molgenis / molgenis-service-armadillo

Armadillo; a DataSHIELD implementation, part of the MOLGENIS suite
https://molgenis.github.io/molgenis-service-armadillo/
GNU Lesser General Public License v3.0

Cannot run tests with resources on CI #675

Open marikaris opened 6 months ago

marikaris commented 6 months ago

Because it's not possible to retrieve resources without an OIDC token at the moment. When we implemented the resources part, we thought it wasn't necessary to be able to access it via basic auth, so we didn't implement it, although it is possible: https://github.com/obiba/resourcer/blob/f6becda6ed2e7e0bc5e7595e885b2b0f39f42e43/R/HttpFileResourceGetter.R#L51

In order to run tests which retrieve resources in the CI, we need to be able to retrieve resources via basic auth, so we can run those tests.

clemens-tolboom commented 5 months ago

The answer below from CoPilot boils down to using a browser ... not sure it's correct

Yes, you can automate testing with the Device login OIDC flow, but it's a bit more complex due to the nature of the flow. Here's a high-level overview of how you might approach it:

1. Initiate the Device Authorization Request: Your test script sends a POST request to the device authorization endpoint of your OIDC provider⁵. The request will include parameters like client_id and scope⁵.

2. Handle the Device Authorization Response: The OIDC provider responds with a device_code, user_code, verification_uri, and expires_in⁵. Your script should store these values for the next steps⁵.

3. Automate User Interaction: This is the tricky part. In a real-world scenario, the user would manually enter the user_code at the verification_uri⁵. For testing, you might need to simulate this step. Depending on your OIDC provider's setup, you could use a tool like Selenium to automate this interaction¹.

4. Poll the Token Endpoint: While the user interaction is being simulated, your script starts polling the token endpoint using the device_code⁵. Once the user (or your automated Selenium script) completes the interaction, the server will respond with an access token⁵.

5. Use the Access Token: Now that you have an access token, you can use it to authenticate API requests in your tests⁵.

Remember, the specifics of this process can vary depending on your OIDC provider's implementation of the Device flow⁵. Always refer to your provider's documentation for the most accurate information. Also, ensure that any automated testing does not compromise the security of your application.

Source: Conversation with Bing, 14/03/2024
(1) OAuth 2.0 Device Authorization Grant. https://oauth.net/2/device-flow/
(2) java - Automated Tests: OIDC: Authorization Code Flow with PKCE: Login .... https://stackoverflow.com/questions/72447453/automated-tests-oidc-authorization-code-flow-with-pkce-login-credentials
(3) Authorization Code Flow with OIDC. https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-auth-code-flow
(4) Automated API testing of OAuth2/OpenID Connect protected API. https://stackoverflow.com/questions/39180008/automated-api-testing-of-oauth2-openid-connect-protected-api
(5) Signing in users with OIDC | Identity Platform Documentation - Google Cloud. https://cloud.google.com/identity-platform/docs/web/oidc
(6) undefined. https://app.example.com/callback
(7) undefined. https://api.example.com
(8) undefined. https://app.example.com/callback?
(9) undefined. https://yourApp/callback
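The five steps in the CoPilot answer above, written out as a runnable exchange between a device-flow client and a provider. This is an added example, not code from the issue thread, from Armadillo or from any OIDC provider: the provider is an in-process mock that only produces the RFC 8628 messages (no HTTP), and `CLIENT_ID`, `SCOPE` and `VERIFICATION_URI` are constructed values. The parts a CI script has to get right are the ones the answer glosses over: the `interval` the provider advertises, the `slow_down`, `authorization_pending` and `expired_token` errors returned while polling, and the fact that the `device_code` is a secret bound to the requesting `client_id` while the `user_code` is the only value a person (or a browser automation) ever sees.

```python
"""RFC 8628 device authorization grant: client polling loop plus an in-process
mock provider so the exchange runs offline. Added example, not code from the
issue or from Armadillo; client_id, scope and endpoint URL are constructed."""
import secrets
import string

CLIENT_ID = "armadillo-ci-tests"                       # hypothetical client registration
SCOPE = "openid email"
VERIFICATION_URI = "https://idp.example.org/device"    # placeholder provider URL


class FakeClock:
    """Deterministic time, so the example never sleeps; actions can be scheduled."""

    def __init__(self):
        self.now, self._scheduled = 0, []

    def at(self, when, action):
        self._scheduled.append((when, action))

    def sleep(self, seconds):
        self.now += seconds
        due = [a for t, a in self._scheduled if t <= self.now]
        self._scheduled = [(t, a) for t, a in self._scheduled if t > self.now]
        for action in due:
            action()


class MockProvider:
    """Provider side: device authorization endpoint and token endpoint, messages only."""

    def __init__(self, clock, lifetime=600, interval=5):
        self.clock, self.lifetime, self.interval = clock, lifetime, interval
        self._pending = {}     # device_code -> request record
        self._last_poll = {}   # device_code -> time of the previous token request

    def device_authorization(self, client_id, scope):
        device_code = secrets.token_urlsafe(32)   # high entropy; only the client ever sees it
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits)
                            for _ in range(8))    # short enough for a person to type
        self._pending[device_code] = {"client_id": client_id, "scope": scope, "approved": False,
                                      "user_code": user_code,
                                      "expires_at": self.clock.now + self.lifetime}
        return {"device_code": device_code, "user_code": user_code, "interval": self.interval,
                "verification_uri": VERIFICATION_URI, "expires_in": self.lifetime}

    def approve(self, user_code):
        """What a person (or browser automation in CI) does at verification_uri."""
        matches = [r for r in self._pending.values() if r["user_code"] == user_code]
        for record in matches:
            record["approved"] = True
        return bool(matches)

    def token(self, device_code, client_id):
        record = self._pending.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}      # unknown code, or a different client polling
        if self.clock.now > record["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        last = self._last_poll.get(device_code)
        self._last_poll[device_code] = self.clock.now
        if last is not None and self.clock.now - last < self.interval:
            return {"error": "slow_down"}          # client ignored the advertised interval
        if not record["approved"]:
            return {"error": "authorization_pending"}
        del self._pending[device_code]             # device code is single use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": record["scope"]}


def run_device_flow(provider, clock, client_id, scope, simulate_user, max_polls=200):
    """Client side. simulate_user(user_code, verification_uri) stands in for the manual step."""
    auth = provider.device_authorization(client_id, scope)
    interval = auth.get("interval", 5)
    simulate_user(auth["user_code"], auth["verification_uri"])
    for _ in range(max_polls):
        clock.sleep(interval)                      # never poll faster than the provider asked
        resp = provider.token(auth["device_code"], client_id)
        if "access_token" in resp:
            return resp
        if resp.get("error") == "slow_down":
            interval += 5                          # RFC 8628 section 3.5: back off by 5 seconds
        elif resp.get("error") != "authorization_pending":
            raise RuntimeError("device flow failed: " + resp.get("error", "unknown"))
    raise RuntimeError("device flow gave up after %d polls" % max_polls)


def flow_with_user_delay(user_delay):
    """Run the flow against the mock with a user who approves user_delay seconds after
    seeing the code; returns the token (or the error) and how long the client waited."""
    clock = FakeClock()
    provider = MockProvider(clock)

    def simulate_user(user_code, verification_uri):
        # In CI this is where a browser automation would enter user_code at verification_uri.
        clock.at(clock.now + user_delay, lambda: provider.approve(user_code))

    try:
        token = run_device_flow(provider, clock, CLIENT_ID, SCOPE, simulate_user)
        return {"token": token, "elapsed": clock.now, "error": None}
    except RuntimeError as exc:
        return {"token": None, "elapsed": clock.now, "error": str(exc)}
```

`flow_with_user_delay(12)` returns a Bearer token after three polls (15 seconds on the fake clock), while `flow_with_user_delay(700)` runs past the 600-second code lifetime and ends with `expired_token`. The only piece that cannot be mocked away in a real CI job is `simulate_user`, the browser step the thread is unsure about; that is exactly what the basic-auth route proposed in the opening comment would sidestep.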