spring-projects / spring-authorization-server

Spring Authorization Server
https://spring.io/projects/spring-authorization-server
Apache License 2.0

docs: example of testing pkce against split resource server #1600

Closed xenoterracide closed 2 months ago

xenoterracide commented 2 months ago

So I'd like to isolate this from a complete e2e example. I'm aware of that example, it's just kind of huge.

What I'd like is a lite example of "stub servers" that could be used to fake something like auth0. Mostly for "integration" testing to avoid exposing the real auth0 tokens. I don't want to use a real web browser to test that my configuration is correct, and stays that way.

Looking at #426 I need to go see if I ever figured it out as my last comment was about 30 seconds before my life went sideways. I don't think I actually did though.

jgrandja commented 2 months ago

@xenoterracide I don't understand what you are looking for? The heading says "testing pkce against split resource server" but PKCE is validated by the authorization server.

What I'd like is a lite example of "stub servers" that could be used to fake something like auth0. Mostly for "integration" testing to avoid exposing the real auth0 tokens

Are you just looking to standup an authorization server for integration testing purposes? If so, see gh-258

xenoterracide commented 2 months ago

Yes, partially, same use case. I had assumed this was a matter of documentation at this point.

My plan was to start a separate server which would avoid the bean conflict. Although I don't particularly have a problem with an in-JVM approach...

I could say that I also don't think this particular flow is simply documented. Maybe it's just me that I prefer my docs to exist largely as "curl"/raw HTTP instead of having to write a full frontend app in addition to my separated resource/IdP server (other examples also seem to be bundling these into one server). Note: I appreciate that example existing, it's just a lot to traverse to get to the simplest thing that can possibly work.

xenoterracide commented 2 months ago

What I'm looking for is something like these details (when using the defaults).

https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#replace-implicit-flow-with-pkce

One could argue that an example test of the server here might be enough, or at least a major step in the right direction.

https://docs.spring.io/spring-authorization-server/reference/guides/how-to-pkce.html

jgrandja commented 2 months ago

@xenoterracide See gh-258 as I provided an "UPDATE" to the integration test support forthcoming. There is a branch and link to an integration test that shows how to startup a Spring Authorization Server (with custom config) for integration testing purposes.

I'll close this as a duplicate.

xenoterracide commented 1 month ago

So what's wrong with this request?

DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "GET /oauth/authorize?client_id=client&scope=openid+profile+email&redirect_uri=http://localhost:3000&response_type=code&state=sUmww5GH&audience=http://localhost&response_mode=query&nonce=FVO5cA3&code_challenge=g0bA5&code_challenge_method=S256&auth0Client=eyJuY HTTP/1.1[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "Accept-Encoding: gzip, x-gzip, deflate[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "Host: localhost:39413[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "Connection: keep-alive[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "User-Agent: Apache-HttpClient/5.2.3 (Java/21.0.2)[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "[\r][\n]"

from what I can tell I'm calling with the correct parameters

I'm guessing it's the 3rd message

TRACE 3489088 - th.auth.OAuth2AuthorizationCodeRequestAuthenticationProvider : Retrieved registered client
TRACE 3489088 - th.auth.OAuth2AuthorizationCodeRequestAuthenticationProvider : Validated authorization code request parameters
TRACE 3489088 - th.auth.OAuth2AuthorizationCodeRequestAuthenticationProvider : Did not authenticate authorization code request since principal not authenticated

but explicitly in PKCE, /login happens AFTER /authorize. There are some things in there that aren't standard, but I'm not certain they should affect anything.
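The browser-free PKCE flow the thread keeps asking for, driven against a stub authorization server, as an added example that is not part of this issue or of Spring Authorization Server's code. It also shows what the last trace line ("principal not authenticated") means in practice: a request to the authorization endpoint without an authenticated session is answered with a redirect to the login page, so a scripted client has to log in first and carry the session cookie, then capture `code` from the `Location` header and redeem it at the token endpoint together with the `code_verifier`. The stub itself, its `/login` form, the `SESSION` cookie, the `client` / `http://localhost:3000` registration and the `user` / `password` credential are assumptions chosen for the demo; the `/oauth2/authorize` and `/oauth2/token` paths are Spring Authorization Server's defaults, which the request in the comment above does not use. The stub refuses authorization requests without an S256 challenge, makes codes single-use, and rejects a verifier that does not hash to the committed challenge.

```python
import base64, hashlib, http.client, json, secrets, threading, urllib.parse
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed demo values; a real integration test would take these from its own config.
CLIENT_ID, REDIRECT_URI = "client", "http://localhost:3000"
USERS = {"user": "password"}   # hypothetical resource-owner credential
SESSIONS, CODES = {}, {}       # session id -> username ; authorization code -> its PKCE binding
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

def s256(verifier):
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class StubAuthServer(BaseHTTPRequestHandler):
    """Just enough of an authorization server to exercise a PKCE client end to end."""
    def _send(self, status, headers, body=b""):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _json(self, status, obj):
        self._send(status, {"Content-Type": "application/json"}, json.dumps(obj).encode())

    def do_GET(self):   # authorization endpoint
        url = urllib.parse.urlsplit(self.path)
        q = dict(urllib.parse.parse_qsl(url.query))
        if url.path != "/oauth2/authorize":
            return self._json(404, {"error": "not_found"})
        jar = dict(p.strip().split("=", 1) for p in self.headers.get("Cookie", "").split(";") if "=" in p)
        if jar.get("SESSION") not in SESSIONS:
            return self._send(302, {"Location": "/login"})   # principal not authenticated: log in first
        if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
            return self._json(400, {"error": "invalid_request"})   # never redirect to an unvalidated URI
        resp = {"state": q.get("state", "")}
        if q.get("response_type") == "code" and q.get("code_challenge_method") == "S256" and q.get("code_challenge"):
            resp["code"] = secrets.token_urlsafe(24)
            CODES[resp["code"]] = {"challenge": q["code_challenge"], "redirect_uri": REDIRECT_URI}
        else:
            resp["error"] = "invalid_request"   # a request without a PKCE challenge is refused
        self._send(302, {"Location": REDIRECT_URI + "?" + urllib.parse.urlencode(resp)})

    def do_POST(self):   # login form and token endpoint
        form = dict(urllib.parse.parse_qsl(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()))
        if self.path == "/login":
            if USERS.get(form.get("username")) != form.get("password"):
                return self._json(401, {"error": "bad_credentials"})
            sid = secrets.token_urlsafe(16)
            SESSIONS[sid] = form["username"]
            return self._send(302, {"Location": "/", "Set-Cookie": "SESSION=%s; HttpOnly" % sid})
        if self.path == "/oauth2/token":
            entry = CODES.pop(form.get("code", ""), None)   # codes are single use
            if form.get("grant_type") != "authorization_code" or entry is None:
                return self._json(400, {"error": "invalid_grant"})
            if (form.get("redirect_uri") != entry["redirect_uri"]
                    or s256(form.get("code_verifier", "")) != entry["challenge"]):
                return self._json(400, {"error": "invalid_grant"})   # PKCE binding failed
            return self._json(200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"})
        self._json(404, {"error": "not_found"})

def start_stub():
    """Bind the stub to a free localhost port and serve it on a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), StubAuthServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def _call(addr, method, path, body=None, headers=None):
    conn = http.client.HTTPConnection(*addr)   # raw exchange: redirects are returned, not followed
    conn.request(method, path, body=body, headers=headers or {})
    r = conn.getresponse()
    return r.status, r.headers, r.read()

def run_pkce_flow(addr, login=True, verifier=None, sent_verifier=None):
    """Script the browser's side (login -> /oauth2/authorize -> /oauth2/token); returns (status, dict)."""
    headers = {}
    if login:
        form = urllib.parse.urlencode({"username": "user", "password": "password"})
        status, hdrs, body = _call(addr, "POST", "/login", form, FORM)
        if status != 302:
            return status, json.loads(body)
        headers["Cookie"] = hdrs["Set-Cookie"].split(";")[0]
    verifier = verifier or secrets.token_urlsafe(32)   # 43 base64url chars, valid per RFC 7636
    state = secrets.token_urlsafe(8)
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "response_type": "code", "scope": "openid",
              "state": state, "code_challenge": s256(verifier), "code_challenge_method": "S256"}
    status, hdrs, _ = _call(addr, "GET", "/oauth2/authorize?" + urllib.parse.urlencode(params), headers=headers)
    location = urllib.parse.urlsplit(hdrs.get("Location", ""))
    if location.path == "/login":   # the "principal not authenticated" case from the trace above
        return status, {"redirect": "/login"}
    resp = dict(urllib.parse.parse_qsl(location.query))
    if resp.get("state") != state or "code" not in resp:
        return status, resp
    form = urllib.parse.urlencode({"grant_type": "authorization_code", "code": resp["code"], "client_id": CLIENT_ID,
                                   "redirect_uri": REDIRECT_URI, "code_verifier": sent_verifier or verifier})
    status, _, body = _call(addr, "POST", "/oauth2/token", form, FORM)
    return status, json.loads(body)
```

Usage: `srv = start_stub()` then `run_pkce_flow(srv.server_address)` returns `(200, {...access_token...})`; with `login=False` it returns `(302, {"redirect": "/login"})`, the same outcome the trace above reports, and passing a `sent_verifier` that differs from the one whose challenge was committed returns `(400, {"error": "invalid_grant"})`. The client deliberately uses `http.client` rather than a redirect-following library so the `Location` headers that carry the state of the flow stay visible, which is also what makes the exchange readable as the raw HTTP the comments ask for.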