diff --git a/authentik/blueprints/tests/test_packaged.py b/authentik/blueprints/tests/test_packaged.py
index 32d392447f..38a52f2c24 100644
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@@ -35,6 +35,6 @@ def blueprint_tester(file_name: Path) -> Callable:
 for blueprint_file in Path("blueprints/").glob("**/*.yaml"):
-    if "local" in str(blueprint_file):
+    if "local" in str(blueprint_file) or "testing" in str(blueprint_file):
         continue
     setattr(TestPackaged, f"test_blueprint_{blueprint_file}", blueprint_tester(blueprint_file))
diff --git a/tests/manual/openid-conformance/oidc-conformance.yaml b/blueprints/testing/oidc-conformance.yaml
similarity index 54%
rename from tests/manual/openid-conformance/oidc-conformance.yaml
rename to blueprints/testing/oidc-conformance.yaml
index 54f3da1ff8..7654913613 100644
--- a/tests/manual/openid-conformance/oidc-conformance.yaml
+++ b/blueprints/testing/oidc-conformance.yaml
@@ -1,6 +1,8 @@
 version: 1
 metadata:
-  name: OIDC conformance testing
+  name: OpenID Conformance testing
+  labels:
+    blueprints.goauthentik.io/instantiate: "false"
 entries:
   - identifiers:
       managed: goauthentik.io/providers/oauth2/scope-address
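Review bot: The added skip on the `+` line matches the substring `"testing"` anywhere in the blueprint path, so any blueprint whose file or directory name merely contains that word would silently drop out of the packaged-blueprint test, and the pre-existing `"local"` check has the same weakness. Since the glob is rooted at `blueprints/`, match on the directory component instead, assuming `local` is likewise a directory directly under it: `if blueprint_file.parts[1] in ("local", "testing"):`. Only the module-level loop is visible here; `blueprint_tester` and `TestPackaged` are defined outside the hunk.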
@@ -21,38 +23,72 @@ entries:
     attrs:
       name: "authentik default OAuth Mapping: OpenID 'phone'"
       scope_name: phone
-      description: "General phone Information"
+      description: "General phone information"
       expression: |
         return {
           "phone_number": "+1234",
           "phone_number_verified": True,
         }
+  - identifiers:
+      managed: goauthentik.io/providers/oauth2/scope-profile-oidc-standard
+    model: authentik_providers_oauth2.scopemapping
+    attrs:
+      name: "OIDC conformance profile"
+      scope_name: profile
+      description: "General profile information"
+      expression: |
+        return {
+          # Because authentik only saves the user's full name, and has no concept of first and last names,
+          # the full name is used as given name.
+          # You can override this behaviour in custom mappings, i.e. `request.user.name.split(" ")`
+          "name": request.user.name,
+          "given_name": request.user.name,
+          "preferred_username": request.user.username,
+          "nickname": request.user.username,
+          "groups": [group.name for group in request.user.ak_groups.all()],
+          "website" : "foo",
+          "zoneinfo" : "foo",
+          "birthdate" : "2000",
+          "gender" : "foo",
+          "profile" : "foo",
+          "middle_name" : "foo",
+          "locale" : "foo",
+          "picture" : "foo",
+          "updated_at" : 1748557810,
+          "family_name" : "foo",
+        }
+
   - model: authentik_providers_oauth2.oauth2provider
-    id: provider
+    id: oidc-conformance-1
     identifiers:
-      name: provider
+      name: oidc-conformance-1
     attrs:
       authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      # Required as OIDC Conformance test requires issues to be the same across multiple clients
       issuer_mode: global
       client_id: 4054d882aff59755f2f279968b97ce8806a926e1
       client_secret: 4c7e4933009437fb486b5389d15b173109a0555dc47e0cc0949104f1925bcc6565351cb1dffd7e6818cf074f5bd50c210b565121a7328ee8bd40107fc4bbd867
-      redirect_uris: |
-        https://localhost:8443/test/a/authentik/callback
-        https://localhost.emobix.co.uk:8443/test/a/authentik/callback
+      redirect_uris:
+        - matching_mode: strict
+          url: https://localhost:8443/test/a/authentik/callback
+        - matching_mode: strict
+          url: https://host.docker.internal:8443/test/a/authentik/callback
       property_mappings:
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-openid]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-email]]
-        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile-oidc-standard]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-address]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-phone]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-offline_access]]
       signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
   - model: authentik_core.application
     identifiers:
-      slug: conformance
+      slug: oidc-conformance-1
     attrs:
-      provider: !KeyOf provider
-      name: Conformance
+      provider: !KeyOf oidc-conformance-1
+      name: OIDC Conformance (1)
   - model: authentik_providers_oauth2.oauth2provider
     id: oidc-conformance-2
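Review bot: The `client_secret` on the new side of this hunk is a long-lived credential committed in clear text, and the rename moves it from `tests/manual/` into `blueprints/`, the tree the packaged-blueprint test walks and, if that tree is also what ships with the product, one an administrator can apply from a running instance; the `instantiate: "false"` label only prevents automatic application. A provider created from it would be reachable with a publicly known secret and `issuer_mode: global`. Add a header comment under `metadata:` such as `# Test-only blueprint: the client_id/client_secret values below are public. Apply only to a disposable local instance for conformance runs, never to a deployed environment.` The hard-coded `"foo"` claim values and fixed `updated_at` in the new profile mapping are fine for a conformance fixture but deserve a one-line comment saying so, since the mapping is selectable by name like any other.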
@@ -60,22 +96,27 @@ entries:
       name: oidc-conformance-2
     attrs:
       authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      # Required as OIDC Conformance test requires issues to be the same across multiple clients
       issuer_mode: global
       client_id: ad64aeaf1efe388ecf4d28fcc537e8de08bcae26
       client_secret: ff2e34a5b04c99acaf7241e25a950e7f6134c86936923d8c698d8f38bd57647750d661069612c0ee55045e29fe06aa101804bdae38e8360647d595e771fea789
-      redirect_uris: |
-        https://localhost:8443/test/a/authentik/callback
-        https://localhost.emobix.co.uk:8443/test/a/authentik/callback
+      redirect_uris:
+        - matching_mode: strict
+          url: https://localhost:8443/test/a/authentik/callback
+        - matching_mode: strict
+          url: https://host.docker.internal:8443/test/a/authentik/callback
       property_mappings:
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-openid]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-email]]
-        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile-oidc-standard]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-address]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-phone]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-offline_access]]
       signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
   - model: authentik_core.application
     identifiers:
       slug: oidc-conformance-2
     attrs:
       provider: !KeyOf oidc-conformance-2
-      name: OIDC Conformance
+      name: OIDC Conformance (2)
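Review bot: The added comment above `issuer_mode: global` says `requires issues to be the same across multiple clients`; it should read `issuers`, and as written it misleads anyone deciding whether the global issuer mode is actually needed for this provider. Suggest `# issuer_mode: global is required because the OpenID conformance suite expects the same issuer across all of its test clients`. The oauth2provider entry this hunk patches begins before the hunk; its `model` and `id` lines are not shown here.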
diff --git a/tests/manual/openid-conformance/README.md b/tests/manual/openid-conformance/README.md
deleted file mode 100644
index 41b6fe7f9c..0000000000
--- a/tests/manual/openid-conformance/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# #Test files for OpenID Conformance testing.
-
-These config files assume testing is being done using the [OpenID Conformance Suite
-](https://openid.net/certification/about-conformance-suite/), locally.
-
-See https://gitlab.com/openid/conformance-suite/-/wikis/Developers/Build-&-Run for running the conformance suite locally.
-
-Requires docker containers to be able to access the host via `host.docker.internal` and an entry in the hosts file that maps `host.docker.internal` to localhost.
diff --git a/tests/manual/openid-conformance/test-config.json b/tests/manual/openid-conformance/test-config.json
deleted file mode 100644
index 2eed023ffa..0000000000
--- a/tests/manual/openid-conformance/test-config.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-    "alias": "authentik",
-    "description": "authentik",
-    "server": {
-        "discoveryUrl": "http://host.docker.internal:9000/application/o/conformance/.well-known/openid-configuration"
-    },
-    "client": {
-        "client_id": "4054d882aff59755f2f279968b97ce8806a926e1",
-        "client_secret": "4c7e4933009437fb486b5389d15b173109a0555dc47e0cc0949104f1925bcc6565351cb1dffd7e6818cf074f5bd50c210b565121a7328ee8bd40107fc4bbd867"
-    },
-    "client_secret_post": {
-        "client_id": "4054d882aff59755f2f279968b97ce8806a926e1",
-        "client_secret": "4c7e4933009437fb486b5389d15b173109a0555dc47e0cc0949104f1925bcc6565351cb1dffd7e6818cf074f5bd50c210b565121a7328ee8bd40107fc4bbd867"
-    },
-    "client2": {
-        "client_id": "ad64aeaf1efe388ecf4d28fcc537e8de08bcae26",
-        "client_secret": "ff2e34a5b04c99acaf7241e25a950e7f6134c86936923d8c698d8f38bd57647750d661069612c0ee55045e29fe06aa101804bdae38e8360647d595e771fea789"
-    },
-    "consent": {}
-}
diff --git a/tests/openid_conformance/compose.yml b/tests/openid_conformance/compose.yml
new file mode 100644
index 0000000000..31c8daf48f
--- /dev/null
+++ b/tests/openid_conformance/compose.yml
@@ -0,0 +1,29 @@
+services:
+  mongodb:
+    image: mongo:6.0.13
+  httpd:
+    image: ghcr.io/beryju/oidc-conformance-suite-httpd:v5.1.32
+    ports:
+      - "8443:8443"
+      - "8444:8444"
+    depends_on:
+      - server
+  server:
+    image: ghcr.io/beryju/oidc-conformance-suite-server:v5.1.32
+    ports:
+      - "9999:9999"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    command: >
+      java
+      -Xdebug -Xrunjdwp:transport=dt_socket,address=*:9999,server=y,suspend=n
+      -jar /server/fapi-test-suite.jar
+      -Djdk.tls.maxHandshakeMessageSize=65536
+      --fintechlabs.base_url=https://host.docker.internal:8443
+      --fintechlabs.base_mtls_url=https://host.docker.internal:8444
+      --fintechlabs.devmode=true
+      --fintechlabs.startredir=true
+    links:
+      - mongodb:mongodb
+    depends_on:
+      - mongodb
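Review bot: The `server` service publishes port 9999 on every host interface (`- "9999:9999"`) and the command opens a JDWP agent on it (`-Xrunjdwp:transport=dt_socket,address=*:9999,server=y`); JDWP has no authentication and lets anyone who can reach the port execute arbitrary code in the JVM, so on a shared network or CI runner this is a remote shell into the conformance container. Bind it to loopback, `- "127.0.0.1:9999:9999"`, or drop the `-Xdebug -Xrunjdwp` flags unless someone actually attaches a debugger. Separately, `-Djdk.tls.maxHandshakeMessageSize=65536` comes after `-jar /server/fapi-test-suite.jar`, so `java` hands it to the application as a program argument rather than setting the system property; move it before `-jar` for it to take effect. `links:` is a legacy compose key that the default network makes unnecessary; `depends_on` alone is enough for name resolution here.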