From 5d72a2b31917a10f2e8b07b77483b0313b5deac8 Mon Sep 17 00:00:00 2001 From: Mark Laing Date: Mon, 17 Feb 2025 17:30:54 +0000 Subject: [PATCH] test/suites: Test enforcement of issuer URL being compatible with discovery. Signed-off-by: Mark Laing --- test/suites/oidc.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/suites/oidc.sh b/test/suites/oidc.sh index 6b3190ea7fa1..d1f3a54cba99 100644 --- a/test/suites/oidc.sh +++ b/test/suites/oidc.sh @@ -12,10 +12,14 @@ test_oidc() { lxc config set oidc.scopes "my-scope email openid" # Valid lxc config unset oidc.scopes # Should reset to include profile and offline access claims + lxc config set "oidc.client.id=device" + + # Cannot set issuer to a URL that cannot perform discovery. + ! lxc config set "oidc.issuer=http://127.0.0.1:$(local_tcp_port)/" || false + # Setup OIDC spawn_oidc lxc config set "oidc.issuer=http://127.0.0.1:$(cat "${TEST_DIR}/oidc.port")/" - lxc config set "oidc.client.id=device" # Expect this to fail. No user set. ! BROWSER=curl lxc remote add --accept-certificate oidc "${LXD_ADDR}" --auth-type oidc || false
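Review bot: The new negative check `! lxc config set "oidc.issuer=http://127.0.0.1:$(local_tcp_port)/" || false` passes on any non-zero exit, so it shows neither that the value was rejected because discovery failed nor that the unreachable issuer was kept out of the stored config. Assuming no issuer was set earlier in `test_oidc` (the function starts and ends outside the hunk), following it with `[ "$(lxc config get oidc.issuer)" = "" ]` would pin that a rejected issuer is not persisted. Moving `oidc.client.id` ahead of the issuer suggests, though the hunk does not show it, that the discovery check only runs once a client ID is configured. If that is the case, a comment saying so and a second case in the reverse order (issuer first, then client ID) would stop the enforcement from silently depending on the order in which the keys are set. The port from `local_tcp_port` presumably has nothing listening on it, so this covers only a refused connection, not an endpoint that answers without a valid discovery document.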