From b17c76348d13ec3706412f8f02f794f6d752f987 Mon Sep 17 00:00:00 2001
From: Thilina Shashimal Senarath
Date: Thu, 15 Aug 2024 10:13:57 +0530
Subject: [PATCH] add negative test cases

---
 .../OIDCAccessTokenAttributesTestCase.java | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oidc/OIDCAccessTokenAttributesTestCase.java b/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oidc/OIDCAccessTokenAttributesTestCase.java
index b36231bd671..e81559fea6c 100644
--- a/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oidc/OIDCAccessTokenAttributesTestCase.java
+++ b/modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oidc/OIDCAccessTokenAttributesTestCase.java
@@ -48,6 +48,7 @@ public class OIDCAccessTokenAttributesTestCase extends OIDCAbstractIntegrationTe
 private static final String OAUTH2_TOKEN_ENDPOINT_URI = "/oauth2/token";
 private static final String SERVICES = "/services";
 private OIDCApplication application;
+ private OpenIDConnectConfiguration oidcInboundConfig;
 protected String refreshToken;
 protected String sessionDataKey;
 
@@ -128,6 +129,76 @@ public void testValidateAccessTokenAttributesWithRefreshGrant() throws Exception
 Assert.assertNotNull(jwtClaimsSet.getClaim("username"), "Username is null.");
 }
 
+ @Test(groups = "wso2.is", description = "Update access token attributes of the application",
+ dependsOnMethods = "testValidateAccessTokenAttributesWithRefreshGrant")
+ public void testUpdateAccessTokenAttributes() throws Exception {
+
+ AccessTokenConfiguration accessTokenConfig = new AccessTokenConfiguration().type("JWT");
+ accessTokenConfig.setUserAccessTokenExpiryInSeconds(3600L);
+ accessTokenConfig.setApplicationAccessTokenExpiryInSeconds(3600L);
+ // Add access token attributes
+ accessTokenConfig.setAccessTokenAttributes(new ArrayList<>());
+ oidcInboundConfig.setAccessToken(accessTokenConfig);
+ updateApplicationInboundConfig(application.getApplicationId(), oidcInboundConfig, OIDC);
+
+ OpenIDConnectConfiguration updatedOidcInboundConfig =
+ getOIDCInboundDetailsOfApplication(application.getApplicationId());
+ Assert.assertTrue(updatedOidcInboundConfig.getAccessToken().getAccessTokenAttributes().isEmpty(),
+ "Access token attribute should be empty.");
+ }
+
+ @Test(groups = "wso2.is", description = "Validate access token attributes for empty allowed attributes",
+ dependsOnMethods = "testUpdateAccessTokenAttributes")
+ public void testValidateAccessTokenAttributesForEmptyAllowedAttributes() throws Exception {
+
+ Map params = new HashMap<>();
+ params.put("grant_type", OAuth2Constant.OAUTH2_GRANT_TYPE_RESOURCE_OWNER);
+ params.put("scope", "");
+ params.put("username", OIDCUtilTest.user.getUserName());
+ params.put("password", OIDCUtilTest.user.getPassword());
+
+ Response response = getResponseOfFormPostWithAuth(OAUTH2_TOKEN_ENDPOINT_URI, params, new HashMap<>(),
+ application.getClientId(), application.getClientSecret());
+
+ response.then()
+ .log().ifValidationFails()
+ .assertThat()
+ .statusCode(HttpStatus.SC_OK)
+ .body("access_token", notNullValue())
+ .body("refresh_token", notNullValue());
+
+ String accessToken = response.then().extract().path("access_token");
+ refreshToken = response.then().extract().path("refresh_token");
+ Assert.assertNotNull(accessToken, "Access token is null");
+ JWTClaimsSet jwtClaimsSet = SignedJWT.parse(accessToken).getJWTClaimsSet();
+ Assert.assertNull(jwtClaimsSet.getClaim("username"), "Username is not null.");
+ }
+
+ @Test(groups = "wso2.is", description = "Validate access token attributes for empty allowed attributes with " +
+ "refresh grant", dependsOnMethods = "testValidateAccessTokenAttributesForEmptyAllowedAttributes")
+ public void testValidateAccessTokenAttributesForEmptyAllowedAttributesWithRefreshGrant() throws Exception {
+
+ Map params = new HashMap<>();
+ params.put("grant_type", OAuth2Constant.OAUTH2_GRANT_TYPE_REFRESH_TOKEN);
+ params.put(OAuth2Constant.OAUTH2_GRANT_TYPE_REFRESH_TOKEN, refreshToken);
+
+ Response response = getResponseOfFormPostWithAuth(OAUTH2_TOKEN_ENDPOINT_URI, params, new HashMap<>(),
+ application.getClientId(), application.getClientSecret());
+
+ response.then()
+ .log().ifValidationFails()
+ .assertThat()
+ .statusCode(HttpStatus.SC_OK)
+ .body("access_token", notNullValue())
+ .body("refresh_token", notNullValue());
+
+ String accessToken = response.then().extract().path("access_token");
+ refreshToken = response.then().extract().path("refresh_token");
+ Assert.assertNotNull(accessToken, "Access token is null");
+ JWTClaimsSet jwtClaimsSet = SignedJWT.parse(accessToken).getJWTClaimsSet();
+ Assert.assertNull(jwtClaimsSet.getClaim("username"), "Username is not null.");
+ }
+
 /**
 * Invoke given endpointUri for Form POST request with given body, headers and Basic authentication credentials.
 *
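Review bot: The two negative tests only assert that the `username` claim is absent after the allowed-attribute list is emptied, which is a narrow check for the property under test (no user attribute should be copied into the JWT when the allow-list is empty); if the earlier positive tests configured more attributes than `username`, assert their absence here too, e.g. by iterating the previously allowed names and calling `Assert.assertNull(jwtClaimsSet.getClaim(name), name + " should not be present.")` — which names those are is not visible in this hunk. Both new token-request methods declare the raw `Map params = new HashMap<>();`; `Map<String, String> params = new HashMap<>();` avoids the unchecked call and matches the values actually put into it. The request/parse/assert sequence is duplicated verbatim between testValidateAccessTokenAttributesForEmptyAllowedAttributes and its refresh-grant sibling and could be a private helper taking the parameter map. The enclosing class starts and ends outside this hunk.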
@@ -186,6 +257,7 @@ private void createAccessTokenAttributesEnabledApplication(ApplicationModel appl String applicationId = addApplication(applicationModel); oidcConfig = getOIDCInboundDetailsOfApplication(applicationId); + oidcInboundConfig = oidcConfig; application.setApplicationId(applicationId); application.setClientId(oidcConfig.getClientId());