feat(auth): Implement ID Token validation in OIDCClient

backend/tests/test_oidc_validation.py

@@ -0,0 +1,68 @@
+import pytest
+from unittest.mock import MagicMock, patch
+from ea_chatbot.auth import OIDCClient
+from jose import jwt
+
+@pytest.fixture
+def oidc_config():
+    return {
+        "client_id": "test_id",
+        "client_secret": "test_secret",
+        "server_metadata_url": "https://example.com/.well-known/openid-configuration",
+        "redirect_uri": "http://localhost:5173/auth/callback"
+    }
+
+@pytest.fixture
+def mock_metadata():
+    return {
+        "issuer": "https://example.com",
+        "jwks_uri": "https://example.com/jwks",
+        "id_token_signing_alg_values_supported": ["RS256"]
+    }
+
+def test_oidc_validate_id_token_success(oidc_config, mock_metadata):
+    client = OIDCClient(**oidc_config)
+    
+    id_token_payload = {
+        "iss": "https://example.com",
+        "sub": "user123",
+        "aud": "test_id",
+        "nonce": "test_nonce",
+        "exp": 9999999999,
+        "iat": 1000000000
+    }
+    
+    # Mock JWT decoding, JWKS fetching, and metadata fetching
+    with patch("ea_chatbot.auth.jwt.decode") as mock_decode, \
+         patch.object(client, "fetch_jwks") as mock_fetch_jwks, \
+         patch.object(client, "fetch_metadata") as mock_fetch_metadata:
+        
+        mock_decode.return_value = id_token_payload
+        mock_fetch_metadata.return_value = mock_metadata
+        mock_fetch_jwks.return_value = {"keys": []}
+        
+        claims = client.validate_id_token("fake_token", nonce="test_nonce")
+        
+        assert claims == id_token_payload
+        mock_decode.assert_called_once()
+
+def test_oidc_validate_id_token_invalid_nonce(oidc_config, mock_metadata):
+    client = OIDCClient(**oidc_config)
+    
+    id_token_payload = {
+        "iss": "https://example.com",
+        "aud": "test_id",
+        "nonce": "wrong_nonce",
+        "exp": 9999999999
+    }
+    
+    with patch("ea_chatbot.auth.jwt.decode") as mock_decode, \
+         patch.object(client, "fetch_jwks") as mock_fetch_jwks, \
+         patch.object(client, "fetch_metadata") as mock_fetch_metadata:
+        
+        mock_decode.return_value = id_token_payload
+        mock_fetch_metadata.return_value = mock_metadata
+        mock_fetch_jwks.return_value = {"keys": []}
+        
+        with pytest.raises(ValueError, match="Invalid nonce"):
+            client.validate_id_token("fake_token", nonce="test_nonce")