feat: add provider conformance fixtures and tests for identity resolution across providers #12
…tion across providers
Pull request overview
This PR adds a shared provider conformance testing setup to validate that identity normalization (and downstream access-policy evaluation) behaves consistently across Entra, Okta, and Auth0, using standardized JWT fixture data.
Changes:
- Added shared provider conformance fixtures (loader + JSON fixtures + notes) and linked them into multiple test projects.
- Introduced new conformance tests for provider adapters (CLI) and access-policy evaluation (auth core).
- Refactored `EntraAuthService` to support an injectable token resolver for deterministic testing.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/aria-cli/Services/EntraAuthService.cs | Adds injectable token resolver path for deterministic identity parsing in tests. |
| src/aria-cli/Aria.Cli.Tests/ProviderAdapterConformanceTests.cs | New conformance test ensuring each provider adapter produces the expected normalized identity from shared fixtures. |
| src/aria-cli/Aria.Cli.Tests/Aria.Cli.Tests.csproj | Links shared fixture code/data into CLI test output for execution-time loading. |
| src/aria-auth-core/TestFixtures/ProviderConformanceFixtures.cs | Adds reusable fixture loader and JWT builder for cross-provider conformance tests. |
| src/aria-auth-core/TestFixtures/provider-conformance-notes.txt | Documents intended normalization expectations for the shared fixtures. |
| src/aria-auth-core/TestFixtures/provider-conformance-fixtures.json | Adds standardized JWT claim fixtures and expected normalized identity contracts. |
| src/aria-auth-core/Aria.Auth.Core.Tests/Aria.Auth.Core.Tests.csproj | New test project for auth-core access-policy conformance validation. |
| src/aria-auth-core/Aria.Auth.Core.Tests/AccessPolicyConformanceTests.cs | New test ensuring access-policy evaluation is consistent across provider-normalized identities. |
| src/aria-auth-core/Aria.Auth.Core.csproj | Excludes test/fixture sources from the core library compilation. |
…s and normalization notes
@copilot apply changes based on the comments in this thread
…tra scopes
Agent-Logs-Url: https://github.com/aria-fx/aria/sessions/01cc60b0-c135-4b44-8deb-fa34d4fed350
Co-authored-by: jgarverick <2940856+jgarverick@users.noreply.github.com>
Applied the requested review-thread fixes in commit
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Josh Garverick <jgarverick@github.com>
|
|
||
| Assert.NotNull(identity); | ||
| Assert.Equal(fixture.Expected.Provider, identity!.Provider); | ||
| Assert.Equal(fixture.Expected.ObjectId, identity.ObjectId); | ||
| Assert.Equal(fixture.Expected.TenantId, identity.TenantId); | ||
| Assert.Equal(fixture.Expected.UserPrincipalName, identity.UserPrincipalName); | ||
|
|
||
| foreach (var group in fixture.Expected.Groups) | ||
| Assert.Contains(group, identity.Groups); | ||
|
|
||
| foreach (var role in fixture.Expected.Roles) | ||
| Assert.Contains(role, identity.Roles); | ||
| } | ||
| } | ||
|
|
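Review bot: The group and role checks above are one-directional. `foreach (var group in fixture.Expected.Groups) Assert.Contains(group, identity.Groups);` and the matching loop over `fixture.Expected.Roles` still pass when an adapter returns every expected entry plus extras. For an identity that feeds access-policy evaluation, an unexpected extra role or group is the failure that matters most, so compare the collections as sets (or at least assert that the counts match) so that a normalizer that over-grants fails the conformance test.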
| private static async Task<ResolvedIdentity?> ResolveOktaAsync(string token) | ||
| { | ||
| await EnvironmentVariableLock.WaitAsync(); | ||
| var previousToken = Environment.GetEnvironmentVariable("OKTA_ACCESS_TOKEN"); | ||
| Environment.SetEnvironmentVariable("OKTA_ACCESS_TOKEN", token); | ||
|
|
||
| try | ||
| { | ||
| var config = new AriaConfig | ||
| { | ||
| Okta = new OktaConfig | ||
| { | ||
| Enabled = true, | ||
| Issuer = "https://example.okta.com" | ||
| } | ||
| }; | ||
|
|
||
| var provider = new OktaIdentityProvider(); | ||
| return await provider.GetIdentityAsync(config); | ||
| } | ||
| finally | ||
| { | ||
| Environment.SetEnvironmentVariable("OKTA_ACCESS_TOKEN", previousToken); | ||
| EnvironmentVariableLock.Release(); | ||
| } |
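Review bot: In ResolveOktaAsync the semaphore is acquired and OKTA_ACCESS_TOKEN is read and overwritten before the `try` begins, so an exception thrown between `await EnvironmentVariableLock.WaitAsync();` and `try` leaves the lock held and blocks every later caller; move the get/set inside the `try`. The lock also only serializes callers that take EnvironmentVariableLock, while the variable is process-wide, so any other code in the test process that reads OKTA_ACCESS_TOKEN can observe the fixture token. This PR gives EntraAuthService an injectable token resolver; the same seam on OktaIdentityProvider would remove the environment mutation altogether.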
| <Project Sdk="Microsoft.NET.Sdk"> | ||
|
|
||
| <PropertyGroup> | ||
| <TargetFramework>net9.0</TargetFramework> | ||
| <ImplicitUsings>enable</ImplicitUsings> | ||
| <Nullable>enable</Nullable> | ||
| <IsPackable>false</IsPackable> | ||
| </PropertyGroup> | ||
|
|
||
| <ItemGroup> | ||
| <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" /> | ||
| <PackageReference Include="xunit" Version="2.9.2" /> | ||
| <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2" /> | ||
| </ItemGroup> | ||
|
|
||
| <ItemGroup> | ||
| <ProjectReference Include="../Aria.Auth.Core.csproj" /> | ||
| </ItemGroup> | ||
|
|
||
| <ItemGroup> | ||
| <Compile Include="../TestFixtures/ProviderConformanceFixtures.cs" Link="Shared/ProviderConformanceFixtures.cs" /> | ||
| <Content Include="../TestFixtures/provider-conformance-fixtures.json" Link="provider-conformance-fixtures.json" CopyToOutputDirectory="PreserveNewest" /> | ||
| <Content Include="../TestFixtures/provider-conformance-notes.txt" Link="provider-conformance-notes.txt" CopyToOutputDirectory="PreserveNewest" /> | ||
| </ItemGroup> |
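Review bot: The `<ProjectReference Include="../Aria.Auth.Core.csproj" />` and `../TestFixtures/...` paths place this test project and the fixture JWT builder inside the core library's own directory, so keeping them out of the shipped assembly depends entirely on the exclusion added to Aria.Auth.Core.csproj. Consider moving the tests and TestFixtures to a sibling directory, or adding a build-time check that the core assembly contains no ProviderConformanceFixtures type, so a later edit to that exclusion cannot silently compile test token-building code into the library.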
…semaphore
Agent-Logs-Url: https://github.com/aria-fx/aria/sessions/730ce815-f1e3-4c3b-862b-294e94adf60c
Co-authored-by: jgarverick <2940856+jgarverick@users.noreply.github.com>
@copilot apply changes based on the comments in this thread
Agent-Logs-Url: https://github.com/aria-fx/aria/sessions/fe0258e6-597d-486d-ae21-ae2004f46f3f
Co-authored-by: jgarverick <2940856+jgarverick@users.noreply.github.com>
Applied all review feedback in commit 98fd083:
All tests pass and validation is clean.
This pull request introduces a comprehensive, shared provider conformance test suite for identity normalization and access policy evaluation across multiple authentication providers (Entra, Okta, Auth0). It adds reusable test fixtures, standardized JSON fixture data, and shared logic to ensure that all supported providers produce consistent, normalized identity contracts used by access policy logic. The changes also refactor the `EntraAuthService` to support injectable token resolvers for improved testability.
Key changes include:
Shared Provider Conformance Test Infrastructure
- `ProviderConformanceFixtures.cs`, which provides a reusable loader and builder for provider-specific JWT fixtures and expected normalized identity results, and exposes normalization logic for use in tests.
- `provider-conformance-fixtures.json` and `provider-conformance-notes.txt` as standardized, documented test data and guidance for provider normalization expectations. [1] [2]
Test Coverage for Identity Normalization
- `AccessPolicyConformanceTests` in `Aria.Auth.Core.Tests`, which verifies that access policy evaluation produces consistent results across providers using the shared fixtures.
- `ProviderAdapterConformanceTests` in `Aria.Cli.Tests`, ensuring all provider adapters (Entra, Okta, Auth0) produce the expected normalized identity contract as defined in the shared fixtures.
Project and Build System Updates
- `Aria.Auth.Core.Tests` with references to shared fixtures and content, and updated `.csproj` files in both core and CLI test projects to include or exclude test fixture files as appropriate. [1] [2] [3]
Refactoring for Testability
- `EntraAuthService` to allow injection of a custom token resolver function, enabling deterministic testing with fixture JWTs. [1] [2]
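The normalized identity contract check this description refers to, as an added C# example that is not code from this pull request: it compares an adapter's output with a fixture's expected identity field by field and treats groups and roles as exact sets, so extra entries fail as well as missing ones. `IdentitySnapshot`, `ConformanceCheck` and the fixture values are hypothetical; only the property names follow the assertions shown in the thread.

```csharp
// Added example; IdentitySnapshot, ConformanceCheck and all values are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed record IdentitySnapshot(string Provider, string ObjectId, string TenantId,
    string UserPrincipalName, IReadOnlyCollection<string> Groups, IReadOnlyCollection<string> Roles);

public static class ConformanceCheck
{
    // One message per mismatch; an empty list means the adapter conforms.
    public static List<string> Diff(IdentitySnapshot expected, IdentitySnapshot? actual)
    {
        var errors = new List<string>();
        if (actual is null) { errors.Add("adapter returned no identity"); return errors; }
        void Scalar(string name, string want, string got)
        {
            if (!string.Equals(want, got, StringComparison.Ordinal))
                errors.Add($"{name}: expected '{want}', got '{got}'");
        }
        void Set(string name, IEnumerable<string> want, IEnumerable<string> got)
        {
            var w = new HashSet<string>(want, StringComparer.Ordinal);
            var g = new HashSet<string>(got, StringComparer.Ordinal);
            foreach (var m in w.Except(g)) errors.Add($"{name}: missing '{m}'");
            // Extras can satisfy a policy the fixture never granted.
            foreach (var x in g.Except(w)) errors.Add($"{name}: unexpected '{x}'");
        }
        Scalar("Provider", expected.Provider, actual.Provider);
        Scalar("ObjectId", expected.ObjectId, actual.ObjectId);
        Scalar("TenantId", expected.TenantId, actual.TenantId);
        Scalar("UserPrincipalName", expected.UserPrincipalName, actual.UserPrincipalName);
        Set("Groups", expected.Groups, actual.Groups);
        Set("Roles", expected.Roles, actual.Roles);
        return errors;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed fixture: the adapter output carries one role the fixture lacks.
        var expected = new IdentitySnapshot("okta", "00u-constructed", "tenant-constructed",
            "alice@example.com", new[] { "engineering" }, new[] { "reader" });
        var actual = expected with { Roles = new[] { "reader", "admin" } };
        foreach (var e in ConformanceCheck.Diff(expected, actual)) Console.WriteLine(e);
    }
}
```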