offline 스코프 제거, rp_claims 값 표준화

2026-06-11 14:50:26 +09:00
parent f60b15a17b
commit c495e9119b
26 changed files with 1034 additions and 300 deletions
--- a/backend/internal/handler/client_tenant_access_test.go
+++ b/backend/internal/handler/client_tenant_access_test.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"

 	"github.com/gofiber/fiber/v2"
@@ -135,6 +136,42 @@ func TestMergeRequestedScopesWithClientRequirements_AddsTenantScope(t *testing.T
 	assert.Equal(t, []string{"openid", "tenant", "profile"}, merged)
 }

+func TestMergeRequestedScopesWithClientRequirements_StripsRefreshTokenScopeAliases(t *testing.T) {
+	client := domain.HydraClient{
+		Metadata: map[string]any{
+			"tenant_access_restricted": true,
+			"structured_scopes": []map[string]any{
+				{"name": "offline", "mandatory": true},
+				{"name": "offline_access", "locked": true},
+				{"name": "email", "mandatory": true},
+			},
+		},
+	}
+
+	merged := mergeRequestedScopesWithClientRequirements(
+		client,
+		[]string{"openid", "offline", "profile", "offline_access"},
+	)
+
+	assert.Equal(t, []string{"openid", "tenant", "profile", "email"}, merged)
+}
+
+func TestBuildHydraAuthorizationURL_StripsRefreshTokenScopeAliases(t *testing.T) {
+	urlString := buildHydraAuthorizationURL(
+		"client-refresh",
+		[]string{"offline", "profile", "offline_access", "email"},
+		[]string{"https://rp.example.com/callback"},
+	)
+
+	parsed, err := url.Parse(urlString)
+	assert.NoError(t, err)
+	scopes := parsed.Query().Get("scope")
+
+	assert.Equal(t, "openid profile email", scopes)
+	assert.NotContains(t, scopes, "offline")
+	assert.NotContains(t, scopes, "offline_access")
+}
+
 func TestGetConsentRequest_DeniesTenantAccess(t *testing.T) {
 	transport := roundTripFunc(func(r *http.Request) (*http.Response, error) {
 		switch {