chore: add a threat model #488

Workflow file for this run

.github/workflows/conformance.yml at 3e93b7a

	name: Conformance Checks

	permissions: {}

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	schedule:
	- cron: '55 11 * * 1'
	workflow_dispatch:

	jobs:
	build:
	if: ${{ github.repository == 'panva/node-oidc-provider' \|\| github.event_name == 'workflow_dispatch' }}
	uses: panva/.github/.github/workflows/build-conformance-suite.yml@main

	run:
	runs-on: ubuntu-latest
	needs:
	- build
	env:
	SUITE_BASE_URL: https://localhost.emobix.co.uk:8443
	SETUP: ${{ toJSON(matrix.setup) }}
	strategy:
	fail-fast: false
	matrix:
	setup:
	# OP Basic
	- plan: oidcc-basic-certification-test-plan

	# OP Hybrid
	- plan: oidcc-hybrid-certification-test-plan

	# OP Implicit
	- plan: oidcc-implicit-certification-test-plan

	# OP Dynamic
	- plan: oidcc-dynamic-certification-test-plan
	response_type: code
	- plan: oidcc-dynamic-certification-test-plan
	response_type: id_token
	- plan: oidcc-dynamic-certification-test-plan
	response_type: id_token token
	- plan: oidcc-dynamic-certification-test-plan
	response_type: code id_token
	- plan: oidcc-dynamic-certification-test-plan
	response_type: code token
	- plan: oidcc-dynamic-certification-test-plan
	response_type: code id_token token

	# RP-Initiated OP
	- plan: oidcc-rp-initiated-logout-certification-test-plan

	# Back-Channel OP
	- plan: oidcc-backchannel-rp-initiated-logout-certification-test-plan

	# FAPI 2.0 Security Profile Final
	- plan: fapi2-security-profile-final-test-plan
	client_auth_type: private_key_jwt
	sender_constrain: dpop
	openid: openid_connect
	- plan: fapi2-security-profile-final-test-plan
	client_auth_type: private_key_jwt
	sender_constrain: dpop
	openid: plain_oauth
	- plan: fapi2-security-profile-final-test-plan
	client_auth_type: private_key_jwt
	sender_constrain: mtls
	openid: openid_connect
	- plan: fapi2-security-profile-final-test-plan
	client_auth_type: private_key_jwt
	sender_constrain: mtls
	openid: plain_oauth
	- plan: fapi2-security-profile-final-test-plan
	client_auth_type: mtls
	sender_constrain: dpop
	openid: openid_connect
	- plan: fapi2-security-profile-final-test-plan
	client_auth_type: mtls
	sender_constrain: dpop
	openid: plain_oauth
	- plan: fapi2-security-profile-final-test-plan
	client_auth_type: mtls
	sender_constrain: mtls
	openid: openid_connect
	- plan: fapi2-security-profile-final-test-plan
	client_auth_type: mtls
	sender_constrain: mtls
	openid: plain_oauth

	# FAPI 2.0 Message Signing Final
	- plan: fapi2-message-signing-final-test-plan
	client_auth_type: private_key_jwt
	sender_constrain: dpop
	openid: openid_connect
	- plan: fapi2-message-signing-final-test-plan
	client_auth_type: private_key_jwt
	sender_constrain: dpop
	openid: plain_oauth
	- plan: fapi2-message-signing-final-test-plan
	client_auth_type: private_key_jwt
	sender_constrain: mtls
	openid: openid_connect
	- plan: fapi2-message-signing-final-test-plan
	client_auth_type: private_key_jwt
	sender_constrain: mtls
	openid: plain_oauth
	- plan: fapi2-message-signing-final-test-plan
	client_auth_type: mtls
	sender_constrain: dpop
	openid: openid_connect
	- plan: fapi2-message-signing-final-test-plan
	client_auth_type: mtls
	sender_constrain: dpop
	openid: plain_oauth
	- plan: fapi2-message-signing-final-test-plan
	client_auth_type: mtls
	sender_constrain: mtls
	openid: openid_connect
	- plan: fapi2-message-signing-final-test-plan
	client_auth_type: mtls
	sender_constrain: mtls
	openid: plain_oauth

	# FAPI 1.0 Advanced (Final)
	- plan: fapi1-advanced-final-test-plan
	fapi_auth_request_method: by_value
	client_auth_type: private_key_jwt
	fapi_response_mode: plain_response
	- plan: fapi1-advanced-final-test-plan
	fapi_auth_request_method: pushed
	client_auth_type: private_key_jwt
	fapi_response_mode: plain_response
	- plan: fapi1-advanced-final-test-plan
	fapi_auth_request_method: by_value
	client_auth_type: private_key_jwt
	fapi_response_mode: jarm
	- plan: fapi1-advanced-final-test-plan
	fapi_auth_request_method: pushed
	client_auth_type: private_key_jwt
	fapi_response_mode: jarm
	- plan: fapi1-advanced-final-test-plan
	fapi_auth_request_method: by_value
	client_auth_type: mtls
	fapi_response_mode: plain_response
	- plan: fapi1-advanced-final-test-plan
	fapi_auth_request_method: pushed
	client_auth_type: mtls
	fapi_response_mode: plain_response
	- plan: fapi1-advanced-final-test-plan
	fapi_auth_request_method: by_value
	client_auth_type: mtls
	fapi_response_mode: jarm
	- plan: fapi1-advanced-final-test-plan
	fapi_auth_request_method: pushed
	client_auth_type: mtls
	fapi_response_mode: jarm

	# FAPI RW-CIBA-ID1
	- plan: fapi-ciba-id1-test-plan
	client_auth_type: private_key_jwt
	ciba_mode: poll
	- plan: fapi-ciba-id1-test-plan
	client_auth_type: private_key_jwt
	ciba_mode: ping
	- plan: fapi-ciba-id1-test-plan
	client_auth_type: mtls
	ciba_mode: poll
	- plan: fapi-ciba-id1-test-plan
	client_auth_type: mtls
	ciba_mode: ping

	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Setup node
	uses: actions/setup-node@v4
	with:
	node-version: lts/*
	cache: 'npm'
	- run: npm clean-install
	- name: Run oidc-provider (OIDC)
	run: \|
	set -o pipefail
	node certification/oidc/docker > >(tee server.log) 2>&1 &
	echo "OIDC_PROVIDER_PID=$!" >> $GITHUB_ENV
	if: ${{ startsWith(matrix.setup.plan, 'oidcc') }}
	env:
	PORT: 3000
	DEBUG: oidc-provider:*
	ISSUER: https://172.17.0.1:3000
	NODE_TLS_REJECT_UNAUTHORIZED: 0
	- name: Run oidc-provider (FAPI)
	run: \|
	set -o pipefail
	node certification/fapi > >(tee server.log) 2>&1 &
	echo "OIDC_PROVIDER_PID=$!" >> $GITHUB_ENV
	if: ${{ startsWith(matrix.setup.plan, 'fapi') }}
	env:
	ISSUER: https://172.17.0.1:3000
	PORT: 3000
	DEBUG: oidc-provider:*
	NODE_OPTIONS: --tls-cipher-list="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384"
	NODE_TLS_REJECT_UNAUTHORIZED: 0
	- name: Load Cached Conformance Suite Build
	uses: actions/cache@v4
	id: cache
	with:
	path: ./conformance-suite
	key: ${{ needs.build.outputs.cache-key }}
	fail-on-cache-miss: true
	- name: Run Conformance Suite
	working-directory: ./conformance-suite
	env:
	COMPOSE_BAKE: true
	run: \|
	docker compose -f docker-compose-dev.yml up -d
	while ! curl -skfail https://localhost.emobix.co.uk:8443/api/runner/available >/dev/null; do sleep 2; done
	- name: Adjust configuration files for CI
	run: \|
	sed -i -e 's/op.panva.cz/172.17.0.1:3000/g' certification/oidc/plan.json
	sed -i -e 's/mtls.fapi.panva.cz/172.17.0.1:3000/g' certification/fapi/plan.json
	sed -i -e 's/fapi.panva.cz/172.17.0.1:3000/g' certification/fapi/plan.json
	- name: Run the plan
	run: npx mocha --timeout 0 --retries 1 certification/runner
	env:
	NODE_TLS_REJECT_UNAUTHORIZED: 0
	- name: Add server log to artifact
	if: ${{ failure() }}
	run: \|
	zip -ur ${{ env.EXPORT_FILE }} server.log
	- name: Upload test artifacts
	uses: actions/upload-artifact@v4
	with:
	path: export-*.zip
	name: certification html results idx(${{ strategy.job-index }})
	if-no-files-found: ignore
	if: ${{ always() }}
	- name: Stop Conformance Suite
	working-directory: ./conformance-suite
	env:
	COMPOSE_BAKE: true
	run: \|
	if [ -n "${{ env.OIDC_PROVIDER_PID }}" ]; then
	kill -SIGINT ${{ env.OIDC_PROVIDER_PID }} \|\| true
	fi
	docker compose -f docker-compose-dev.yml down
	sudo rm -rf mongo

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

chore: add a threat model #488

Workflow file

chore: add a threat model #488

Uh oh!

Workflow file for this run