test(openid-connect): stop logout tests from calling live IdPs #13608

Merged
AlinsRan merged 2 commits into apache:master from AlinsRan:test/openid-connect-deflake-auth0
Jun 26, 2026

@AlinsRan

Contributor

Description

t/plugin/openid-connect.t TEST 36 and TEST 38 fetch the OIDC discovery
document from the live samples.auth0.com / accounts.google.com
endpoints. On CI runners that cannot validate the upstream TLS certificate
this fails deterministically (it is environmental, reruns do not help):

    accessing discovery url (https://samples.auth0.com/.well-known/openid-configuration)
    failed: 20: unable to get local issuer certificate
    ... openid-connect exits with http status code 503

Example failure (linux_openresty t/plugin/[l-z]*.t bucket):
https://github.com/apache/apisix/actions/runs/28147860875/job/83374909107

This PR removes the external dependency by pointing both tests at the in-tree
mock discovery already served on 127.0.0.1:1980, so the logout flow is
exercised entirely locally:

  • TEST 36 keeps using the existing discovery document (no
    end_session_endpoint) and covers the redirect_after_logout_uri path.
  • TEST 38 uses a new mock endpoint that advertises an
    end_session_endpoint, covering the end_session_endpoint path which was
    previously not tested at all.

It also fixes the assertions. The old checks used
string.find(location, ...) ~= -1, which is always true (string.find
returns nil or a number, never -1), so the redirect target was never
actually validated — and string.find was treating the expected value as a
Lua pattern. The assertions now unescape the Location header and match with
a plain-text find, so they verify the real redirect (including the
percent-encoded post_logout_redirect_uri).

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change (test-only change)
  • I have updated the documentation to reflect this change (n/a)
  • I have verified that this change is backward compatible (test-only change)

TEST 36/38 fetched the discovery document from the live
samples.auth0.com / accounts.google.com endpoints. On CI runners that
cannot validate the upstream TLS certificate this fails deterministically:

  accessing discovery url
  (https://samples.auth0.com/.well-known/openid-configuration) failed:
  20: unable to get local issuer certificate

Point both tests at the in-tree mock discovery served on 127.0.0.1:1980
so the logout flow is exercised without any external dependency:

- TEST 36 keeps using the existing discovery document (no
  end_session_endpoint) and covers the redirect_after_logout_uri path.
- TEST 38 uses a new mock that advertises an end_session_endpoint and
  covers the end_session_endpoint path, which was previously untested.

Also fix the assertions: `string.find(loc, ...) ~= -1` is always true
(find returns nil or a number, never -1), so the redirect target was
never actually validated. They now unescape the Location header and
match with a plain-text find.
dosubot (bot) added the size:M and CI labels Jun 26, 2026
AlinsRan merged commit c24803a into apache:master Jun 26, 2026
19 checks passed
AlinsRan deleted the test/openid-connect-deflake-auth0 branch June 26, 2026 03:56
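
The assertion problem described in the PR description, shown as an added Lua example that is not code from the PR or from the APISIX test suite. The Location value, the example.test host names and the helpers `unescape`, `old_check` and `new_check` are constructed for illustration, and the pure-Lua decoder is an assumption standing in for whatever unescape call the real test uses.

```lua
-- Added example with constructed values; not taken from t/plugin/openid-connect.t.

-- Minimal percent-decoder so the example runs under plain Lua or LuaJIT.
local function unescape(s)
    return (s:gsub("%%(%x%x)", function(hex)
        return string.char(tonumber(hex, 16))
    end))
end

-- Old style: string.find returns nil or an index, never -1,
-- so this comparison is true for every input.
local function old_check(location, expected)
    return string.find(location, expected) ~= -1
end

-- Fixed style: decode the header, then search literally
-- (fourth argument true = plain find, no Lua pattern matching).
local function new_check(location, expected)
    return string.find(unescape(location), expected, 1, true) ~= nil
end

-- Constructed Location header for a logout redirect to an end_session_endpoint.
local location = "https://idp.example.test/logout"
    .. "?post_logout_redirect_uri=https%3A%2F%2Fapp.example.test%2Fafter-logout"

local expected = "https://idp.example.test/logout"
    .. "?post_logout_redirect_uri=https://app.example.test/after-logout"
local wrong = "https://elsewhere.example.test/"

-- The old assertion accepts a redirect target that is not in the header at all.
assert(old_check(location, wrong) == true)

-- The fixed assertion rejects the wrong target and accepts the real one.
assert(new_check(location, wrong) == false)
assert(new_check(location, expected) == true)

-- Without the plain flag, '?' and '-' in the expected URL act as pattern
-- operators, so the decoded header does not even match its own literal text.
assert(string.find(unescape(location), expected) == nil)

print("all checks behaved as described")
```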