docs: example of testing pkce against split resource server #1600
Comments
@xenoterracide I don't understand what you are looking for? The heading says "testing pkce against split resource server" but PKCE is validated by the authorization server.
Are you just looking to stand up an authorization server for integration testing purposes? If so, see gh-258
Yes, partially, same use case. I had assumed this was a matter of documentation at this point. My plan was to start a separate server which would avoid the bean conflict. Although I don't particularly have a problem with an in-JVM approach... I could say that I also don't think this particular flow is simply documented. Maybe it's just me that I prefer my docs to exist largely as "curl"/raw http instead of having to write a full frontend app in addition to my separated resource/idp server (other examples also seem to be bundling these into one server). Note: I appreciate that example existing, it's just a lot to traverse to get to the simplest thing that can possibly work.
What I'm looking for is something like these details (when using the defaults). https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#replace-implicit-flow-with-pkce One could argue that an example test of the server here might be enough, or at least a major step in the right direction. https://docs.spring.io/spring-authorization-server/reference/guides/how-to-pkce.html
@xenoterracide See gh-258 as I provided an "UPDATE" to the integration test support forthcoming. There is a branch and link to an integration test that shows how to start up a Spring Authorization Server (with custom config) for integration testing purposes. I'll close this as a duplicate.
So what's wrong with this request?
From what I can tell I'm calling with the correct parameters. I'm guessing it's the 3rd message,
but explicitly in PKCE /login happens AFTER /authorize. There are some things in there that aren't standard, but I'm not certain they should affect anything.
So I'd like to isolate this from a complete e2e example. I'm aware of that example, it's just kind of huge.
What I'd like is a lite example of "stub servers" that could be used to fake something like auth0. Mostly for "integration" testing to avoid exposing the real auth0 tokens. I don't want to use a real web browser to test that my configuration is correct, and stays that way.
Looking at #426 I need to go see if I ever figured it out as my last comment was about 30 seconds before my life went sideways. I don't think I actually did though.