test(e2e): add OIDC E2E test variant with real Zitadel provider#2369
Open
test(e2e): add OIDC E2E test variant with real Zitadel provider#2369
Conversation
…e cleanup timeout - In users.spec.ts: add waitForURL after fill so nuqs async navigate completes before asserting filtered counts - In debug-bundle-page.ts: increase cleanup Promise.race timeout from 60s to 90s for slower CI environments Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add zitadel-setup.mjs that provisions a complete Zitadel v4 OIDC environment using testcontainers (PostgreSQL + API + Login + nginx proxy). Handles machine key auth, project/role/user creation, action scripts for group claims injection, and config rewriting. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extend shared E2E infrastructure with `needsZitadel` flag: - global-setup: Start Zitadel containers, rewrite Console config with real OIDC credentials, run backend as host process for localhost access - global-teardown: Clean up Zitadel proxy/login/API/DB containers - Consolidate container cleanup into data-driven loop Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add console-enterprise-oidc Playwright test variant that exercises the full browser OIDC login flow through a real Zitadel v4 identity provider. Tests cover: - Admin OIDC login (platform-admins group) with full UI access - Viewer OIDC login (analysts group) with read-only access - Denied access for users with no matching group binding - Unauthenticated user redirect to login page Uses shared loginViaOIDC helper for the Zitadel login flow (username → password → MFA skip → Console callback → overview redirect). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
|
||
| setup('authenticate viewer via OIDC', async ({ page }) => { | ||
| await loginViaOIDC(page, 'viewer-user'); | ||
| await page.context().storageState({ path: authFile }); |
| test('can view topic list page', async ({ page }) => { | ||
| await page.goto('/topics'); | ||
| // Viewer should see the topics page heading | ||
| await expect(page.getByRole('heading', { name: /topics/i })).toBeVisible({ timeout: 15_000 }); |
Contributor
There was a problem hiding this comment.
why would it take 15s to run?
Comment on lines
+37
to
+38
| // Handle any intermediate Zitadel screens (MFA setup, consent, etc.) | ||
| await page.waitForTimeout(1_000); |
Contributor
There was a problem hiding this comment.
is this why you mention optimistic queries?
Comment on lines
+43
to
+47
| // After OIDC callback, Console should either: | ||
| // 1. Redirect to /login with an error (token_exchange_failed, etc.) | ||
| // 2. Show permission denied on any page the user tries to access | ||
| // Wait for the redirect back to Console | ||
| await page.waitForURL('**/*', { timeout: 30_000 }); |
Contributor
There was a problem hiding this comment.
You can use .or() to check for different scenarios/paths that could occur
Comment on lines
+26
to
+28
| const createButton = page.getByTestId('create-topic-button'); | ||
| await expect(createButton).toBeVisible({ timeout: 15_000 }); | ||
| await createButton.click(); |
Contributor
There was a problem hiding this comment.
I know we have a lot of timeouts everywhere in the past already but the problem with having so many timeouts means we would make tests run longer even if they are already inherently broken. Ideally we should audit all our tests and try to find a better assertion whenever we have to reach out for timeouts. This is how tests can be made flaky unfortunately (not having proper assertions, what if this takes 16s?) but if we were to assert against a network request happening, a redirect, a URL search param, or some other action user could take, it would be more stable long term.
| for (const [key, label] of [ | ||
| ['sourceBackendId', 'source backend'], | ||
| ['backendId', 'backend'], | ||
| ['connectId', 'Kafka Connect'], |
Contributor
There was a problem hiding this comment.
is this only kafka connect or also potentially redpanda connect
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
zitadel-setup.mjs: provisions a complete Zitadel v4.13.1 OIDC environment (PostgreSQL + API + Login app + nginx proxy) using testcontainersglobal-setup.mjs/global-teardown.mjswithneedsZitadelflag for Zitadel container lifecycletest-variant-console-enterprise-oidcPlaywright variant with 11 tests covering:Test plan
npm run e2e-test:variant console-enterprise-oidc— 11/11 PASSconsole-enterprisevariant unaffected (needsZitadel defaults to false)Related
🤖 Generated with Claude Code