feat(auth): add EntraId integration tests

- Add integration tests for token renewal and re-authentication flows
- Update credentials provider to use uniqueId as username instead of account username
- Add test utilities for loading Redis endpoint configurations
- Split TypeScript configs into separate files for samples and integration tests

Author: bobymicroby

packages/authx/lib/token-manager.ts

@@ -105,7 +105,6 @@ export class TokenManager<T> {
    */
   public start(listener: TokenStreamListener<T>, initialDelayMs: number = 0): Disposable {
     if (this.listener) {
-      console.log('TokenManager is already running, stopping the previous instance');
       this.stop();
     }
 

packages/client/lib/client/index.ts

@@ -399,14 +399,12 @@ export default class RedisClient<
       onNext: credentials => {
         this.reAuthenticate(credentials).catch(error => {
           const errorMessage = error instanceof Error ? error.message : String(error);
-          console.error('Error during re-authentication', errorMessage);
           cp.onReAuthenticationError(new CredentialsError(errorMessage));
         });
 
       },
       onError: (e: Error) => {
         const errorMessage = `Error from streaming credentials provider: ${e.message}`;
-        console.error(errorMessage);
         cp.onReAuthenticationError(new UnableToObtainNewCredentialsError(errorMessage));
       }
     });

packages/entraid/integration-tests/entraid-integration.spec.ts

@@ -0,0 +1,202 @@
+import { BasicAuth } from '@redis/authx';
+import { createClient } from '@redis/client';
+import { EntraIdCredentialsProviderFactory } from '../lib/entra-id-credentials-provider-factory';
+import { strict as assert } from 'node:assert';
+import { spy, SinonSpy } from 'sinon';
+import { randomUUID } from 'crypto';
+import { loadFromJson, RedisEndpointsConfig } from '@redis/test-utils/lib/cae-client-testing';
+import { EntraidCredentialsProvider } from '../lib/entraid-credentials-provider';
+
+describe('EntraID Integration Tests', () => {
+
+  it('client configured with client secret should be able to authenticate/re-authenticate', async () => {
+    const config = readConfigFromEnv();
+    await runAuthenticationTest(() =>
+      EntraIdCredentialsProviderFactory.createForClientCredentials({
+        clientId: config.clientId,
+        clientSecret: config.clientSecret,
+        authorityConfig: { type: 'multi-tenant', tenantId: config.tenantId },
+        tokenManagerConfig: {
+          expirationRefreshRatio: 0.0001
+        }
+      })
+    );
+  });
+
+  it('client configured with client certificate should be able to authenticate/re-authenticate', async () => {
+    const config = readConfigFromEnv();
+    await runAuthenticationTest(() =>
+      EntraIdCredentialsProviderFactory.createForClientCredentialsWithCertificate({
+        clientId: config.clientId,
+        certificate: {
+          privateKey: config.privateKey,
+          thumbprint: config.cert
+        },
+        authorityConfig: { type: 'multi-tenant', tenantId: config.tenantId },
+        tokenManagerConfig: {
+          expirationRefreshRatio: 0.0001
+        }
+      })
+    );
+  });
+
+  it('client with system managed identity should be able to authenticate/re-authenticate', async () => {
+    const config = readConfigFromEnv();
+    await runAuthenticationTest(() =>
+      EntraIdCredentialsProviderFactory.createForSystemAssignedManagedIdentity({
+        clientId: config.clientId,
+        authorityConfig: { type: 'multi-tenant', tenantId: config.tenantId },
+        tokenManagerConfig: {
+          expirationRefreshRatio: 0.0001
+        }
+      })
+    );
+  });
+
+  it('client with user managed system identity should be able to authenticate/re-authenticate', async () => {
+    const config = readConfigFromEnv();
+    await runAuthenticationTest(() =>
+      EntraIdCredentialsProviderFactory.createForUserAssignedManagedIdentity({
+        clientId: config.clientId,
+        userAssignedClientId : config.userAssignedManagedId,
+        authorityConfig: { type: 'multi-tenant', tenantId: config.tenantId },
+        tokenManagerConfig: {
+          expirationRefreshRatio: 0.0001
+        }
+      })
+    );
+  });
+
+  interface TestConfig {
+    clientId: string;
+    clientSecret: string;
+    authority: string;
+    tenantId: string;
+    redisScopes: string;
+    cert: string;
+    privateKey: string;
+    userAssignedManagedId: string;
+    endpoints: RedisEndpointsConfig;
+  }
+
+  const readConfigFromEnv = (): TestConfig => {
+    const requiredEnvVars = {
+      AZURE_CLIENT_ID: process.env.AZURE_CLIENT_ID,
+      AZURE_CLIENT_SECRET: process.env.AZURE_CLIENT_SECRET,
+      AZURE_AUTHORITY: process.env.AZURE_AUTHORITY,
+      AZURE_TENANT_ID: process.env.AZURE_TENANT_ID,
+      AZURE_REDIS_SCOPES: process.env.AZURE_REDIS_SCOPES,
+      AZURE_CERT: process.env.AZURE_CERT,
+      AZURE_PRIVATE_KEY: process.env.AZURE_PRIVATE_KEY,
+      AZURE_USER_ASSIGNED_MANAGED_ID: process.env.AZURE_USER_ASSIGNED_MANAGED_ID,
+      REDIS_ENDPOINTS_CONFIG_PATH: process.env.REDIS_ENDPOINTS_CONFIG_PATH
+    };
+
+    Object.entries(requiredEnvVars).forEach(([key, value]) => {
+      if (value == undefined) {
+        throw new Error(`${key} environment variable must be set`);
+      }
+    });
+
+    return {
+      endpoints: loadFromJson(requiredEnvVars.REDIS_ENDPOINTS_CONFIG_PATH),
+      clientId: requiredEnvVars.AZURE_CLIENT_ID,
+      clientSecret: requiredEnvVars.AZURE_CLIENT_SECRET,
+      authority: requiredEnvVars.AZURE_AUTHORITY,
+      tenantId: requiredEnvVars.AZURE_TENANT_ID,
+      redisScopes: requiredEnvVars.AZURE_REDIS_SCOPES,
+      cert: requiredEnvVars.AZURE_CERT,
+      privateKey: requiredEnvVars.AZURE_PRIVATE_KEY,
+      userAssignedManagedId: requiredEnvVars.AZURE_USER_ASSIGNED_MANAGED_ID
+    };
+  };
+
+  interface TokenDetail {
+    token: string;
+    exp: number;
+    iat: number;
+    lifetime: number;
+    uti: string;
+  }
+
+  const setupTestClient = (credentialsProvider: EntraidCredentialsProvider) => {
+    const config = readConfigFromEnv();
+    const client = createClient({
+      url: config.endpoints['standalone-entraid-acl'].endpoints[0],
+      credentialsProvider
+    });
+
+    const clientInstance = (client as any)._self;
+    const reAuthSpy: SinonSpy = spy(clientInstance, 'reAuthenticate');
+
+    return { client, reAuthSpy };
+  };
+
+  const runClientOperations = async (client: any) => {
+    const startTime = Date.now();
+    while (Date.now() - startTime < 1000) {
+      const key = randomUUID();
+      await client.set(key, 'value');
+      const value = await client.get(key);
+      assert.equal(value, 'value');
+      await client.del(key);
+    }
+  };
+
+  const validateTokens = (reAuthSpy: SinonSpy) => {
+    assert(reAuthSpy.callCount >= 1,
+      `reAuthenticate should have been called at least once, but was called ${reAuthSpy.callCount} times`);
+
+    const tokenDetails: TokenDetail[] = reAuthSpy.getCalls().map(call => {
+      const creds = call.args[0] as BasicAuth;
+      const tokenPayload = JSON.parse(
+        Buffer.from(creds.password.split('.')[1], 'base64').toString()
+      );
+
+      return {
+        token: creds.password,
+        exp: tokenPayload.exp,
+        iat: tokenPayload.iat,
+        lifetime: tokenPayload.exp - tokenPayload.iat,
+        uti: tokenPayload.uti
+      };
+    });
+
+    // Verify unique tokens
+    const uniqueTokens = new Set(tokenDetails.map(detail => detail.token));
+    assert.equal(
+      uniqueTokens.size,
+      reAuthSpy.callCount,
+      `Expected ${reAuthSpy.callCount} different tokens, but got ${uniqueTokens.size} unique tokens`
+    );
+
+    // Verify all tokens are not cached (i.e. have the same lifetime)
+    const uniqueLifetimes = new Set(tokenDetails.map(detail => detail.lifetime));
+    assert.equal(
+      uniqueLifetimes.size,
+      1,
+      `Expected all tokens to have the same lifetime, but found ${uniqueLifetimes.size} different lifetimes: ${[uniqueLifetimes].join(', ')} seconds`
+    );
+
+    // Verify that all tokens have different uti (unique token identifier)
+    const uniqueUti = new Set(tokenDetails.map(detail => detail.uti));
+    assert.equal(
+      uniqueUti.size,
+      reAuthSpy.callCount,
+      `Expected all tokens to have different uti, but found ${uniqueUti.size} different uti in: ${[uniqueUti].join(', ')}`
+    );
+  };
+
+  const runAuthenticationTest = async (setupCredentialsProvider: () => any) => {
+    const { client, reAuthSpy } = setupTestClient(setupCredentialsProvider());
+
+    try {
+      await client.connect();
+      await runClientOperations(client);
+      validateTokens(reAuthSpy);
+    } finally {
+      await client.destroy();
+    }
+  };
+
+});

packages/entraid/lib/entra-id-credentials-provider-factory.ts

@@ -72,9 +72,9 @@ export class EntraIdCredentialsProviderFactory {
    * @param params
    */
   static createForUserAssignedManagedIdentity(
-    params: CredentialParams
+    params: CredentialParams & { userAssignedClientId: string }
   ): EntraidCredentialsProvider {
-    return this.createManagedIdentityProvider(params, params.clientId);
+    return this.createManagedIdentityProvider(params, params.userAssignedClientId);
   }
 
   private static _createForClientCredentials(
@@ -101,7 +101,22 @@ export class EntraIdCredentialsProviderFactory {
     );
 
     return new EntraidCredentialsProvider(new TokenManager(idp, params.tokenManagerConfig), idp,
-      { onReAuthenticationError: params.onReAuthenticationError });
+      {
+        onReAuthenticationError: params.onReAuthenticationError,
+        credentialsMapper: (token) => {
+
+          // Client credentials flow is app-only authentication (no user context),
+          // so only access token is provided without user-specific claims (uniqueId, idToken, ...)
+          // this means that we need to extract the oid from the access token manually
+          const accessToken = JSON.parse(Buffer.from(token.accessToken.split('.')[1], 'base64').toString());
+
+          return ({
+            username: accessToken.oid,
+            password: token.accessToken
+          })
+
+        }
+      });
   }
 
   /**
@@ -257,7 +272,7 @@ const loggerOptions = {
     if (!containsPii) console.log(message);
   },
   piiLoggingEnabled: false,
-  logLevel: LogLevel.Verbose
+  logLevel: LogLevel.Error
 }
 
 /**

packages/entraid/lib/entraid-credentials-provider.spec.ts

@@ -134,15 +134,15 @@ describe('EntraID CredentialsProvider Subscription Behavior', () => {
       private readonly tokenSequence: AuthenticationResult[] = [
         {
           accessToken: 'initial-token',
-          account: { username: 'test-user' }
+          uniqueId: 'test-user'
         } as AuthenticationResult,
         {
           accessToken: 'refresh-token-1',
-          account: { username: 'test-user' }
+          uniqueId: 'test-user'
         } as AuthenticationResult,
         {
           accessToken: 'refresh-token-2',
-          account: { username: 'test-user' }
+          uniqueId: 'test-user'
         } as AuthenticationResult
       ]
     ) {}

packages/entraid/lib/entraid-credentials-provider.ts

@@ -24,20 +24,16 @@ export class EntraidCredentialsProvider implements StreamingCredentialsProvider
   }> = [];
 
   constructor(
-    private readonly tokenManager: TokenManager<AuthenticationResult>,
-    private readonly idp: IdentityProvider<AuthenticationResult>,
-    options: {
-      onReAuthenticationError?: (error: ReAuthenticationError) => void
-      credentialsMapper?: (token: AuthenticationResult) => BasicAuth
+    public readonly tokenManager: TokenManager<AuthenticationResult>,
+    public readonly idp: IdentityProvider<AuthenticationResult>,
+    private readonly options: {
+      onReAuthenticationError?: (error: ReAuthenticationError) => void;
+      credentialsMapper?: (token: AuthenticationResult) => BasicAuth;
+      onTransientError?: (error: string) => void;
     } = {}
   ) {
-    this.onReAuthenticationError = options.onReAuthenticationError ??
-      ((error) => console.error('ReAuthenticationError', error));
-    this.credentialsMapper = options.credentialsMapper ?? ((token) => ({
-      username: token.account?.username ?? undefined,
-      password: token.accessToken
-    }));
-
+    this.onReAuthenticationError = options.onReAuthenticationError ?? DEFAULT_ERROR_HANDLER;
+    this.credentialsMapper = options.credentialsMapper ?? DEFAULT_CREDENTIALS_MAPPER;
   }
 
   async subscribe(
@@ -81,7 +77,7 @@ export class EntraidCredentialsProvider implements StreamingCredentialsProvider
         if (error.isFatal) {
           subscribers.forEach(listener => listener.onError(error));
         } else {
-          console.log('Transient identity provider error', error);
+          this.options.onTransientError?.(error.message);
         }
       },
       onNext: (token: { value: AuthenticationResult }): void => {
@@ -124,4 +120,16 @@ export class EntraidCredentialsProvider implements StreamingCredentialsProvider
     return this.listeners.size;
   }
 
-}
+  public getTokenManager() {
+    return this.tokenManager;
+  }
+
+}
+
+const DEFAULT_CREDENTIALS_MAPPER = (token: AuthenticationResult): BasicAuth => ({
+  username: token.uniqueId,
+  password: token.accessToken
+});
+
+const DEFAULT_ERROR_HANDLER = (error: ReAuthenticationError) =>
+  console.error('ReAuthenticationError', error);

packages/entraid/lib/msal-identity-provider.ts

@@ -22,7 +22,6 @@ export class MSALIdentityProvider implements IdentityProvider<AuthenticationResu
         ttlMs: result.expiresOn.getTime() - Date.now()
       };
     } catch (error) {
-      console.error('Error acquiring token:', error);
       throw error;
     }
   }

packages/entraid/package.json

@@ -11,7 +11,8 @@
   "scripts": {
     "clean": "rimraf dist",
     "build": "npm run clean && tsc",
-    "start:auth-pkce": "npm run build && node dist/samples/auth-code-pkce/index.js",
+    "start:auth-pkce": "tsx --tsconfig tsconfig.samples.json ./samples/auth-code-pkce/index.ts",
+    "test-integration": "mocha -r tsx --tsconfig tsconfig.integration-tests.json './integration-tests/**/*.spec.ts'",
     "test": "nyc -r text-summary -r lcov mocha -r tsx './lib/**/*.spec.ts'"
   },
   "dependencies": {

packages/entraid/samples/auth-code-pkce/index.ts

@@ -82,10 +82,6 @@ app.get('/login', async (req: AuthRequest, res: Response) => {
 
 app.get('/redirect', async (req: AuthRequest, res: Response) => {
   try {
-    // Debug log to see exactly what we're receiving
-    console.log('Full request query:', req.query);
-    console.log('Code from request:', req.query.code);
-    console.log('Session state:', req.session);
 
     // The authorization code is in req.query.code
     const { code, client_info } = req.query;

packages/entraid/tsconfig.integration-tests.json

@@ -0,0 +1,10 @@
+{
+  "extends": "./tsconfig.json",
+  "include": [
+    "./integration-tests/**/*.ts",
+    "./lib/**/*.ts"
+  ],
+  "compilerOptions": {
+    "noEmit": true
+  },
+}