chore: add oidc idp for acceptance tests

2025-08-13 11:40:16 +00:00 · 2025-03-27 09:50:06 +01:00
parent 56a2316973
commit e5604edff8
7 changed files with 348 additions and 37 deletions
--- a/acceptance/idp/oidc/docker-compose.yaml
+++ b/acceptance/idp/oidc/docker-compose.yaml
@@ -0,0 +1,20 @@
+services:
+  oidcop:
+    image: golang:1.24-alpine
+    container_name: oidcop
+    command: go run main.go
+    environment:
+      API_URL: 'http://localhost:8080'
+      API_DOMAIN: 'localhost:8080'
+      PAT_FILE: '/pat/zitadel-admin-sa.pat'
+      SCHEMA: 'http'
+      HOST: 'localhost'
+      PORT: "8004"
+    working_dir: /oidc
+    ports:
+      - 8004:8004
+    volumes:
+      - "../../pat:/pat"
+      - "./:/oidc"
+    extra_hosts:
+      - "localhost:host-gateway"
--- a/acceptance/idp/oidc/go.mod
+++ b/acceptance/idp/oidc/go.mod
@@ -0,0 +1,28 @@
+module github.com/zitadel/typescript/acceptance/idp/oidc
+
+go 1.24.1
+
+require github.com/zitadel/oidc/v3 v3.37.0
+
+require (
+	github.com/bmatcuk/doublestar/v4 v4.8.1 // indirect
+	github.com/go-chi/chi/v5 v5.2.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
+	github.com/muhlemmer/gu v0.3.1 // indirect
+	github.com/muhlemmer/httpforwarded v0.1.0 // indirect
+	github.com/rs/cors v1.11.1 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/zitadel/logging v0.6.2 // indirect
+	github.com/zitadel/schema v1.3.1 // indirect
+	go.opentelemetry.io/otel v1.29.0 // indirect
+	go.opentelemetry.io/otel/metric v1.29.0 // indirect
+	go.opentelemetry.io/otel/trace v1.29.0 // indirect
+	golang.org/x/crypto v0.35.0 // indirect
+	golang.org/x/oauth2 v0.28.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+)
--- a/acceptance/idp/oidc/go.sum
+++ b/acceptance/idp/oidc/go.sum
@@ -0,0 +1,71 @@
+github.com/bmatcuk/doublestar/v4 v4.8.1 h1:54Bopc5c2cAvhLRAzqOGCYHYyhcDHsFF4wWIR5wKP38=
+github.com/bmatcuk/doublestar/v4 v4.8.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
+github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
+github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/muhlemmer/gu v0.3.1 h1:7EAqmFrW7n3hETvuAdmFmn4hS8W+z3LgKtrnow+YzNM=
+github.com/muhlemmer/gu v0.3.1/go.mod h1:YHtHR+gxM+bKEIIs7Hmi9sPT3ZDUvTN/i88wQpZkrdM=
+github.com/muhlemmer/httpforwarded v0.1.0 h1:x4DLrzXdliq8mprgUMR0olDvHGkou5BJsK/vWUetyzY=
+github.com/muhlemmer/httpforwarded v0.1.0/go.mod h1:yo9czKedo2pdZhoXe+yDkGVbU0TJ0q9oQ90BVoDEtw0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
+github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/zitadel/logging v0.6.2 h1:MW2kDDR0ieQynPZ0KIZPrh9ote2WkxfBif5QoARDQcU=
+github.com/zitadel/logging v0.6.2/go.mod h1:z6VWLWUkJpnNVDSLzrPSQSQyttysKZ6bCRongw0ROK4=
+github.com/zitadel/oidc/v3 v3.37.0 h1:nYATWlnP7f18XiAbw6upUruBaqfB1kUrXrSTf1EYGO8=
+github.com/zitadel/oidc/v3 v3.37.0/go.mod h1:/xDan4OUQhguJ4Ur73OOJrtugvR164OMnidXP9xfVNw=
+github.com/zitadel/schema v1.3.1 h1:QT3kwiRIRXXLVAs6gCK/u044WmUVh6IlbLXUsn6yRQU=
+github.com/zitadel/schema v1.3.1/go.mod h1:071u7D2LQacy1HAN+YnMd/mx1qVE2isb0Mjeqg46xnU=
+go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
+go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
+go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
+go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
+go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
+go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
+golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
+golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
+golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/acceptance/idp/oidc/main.go
+++ b/acceptance/idp/oidc/main.go
@@ -0,0 +1,186 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"log/slog"
+	"net/http"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+	"time"
+
+	"github.com/zitadel/oidc/v3/example/server/exampleop"
+	"github.com/zitadel/oidc/v3/example/server/storage"
+)
+
+func main() {
+	apiURL := os.Getenv("API_URL")
+	pat := readPAT(os.Getenv("PAT_FILE"))
+	domain := os.Getenv("API_DOMAIN")
+	schema := os.Getenv("SCHEMA")
+	host := os.Getenv("HOST")
+	port := os.Getenv("PORT")
+
+	logger := slog.New(
+		slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{
+			AddSource: true,
+			Level:     slog.LevelDebug,
+		}),
+	)
+
+	issuer := fmt.Sprintf("%s://%s:%s/", schema, host, port)
+	redirectURI := fmt.Sprintf("%s/idps/callback", apiURL)
+
+	clientID := "web"
+	clientSecret := "secret"
+	storage.RegisterClients(
+		storage.WebClient(clientID, clientSecret, redirectURI),
+	)
+
+	storage := storage.NewStorage(storage.NewUserStore(issuer))
+	router := exampleop.SetupServer(issuer, storage, logger, false)
+
+	server := &http.Server{
+		Addr:    ":" + port,
+		Handler: router,
+	}
+	go func() {
+		if err := server.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
+			log.Fatalf("HTTP server error: %v", err)
+		}
+		log.Println("Stopped serving new connections.")
+	}()
+
+	createZitadelResources(apiURL, pat, domain, issuer, clientID, clientSecret)
+
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
+	<-sigChan
+
+	shutdownCtx, shutdownRelease := context.WithTimeout(context.Background(), 10*time.Second)
+	defer shutdownRelease()
+
+	if err := server.Shutdown(shutdownCtx); err != nil {
+		log.Fatalf("HTTP shutdown error: %v", err)
+	}
+}
+
+func readPAT(path string) string {
+	f, err := os.Open(path)
+	if err != nil {
+		panic(err)
+	}
+	pat, err := io.ReadAll(f)
+	if err != nil {
+		panic(err)
+	}
+	return strings.Trim(string(pat), "\n")
+}
+
+func createZitadelResources(apiURL, pat, domain, issuer, clientID, clientSecret string) error {
+	idpID, err := CreateIDP(apiURL, pat, domain, issuer, clientID, clientSecret)
+	if err != nil {
+		return err
+	}
+	return ActivateIDP(apiURL, pat, domain, idpID)
+}
+
+type createIDP struct {
+	Name             string          `json:"name"`
+	Issuer           string          `json:"issuer"`
+	ClientId         string          `json:"clientId"`
+	ClientSecret     string          `json:"clientSecret"`
+	Scopes           []string        `json:"scopes"`
+	ProviderOptions  providerOptions `json:"providerOptions"`
+	IsIdTokenMapping bool            `json:"isIdTokenMapping"`
+	UsePkce          bool            `json:"usePkce"`
+}
+
+type providerOptions struct {
+	IsLinkingAllowed  bool   `json:"isLinkingAllowed"`
+	IsCreationAllowed bool   `json:"isCreationAllowed"`
+	IsAutoCreation    bool   `json:"isAutoCreation"`
+	IsAutoUpdate      bool   `json:"isAutoUpdate"`
+	AutoLinking       string `json:"autoLinking"`
+}
+
+type idp struct {
+	ID string `json:"id"`
+}
+
+func CreateIDP(apiURL, pat, domain string, issuer, clientID, clientSecret string) (string, error) {
+	createIDP := &createIDP{
+		Name:         "OIDC",
+		Issuer:       issuer,
+		ClientId:     clientID,
+		ClientSecret: clientSecret,
+		Scopes:       []string{"openid", "profile", "email"},
+		ProviderOptions: providerOptions{
+			IsLinkingAllowed:  true,
+			IsCreationAllowed: true,
+			IsAutoCreation:    true,
+			IsAutoUpdate:      true,
+			AutoLinking:       "AUTO_LINKING_OPTION_UNSPECIFIED",
+		},
+		IsIdTokenMapping: false,
+		UsePkce:          false,
+	}
+
+	resp, err := doRequestWithHeaders(apiURL+"/admin/v1/idps/generic_oidc", pat, domain, createIDP)
+	if err != nil {
+		return "", err
+	}
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	idp := new(idp)
+	if err := json.Unmarshal(data, idp); err != nil {
+		return "", err
+	}
+	return idp.ID, nil
+}
+
+type activateIDP struct {
+	IdpId string `json:"idpId"`
+}
+
+func ActivateIDP(apiURL, pat, domain string, idpID string) error {
+	activateIDP := &activateIDP{
+		IdpId: idpID,
+	}
+	_, err := doRequestWithHeaders(apiURL+"/admin/v1/policies/login/idps", pat, domain, activateIDP)
+	return err
+}
+
+func doRequestWithHeaders(apiURL, pat, domain string, body any) (*http.Response, error) {
+	data, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(http.MethodPost, apiURL, io.NopCloser(bytes.NewReader(data)))
+	if err != nil {
+		return nil, err
+	}
+	values := http.Header{}
+	values.Add("Authorization", "Bearer "+pat)
+	values.Add("x-forwarded-host", domain)
+	values.Add("Content-Type", "application/json")
+	req.Header = values
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	return resp, nil
+}
--- a/acceptance/idp/saml/main.go
+++ b/acceptance/idp/saml/main.go
@@ -86,22 +86,12 @@ UzreO96WzlBBMtY=
 // Example from https://github.com/crewjam/saml/blob/main/example/idp/idp.go
 func main() {
 	apiURL := os.Getenv("API_URL")
-	patFile := os.Getenv("PAT_FILE")
+	pat := readPAT(os.Getenv("PAT_FILE"))
 	domain := os.Getenv("API_DOMAIN")
 	schema := os.Getenv("SCHEMA")
 	host := os.Getenv("HOST")
 	port := os.Getenv("PORT")

-	f, err := os.Open(patFile)
-	if err != nil {
-		panic(err)
-	}
-	pat, err := io.ReadAll(f)
-	if err != nil {
-		panic(err)
-	}
-	patStr := strings.Trim(string(pat), "\n")
-
 	baseURL, err := url.Parse(schema + "://" + host + ":" + port)
 	if err != nil {

@@ -124,7 +114,7 @@ func main() {
 	if err != nil {
 		panic(err)
 	}
-	idpID, err := createZitadelResources(apiURL, patStr, domain, metadata)
+	idpID, err := createZitadelResources(apiURL, pat, domain, metadata)
 	if err != nil {
 		panic(err)
 	}
@@ -148,6 +138,18 @@ func main() {
 	}
 }

+func readPAT(path string) string {
+	f, err := os.Open(path)
+	if err != nil {
+		panic(err)
+	}
+	pat, err := io.ReadAll(f)
+	if err != nil {
+		panic(err)
+	}
+	return strings.Trim(string(pat), "\n")
+}
+
 func addService(idpServer *samlidp.Server, spURLStr string) {
 	metadataResp, err := http.Get(spURLStr)
 	if err != nil {
--- a/acceptance/oidc/main.go
+++ b/acceptance/oidc/main.go
@@ -33,7 +33,7 @@ var (

 func main() {
 	apiURL := os.Getenv("API_URL")
-	patFile := os.Getenv("PAT_FILE")
+	pat := readPAT(os.Getenv("PAT_FILE"))
 	domain := os.Getenv("API_DOMAIN")
 	loginURL := os.Getenv("LOGIN_URL")
 	issuer := os.Getenv("ISSUER")
@@ -41,20 +41,10 @@ func main() {
 	port := os.Getenv("PORT")
 	scopeList := strings.Split(os.Getenv("SCOPES"), " ")

-	f, err := os.Open(patFile)
-	if err != nil {
-		panic(err)
-	}
-	pat, err := io.ReadAll(f)
-	if err != nil {
-		panic(err)
-	}
-	patStr := strings.Trim(string(pat), "\n")
-
 	redirectURI := fmt.Sprintf("%v:%v%v", host, port, callbackPath)
 	cookieHandler := httphelper.NewCookieHandler(key, key, httphelper.WithUnsecure())

-	clientID, clientSecret, err := createZitadelResources(apiURL, patStr, domain, redirectURI, loginURL)
+	clientID, clientSecret, err := createZitadelResources(apiURL, pat, domain, redirectURI, loginURL)
 	if err != nil {
 		panic(err)
 	}
@@ -173,6 +163,18 @@ func main() {
 	}
 }

+func readPAT(path string) string {
+	f, err := os.Open(path)
+	if err != nil {
+		panic(err)
+	}
+	pat, err := io.ReadAll(f)
+	if err != nil {
+		panic(err)
+	}
+	return strings.Trim(string(pat), "\n")
+}
+
 func createZitadelResources(apiURL, pat, domain, redirectURI, loginURL string) (string, string, error) {
 	projectID, err := CreateProject(apiURL, pat, domain)
 	if err != nil {
--- a/acceptance/saml/main.go
+++ b/acceptance/saml/main.go
@@ -87,28 +87,18 @@ FHHEZ+dR4eMaJp6PhNm8hu2O
 }()

 func hello(w http.ResponseWriter, r *http.Request) {
-	fmt.Fprintf(w, "Hello, %s!", samlsp.AttributeFromContext(r.Context(), "displayName"))
+	fmt.Fprintf(w, "Hello, %s!", samlsp.AttributeFromContext(r.Context(), "UserName"))
 }

 func main() {
 	apiURL := os.Getenv("API_URL")
-	patFile := os.Getenv("PAT_FILE")
+	pat := readPAT(os.Getenv("PAT_FILE"))
 	domain := os.Getenv("API_DOMAIN")
 	loginURL := os.Getenv("LOGIN_URL")
 	idpURL := os.Getenv("IDP_URL")
 	host := os.Getenv("HOST")
 	port := os.Getenv("PORT")

-	f, err := os.Open(patFile)
-	if err != nil {
-		panic(err)
-	}
-	pat, err := io.ReadAll(f)
-	if err != nil {
-		panic(err)
-	}
-	patStr := strings.Trim(string(pat), "\n")
-
 	idpMetadataURL, err := url.Parse(idpURL)
 	if err != nil {
 		panic(err)
@@ -151,7 +141,7 @@ func main() {
 	if err != nil {
 		panic(err)
 	}
-	if err := createZitadelResources(apiURL, patStr, domain, metadata, loginURL); err != nil {
+	if err := createZitadelResources(apiURL, pat, domain, metadata, loginURL); err != nil {
 		panic(err)
 	}

@@ -167,6 +157,18 @@ func main() {
 	}
 }

+func readPAT(path string) string {
+	f, err := os.Open(path)
+	if err != nil {
+		panic(err)
+	}
+	pat, err := io.ReadAll(f)
+	if err != nil {
+		panic(err)
+	}
+	return strings.Trim(string(pat), "\n")
+}
+
 func createZitadelResources(apiURL, pat, domain string, metadata []byte, loginURL string) error {
 	projectID, err := CreateProject(apiURL, pat, domain)
 	if err != nil {