Skip to content

Add integration tests for CIMD embedded auth server support#5379

Draft
amirejaz wants to merge 2 commits into
cimd-phase2-pr6-cimd-validationfrom
cimd-phase2-pr4-integration-tests
Draft

Add integration tests for CIMD embedded auth server support#5379
amirejaz wants to merge 2 commits into
cimd-phase2-pr6-cimd-validationfrom
cimd-phase2-pr4-integration-tests

Conversation

@amirejaz
Copy link
Copy Markdown
Contributor

@amirejaz amirejaz commented May 25, 2026

Summary

  • Stacked on Wire CIMD config through embedded AS and enable storage decorator #5348 (wire CIMD config through embedded AS). Merge that first.
  • Adds four integration tests in test/integration/authserver/ that exercise the CIMD feature end-to-end against a real EmbeddedAuthServer instance — no mocks, no binary required:
    1. Discoveryclient_id_metadata_document_supported: true appears in both /.well-known/oauth-authorization-server and /.well-known/openid-configuration when CIMD is enabled; absent when disabled
    2. Authorize accepts CIMD URL/oauth/authorize with a CIMD URL as client_id redirects to the upstream IDP without prior DCR registration
    3. Authorize rejects CIMD URL when disabled — same request fails when CIMD is off
    4. No DCR required — flow completes without any call to /oauth/register, proving on-the-fly client resolution works

Also adds WithCIMD functional option to the integration test helper in test/integration/authserver/helpers/authserver.go.

Type of change

  • Test coverage (no production code change)

Test plan

  • go test ./test/integration/authserver/... passes
  • task lint-fix clean

Generated with Claude Code

@github-actions github-actions Bot added the size/M Medium PR: 300-599 lines changed label May 25, 2026
@codecov
Copy link
Copy Markdown

codecov Bot commented May 25, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.79%. Comparing base (90db2a6) to head (f9e761d).

Additional details and impacted files 
@@                         Coverage Diff                         @@
##           cimd-phase2-pr6-cimd-validation    #5379      +/-   ##
===================================================================
- Coverage                            68.79%   68.79%   -0.01%     
===================================================================
  Files                                  627      627              
  Lines                                63668    63672       +4     
===================================================================
  Hits                                 43801    43801              
- Misses                               16612    16614       +2     
- Partials                              3255     3257       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@amirejaz amirejaz force-pushed the cimd-phase2-pr4-integration-tests branch from 91b1244 to d27bbf5 Compare May 25, 2026 21:23
@github-actions github-actions Bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels May 25, 2026
@amirejaz amirejaz force-pushed the cimd-phase2-pr4-integration-tests branch from d27bbf5 to bc4cb59 Compare May 26, 2026 13:48
@github-actions github-actions Bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels May 26, 2026
@amirejaz amirejaz force-pushed the cimd-phase2-pr4-integration-tests branch from bc4cb59 to 9cc0ec9 Compare May 26, 2026 14:47
@github-actions github-actions Bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels May 26, 2026
@amirejaz amirejaz force-pushed the cimd-phase2-pr4-integration-tests branch from 9cc0ec9 to 2d834ed Compare May 26, 2026 17:41
@github-actions github-actions Bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels May 26, 2026
Base automatically changed from cimd-phase2-pr3-wiring to main May 26, 2026 20:12
@github-actions github-actions Bot added size/L Large PR: 600-999 lines changed and removed size/M Medium PR: 300-599 lines changed labels May 26, 2026
amirejaz and others added 2 commits May 27, 2026 02:08
@amirejaz @claude
Validate CIMD scope, grant_types and response_types against AS policy
90db2a6 
C3 - Thread ScopesSupported into NewCIMDStorageDecorator so CIMD scope
     handling is consistent with DCR. Uses registration.ValidateScopes
     (same function as the DCR handler) to validate declared scopes
     against the AS allowlist and compute the effective scope list.
     When ScopesSupported is unset, the document's declared scopes are
     used directly; omitted scopes default to DefaultScopes.

C4 - Reject CIMD documents that declare grant_types or response_types
     the embedded AS does not support for public clients
     (authorization_code + refresh_token; code). Consistent with DCR
     which returns invalid_client_metadata for the same cases.

buildFositeClient now receives pre-computed scopes from fetch() rather
than re-parsing doc.Scope, matching the DCR handler pattern where scope
computation and validation happen before client construction.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@amirejaz @claude
Add integration tests for CIMD support in embedded auth server
f9e761d 
Four integration tests that exercise the CIMD flow end-to-end against
a real EmbeddedAuthServer instance:

- Discovery advertises client_id_metadata_document_supported when CIMD
  is enabled, and omits the flag when disabled
- Authorize accepts a CIMD URL as client_id and redirects to the
  upstream IDP without any prior DCR registration call
- Authorize rejects a CIMD URL when CIMD is disabled
- No DCR call is required — CIMD resolves the client on the fly

Also adds a WithCIMD functional option to the integration test helper.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@amirejaz amirejaz force-pushed the cimd-phase2-pr4-integration-tests branch from 2d834ed to f9e761d Compare May 26, 2026 21:11
@amirejaz amirejaz changed the base branch from main to cimd-phase2-pr6-cimd-validation May 26, 2026 21:11
@github-actions github-actions Bot added size/M Medium PR: 300-599 lines changed and removed size/L Large PR: 600-999 lines changed size/M Medium PR: 300-599 lines changed labels May 26, 2026
@amirejaz amirejaz force-pushed the cimd-phase2-pr6-cimd-validation branch 3 times, most recently from 8e68d45 to 36b5e97 Compare May 26, 2026 21:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhrozek jhrozek Awaiting requested review from jhrozek jhrozek will be requested when the pull request is marked ready for review jhrozek is a code owner

@JAORMX JAORMX Awaiting requested review from JAORMX JAORMX will be requested when the pull request is marked ready for review JAORMX is a code owner

@ChrisJBurns ChrisJBurns Awaiting requested review from ChrisJBurns ChrisJBurns will be requested when the pull request is marked ready for review ChrisJBurns is a code owner

@yrobla yrobla Awaiting requested review from yrobla yrobla will be requested when the pull request is marked ready for review yrobla is a code owner

Assignees

No one assigned

Labels

size/M Medium PR: 300-599 lines changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@amirejaz