Add OpenID Connect integration tests #49111
Labels
:Security/Authentication
Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)
Team:Security
Meta label for security team
>test
Issues or PRs that are addressing/adding tests
Given the async nature of OpenID Connect authentication and the back-channel communication required with the userinfo and token endpoints, unit tests such as the ones in OpenIdConnectAuthenticatorTests do not provide sufficient coverage.
Currently we only have OpenidConnectAuthenticationIT, which uses a live OpenID provider to perform tests that cover expected functionality with the authentication flows. We should also add additional integration tests that use a mock OP (a mock HTTP server should suffice) that can create malicious and/or malformed responses and tokens in response to proper requests. This would allow us to verify that our behavior is the proper one in such cases also, and help prevent additional bugs such as the one fixed in #49080.
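A sketch of the mock-OP approach proposed above, added here as an example and not Elasticsearch test code: a local HTTP server plays the token endpoint and returns one well-formed and several malformed responses, and a relying-party check must accept only the first. It is written in Python rather than the project's Java to stay short, assumes HS256-signed ID tokens, and every name (`MockOP`, `rp_accepts`, `run_cases`) and value in it is constructed.

```python
import base64, hashlib, hmac, http.client, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
SECRET, ISSUER = b"constructed-secret", "https://op.example.test"  # constructed values

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def id_token(alg="HS256", iss=ISSUER, key=SECRET):
    signed = b64(json.dumps({"alg": alg}).encode()) + "." + b64(json.dumps({"iss": iss}).encode())
    mac = hmac.new(key, signed.encode(), hashlib.sha256).digest()
    return json.dumps({"id_token": signed + "." + (b64(mac) if alg == "HS256" else "")})

CASES = {  # token-endpoint bodies the mock OP returns, keyed by request path
    "/ok": id_token(),
    "/not-json": "<html>error</html>",
    "/no-id-token": json.dumps({"access_token": "x"}),
    "/alg-none": id_token(alg="none"),
    "/bad-signature": id_token(key=b"other-key"),
    "/wrong-issuer": id_token(iss="https://other.example.test"),
}

class MockOP(BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain request body
        self.send_response(200)
        self.end_headers()
        self.wfile.write(CASES[self.path].encode())

def rp_accepts(port, path):  # hypothetical relying-party check, not Elasticsearch code
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", path, body=b"code=constructed")
    try:
        head, body, sig = json.loads(conn.getresponse().read())["id_token"].split(".")
        mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        return (json.loads(unb64(head)).get("alg") == "HS256"
                and hmac.compare_digest(unb64(sig), mac)
                and json.loads(unb64(body)).get("iss") == ISSUER)
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

def run_cases():
    with HTTPServer(("127.0.0.1", 0), MockOP) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return {path: rp_accepts(server.server_port, path) for path in CASES}
        finally:
            server.shutdown()
```

`run_cases()` returns a dict mapping each path to whether the response was accepted; a new malformed case is one more entry in `CASES`.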