Skip to content

Add OIDC authentication flows tests for federation #3575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
xek wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add OIDC authentication flows tests for federation #3575

xek wants to merge 1 commit into from
+777 −11

Conversation

@xek
Copy link
Contributor

@xek xek commented Dec 23, 2025

This adds support for testing all OIDC authentication methods:

  • v3oidcpassword (Resource Owner Password Credentials)
  • v3oidcclientcredentials (Client Credentials)
  • v3oidcaccesstoken (Access Token Reuse)
  • v3oidcauthcode (Authorization Code)

New features:

  • Templates for each OIDC auth method configuration
  • Helper script to obtain tokens from Keycloak
  • Keycloak client setup for Service Accounts and Device Auth
  • Comprehensive test suite with assertions
  • Updated README with full documentation

Note: v3oidcdeviceauthz requires Python 3.10+ and is not
available in OSP18 which ships with Python 3.9.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 23, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@xek xek force-pushed the oidc-auth-tests branch 2 times, most recently from c2c5b11 to 133a0b4 Compare December 23, 2025 15:30
@softwarefactory-project-zuul
Copy link

softwarefactory-project-zuul bot commented Dec 23, 2025

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/6784616a5ea14ec68f0010c05d3dfdeb

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 36m 26s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 23m 55s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 37m 52s
cifmw-crc-podified-edpm-baremetal-minor-update FAILURE in 2h 22m 47s
✔️ cifmw-pod-zuul-files SUCCESS in 4m 48s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 59s
cifmw-pod-pre-commit FAILURE in 8m 09s
✔️ cifmw-molecule-federation SUCCESS in 1m 42s

@xek xek force-pushed the oidc-auth-tests branch from 133a0b4 to fdd1f2d Compare January 2, 2026 12:03
@softwarefactory-project-zuul
Copy link

softwarefactory-project-zuul bot commented Jan 2, 2026

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/888f51a660624496a38dbb9ea0ba7425

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 35m 57s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 24m 17s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 43m 29s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 2h 17m 29s
✔️ cifmw-pod-zuul-files SUCCESS in 23m 51s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 24s
cifmw-pod-pre-commit FAILURE in 8m 03s
✔️ cifmw-molecule-federation SUCCESS in 1m 43s

jagee
jagee reviewed Jan 7, 2026
View reviewed changes
Copy link
Contributor

@jagee jagee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything looks good to me, just wanted see if you though we should remove one duplicate auth test from the older code.

@xek xek force-pushed the oidc-auth-tests branch 2 times, most recently from d7646fa to ab83014 Compare January 22, 2026 12:03
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 22, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign deydra71 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@xek
Add OIDC authentication flows tests for federation
63dd522 
This adds support for testing all OIDC authentication methods:
- v3oidcpassword (Resource Owner Password Credentials)
- v3oidcclientcredentials (Client Credentials)
- v3oidcaccesstoken (Access Token Reuse)
- v3oidcauthcode (Authorization Code)

Note: v3oidcdeviceauthz requires Python 3.10+ and is not
available in OSP18 which ships with Python 3.9.
@xek xek force-pushed the oidc-auth-tests branch from ab83014 to 63dd522 Compare January 22, 2026 12:29
@xek xek marked this pull request as ready for review January 22, 2026 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jagee jagee jagee left review comments

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@xek @jagee