Token introspection verification & integration tests #4180
Merged
stevenvegt merged 7 commits into feature/4144-mixed-scopes, Apr 24, 2026
Conversation
Exercises the server-side token handler with a real AuthZen HTTP client talking to an httptest server. Unlike unit tests that mock the evaluator, this validates the full HTTP roundtrip: request serialization, response parsing, and error propagation. Tests cover: PDP approves all, partial denial, HTTP 500 error. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Verify that tokens with space-delimited scope strings (from multi-scope requests) are returned unchanged via both IntrospectAccessToken and IntrospectAccessTokenExtended. Also cover backwards compatibility for single-scope legacy tokens. No production code changes needed — the existing introspection passes AccessToken.Scope through as-is, which correctly handles the OAuth2 space-delimited scope format. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Verifies that tokens issued via dynamic scope policy carry their validated credential claims through to the introspection response as AdditionalProperties, enabling resource servers to make authorization decisions without re-processing VPs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Drop tests that duplicated existing unit-test coverage or tested trivial pointer pass-through:

- Remove HTTP-500 integration test (covered by authzen client tests)
- Remove multi-scope introspection tests (introspection is a pointer pass-through; no multi-scope-specific code exists)
- Remove backwards-compat introspection test (no compat code exists)
- Remove multi-scope claims introspection test (duplicates existing InputDescriptorConstraintIdMap test)

Add the security-critical path:

- PDP denies credential profile scope over real HTTP → access_denied

Use t.Cleanup for httptest server cleanup (proper subtest scoping).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Base automatically changed from 4144-4-server-side-flow to feature/4144-mixed-scopes, April 24, 2026 12:35

**Parent PRD:** #4144

## Summary

Final PR in the mixed OAuth2 scopes feature. Adds focused end-to-end integration tests for the dynamic scope policy path: real `authzen.Client` calls, `httptest.NewServer` standing in for the PDP, validating the HTTP roundtrip that mock-based unit tests skip. No production code changes.
## What changed

- `auth/api/iam/integration_test.go` (new, +176): one `TestIntegration_DynamicScopePolicy_AuthZenEndToEnd` with three subtests, each wiring a real `authzen.Client` pointed at an `httptest.NewServer`:
  - `subject.type=organization`, `action.name=request_scope`, `context.policy`, evaluations in request order.
  - `token.Scope`.
  - `access_denied`, no token issued.
## How to review

Read the test doc comment first: it states explicitly what's not covered to avoid duplicating `policy/authzen/client_test.go` (HTTP errors, timeouts) and `s2s_vptoken_test.go` (VP validation, profile-only rejection). Then the three subtests. The `startPDP` helper both responds with canned decisions and captures the decoded request for post-call assertions. Subtest 1 is the only place where AuthZen request serialization is validated over the wire: evaluation order, `context.policy`, and `subject.type` all originate in code paths that unit tests mock past.
## Deviations from spec

- `policy/authzen/client_test.go`
- `s2s_vptoken_test.go`
- `token.Scope`; no multi-scope-specific logic
- `access_denied` integration (not in spec): identified as security-critical during self-review.
## Dependencies

Depends on: #4179 (server-side multi-scope flow), which provides `handleS2SAccessTokenRequest` and `PDPBackend.AuthZenEvaluator()` that these tests exercise. Transitively depends on #4176, #4177, #4178.

Review order: #4176 → #4177 → #4178 → #4179 → #4180. No new production API here, so the review value is confirming the scenarios are the right ones and the assertions catch what matters.
## Design context

- `subject.type = organization`

## Acceptance Criteria

- `token.Scope` through unchanged
- Multi-scope introspection tests: dropped, no multi-scope-specific code exists
- Profile-only/passthrough integration tests: dropped, covered by existing unit tests
- HTTP error / timeout integration tests: dropped, covered by `policy/authzen/client_test.go`

### Original implementation spec (used during AI-assisted development)
**Parent PRD:** #4144

#### Implementation Spec

**Overview**

Final PR in the mixed OAuth2 scopes feature. Adds end-to-end integration tests that exercise the dynamic scope policy path with a real AuthZen HTTP client (via `httptest.NewServer`), validating the full HTTP roundtrip that mock-based unit tests skip over. No production code changes.
**Key files**

- `auth/api/iam/integration_test.go` (new): E2E integration tests for dynamic scope policy

**Design decisions**
Scope narrowed during self-review. The spec suggested a broad set of integration tests covering all scope policies and introspection behavior. On review, many would duplicate existing unit tests or test trivial pointer pass-through. The final test suite is focused on what actually requires integration.

Tests explicitly not included (and why):

- `policy/authzen/client_test.go`
- `s2s_vptoken_test.go`
- unit tests
- `Scope: &token.Scope` (pointer pass-through); no multi-scope logic exists

**Tests added**
- `TestIntegration_DynamicScopePolicy_AuthZenEndToEnd`: uses real `authzen.Client` pointing at `httptest.NewServer`

**Deviations from original spec**

**Acceptance Criteria**

- `token.Scope` through unchanged
- Multi-scope introspection tests: dropped, no multi-scope-specific code exists to test
- Profile-only/passthrough integration tests: dropped, covered by existing unit tests
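The test shape the PR describes (a fake PDP behind `httptest.NewServer` that answers with canned decisions and records the decoded request, a client that sends one AuthZen evaluation per requested scope, partial denial narrowing the scope and a denied credential-profile scope producing `access_denied`) can be shown end to end in a few dozen lines. The block below is an added example, not code from this PR or from the project: it uses its own minimal AuthZen wire types, a `StartPDP` helper and a `RequestScopes` function that are hypothetical stand-ins for the project's `startPDP` and `handleS2SAccessTokenRequest`, and a `required` set as a stand-in for whatever the project treats as credential profile scopes. It also adds one check a reviewer would want that the page does not mention: a decision count that does not match the number of evaluations sent is treated as a failure, not as partial approval.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Minimal AuthZen "evaluations" wire shapes, assumed for this example only.
type (
	Subject    struct{ Type string `json:"type"`; ID string `json:"id"` }
	Action     struct{ Name string `json:"name"` }
	Resource   struct{ Type string `json:"type"`; ID string `json:"id"` }
	Evaluation struct{ Resource Resource `json:"resource"` }
	EvaluationsRequest struct {
		Subject     Subject        `json:"subject"`
		Action      Action         `json:"action"`
		Context     map[string]any `json:"context"`
		Evaluations []Evaluation   `json:"evaluations"`
	}
	Decision            struct{ Decision bool `json:"decision"` }
	EvaluationsResponse struct{ Evaluations []Decision `json:"evaluations"` }
)

// StartPDP (hypothetical stand-in for the PR's startPDP) answers every request with
// the canned decisions, in order, and records the decoded request. Caller closes srv.
func StartPDP(decisions []bool) (srv *httptest.Server, last func() *EvaluationsRequest) {
	var mu sync.Mutex
	var got *EvaluationsRequest
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req EvaluationsRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		mu.Lock()
		got = &req
		mu.Unlock()
		resp := EvaluationsResponse{Evaluations: make([]Decision, len(decisions))}
		for i, d := range decisions {
			resp.Evaluations[i] = Decision{Decision: d}
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(resp)
	}))
	return srv, func() *EvaluationsRequest { mu.Lock(); defer mu.Unlock(); return got }
}

// ErrAccessDenied is the outcome of the security-critical subtest: no token issued.
var ErrAccessDenied = errors.New("access_denied")

// RequestScopes models the dynamic scope policy path: one evaluation per requested
// scope with subject.type=organization, action.name=request_scope and context.policy.
// Denied optional scopes are dropped; a denied scope listed in required denies all.
func RequestScopes(pdpURL, orgID, policy string, requested []string, required map[string]bool) (string, error) {
	req := EvaluationsRequest{
		Subject: Subject{Type: "organization", ID: orgID},
		Action:  Action{Name: "request_scope"},
		Context: map[string]any{"policy": policy},
	}
	for _, s := range requested {
		req.Evaluations = append(req.Evaluations, Evaluation{Resource: Resource{Type: "scope", ID: s}})
	}
	body, _ := json.Marshal(req) // cannot fail for these plain struct types
	resp, err := http.Post(pdpURL+"/access/v1/evaluations", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("pdp returned HTTP %d", resp.StatusCode)
	}
	var out EvaluationsResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	// Fail closed: decisions map to scopes by position, so a count mismatch grants nothing.
	if len(out.Evaluations) != len(requested) {
		return "", fmt.Errorf("pdp returned %d decisions for %d scopes", len(out.Evaluations), len(requested))
	}
	var granted []string
	for i, d := range out.Evaluations {
		if d.Decision {
			granted = append(granted, requested[i])
		} else if required[requested[i]] {
			return "", ErrAccessDenied
		}
	}
	if len(granted) == 0 {
		return "", ErrAccessDenied
	}
	return strings.Join(granted, " "), nil
}
```

In a real subtest the `last()` capture is what makes the "approve all" case worth having: after the call, assert on `Subject.Type`, `Action.Name`, `Context["policy"]` and the order of `Evaluations`, which is exactly what the PR says mock-based unit tests skip. `http.Post` uses the default client with no timeout; that is acceptable against an in-process `httptest` server, but the real client should carry a timeout (the PR leaves timeout behaviour to `policy/authzen/client_test.go`).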