Integration Tests for Embedded Auth Server #3556

Merged
tgrunnagle merged 3 commits into main from auth-server_iss_234_2026-02-02
Feb 4, 2026

@tgrunnagle tgrunnagle commented Feb 2, 2026

Depends on #3541

Summary

Adds integration tests for the embedded authorization server to ensure OAuth/OIDC endpoints work correctly when integrated with the proxy runner and operate alongside MCP endpoints without conflict.

Related Issue: stacklok/stacklok-epics#234

Why This Change

The embedded auth server is a critical component that enables MCP clients to authenticate using standard OAuth 2.0 flows. Without integration tests, we risk:

  • Breaking OAuth/OIDC discovery endpoints that clients depend on for configuration
  • Introducing routing conflicts between auth endpoints and MCP endpoints
  • Resource leaks if cleanup isn't handled properly
  • Regressions in RFC 8707 (resource indicators) compliance required by MCP spec

What's Tested

OAuth/OIDC Compliance

  • Discovery endpoints return valid metadata (JWKS, OAuth AS Metadata, OIDC Discovery)
  • Authorization flow correctly redirects to upstream IDP
  • RFC 8707 resource parameter is enforced (required for MCP)
  • Dynamic Client Registration (RFC 7591) works correctly
  • Token endpoint properly rejects invalid requests

Runner Integration

  • Auth endpoints are mounted at correct URL prefixes
  • OAuth endpoints don't interfere with MCP endpoints
  • Auth server handles concurrent requests safely
  • Resources are cleaned up properly when runner stops

Configuration Validation

  • Missing required config (audiences, upstreams) produces clear errors
  • Invalid issuer URLs are rejected
  • Both ephemeral (dev mode) and file-based signing keys work

Test Approach

Tests use a mock upstream IDP rather than real OAuth providers to:

  • Enable parallel test execution without external dependencies
  • Provide deterministic, reproducible results
  • Allow testing edge cases and error conditions

Files Changed

test/integration/authserver/
├── authserver_integration_test.go    # Auth server functionality tests
├── runner_integration_test.go        # Runner integration tests
├── README.md                         # Test documentation
└── helpers/
    ├── authserver.go                 # Auth server test utilities
    ├── http_client.go                # OAuth client for testing flows
    └── mock_upstream.go              # Mock upstream IDP

+1,406 lines across 6 new files

Large PR Justification

  • All changes are part of one integration test suite
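
The approach described in this PR (a mock upstream IDP, an authorization request that must carry the RFC 8707 `resource` parameter, and a client that stops at the redirect), as an added example that is not code from the PR or the project. The handler name, the `/oauth/authorize` path, the audience URL and the direct 400 `invalid_target` response are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// newAuthorizeHandler is a hypothetical stand-in for an authorization endpoint.
// RFC 8707: "resource" must be an absolute URI with no fragment; here it must
// also equal the configured audience. Simplified: errors are a direct 400.
func newAuthorizeHandler(upstreamAuthURL, audience string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		res := r.URL.Query().Get("resource")
		u, err := url.Parse(res)
		if err != nil || !u.IsAbs() || u.Fragment != "" || res != audience {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"error":"invalid_target"}`)
			return
		}
		q := url.Values{"state": {r.URL.Query().Get("state")}}
		http.Redirect(w, r, upstreamAuthURL+"?"+q.Encode(), http.StatusFound)
	})
}

// probeAuthorize starts a mock upstream IDP and the handler above, sends one
// request without following redirects, and returns status and Location.
func probeAuthorize(resource string) (int, string, error) {
	upstream := httptest.NewServer(http.NotFoundHandler()) // mock IDP, never contacted
	defer upstream.Close()
	as := httptest.NewServer(newAuthorizeHandler(upstream.URL+"/authorize", "https://mcp.example.test/mcp"))
	defer as.Close()
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse // stop at the 302 so the caller can inspect it
	}}
	q := url.Values{"response_type": {"code"}, "client_id": {"test-client"}, "state": {"xyz"}}
	if resource != "" {
		q.Set("resource", resource)
	}
	resp, err := client.Get(as.URL + "/oauth/authorize?" + q.Encode())
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.Header.Get("Location"), nil
}

func main() { fmt.Println(probeAuthorize("https://mcp.example.test/mcp")) }
```

Because both servers bind to ephemeral local ports, cases built on `probeAuthorize` can run in parallel without external dependencies.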

@tgrunnagle tgrunnagle requested a review from jhrozek February 2, 2026 17:45
@github-actions github-actions bot added the size/XL Extra large PR: 1000+ lines changed label Feb 2, 2026
@github-actions github-actions bot left a comment

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.


This review will be automatically dismissed once you add the justification section.

codecov bot commented Feb 2, 2026

Codecov Report

❌ Patch coverage is 67.27273% with 54 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.54%. Comparing base (a82c591) to head (f0a7f57).
⚠️ Report is 30 commits behind head on main.

Files with missing lines | Patch % | Lines
test/integration/authserver/helpers/http_client.go | 64.21% | 18 Missing and 16 partials ⚠️
test/integration/authserver/helpers/authserver.go | 71.42% | 19 Missing and 1 partial ⚠️
Additional details and impacted files
@@           Coverage Diff            @@
##             main    #3556    +/-   ##
========================================
  Coverage   65.53%   65.54%            
========================================
  Files         405      408     +3     
  Lines       39678    40248   +570     
========================================
+ Hits        26004    26379   +375     
- Misses      11672    11808   +136     
- Partials     2002     2061    +59     

@tgrunnagle tgrunnagle changed the base branch from main to auth-server_issue-230b_2026-01-30 February 2, 2026 19:11
Base automatically changed from auth-server_issue-230b_2026-01-30 to main February 2, 2026 20:38
@tgrunnagle tgrunnagle force-pushed the auth-server_iss_234_2026-02-02 branch from 6f55550 to 9db2809 Compare February 2, 2026 20:40
@tgrunnagle tgrunnagle force-pushed the auth-server_iss_234_2026-02-02 branch from 9db2809 to 9c94f75 Compare February 2, 2026 23:26
@github-actions github-actions bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Feb 2, 2026
github-actions bot commented Feb 2, 2026

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

@github-actions github-actions bot dismissed their stale review February 2, 2026 23:27

Large PR justification has been provided. Thank you!

- Avoid `require` in helper functions for go-routine safety (thus did not add `c.tb.Helper()` to helpers)
- use `bytes.NewReader`
- remove README
- remove unused helper function
@github-actions github-actions bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Feb 4, 2026
@tgrunnagle tgrunnagle merged commit f41772b into main Feb 4, 2026
35 checks passed
@tgrunnagle tgrunnagle deleted the auth-server_iss_234_2026-02-02 branch February 4, 2026 20:52