjoxNzE1MjY2MTMwLCJzY29wZSI6WyJvcGVuaWQiLCJvcGVuYWN0aXZlLWlkZW50aXR5Il0sImFtciI6WyJwd2QiXX0.xR_qns2B3B-RV1c3IcIBO5LWCrvwVuMmAyGulN-owYNr66JB4MUYlw4aNbwS9l9OG8y5nZh1AbV9p8rwCejRYKcVtXx98lVZ3cRu_G0IgMcaCvDmzz3JpgRfWjdTXu_00J9SvxcQBmENdQAlh216zSxwcudKVZGTKtUxtVT_P2hlZdIxqN5X7bjuKYerEM8sE57xugrAhiOVLKSUYHRu78yYfdZhmzJfHfQCiSPl13abTTi19u8indDRRxjBpda_aD0oQCXEmvTdsuhwYo_AwVCBz9KU_y_0kCdQdcq1Vetz3zXP-vyUIKnwu5trZOnaCXIy5-a_5W_ovv1DWHCh9A",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "openid openactive-identity"
}

Authorization Code Flow (second attempt) - Claims Result

id_token claims:

{
  "nbf": 1715266130,
  "exp": 1715266430,
  "iss": "https://localhost:5003",
  "aud": "clientid_801",
  "iat": 1715266130,
  "at_hash": "_llp5xz5JFgWiCH49WNrsA",
  "sid": "91E24D49BD80708609DD17EB65B5DA82",
  "sub": "100",
  "auth_time": 1715266130,
  "idp": "local",
  "https://openactive.io/sellerName": "Acme Fitness Ltd",
  "https://openactive.io/sellerId": "https://localhost:5001/api/identifiers/sellers/1",
  "https://openactive.io/sellerUrl": "https://www.example.com",
  "https://openactive.io/sellerLogo": "https://placekitten.com/640/360",
  "amr": [
    "pwd"
  ]
}

Specs

• ✅ should complete Discovery successfully
• ✅ should complete Authorization Code Flow successfully
• ✅ should include expected https://openactive.io/sellerId claim in id_token
• ✅ should return claims within id_token as defined in specification
• ✅ should complete Authorization Code Flow successfully
• ✅ should include expected https://openactive.io/sellerId claim in id_token
• ✅ should return claims within id_token as defined in specification
• ✅ should not require a consent prompt for Authorization Code Flow (second attempt)