fix: resolve Postman test failures (OIDC URL, redirect URI, auth code skip)#8

Merged
stupidly-logical merged 1 commit into main from fix/postman-test-failures
Apr 4, 2026

Conversation

@stupidly-logical (Owner)

@stupidly-logical stupidly-logical commented Apr 4, 2026

Summary

  • Fix OIDC discovery URL typo — Postman collection used openid_configuration (underscore); Spring AS serves openid-configuration (hyphen per RFC 8414)
  • Register Postman redirect URI — Added https://oauth.pstmn.io/v1/callback to test-client so Postman's OAuth2 callback is accepted during manual auth code flow testing
  • Disable PKCE requirement on test-client (requireProofKey: false) so the auth code flow can be tested from Postman without a code challenge
  • Skip auth code / refresh token requests gracefully — Added pm.execution.skipRequest() pre-request guards so these requests skip instead of fail when no authorization_code or refresh_token is present (they require a manual browser login step)

What's still open

Token introspection returning active: false immediately after a successful client credentials token issue is not yet fixed — it requires live server debugging (suggested: add TRACE logging on org.springframework.security.oauth2.server.authorization and inspect the save()/findByToken() call pair).

Test plan

  • Run the Postman collection — OIDC Configuration request should now return 200
  • Verify Exchange Code for Token and Refresh Access Token are skipped (not failed) in automated runs
  • Restart server, manually complete browser login, paste auth code into authorization_code env var, re-run collection — full auth code + refresh flow should succeed
  • Confirm token introspection behavior with TRACE logging enabled

🤖 Generated with Claude Code

- Fix OIDC discovery URL typo in Postman collection (openid_configuration
  → openid-configuration); the hyphenated path is what Spring AS serves
- Add https://oauth.pstmn.io/v1/callback to registered client redirect
  URIs so Postman's built-in OAuth2 callback is accepted
- Disable requireProofKey on test-client so the auth code flow can be
  tested from Postman without PKCE (development client only)
- Add pm.execution.skipRequest() guards to Exchange Code and Refresh
  Token requests so they skip gracefully instead of failing when no
  authorization_code / refresh_token is available in the environment
  (these flows require a manual browser login step)

Introspection returning active=false for the client-credentials token
is not yet resolved — requires live server debugging to identify whether
the root cause is JDBC BLOB comparison, token persistence, or a stale
env variable.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
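The "skip instead of fail" guard the PR adds to the Exchange Code and Refresh Token requests, as an added example (not code from this PR or repository): the decision logic is a plain function so it can be run outside Postman, and a constructed stub stands in for the `pm` sandbox global; inside Postman the pre-request script would just call `guardRequest(pm, ['authorization_code'])`.

```javascript
// Added example, not from the PR. Postman pre-request guard: skip a request whose
// inputs (an env var such as authorization_code or refresh_token) are absent,
// instead of letting the token request fail in an automated collection run.

// Returns the names of the required environment variables that are absent or blank.
function missingVars(env, required) {
  return required.filter((name) => {
    const v = env.get(name);
    return v === undefined || v === null || String(v).trim() === '';
  });
}

// Pre-request guard. Returns true when the request was skipped via
// pm.execution.skipRequest(), false when all required variables are present.
function guardRequest(pm, required) {
  const missing = missingVars(pm.environment, required);
  if (missing.length === 0) return false;
  console.log(`Skipping "${pm.info.requestName}": missing ${missing.join(', ')}`);
  pm.execution.skipRequest();
  return true;
}

// Constructed stand-in for the Postman sandbox (only the members used above),
// so the guard can be exercised stand-alone with Node.
function makeStubPm(requestName, vars) {
  const store = new Map(Object.entries(vars));
  const pm = {
    info: { requestName },
    environment: { get: (k) => store.get(k) },
    execution: { skipRequest: () => { pm.skipped = true; } },
    skipped: false,
  };
  return pm;
}

// Stand-alone run: no auth code in the environment -> skipped; code present -> runs.
const noCode = makeStubPm('Exchange Code for Token', { client_id: 'test-client' });
const withCode = makeStubPm('Exchange Code for Token', { authorization_code: 'constructed-code' });
guardRequest(noCode, ['authorization_code']);   // logs a skip message
guardRequest(withCode, ['authorization_code']); // request proceeds
```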
@stupidly-logical stupidly-logical merged commit 1744246 into main Apr 4, 2026
2 checks passed