nimbus no longer permits scope param in token requests

Author: jksolbakken

build.gradle.kts

@@ -4,7 +4,7 @@ import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask
 val assertjVersion = "3.25.2"
 val kotlinLoggingVersion = "3.0.5"
 val logbackVersion = "1.4.14"
-val nimbusSdkVersion = "11.9.1"
+val nimbusSdkVersion = "11.7"
 val mockWebServerVersion = "4.12.0"
 val jacksonVersion = "2.16.1"
 val nettyVersion = "4.1.106.Final"

src/main/kotlin/no/nav/security/mock/oauth2/debugger/SessionManager.kt

@@ -66,6 +66,7 @@ class SessionManager {
                     null
                 },
             )
+
         companion object {
             const val DEBUGGER_SESSION_COOKIE = "debugger-session"
         }

src/main/kotlin/no/nav/security/mock/oauth2/http/OAuth2HttpServer.kt

@@ -102,11 +102,12 @@ MockWebServerWrapper
 
         override fun port(): Int = mockWebServer.port
 
-        override fun url(path: String): HttpUrl = mockWebServer
-            .url(path)
-            .newBuilder()
-            .host(address?.hostName ?: mockWebServer.hostName)
-            .build()
+        override fun url(path: String): HttpUrl =
+            mockWebServer
+                .url(path)
+                .newBuilder()
+                .host(address?.hostName ?: mockWebServer.hostName)
+                .build()
 
         override fun sslConfig(): Ssl? = ssl
 

src/test/kotlin/no/nav/security/mock/oauth2/e2e/InteractiveLoginIntegrationTest.kt

@@ -90,7 +90,6 @@ class InteractiveLoginIntegrationTest {
                 "client_id" to "client1",
                 "client_secret" to "secret",
                 "grant_type" to "authorization_code",
-                "scope" to "openid scope1",
                 "redirect_uri" to "http://mycallback",
                 "code" to authCode,
             ),

src/test/kotlin/no/nav/security/mock/oauth2/e2e/MockOAuth2ServerIntegrationTest.kt

@@ -115,7 +115,6 @@ class MockOAuth2ServerIntegrationTest {
                 "client_id" to "client1",
                 "client_secret" to "secret",
                 "grant_type" to "authorization_code",
-                "scope" to "openid scope1",
                 "redirect_uri" to "http://mycallback",
                 "code" to "1234",
             ),

src/test/kotlin/no/nav/security/mock/oauth2/e2e/OidcAuthorizationCodeGrantIntegrationTest.kt

@@ -56,17 +56,15 @@ class OidcAuthorizationCodeGrantIntegrationTest {
                 "client_id" to "client1",
                 "client_secret" to "secret",
                 "grant_type" to "authorization_code",
-                "scope" to "openid scope1",
                 "redirect_uri" to "http://mycallback",
                 "code" to code,
             ),
         ).toTokenResponse().asClue {
             it.accessToken shouldNotBe null
             it.idToken shouldNotBe null
             it.expiresIn shouldBeGreaterThan 0
-            it.scope shouldBe "openid scope1"
             it.idToken?.audience shouldContainExactly listOf("client1")
-            it.accessToken?.audience shouldContainExactly listOf("scope1")
+            it.accessToken?.audience shouldContainExactly listOf("default")
         }
     }
 
@@ -90,17 +88,15 @@ class OidcAuthorizationCodeGrantIntegrationTest {
                 "client_id" to "client1",
                 "client_secret" to "secret",
                 "grant_type" to "authorization_code",
-                "scope" to "openid scope1",
                 "redirect_uri" to "http://mycallback",
                 "code" to code,
             ),
         ).toTokenResponse().asClue {
             it.accessToken shouldNotBe null
             it.idToken shouldNotBe null
             it.expiresIn shouldBeGreaterThan 0
-            it.scope shouldBe "openid scope1"
             it.idToken?.audience shouldContainExactly listOf("client1")
-            it.accessToken?.audience shouldContainExactly listOf("scope1")
+            it.accessToken?.audience shouldContainExactly listOf("default")
             it.idToken?.subject shouldBe "foo"
         }
         server.shutdown()
@@ -152,7 +148,6 @@ class OidcAuthorizationCodeGrantIntegrationTest {
             "client_id" to "client1",
             "client_secret" to "secret",
             "grant_type" to "authorization_code",
-            "scope" to "openid scope1",
             "redirect_uri" to "http://mycallback",
             "code" to code,
         ).apply {

src/test/kotlin/no/nav/security/mock/oauth2/e2e/RefreshTokenGrantIntegrationTest.kt

@@ -50,7 +50,6 @@ class RefreshTokenGrantIntegrationTest {
                         "code" to authorizationCode,
                         "client_id" to "id",
                         "client_secret" to "secret",
-                        "scope" to "openid",
                         "redirect_uri" to "http://something",
                     ),
                 ).toTokenResponse()

src/test/kotlin/no/nav/security/mock/oauth2/e2e/RevocationIntegrationTest.kt

@@ -71,7 +71,6 @@ class RevocationIntegrationTest {
                 "code" to authorizationCode,
                 "client_id" to "id",
                 "client_secret" to "secret",
-                "scope" to "openid",
                 "redirect_uri" to "http://something",
             ),
         ).toTokenResponse()

src/test/kotlin/no/nav/security/mock/oauth2/examples/openidconnect/ExampleAppWithOpenIdConnect.kt

@@ -32,7 +32,6 @@ class ExampleAppWithOpenIdConnect(oidcDiscoveryUrl: String) : AbstractExampleApp
                             .post(
                                 FormBody.Builder()
                                     .add("client_id", "client1")
-                                    .add("scope", authenticationRequest().scope.toString())
                                     .add("code", code)
                                     .add("redirect_uri", exampleApp.url("/callback").toString())
                                     .add("grant_type", "authorization_code")

src/test/kotlin/no/nav/security/mock/oauth2/grant/AuthorizationCodeHandlerTest.kt

@@ -122,7 +122,6 @@ internal class AuthorizationCodeHandlerTest {
     private fun tokenRequest(
         code: String,
         redirectUri: String = "http://redirect",
-        scope: String = "openid",
     ): OAuth2HttpRequest {
         return OAuth2HttpRequest(
             headers = Headers.headersOf("Content-Type", "application/x-www-form-urlencoded"),
@@ -133,8 +132,7 @@ internal class AuthorizationCodeHandlerTest {
                     "client_id=client1&" +
                     "client_secret=secret&" +
                     "code=$code&" +
-                    "redirect_uri=$redirectUri&" +
-                    "scope=$scope",
+                    "redirect_uri=$redirectUri&"
         )
     }
 }