test(playwright): add nightly SAML session renewal coverage #27619
Covers OM's JWT refresh behavior for SAML sessions end-to-end against the local Keycloak fixture: silent refresh after expiry, concurrent 401s queuing behind a single refresh call, and forced re-login when the server-side SAML HttpSession is gone. Reuses the snapshot/restore mechanism and keycloak-azure-saml provider helper introduced in #27164; shortens samlConfiguration.security.tokenValidity to 10s so the suite observes multiple expiry cycles in <60s.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Adds a new Playwright nightly E2E spec to validate SAML session renewal behavior (silent JWT refresh, concurrent-401 coalescing, and forced re-login on server-side session loss) against the local Keycloak SAML fixture, and wires it into the existing nightly SSO workflow.
Changes:
- Introduces `SSORenewal.spec.ts` covering access-token refresh, refresh de-duplication, and session-loss relogin.
- Adds reusable helpers in `playwright/utils/sessionRenewal.ts` (TTL override, JWT exp decode, expiry wait, cookie clearing).
- Updates Playwright config + nightly workflow to include the new spec in the `sso-auth` nightly run.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| openmetadata-ui/src/main/resources/ui/playwright/utils/sessionRenewal.ts | Adds helpers to shorten SAML token validity and drive renewal-related assertions. |
| openmetadata-ui/src/main/resources/ui/playwright/e2e/Auth/SSORenewal.spec.ts | New nightly E2E coverage for SAML JWT refresh + forced relogin scenarios. |
| openmetadata-ui/src/main/resources/ui/playwright.config.ts | Includes the new spec in the sso-auth project and excludes it from default runs. |
| .github/workflows/playwright-sso-login-nightly.yml | Executes the new renewal spec alongside the existing SSO login spec on the nightly workflow. |
…Renewal.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
🟡 Playwright Results — all passed (17 flaky)
✅ 3694 passed · ❌ 0 failed · 🟡 17 flaky · ⏭️ 89 skipped
🟡 17 flaky test(s) (passed on retry)
How to debug locally
```bash
# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip # view trace
```
page.reload() remounts React and re-races the axios interceptor setup in AuthProvider — the useEffect that wires authenticatorRef.renewIdToken onto TokenService has a ref-typed dependency that doesn't reliably re-run, so the first 401 after reload sometimes finds renewToken=null and the interceptor silently logs the user out instead of refreshing. Click the Explore sidebar link instead. The click triggers authenticated API calls while staying inside the already-mounted React tree, so the interceptor always reaches the wired TokenService. Spec now passes 10/10 locally. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
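The three renewal outcomes the spec covers (one refresh shared by concurrent 401s, re-login when the refresh is rejected) together with the failure mode in the commit message above (a 401 arriving while no renewal callback is wired), as an added TypeScript sketch. It is not OpenMetadata's interceptor code; `RenewalGate`, `Outcome` and `simulate` are hypothetical names and the refresher is a stand-in for the real renewal call.

```typescript
// Added illustration, not OpenMetadata code. RenewalGate, Outcome and
// simulate are hypothetical names; the refresher stands in for the renewal call.
type Refresher = () => Promise<string>;
type Outcome = { kind: 'retried'; token: string } | { kind: 'relogin' };

class RenewalGate {
  refreshCalls = 0;
  private inFlight: Promise<string> | null = null;
  private refresher: Refresher | null;

  constructor(refresher: Refresher | null) {
    this.refresher = refresher;
  }

  // Invoked once per request that came back 401.
  async on401(): Promise<Outcome> {
    const refresher = this.refresher;
    if (refresher === null) {
      // Renewal callback never wired: no silent refresh is possible.
      return { kind: 'relogin' };
    }
    let pending = this.inFlight;
    if (pending === null) {
      // First 401 of this expiry cycle starts the only refresh call.
      this.refreshCalls += 1;
      pending = refresher().then(
        (token) => { this.inFlight = null; return token; },
        (err) => { this.inFlight = null; throw err; }
      );
      this.inFlight = pending;
    }
    try {
      // Later 401s wait on the same promise, then retry with its token.
      return { kind: 'retried', token: await pending };
    } catch {
      // Refresh rejected (server-side session gone): force a fresh login.
      return { kind: 'relogin' };
    }
  }
}

// Constructed scenario: n requests all receive a 401 in the same tick.
async function simulate(n: number, refresher: Refresher | null) {
  const gate = new RenewalGate(refresher);
  const hits: Promise<Outcome>[] = [];
  for (let i = 0; i < n; i++) hits.push(gate.on401());
  const outcomes = await Promise.all(hits);
  return { refreshCalls: gate.refreshCalls, kinds: outcomes.map((o) => o.kind) };
}
```

A gate built with `null` models the unwired case: it never attempts a refresh, which is the silent logout the commit message describes.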
| test.skip( | ||
| providerType !== SUPPORTED_PROVIDER || !username || !password, | ||
| `${SSO_ENV.PROVIDER_TYPE}=${SUPPORTED_PROVIDER} + ${SSO_ENV.USERNAME} + ${SSO_ENV.PASSWORD} must be set` | ||
| ); |
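Review bot: The `test.skip` condition treats a provider mismatch and a missing `username` or `password` the same way, so a nightly run whose credentials are unset skips the whole renewal suite and still reports green. Consider skipping only when `providerType !== SUPPORTED_PROVIDER` and failing when the provider matches but a credential is empty, so a broken secret shows up as a failure rather than a skip.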
Do we need this skip?
Yes, the spec mutates the server's security config to a 10s SAML JWT TTL via withShortSamlTokenValidity. That's safe against the local Keycloak SAML container we boot in CI, but unsafe against the shared Okta tenant.
Okta is a public OIDC client, there's no server-side tokenValidity knob to mutate, the test can't lean on natural expiry; it has to mock OM API responses to inject 401s and observe Okta's renewal endpoint from the browser side. Happy to take that on as a follow-up.
||
| // Limited to the local Keycloak SAML fixture because the TTL override mutates | ||
| // shared security config and is too aggressive to point at the Okta tenant. | ||
| const SUPPORTED_PROVIDER = 'keycloak-azure-saml'; |
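Review bot: The comment above `SUPPORTED_PROVIDER` gives the reason for the restriction, but the gate it describes is only a provider-name match; nothing on these lines checks that the server under test is the local fixture. Consider pairing the constant with a check on the target before the TTL override runs, and mention that check in the comment.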
Why do we need to hardcode this?
Same reason as the skip above — SUPPORTED_PROVIDER is the gate that keeps the TTL override from being applied to anything other than the local Keycloak fixture.
Drop the redundant SSORenewal.spec.ts entry from the chromium project's testIgnore (already covered by **/Auth/**), pull serial-mode config out of the describe block, and stop duplicating the spec file list in the nightly workflow command (the sso-auth project's testMatch already lists both files). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Code Review ✅ Approved
Adds Playwright coverage for nightly SAML session renewal scenarios. No issues were found.
Summary
- `HttpSession` loss.
- `keycloak-azure-saml` provider helper introduced in test(playwright): add nightly SSO login spec starting #27164, and tightens `samlConfiguration.security.tokenValidity` to 10s so the suite observes multiple expiry cycles in under 60s.
- `playwright-sso-login-nightly.yml` so the renewal scenarios run on the nightly cadence alongside the existing SSO login spec.

Test plan
- `cd openmetadata-ui/src/main/resources/ui && yarn playwright:run playwright/e2e/Auth/SSORenewal.spec.ts`

🤖 Generated with Claude Code
Summary by Gitar
- `playwright-sso-login-nightly.yml` by removing explicit file listings.
- `playwright.config.ts` configuration and updated the test suite initialization in `SSORenewal.spec.ts` for improved stability.