Add config to control whether to perform "OpenID Connect RP-Initiated Logout" when using an external OIDC provider #2590
Conversation
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/186419332 The labels on this github issue will be updated when the story is started. |
- Add test coverage on the existing behavior described in #2589 where UAA attempts to log the user out of the external OIDC provider after a successful UAA logout (this is called the RP initiated logout) [#184752215]
peterhaochen47
force-pushed
the
pr/develop/rp-initiated-logout-config
branch
from
677283f to
388ecbc
Compare
peterhaochen47
changed the title
peterhaochen47
changed the title
peterhaochen47
force-pushed
the
pr/develop/rp-initiated-logout-config
branch
from
388ecbc to
1f895f6
Compare
- New config "performRpInitiatedLogout" (default to true to preserve existing behavior) added to /identity-providers API and uaa.yml. It is a flag controlling whether to log out of the external provider after a successful UAA logout per [OIDC RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)" - doc changes [more context: #2589] [#184752215]
peterhaochen47
force-pushed
the
pr/develop/rp-initiated-logout-config
branch
from
1f895f6 to
c4b2118
Compare
| @Test | ||
| public void successfulUaaLogoutTriggersExternalOIDCProviderLogout() { | ||
| validateSuccessfulOIDCLogin(zoneUrl, testAccounts.getUserName(), testAccounts.getPassword()); | ||
|
|
||
| String externalOIDCProviderLoginPage = baseUrl; | ||
| webDriver.get(externalOIDCProviderLoginPage); | ||
| Assert.assertThat("URL validation failed", webDriver.getCurrentUrl(), endsWith("/login")); | ||
| } | ||
|
|
||
| @Test | ||
| public void successfulUaaLogoutDoesNotTriggerExternalOIDCProviderLogout_whenConfiguredNotTo() { | ||
| identityProvider.getConfig().setPerformRpInitiatedLogout(false); | ||
| updateProvider(); | ||
|
|
||
| validateSuccessfulOIDCLogin(zoneUrl, testAccounts.getUserName(), testAccounts.getPassword()); | ||
|
|
||
| String externalOIDCProviderLoginPage = baseUrl; | ||
| webDriver.get(externalOIDCProviderLoginPage); | ||
| Assert.assertThat(webDriver.getPageSource(), containsString("Where to?")); | ||
| } | ||
|
|
There was a problem hiding this comment.
I don't understand which part of the tests check whether the OIDC logout is triggered or not.
It appears that you are testing that through the currentUrl and the PageSource of the webDriver?
If the integration tests aren't more precisely checking that we are indeed logged in/our of the OIDC provider, I don't really see the added value compared to the tests in ZoneAwareWhitelistLogoutHandlerTests.java
There was a problem hiding this comment.
webDriver.get(externalOIDCProviderLoginPage);
Assert.assertThat("URL validation failed", webDriver.getCurrentUrl(), endsWith("/login"));
^ This is going to the external OIDC provider login page (which is also a UAA), and verifies that you are redirected to the UAA /login endpoint. (which only happens if the user is unauthenticated/logged-out).
Assert.assertThat(webDriver.getPageSource(), containsString("Where to?"));
This "Where to?" string only shows up on the external OIDC provider login page (which is also a UAA), if you are still logged in as an authenticated user.
I understand that this way of checking is sort of hard to read, but it's consistent with how we perform the same type of check elsewhere. The "page object" refactor sort of addresses this readability issue by including this check inside of page objects, but I don't wanna include the page objects refactor in this PR, but I make it easy to perform that refactor in the future.
|
|
||
| String externalOIDCProviderLoginPage = baseUrl; | ||
| webDriver.get(externalOIDCProviderLoginPage); | ||
| Assert.assertThat("URL validation failed", webDriver.getCurrentUrl(), endsWith("/login")); |
There was a problem hiding this comment.
Why did you decide to add "URL validation failed" as the response to a failed assertion here? I don't feel like that's going to help debug.
There was a problem hiding this comment.
I'm just following the newest existing pattern brought by the "page objects" refactor. I assumed there's some benefit to this pattern? At least shouldn't harm.
There was a problem hiding this comment.
Hmm I don't like the word "validation" in this context.
shouldn't harm
I feel like the word "validation" shouts "I'm not test code". In test code we typically "assert", "test", "check". Validation is IMO when typically when real production code needs to validate something before doing something else with it.
It "harmed" my understanding when I read the code at first. I was thinking that it was a bad copy and paste from some functional code. I didn't think we could validate in tests.
@swalchemist what do you think?
There was a problem hiding this comment.
I think I should improve that message. We should only add these assertion messages if there's no better way to improve our understanding of what the test is doing and/or what happens when it fails.
In this case, I think "We're at the right URL" works better as the message, e.g., "AssertThat ... we're at the right URL."
There was a problem hiding this comment.
Ok, how about for the purpose of this PR, I'll forget about refactoring to using the shared "validateUrl" function in the future, and just formulate a reason param that works for the test here specifically (how about reason = "Not redirected to external OIDC provider login page." as that is what I'm actually testing here), or just taking the reason param out for now.
uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OIDCLoginIT.java
Show resolved
Hide resolved
...c/test/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthLogoutHandlerTest.java
Show resolved
Hide resolved
.../java/org/cloudfoundry/identity/uaa/authentication/ZoneAwareWhitelistLogoutHandlerTests.java
Show resolved
Hide resolved
...r/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/OauthIDPWrapperFactoryBean.java
Show resolved
Hide resolved
.../main/java/org/cloudfoundry/identity/uaa/authentication/ZoneAwareWhitelistLogoutHandler.java
Show resolved
Hide resolved
.../org/cloudfoundry/identity/uaa/provider/AbstractExternalOAuthIdentityProviderDefinition.java
Show resolved
Hide resolved
- to improve readibility, in test setup, explicitly set "performRpInitiatedLogout" config to "true" (even though that is the current default) [#186127119]
.../org/cloudfoundry/identity/uaa/provider/AbstractExternalOAuthIdentityProviderDefinition.java
Show resolved
Hide resolved
...r/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthLogoutHandler.java
Outdated
Show resolved
Hide resolved
|
|
||
| String externalOIDCProviderLoginPage = baseUrl; | ||
| webDriver.get(externalOIDCProviderLoginPage); | ||
| Assert.assertThat("URL validation failed", webDriver.getCurrentUrl(), endsWith("/login")); |
There was a problem hiding this comment.
Hmm I don't like the word "validation" in this context.
shouldn't harm
I feel like the word "validation" shouts "I'm not test code". In test code we typically "assert", "test", "check". Validation is IMO when typically when real production code needs to validate something before doing something else with it.
It "harmed" my understanding when I read the code at first. I was thinking that it was a bad copy and paste from some functional code. I didn't think we could validate in tests.
@swalchemist what do you think?
.../main/java/org/cloudfoundry/identity/uaa/authentication/ZoneAwareWhitelistLogoutHandler.java
Show resolved
Hide resolved
- no need to use the Object Boolean when primitive boolean will do [#184752215]
peterhaochen47
changed the title
peterhaochen47
added
in_review
[#184752215]
|
Review. 2 remarks from sonar 1 smell about raw type usage https://sonarcloud.io/project/issues?resolved=false&sinceLeakPeriod=true&types=CODE_SMELL&pullRequest=2590&id=cloudfoundry-identity-parent&open=AYunIauC0iXdSBD0Oshu |
- based on Sonar scan suggestion [#184752215]
type parameters)." - based on Sonar scan suggestion [#184752215]
Thanks! I've addressed all the ones I can. |
- a new oidc/oauth provider config "performRpInitiatedLogout" is added in cloudfoundry/uaa#2590 - this repo only requires an addition in the example config provided in the spec file (since uaa-release passes through the oauth/oidc provider config to uaa server verbatim, so no new translation logic required when adding a new config on this layer) - add the field to tests [#184752215]
- a new oidc/oauth provider config "performRpInitiatedLogout" is added in cloudfoundry/uaa#2590 - this repo only requires an addition in the example config provided in the spec file (since uaa-release passes through the oauth/oidc provider config to uaa server verbatim, so no new translation logic required when adding a new config on this layer) - add the field to tests [#184752215]
- a new oidc/oauth provider config "performRpInitiatedLogout" is added in cloudfoundry/uaa#2590 - this repo only requires an addition in the example config provided in the spec file (since uaa-release passes through the oauth/oidc provider config to uaa server verbatim, so no new translation logic required when adding a new config on this layer) - add the field to tests [#184752215]
Fixes #2589
Notes for reviewer:
performRpInitiatedLogout:SSOLogout,performSSOLogoutOnIdpAfterUAALogout,triggerExternalOIDCProviderLogoutetc.