11// Copyright © 2022 Ory Corp
22// SPDX-License-Identifier: Apache-2.0
33
4+ import { validate as uuidValidate } from "uuid"
5+
46import { createClient , prng , rotateJwks , validateJwt } from "../../helpers"
57
68const accessTokenStrategies = [ "opaque" , "jwt" ]
@@ -101,9 +103,6 @@ describe("The OAuth 2.0 Refresh Token Grant", function () {
101103 } )
102104 } )
103105
104- const validateJwtAndGetKid = ( token ) =>
105- validateJwt ( token ) . then ( ( { header } ) => header . kid )
106-
107106 it ( "should refresh the Access and ID Token with newly rotated keys" , function ( ) {
108107 if (
109108 accessTokenStrategy === "opaque" ||
@@ -130,26 +129,45 @@ describe("The OAuth 2.0 Refresh Token Grant", function () {
130129 scope : [ "offline_access" , "openid" ] ,
131130 } ,
132131 createClient : false ,
133- } ) . then ( ( { body : tokensBefore } ) => {
134- const kidsBefore = {
135- accessToken : validateJwtAndGetKid ( tokensBefore . access_token ) ,
136- idToken : validateJwtAndGetKid ( tokensBefore . id_token ) ,
137- }
132+ } ) . then ( ( originalResponse ) => {
133+ expect ( originalResponse . status ) . to . eq ( 200 )
134+ expect ( originalResponse . body . refresh_token ) . to . not . be . empty
135+
136+ const originalToken = originalResponse . body . refresh_token
138137
139138 rotateJwks ( "hydra.jwt.access-token" )
140139 rotateJwks ( "hydra.openid.id-token" )
141140
142- cy . refreshTokenBrowser ( client , tokensBefore . refresh_token ) . then (
143- ( { body : tokensAfter } ) => {
144- const kidsAfter = {
145- accessToken : validateJwtAndGetKid ( tokensAfter . access_token ) ,
146- idToken : validateJwtAndGetKid ( tokensAfter . id_token ) ,
147- }
148-
149- expect ( kidsAfter . accessToken ) . to . not . equal (
150- kidsBefore . accessToken ,
151- )
152- expect ( kidsAfter . idToken ) . to . not . equal ( kidsBefore . idToken )
141+ cy . refreshTokenBrowser ( client , originalToken ) . then (
142+ ( refreshedResponse ) => {
143+ expect ( refreshedResponse . status ) . to . eq ( 200 )
144+ expect ( refreshedResponse . body . refresh_token ) . to . not . be . empty
145+
146+ validateJwt ( originalResponse . body . access_token )
147+ . its ( "body.header.kid" )
148+ . then ( ( originalKid ) => {
149+ expect ( originalKid ) . to . satisfy ( uuidValidate )
150+
151+ validateJwt ( refreshedResponse . body . access_token )
152+ . its ( "body.header.kid" )
153+ . then ( ( refreshedKid ) => {
154+ expect ( refreshedKid ) . to . satisfy ( uuidValidate )
155+ expect ( refreshedKid ) . to . not . eq ( originalKid )
156+ } )
157+ } )
158+
159+ validateJwt ( originalResponse . body . id_token )
160+ . its ( "body.header.kid" )
161+ . then ( ( originalKid ) => {
162+ expect ( originalKid ) . to . satisfy ( uuidValidate )
163+
164+ validateJwt ( refreshedResponse . body . id_token )
165+ . its ( "body.header.kid" )
166+ . then ( ( refreshedKid ) => {
167+ expect ( refreshedKid ) . to . satisfy ( uuidValidate )
168+ expect ( refreshedKid ) . to . not . eq ( originalKid )
169+ } )
170+ } )
153171 } ,
154172 )
155173 } )
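Review bot: The kid-rotation check is written out twice in the refreshed-token callback (once for `access_token`, once for `id_token`, the two identical `validateJwt(...).its("body.header.kid").then(...)` chains), which re-inlines the `validateJwtAndGetKid` helper this commit deletes; folding it back into a small `expectRotatedKid(before, after)` helper keeps the test readable and makes the assertion set identical for both token types. Note also that a differing `kid` only proves a new key was used, not that the refreshed token verifies under the rotated JWKS — if `validateJwt` performs signature verification (its result is read as `body.header`, which suggests a server-side check, but that is not visible here), that is already covered; otherwise the helper would be the place to add an assertion that the refreshed kid appears in the currently published key set. The `it(...)` block is fully inside the hunk; the enclosing `describe` starts outside it.

```javascript
      } ) . then ( ( originalResponse ) => {
        // … unchanged: status/refresh_token assertions, rotateJwks calls …

        // Decode both tokens and assert the refreshed one carries a different,
        // well-formed kid than the original (i.e. it was signed with a rotated key).
        const expectRotatedKid = ( before , after ) =>
          validateJwt ( before )
            . its ( "body.header.kid" )
            . then ( ( originalKid ) => {
              expect ( originalKid ) . to . satisfy ( uuidValidate )
              validateJwt ( after )
                . its ( "body.header.kid" )
                . then ( ( refreshedKid ) => {
                  expect ( refreshedKid ) . to . satisfy ( uuidValidate )
                  expect ( refreshedKid ) . to . not . eq ( originalKid )
                } )
            } )

        cy . refreshTokenBrowser ( client , originalToken ) . then (
          ( refreshedResponse ) => {
            expect ( refreshedResponse . status ) . to . eq ( 200 )
            expect ( refreshedResponse . body . refresh_token ) . to . not . be . empty

            expectRotatedKid ( originalResponse . body . access_token , refreshedResponse . body . access_token )
            expectRotatedKid ( originalResponse . body . id_token , refreshedResponse . body . id_token )
```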