test(e2e): negative-path Keycloak coverage #25
Merged
Closes T2.4 from misc/next-steps.md. Adds four negative-path tests against the real Keycloak demo stack so a regression in any security-critical denial path fails CI rather than production:
- TestKeycloakE2E_ConsentDenied — POST /consent action=deny redirects 302 to the registered redirect_uri with error=access_denied per RFC 6749 §4.1.2.1; IdP login is never reached.
- TestKeycloakE2E_ReplayedCode — a successful /token exchange consumes the authorization code; a second exchange with the same code is rejected as code_replay (RFC 6749 §4.1.2 MUST).
- TestKeycloakE2E_RefreshReuseRevokesFamily — original refresh replayed past REFRESH_RACE_GRACE_SEC rejects as refresh_reuse_detected; the rotated sibling subsequently rejects as refresh_family_revoked. Pins both rejection paths of the cascade in one test.
- TestKeycloakE2E_ResourceMismatch — /token with `resource` that does not identify this AS rejects as invalid_target per RFC 8707 §2.2.
CI workflow updated: -run pattern changed from a single hardcoded test name to ^TestKeycloakE2E so future negative tests land in the matrix without a workflow change.
Helpers extracted (newE2EClient, refreshExchange, postRefresh, extractConsentToken) so adding more negative cases is a copy-paste-and-tweak.
Threat-model rows 2/4/5 updated to reference the new tests.
Verified locally against the running demo stack: all five TestKeycloakE2E_* tests pass in ~3.2s total (the 3s sleep in the refresh-reuse test dominates).
CI workflow change
`-run` pattern changed from a hardcoded single-test name to `^TestKeycloakE2E` (with `-v`). Future negative tests don't need workflow changes — explicit comment in the workflow names the convention.
Threat-model
Rows 2 (active-IdP-session phishing), 4 (authorization-code replay), and 5 (refresh-token replay) now reference the corresponding e2e test names. The matrix stays the live audit artifact.
Verification
Verified locally against the running demo stack: all five `TestKeycloakE2E_*` tests pass in ~3.2s total. The 3s sleep in the refresh-reuse test dominates; the other four are sub-second.
Test plan
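The three /token denial paths the PR pins (code_replay, refresh_reuse_detected cascading into refresh_family_revoked, and invalid_target), written out as a small in-memory issuer so the order of the checks and the grace-window rule are visible without a running Keycloak stack. This is an added illustration, not the project's code or its e2e tests: the AuthServer type, the IssueCode/ExchangeCode/RefreshExchange functions, the Grace field standing in for REFRESH_RACE_GRACE_SEC, and the choice to answer an in-grace replay with the same successor token are all assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Rejection reasons, named after the error codes the e2e tests assert on.
var (
	ErrInvalidGrant  = errors.New("invalid_grant")
	ErrCodeReplay    = errors.New("code_replay")
	ErrRefreshReuse  = errors.New("refresh_reuse_detected")
	ErrFamilyRevoked = errors.New("refresh_family_revoked")
	ErrInvalidTarget = errors.New("invalid_target")
)
type refreshRecord struct {
	family    string
	rotatedAt time.Time // zero while this token is the family's current token
	successor string    // token minted when this one was rotated
}
// AuthServer is a hypothetical in-memory issuer that models only the denial paths.
type AuthServer struct {
	Issuer  string
	Grace   time.Duration    // stands in for REFRESH_RACE_GRACE_SEC
	Now     func() time.Time // injectable clock so tests need no real sleep
	codes   map[string]bool  // authorization code -> already consumed?
	refresh map[string]*refreshRecord
	revoked map[string]bool // family -> revoked?
	seq     int
}

func NewAuthServer(issuer string, grace time.Duration, now func() time.Time) *AuthServer {
	return &AuthServer{Issuer: issuer, Grace: grace, Now: now, codes: map[string]bool{},
		refresh: map[string]*refreshRecord{}, revoked: map[string]bool{}}
}

func (s *AuthServer) mint(prefix string) string {
	s.seq++
	return fmt.Sprintf("%s-%d", prefix, s.seq)
}
// IssueCode records a pending authorization code (what /authorize does after consent).
func (s *AuthServer) IssueCode(code string) { s.codes[code] = false }
// ExchangeCode is the authorization_code grant at /token: the resource must identify this
// AS (RFC 8707) and the code is single-use (RFC 6749 §4.1.2); a second use is code_replay.
func (s *AuthServer) ExchangeCode(code, resource string) (string, error) {
	if resource != "" && resource != s.Issuer {
		return "", ErrInvalidTarget
	}
	consumed, ok := s.codes[code]
	if !ok {
		return "", ErrInvalidGrant
	}
	if consumed {
		return "", ErrCodeReplay
	}
	s.codes[code] = true
	rt := s.mint("rt")
	s.refresh[rt] = &refreshRecord{family: s.mint("fam")}
	return rt, nil
}

// RefreshExchange rotates a refresh token. Replaying an already-rotated token within Grace
// is treated as a client retry and answered with the same successor (assumed race rule);
// replaying it after Grace is treated as theft and revokes the whole family, sibling included.
func (s *AuthServer) RefreshExchange(token string) (string, error) {
	rec, ok := s.refresh[token]
	if !ok {
		return "", ErrInvalidGrant
	}
	if s.revoked[rec.family] {
		return "", ErrFamilyRevoked
	}
	if rec.rotatedAt.IsZero() {
		next := s.mint("rt")
		s.refresh[next] = &refreshRecord{family: rec.family}
		rec.rotatedAt, rec.successor = s.Now(), next
		return next, nil
	}
	if s.Now().Sub(rec.rotatedAt) <= s.Grace {
		return rec.successor, nil
	}
	s.revoked[rec.family] = true
	return "", ErrRefreshReuse
}

func main() {
	now := time.Unix(1_700_000_000, 0) // fake clock instead of sleeping past Grace
	s := NewAuthServer("https://as.example", 3*time.Second, func() time.Time { return now })
	s.IssueCode("code-1")
	rt1, _ := s.ExchangeCode("code-1", s.Issuer)
	_, replay := s.ExchangeCode("code-1", s.Issuer)
	rt2, _ := s.RefreshExchange(rt1)
	now = now.Add(4 * time.Second)
	_, reuse := s.RefreshExchange(rt1)
	_, sibling := s.RefreshExchange(rt2)
	fmt.Println(replay, reuse, sibling) // code_replay refresh_reuse_detected refresh_family_revoked
}
```

Two ordering choices are deliberate and are assumptions of this sketch rather than facts about the project: the resource check runs before the code is consumed, so a mistargeted request does not burn a still-valid code, and the family-revoked check runs before the rotation logic, which is what makes the rotated sibling fail with refresh_family_revoked once the original's late replay has tripped reuse detection.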