feat(auth): add EntraId integration tests

- Add integration tests for token renewal and re-authentication flows
- Update credentials provider to use uniqueId as username instead of account username
- Add test utilities for loading Redis endpoint configurations
- Split TypeScript configs into separate files for samples and integration tests

Author: bobymicroby

packages/entraid/integration-tests/entraid-integration.spec.ts

@@ -0,0 +1,202 @@
+import { BasicAuth } from '@redis/authx';
+import { createClient } from '@redis/client';
+import { EntraIdCredentialsProviderFactory } from '../lib/entra-id-credentials-provider-factory';
+import { strict as assert } from 'node:assert';
+import { spy, SinonSpy } from 'sinon';
+import { randomUUID } from 'crypto';
+import { loadFromJson, RedisEndpointsConfig } from '@redis/test-utils/lib/cae-client-testing';
+import { EntraidCredentialsProvider } from '../lib/entraid-credentials-provider';
+
+describe('EntraID Integration Tests', () => {
+
+  it('client configured with client secret should be able to authenticate/re-authenticate', async () => {
+    const config = readConfigFromEnv();
+    await runAuthenticationTest(() =>
+      EntraIdCredentialsProviderFactory.createForClientCredentials({
+        clientId: config.clientId,
+        clientSecret: config.clientSecret,
+        authorityConfig: { type: 'multi-tenant', tenantId: config.tenantId },
+        tokenManagerConfig: {
+          expirationRefreshRatio: 0.0001
+        }
+      })
+    );
+  });
+
+  it('client configured with client certificate should be able to authenticate/re-authenticate', async () => {
+    const config = readConfigFromEnv();
+    await runAuthenticationTest(() =>
+      EntraIdCredentialsProviderFactory.createForClientCredentialsWithCertificate({
+        clientId: config.clientId,
+        certificate: {
+          privateKey: config.privateKey,
+          thumbprint: config.cert
+        },
+        authorityConfig: { type: 'multi-tenant', tenantId: config.tenantId },
+        tokenManagerConfig: {
+          expirationRefreshRatio: 0.0001
+        }
+      })
+    );
+  });
+
+  it('client with system managed identity should be able to authenticate/re-authenticate', async () => {
+    const config = readConfigFromEnv();
+    await runAuthenticationTest(() =>
+      EntraIdCredentialsProviderFactory.createForSystemAssignedManagedIdentity({
+        clientId: config.clientId,
+        authorityConfig: { type: 'multi-tenant', tenantId: config.tenantId },
+        tokenManagerConfig: {
+          expirationRefreshRatio: 0.0001
+        }
+      })
+    );
+  });
+
+  it('client with user managed system identity should be able to authenticate/re-authenticate', async () => {
+    const config = readConfigFromEnv();
+    await runAuthenticationTest(() =>
+      EntraIdCredentialsProviderFactory.createForUserAssignedManagedIdentity({
+        clientId: config.clientId,
+        userAssignedClientId : config.userAssignedManagedId,
+        authorityConfig: { type: 'multi-tenant', tenantId: config.tenantId },
+        tokenManagerConfig: {
+          expirationRefreshRatio: 0.0001
+        }
+      })
+    );
+  });
+
+  interface TestConfig {
+    clientId: string;
+    clientSecret: string;
+    authority: string;
+    tenantId: string;
+    redisScopes: string;
+    cert: string;
+    privateKey: string;
+    userAssignedManagedId: string;
+    endpoints: RedisEndpointsConfig;
+  }
+
+  const readConfigFromEnv = (): TestConfig => {
+    const requiredEnvVars = {
+      AZURE_CLIENT_ID: process.env.AZURE_CLIENT_ID,
+      AZURE_CLIENT_SECRET: process.env.AZURE_CLIENT_SECRET,
+      AZURE_AUTHORITY: process.env.AZURE_AUTHORITY,
+      AZURE_TENANT_ID: process.env.AZURE_TENANT_ID,
+      AZURE_REDIS_SCOPES: process.env.AZURE_REDIS_SCOPES,
+      AZURE_CERT: process.env.AZURE_CERT,
+      AZURE_PRIVATE_KEY: process.env.AZURE_PRIVATE_KEY,
+      AZURE_USER_ASSIGNED_MANAGED_ID: process.env.AZURE_USER_ASSIGNED_MANAGED_ID,
+      REDIS_ENDPOINTS_CONFIG_PATH: process.env.REDIS_ENDPOINTS_CONFIG_PATH
+    };
+
+    Object.entries(requiredEnvVars).forEach(([key, value]) => {
+      if (value == undefined) {
+        throw new Error(`${key} environment variable must be set`);
+      }
+    });
+
+    return {
+      endpoints: loadFromJson(requiredEnvVars.REDIS_ENDPOINTS_CONFIG_PATH),
+      clientId: requiredEnvVars.AZURE_CLIENT_ID,
+      clientSecret: requiredEnvVars.AZURE_CLIENT_SECRET,
+      authority: requiredEnvVars.AZURE_AUTHORITY,
+      tenantId: requiredEnvVars.AZURE_TENANT_ID,
+      redisScopes: requiredEnvVars.AZURE_REDIS_SCOPES,
+      cert: requiredEnvVars.AZURE_CERT,
+      privateKey: requiredEnvVars.AZURE_PRIVATE_KEY,
+      userAssignedManagedId: requiredEnvVars.AZURE_USER_ASSIGNED_MANAGED_ID
+    };
+  };
+
+  interface TokenDetail {
+    token: string;
+    exp: number;
+    iat: number;
+    lifetime: number;
+    uti: string;
+  }
+
+  const setupTestClient = (credentialsProvider: EntraidCredentialsProvider) => {
+    const config = readConfigFromEnv();
+    const client = createClient({
+      url: config.endpoints['standalone-entraid-acl'].endpoints[0],
+      credentialsProvider
+    });
+
+    const clientInstance = (client as any)._self;
+    const reAuthSpy: SinonSpy = spy(clientInstance, 'reAuthenticate');
+
+    return { client, reAuthSpy };
+  };
+
+  const runClientOperations = async (client: any) => {
+    const startTime = Date.now();
+    while (Date.now() - startTime < 1000) {
+      const key = randomUUID();
+      await client.set(key, 'value');
+      const value = await client.get(key);
+      assert.equal(value, 'value');
+      await client.del(key);
+    }
+  };
+
+  const validateTokens = (reAuthSpy: SinonSpy) => {
+    assert(reAuthSpy.callCount >= 1,
+      `reAuthenticate should have been called at least once, but was called ${reAuthSpy.callCount} times`);
+
+    const tokenDetails: TokenDetail[] = reAuthSpy.getCalls().map(call => {
+      const creds = call.args[0] as BasicAuth;
+      const tokenPayload = JSON.parse(
+        Buffer.from(creds.password.split('.')[1], 'base64').toString()
+      );
+
+      return {
+        token: creds.password,
+        exp: tokenPayload.exp,
+        iat: tokenPayload.iat,
+        lifetime: tokenPayload.exp - tokenPayload.iat,
+        uti: tokenPayload.uti
+      };
+    });
+
+    // Verify unique tokens
+    const uniqueTokens = new Set(tokenDetails.map(detail => detail.token));
+    assert.equal(
+      uniqueTokens.size,
+      reAuthSpy.callCount,
+      `Expected ${reAuthSpy.callCount} different tokens, but got ${uniqueTokens.size} unique tokens`
+    );
+
+    // Verify all tokens are not cached (i.e. have the same lifetime)
+    const uniqueLifetimes = new Set(tokenDetails.map(detail => detail.lifetime));
+    assert.equal(
+      uniqueLifetimes.size,
+      1,
+      `Expected all tokens to have the same lifetime, but found ${uniqueLifetimes.size} different lifetimes: ${[uniqueLifetimes].join(', ')} seconds`
+    );
+
+    // Verify that all tokens have different uti (unique token identifier)
+    const uniqueUti = new Set(tokenDetails.map(detail => detail.uti));
+    assert.equal(
+      uniqueUti.size,
+      reAuthSpy.callCount,
+      `Expected all tokens to have different uti, but found ${uniqueUti.size} different uti in: ${[uniqueUti].join(', ')}`
+    );
+  };
+
+  const runAuthenticationTest = async (setupCredentialsProvider: () => any) => {
+    const { client, reAuthSpy } = setupTestClient(setupCredentialsProvider());
+
+    try {
+      await client.connect();
+      await runClientOperations(client);
+      validateTokens(reAuthSpy);
+    } finally {
+      await client.destroy();
+    }
+  };
+
+});

packages/entraid/lib/entra-id-credentials-provider-factory.ts

@@ -72,9 +72,9 @@ export class EntraIdCredentialsProviderFactory {
    * @param params
    */
   static createForUserAssignedManagedIdentity(
-    params: CredentialParams
+    params: CredentialParams & { userAssignedClientId: string }
   ): EntraidCredentialsProvider {
-    return this.createManagedIdentityProvider(params, params.clientId);
+    return this.createManagedIdentityProvider(params, params.userAssignedClientId);
   }
 
   private static _createForClientCredentials(
@@ -101,7 +101,22 @@ export class EntraIdCredentialsProviderFactory {
     );
 
     return new EntraidCredentialsProvider(new TokenManager(idp, params.tokenManagerConfig), idp,
-      { onReAuthenticationError: params.onReAuthenticationError });
+      {
+        onReAuthenticationError: params.onReAuthenticationError,
+        credentialsMapper: (token) => {
+
+          // Client credentials flow is app-only authentication (no user context),
+          // so only access token is provided without user-specific claims (uniqueId, idToken, ...)
+          // this means that we need to extract the oid from the access token manually
+          const accessToken = JSON.parse(Buffer.from(token.accessToken.split('.')[1], 'base64').toString());
+
+          return ({
+            username: accessToken.oid,
+            password: token.accessToken
+          })
+
+        }
+      });
   }
 
   /**

packages/entraid/lib/entraid-credentials-provider.spec.ts

@@ -134,15 +134,15 @@ describe('EntraID CredentialsProvider Subscription Behavior', () => {
       private readonly tokenSequence: AuthenticationResult[] = [
         {
           accessToken: 'initial-token',
-          account: { username: 'test-user' }
+          uniqueId: 'test-user'
         } as AuthenticationResult,
         {
           accessToken: 'refresh-token-1',
-          account: { username: 'test-user' }
+          uniqueId: 'test-user'
         } as AuthenticationResult,
         {
           accessToken: 'refresh-token-2',
-          account: { username: 'test-user' }
+          uniqueId: 'test-user'
         } as AuthenticationResult
       ]
     ) {}

packages/entraid/lib/entraid-credentials-provider.ts

@@ -24,8 +24,8 @@ export class EntraidCredentialsProvider implements StreamingCredentialsProvider
   }> = [];
 
   constructor(
-    private readonly tokenManager: TokenManager<AuthenticationResult>,
-    private readonly idp: IdentityProvider<AuthenticationResult>,
+    public readonly tokenManager: TokenManager<AuthenticationResult>,
+    public readonly idp: IdentityProvider<AuthenticationResult>,
     options: {
       onReAuthenticationError?: (error: ReAuthenticationError) => void
       credentialsMapper?: (token: AuthenticationResult) => BasicAuth
@@ -34,7 +34,7 @@ export class EntraidCredentialsProvider implements StreamingCredentialsProvider
     this.onReAuthenticationError = options.onReAuthenticationError ??
       ((error) => console.error('ReAuthenticationError', error));
     this.credentialsMapper = options.credentialsMapper ?? ((token) => ({
-      username: token.account?.username ?? undefined,
+      username: token.uniqueId,
       password: token.accessToken
     }));
 
@@ -124,4 +124,8 @@ export class EntraidCredentialsProvider implements StreamingCredentialsProvider
     return this.listeners.size;
   }
 
+  public getTokenManager() {
+    return this.tokenManager;
+  }
+
 }

packages/entraid/package.json

@@ -11,7 +11,8 @@
   "scripts": {
     "clean": "rimraf dist",
     "build": "npm run clean && tsc",
-    "start:auth-pkce": "npm run build && node dist/samples/auth-code-pkce/index.js",
+    "start:auth-pkce": "tsx --tsconfig tsconfig.samples.json ./samples/auth-code-pkce/index.ts",
+    "test-integration": "mocha -r tsx --tsconfig tsconfig.integration-tests.json './integration-tests/**/*.spec.ts'",
     "test": "nyc -r text-summary -r lcov mocha -r tsx './lib/**/*.spec.ts'"
   },
   "dependencies": {

packages/entraid/tsconfig.integration-tests.json

@@ -0,0 +1,10 @@
+{
+  "extends": "./tsconfig.json",
+  "include": [
+    "./integration-tests/**/*.ts",
+    "./lib/**/*.ts"
+  ],
+  "compilerOptions": {
+    "noEmit": true
+  },
+}

packages/entraid/tsconfig.json

@@ -4,17 +4,14 @@
     "outDir": "./dist"
   },
   "include": [
-    "./samples/**/*.ts",
     "./lib/**/*.ts"
   ],
   "exclude": [
-    "./lib/test-utils.ts",
     "./lib/**/*.spec.ts",
-    "./lib/sentinel/test-util.ts"
+    "./lib/test-util.ts",
   ],
   "typedocOptions": {
     "entryPoints": [
-      "./index.ts",
       "./lib"
     ],
     "entryPointStrategy": "expand",

packages/entraid/tsconfig.samples.json

@@ -0,0 +1,10 @@
+{
+  "extends": "./tsconfig.json",
+  "include": [
+    "./samples/**/*.ts",
+    "./lib/**/*.ts"
+  ],
+  "compilerOptions": {
+    "noEmit": true
+  }
+}

packages/test-utils/lib/cae-client-testing.ts

@@ -0,0 +1,16 @@
+interface RawRedisEndpoint {
+  username?: string;
+  password?: string;
+  tls: boolean;
+  endpoints: string[];
+}
+
+export type RedisEndpointsConfig = Record<string, RawRedisEndpoint>;
+
+export function loadFromJson(jsonString: string): RedisEndpointsConfig {
+  try {
+    return JSON.parse(jsonString) as RedisEndpointsConfig;
+  } catch (error) {
+    throw new Error(`Invalid JSON configuration: ${error}`);
+  }
+}