add negative test cases

modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oidc/OIDCAccessTokenAttributesTestCase.java

@@ -48,6 +48,7 @@ public class OIDCAccessTokenAttributesTestCase extends OIDCAbstractIntegrationTe
  private static final String OAUTH2_TOKEN_ENDPOINT_URI = "/oauth2/token";
  private static final String SERVICES = "/services";
  private OIDCApplication application;
+ private OpenIDConnectConfiguration oidcInboundConfig;
  protected String refreshToken;
  protected String sessionDataKey;
 
@@ -128,6 +129,76 @@ public void testValidateAccessTokenAttributesWithRefreshGrant() throws Exception
  Assert.assertNotNull(jwtClaimsSet.getClaim("username"), "Username is null.");
  }
 
+ @Test(groups = "wso2.is", description = "Update access token attributes of the application",
+ dependsOnMethods = "testValidateAccessTokenAttributesWithRefreshGrant")
+ public void testUpdateAccessTokenAttributes() throws Exception {
+
+ AccessTokenConfiguration accessTokenConfig = new AccessTokenConfiguration().type("JWT");
+ accessTokenConfig.setUserAccessTokenExpiryInSeconds(3600L);
+ accessTokenConfig.setApplicationAccessTokenExpiryInSeconds(3600L);
+ // Add access token attributes
+ accessTokenConfig.setAccessTokenAttributes(new ArrayList<>());
+ oidcInboundConfig.setAccessToken(accessTokenConfig);
+ updateApplicationInboundConfig(application.getApplicationId(), oidcInboundConfig, OIDC);
+
+ OpenIDConnectConfiguration updatedOidcInboundConfig =
+ getOIDCInboundDetailsOfApplication(application.getApplicationId());
+ Assert.assertTrue(updatedOidcInboundConfig.getAccessToken().getAccessTokenAttributes().isEmpty(),
+ "Access token attribute should be empty.");
+ }
+
+ @Test(groups = "wso2.is", description = "Validate access token attributes for empty allowed attributes",
+ dependsOnMethods = "testUpdateAccessTokenAttributes")
+ public void testValidateAccessTokenAttributesForEmptyAllowedAttributes() throws Exception {
+
+ Map<String, String> params = new HashMap<>();
+ params.put("grant_type", OAuth2Constant.OAUTH2_GRANT_TYPE_RESOURCE_OWNER);
+ params.put("scope", "");
+ params.put("username", OIDCUtilTest.user.getUserName());
+ params.put("password", OIDCUtilTest.user.getPassword());
+
+ Response response = getResponseOfFormPostWithAuth(OAUTH2_TOKEN_ENDPOINT_URI, params, new HashMap<>(),
+ application.getClientId(), application.getClientSecret());
+
+ response.then()
+ .log().ifValidationFails()
+ .assertThat()
+ .statusCode(HttpStatus.SC_OK)
+ .body("access_token", notNullValue())
+ .body("refresh_token", notNullValue());
+
+ String accessToken = response.then().extract().path("access_token");
+ refreshToken = response.then().extract().path("refresh_token");
+ Assert.assertNotNull(accessToken, "Access token is null");
+ JWTClaimsSet jwtClaimsSet = SignedJWT.parse(accessToken).getJWTClaimsSet();
+ Assert.assertNull(jwtClaimsSet.getClaim("username"), "Username is not null.");
+ }
+
+ @Test(groups = "wso2.is", description = "Validate access token attributes for empty allowed attributes with " +
+ "refresh grant", dependsOnMethods = "testValidateAccessTokenAttributesForEmptyAllowedAttributes")
+ public void testValidateAccessTokenAttributesForEmptyAllowedAttributesWithRefreshGrant() throws Exception {
+
+ Map<String, String> params = new HashMap<>();
+ params.put("grant_type", OAuth2Constant.OAUTH2_GRANT_TYPE_REFRESH_TOKEN);
+ params.put(OAuth2Constant.OAUTH2_GRANT_TYPE_REFRESH_TOKEN, refreshToken);
+
+ Response response = getResponseOfFormPostWithAuth(OAUTH2_TOKEN_ENDPOINT_URI, params, new HashMap<>(),
+ application.getClientId(), application.getClientSecret());
+
+ response.then()
+ .log().ifValidationFails()
+ .assertThat()
+ .statusCode(HttpStatus.SC_OK)
+ .body("access_token", notNullValue())
+ .body("refresh_token", notNullValue());
+
+ String accessToken = response.then().extract().path("access_token");
+ refreshToken = response.then().extract().path("refresh_token");
+ Assert.assertNotNull(accessToken, "Access token is null");
+ JWTClaimsSet jwtClaimsSet = SignedJWT.parse(accessToken).getJWTClaimsSet();
+ Assert.assertNull(jwtClaimsSet.getClaim("username"), "Username is not null.");
+ }
+
  /**
  * Invoke given endpointUri for Form POST request with given body, headers and Basic authentication credentials.
  *
@@ -186,6 +257,7 @@ private void createAccessTokenAttributesEnabledApplication(ApplicationModel appl
 
  String applicationId = addApplication(applicationModel);
  oidcConfig = getOIDCInboundDetailsOfApplication(applicationId);
+ oidcInboundConfig = oidcConfig;
 
  application.setApplicationId(applicationId);
  application.setClientId(oidcConfig.getClientId());