Skip to content

Token introspection verification & integration tests#4180

Draft
stevenvegt wants to merge 7 commits into4144-4-server-side-flowfrom
4144-5-introspection-and-integration
Draft

Token introspection verification & integration tests#4180
stevenvegt wants to merge 7 commits into4144-4-server-side-flowfrom
4144-5-introspection-and-integration

Conversation

@stevenvegt
Copy link
Copy Markdown
Member

@stevenvegt stevenvegt commented Apr 13, 2026
edited
Loading

Parent PRD

#4144

Implementation Spec

Overview

Final PR in the mixed OAuth2 scopes feature. Adds end-to-end integration tests that exercise the dynamic scope policy path with a real AuthZen HTTP client (via httptest.NewServer), validating the full HTTP roundtrip that mock-based unit tests skip over.

No production code changes.

Key files

  • auth/api/iam/integration_test.go (new) — E2E integration tests for dynamic scope policy

Design decisions

Scope narrowed during self-review. The spec suggested a broad set of integration tests covering all scope policies and introspection behavior. On review, many would duplicate existing unit tests or test trivial pointer pass-through. The final test suite is focused on what actually requires integration:

  • Real HTTP roundtrip for dynamic scope policy — exercises request serialization, response parsing, and end-to-end wiring that mock-based unit tests don't reach.
  • Security-critical path — PDP denying the credential profile scope over real HTTP.

Tests explicitly not included (and why):

  • HTTP 500 / network errors — already covered by policy/authzen/client_test.go
  • Profile-only / passthrough integration — already covered by s2s_vptoken_test.go unit tests
  • Multi-scope introspection — introspection is Scope: &token.Scope (pointer pass-through); no multi-scope logic exists
  • Backwards compatibility — no version-specific code path to test

Tests added

TestIntegration_DynamicScopePolicy_AuthZenEndToEnd — uses real authzen.Client pointing at httptest.NewServer:

  1. PDP approves all scopes — asserts the token contains all scopes AND that the HTTP request body had the correct shape over the wire (subject.type=organization, action.name=request_scope, context.policy, ordered evaluations)
  2. PDP partial denial — denied scopes excluded from the token
  3. PDP denies credential profile scope — request rejected with access_denied, no token issued

Deviations from original spec

  • Dropped 6 proposed test cases as duplicative or trivial (see design decisions)
  • Added access_denied integration test (originally not in spec but identified as security-critical during review)
  • Consolidated to 3 focused tests instead of 6

Acceptance Criteria

  • Integration tests cover the dynamic scope policy end-to-end (real HTTP)
  • Security-critical paths (access_denied) validated over real HTTP
  • Request serialization verified on the wire
  • No production code changes needed (confirmed: introspection passes token.Scope through unchanged)
  • Multi-scope introspection tests — dropped: no multi-scope-specific code exists to test
  • Profile-only/passthrough integration tests — dropped: covered by existing unit tests

@qltysh
Copy link
Copy Markdown

qltysh bot commented Apr 13, 2026
edited
Loading

Qlty


Coverage Impact

⬇️ Merging this pull request will decrease total coverage on 4144-4-server-side-flow by 0.01%.

🚦 See full report on Qlty Cloud »

🛟 Help

  • Diff Coverage: Coverage for added or modified lines of code (excludes deleted files). Learn more.

  • Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage. Learn more.

  • File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)

    • Indirect Changes: Changes to File Coverage for files that were not modified in this PR. Learn more.

@stevenvegt stevenvegt mentioned this pull request Apr 13, 2026
Open
@stevenvegt stevenvegt linked an issue Apr 13, 2026 that may be closed by this pull request
Support mixed OAuth2 scopes with configurable scope policy #4144
Open
@stevenvegt stevenvegt force-pushed the 4144-4-server-side-flow branch from 485a64b to de5213b Compare April 16, 2026 12:40
stevenvegt and others added 7 commits April 16, 2026 14:44
@stevenvegt
Initialize branch for PR
0a236af
@stevenvegt
Initialize branch for PR
358de07
@stevenvegt
Initialize branch for PR
50d47ff
@stevenvegt @claude
Add end-to-end integration tests for dynamic scope policy
85a3e06 
Exercises the server-side token handler with a real AuthZen HTTP client
talking to an httptest server. Unlike unit tests that mock the evaluator,
this validates the full HTTP roundtrip: request serialization, response
parsing, and error propagation.

Tests cover: PDP approves all, partial denial, HTTP 500 error.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@stevenvegt @claude
Add introspection tests for multi-scope tokens
28f442b 
Verify that tokens with space-delimited scope strings (from multi-scope
requests) are returned unchanged via both IntrospectAccessToken and
IntrospectAccessTokenExtended. Also cover backwards compatibility for
single-scope legacy tokens.

No production code changes needed — the existing introspection passes
AccessToken.Scope through as-is, which correctly handles the OAuth2
space-delimited scope format.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@stevenvegt @claude
Add introspection test for claims on multi-scope dynamic tokens
08c3981 
Verifies that tokens issued via dynamic scope policy carry their
validated credential claims through to the introspection response as
AdditionalProperties, enabling resource servers to make authorization
decisions without re-processing VPs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@stevenvegt @claude
Apply self-review fixes: consolidate integration and introspection tests
828a1c1 
Drop tests that duplicated existing unit-test coverage or tested trivial
pointer pass-through:
- Remove HTTP-500 integration test (covered by authzen client tests)
- Remove multi-scope introspection tests (introspection is a pointer
  pass-through; no multi-scope-specific code exists)
- Remove backwards-compat introspection test (no compat code exists)
- Remove multi-scope claims introspection test (duplicates existing
  InputDescriptorConstraintIdMap test)

Add the security-critical path:
- PDP denies credential profile scope over real HTTP → access_denied

Use t.Cleanup for httptest server cleanup (proper subtest scoping).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@stevenvegt stevenvegt force-pushed the 4144-5-introspection-and-integration branch from bd9d5ca to 828a1c1 Compare April 16, 2026 14:23
@stevenvegt stevenvegt mentioned this pull request Apr 16, 2026
Open
22 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@woutslakhorst woutslakhorst Awaiting requested review from woutslakhorst woutslakhorst will be requested when the pull request is marked ready for review woutslakhorst is a code owner

@reinkrul reinkrul Awaiting requested review from reinkrul reinkrul will be requested when the pull request is marked ready for review reinkrul is a code owner

@gerardsn gerardsn Awaiting requested review from gerardsn gerardsn will be requested when the pull request is marked ready for review gerardsn is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support mixed OAuth2 scopes with configurable scope policy

1 participant

@stevenvegt