Skip to content

test(verify): M4 — OAuth login via in-process mock OIDC#17

Merged
Bccorb merged 4 commits into
mainfrom
verify-oauth-m4
Jun 29, 2026
Merged

test(verify): M4 — OAuth login via in-process mock OIDC#17
Bccorb merged 4 commits into
mainfrom
verify-oauth-m4

Conversation

@Bccorb

@Bccorb Bccorb commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Adds M4 of the seamless verify harness: OAuth login via an in-process mock OIDC provider.
Full suite is 24/24 green (seamless verify).

New cases

  • api/oauthPOST /oauth/mock/start → follow the authorize redirect for the code →
    POST /oauth/mock/callback → session (token + refresh + sub).
  • adapter/oauth — same through the Express adapter; asserts the callback sets the session
    cookie (/users/me → 200).

Mock OIDC (verify/harness/mock-oidc.ts)

Minimal IdP started in global-setup: /authorize (mint a code + fresh user, redirect back),
/token (validate PKCE S256 + consume the code), /userinfo. The API only uses the
access token + userinfo (no id_token/JWKS), so that's all it needs.

Networking: the API calls token/userinfo server-side while the harness drives
/authorize, so the provider config splits URLs — authorizationUrl via localhost,
tokenUrl/userInfoUrl via host.docker.internal (+ an extra_hosts entry on auth-api).

Findings surfaced (filed, not blocking)

Bccorb added 2 commits June 29, 2026 10:45
- mock-oidc.ts: minimal OIDC IdP (/authorize, /token with PKCE S256, /userinfo),
  started in global-setup; the API reaches it via host.docker.internal, the harness
  drives /authorize via localhost.
- compose: a 'mock' OAUTH_PROVIDERS entry (+ oauth in LOGIN_METHODS, extra_hosts).
- oauthLogin flow helper (generic over api '' / adapter '/auth'): start -> follow the
  authorize redirect for the code -> callback -> session.
- api/oauth + adapter/oauth specs. Full suite 24/24.

React OAuth is deferred (the starter/SDK has no provider UI yet) per scope.
Drives the provider button -> IdP redirect -> /oauth/callback -> signed-in flow.
Green under --local against the local @seamless-auth/react OAuth UI; released-green
once that ships (seamless-auth-react#44) and the starter bumps to it.
@Bccorb

Bccorb commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Added a React browser OAuth case (react/oauth.spec.ts): seamless verify --local is now 25/25, exercising provider button → mock IdP redirect → /oauth/callback → signed in. It depends on the OAuth UI from fells-code/seamless-auth-react#44 and the config-defaults fix in fells-code/seamless-auth-api#50, so it is green under --local now and released-green once those land + the starter bumps (same rollout as the registration cases).

Bccorb added 2 commits June 29, 2026 11:20
Bump the adapter to @seamless-auth/express 0.6.0-beta.20260629083811 (latest beta,
includes the non-JSON-response fix). Drop the explicit OAuth provider JSON paths now
that the API applies the schema defaults (seamless-auth-api#50), so the harness config
relies on those defaults. Released and --local runs are both 25/25.
@Bccorb Bccorb merged commit df50baa into main Jun 29, 2026
@Bccorb Bccorb deleted the verify-oauth-m4 branch June 29, 2026 15:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant