-
Notifications
You must be signed in to change notification settings - Fork 603
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add tests for scenarios to cover retrieving caller claims from multiple tokens #26878
add tests for scenarios to cover retrieving caller claims from multiple tokens #26878
Conversation
#build |
Your personal build request is at https://wasrtc.hursley.ibm.com:9443/jazz/resource/itemOid/com.ibm.team.build.BuildResult/_By9lYH6uEe6pmuZkFgD-jA Target locations of links might be accessible only to IBM employees. |
The build arunavemulapalli-26878-20231108-2022 For help analyzing your personal build, go to https://libh-proxy1.fyre.ibm.com/cognitive/buildAnalysis.html?uuid=_By9lYH6uEe6pmuZkFgD-jA |
L2 message review not required. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggested changes
@@ -298,3 +298,8 @@ pkceCodeChallengeMethod.S256=S256 | |||
|
|||
tokenRequestOriginHeader=Token request origin header | |||
tokenRequestOriginHeader.desc=Specifies the value to use in the Origin HTTP header that is included in the HTTP POST request to the token endpoint of the OpenID Connect provider. If not specified, an Origin HTTP header is not included in the request. | |||
|
|||
tokenOrderToFetchCallerClaims=Specify one or more tokens to fetch caller claims | |||
tokenOrderToFetchCallerClaims.desc=Specifies the order of the token/s to fetch the caller name and group claim values. If the claim does not exist in the first token, then the OpenID Connect client will continue the search with other tokens in the list |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Change "the order of the token/s" to "token order"
Info: Current style guidelines ask us to use plural ("tokens" instead of "token/s"). With the suggested change you don't need to specify plural.
- Change "will continue" to "continues"
- Add a period to the end of the last sentence
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tokenOrderToFetchCallerClaims=Specify one or more tokens to fetch caller claims | ||
tokenOrderToFetchCallerClaims.desc=Specifies the order of the token/s to fetch the caller name and group claim values. If the claim does not exist in the first token, then the OpenID Connect client will continue the search with other tokens in the list | ||
tokenOrderToFetchCallerClaims.IDToken=Use IDToken only to determine the caller claims | ||
tokenOrderToFetchCallerClaims.ACCESSAndIDAndUITokens=Use AccessToken, IDToken and Userinfo tokens in this order, to determine the caller claims. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add a comma after "IDToken" and remove the comma after "order" >>
"Use AccessToken, IDToken, and Userinfo tokens in this order to determine the caller claims."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
addressed this review comment in the runtime , config PR - #26719
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#26719 looks good. I'll add the ID reviewed label to this PR. Thanks for making the changes!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think my comments can be addressed with a follow on work item
/** | ||
* testing tokenOrderTofetchCallerClaims="Access Token IDToken Userinfo" | ||
* caller group claim exist in idtoken and userinfo | ||
* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IdToken and acess_token
} | ||
|
||
/** | ||
* testing tokenOrderTofetchCallerClaims="Access Token IDToken Userinfo" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IDToken
|
||
/******************************* tests *******************************/ | ||
/** | ||
* testing tokenOrderTofetchCallerClaims="Access Token IDToken Userinfo" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IDToken
/******************************* tests *******************************/ | ||
/** | ||
* testing tokenOrderTofetchCallerClaims="Access Token IDToken Userinfo" | ||
* caller group claim exist in all tokens only |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
access_token and userinfo only
} | ||
|
||
/** | ||
* testing tokenOrderTofetchCallerClaims="Access Token IDToken Userinfo" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IDToken
|
||
} | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- I would suggest adding some tests that contain the claim that is being tested with different/alt values. If the search order is TOKEN_ORDER_ACCESSTOKEN_IDTOKEN_USERINFO, have access_token contain the claim as expected and then have id_token and userinfo contain some other value (cases with different values and others with a superset of the value in the access_token)
- Have configs with different multiple token orders - such as TOKEN_ORDER_ACCESSTOKEN_IDTOKEN_USERINFO and TOKEN_ORDER_USERINFO_IDTOKEN_ACCESSTOKEN, ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks @c00crane for the review |
#libby |
#build |
Your personal build request is at https://wasrtc.hursley.ibm.com:9443/jazz/resource/itemOid/com.ibm.team.build.BuildResult/_HC7TwIAaEe6pmuZkFgD-jA Target locations of links might be accessible only to IBM employees. |
The build arunavemulapalli-26878-20231110-1601 |
3af0967
to
e74de8a
Compare
#build |
Your personal build request is at https://libh-proxy1.fyre.ibm.com/cognitive/pipelineAnalysis.html?uuid=56aca1b4-0b79-473f-a9fa-987ae1414ce2 Target locations of links might be accessible only to IBM employees. |
Your personal build request is at https://wasrtc.hursley.ibm.com:9443/jazz/resource/itemOid/com.ibm.team.build.BuildResult/_2zIRAYDtEe6tffXfLjKGSA Target locations of links might be accessible only to IBM employees. |
The build arunavemulapalli-26878-20231111-1704 For help analyzing your personal build, go to https://libh-proxy1.fyre.ibm.com/cognitive/buildAnalysis.html?uuid=_2zIRAYDtEe6tffXfLjKGSA |
#libby |
Code analysis and actionsDO NOT DELETE THIS COMMENT.
|
Fixes fetch caller claims from multiple tokens - tests #26889
For Support to Obtain the Role Information from the Access Token / OIDC Configuration #25460