zitadel/internal/idp/providers/jwt/jwt_test.go

package jwt

import (
	"context"
	"errors"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"go.uber.org/mock/gomock"

	"github.com/zitadel/zitadel/internal/crypto"
	"github.com/zitadel/zitadel/internal/idp"
)

func TestProvider_BeginAuth(t *testing.T) {
	type fields struct {
		name          string
		issuer        string
		jwtEndpoint   string
		keysEndpoint  string
		headerName    string
		encryptionAlg func(t *testing.T) crypto.EncryptionAlgorithm
	}
	type args struct {
		state  string
		params []idp.Parameter
	}
	type want struct {
		session idp.Session
		err     func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		want   want
	}{
		{
			name: "missing state, error",
			fields: fields{
				issuer:       "https://jwt.com",
				jwtEndpoint:  "https://auth.com/jwt",
				keysEndpoint: "https://jwt.com/keys",
				headerName:   "jwt-header",
				encryptionAlg: func(t *testing.T) crypto.EncryptionAlgorithm {
					return crypto.CreateMockEncryptionAlg(gomock.NewController(t))
				},
			},
			args: args{
				state:  "",
				params: nil,
			},
			want: want{
				err: func(err error) bool {
					return errors.Is(err, ErrMissingState)
				},
			},
		},
		{
			name: "missing userAgentID, fallback to state",
			fields: fields{
				issuer:       "https://jwt.com",
				jwtEndpoint:  "https://auth.com/jwt",
				keysEndpoint: "https://jwt.com/keys",
				headerName:   "jwt-header",
				encryptionAlg: func(t *testing.T) crypto.EncryptionAlgorithm {
					return crypto.CreateMockEncryptionAlg(gomock.NewController(t))
				},
			},
			args: args{
				state:  "testState",
				params: nil,
			},
			want: want{
				session: &Session{AuthURL: "https://auth.com/jwt?authRequestID=testState&userAgentID=dGVzdFN0YXRl"},
			},
		},
		{
			name: "successful auth",
			fields: fields{
				issuer:       "https://jwt.com",
				jwtEndpoint:  "https://auth.com/jwt",
				keysEndpoint: "https://jwt.com/keys",
				headerName:   "jwt-header",
				encryptionAlg: func(t *testing.T) crypto.EncryptionAlgorithm {
					return crypto.CreateMockEncryptionAlg(gomock.NewController(t))
				},
			},
			args: args{
				state: "testState",
				params: []idp.Parameter{
					idp.UserAgentID("agent"),
				},
			},
			want: want{
				session: &Session{AuthURL: "https://auth.com/jwt?authRequestID=testState&userAgentID=YWdlbnQ"},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			a := assert.New(t)

			provider, err := New(
				tt.fields.name,
				tt.fields.issuer,
				tt.fields.jwtEndpoint,
				tt.fields.keysEndpoint,
				tt.fields.headerName,
				tt.fields.encryptionAlg(t),
			)
			require.NoError(t, err)

			ctx := context.Background()
			session, err := provider.BeginAuth(ctx, tt.args.state, tt.args.params...)
			if tt.want.err != nil && !tt.want.err(err) {
				a.Fail("invalid error", err)
			}
			if tt.want.err == nil {
				a.NoError(err)
				wantAuth, wantErr := tt.want.session.GetAuth(ctx)
				gotAuth, gotErr := session.GetAuth(ctx)
				a.Equal(wantAuth, gotAuth)
				a.ErrorIs(gotErr, wantErr)
			}
		})
	}
}

func TestProvider_Options(t *testing.T) {
	type fields struct {
		name          string
		issuer        string
		jwtEndpoint   string
		keysEndpoint  string
		headerName    string
		encryptionAlg func(t *testing.T) crypto.EncryptionAlgorithm
		opts          []ProviderOpts
	}
	type want struct {
		name            string
		linkingAllowed  bool
		creationAllowed bool
		autoCreation    bool
		autoUpdate      bool
		pkce            bool
	}
	tests := []struct {
		name   string
		fields fields
		want   want
	}{
		{
			name: "default",
			fields: fields{
				name:         "jwt",
				issuer:       "https://jwt.com",
				jwtEndpoint:  "https://auth.com/jwt",
				keysEndpoint: "https://jwt.com/keys",
				headerName:   "jwt-header",
				encryptionAlg: func(t *testing.T) crypto.EncryptionAlgorithm {
					return crypto.CreateMockEncryptionAlg(gomock.NewController(t))
				},
				opts: nil,
			},
			want: want{
				name:            "jwt",
				linkingAllowed:  false,
				creationAllowed: false,
				autoCreation:    false,
				autoUpdate:      false,
				pkce:            false,
			},
		},
		{
			name: "all true",
			fields: fields{
				name:         "jwt",
				issuer:       "https://jwt.com",
				jwtEndpoint:  "https://auth.com/jwt",
				keysEndpoint: "https://jwt.com/keys",
				headerName:   "jwt-header",
				encryptionAlg: func(t *testing.T) crypto.EncryptionAlgorithm {
					return crypto.CreateMockEncryptionAlg(gomock.NewController(t))
				},
				opts: []ProviderOpts{
					WithLinkingAllowed(),
					WithCreationAllowed(),
					WithAutoCreation(),
					WithAutoUpdate(),
				},
			},
			want: want{
				name:            "jwt",
				linkingAllowed:  true,
				creationAllowed: true,
				autoCreation:    true,
				autoUpdate:      true,
				pkce:            true,
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			a := assert.New(t)

			provider, err := New(
				tt.fields.name,
				tt.fields.issuer,
				tt.fields.jwtEndpoint,
				tt.fields.keysEndpoint,
				tt.fields.headerName,
				tt.fields.encryptionAlg(t),
				tt.fields.opts...,
			)
			require.NoError(t, err)

			a.Equal(tt.want.name, provider.Name())
			a.Equal(tt.want.linkingAllowed, provider.IsLinkingAllowed())
			a.Equal(tt.want.creationAllowed, provider.IsCreationAllowed())
			a.Equal(tt.want.autoCreation, provider.IsAutoCreation())
			a.Equal(tt.want.autoUpdate, provider.IsAutoUpdate())
		})
	}
}
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`package jwt`

			`import (`
			`"context"`
			`"errors"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
chore(Makefile): add go generate target (#6944) This change adds a core_generate_all make target. It installs the required tools and runs generate on the complete project. `golang/mock` is no longer maintained and a fork is available from the Uber folks. So the latter is used as tool. All the mock files have been regenerated and are part of the PR. The obsolete `tools` directory has been removed, as all the tools are now part of specific make targets. Co-authored-by: Silvan <silvan.reusser@gmail.com> 2023-11-22 12:56:43 +02:00			`"go.uber.org/mock/gomock"`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00
			`"github.com/zitadel/zitadel/internal/crypto"`
			`"github.com/zitadel/zitadel/internal/idp"`
			`)`

			`func TestProvider_BeginAuth(t *testing.T) {`
			`type fields struct {`
			`name string`
			`issuer string`
			`jwtEndpoint string`
			`keysEndpoint string`
			`headerName string`
			`encryptionAlg func(t *testing.T) crypto.EncryptionAlgorithm`
			`}`
			`type args struct {`
feat: JWT IdP intent (#9966) # Which Problems Are Solved The login v1 allowed to use JWTs as IdP using the JWT IDP. The login V2 uses idp intents for such cases, which were not yet able to handle JWT IdPs. # How the Problems Are Solved - Added handling of JWT IdPs in `StartIdPIntent` and `RetrieveIdPIntent` - The redirect returned by the start, uses the existing `authRequestID` and `userAgentID` parameter names for compatibility reasons. - Added `/idps/jwt` endpoint to handle the proxied (callback) endpoint , which extracts and validates the JWT against the configured endpoint. # Additional Changes None # Additional Context - closes #9758 2025-05-27 16:26:46 +02:00			`state string`
fix: improve login_hint usage on IDPs (#6899) * only set prompt if no login_hint is set * update to current state and cleanup 2023-11-13 10:25:26 +02:00			`params []idp.Parameter`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`}`
			`type want struct {`
			`session idp.Session`
			`err func(error) bool`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`args args`
			`want want`
			`}{`
			`{`
feat: JWT IdP intent (#9966) # Which Problems Are Solved The login v1 allowed to use JWTs as IdP using the JWT IDP. The login V2 uses idp intents for such cases, which were not yet able to handle JWT IdPs. # How the Problems Are Solved - Added handling of JWT IdPs in `StartIdPIntent` and `RetrieveIdPIntent` - The redirect returned by the start, uses the existing `authRequestID` and `userAgentID` parameter names for compatibility reasons. - Added `/idps/jwt` endpoint to handle the proxied (callback) endpoint , which extracts and validates the JWT against the configured endpoint. # Additional Changes None # Additional Context - closes #9758 2025-05-27 16:26:46 +02:00			`name: "missing state, error",`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`fields: fields{`
			`issuer: "https://jwt.com",`
			`jwtEndpoint: "https://auth.com/jwt",`
			`keysEndpoint: "https://jwt.com/keys",`
			`headerName: "jwt-header",`
			`encryptionAlg: func(t *testing.T) crypto.EncryptionAlgorithm {`
			`return crypto.CreateMockEncryptionAlg(gomock.NewController(t))`
			`},`
			`},`
			`args: args{`
feat: JWT IdP intent (#9966) # Which Problems Are Solved The login v1 allowed to use JWTs as IdP using the JWT IDP. The login V2 uses idp intents for such cases, which were not yet able to handle JWT IdPs. # How the Problems Are Solved - Added handling of JWT IdPs in `StartIdPIntent` and `RetrieveIdPIntent` - The redirect returned by the start, uses the existing `authRequestID` and `userAgentID` parameter names for compatibility reasons. - Added `/idps/jwt` endpoint to handle the proxied (callback) endpoint , which extracts and validates the JWT against the configured endpoint. # Additional Changes None # Additional Context - closes #9758 2025-05-27 16:26:46 +02:00			`state: "",`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`params: nil,`
			`},`
			`want: want{`
			`err: func(err error) bool {`
feat: JWT IdP intent (#9966) # Which Problems Are Solved The login v1 allowed to use JWTs as IdP using the JWT IDP. The login V2 uses idp intents for such cases, which were not yet able to handle JWT IdPs. # How the Problems Are Solved - Added handling of JWT IdPs in `StartIdPIntent` and `RetrieveIdPIntent` - The redirect returned by the start, uses the existing `authRequestID` and `userAgentID` parameter names for compatibility reasons. - Added `/idps/jwt` endpoint to handle the proxied (callback) endpoint , which extracts and validates the JWT against the configured endpoint. # Additional Changes None # Additional Context - closes #9758 2025-05-27 16:26:46 +02:00			`return errors.Is(err, ErrMissingState)`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`},`
			`},`
			`},`
feat: JWT IdP intent (#9966) # Which Problems Are Solved The login v1 allowed to use JWTs as IdP using the JWT IDP. The login V2 uses idp intents for such cases, which were not yet able to handle JWT IdPs. # How the Problems Are Solved - Added handling of JWT IdPs in `StartIdPIntent` and `RetrieveIdPIntent` - The redirect returned by the start, uses the existing `authRequestID` and `userAgentID` parameter names for compatibility reasons. - Added `/idps/jwt` endpoint to handle the proxied (callback) endpoint , which extracts and validates the JWT against the configured endpoint. # Additional Changes None # Additional Context - closes #9758 2025-05-27 16:26:46 +02:00			`{`
			`name: "missing userAgentID, fallback to state",`
			`fields: fields{`
			`issuer: "https://jwt.com",`
			`jwtEndpoint: "https://auth.com/jwt",`
			`keysEndpoint: "https://jwt.com/keys",`
			`headerName: "jwt-header",`
			`encryptionAlg: func(t *testing.T) crypto.EncryptionAlgorithm {`
			`return crypto.CreateMockEncryptionAlg(gomock.NewController(t))`
			`},`
			`},`
			`args: args{`
			`state: "testState",`
			`params: nil,`
			`},`
			`want: want{`
			`session: &Session{AuthURL: "https://auth.com/jwt?authRequestID=testState&userAgentID=dGVzdFN0YXRl"},`
			`},`
			`},`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`{`
			`name: "successful auth",`
			`fields: fields{`
			`issuer: "https://jwt.com",`
			`jwtEndpoint: "https://auth.com/jwt",`
			`keysEndpoint: "https://jwt.com/keys",`
			`headerName: "jwt-header",`
			`encryptionAlg: func(t *testing.T) crypto.EncryptionAlgorithm {`
			`return crypto.CreateMockEncryptionAlg(gomock.NewController(t))`
			`},`
			`},`
			`args: args{`
feat: JWT IdP intent (#9966) # Which Problems Are Solved The login v1 allowed to use JWTs as IdP using the JWT IDP. The login V2 uses idp intents for such cases, which were not yet able to handle JWT IdPs. # How the Problems Are Solved - Added handling of JWT IdPs in `StartIdPIntent` and `RetrieveIdPIntent` - The redirect returned by the start, uses the existing `authRequestID` and `userAgentID` parameter names for compatibility reasons. - Added `/idps/jwt` endpoint to handle the proxied (callback) endpoint , which extracts and validates the JWT against the configured endpoint. # Additional Changes None # Additional Context - closes #9758 2025-05-27 16:26:46 +02:00			`state: "testState",`
fix: improve login_hint usage on IDPs (#6899) * only set prompt if no login_hint is set * update to current state and cleanup 2023-11-13 10:25:26 +02:00			`params: []idp.Parameter{`
			`idp.UserAgentID("agent"),`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`},`
			`},`
			`want: want{`
			`session: &Session{AuthURL: "https://auth.com/jwt?authRequestID=testState&userAgentID=YWdlbnQ"},`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`a := assert.New(t)`

			`provider, err := New(`
			`tt.fields.name,`
			`tt.fields.issuer,`
			`tt.fields.jwtEndpoint,`
			`tt.fields.keysEndpoint,`
			`tt.fields.headerName,`
			`tt.fields.encryptionAlg(t),`
			`)`
			`require.NoError(t, err)`

feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2023-09-29 11:26:14 +02:00			`ctx := context.Background()`
feat: JWT IdP intent (#9966) # Which Problems Are Solved The login v1 allowed to use JWTs as IdP using the JWT IDP. The login V2 uses idp intents for such cases, which were not yet able to handle JWT IdPs. # How the Problems Are Solved - Added handling of JWT IdPs in `StartIdPIntent` and `RetrieveIdPIntent` - The redirect returned by the start, uses the existing `authRequestID` and `userAgentID` parameter names for compatibility reasons. - Added `/idps/jwt` endpoint to handle the proxied (callback) endpoint , which extracts and validates the JWT against the configured endpoint. # Additional Changes None # Additional Context - closes #9758 2025-05-27 16:26:46 +02:00			`session, err := provider.BeginAuth(ctx, tt.args.state, tt.args.params...)`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`if tt.want.err != nil && !tt.want.err(err) {`
			`a.Fail("invalid error", err)`
			`}`
			`if tt.want.err == nil {`
			`a.NoError(err)`
fix(api): return typed saml form post data in idp intent (#10136) <!-- Please inform yourself about the contribution guidelines on submitting a PR here: https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr. Take note of how PR/commit titles should be written and replace the template texts in the sections below. Don't remove any of the sections. It is important that the commit history clearly shows what is changed and why. Important: By submitting a contribution you agree to the terms from our Licensing Policy as described here: https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions. --> # Which Problems Are Solved The current user V2 API returns a `[]byte` containing a whole HTML document including the form on `StartIdentifyProviderIntent` for intents based on form post (e.g. SAML POST bindings). This is not usable for most clients as they cannot handle that and render a whole page inside their app. For redirect based intents, the url to which the client needs to redirect is returned. # How the Problems Are Solved - Changed the returned type to a new `FormData` message containing the url and a `fields` map. - internal changes: - Session.GetAuth now returns an `Auth` interfacce and error instead of (content string, redirect bool) - Auth interface has two implementations: `RedirectAuth` and `FormAuth` - All use of the GetAuth function now type switch on the returned auth object - A template has been added to the login UI to execute the form post automatically (as is). # Additional Changes - Some intent integration test did not check the redirect url and were wrongly configured. # Additional Context - relates to zitadel/typescript#410 2025-06-30 11:07:33 -04:00			`wantAuth, wantErr := tt.want.session.GetAuth(ctx)`
			`gotAuth, gotErr := session.GetAuth(ctx)`
			`a.Equal(wantAuth, gotAuth)`
			`a.ErrorIs(gotErr, wantErr)`
feat: add basic structure of idp templates (#5053) add basic structure and implement first providers for IDP templates to be able to manage and use them in the future 2023-01-23 08:11:40 +01:00			`}`
			`})`
			`}`
			`}`

			`func TestProvider_Options(t *testing.T) {`
			`type fields struct {`
			`name string`
			`issuer string`
			`jwtEndpoint string`
			`keysEndpoint string`
			`headerName string`
			`encryptionAlg func(t *testing.T) crypto.EncryptionAlgorithm`
			`opts []ProviderOpts`
			`}`
			`type want struct {`
			`name string`
			`linkingAllowed bool`
			`creationAllowed bool`
			`autoCreation bool`
			`autoUpdate bool`
			`pkce bool`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`want want`
			`}{`
			`{`
			`name: "default",`
			`fields: fields{`
			`name: "jwt",`
			`issuer: "https://jwt.com",`
			`jwtEndpoint: "https://auth.com/jwt",`
			`keysEndpoint: "https://jwt.com/keys",`
			`headerName: "jwt-header",`
			`encryptionAlg: func(t *testing.T) crypto.EncryptionAlgorithm {`
			`return crypto.CreateMockEncryptionAlg(gomock.NewController(t))`
			`},`
			`opts: nil,`
			`},`
			`want: want{`
			`name: "jwt",`
			`linkingAllowed: false,`
			`creationAllowed: false,`
			`autoCreation: false,`
			`autoUpdate: false,`
			`pkce: false,`
			`},`
			`},`
			`{`
			`name: "all true",`
			`fields: fields{`
			`name: "jwt",`
			`issuer: "https://jwt.com",`
			`jwtEndpoint: "https://auth.com/jwt",`
			`keysEndpoint: "https://jwt.com/keys",`
			`headerName: "jwt-header",`
			`encryptionAlg: func(t *testing.T) crypto.EncryptionAlgorithm {`
			`return crypto.CreateMockEncryptionAlg(gomock.NewController(t))`
			`},`
			`opts: []ProviderOpts{`
			`WithLinkingAllowed(),`
			`WithCreationAllowed(),`
			`WithAutoCreation(),`
			`WithAutoUpdate(),`
			`},`
			`},`
			`want: want{`
			`name: "jwt",`
			`linkingAllowed: true,`
			`creationAllowed: true,`
			`autoCreation: true,`
			`autoUpdate: true,`
			`pkce: true,`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`a := assert.New(t)`

			`provider, err := New(`
			`tt.fields.name,`
			`tt.fields.issuer,`
			`tt.fields.jwtEndpoint,`
			`tt.fields.keysEndpoint,`
			`tt.fields.headerName,`
			`tt.fields.encryptionAlg(t),`
			`tt.fields.opts...,`
			`)`
			`require.NoError(t, err)`

			`a.Equal(tt.want.name, provider.Name())`
			`a.Equal(tt.want.linkingAllowed, provider.IsLinkingAllowed())`
			`a.Equal(tt.want.creationAllowed, provider.IsCreationAllowed())`
			`a.Equal(tt.want.autoCreation, provider.IsAutoCreation())`
			`a.Equal(tt.want.autoUpdate, provider.IsAutoUpdate())`
			`})`
			`}`
			`}`