test(oidc): add comprehensive PKCE test coverage with improved diagnostics (PROJQUAY-9281)
Add extensive test suite for PKCE (Proof Key for Code Exchange) functionality
across multiple layers of the application:
Test Coverage:
- Core PKCE utilities (code_verifier generation, S256 challenge computation)
- OAuth base class integration with PKCE parameters
- OIDC service with PKCE fixtures and authorization scenarios
- Dedicated PKCE flow testing (S256/plain methods, public client support)
- API endpoint integration for user PKCE operations
- Login flow integration with session-based verifier storage
Features Tested:
- S256 and plain code challenge methods
- Public client support (omitting client_secret)
- Session-based code_verifier storage and retrieval
- Error handling for missing/invalid verifiers
- Integration with existing OIDC authorization flows
- Descriptive assertion messages for CI diagnostics
All tests include informative error messages with expected vs actual values
to improve debugging in CI environments.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implement PKCE (Proof Key for Code Exchange) for OIDC authentication to enable
support for public clients and improve OAuth security.
Changes:
- Add oauth/pkce.py with code_verifier generation and S256/plain challenge methods
- Extend OAuthService to support extra auth/token params and public clients (no client_secret)
- Implement PKCE in OIDCLoginService with code_verifier token exchange
- Store PKCE verifier in session during auth initiation (endpoints/api/user.py)
- Add get_pkce_code_verifier() helper with defensive type checking
* Encapsulates pkce_enabled check and session data extraction
* Uses isinstance(data, dict) for safe type validation
* Centralizes logic across OAuth callbacks (callback, attach, cli)
- Include example Keycloak PKCE config in local-dev/stack/config.yaml
Security improvements:
- PKCE method validation to fail fast on invalid configuration
- Defensive session data validation in OAuth callbacks
- Explicit Content-Type headers for form-encoded OAuth requests
- Optimized non-verified JWT decode (skips unnecessary key fetching)
- Exponential backoff for token exchange retries (0.5s, 1.0s, 2.0s)
Configuration:
- PKCE is opt-in via USE_PKCE config (default: disabled)
- OIDC_SERVER must end with trailing slash
- Use host.containers.internal with podman for local dev
Co-authored-by: Claude <noreply@anthropic.com>
* oauth: Fallback to depricated_sub when sub has new value (PROJQUAY-9124)
Signed-off-by: harishsurf <hgovinda@redhat.com>
* Add test for rhsso backward compatability for deprecated_sub
* Address review comments
* Fix circular import
* Add additional tests for codecov
---------
Signed-off-by: harishsurf <hgovinda@redhat.com>
robots: Add robot federation for keyless auth (PROJQUAY-7652)
adds the ability to configure federated auth for robots by
using external OIDC providers. Each robot can be configured
to have multiple external OIDC providers as the source for
authentication.
* ui: add support for exposing quay UI as a dynamic plugin (PROJQUAY-3203)
* Introduces a new SSO JWT based auth for client side Oauth
* Adds a new entrypoint component for the UI without topnav and sidenav for plugin
* Adds webpack config to build dynamic plugin
Issue: https://issues.redhat.com/browse/PROJQUAY-1380
Changelog:
Added: OIDC login uses value of PREFERRED_URL_SCHEME when redirecting after successful authentication.
Testing:
Requires a custom external authentication OIDC provider to be configured and an installation to be behind a load balancer that is doing SSL termination.
Details:
Flask's url_for() function ignores the value of PREFERRED_URL_SCHEME which will break OAuth2 authentication because it requires redirecting to only HTTPS endpoints.
* Convert all Python2 to Python3 syntax.
* Removes oauth2lib dependency
* Replace mockredis with fakeredis
* byte/str conversions
* Removes nonexisting __nonzero__ in Python3
* Python3 Dockerfile and related
* [PROJQUAY-98] Replace resumablehashlib with rehash
* PROJQUAY-123 - replace gpgme with python3-gpg
* [PROJQUAY-135] Fix unhashable class error
* Update external dependencies for Python 3
- Move github.com/app-registry/appr to github.com/quay/appr
- github.com/coderanger/supervisor-stdout
- github.com/DevTable/container-cloud-config
- Update to latest mockldap with changes applied from coreos/mockldap
- Update dependencies in requirements.txt and requirements-dev.txt
* Default FLOAT_REPR function to str in json encoder and removes keyword assignment
True, False, and str were not keywords in Python2...
* [PROJQUAY-165] Replace package `bencode` with `bencode.py`
- Bencode is not compatible with Python 3.x and is no longer
maintained. Bencode.py appears to be a drop-in replacement/fork
that is compatible with Python 3.
* Make sure monkey.patch is called before anything else (
* Removes anunidecode dependency and replaces it with text_unidecode
* Base64 encode/decode pickle dumps/loads when storing value in DB
Base64 encodes/decodes the serialized values when storing them in the
DB. Also make sure to return a Python3 string instead of a Bytes when
coercing for db, otherwise, Postgres' TEXT field will convert it into
a hex representation when storing the value.
* Implement __hash__ on Digest class
In Python 3, if a class defines __eq__() but not __hash__(), its
instances will not be usable as items in hashable collections (e.g sets).
* Remove basestring check
* Fix expected message in credentials tests
* Fix usage of Cryptography.Fernet for Python3 (#219)
- Specifically, this addresses the issue where Byte<->String
conversions weren't being applied correctly.
* Fix utils
- tar+stream layer format utils
- filelike util
* Fix storage tests
* Fix endpoint tests
* Fix workers tests
* Fix docker's empty layer bytes
* Fix registry tests
* Appr
* Enable CI for Python 3.6
* Skip buildman tests
Skip buildman tests while it's being rewritten to allow ci to pass.
* Install swig for CI
* Update expected exception type in redis validation test
* Fix gpg signing calls
Fix gpg calls for updated gpg wrapper, and add signing tests.
* Convert / to // for Python3 integer division
* WIP: Update buildman to use asyncio instead of trollius.
This dependency is considered deprecated/abandoned and was only
used as an implementation/backport of asyncio on Python 2.x
This is a work in progress, and is included in the PR just to get the
rest of the tests passing. The builder is actually being rewritten.
* Target Python 3.8
* Removes unused files
- Removes unused files that were added accidentally while rebasing
- Small fixes/cleanup
- TODO tasks comments
* Add TODO to verify rehash backward compat with resumablehashlib
* Revert "[PROJQUAY-135] Fix unhashable class error" and implements __hash__ instead.
This reverts commit 735e38e3c1d072bf50ea864bc7e119a55d3a8976.
Instead, defines __hash__ for encryped fields class, using the parent
field's implementation.
* Remove some unused files ad imports
Co-authored-by: Kenny Lee Sin Cheong <kenny.lee@redhat.com>
Co-authored-by: Tom McKay <thomasmckay@redhat.com>
