1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
|
<!DOCTYPE html>
<title>Federated Credential Management API network request tests.</title>
<link rel="help" href="https://fedidcg.github.io/FedCM">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
<body>
<script type="module">
import {alt_manifest_origin,
default_request_options,
default_alt_request_options,
request_options_with_auto_reauthn,
fedcm_test,
select_manifest,
set_fedcm_cookie} from './support/fedcm-helper.sub.js';
function loadUrlInIframe(url) {
let iframe = document.createElement("iframe");
return new Promise(resolve => {
iframe.src = url;
iframe.onload = function() { resolve(iframe); };
document.body.appendChild(iframe);
});
}
async function createIframeWithPermissionPolicyAndWaitForMessage(test, iframeUrl) {
const messageWatcher = new EventWatcher(test, window, "message");
let iframe = document.createElement("iframe");
iframe.src = iframeUrl;
iframe.allow = "identity-credentials-get";
document.body.appendChild(iframe);
const message = await messageWatcher.wait_for("message");
return message.data;
}
fedcm_test(async t => {
const cred = await navigator.credentials.get(default_request_options());
assert_equals(cred.token, "token");
}, "Successfully obtaining token should resolve the promise.");
fedcm_test(async t => {
const first = navigator.credentials.get(default_request_options());
const second = navigator.credentials.get(default_alt_request_options());
// We have to call promise_rejects_dom here, because if we call it after
// the promise gets rejected, the unhandled rejection event handler is called
// and fails the test even if we handle the rejection later.
const rej = promise_rejects_dom(t, 'AbortError', second);
const first_cred = await first;
assert_equals(first_cred.token, "token");
return rej;
},
"When there's a pending request, a second `get` call should be rejected. ");
fedcm_test(async t => {
let test_options = default_request_options();
test_options.identity.providers = [];
const cred = navigator.credentials.get(test_options);
return promise_rejects_js(t, TypeError, cred);
}, "Reject when provider list is empty");
fedcm_test(async t => {
let test_options = default_request_options();
delete test_options.identity.providers[0].configURL;
const cred = navigator.credentials.get(test_options);
return promise_rejects_js(t, TypeError, cred);
}, "Reject when configURL is missing" );
fedcm_test(async t => {
let test_options = default_request_options();
test_options.identity.providers[0].configURL = 'test';
const cred = navigator.credentials.get(test_options);
return promise_rejects_dom(t, "InvalidStateError", cred);
}, "Reject when configURL is invalid");
fedcm_test(async t => {
let test_options = default_request_options();
test_options.identity.providers[0].clientId = '';
const cred = navigator.credentials.get(test_options);
return promise_rejects_dom(t, "InvalidStateError", cred);
}, "Reject when clientId is empty");
fedcm_test(async t => {
let test_options = default_request_options();
assert_true("nonce" in test_options.identity.providers[0]);
delete test_options.identity.providers[0].nonce;
const cred = await navigator.credentials.get(test_options);
assert_equals(cred.token, "token");
}, "nonce is not required in FederatedIdentityProvider.");
fedcm_test(async t => {
let test_options = default_request_options();
delete test_options.identity.providers[0].clientId;
const cred = navigator.credentials.get(test_options);
return promise_rejects_js(t, TypeError, cred);
}, "Reject when clientId is missing" );
fedcm_test(async t => {
let controller = new AbortController();
let test_options = default_request_options();
test_options.signal = controller.signal;
const cred = navigator.credentials.get(test_options);
controller.abort();
return promise_rejects_dom(t, 'AbortError', cred);
}, "Test the abort signal");
fedcm_test(async t => {
let controller = new AbortController();
let test_options = default_request_options();
test_options.signal = controller.signal;
const first_cred = navigator.credentials.get(test_options);
controller.abort();
await promise_rejects_dom(t, 'AbortError', first_cred);
const second_cred = await navigator.credentials.get(default_request_options());
assert_equals(second_cred.token, "token");
}, "Get after abort should work");
fedcm_test(async t => {
let test_options = default_request_options('manifest-not-in-list.json');
const cred = navigator.credentials.get(test_options);
return promise_rejects_dom(t, 'NetworkError', cred);
}, 'Test that the promise is rejected if the manifest is not in the manifest list');
fedcm_test(async t => {
let test_options = default_request_options("manifest_redirect_accounts.json");
await select_manifest(t, test_options);
const cred = navigator.credentials.get(test_options);
return promise_rejects_dom(t, 'NetworkError', cred);
}, 'Test that promise is rejected if accounts endpoint redirects');
// A malicious site might impersonate an IDP, redirecting the accounts endpoint to a
// legitimate IDP in order to get the list of user accounts.
fedcm_test(async t => {
let test_options = default_request_options("manifest_redirect_token.json");
await select_manifest(t, test_options);
const cred = navigator.credentials.get(test_options);
return promise_rejects_dom(t, 'NetworkError', cred);
}, 'Test that token endpoint does not follow redirects');
// The token endpoint should not follow redirects because the user has not consented
// to share their identity with the redirect destination.
fedcm_test(async t => {
// Reset the client_metadata fetch count.
const clear_metadata_count_path = `support/fedcm/client_metadata_clear_count.py`;
await fetch(clear_metadata_count_path);
const cred = await navigator.credentials.get(default_request_options());
assert_equals(cred.token, "token");
await new Promise(resolve => {
let popup_window = window.open('support/fedcm/client_metadata.py?skip_checks=1');
const popup_window_load_handler = (event) => {
popup_window.removeEventListener('load', popup_window_load_handler);
popup_window.close();
resolve();
};
popup_window.addEventListener('load', popup_window_load_handler);
});
const client_metadata_counter = await fetch(clear_metadata_count_path);
const client_metadata_counter_text = await client_metadata_counter.text()
assert_equals(client_metadata_counter_text, "2");
}, 'Test client_metadata request');
// Test:
// - Headers sent to client metadata endpoint. (Counter is not incremented if the headers are
// wrong.)
// - That the client metadata response is not cached. If the client metadata response were
// cached, when the user visits the IDP as a first party, the IDP would be able to determine the
// last RP the user visited regardless of whether the user granted consent via the FedCM prompt.
fedcm_test(async t => {
const service_worker_url = 'support/fedcm/intercept_service_worker.js';
const sw_scope_url = '/credential-management/support/fedcm/';
// URL for querying number of page loads observed by service worker.
const query_sw_intercepts_url = 'support/fedcm/query_service_worker_intercepts.html';
const page_in_sw_scope_url = 'support/fedcm/simple.html';
const sw_registration = await service_worker_unregister_and_register(
t, service_worker_url, sw_scope_url);
t.add_cleanup(() => service_worker_unregister(t, sw_scope_url));
await wait_for_state(t, sw_registration.installing, 'activated');
// Verify that service worker works.
await loadUrlInIframe(page_in_sw_scope_url);
let query_sw_iframe = await loadUrlInIframe(query_sw_intercepts_url);
assert_equals(query_sw_iframe.contentDocument.body.textContent, "1");
await set_fedcm_cookie();
const cred = await navigator.credentials.get(default_request_options());
assert_equals(cred.token, "token");
// Use cache buster query parameter to avoid cached response.
let query_sw_iframe2 = await loadUrlInIframe(query_sw_intercepts_url + "?2");
assert_equals(query_sw_iframe2.contentDocument.body.textContent, "1");
}, 'Test that service worker cannot observe fetches performed by FedCM API');
fedcm_test(async t => {
const cred = await navigator.credentials.get(default_alt_request_options());
assert_equals(cred.token, "token");
const iframe_in_idp_scope = `${alt_manifest_origin}/\
credential-management/support/fedcm/userinfo-iframe.html`;
const message = await createIframeWithPermissionPolicyAndWaitForMessage(t, iframe_in_idp_scope);
assert_equals(message.result, "Pass");
assert_equals(message.numAccounts, 1);
assert_equals(message.firstAccountEmail, "john_doe@idp.example");
}, 'Test basic User InFo API flow');
fedcm_test(async t => {
const cred = await navigator.credentials.get(default_alt_request_options());
assert_equals(cred.token, "token");
const iframe_in_idp_scope = `support/fedcm/userinfo-iframe.html`;
const message = await createIframeWithPermissionPolicyAndWaitForMessage(t, iframe_in_idp_scope);
assert_equals(message.result, "Fail");
}, 'Test that User Info API only works when invoked from iframe that is same origin as the IDP');
fedcm_test(async t => {
const cred = await navigator.credentials.get(default_alt_request_options());
assert_equals(cred.token, "token");
try {
const manifest_path = `${alt_manifest_origin}/\
credential-management/support/fedcm/manifest.py`;
const user_info = await IdentityProvider.getUserInfo({
configURL: manifest_path,
// Approved client
clientId: '123',
});
assert_unreached("Failure message");
} catch (error) {
assert_equals(error.message, "UserInfo request must be initiated from a frame that is the same origin with the provider.");
// Expect failure
}
}, 'Test that User Info API does not work in the top frame');
fedcm_test(async t => {
let test_options = request_options_with_auto_reauthn("manifest_with_single_account.json");
await select_manifest(t, test_options);
// Signs in john_doe so that they will be a returning user
let cred = await navigator.credentials.get(test_options);
assert_equals(cred.token, "account_id=john_doe");
test_options = request_options_with_auto_reauthn("manifest_with_two_accounts.json");
await select_manifest(t, test_options);
// There are two accounts "Jane" and "John" returned in that order. Without
// auto re-authn, the first account "Jane" would be selected and an token
// would be issued to that account. However, since "John" is returning and
// "Jane" is a new user, the second account "John" will be selected.
cred = await navigator.credentials.get(test_options);
assert_equals(cred.token, "account_id=john_doe");
}, "Test that the returning account from the two accounts will be auto re-authenticated.");
</script>
|
