support response_mode=form_post in upstream OIDC IDPs

This commit is contained in:
Ryan Richard
2025-03-06 12:34:20 -08:00
parent 308c76cd69
commit 749633e43c
9 changed files with 308 additions and 43 deletions


@@ -1,4 +1,4 @@
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package integration
@@ -362,6 +362,27 @@ func TestSupervisorLogin_Browser(t *testing.T) {
// the ID token Username should include the upstream user ID after the upstream issuer name
wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+" },
},
{
name: "oidc with upstream response_mode=form_post",
maybeSkip: skipNever,
createIDP: func(t *testing.T) string {
providerSpec := basicOIDCIdentityProviderSpec()
providerSpec.AuthorizationConfig.AdditionalAuthorizeParameters = []idpv1alpha1.Parameter{{
// Note that at the time of writing this comment, Dex completely ignores this param
// and just treats it as the default response_mode by returning a redirect.
// However, when the external OIDC provider is Okta, this should actually test
// using this capability. Okta will cause the user's browser to POST the authcode
// to the Supervisor's callback endpoint.
Name: "response_mode",
Value: "form_post",
}}
return testlib.CreateTestOIDCIdentityProvider(t, providerSpec, idpv1alpha1.PhaseReady).Name
},
requestAuthorization: requestAuthorizationUsingBrowserAuthcodeFlowOIDC,
wantDownstreamIDTokenSubjectToMatch: expectedIDTokenSubjectRegexForUpstreamOIDC,
// the ID token Username should include the upstream user ID after the upstream issuer name
wantDownstreamIDTokenUsernameToMatch: func(_ string) string { return "^" + regexp.QuoteMeta(env.SupervisorUpstreamOIDC.Issuer+"?sub=") + ".+" },
},
{
name: "oidc IDP using secrets of type opaque to source ca bundle with default username and groups claim settings",
maybeSkip: skipExternalCABundleOIDCTestsWhenCABundleIsEmpty,
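Review bot: The new table entry runs with `maybeSkip: skipNever`, but its own comment states that Dex ignores `response_mode=form_post` and answers with a redirect, so in a Dex-backed run this case is a duplicate of the preceding "oidc" case and never drives the cross-site browser POST to the Supervisor callback that the commit title promises to support. That is the path most likely to regress silently: a browser will not attach a state/CSRF cookie to a cross-site POST if that cookie carries `SameSite=Lax` or `Strict`, and nothing here would notice if the callback's cookie handling changed, since the callback implementation is in other files of this commit and not visible in this hunk. Consider making the coverage explicit rather than environment-dependent: gate the case on a testlib/env indicator that the upstream honors form_post and have the flow assert the callback request method is `POST` when it does, or at minimum rename the case to `"oidc with upstream response_mode=form_post (only exercised by IDPs that honor it, e.g. Okta)"` so a green result is not misread as proof of form_post support. The enclosing `TestSupervisorLogin_Browser` and its test table begin before this hunk, and `requestAuthorizationUsingBrowserAuthcodeFlowOIDC` is not shown, so whether the helper can observe the callback method cannot be confirmed from here.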