Merge pull request #642 from crstrn13/token_introspect

Add test for token introspection.

Author: crstrn13

testsuite/kuadrant/policy/authorization/sections.py

@@ -15,8 +15,9 @@
     Cache,
     ResourceAttributes,
 )
+from testsuite.oidc.keycloak import Keycloak
 from testsuite.utils import asdict
-from testsuite.kubernetes import modify, Selector
+from testsuite.kubernetes import modify, Selector, KubernetesObject
 
 if TYPE_CHECKING:
     from .auth_config import AuthConfig
@@ -172,6 +173,21 @@ def add_plain(self, name, auth_json, **common_features):
         """Adds plain identity"""
         self.add_item(name, {"plain": asdict(ValueFrom(auth_json))}, **common_features)
 
+    @modify
+    def add_oauth2_introspection(self, name: str, keycloak: Keycloak, client_secret: KubernetesObject):
+        """Add introspection for tokens with keycloak and client credentials stored in secret"""
+        self.add_item(
+            name,
+            {
+                "oauth2Introspection": {
+                    "endpoint": f"{keycloak.server_url}/realms/{keycloak.realm_name}/protocol/openid-connect/token/"
+                    f"introspect",
+                    "tokenTypeHint": "requesting_party_token",
+                    "credentialsRef": {"name": client_secret.name()},
+                }
+            },
+        )
+
 
 class MetadataSection(Section):
     """Section which contains metadata configuration"""

testsuite/tests/singlecluster/authorino/metadata/test_token_introspect.py

@@ -0,0 +1,51 @@
+"""
+Test for checking I OAuth 2.0 access tokens (e.g. opaque tokens) for online user data and token validation in
+request-time.
+https://github.com/Kuadrant/authorino/blob/main/docs/user-guides/oauth2-token-introspection.md
+"""
+
+import pytest
+
+from testsuite.httpx.auth import HttpxOidcClientAuth
+
+pytestmark = [pytest.mark.authorino]
+
+
+@pytest.fixture(scope="module")
+def client_secret(create_client_secret, keycloak, blame):
+    """create the required secrets that will be used by Authorino to authenticate with Keycloak"""
+    return create_client_secret(blame("secret"), keycloak.client.auth_id, keycloak.client.secret)
+
+
+@pytest.fixture(scope="function")
+def _auth(oidc_provider):
+    return HttpxOidcClientAuth(oidc_provider.get_token, "authorization")
+
+
+@pytest.fixture(scope="module")
+def authorization(client_secret, authorization, keycloak):
+    """
+    On every request, Authorino will try to verify the token remotely with the Keycloak server with the introspect
+    endpoint. It's credentials are referenced from the secret created before.
+    """
+    authorization.identity.add_oauth2_introspection("default", keycloak, client_secret)
+    return authorization
+
+
+def test_no_token(client):
+    """Test access with no auth"""
+    response = client.get("get")
+    assert response.status_code == 401
+
+
+def test_access_token(client, _auth):
+    """Tests auth with token granted from fixture"""
+    response = client.get("get", auth=_auth)
+    assert response.status_code == 200
+
+
+def test_revoked_token(client, _auth, keycloak):
+    """Revoke token by logging out and test if is unauthorized"""
+    keycloak.oidc_client.logout(_auth.token.refresh_token)
+    response = client.get("get", auth=_auth)
+    assert response.status_code == 401