Skip to content

test(e2e): cover OIDC/JWT claim -> dynamic key mapping#560

Merged
rickcrawford merged 1 commit into
mainfrom
rickcrawford/wor-1560-oidc-map-e2e
Jun 28, 2026
Merged

test(e2e): cover OIDC/JWT claim -> dynamic key mapping#560
rickcrawford merged 1 commit into
mainfrom
rickcrawford/wor-1560-oidc-map-e2e

Conversation

@rickcrawford

Copy link
Copy Markdown
Contributor

Closes the OIDC-map gap in the dynamic-key e2e (WOR-1560).

Boots the release binary with key_management.oidc_claim_map (claim_field: key_ref) plus a jwt auth provider on an AI origin whose upstream is a dead loopback port. Then:

  • mints a key capped at max_requests_per_minute: 1,
  • signs an HS256 JWT whose key_ref claim names that key,
  • asserts the first request passes the gate and the second is 429 — proving the verified JWT identity resolved to the key (no sk- bearer) and the key's rate limit was enforced through the OIDC mapping,
  • asserts a JWT signed with the wrong secret is 401 at the gate.

Verification: e2e is excluded from the required CI gate by project policy, so this is verified by a local run against a freshly built release binary (cargo test -p sbproxy-e2e --release --test key_oidc_map → 1 passed). The last WOR-1560 gap, cross-replica invalidation, needs a two-node mesh in the harness and is left as a follow-up.

Closes the OIDC-map gap in the dynamic-key e2e (WOR-1560). Boots the
release binary with key_management.oidc_claim_map plus a jwt auth provider
on an AI origin (dead upstream), mints a key capped at 1 rpm, then sends an
HS256 JWT whose key_ref claim names that key: the first request passes the
gate and the second is 429, proving the JWT identity resolved to the key and
its rate limit was enforced. A JWT signed with the wrong secret is 401 at the
gate.

Local only (e2e is excluded from the required CI gate). Verified green
against a freshly built release binary.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01X19S6eQzKKExZ9RUPAHuGy
@rickcrawford rickcrawford merged commit 5bbe8aa into main Jun 28, 2026
4 checks passed
@rickcrawford rickcrawford deleted the rickcrawford/wor-1560-oidc-map-e2e branch June 28, 2026 01:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant