@@ -366,3 +366,160 @@ func TestPrivateKeyJwtTokenSourceRefresh(t *testing.T) {
366366 // Verify server received two requests
367367 assert .Equal (t , 2 , requestCount )
368368}
369+
370+ func TestPrivateKeyJwtTokenSourceErrors (t * testing.T ) {
371+ // Generate a test RSA key for valid cases
372+ privateKey , err := rsa .GenerateKey (rand .Reader , 2048 )
373+ require .NoError (t , err )
374+ privateKeyBytes := x509 .MarshalPKCS1PrivateKey (privateKey )
375+ privateKeyPEM := pem .EncodeToMemory (& pem.Block {
376+ Type : "RSA PRIVATE KEY" ,
377+ Bytes : privateKeyBytes ,
378+ })
379+
380+ t .Run ("invalid algorithm" , func (t * testing.T ) {
381+ ts := & privateKeyJwtTokenSource {
382+ ctx : context .Background (),
383+ uri : "https://example.com" ,
384+ clientID : "client-id" ,
385+ clientAssertionSigningAlg : "INVALID_ALG" , // Invalid algorithm
386+ clientAssertionSigningKey : string (privateKeyPEM ),
387+ audience : "audience" ,
388+ }
389+
390+ _ , err := ts .Token ()
391+ assert .Error (t , err )
392+ assert .Contains (t , err .Error (), "invalid algorithm" )
393+ })
394+
395+ t .Run ("invalid URI" , func (t * testing.T ) {
396+ ts := & privateKeyJwtTokenSource {
397+ ctx : context .Background (),
398+ uri : "://invalid-uri" , // Invalid URI format
399+ clientID : "client-id" ,
400+ clientAssertionSigningAlg : "RS256" ,
401+ clientAssertionSigningKey : string (privateKeyPEM ),
402+ audience : "audience" ,
403+ }
404+
405+ _ , err := ts .Token ()
406+ assert .Error (t , err )
407+ assert .Contains (t , err .Error (), "invalid URI" )
408+ })
409+
410+ t .Run ("invalid signing key" , func (t * testing.T ) {
411+ ts := & privateKeyJwtTokenSource {
412+ ctx : context .Background (),
413+ uri : "https://example.com" ,
414+ clientID : "client-id" ,
415+ clientAssertionSigningAlg : "RS256" ,
416+ clientAssertionSigningKey : "not-a-valid-key" , // Invalid key
417+ audience : "audience" ,
418+ }
419+
420+ _ , err := ts .Token ()
421+ assert .Error (t , err )
422+ assert .Contains (t , err .Error (), "failed to create client assertion" )
423+ })
424+
425+ t .Run ("token request failure" , func (t * testing.T ) {
426+ // Create a server that returns an error
427+ server := httptest .NewServer (http .HandlerFunc (func (w http.ResponseWriter , _ * http.Request ) {
428+ w .WriteHeader (http .StatusInternalServerError )
429+ w .Write ([]byte (`{"error": "server_error"}` ))
430+ }))
431+ defer server .Close ()
432+
433+ ts := & privateKeyJwtTokenSource {
434+ ctx : context .Background (),
435+ uri : server .URL ,
436+ clientID : "client-id" ,
437+ clientAssertionSigningAlg : "RS256" ,
438+ clientAssertionSigningKey : string (privateKeyPEM ),
439+ audience : "audience" ,
440+ }
441+
442+ _ , err := ts .Token ()
443+ assert .Error (t , err )
444+ assert .Contains (t , err .Error (), "token request failed" )
445+ })
446+
447+ t .Run ("connection refused error" , func (t * testing.T ) {
448+ // Create a server, then immediately close it to simulate a connection refused error
449+ server := httptest .NewServer (http .HandlerFunc (func (w http.ResponseWriter , _ * http.Request ) {}))
450+ serverURL := server .URL
451+ server .Close () // Close immediately to simulate connection failure
452+
453+ ts := & privateKeyJwtTokenSource {
454+ ctx : context .Background (),
455+ uri : serverURL ,
456+ clientID : "client-id" ,
457+ clientAssertionSigningAlg : "RS256" ,
458+ clientAssertionSigningKey : string (privateKeyPEM ),
459+ audience : "audience" ,
460+ }
461+
462+ _ , err := ts .Token ()
463+ assert .Error (t , err )
464+ assert .Contains (t , err .Error (), "token request failed" )
465+ })
466+ }
467+
468+ func TestCreateClientAssertionErrors (t * testing.T ) {
469+ // Test with invalid key
470+ t .Run ("invalid key" , func (t * testing.T ) {
471+ _ , err := CreateClientAssertion (
472+ jwa .RS256 ,
473+ "not-a-valid-key" ,
474+ "client-id" ,
475+ "https://example.com/" ,
476+ )
477+ assert .Error (t , err )
478+ assert .Contains (t , err .Error (), "failed to parse signing key" )
479+ })
480+
481+ // Test with incompatible key type
482+ t .Run ("incompatible key type" , func (t * testing.T ) {
483+ // Generate EC key
484+ ecKey , err := ecdsa .GenerateKey (elliptic .P256 (), rand .Reader )
485+ require .NoError (t , err )
486+
487+ ecKeyBytes , err := x509 .MarshalECPrivateKey (ecKey )
488+ require .NoError (t , err )
489+
490+ ecKeyPEM := pem .EncodeToMemory (& pem.Block {
491+ Type : "EC PRIVATE KEY" ,
492+ Bytes : ecKeyBytes ,
493+ })
494+
495+ // Try to use EC key with RS256
496+ _ , err = CreateClientAssertion (
497+ jwa .RS256 ,
498+ string (ecKeyPEM ),
499+ "client-id" ,
500+ "https://example.com/" ,
501+ )
502+ assert .Error (t , err )
503+ assert .Contains (t , err .Error (), "requires an RSA key" )
504+ })
505+
506+ // Test unsupported algorithm
507+ t .Run ("unsupported algorithm" , func (t * testing.T ) {
508+ privateKey , err := rsa .GenerateKey (rand .Reader , 2048 )
509+ require .NoError (t , err )
510+
511+ privateKeyBytes := x509 .MarshalPKCS1PrivateKey (privateKey )
512+ privateKeyPEM := pem .EncodeToMemory (& pem.Block {
513+ Type : "RSA PRIVATE KEY" ,
514+ Bytes : privateKeyBytes ,
515+ })
516+
517+ key , err := jwk .ParseKey (privateKeyPEM , jwk .WithPEM (true ))
518+ require .NoError (t , err )
519+
520+ // Using an unsupported algorithm
521+ err = verifyKeyCompatibility ("unsupported" /* using string instead of jwa.SignatureAlgorithm */ , key )
522+ assert .Error (t , err )
523+ assert .Contains (t , err .Error (), "unsupported algorithm" )
524+ })
525+ }
0 commit comments