From ee1ad141bc17ba12741fb9933bbd96202382c0fc Mon Sep 17 00:00:00 2001 From: Ian VanSchooten Date: Fri, 7 Nov 2025 10:39:24 -0500 Subject: [PATCH 1/9] Add endpoint oidc email to enroll response --- client.go | 14 +++++++++++--- message/message.go | 20 +++++++++++++------- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/client.go b/client.go index 2bc6a23..5001aef 100644 --- a/client.go +++ b/client.go @@ -83,9 +83,10 @@ var ErrInvalidCredentials = fmt.Errorf("invalid credentials") var ErrInvalidCode = fmt.Errorf("invalid enrollment code") type ConfigMeta struct { - Org ConfigOrg - Network ConfigNetwork - Host ConfigHost + Org ConfigOrg + Network ConfigNetwork + Host ConfigHost + EndpointOIDC ConfigEndpointOIDC } type ConfigOrg struct { @@ -104,6 +105,10 @@ type ConfigHost struct { IPAddress string } +type ConfigEndpointOIDC struct { + Email *string +} + // Enroll issues an enrollment request against the REST API using the given enrollment code, passing along a locally // generated DH X25519 public key to be signed by the CA, and an Ed 25519 public key for future API call authentication. // On success it returns the Nebula config generated by the server, a Nebula private key PEM to be inserted into the @@ -202,6 +207,9 @@ func (c *Client) Enroll(ctx context.Context, logger logrus.FieldLogger, code str Name: r.Data.Host.Name, IPAddress: r.Data.Host.IPAddress, }, + EndpointOIDC: ConfigEndpointOIDC{ + Email: r.Data.EndpointOIDCMeta.Email, + }, } // Determine the private keys to save based on the network curve type diff --git a/message/message.go b/message/message.go index a490ab3..211d757 100644 --- a/message/message.go +++ b/message/message.go 
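Review bot: `r.Data.EndpointOIDCMeta.Email` in the Enroll hunk (`@@ -202,6 +207,9`) dereferences a pointer that message.go in this same patch declares as `*HostEndpointOIDCMetadata` with `omitempty`, so any enroll response without an `endpointOIDC` object panics the client on server-supplied input. Patch 2/9 repeats the pattern in DoUpdate with `result.EndpointOIDCMeta.Email`. The guard only arrives in patch 6/9; moving it here, e.g. `if m := r.Data.EndpointOIDCMeta; m != nil { meta.EndpointOIDC.Email = m.Email }` after the literal, would keep every commit in the series safe to build and bisect. Enroll's body starts and ends outside the hunk.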
@@ -152,13 +152,14 @@ type EnrollResponse struct { // EnrollResponseData is included in the EnrollResponse. type EnrollResponseData struct { - Config []byte `json:"config"` - HostID string `json:"hostID"` - Counter uint `json:"counter"` - TrustedKeys []byte `json:"trustedKeys"` - Organization HostOrgMetadata `json:"organization"` - Network HostNetworkMetadata `json:"network"` - Host HostHostMetadata `json:"host"` + Config []byte `json:"config"` + HostID string `json:"hostID"` + Counter uint `json:"counter"` + TrustedKeys []byte `json:"trustedKeys"` + Organization HostOrgMetadata `json:"organization"` + Network HostNetworkMetadata `json:"network"` + Host HostHostMetadata `json:"host"` + EndpointOIDCMeta *HostEndpointOIDCMetadata `json:"endpointOIDC,omitempty"` } // HostOrgMetadata is included in EnrollResponseData. @@ -182,6 +183,11 @@ type HostHostMetadata struct { IPAddress string `json:"ipAddress"` } +// HostEndpointOIDCMetadata is included in EnrollResponseData. +type HostEndpointOIDCMetadata struct { + Email *string `json:"email"` +} + // APIError represents a single error returned in an API error response. type APIError struct { Code string `json:"code"` From 2776d9eabe8bd3e059c9345349d4c0d02f3a3a0b Mon Sep 17 00:00:00 2001 From: Ian VanSchooten Date: Fri, 7 Nov 2025 10:41:31 -0500 Subject: [PATCH 2/9] Add endpoint oidc email to doUpdate response --- client.go | 3 +++ message/message.go | 15 ++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/client.go b/client.go index 5001aef..51d3edc 100644 --- a/client.go +++ b/client.go @@ -388,6 +388,9 @@ func (c *Client) DoUpdate(ctx context.Context, creds keys.Credentials) ([]byte, Name: result.Host.Name, IPAddress: result.Host.IPAddress, }, + EndpointOIDC: ConfigEndpointOIDC{ + Email: result.EndpointOIDCMeta.Email, + }, } return result.Config, nebulaPrivkeyPEM, newCreds, meta, nil diff --git a/message/message.go b/message/message.go index 211d757..9447c1e 100644 --- a/message/message.go 
+++ b/message/message.go @@ -73,13 +73,14 @@ type DoUpdateRequest struct { // DoUpdateResponse is the response generated for a DoUpdate request. type DoUpdateResponse struct { - Config []byte `json:"config"` - Counter uint `json:"counter"` - Nonce []byte `json:"nonce"` - TrustedKeys []byte `json:"trustedKeys"` - Organization HostOrgMetadata `json:"organization"` - Network HostNetworkMetadata `json:"network"` - Host HostHostMetadata `json:"host"` + Config []byte `json:"config"` + Counter uint `json:"counter"` + Nonce []byte `json:"nonce"` + TrustedKeys []byte `json:"trustedKeys"` + Organization HostOrgMetadata `json:"organization"` + Network HostNetworkMetadata `json:"network"` + Host HostHostMetadata `json:"host"` + EndpointOIDCMeta *HostEndpointOIDCMetadata `json:"endpointOIDC,omitempty"` } // LongPollWaitResponseWrapper contains a response to LongPollWait inside "data." From abf08efe81f6046d378ee6768e7ede208ac0f8d3 Mon Sep 17 00:00:00 2001 From: Ian VanSchooten Date: Fri, 7 Nov 2025 10:56:47 -0500 Subject: [PATCH 3/9] Make existing tests pass --- client_test.go | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/client_test.go b/client_test.go index 9d6b58a..1683779 100644 --- a/client_test.go +++ b/client_test.go @@ -50,6 +50,7 @@ func TestEnroll(t *testing.T) { hostID := "foobar" hostName := "foo host" hostIP := "192.168.100.1" + oidcEmail := "demo@defined.net" counter := uint(5) ca, _ := dnapitest.NebulaCACert() caPEM, err := ca.MarshalToPEM() @@ -92,6 +93,9 @@ func TestEnroll(t *testing.T) { Name: hostName, IPAddress: hostIP, }, + EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ + Email: &oidcEmail, + }, }, }) }) @@ -139,6 +143,7 @@ func TestEnroll(t *testing.T) { assert.Equal(t, hostID, meta.Host.ID) assert.Equal(t, hostName, meta.Host.Name) assert.Equal(t, hostIP, meta.Host.IPAddress) + assert.Equal(t, hostIP, meta.Host.IPAddress) // Test error handling errorMsg := "invalid enrollment code" 
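Review bot: The doc comment on `HostEndpointOIDCMetadata` added in patch 1/9 reads "is included in EnrollResponseData", but the `@@ -73,13 +73,14` hunk here also embeds the type in `DoUpdateResponse`, so that comment is now incomplete. Suggest updating it to `// HostEndpointOIDCMetadata is included in EnrollResponseData and DoUpdateResponse.` A short comment on the new field, such as `// EndpointOIDCMeta is nil when the response has no endpointOIDC object (or it is null).`, would also tell readers that the pointer is optional and must be checked before use.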
@@ -170,6 +175,7 @@ func TestDoUpdate(t *testing.T) { t.Parallel() useragent := "testClient" + oidcEmail := "demo@defined.net" ts := dnapitest.NewServer(useragent) t.Cleanup(func() { ts.Close() }) @@ -217,6 +223,9 @@ func TestDoUpdate(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, + EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ + Email: &oidcEmail, + }, }, }) }) @@ -286,6 +295,9 @@ func TestDoUpdate(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, + EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ + Email: &oidcEmail, + }, } rawRes := jsonMarshal(newConfigResponse) @@ -341,6 +353,9 @@ func TestDoUpdate(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, + EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ + Email: &oidcEmail, + }, } rawRes := jsonMarshal(newConfigResponse) @@ -400,6 +415,9 @@ func TestDoUpdate(t *testing.T) { Name: hostName, IPAddress: hostIP, }, + EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ + Email: &oidcEmail, + }, } rawRes := jsonMarshal(newConfigResponse) @@ -434,6 +452,7 @@ func TestDoUpdate_P256(t *testing.T) { t.Parallel() useragent := "testClient" + oidcEmail := "demo@defined.net" ts := dnapitest.NewServer(useragent) t.Cleanup(func() { ts.Close() }) @@ -481,6 +500,9 @@ func TestDoUpdate_P256(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, + EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ + Email: &oidcEmail, + }, }, }) }) @@ -639,6 +661,9 @@ func TestDoUpdate_P256(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, + EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ + Email: &oidcEmail, + }, } rawRes := jsonMarshal(newConfigResponse) hashed := sha256.Sum256(rawRes) @@ -674,6 +699,7 @@ func TestCommandResponse(t *testing.T) { t.Parallel() useragent := "testClient" + oidcEmail := "demo@defined.net" ts := dnapitest.NewServer(useragent) t.Cleanup(func() { ts.Close() }) 
@@ -721,6 +747,9 @@ func TestCommandResponse(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, + EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ + Email: &oidcEmail, + }, }, }) }) @@ -776,6 +805,7 @@ func TestStreamCommandResponse(t *testing.T) { t.Parallel() useragent := "testClient" + oidcEmail := "demo@defined.net" ts := dnapitest.NewServer(useragent) t.Cleanup(func() { ts.Close() }) @@ -823,6 +853,9 @@ func TestStreamCommandResponse(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, + EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ + Email: &oidcEmail, + }, }, }) }) @@ -902,6 +935,7 @@ func TestReauthenticate(t *testing.T) { t.Parallel() useragent := "testClient" + oidcEmail := "demo@defined.net" ts := dnapitest.NewServer(useragent) t.Cleanup(func() { ts.Close() }) @@ -949,6 +983,9 @@ func TestReauthenticate(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, + EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ + Email: &oidcEmail, + }, }, }) }) From df3f3605f720a81fee549c4bf0167708c28f5fd9 Mon Sep 17 00:00:00 2001 From: Ian VanSchooten Date: Fri, 7 Nov 2025 10:59:30 -0500 Subject: [PATCH 4/9] Assert happy-path values --- client_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/client_test.go b/client_test.go index 1683779..d9ebf5d 100644 --- a/client_test.go +++ b/client_test.go @@ -143,7 +143,7 @@ func TestEnroll(t *testing.T) { assert.Equal(t, hostID, meta.Host.ID) assert.Equal(t, hostName, meta.Host.Name) assert.Equal(t, hostIP, meta.Host.IPAddress) - assert.Equal(t, hostIP, meta.Host.IPAddress) + assert.Equal(t, oidcEmail, *meta.EndpointOIDC.Email) // Test error handling errorMsg := "invalid enrollment code" @@ -445,6 +445,7 @@ func TestDoUpdate(t *testing.T) { assert.Equal(t, hostID, meta.Host.ID) assert.Equal(t, hostName, meta.Host.Name) assert.Equal(t, hostIP, meta.Host.IPAddress) + assert.Equal(t, oidcEmail, *meta.EndpointOIDC.Email) } 
From 593d2a0828f9e0025c0ae7e52c550d89783a2748 Mon Sep 17 00:00:00 2001 From: Ian VanSchooten Date: Fri, 7 Nov 2025 11:20:21 -0500 Subject: [PATCH 5/9] Check what happens when email is nil --- client_test.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/client_test.go b/client_test.go index d9ebf5d..d7aabcf 100644 --- a/client_test.go +++ b/client_test.go @@ -50,7 +50,6 @@ func TestEnroll(t *testing.T) { hostID := "foobar" hostName := "foo host" hostIP := "192.168.100.1" - oidcEmail := "demo@defined.net" counter := uint(5) ca, _ := dnapitest.NebulaCACert() caPEM, err := ca.MarshalToPEM() @@ -94,7 +93,7 @@ func TestEnroll(t *testing.T) { IPAddress: hostIP, }, EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: &oidcEmail, + Email: nil, }, }, }) @@ -143,7 +142,7 @@ func TestEnroll(t *testing.T) { assert.Equal(t, hostID, meta.Host.ID) assert.Equal(t, hostName, meta.Host.Name) assert.Equal(t, hostIP, meta.Host.IPAddress) - assert.Equal(t, oidcEmail, *meta.EndpointOIDC.Email) + assert.Nil(t, meta.EndpointOIDC.Email) // Test error handling errorMsg := "invalid enrollment code" From cad71bc4f090df88e3cda9c6e777b7fcee9e58c0 Mon Sep 17 00:00:00 2001 From: Ian VanSchooten Date: Fri, 7 Nov 2025 11:46:01 -0500 Subject: [PATCH 6/9] Fix nil location --- client.go | 18 ++++++++++++------ client_test.go | 37 +++++++------------------------------ message/message.go | 2 +- 3 files changed, 20 insertions(+), 37 deletions(-) diff --git a/client.go b/client.go index 51d3edc..ecf98ff 100644 --- a/client.go +++ b/client.go @@ -86,7 +86,7 @@ type ConfigMeta struct { Org ConfigOrg Network ConfigNetwork Host ConfigHost - EndpointOIDC ConfigEndpointOIDC + EndpointOIDC *ConfigEndpointOIDC } type ConfigOrg struct { @@ -106,7 +106,7 @@ type ConfigHost struct { } type ConfigEndpointOIDC struct { - Email *string + Email string } // Enroll issues an enrollment request against the REST API using the given enrollment code, passing along a locally 
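Review bot: `ConfigMeta.EndpointOIDC` becomes a pointer in the `@@ -86,7 +86,7` hunk, so every caller reading `meta.EndpointOIDC.Email` must now nil-check, yet neither the field nor `ConfigEndpointOIDC` (`@@ -106,7 +106,7`) carries a doc comment. Suggest `// EndpointOIDC is nil when the server response has no endpointOIDC metadata.` on the field and `// ConfigEndpointOIDC holds the OIDC email reported by the server; the client copies it without validation.` on the type. Stating that the value is server-reported and unvalidated matters for any consumer that might use it in an access or audit decision.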
@@ -207,9 +207,12 @@ func (c *Client) Enroll(ctx context.Context, logger logrus.FieldLogger, code str Name: r.Data.Host.Name, IPAddress: r.Data.Host.IPAddress, }, - EndpointOIDC: ConfigEndpointOIDC{ + } + + if r.Data.EndpointOIDCMeta != nil { + meta.EndpointOIDC = &ConfigEndpointOIDC{ Email: r.Data.EndpointOIDCMeta.Email, - }, + } } // Determine the private keys to save based on the network curve type @@ -388,9 +391,12 @@ func (c *Client) DoUpdate(ctx context.Context, creds keys.Credentials) ([]byte, Name: result.Host.Name, IPAddress: result.Host.IPAddress, }, - EndpointOIDC: ConfigEndpointOIDC{ + } + + if result.EndpointOIDCMeta != nil { + meta.EndpointOIDC = &ConfigEndpointOIDC{ Email: result.EndpointOIDCMeta.Email, - }, + } } return result.Config, nebulaPrivkeyPEM, newCreds, meta, nil diff --git a/client_test.go b/client_test.go index d7aabcf..73d5e61 100644 --- a/client_test.go +++ b/client_test.go @@ -50,6 +50,7 @@ func TestEnroll(t *testing.T) { hostID := "foobar" hostName := "foo host" hostIP := "192.168.100.1" + oidcEmail := "demo@defined.net" counter := uint(5) ca, _ := dnapitest.NebulaCACert() caPEM, err := ca.MarshalToPEM() @@ -93,7 +94,7 @@ func TestEnroll(t *testing.T) { IPAddress: hostIP, }, EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: nil, + Email: oidcEmail, }, }, }) @@ -142,7 +143,7 @@ func TestEnroll(t *testing.T) { assert.Equal(t, hostID, meta.Host.ID) assert.Equal(t, hostName, meta.Host.Name) assert.Equal(t, hostIP, meta.Host.IPAddress) - assert.Nil(t, meta.EndpointOIDC.Email) + assert.Equal(t, oidcEmail, meta.EndpointOIDC.Email) // Test error handling errorMsg := "invalid enrollment code" @@ -174,7 +175,6 @@ func TestDoUpdate(t *testing.T) { t.Parallel() useragent := "testClient" - oidcEmail := "demo@defined.net" ts := dnapitest.NewServer(useragent) t.Cleanup(func() { ts.Close() }) 
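Review bot: The new guard in Enroll (`@@ -207,9 +207,12`) only checks the outer pointer, and since this patch also turns `Email` into a plain `string`, a response carrying `"endpointOIDC": {}` or `"email": null` now yields a non-nil `meta.EndpointOIDC` with `Email == ""`. A caller that treats a non-nil `EndpointOIDC` as "this host has an OIDC identity" would then act on an empty identity. If an empty email is not meaningful, consider `if m := r.Data.EndpointOIDCMeta; m != nil && m.Email != "" {` here and the equivalent on `result.EndpointOIDCMeta` in the DoUpdate hunk (`@@ -388,9 +391,12`). Both function bodies continue outside their hunks.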
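Review bot: `assert.Equal(t, oidcEmail, meta.EndpointOIDC.Email)` in the TestEnroll hunk (`@@ -143,7 +143,7`) dereferences `meta.EndpointOIDC`, which is now a pointer, so a regression that leaves it nil ends the test with a panic rather than a readable failure. Adding `require.NotNil(t, meta.EndpointOIDC)` on the line before would stop the test cleanly. The same applies to the TestDoUpdate assertion in `@@ -436,7 +436,7`. `require` is already used in this test file (`require.NoError` in TestCommandResponse).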
@@ -222,9 +222,6 @@ func TestDoUpdate(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, - EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: &oidcEmail, - }, }, }) }) @@ -294,9 +291,6 @@ func TestDoUpdate(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, - EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: &oidcEmail, - }, } rawRes := jsonMarshal(newConfigResponse) @@ -352,9 +346,6 @@ func TestDoUpdate(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, - EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: &oidcEmail, - }, } rawRes := jsonMarshal(newConfigResponse) @@ -391,6 +382,7 @@ func TestDoUpdate(t *testing.T) { hostID := "foobar" hostName := "foo host" hostIP := "192.168.100.1" + oidcEmail := "demo@defined.net" // This time sign the response with the correct CA key. ts.ExpectDNClientRequest(message.DoUpdate, http.StatusOK, func(r message.RequestWrapper) []byte { @@ -415,7 +407,7 @@ func TestDoUpdate(t *testing.T) { IPAddress: hostIP, }, EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: &oidcEmail, + Email: oidcEmail, }, } rawRes := jsonMarshal(newConfigResponse) @@ -444,7 +436,7 @@ func TestDoUpdate(t *testing.T) { assert.Equal(t, hostID, meta.Host.ID) assert.Equal(t, hostName, meta.Host.Name) assert.Equal(t, hostIP, meta.Host.IPAddress) - assert.Equal(t, oidcEmail, *meta.EndpointOIDC.Email) + assert.Equal(t, oidcEmail, meta.EndpointOIDC.Email) } @@ -501,7 +493,7 @@ func TestDoUpdate_P256(t *testing.T) { IPAddress: "192.168.100.2", }, EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: &oidcEmail, + Email: oidcEmail, }, }, }) @@ -661,9 +653,6 @@ func TestDoUpdate_P256(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, - EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: &oidcEmail, - }, } rawRes := jsonMarshal(newConfigResponse) hashed := sha256.Sum256(rawRes) 
@@ -699,7 +688,6 @@ func TestCommandResponse(t *testing.T) { t.Parallel() useragent := "testClient" - oidcEmail := "demo@defined.net" ts := dnapitest.NewServer(useragent) t.Cleanup(func() { ts.Close() }) @@ -747,9 +735,6 @@ func TestCommandResponse(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, - EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: &oidcEmail, - }, }, }) }) @@ -805,7 +790,6 @@ func TestStreamCommandResponse(t *testing.T) { t.Parallel() useragent := "testClient" - oidcEmail := "demo@defined.net" ts := dnapitest.NewServer(useragent) t.Cleanup(func() { ts.Close() }) @@ -853,9 +837,6 @@ func TestStreamCommandResponse(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, - EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: &oidcEmail, - }, }, }) }) @@ -935,7 +916,6 @@ func TestReauthenticate(t *testing.T) { t.Parallel() useragent := "testClient" - oidcEmail := "demo@defined.net" ts := dnapitest.NewServer(useragent) t.Cleanup(func() { ts.Close() }) @@ -983,9 +963,6 @@ func TestReauthenticate(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, - EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: &oidcEmail, - }, }, }) }) diff --git a/message/message.go b/message/message.go index 9447c1e..12438df 100644 --- a/message/message.go +++ b/message/message.go @@ -186,7 +186,7 @@ type HostHostMetadata struct { // HostEndpointOIDCMetadata is included in EnrollResponseData. type HostEndpointOIDCMetadata struct { - Email *string `json:"email"` + Email string `json:"email"` } // APIError represents a single error returned in an API error response. From 42bd4537830a9f34b524bd5d2c9bdaeafe27f552 Mon Sep 17 00:00:00 2001 From: Ian VanSchooten Date: Fri, 7 Nov 2025 11:47:48 -0500 Subject: [PATCH 7/9] Remove omitempty --- message/message.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/message/message.go b/message/message.go index 12438df..cf953e1 100644 --- a/message/message.go 
+++ b/message/message.go @@ -80,7 +80,7 @@ type DoUpdateResponse struct { Organization HostOrgMetadata `json:"organization"` Network HostNetworkMetadata `json:"network"` Host HostHostMetadata `json:"host"` - EndpointOIDCMeta *HostEndpointOIDCMetadata `json:"endpointOIDC,omitempty"` + EndpointOIDCMeta *HostEndpointOIDCMetadata `json:"endpointOIDC"` } // LongPollWaitResponseWrapper contains a response to LongPollWait inside "data." @@ -160,7 +160,7 @@ type EnrollResponseData struct { Organization HostOrgMetadata `json:"organization"` Network HostNetworkMetadata `json:"network"` Host HostHostMetadata `json:"host"` - EndpointOIDCMeta *HostEndpointOIDCMetadata `json:"endpointOIDC,omitempty"` + EndpointOIDCMeta *HostEndpointOIDCMetadata `json:"endpointOIDC"` } // HostOrgMetadata is included in EnrollResponseData. From e6d8fad48c6cadb72b8e75a4bf481346e4b37c74 Mon Sep 17 00:00:00 2001 From: Ian VanSchooten Date: Fri, 7 Nov 2025 11:48:12 -0500 Subject: [PATCH 8/9] Little more test cleanup --- client_test.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/client_test.go b/client_test.go index 73d5e61..e777ae3 100644 --- a/client_test.go +++ b/client_test.go @@ -444,7 +444,6 @@ func TestDoUpdate_P256(t *testing.T) { t.Parallel() useragent := "testClient" - oidcEmail := "demo@defined.net" ts := dnapitest.NewServer(useragent) t.Cleanup(func() { ts.Close() }) @@ -492,9 +491,6 @@ func TestDoUpdate_P256(t *testing.T) { Name: "foo host", IPAddress: "192.168.100.2", }, - EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: oidcEmail, - }, }, }) }) From 2265297c41e55284f9eacaefe63e96f18d3f59c8 Mon Sep 17 00:00:00 2001 From: Ian VanSchooten Date: Fri, 7 Nov 2025 11:59:19 -0500 Subject: [PATCH 9/9] Assert nil on standard host --- client_test.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/client_test.go b/client_test.go index e777ae3..2ed70e4 100644 --- a/client_test.go +++ b/client_test.go 
@@ -737,7 +737,7 @@ func TestCommandResponse(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second) defer cancel() - config, pkey, creds, _, err := c.Enroll(ctx, testutil.NewTestLogger(), "foobar") + config, pkey, creds, meta, err := c.Enroll(ctx, testutil.NewTestLogger(), "foobar") require.NoError(t, err) // make sure all credential values were set @@ -750,6 +750,9 @@ func TestCommandResponse(t *testing.T) { assert.NotEmpty(t, config) assert.NotEmpty(t, pkey) + // no EndpointOIDC for standard host enrollments + assert.Nil(t, meta.EndpointOIDC) + // This time sign the response with the correct CA key. responseToken := "abc123" res := map[string]any{"msg": "Hello, world!"}
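Review bot: The added `assert.Nil(t, meta.EndpointOIDC)` in `@@ -750,6 +750,9` covers the absent-metadata path for Enroll only; none of the visible test hunks asserts the same for DoUpdate, whose nil guard was added in patch 6/9. A matching `assert.Nil(t, meta.EndpointOIDC)` after a successful DoUpdate whose response omits `EndpointOIDCMeta` would pin both branches. TestDoUpdate_P256 looks like a candidate, though its success path is outside these hunks. TestCommandResponse continues outside the hunk.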