providers/oauth2: add conformance tools (#15228)

add conformance tools

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

authentik/blueprints/tests/test_packaged.py

@@ -35,6 +35,6 @@ def blueprint_tester(file_name: Path) -> Callable:
 
 
 for blueprint_file in Path("blueprints/").glob("**/*.yaml"):
-    if "local" in str(blueprint_file):
+    if "local" in str(blueprint_file) or "testing" in str(blueprint_file):
         continue
     setattr(TestPackaged, f"test_blueprint_{blueprint_file}", blueprint_tester(blueprint_file))

blueprints/testing/oidc-conformance.yaml

@@ -1,6 +1,8 @@
 version: 1
 metadata:
-  name: OIDC conformance testing
+  name: OpenID Conformance testing
+  labels:
+    blueprints.goauthentik.io/instantiate: "false"
 entries:
   - identifiers:
       managed: goauthentik.io/providers/oauth2/scope-address
@@ -21,38 +23,72 @@ entries:
     attrs:
       name: "authentik default OAuth Mapping: OpenID 'phone'"
       scope_name: phone
-      description: "General phone Information"
+      description: "General phone information"
       expression: |
         return {
             "phone_number": "+1234",
             "phone_number_verified": True,
         }
+  - identifiers:
+      managed: goauthentik.io/providers/oauth2/scope-profile-oidc-standard
+    model: authentik_providers_oauth2.scopemapping
+    attrs:
+      name: "OIDC conformance profile"
+      scope_name: profile
+      description: "General profile information"
+      expression: |
+        return {
+            # Because authentik only saves the user's full name, and has no concept of first and last names,
+            # the full name is used as given name.
+            # You can override this behaviour in custom mappings, i.e. `request.user.name.split(" ")`
+            "name": request.user.name,
+            "given_name": request.user.name,
+            "preferred_username": request.user.username,
+            "nickname": request.user.username,
+            "groups": [group.name for group in request.user.ak_groups.all()],
+            "website" : "foo",
+            "zoneinfo" : "foo",
+            "birthdate" : "2000",
+            "gender" : "foo",
+            "profile" : "foo",
+            "middle_name" : "foo",
+            "locale" : "foo",
+            "picture" : "foo",
+            "updated_at" : 1748557810,
+            "family_name" : "foo",
+        }
+
 
   - model: authentik_providers_oauth2.oauth2provider
-    id: provider
+    id: oidc-conformance-1
     identifiers:
-      name: provider
+      name: oidc-conformance-1
     attrs:
       authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      # Required as OIDC Conformance test requires issues to be the same across multiple clients
       issuer_mode: global
       client_id: 4054d882aff59755f2f279968b97ce8806a926e1
       client_secret: 4c7e4933009437fb486b5389d15b173109a0555dc47e0cc0949104f1925bcc6565351cb1dffd7e6818cf074f5bd50c210b565121a7328ee8bd40107fc4bbd867
-      redirect_uris: |
+      redirect_uris:
-        https://localhost:8443/test/a/authentik/callback
+        - matching_mode: strict
-        https://localhost.emobix.co.uk:8443/test/a/authentik/callback
+          url: https://localhost:8443/test/a/authentik/callback
+        - matching_mode: strict
+          url: https://host.docker.internal:8443/test/a/authentik/callback
       property_mappings:
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-openid]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-email]]
-        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile-oidc-standard]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-address]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-phone]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-offline_access]]
       signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
   - model: authentik_core.application
     identifiers:
-      slug: conformance
+      slug: oidc-conformance-1
     attrs:
-      provider: !KeyOf provider
+      provider: !KeyOf oidc-conformance-1
-      name: Conformance
+      name: OIDC Conformance (1)
 
   - model: authentik_providers_oauth2.oauth2provider
     id: oidc-conformance-2
@@ -60,22 +96,27 @@ entries:
       name: oidc-conformance-2
     attrs:
       authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+      invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+      # Required as OIDC Conformance test requires issues to be the same across multiple clients
       issuer_mode: global
       client_id: ad64aeaf1efe388ecf4d28fcc537e8de08bcae26
       client_secret: ff2e34a5b04c99acaf7241e25a950e7f6134c86936923d8c698d8f38bd57647750d661069612c0ee55045e29fe06aa101804bdae38e8360647d595e771fea789
-      redirect_uris: |
+      redirect_uris:
-        https://localhost:8443/test/a/authentik/callback
+        - matching_mode: strict
-        https://localhost.emobix.co.uk:8443/test/a/authentik/callback
+          url: https://localhost:8443/test/a/authentik/callback
+        - matching_mode: strict
+          url: https://host.docker.internal:8443/test/a/authentik/callback
       property_mappings:
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-openid]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-email]]
-        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-profile-oidc-standard]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-address]]
         - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-phone]]
+        - !Find [authentik_providers_oauth2.scopemapping, [managed, goauthentik.io/providers/oauth2/scope-offline_access]]
       signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
   - model: authentik_core.application
     identifiers:
       slug: oidc-conformance-2
     attrs:
       provider: !KeyOf oidc-conformance-2
-      name: OIDC Conformance
+      name: OIDC Conformance (2)

tests/manual/openid-conformance/README.md

@@ -1,8 +0,0 @@
-# #Test files for OpenID Conformance testing.
-
-These config files assume testing is being done using the [OpenID Conformance Suite
-](https://openid.net/certification/about-conformance-suite/), locally.
-
-See https://gitlab.com/openid/conformance-suite/-/wikis/Developers/Build-&-Run for running the conformance suite locally.
-
-Requires docker containers to be able to access the host via `host.docker.internal` and an entry in the hosts file that maps `host.docker.internal` to localhost.

tests/manual/openid-conformance/test-config.json

@@ -1,20 +0,0 @@
-{
-    "alias": "authentik",
-    "description": "authentik",
-    "server": {
-        "discoveryUrl": "http://host.docker.internal:9000/application/o/conformance/.well-known/openid-configuration"
-    },
-    "client": {
-        "client_id": "4054d882aff59755f2f279968b97ce8806a926e1",
-        "client_secret": "4c7e4933009437fb486b5389d15b173109a0555dc47e0cc0949104f1925bcc6565351cb1dffd7e6818cf074f5bd50c210b565121a7328ee8bd40107fc4bbd867"
-    },
-    "client_secret_post": {
-        "client_id": "4054d882aff59755f2f279968b97ce8806a926e1",
-        "client_secret": "4c7e4933009437fb486b5389d15b173109a0555dc47e0cc0949104f1925bcc6565351cb1dffd7e6818cf074f5bd50c210b565121a7328ee8bd40107fc4bbd867"
-    },
-    "client2": {
-        "client_id": "ad64aeaf1efe388ecf4d28fcc537e8de08bcae26",
-        "client_secret": "ff2e34a5b04c99acaf7241e25a950e7f6134c86936923d8c698d8f38bd57647750d661069612c0ee55045e29fe06aa101804bdae38e8360647d595e771fea789"
-    },
-    "consent": {}
-}

tests/openid_conformance/compose.yml

@@ -0,0 +1,29 @@
+services:
+  mongodb:
+    image: mongo:6.0.13
+  httpd:
+    image: ghcr.io/beryju/oidc-conformance-suite-httpd:v5.1.32
+    ports:
+      - "8443:8443"
+      - "8444:8444"
+    depends_on:
+      - server
+  server:
+    image: ghcr.io/beryju/oidc-conformance-suite-server:v5.1.32
+    ports:
+      - "9999:9999"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    command: >
+      java
+      -Xdebug -Xrunjdwp:transport=dt_socket,address=*:9999,server=y,suspend=n
+      -jar /server/fapi-test-suite.jar
+      -Djdk.tls.maxHandshakeMessageSize=65536
+      --fintechlabs.base_url=https://host.docker.internal:8443
+      --fintechlabs.base_mtls_url=https://host.docker.internal:8444
+      --fintechlabs.devmode=true
+      --fintechlabs.startredir=true
+    links:
+      - mongodb:mongodb
+    depends_on:
+      - mongodb