feat: JWT bearer assertions for client authentication (#566)

Co-authored-by: Kyle Mendell <ksm@ofkm.us> Co-authored-by: Kyle Mendell <kmendell@ofkm.us> Co-authored-by: Elias Schneider <login@eliasschneider.com>
2026-02-04 13:21:45 +00:00 · 2025-06-06 03:23:51 -07:00
parent 035b2c022b
commit 05bfe00924
38 changed files with 1464 additions and 293 deletions
--- a/tests/utils/cleanup.util.ts
+++ b/tests/utils/cleanup.util.ts
@@ -1,12 +1,15 @@
 import playwrightConfig from "../playwright.config";

 export async function cleanupBackend() {
-  const response = await fetch(
-    playwrightConfig.use!.baseURL + "/api/test/reset",
-    {
-      method: "POST",
-    }
-  );
+  const url = new URL("/api/test/reset", playwrightConfig.use!.baseURL);
+
+  if (process.env.SKIP_LDAP_TESTS === "true") {
+    url.searchParams.append("skip-ldap", "true");
+  }
+
+  const response = await fetch(url, {
+    method: "POST",
+  });

  if (!response.ok) {
    throw new Error(
--- a/tests/utils/oidc.util.ts
+++ b/tests/utils/oidc.util.ts
@@ -1,7 +1,7 @@
 import type { Page } from '@playwright/test';

-async function getUserCode(page: Page, clientId: string, clientSecret: string) {
-	const response = await page.request
+export async function getUserCode(page: Page, clientId: string, clientSecret: string): Promise<string> {
+	return page.request
 		.post('/api/oidc/device/authorize', {
 			headers: {
 				'Content-Type': 'application/x-www-form-urlencoded'
@@ -12,11 +12,29 @@ async function getUserCode(page: Page, clientId: string, clientSecret: string) {
 				scope: 'openid profile email'
 			}
 		})
-		.then((r) => r.json());
-
-	return response.user_code;
+		.then((r) => r.json())
+		.then((r) => r.user_code);
 }

-export default {
-	getUserCode
-};
+export async function exchangeCode(page: Page, params: Record<string,string>): Promise<{access_token?: string, token_type?: string, expires_in?: number, error?: string}> {
+	return page.request
+		.post('/api/oidc/token', {
+			headers: {
+				'Content-Type': 'application/x-www-form-urlencoded'
+			},
+			form: params,
+		})
+		.then((r) => r.json());
+}
+
+export async function getClientAssertion(page: Page, data: {issuer: string, audience: string, subject: string}): Promise<string> {
+	return page.request
+		.post('/api/externalidp/sign', {
+			data: {
+				iss: data.issuer,
+				aud: data.audience,
+				sub: data.subject,
+			},
+		})
+		.then((r) => r.text());
+}