plugin/pkg/auth/authenticator/token/oidc: update test to new go-oidc types

The provider config has changed a little bit in go-oidc. It is more complete and now throws errors when unmarshaling provider configs that are missing required fields (as defined by the OpenID Connect Discovery spec). Update the oidc plugin to use the new type.
2025-08-09 20:17:41 +00:00 · 2016-03-01 11:37:00 -08:00 · 2016-03-01 11:37:00 -08:00 · 8df55ddbe5
commit 8df55ddbe5
parent 3df0ca5bf9
2 changed files with 27 additions and 15 deletions
--- a/plugin/pkg/auth/authenticator/token/oidc/oidc.go
+++ b/plugin/pkg/auth/authenticator/token/oidc/oidc.go
@ -99,10 +99,6 @@ func New(issuerURL, clientID, caFile, usernameClaim, groupsClaim string) (*OIDCA

 	glog.Infof("Fetched provider config from %s: %#v", issuerURL, cfg)

-	if cfg.KeysEndpoint == "" {
-		return nil, fmt.Errorf("OIDC provider must provide 'jwks_uri' for public key discovery")
-	}
-
 	ccfg := oidc.ClientConfig{
 		HTTPClient:     hc,
 		Credentials:    oidc.ClientCredentials{ID: clientID},
--- a/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
+++ b/plugin/pkg/auth/authenticator/token/oidc/oidc_test.go
@ -31,6 +31,7 @@ import (
 	"net"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"os"
 	"path"
 	"path/filepath"
@ -70,8 +71,16 @@ func newOIDCProvider(t *testing.T) *oidcProvider {

 }

+func mustParseURL(t *testing.T, s string) *url.URL {
+	u, err := url.Parse(s)
+	if err != nil {
+		t.Fatalf("Failed to parse url: %v", err)
+	}
+	return u
+}
+
 func (op *oidcProvider) handleConfig(w http.ResponseWriter, req *http.Request) {
-	b, err := json.Marshal(op.pcfg)
+	b, err := json.Marshal(&op.pcfg)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@ -203,7 +212,7 @@ func TestOIDCDiscoveryTimeout(t *testing.T) {

 func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) {
 	var err error
-	expectErr := fmt.Errorf("OIDC provider must provide 'jwks_uri' for public key discovery")
+	expectErr := fmt.Errorf("failed to fetch provider config after 3 retries")

 	cert := path.Join(os.TempDir(), "oidc-cert")
 	key := path.Join(os.TempDir(), "oidc-key")
@ -225,7 +234,7 @@ func TestOIDCDiscoveryNoKeyEndpoint(t *testing.T) {
 	// defer srv.Close()

 	op.pcfg = oidc.ProviderConfig{
-		Issuer: srv.URL,
+		Issuer: mustParseURL(t, srv.URL), // An invalid ProviderConfig. Keys endpoint is required.
 	}

 	_, err = New(srv.URL, "client-foo", cert, "sub", "")
@ -245,8 +254,8 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) {
 	// defer srv.Close()

 	op.pcfg = oidc.ProviderConfig{
-		Issuer:       srv.URL,
-		KeysEndpoint: srv.URL + "/keys",
+		Issuer:       mustParseURL(t, srv.URL),
+		KeysEndpoint: mustParseURL(t, srv.URL+"/keys"),
 	}

 	expectErr := fmt.Errorf("'oidc-issuer-url' (%q) has invalid scheme (%q), require 'https'", srv.URL, "http")
@ -282,8 +291,8 @@ func TestOIDCDiscoverySecureConnection(t *testing.T) {
 	// defer tlsSrv.Close()

 	op.pcfg = oidc.ProviderConfig{
-		Issuer:       tlsSrv.URL,
-		KeysEndpoint: tlsSrv.URL + "/keys",
+		Issuer:       mustParseURL(t, tlsSrv.URL),
+		KeysEndpoint: mustParseURL(t, tlsSrv.URL+"/keys"),
 	}

 	// Create a client using cert2, should fail.
@ -317,9 +326,15 @@ func TestOIDCAuthentication(t *testing.T) {
 	// TODO: Uncomment when fix #19254
 	// defer srv.Close()

+	// A provider config with all required fields.
 	op.pcfg = oidc.ProviderConfig{
-		Issuer:       srv.URL,
-		KeysEndpoint: srv.URL + "/keys",
+		Issuer:                  mustParseURL(t, srv.URL),
+		AuthEndpoint:            mustParseURL(t, srv.URL+"/auth"),
+		TokenEndpoint:           mustParseURL(t, srv.URL+"/token"),
+		KeysEndpoint:            mustParseURL(t, srv.URL+"/keys"),
+		ResponseTypesSupported:  []string{"code"},
+		SubjectTypesSupported:   []string{"public"},
+		IDTokenSigningAlgValues: []string{"RS256"},
 	}

 	tests := []struct {
@ -371,7 +386,7 @@ func TestOIDCAuthentication(t *testing.T) {
 			op.generateMalformedToken(t, srv.URL, "client-foo", "client-foo", "sub", "user-foo", "", nil),
 			nil,
 			false,
-			"malformed JWS, unable to decode signature",
+			"oidc: unable to verify JWT signature: no matching keys",
 		},
 		{
 			// Invalid 'aud'.
@ -404,7 +419,8 @@ func TestOIDCAuthentication(t *testing.T) {
 	for i, tt := range tests {
 		client, err := New(srv.URL, "client-foo", cert, tt.userClaim, tt.groupsClaim)
 		if err != nil {
-			t.Fatalf("Unexpected error: %v", err)
+			t.Errorf("Unexpected error: %v", err)
+			continue
 		}

 		user, result, err := client.AuthenticateToken(tt.token)