Add client code and test for JWT assertion support

Author: divoxx

client_agent.go

@@ -93,6 +93,19 @@ func (c ClientAgent) RefreshToken(refreshToken, scope string) (*Authorization, e
 	})
 }
 
+// Assertion implements the assertion grant type as defined by https://tools.ietf.org/html/rfc7521
+func (c ClientAgent) Assertion(profile, assertion, scope string) (*Authorization, error) {
+	return c.doTokenRequest(url.Values{
+		"grant_type": []string{profile},
+		"assertion":  []string{assertion},
+		"scope":      []string{scope},
+	})
+}
+
+var (
+	AssertionJWT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
+)
+
 // doTokenRequest performs a request against token endpoint and returns a Authorization.
 func (c ClientAgent) doTokenRequest(params url.Values) (*Authorization, error) {
 	body := []byte(params.Encode())

integration_test.go

@@ -24,7 +24,9 @@ import (
 	"net/url"
 	"reflect"
 	"testing"
+	"time"
 
+	"github.com/gostack/jwt"
 	"github.com/gostack/oauth2"
 )
 
@@ -245,6 +247,41 @@ func TestPasswordGrantType(t *testing.T) {
 	}
 }
 
+func TestAssertionGrantType(t *testing.T) {
+	p, clt, srv := setupProvider()
+	defer srv.Close()
+
+	tk := jwt.NewToken()
+	tk.JWTID = "id"
+	tk.Issuer = "http://client.jwt.test"
+	tk.Subject = "[email protected]"
+	tk.Audience = "http://authz.jwt.test"
+	tk.Expires = time.Now().Add(time.Minute * 1)
+
+	signedTk, err := tk.Sign(clt.Secret)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	a, err := clt.Assertion(oauth2.AssertionJWT, signedTk, "basic_profile email")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	a2, err := p.GetAuthorizationByAccessToken(a.AccessToken)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if a2.Client.ID != clt.ID || a2.User.Login != "username" {
+		t.Errorf("Authorization does not match client or user")
+	}
+
+	if a2.Scope != "basic_profile email" {
+		t.Errorf("Authorization scope does not match what was requested")
+	}
+}
+
 func TestClientCredentials(t *testing.T) {
 	p, clt, srv := setupProvider()
 	defer srv.Close()