Skip to content

feat: add a helper for asserting JWT Client Auth claims and header #303

feat: add a helper for asserting JWT Client Auth claims and header

feat: add a helper for asserting JWT Client Auth claims and header #303

Workflow file for this run

name: Conformance Checks
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '55 11 * * 1'
workflow_dispatch:
jobs:
build:
if: ${{ github.repository == 'panva/node-oidc-provider' || github.event_name == 'workflow_dispatch' }}
uses: panva/.github/.github/workflows/build-conformance-suite.yml@main
run:
runs-on: ubuntu-latest
needs:
- build
env:
SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
SETUP: ${{ toJSON(matrix.setup) }}
strategy:
fail-fast: false
matrix:
setup:
# OP Basic
- plan: oidcc-basic-certification-test-plan
# OP Hybrid
- plan: oidcc-hybrid-certification-test-plan
# OP Implicit
- plan: oidcc-implicit-certification-test-plan
# OP Dynamic
- plan: oidcc-dynamic-certification-test-plan
response_type: code
- plan: oidcc-dynamic-certification-test-plan
response_type: id_token
- plan: oidcc-dynamic-certification-test-plan
response_type: id_token token
- plan: oidcc-dynamic-certification-test-plan
response_type: code id_token
- plan: oidcc-dynamic-certification-test-plan
response_type: code token
- plan: oidcc-dynamic-certification-test-plan
response_type: code id_token token
# RP-Initiated OP
- plan: oidcc-rp-initiated-logout-certification-test-plan
# Back-Channel OP
- plan: oidcc-backchannel-rp-initiated-logout-certification-test-plan
# FAPI 2.0 Security Profile ID2
- plan: fapi2-security-profile-id2-test-plan
client_auth_type: private_key_jwt
sender_constrain: dpop
openid: openid_connect
- plan: fapi2-security-profile-id2-test-plan
client_auth_type: private_key_jwt
sender_constrain: dpop
openid: plain_oauth
- plan: fapi2-security-profile-id2-test-plan
client_auth_type: private_key_jwt
sender_constrain: mtls
openid: openid_connect
- plan: fapi2-security-profile-id2-test-plan
client_auth_type: private_key_jwt
sender_constrain: mtls
openid: plain_oauth
- plan: fapi2-security-profile-id2-test-plan
client_auth_type: mtls
sender_constrain: dpop
openid: openid_connect
- plan: fapi2-security-profile-id2-test-plan
client_auth_type: mtls
sender_constrain: dpop
openid: plain_oauth
- plan: fapi2-security-profile-id2-test-plan
client_auth_type: mtls
sender_constrain: mtls
openid: openid_connect
- plan: fapi2-security-profile-id2-test-plan
client_auth_type: mtls
sender_constrain: mtls
openid: plain_oauth
# FAPI 2.0 Message Signing ID1
- plan: fapi2-message-signing-id1-test-plan
client_auth_type: private_key_jwt
sender_constrain: dpop
openid: openid_connect
- plan: fapi2-message-signing-id1-test-plan
client_auth_type: private_key_jwt
sender_constrain: dpop
openid: plain_oauth
- plan: fapi2-message-signing-id1-test-plan
client_auth_type: private_key_jwt
sender_constrain: mtls
openid: openid_connect
- plan: fapi2-message-signing-id1-test-plan
client_auth_type: private_key_jwt
sender_constrain: mtls
openid: plain_oauth
- plan: fapi2-message-signing-id1-test-plan
client_auth_type: mtls
sender_constrain: dpop
openid: openid_connect
- plan: fapi2-message-signing-id1-test-plan
client_auth_type: mtls
sender_constrain: dpop
openid: plain_oauth
- plan: fapi2-message-signing-id1-test-plan
client_auth_type: mtls
sender_constrain: mtls
openid: openid_connect
- plan: fapi2-message-signing-id1-test-plan
client_auth_type: mtls
sender_constrain: mtls
openid: plain_oauth
# FAPI 1.0 Advanced (Final)
- plan: fapi1-advanced-final-test-plan
fapi_auth_request_method: by_value
client_auth_type: private_key_jwt
fapi_response_mode: plain_response
- plan: fapi1-advanced-final-test-plan
fapi_auth_request_method: pushed
client_auth_type: private_key_jwt
fapi_response_mode: plain_response
- plan: fapi1-advanced-final-test-plan
fapi_auth_request_method: by_value
client_auth_type: private_key_jwt
fapi_response_mode: jarm
- plan: fapi1-advanced-final-test-plan
fapi_auth_request_method: pushed
client_auth_type: private_key_jwt
fapi_response_mode: jarm
- plan: fapi1-advanced-final-test-plan
fapi_auth_request_method: by_value
client_auth_type: mtls
fapi_response_mode: plain_response
- plan: fapi1-advanced-final-test-plan
fapi_auth_request_method: pushed
client_auth_type: mtls
fapi_response_mode: plain_response
- plan: fapi1-advanced-final-test-plan
fapi_auth_request_method: by_value
client_auth_type: mtls
fapi_response_mode: jarm
- plan: fapi1-advanced-final-test-plan
fapi_auth_request_method: pushed
client_auth_type: mtls
fapi_response_mode: jarm
# FAPI RW-CIBA-ID1
- plan: fapi-ciba-id1-test-plan
client_auth_type: private_key_jwt
ciba_mode: poll
- plan: fapi-ciba-id1-test-plan
client_auth_type: private_key_jwt
ciba_mode: ping
- plan: fapi-ciba-id1-test-plan
client_auth_type: mtls
ciba_mode: poll
- plan: fapi-ciba-id1-test-plan
client_auth_type: mtls
ciba_mode: ping
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup node
uses: actions/setup-node@v4
with:
node-version: lts/*
cache: 'npm'
- run: npm clean-install
- name: Run oidc-provider (OIDC)
run: |
set -o pipefail
node certification/oidc/docker |& tee server.log &
if: ${{ startsWith(matrix.setup.plan, 'oidcc') }}
env:
PORT: 3000
DEBUG: oidc-provider:*
ISSUER: https://172.17.0.1:3000
NODE_TLS_REJECT_UNAUTHORIZED: 0
- name: Run oidc-provider (FAPI)
run: |
set -o pipefail
node certification/fapi |& tee server.log &
if: ${{ startsWith(matrix.setup.plan, 'fapi') }}
env:
ISSUER: https://172.17.0.1:3000
PORT: 3000
DEBUG: oidc-provider:*
NODE_OPTIONS: --tls-cipher-list="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384"
NODE_TLS_REJECT_UNAUTHORIZED: 0
- name: Set Conformance Suite Version
run: |
export VERSION=($(curl --silent "https://gitlab.com/api/v4/projects/4175605/releases" | jq -r '.[0].tag_name'))
echo "VERSION=$VERSION" >> $GITHUB_ENV
- name: Load Cached Conformance Suite Build
uses: actions/cache@v4
id: cache
with:
path: ./conformance-suite
key: ${{ needs.build.outputs.cache-key }}
fail-on-cache-miss: true
- name: Run Conformance Suite
working-directory: ./conformance-suite
run: |
docker compose -f docker-compose-dev.yml up -d
while ! curl -skfail https://localhost.emobix.co.uk:8443/api/runner/available >/dev/null; do sleep 2; done
- name: Adjust configuration files for CI
run: |
sed -i -e 's/op.panva.cz/172.17.0.1:3000/g' certification/oidc/plan.json
sed -i -e 's/mtls.fapi.panva.cz/172.17.0.1:3000/g' certification/fapi/plan.json
sed -i -e 's/fapi.panva.cz/172.17.0.1:3000/g' certification/fapi/plan.json
- name: Run the plan
run: npx mocha --timeout 0 --retries 1 certification/runner
env:
NODE_TLS_REJECT_UNAUTHORIZED: 0
- name: Add server log to artifact
if: ${{ failure() }}
run: |
zip -ur ${{ env.EXPORT_FILE }} server.log
- name: Upload test artifacts
uses: actions/upload-artifact@v4
with:
path: export-*.zip
name: certification html results idx(${{ strategy.job-index }})
if-no-files-found: ignore
if: ${{ always() }}
- name: Stop Conformance Suite
working-directory: ./conformance-suite
run: |
killall -SIGINT node
docker compose -f docker-compose-dev.yml down
sudo rm -rf mongo