add test

Signed-off-by: huabing zhao <[email protected]>

Makefile

@@ -18,6 +18,7 @@ BUILD_OPTS ?=
 TEST_OPTS  ?=
 TEST_PKGS  ?= $(shell go list ./... | grep -v /e2e)
 OUTDIR     ?= bin
+ENVTEST    ?= sigs.k8s.io/controller-runtime/tools/setup-envtest
 
 include env.mk    # Load common variables
 -include .makerc  # Pick up any local overrides.
@@ -93,8 +94,10 @@ COVERAGE_OPTS ?=
 .PHONY: coverage
 coverage:  ## Creates coverage report for all projects
 	@echo "Running test coverage"
+	@go run $(ENVTEST) use
 	@mkdir -p $(OUTDIR)/$@
 	@go test $(COVERAGE_OPTS) \
+		--tags=integration \
 		-timeout 30s \
 		-coverprofile $(OUTDIR)/$@/coverage.out \
 		-covermode atomic \

go.mod

@@ -18,6 +18,7 @@ require (
 	google.golang.org/protobuf v1.32.0
 	k8s.io/api v0.29.0
 	k8s.io/apimachinery v0.29.0
+	k8s.io/client-go v0.29.0
 	sigs.k8s.io/controller-runtime v0.17.2
 )
 
@@ -33,6 +34,7 @@ require (
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.8.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
@@ -60,6 +62,8 @@ require (
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/yuin/gopher-lua v1.1.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/crypto v0.18.0 // indirect
 	golang.org/x/oauth2 v0.16.0 // indirect
 	golang.org/x/sys v0.16.0 // indirect
@@ -70,7 +74,7 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/client-go v0.29.0 // indirect
+	k8s.io/apiextensions-apiserver v0.29.0 // indirect
 	k8s.io/klog/v2 v2.110.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect

go.sum

@@ -7,6 +7,8 @@ github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a h1:HbKu58rmZp
 github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
 github.com/alicebob/miniredis/v2 v2.31.1 h1:7XAt0uUg3DtwEKW5ZAGa+K7FZV2DdKQo5K/6TTnfX8Y=
 github.com/alicebob/miniredis/v2 v2.31.1/go.mod h1:UB/T2Uztp7MlFSDakaX1sTXUv5CASoprx0wulRT6HBg=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
@@ -37,6 +39,8 @@ github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro=
 github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -54,6 +58,7 @@ github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
@@ -104,6 +109,9 @@ github.com/logrusorgru/aurora v2.0.3+incompatible h1:tOpm7WcpBTn4fjmVfgpQq0EfczG
 github.com/logrusorgru/aurora v2.0.3+incompatible/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
+github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -119,6 +127,14 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
+github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
+github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
+github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
+github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
+github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
+github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
+github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/redis/go-redis/v9 v9.4.0 h1:Yzoz33UZw9I/mFhx4MNrB6Fk+XHO1VukNcCa1+lwyKk=
 github.com/redis/go-redis/v9 v9.4.0/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
@@ -146,6 +162,8 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/gopher-lua v1.1.0 h1:BojcDhfyDWgU2f2TOzYK/g5p2gxMrku8oupLDqlnSqE=
 github.com/yuin/gopher-lua v1.1.0/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
@@ -222,6 +240,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
+gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240125205218-1f4bbc51befe h1:bQnxqljG/wqi4NTXu2+DJ3n7APcEA882QZ1JvhQAq9o=
@@ -251,6 +271,8 @@ k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o=
 k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis=
 k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8=
 k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38=
+k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s=
+k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M=
 k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
 k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=

internal/authz/oidc.go

@@ -36,6 +36,7 @@ import (
 	"google.golang.org/grpc/codes"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 
@@ -346,7 +347,7 @@ func (o *oidcHandler) retrieveTokens(ctx context.Context, log telemetry.Logger,
 		"redirect_uri": []string{o.config.GetCallbackUri()},
 	}
 
-	clientSecret, err := getClientSecret(ctx, log, o.config)
+	clientSecret, err := getClientSecret(ctx, o.config)
 	if err != nil {
 		log.Error("error getting client secret", err)
 		setDenyResponse(resp, newDenyResponse(), codes.Internal)
@@ -811,11 +812,19 @@ func loadWellKnownConfig(client *http.Client, cfg *oidcv1.OIDCConfig) error {
 const clientSecretKey = "client-secret"
 const defaultNamespace = "default"
 
+// inClusterConfig is used to inject the kubeconfig for testing purposes.
+var inClusterConfig *rest.Config
+
 // getClientSecret retrieves the client secret from the given OIDCConfig.
 // The client secret can be a literal or a reference to a Kubernetes secret.
 // If the client secret is a reference to a Kubernetes secret, it retrieves the secret from the Kubernetes API.
-func getClientSecret(ctx context.Context, log telemetry.Logger, c *oidcv1.OIDCConfig) (string, error) {
+func getClientSecret(ctx context.Context, c *oidcv1.OIDCConfig) (string, error) {
 	if c.GetClientSecretRef() != nil {
+		var (
+			cfg *rest.Config
+			err error
+		)
+
 		namespace := c.GetClientSecretRef().Namespace
 		if namespace == "" {
 			namespace = defaultNamespace
@@ -825,11 +834,14 @@ func getClientSecret(ctx context.Context, log telemetry.Logger, c *oidcv1.OIDCCo
 			Name:      c.GetClientSecretRef().Name,
 		}
 
-		log.Info("get client secret from Kubernetes secret", "secret", secretName.String())
-		cfg, err := config.GetConfig()
-		if err != nil {
-			return "", fmt.Errorf("error getting rest config: %w", err)
+		cfg = inClusterConfig
+		if cfg == nil {
+			cfg, err = config.GetConfig()
+			if err != nil {
+				return "", fmt.Errorf("error getting kube config: %w", err)
+			}
 		}
+
 		cl, err := client.New(cfg, client.Options{})
 		if err != nil {
 			return "", fmt.Errorf("errot creating kube client: %w", err)

internal/authz/oidc_kubernetes_test.go

@@ -0,0 +1,197 @@
+// Copyright 2024 Tetrate
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build integration
+// +build integration
+
+package authz
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"os"
+	"testing"
+	"time"
+
+	envoy "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	"github.com/lestrrat-go/jwx/jwt"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/rest"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	oidcv1 "github.com/tetrateio/authservice-go/config/gen/go/v1/oidc"
+	"github.com/tetrateio/authservice-go/internal/oidc"
+)
+
+var (
+	oidcConfigWithSecretRef = &oidcv1.OIDCConfig{
+		IdToken: &oidcv1.TokenConfig{
+			Header:   "Authorization",
+			Preamble: "Bearer",
+		},
+		AccessToken: &oidcv1.TokenConfig{
+			Header:   "X-Access-Token",
+			Preamble: "Bearer",
+		},
+		TokenUri:         "http://idp-test-server/token",
+		AuthorizationUri: "http://idp-test-server/auth",
+		CallbackUri:      "https://localhost:443/callback",
+		ClientId:         "test-client-id",
+		Scopes:           []string{"openid", "email"},
+	}
+)
+
+func TestOIDCProcessWithKubernetesSecret(t *testing.T) {
+	// start kube test env
+	testEnv, conf, err := startEnv()
+	require.NoError(t, err)
+
+	// set inClusterConfig for the client
+	inClusterConfig = conf
+
+	// create secrets for testing
+	c, err := client.New(conf, client.Options{})
+	require.NoError(t, err)
+	err = c.Create(context.Background(), &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "default",
+			Name:      "test-client-secret",
+		},
+		Data: map[string][]byte{
+			clientSecretKey: []byte("test-client-secret"),
+		},
+	})
+	require.NoError(t, err)
+	err = c.Create(context.Background(), &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "default",
+			Name:      "invalid-test-client-secret",
+		},
+		Data: map[string][]byte{
+			clientSecretKey + "-invalid": []byte("test-client-secret"),
+		},
+	})
+	require.NoError(t, err)
+
+	// stop kube test env
+	defer func() {
+		require.NoError(t, testEnv.Stop())
+	}()
+
+	jwkPriv, jwkPub := newKeyPair(t)
+	bytes, err := json.Marshal(newKeySet(jwkPub))
+	require.NoError(t, err)
+	oidcConfigWithSecretRef.JwksConfig = &oidcv1.OIDCConfig_Jwks{
+		Jwks: string(bytes),
+	}
+
+	clock := oidc.Clock{}
+	sessions := &mockSessionStoreFactory{store: oidc.NewMemoryStore(&clock, time.Hour, time.Hour)}
+	store := sessions.Get(oidcConfigWithSecretRef)
+	h, err := NewOIDCHandler(oidcConfigWithSecretRef, oidc.NewJWKSProvider(), sessions, clock, oidc.NewStaticGenerator(newSessionID, newNonce, newState))
+	require.NoError(t, err)
+
+	ctx := context.Background()
+
+	callbackTests := []struct {
+		name                string
+		setup               func(config *oidcv1.OIDCConfig)
+		expectedStatusCodes int32
+	}{
+		{
+			name: "with a valid k8s secret",
+			setup: func(config *oidcv1.OIDCConfig) {
+				config.ClientSecretConfig = &oidcv1.OIDCConfig_ClientSecretRef{
+					ClientSecretRef: &oidcv1.OIDCConfig_SecretReference{
+						Namespace: "default",
+						Name:      "test-client-secret",
+					},
+				}
+			},
+			expectedStatusCodes: int32(codes.Unauthenticated),
+		},
+		{
+			name: "with a invalid k8s secret",
+			setup: func(config *oidcv1.OIDCConfig) {
+				config.ClientSecretConfig = &oidcv1.OIDCConfig_ClientSecretRef{
+					ClientSecretRef: &oidcv1.OIDCConfig_SecretReference{
+						Namespace: "default",
+						Name:      "invalid-test-client-secret",
+					},
+				}
+			},
+			expectedStatusCodes: int32(codes.Internal),
+		},
+		{
+			name: "with a non-existing k8s secret",
+			setup: func(config *oidcv1.OIDCConfig) {
+				config.ClientSecretConfig = &oidcv1.OIDCConfig_ClientSecretRef{
+					ClientSecretRef: &oidcv1.OIDCConfig_SecretReference{
+						Namespace: "default",
+						Name:      "non-existing-test-client-secret",
+					},
+				}
+			},
+			expectedStatusCodes: int32(codes.Internal),
+		},
+	}
+
+	idpServer := newServer()
+	h.(*oidcHandler).httpClient = idpServer.newHTTPClient()
+
+	for _, tt := range callbackTests {
+		t.Run("request matches callback: "+tt.name, func(t *testing.T) {
+			idpServer.Start()
+			t.Cleanup(func() {
+				idpServer.Stop()
+				require.NoError(t, store.RemoveSession(ctx, sessionID))
+			})
+
+			idpServer.tokensResponse = &idpTokensResponse{
+				IDToken:     newJWT(t, jwkPriv, jwt.NewBuilder().Audience([]string{"test-client-id"}).Claim("nonce", newNonce)),
+				AccessToken: "access-token",
+				TokenType:   "Bearer",
+			}
+			idpServer.statusCode = http.StatusOK
+
+			// Set the authorization state in the store, so it can be found by the handler
+			require.NoError(t, store.SetAuthorizationState(ctx, sessionID, validAuthState))
+
+			resp := &envoy.CheckResponse{}
+			tt.setup(oidcConfigWithSecretRef)
+			err = h.Process(ctx, callbackRequest, resp)
+			require.NoError(t, err)
+
+			// just check the status code here because this test is only used to test client secrets in k8s secret
+			require.Equal(t, tt.expectedStatusCodes, resp.GetStatus().GetCode())
+		})
+	}
+}
+
+func startEnv() (*envtest.Environment, *rest.Config, error) {
+	log.SetLogger(zap.New(zap.WriteTo(os.Stderr), zap.UseDevMode(true)))
+	env := &envtest.Environment{}
+	cfg, err := env.Start()
+	if err != nil {
+		return env, nil, err
+	}
+	return env, cfg, nil
+}