mindersec / minder / 25334664832

04 May 2026 05:58PM UTC coverage: 60.442% (-0.1%) from 60.56%
push

github

web-flow
Generalize identity provider and implement OIDC discovery (#6265)

* feat(auth): generalize identity provider and implement OIDC discovery

This commit decouples Minder from Keycloak-specific paths by:
- Implementing OIDC discovery for identity server configuration.
- Defining the IdentityManager interface for administrative operations.
- Refactoring event synchronization and user management to use the new interface.
- Removing legacy Keycloak-specific configuration helpers.
- Updating tests to use the generalized IdentityManager mock.

* chore(auth): fix linting and unit test regressions in identity refactor

- Fix duplicate DeleteUser call in handlers_user.go
- Resolve linting issues (unused receivers, missing docs) in interface.go
- Update tests to properly inject MockIdentityManager

* chore(auth): fix linting and add missing unit/integration tests

* refactor(auth): address PR maintainer feedback for IdentityProviders

- Use zitadel/oidc generic client for openid configuration discovery
- OIDC issuer claim matches the discovered client issuer output
- Add missing GitHub IDs clarification
- Include TODOs about unused methods for tracking

* fix(auth): address additional code review feedback

- Fix strings.Contains on ErrNotFound
- Export auth.ErrNotFound
- Restore removed TODO in token handler
- Remove noop test to exclude from coverage as requested
- Discard unintentional metrics/version test commits
- Remove obsolete httptest.NewServer loops

* feat: Add ResolveFederated to auth interface for generic OIDC support

* fix: use issuer_claim for WWW-Authenticate header and accept dual issuer URLs in docker-compose

* style: fix gci formatting in keycloak files

36 of 167 new or added lines in 11 files covered. (21.56%)

1 existing line in 1 file now uncovered.

20396 of 33745 relevant lines covered (60.44%)

38.8 hits per line

Source File

/internal/auth/github.go (file coverage: 0.0)

Marked NEW in this build: the function signature, the ResolveFederated lookup, the ErrNotFound branch and the final return.
Marked uncovered (×): the function signature through `return "", err`, and the final return.

// SPDX-FileCopyrightText: Copyright 2023 The Minder Authors
// SPDX-License-Identifier: Apache-2.0

// Package auth contains the authentication logic for the control plane
package auth

import (
        "context"
        "errors"
        "fmt"
)

// GetUserForGitHubId looks up a user in the identity provider by their GitHub ID.
//
// If the user is found, it returns their subject suitable for use in
// the `sub` claim of a JWT, and in OpenFGA's user field. Note that this function may
// return a user of "" with no error if no users were found matching the GitHub ID.
func GetUserForGitHubId(ctx context.Context, idClient Resolver, ghUser int64) (string, error) {
        // look up the user in the identity provider
        id, err := idClient.ResolveFederated(ctx, "github", fmt.Sprintf("%d", ghUser))
        if err != nil {
                // If the user is not found, return an empty string and no error
                if errors.Is(err, ErrNotFound) {
                        return "", nil
                }
                return "", err
        }

        return id.UserID, nil
}
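
Review bot: The `errors.Is(err, ErrNotFound)` branch in GetUserForGitHubId returns `"", nil`, and every new line of the function is marked uncovered in this build, so nothing verifies that a missing user is kept distinct from a lookup failure. Add a unit test that drives a mock Resolver through the three outcomes (a match, ErrNotFound, and any other error). Since the doc comment says the result feeds the `sub` claim and OpenFGA's user field, callers should also be checked to treat the empty string as "no user" rather than passing it on as a subject.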