miracl · tatiNo5 · Nov 12, 2025 · Nov 11, 2025
diff --git a/integration-tests/README.md b/integration-tests/README.md
@@ -10,20 +10,22 @@ The integration test defines some flags. Use the following command to see them.
 ### Setup
 
 The integration tests can be run directly with Go or with a Docker container.
-You must pass the app's credentials to the tests through environment
-variables as follows:
+You must pass your [MIRACL Trust Portal](https://trust.miracl.cloud) application's
+credentials to the tests through environment variables as follows:
 
 ``` bash
 export CLIENT_ID=<client-id>
 export CLIENT_SECRET=<client-secret>
+export PROJECT_DOMAIN=<project_domain>
 ```
 
 ### Run
 
 ```bash
 go test . \
   -client-id $CLIENT_ID \
-  -client-secret $CLIENT_SECRET
+  -client-secret $CLIENT_SECRET \
+  -project-domain $PROJECT_DOMAIN
 ```
 
 ### Build and run the test binary
@@ -32,7 +34,8 @@ go test . \
 go test -mod=vendor -c -o integration-tests .
 ./integration-tests \
   -client-id $CLIENT_ID \
-  -client-secret $CLIENT_SECRET
+  -client-secret $CLIENT_SECRET \
+  -project-domain $PROJECT_DOMAIN
 ```
 
 ### See flags
@@ -48,5 +51,6 @@ docker run \
   --network host \
   ghcr.io/miracl/oidc-samples/integration-tests:latest \
     --client-id $CLIENT_ID \
-    --client-secret $CLIENT_SECRET
+    --client-secret $CLIENT_SECRET \
+    --project-domain $PROJECT_DOMAIN
 ```
diff --git a/integration-tests/auth_utils.go b/integration-tests/auth_utils.go
@@ -71,7 +71,7 @@ func pass1Request(httpClient *http.Client, identity identity, proof []byte, scop
 
 	resp, err := makeRequest(
 		httpClient,
-		options.apiURL+"/rps/v2/pass1",
+		options.projectDomain+"/rps/v2/pass1",
 		"POST",
 		payload,
 	)
@@ -99,7 +99,7 @@ func pass2Request(httpClient *http.Client, identity identity, proof []byte, wid
 
 	resp, err := makeRequest(
 		httpClient,
-		options.apiURL+"/rps/v2/pass2",
+		options.projectDomain+"/rps/v2/pass2",
 		"POST",
 		payload,
 	)
@@ -123,7 +123,7 @@ func authenticateRequest(httpClient *http.Client, authOTT string) (authResponse
 
 	resp, err := makeRequest(
 		httpClient,
-		options.apiURL+"/rps/v2/authenticate",
+		options.projectDomain+"/rps/v2/authenticate",
 		"POST",
 		payload,
 	)
@@ -147,7 +147,7 @@ func accessRequest(httpClient *http.Client, webOTT string) (accessResponse *acce
 
 	resp, err := makeRequest(
 		httpClient,
-		options.apiURL+"/rps/v2/access",
+		options.projectDomain+"/rps/v2/access",
 		"POST",
 		payload,
 	)

diff --git a/integration-tests/main_test.go b/integration-tests/main_test.go
@@ -10,9 +10,8 @@ import (
 var options struct {
 	clientID        string
 	clientSecret    string
-	projectID       string
 	redirectURL     string
-	apiURL          string
+	projectDomain   string
 	sampleURL       string
 	proxyHost       string
 	proxyPort       string
@@ -23,11 +22,10 @@ var options struct {
 }
 
 func TestMain(m *testing.M) {
-	flag.StringVar(&options.clientID, "client-id", "", "the client id for the portal app")
-	flag.StringVar(&options.clientSecret, "client-secret", "", "the client secret for the portal app")
-	flag.StringVar(&options.projectID, "project-id", "", "the project id for the portal app")
-	flag.StringVar(&options.redirectURL, "redirect-url", "http://localhost:8000/login", "the redirect url from the portal app")
-	flag.StringVar(&options.apiURL, "api-url", "https://api.mpin.io", "the mpin api URL")
+	flag.StringVar(&options.clientID, "client-id", "", "the client id of your MIRACL Trust Portal application")
+	flag.StringVar(&options.clientSecret, "client-secret", "", "the client secret of your MIRACL Trust Portal application")
+	flag.StringVar(&options.redirectURL, "redirect-url", "http://localhost:8000/login", "the redirect url of your MIRACL Trust Portal application")
+	flag.StringVar(&options.projectDomain, "project-domain", "", "the project domain of your MIRACL Trust Portal application")
 	flag.StringVar(&options.sampleURL, "sample-url", "http://127.0.0.1:8000", "the sample URL")
 	flag.StringVar(&options.proxyHost, "proxy-host", "", "Sample's proxy HOST")
 	flag.StringVar(&options.proxyPort, "proxy-port", "", "Sample's proxy PORT")
@@ -38,6 +36,10 @@ func TestMain(m *testing.M) {
 
 	flag.Parse()
 
+	if options.projectDomain == "" {
+		fmt.Println("ERROR: project-domain is missing.\nUse -h flag to see all args.")
+	}
+
 	if options.clientSecret == "" && options.clientID == "" {
 		fmt.Println("ERROR: client-id and client-secret args are missing.\nUse -h flag to see all args.")
 		os.Exit(1)

diff --git a/integration-tests/register_utils.go b/integration-tests/register_utils.go
@@ -12,18 +12,18 @@ import (
 	"code.miracl.com/maas/maas/src/lib/gomiracl/wrap"
 )
 
-func createSession(httpClient *http.Client, userID string) (*sessionResponse, error) {
+func createSession(httpClient *http.Client, projectID, userID string) (*sessionResponse, error) {
 	sessionRequest := &struct {
 		ProjectID string `json:"projectId"`
 		UserID    string `json:"userId"`
 	}{
-		options.projectID,
+		projectID,
 		userID,
 	}
 
 	sessionResp, err := makeRequest(
 		httpClient,
-		options.apiURL+"/rps/v2/session",
+		options.projectDomain+"/rps/v2/session",
 		http.MethodPost,
 		sessionRequest,
 		header{Key: "Content-Type", Value: "application/json"})
@@ -40,9 +40,9 @@ func createSession(httpClient *http.Client, userID string) (*sessionResponse, er
 	return createSessionResponse, nil
 }
 
-func register(httpClient *http.Client, userID, deviceName string, pin int, accessID string) (i identity, err error) {
+func register(httpClient *http.Client, projectID, userID, deviceName string, pin int, accessID string) (i identity, err error) {
 	// Call to /verification endpoint.
-	verifyURL, err := verificationRequest(httpClient, userID, deviceName, accessID)
+	verifyURL, err := verificationRequest(httpClient, userID, deviceName, accessID, projectID)
 	if err != nil {
 		return identity{}, err
 	}
@@ -65,6 +65,28 @@ func register(httpClient *http.Client, userID, deviceName string, pin int, acces
 	return id, nil
 }
 
+func getProjectID(httpClient *http.Client) (projectID string, err error) {
+	resp, err := makeRequest(
+		httpClient,
+		options.projectDomain+"/.well-known/project-configuration",
+		"GET",
+		nil,
+	)
+	if err != nil {
+		return "", err
+	}
+
+	var projectResponse *struct {
+		ID string `json:"id"`
+	}
+
+	if err := json.Unmarshal(resp, &projectResponse); err != nil {
+		return "", err
+	}
+
+	return projectResponse.ID, nil
+}
+
 func newIdentity(httpClient *http.Client, userID, deviceName, accessID, activationToken string, pin int) (i identity, err error) {
 	// Call to /rps/v2/user endpoint.
 	regResponse, err := registerRequest(httpClient, userID, deviceName, accessID, activationToken)
@@ -103,7 +125,7 @@ func newIdentity(httpClient *http.Client, userID, deviceName, accessID, activati
 	}, nil
 }
 
-func verificationRequest(httpClient *http.Client, userID, deviceName, accessID string) (string, error) {
+func verificationRequest(httpClient *http.Client, userID, deviceName, accessID, projectID string) (string, error) {
 	clientIDAndSecret := options.clientID + ":" + options.clientSecret
 	authHeaderValue := "Basic " + b64.StdEncoding.EncodeToString([]byte(clientIDAndSecret))
 
@@ -115,7 +137,7 @@ func verificationRequest(httpClient *http.Client, userID, deviceName, accessID s
 		Delivery      string `json:"delivery"`
 		Authorization string `json:"-"`
 	}{
-		options.projectID,
+		projectID,
 		userID,
 		deviceName,
 		accessID,
@@ -125,7 +147,7 @@ func verificationRequest(httpClient *http.Client, userID, deviceName, accessID s
 
 	resp, err := makeRequest(
 		httpClient,
-		options.apiURL+"/verification",
+		options.projectDomain+"/verification",
 		"POST",
 		payload,
 		header{Key: "Authorization", Value: authHeaderValue},
@@ -158,7 +180,7 @@ func registerRequest(httpClient *http.Client, userID, deviceName, accessID, acti
 
 	resp, err := makeRequest(
 		httpClient,
-		options.apiURL+"/rps/v2/user",
+		options.projectDomain+"/rps/v2/user",
 		"PUT",
 		payload,
 		header{Key: "X-MIRACL-CID", Value: "mcl"},
@@ -180,7 +202,7 @@ var errInvalidSignatureResponse = errors.New("invalid signature response")
 func signatureRequest(httpClient *http.Client, mpinID, regOTT string) (*signatureResponse, error) {
 	resp, err := makeRequest(
 		httpClient,
-		fmt.Sprintf(options.apiURL+"/rps/v2/signature/%v?regOTT=%v", mpinID, regOTT),
+		fmt.Sprintf(options.projectDomain+"/rps/v2/signature/%v?regOTT=%v", mpinID, regOTT),
 		"GET",
 		nil,
 	)
@@ -239,7 +261,7 @@ func verificationConfirmation(httpClient *http.Client, userID, code string) (str
 
 	resp, err := makeRequest(
 		httpClient,
-		options.apiURL+"/verification/confirmation",
+		options.projectDomain+"/verification/confirmation",
 		"POST",
 		payload,
 	)

diff --git a/integration-tests/sample_test.go b/integration-tests/sample_test.go
@@ -23,7 +23,12 @@ func TestAuth(t *testing.T) {
 		},
 	}
 
-	sessionResponse, err := createSession(httpClient, userID)
+	projectID, err := getProjectID(httpClient)
+	if err != nil {
+		t.Fatalf("failed to get project configuration: %v", err.Error())
+	}
+
+	sessionResponse, err := createSession(httpClient, projectID, userID)
 	if err != nil {
 		t.Fatalf("failed to create session: %v", err.Error())
 	}
@@ -35,7 +40,7 @@ func TestAuth(t *testing.T) {
 
 	accessID := qrURL.Fragment
 
-	identity, err := register(httpClient, userID, deviceName, pin, accessID)
+	identity, err := register(httpClient, projectID, userID, deviceName, pin, accessID)
 	if err != nil {
 		t.Fatalf("Error registering: %v", err)
 	}
@@ -70,6 +75,11 @@ func TestValidateSignature(t *testing.T) {
 		},
 	}
 
+	projectID, err := getProjectID(httpClient)
+	if err != nil {
+		t.Fatalf("failed to get project configuration: %v", err.Error())
+	}
+
 	client := newSampleClient(options.sampleURL, httpClient)
 	client.restart(options.restarterHost, options.restarterPort, options.sampleName)
 
@@ -83,7 +93,7 @@ func TestValidateSignature(t *testing.T) {
 	deviceName := "The device of " + name
 	pin := randPIN()
 
-	sessionResponse, err := createSession(httpClient, userID)
+	sessionResponse, err := createSession(httpClient, projectID, userID)
 	if err != nil {
 		t.Fatalf("failed to create session: %v", err.Error())
 	}
@@ -95,7 +105,7 @@ func TestValidateSignature(t *testing.T) {
 
 	accessID := qrURL.Fragment
 
-	identity, err := register(httpClient, userID, deviceName, pin, accessID)
+	identity, err := register(httpClient, projectID, userID, deviceName, pin, accessID)
 	if err != nil {
 		t.Fatalf("Error registering: %v", err)
 	}
@@ -126,7 +136,7 @@ func modifySignatureHandler(w http.ResponseWriter, r *http.Request) {
 
 	defer r.Body.Close()
 
-	const jwksURI = "https://api.mpin.io:443/oidc/certs"
+	var jwksURI = options.projectDomain + "/oidc/certs"
 
 	originalRequestURL := r.Header.Get("X-Forwarded-Host")
 	if originalRequestURL == jwksURI {