diff --git a/internal/api/grpc/user/v2/integration_test/user_test.go b/internal/api/grpc/user/v2/integration_test/user_test.go
index dfedd7a404a..16a6a0b3d40 100644
--- a/internal/api/grpc/user/v2/integration_test/user_test.go
+++ b/internal/api/grpc/user/v2/integration_test/user_test.go
@@ -3197,7 +3197,7 @@ func TestServer_ListAuthenticationFactors(t *testing.T) {
 				}
 				require.NoError(ttt, err)
-				assert.ElementsMatch(t, tt.want.GetResult(), got.GetResult())
+				assert.ElementsMatch(ttt, tt.want.GetResult(), got.GetResult())
 			}, retryDuration, tick, "timeout waiting for expected auth methods result")
 		})
 	}
diff --git a/internal/api/oidc/integration_test/client_test.go b/internal/api/oidc/integration_test/client_test.go
index 43b000108c5..3f37a193f10 100644
--- a/internal/api/oidc/integration_test/client_test.go
+++ b/internal/api/oidc/integration_test/client_test.go
@@ -24,21 +24,16 @@ import (
 )
 
 func TestServer_Introspect(t *testing.T) {
-	project, err := Instance.CreateProject(CTX)
-	require.NoError(t, err)
-	app, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
-	require.NoError(t, err)
-
-	wantAudience := []string{app.GetClientId(), project.GetId()}
-
 	tests := []struct {
 		name    string
-		api     func(*testing.T) (apiID string, resourceServer rs.ResourceServer)
+		api     func(*testing.T) (clientID string, audience []string, resourceServer rs.ResourceServer)
 		wantErr bool
 	}{
 		{
 			name: "client assertion",
-			api: func(t *testing.T) (string, rs.ResourceServer) {
+			api: func(t *testing.T) (string, []string, rs.ResourceServer) {
+				project, err := Instance.CreateProject(CTX)
+				require.NoError(t, err)
 				api, err := Instance.CreateAPIClientJWT(CTX, project.GetId())
 				require.NoError(t, err)
 				keyResp, err := Instance.Client.Mgmt.AddAppKey(CTX, &management.AddAppKeyRequest{
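Review bot: The `project, err := Instance.CreateProject(CTX)` / `require.NoError(t, err)` pair added to the `client assertion` closure here is repeated, together with the `Instance.CreateOIDCNativeClient(...)` call and the audience literal `[]string{app.GetClientId(), project.GetId(), api.GetClientId()}`, in all five cases of the next hunk (`@@ -48,63 +43,85 @@`), so each closure now carries six lines of identical setup around the one or two lines that make the case different. A small helper with `t.Helper()` that creates the project and the native client and returns their IDs keeps the table readable and makes the project/app creation order the same in every case (the first two cases create `app` after `api`, the last three before it; whether that order matters for the audience cannot be told from the hunk). Moving the setup per case is the right direction, since the old package-level `wantAudience` slice grew across subtests and so depended on subtest order; this is a point about shape, not behavior. `TestServer_Introspect` continues past the end of this hunk.
```go
// newProjectWithApp creates a fresh project and a native OIDC client in it so
// every case asserts against an isolated audience. It returns the project ID
// and the app's client ID.
func newProjectWithApp(t *testing.T) (projectID, clientID string) {
	t.Helper()
	project, err := Instance.CreateProject(CTX)
	require.NoError(t, err)
	app, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
	require.NoError(t, err)
	return project.GetId(), app.GetClientId()
}

// … unchanged: table header and the "client assertion" case …
		{
			name: "client credentials",
			api: func(t *testing.T) (string, []string, rs.ResourceServer) {
				projectID, clientID := newProjectWithApp(t)
				api, err := Instance.CreateAPIClientBasic(CTX, projectID)
				require.NoError(t, err)
				resourceServer, err := Instance.CreateResourceServerClientCredentials(CTX, api.GetClientId(), api.GetClientSecret())
				require.NoError(t, err)
				return clientID, []string{clientID, projectID, api.GetClientId()}, resourceServer
			},
		},
// … unchanged: the three error cases follow the same shape …
```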
@@ -48,63 +43,85 @@ func TestServer_Introspect(t *testing.T) {
 					ExpirationDate: nil,
 				})
 				require.NoError(t, err)
+
+				app, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
+				require.NoError(t, err)
+
 				resourceServer, err := Instance.CreateResourceServerJWTProfile(CTX, keyResp.GetKeyDetails())
 				require.NoError(t, err)
-				return api.GetClientId(), resourceServer
+				return app.GetClientId(), []string{app.GetClientId(), project.GetId(), api.GetClientId()}, resourceServer
 			},
 		},
 		{
 			name: "client credentials",
-			api: func(t *testing.T) (string, rs.ResourceServer) {
+			api: func(t *testing.T) (string, []string, rs.ResourceServer) {
+				project, err := Instance.CreateProject(CTX)
+				require.NoError(t, err)
 				api, err := Instance.CreateAPIClientBasic(CTX, project.GetId())
 				require.NoError(t, err)
+				app, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
+				require.NoError(t, err)
+
 				resourceServer, err := Instance.CreateResourceServerClientCredentials(CTX, api.GetClientId(), api.GetClientSecret())
 				require.NoError(t, err)
-				return api.GetClientId(), resourceServer
+				return app.GetClientId(), []string{app.GetClientId(), project.GetId(), api.GetClientId()}, resourceServer
 			},
 		},
 		{
 			name: "client invalid id, error",
-			api: func(t *testing.T) (string, rs.ResourceServer) {
+			api: func(t *testing.T) (string, []string, rs.ResourceServer) {
+				project, err := Instance.CreateProject(CTX)
+				require.NoError(t, err)
+				app, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
+				require.NoError(t, err)
+
 				api, err := Instance.CreateAPIClientBasic(CTX, project.GetId())
 				require.NoError(t, err)
 				resourceServer, err := Instance.CreateResourceServerClientCredentials(CTX, "xxxxx", api.GetClientSecret())
 				require.NoError(t, err)
-				return api.GetClientId(), resourceServer
+				return app.GetClientId(), []string{app.GetClientId(), project.GetId(), api.GetClientId()}, resourceServer
 			},
 			wantErr: true,
 		},
 		{
 			name: "client invalid secret, error",
-			api: func(t *testing.T) (string, rs.ResourceServer) {
+			api: func(t *testing.T) (string, []string, rs.ResourceServer) {
+				project, err := Instance.CreateProject(CTX)
+				require.NoError(t, err)
+				app, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
+				require.NoError(t, err)
+
 				api, err := Instance.CreateAPIClientBasic(CTX, project.GetId())
 				require.NoError(t, err)
 				resourceServer, err := Instance.CreateResourceServerClientCredentials(CTX, api.GetClientId(), "xxxxx")
 				require.NoError(t, err)
-				return api.GetClientId(), resourceServer
+				return app.GetClientId(), []string{app.GetClientId(), project.GetId(), api.GetClientId()}, resourceServer
 			},
 			wantErr: true,
 		},
 		{
 			name: "client credentials on jwt client, error",
-			api: func(t *testing.T) (string, rs.ResourceServer) {
+			api: func(t *testing.T) (string, []string, rs.ResourceServer) {
+				project, err := Instance.CreateProject(CTX)
+				require.NoError(t, err)
+				app, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
+				require.NoError(t, err)
+
 				api, err := Instance.CreateAPIClientJWT(CTX, project.GetId())
 				require.NoError(t, err)
 				resourceServer, err := Instance.CreateResourceServerClientCredentials(CTX, api.GetClientId(), "xxxxx")
 				require.NoError(t, err)
-				return api.GetClientId(), resourceServer
+				return app.GetClientId(), []string{app.GetClientId(), project.GetId(), api.GetClientId()}, resourceServer
 			},
 			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			apiID, resourceServer := tt.api(t)
-			// wantAudience grows for every API we add to the project.
-			wantAudience = append(wantAudience, apiID)
+			clientID, wantAudience, resourceServer := tt.api(t)
 			scope := []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess, oidc_api.ScopeResourceOwner}
-			authRequestID := createAuthRequest(t, Instance, app.GetClientId(), redirectURI, scope...)
+			authRequestID := createAuthRequest(t, Instance, clientID, redirectURI, scope...)
 			sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
 			linkResp, err := Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: authRequestID,
@@ -119,7 +136,7 @@ func TestServer_Introspect(t *testing.T) {
 			// code exchange
 			code := assertCodeResponse(t, linkResp.GetCallbackUrl())
-			tokens, err := exchangeTokens(t, Instance, app.GetClientId(), code, redirectURI)
+			tokens, err := exchangeTokens(t, Instance, clientID, code, redirectURI)
 			require.NoError(t, err)
 			assertTokens(t, tokens, true)
 			assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
@@ -133,7 +150,7 @@ func TestServer_Introspect(t *testing.T) {
 			require.NoError(t, err)
 			assertIntrospection(t, introspection,
-				Instance.OIDCIssuer(), app.GetClientId(),
+				Instance.OIDCIssuer(), clientID,
 				scope, wantAudience,
 				tokens.Expiry, tokens.Expiry.Add(-12*time.Hour))
 		})
diff --git a/internal/api/oidc/integration_test/keys_test.go b/internal/api/oidc/integration_test/keys_test.go
index 5da841b1add..f681e9d9bcc 100644
--- a/internal/api/oidc/integration_test/keys_test.go
+++ b/internal/api/oidc/integration_test/keys_test.go
@@ -86,7 +86,7 @@ func TestServer_Keys(t *testing.T) {
 				err = json.NewDecoder(resp.Body).Decode(got)
 				require.NoError(ttt, err)
-				assert.Len(t, got.Keys, tt.wantLen)
+				assert.Len(ttt, got.Keys, tt.wantLen)
 				for _, key := range got.Keys {
 					_, ok := key.Key.(*rsa.PublicKey)
 					require.True(ttt, ok)