zitadel/internal/idp/providers/azuread/azuread_test.go

package azuread

import (
	"context"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"github.com/zitadel/oidc/v3/pkg/client/rp"
	openid "github.com/zitadel/oidc/v3/pkg/oidc"

	"github.com/zitadel/zitadel/internal/idp"
	"github.com/zitadel/zitadel/internal/idp/providers/oauth"
	"github.com/zitadel/zitadel/internal/idp/providers/oidc"
)

func TestProvider_BeginAuth(t *testing.T) {
	type fields struct {
		name         string
		clientID     string
		clientSecret string
		redirectURI  string
		scopes       []string
		options      []ProviderOptions
	}
	tests := []struct {
		name   string
		fields fields
		want   idp.Session
	}{
		{
			name: "default common tenant",
			fields: fields{
				clientID:     "clientID",
				clientSecret: "clientSecret",
				redirectURI:  "redirectURI",
			},
			want: &oidc.Session{
				AuthURL: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid+profile+email+phone+User.Read&state=testState",
			},
		},
		{
			name: "tenant",
			fields: fields{
				clientID:     "clientID",
				clientSecret: "clientSecret",
				redirectURI:  "redirectURI",
				options: []ProviderOptions{
					WithTenant(ConsumersTenant),
				},
			},
			want: &oidc.Session{
				AuthURL: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid+profile+email+phone+User.Read&state=testState",
			},
		},
		{
			name: "custom scopes",
			fields: fields{
				clientID:     "clientID",
				clientSecret: "clientSecret",
				redirectURI:  "redirectURI",
				scopes:       []string{openid.ScopeOpenID, openid.ScopeProfile, "custom"},
				options: []ProviderOptions{
					WithTenant(ConsumersTenant),
				},
			},
			want: &oidc.Session{
				AuthURL: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid+profile+custom+User.Read&state=testState",
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			a := assert.New(t)
			r := require.New(t)

			provider, err := New(tt.fields.name, tt.fields.clientID, tt.fields.clientSecret, tt.fields.redirectURI, tt.fields.scopes, tt.fields.options...)
			r.NoError(err)

			ctx := context.Background()
			session, err := provider.BeginAuth(ctx, "testState")
			r.NoError(err)

			wantAuth, wantErr := tt.want.GetAuth(ctx)
			gotAuth, gotErr := session.GetAuth(ctx)
			a.Equal(wantAuth, gotAuth)
			a.ErrorIs(gotErr, wantErr)
		})
	}
}

func TestProvider_Options(t *testing.T) {
	type fields struct {
		name         string
		clientID     string
		clientSecret string
		redirectURI  string
		scopes       []string
		options      []ProviderOptions
	}
	type want struct {
		name            string
		tenant          TenantType
		emailVerified   bool
		linkingAllowed  bool
		creationAllowed bool
		autoCreation    bool
		autoUpdate      bool
		pkce            bool
	}
	tests := []struct {
		name   string
		fields fields
		want   want
	}{
		{
			name: "default common tenant",
			fields: fields{
				name:         "default common tenant",
				clientID:     "clientID",
				clientSecret: "clientSecret",
				redirectURI:  "redirectURI",
				scopes:       nil,
				options:      nil,
			},
			want: want{
				name:            "default common tenant",
				tenant:          CommonTenant,
				emailVerified:   false,
				linkingAllowed:  false,
				creationAllowed: false,
				autoCreation:    false,
				autoUpdate:      false,
				pkce:            false,
			},
		},
		{
			name: "all set",
			fields: fields{
				name:         "custom tenant",
				clientID:     "clientID",
				clientSecret: "clientSecret",
				redirectURI:  "redirectURI",
				options: []ProviderOptions{
					WithTenant("tenant"),
					WithEmailVerified(),
					WithOAuthOptions(
						oauth.WithLinkingAllowed(),
						oauth.WithCreationAllowed(),
						oauth.WithAutoCreation(),
						oauth.WithAutoUpdate(),
						oauth.WithRelyingPartyOption(rp.WithPKCE(nil)),
					),
				},
			},
			want: want{
				name:            "custom tenant",
				tenant:          "tenant",
				emailVerified:   true,
				linkingAllowed:  true,
				creationAllowed: true,
				autoCreation:    true,
				autoUpdate:      true,
				pkce:            true,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			a := assert.New(t)

			provider, err := New(tt.fields.name, tt.fields.clientID, tt.fields.clientSecret, tt.fields.redirectURI, tt.fields.scopes, tt.fields.options...)
			require.NoError(t, err)

			a.Equal(tt.want.name, provider.Name())
			a.Equal(tt.want.tenant, provider.tenant)
			a.Equal(tt.want.emailVerified, provider.emailVerified)
			a.Equal(tt.want.linkingAllowed, provider.IsLinkingAllowed())
			a.Equal(tt.want.creationAllowed, provider.IsCreationAllowed())
			a.Equal(tt.want.autoCreation, provider.IsAutoCreation())
			a.Equal(tt.want.autoUpdate, provider.IsAutoUpdate())
			a.Equal(tt.want.pkce, provider.RelyingParty.IsPKCE())
		})
	}
}
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`package azuread`

			`import (`
			`"context"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
chore(deps): upgrade to oidc v3 (#6737) This pr upgrades oidc to v3 . Function signature changes have been migrated as well. Specifically there are more client calls that take a context now. Where feasable a context is added to those calls. Where a context is not (easily) available context.TODO() is used as a reminder for when it does. Related to #6619 2023-10-17 18:19:51 +03:00			`"github.com/zitadel/oidc/v3/pkg/client/rp"`
			`openid "github.com/zitadel/oidc/v3/pkg/oidc"`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00
			`"github.com/zitadel/zitadel/internal/idp"`
			`"github.com/zitadel/zitadel/internal/idp/providers/oauth"`
			`"github.com/zitadel/zitadel/internal/idp/providers/oidc"`
			`)`

			`func TestProvider_BeginAuth(t *testing.T) {`
			`type fields struct {`
			`name string`
			`clientID string`
			`clientSecret string`
			`redirectURI string`
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers 2023-03-15 07:48:37 +01:00			`scopes []string`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`options []ProviderOptions`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`want idp.Session`
			`}{`
			`{`
			`name: "default common tenant",`
			`fields: fields{`
			`clientID: "clientID",`
			`clientSecret: "clientSecret",`
			`redirectURI: "redirectURI",`
			`},`
			`want: &oidc.Session{`
fix: ensure minimal scope for azure ad (#5686) * fix: ensure minimal scope for azure ad * docs(idps): mention scopes which are always sent --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-04-17 09:02:16 +02:00			`AuthURL: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid+profile+email+phone+User.Read&state=testState",`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`},`
			`},`
			`{`
			`name: "tenant",`
			`fields: fields{`
			`clientID: "clientID",`
			`clientSecret: "clientSecret",`
			`redirectURI: "redirectURI",`
			`options: []ProviderOptions{`
			`WithTenant(ConsumersTenant),`
			`},`
			`},`
			`want: &oidc.Session{`
fix: ensure minimal scope for azure ad (#5686) * fix: ensure minimal scope for azure ad * docs(idps): mention scopes which are always sent --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-04-17 09:02:16 +02:00			`AuthURL: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid+profile+email+phone+User.Read&state=testState",`
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers 2023-03-15 07:48:37 +01:00			`},`
			`},`
			`{`
			`name: "custom scopes",`
			`fields: fields{`
			`clientID: "clientID",`
			`clientSecret: "clientSecret",`
			`redirectURI: "redirectURI",`
fix: ensure minimal scope for azure ad (#5686) * fix: ensure minimal scope for azure ad * docs(idps): mention scopes which are always sent --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-04-17 09:02:16 +02:00			`scopes: []string{openid.ScopeOpenID, openid.ScopeProfile, "custom"},`
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers 2023-03-15 07:48:37 +01:00			`options: []ProviderOptions{`
			`WithTenant(ConsumersTenant),`
			`},`
			`},`
			`want: &oidc.Session{`
fix: ensure minimal scope for azure ad (#5686) * fix: ensure minimal scope for azure ad * docs(idps): mention scopes which are always sent --------- Co-authored-by: adlerhurst <silvan.reusser@gmail.com> 2023-04-17 09:02:16 +02:00			`AuthURL: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=openid+profile+custom+User.Read&state=testState",`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`a := assert.New(t)`
			`r := require.New(t)`

feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers 2023-03-15 07:48:37 +01:00			`provider, err := New(tt.fields.name, tt.fields.clientID, tt.fields.clientSecret, tt.fields.redirectURI, tt.fields.scopes, tt.fields.options...)`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`r.NoError(err)`

feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-09-29 11:26:14 +02:00			`ctx := context.Background()`
			`session, err := provider.BeginAuth(ctx, "testState")`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`r.NoError(err)`

fix(api): return typed saml form post data in idp intent (#10136) <!-- Please inform yourself about the contribution guidelines on submitting a PR here: https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr. Take note of how PR/commit titles should be written and replace the template texts in the sections below. Don't remove any of the sections. It is important that the commit history clearly shows what is changed and why. Important: By submitting a contribution you agree to the terms from our Licensing Policy as described here: https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions. --> # Which Problems Are Solved The current user V2 API returns a `[]byte` containing a whole HTML document including the form on `StartIdentifyProviderIntent` for intents based on form post (e.g. SAML POST bindings). This is not usable for most clients as they cannot handle that and render a whole page inside their app. For redirect based intents, the url to which the client needs to redirect is returned. # How the Problems Are Solved - Changed the returned type to a new `FormData` message containing the url and a `fields` map. - internal changes: - Session.GetAuth now returns an `Auth` interfacce and error instead of (content string, redirect bool) - Auth interface has two implementations: `RedirectAuth` and `FormAuth` - All use of the GetAuth function now type switch on the returned auth object - A template has been added to the login UI to execute the form post automatically (as is). # Additional Changes - Some intent integration test did not check the redirect url and were wrongly configured. # Additional Context - relates to zitadel/typescript#410 2025-06-30 11:07:33 -04:00			`wantAuth, wantErr := tt.want.GetAuth(ctx)`
			`gotAuth, gotErr := session.GetAuth(ctx)`
			`a.Equal(wantAuth, gotAuth)`
			`a.ErrorIs(gotErr, wantErr)`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`})`
			`}`
			`}`

			`func TestProvider_Options(t *testing.T) {`
			`type fields struct {`
			`name string`
			`clientID string`
			`clientSecret string`
			`redirectURI string`
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers 2023-03-15 07:48:37 +01:00			`scopes []string`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`options []ProviderOptions`
			`}`
			`type want struct {`
			`name string`
			`tenant TenantType`
			`emailVerified bool`
			`linkingAllowed bool`
			`creationAllowed bool`
			`autoCreation bool`
			`autoUpdate bool`
			`pkce bool`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`want want`
			`}{`
			`{`
			`name: "default common tenant",`
			`fields: fields{`
			`name: "default common tenant",`
			`clientID: "clientID",`
			`clientSecret: "clientSecret",`
			`redirectURI: "redirectURI",`
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers 2023-03-15 07:48:37 +01:00			`scopes: nil,`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`options: nil,`
			`},`
			`want: want{`
			`name: "default common tenant",`
			`tenant: CommonTenant,`
			`emailVerified: false,`
			`linkingAllowed: false,`
			`creationAllowed: false,`
			`autoCreation: false,`
			`autoUpdate: false,`
			`pkce: false,`
			`},`
			`},`
			`{`
			`name: "all set",`
			`fields: fields{`
			`name: "custom tenant",`
			`clientID: "clientID",`
			`clientSecret: "clientSecret",`
			`redirectURI: "redirectURI",`
			`options: []ProviderOptions{`
			`WithTenant("tenant"),`
			`WithEmailVerified(),`
			`WithOAuthOptions(`
			`oauth.WithLinkingAllowed(),`
			`oauth.WithCreationAllowed(),`
			`oauth.WithAutoCreation(),`
			`oauth.WithAutoUpdate(),`
			`oauth.WithRelyingPartyOption(rp.WithPKCE(nil)),`
			`),`
			`},`
			`},`
			`want: want{`
			`name: "custom tenant",`
			`tenant: "tenant",`
			`emailVerified: true,`
			`linkingAllowed: true,`
			`creationAllowed: true,`
			`autoCreation: true,`
			`autoUpdate: true,`
			`pkce: true,`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`a := assert.New(t)`

feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers 2023-03-15 07:48:37 +01:00			`provider, err := New(tt.fields.name, tt.fields.clientID, tt.fields.clientSecret, tt.fields.redirectURI, tt.fields.scopes, tt.fields.options...)`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`require.NoError(t, err)`

			`a.Equal(tt.want.name, provider.Name())`
			`a.Equal(tt.want.tenant, provider.tenant)`
			`a.Equal(tt.want.emailVerified, provider.emailVerified)`
			`a.Equal(tt.want.linkingAllowed, provider.IsLinkingAllowed())`
			`a.Equal(tt.want.creationAllowed, provider.IsCreationAllowed())`
			`a.Equal(tt.want.autoCreation, provider.IsAutoCreation())`
			`a.Equal(tt.want.autoUpdate, provider.IsAutoUpdate())`
			`a.Equal(tt.want.pkce, provider.RelyingParty.IsPKCE())`
			`})`
			`}`
			`}`