[PR #5234] [MERGED] auth/oidc: fix eager token fetch at startup, add validation and e2e tests #5195

Closed
opened 2026-05-05 14:56:30 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5234
Author: @fatedier
Created: 3/13/2026
Status: Merged
Merged: 3/15/2026
Merged by: @fatedier

Base: dev ← Head: new


📝 Commits (1)

  • ad23930 auth/oidc: fix eager token fetch at startup, add validation and e2e tests

📊 Changes

12 files changed (+885 additions, -35 deletions)

View changed files

📝 Release.md (+1 -0)
📝 client/service.go (+23 -12)
📝 client/service_test.go (+106 -0)
📝 pkg/auth/oidc.go (+52 -15)
📝 pkg/auth/oidc_test.go (+105 -7)
📝 pkg/config/v1/validation/client.go (+5 -0)
➕ pkg/config/v1/validation/oidc.go (+57 -0)
➕ pkg/config/v1/validation/oidc_test.go (+78 -0)
📝 pkg/util/http/server.go (+5 -1)
📝 pkg/vnet/controller.go (+3 -0)
➕ test/e2e/mock/server/oidcserver/oidcserver.go (+258 -0)
➕ test/e2e/v1/basic/oidc.go (+192 -0)

📄 Description

Summary

  • Fix startup regression from #5175: NewOidcAuthSetter no longer eagerly fetches a token at construction time. Instead, an oidcTokenSource wrapper defers the first fetch to SetLogin() inside loopLoginUntilSuccess(), so transient IdP outages no longer prevent the client from starting.
  • Add ValidateOIDCClientCredentialsConfig for early detection of misconfigured OIDC client credentials (missing clientID, invalid tokenEndpointURL, conflicting params).
  • Add OIDC e2e tests with a self-contained mock OIDC server (discovery + JWKS + token endpoint, zero external dependencies):
    • Basic OIDC client credentials authentication
    • HeartBeats scope with authenticated pings
    • Adaptive fallback when provider omits expires_in (with token request count assertion)
    • Rejection of invalid client credentials

Test plan

  • go test ./pkg/auth/... — unit tests pass (6 tests)
  • go test ./pkg/config/v1/validation/... — validation tests pass
  • golangci-lint run — 0 issues
  • make e2e --ginkgo.focus="Feature: OIDC" — 4 OIDC e2e tests pass
  • make e2e — full e2e suite passes (only pre-existing Ports Whitelist failure)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
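
The deferred-fetch pattern described in the summary, as an added Go sketch that is not frp's code: construction stores the fetcher without contacting the IdP, and a retrying login loop absorbs transient failures. The names `lazyTokenSource`, `loginUntilSuccess` and `flakyIdP` are hypothetical, and the constructed `flakyIdP` stands in for a real token endpoint.

```go
package main

import (
	"fmt"
	"sync"
)

// lazyTokenSource (hypothetical) defers the first fetch to the first Token() call.
// Token expiry and refresh are omitted from this sketch.
type lazyTokenSource struct {
	mu    sync.Mutex
	fetch func() (string, error) // stands in for the token-endpoint request
	token string
}

// Construction only stores the fetcher; it never contacts the IdP.
func newLazyTokenSource(f func() (string, error)) *lazyTokenSource {
	return &lazyTokenSource{fetch: f}
}

func (s *lazyTokenSource) Token() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.token == "" {
		tok, err := s.fetch()
		if err != nil {
			return "", err // failure is not cached; the login loop retries
		}
		s.token = tok
	}
	return s.token, nil
}

// loginUntilSuccess is a bounded stand-in for a retrying login loop.
func loginUntilSuccess(s *lazyTokenSource, limit int) (string, int, error) {
	for i := 1; i <= limit; i++ {
		if tok, err := s.Token(); err == nil {
			return tok, i, nil
		}
	}
	return "", limit, fmt.Errorf("IdP unavailable after %d attempts", limit)
}

// flakyIdP is a constructed IdP: it fails `failures` times, then issues a token.
type flakyIdP struct{ failures, calls int }

func (p *flakyIdP) fetch() (string, error) {
	if p.calls++; p.calls <= p.failures {
		return "", fmt.Errorf("connection refused")
	}
	return "constructed-token", nil
}

func main() {
	idp := &flakyIdP{failures: 2}
	fmt.Println(loginUntilSuccess(newLazyTokenSource(idp.fetch), 5))
}
```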

Reference: github-starred/frp#5195