test: Add automated test for service account token acquisition (ADR-002 Tier 1)
Add comprehensive automated integration test for Keycloak service account token acquisition via client_credentials grant, validating ADR-002 Tier 1 implementation for external IdP mode. Changes: - Add keycloak_oauth_client fixture in tests/conftest.py - Creates KeycloakOAuthClient instance for service account operations - Session-scoped fixture with automatic cleanup - Discovers Keycloak endpoints automatically - Add test_keycloak_service_account_token_acquisition test - Tests client_credentials grant token acquisition - Verifies token response structure (access_token, token_type, expires_in) - Validates token works with Nextcloud APIs via capabilities endpoint - Documents limitation for Nextcloud OIDC app (integrated mode) - Update ADR-002 documentation - Mark automated test as complete (✅) - Document supported providers (Keycloak ✅, Nextcloud OIDC app ❌) - Add note that KeycloakOAuthClient is provider-agnostic - Clarify that Nextcloud OIDC app support requires config only Test results: - ✅ Service account token acquired successfully (300s expiry, Bearer type) - ✅ Token validated by Nextcloud user_oidc app - ✅ Token works with Nextcloud capabilities API Note: Nextcloud OIDC app (integrated mode) service account token support not yet implemented. See app.py:631-635 for current status. Resolves: "TODO: Automated integration tests needed for both Keycloak and Nextcloud OIDC app" from ADR-002
This commit is contained in:
@@ -51,8 +51,14 @@ We will implement a **tiered OAuth authentication strategy** for background oper
|
||||
- Background worker uses service account token directly
|
||||
- No user-specific delegation or impersonation
|
||||
- **Implementation**: `KeycloakOAuthClient.get_service_account_token()` (keycloak_oauth.py:341-395)
|
||||
- **Testing**: Manual test in `tests/manual/test_token_exchange.py`
|
||||
- **TODO**: Automated integration tests needed for both Keycloak and Nextcloud OIDC app
|
||||
- **Testing**:
|
||||
- ✅ **Automated test**: `tests/server/oauth/test_keycloak_external_idp.py::test_keycloak_service_account_token_acquisition`
|
||||
- ✅ **Manual test**: `tests/manual/test_token_exchange.py`
|
||||
- **Supported Providers**:
|
||||
- ✅ **Keycloak** (external IdP mode) - Fully tested and validated
|
||||
- ❌ **Nextcloud OIDC app** (integrated mode) - Not yet implemented (see app.py:631-635)
|
||||
- The `KeycloakOAuthClient` class is provider-agnostic and works with any OIDC provider
|
||||
- Extending support to Nextcloud OIDC app requires configuration/initialization only
|
||||
|
||||
**Trade-offs**:
|
||||
- ✅ Works with nearly all OIDC providers
|
||||
|
||||
Reference in New Issue
Block a user