feat: support OIDC endpoints (#1630)

jorwoods · jacalata · commit c19f5818d9a8 · 2026-02-03T11:39:48.000-08:00
* feat: support OIDC endpoints

Add support for remaining OIDC endpoints, including getting an
OIDC configuration by ID, removing the configuration, creating,
and updating configurations.

* feat: add str and repr to oidc item

---------

Co-authored-by: Jordan Woods &lt;13803242+jorwoods@users.noreply.github.com&gt;
diff --git a/tableauserverclient/server/request_factory.py b/tableauserverclient/server/request_factory.py
@@ -1665,64 +1665,6 @@ def update_req(self, xml_request: ET.Element, oidc_item: SiteOIDCConfiguration)
         return ET.tostring(xml_request)
 
 
-class ExtensionsRequest:
-    @_tsrequest_wrapped
-    def update_server_extensions(self, xml_request: ET.Element, extensions_server: "ExtensionsServer") -> None:
-        extensions_element = ET.SubElement(xml_request, "extensionsServerSettings")
-        if not isinstance(extensions_server.enabled, bool):
-            raise ValueError(f"Extensions Server missing enabled: {extensions_server}")
-        enabled_element = ET.SubElement(extensions_element, "extensionsGloballyEnabled")
-        enabled_element.text = str(extensions_server.enabled).lower()
-
-        if extensions_server.block_list is None:
-            return
-        for blocked in extensions_server.block_list:
-            blocked_element = ET.SubElement(extensions_element, "blockList")
-            blocked_element.text = blocked
-        return
-
-    @_tsrequest_wrapped
-    def update_site_extensions(self, xml_request: ET.Element, extensions_site_settings: ExtensionsSiteSettings) -> None:
-        ext_element = ET.SubElement(xml_request, "extensionsSiteSettings")
-        if not isinstance(extensions_site_settings.enabled, bool):
-            raise ValueError(f"Extensions Site Settings missing enabled: {extensions_site_settings}")
-        enabled_element = ET.SubElement(ext_element, "extensionsEnabled")
-        enabled_element.text = str(extensions_site_settings.enabled).lower()
-        if not isinstance(extensions_site_settings.use_default_setting, bool):
-            raise ValueError(
-                f"Extensions Site Settings missing use_default_setting: {extensions_site_settings.use_default_setting}"
-            )
-        default_element = ET.SubElement(ext_element, "useDefaultSetting")
-        default_element.text = str(extensions_site_settings.use_default_setting).lower()
-        if extensions_site_settings.allow_trusted is not None:
-            allow_trusted_element = ET.SubElement(ext_element, "allowTrusted")
-            allow_trusted_element.text = str(extensions_site_settings.allow_trusted).lower()
-        if extensions_site_settings.include_sandboxed is not None:
-            include_sandboxed_element = ET.SubElement(ext_element, "includeSandboxed")
-            include_sandboxed_element.text = str(extensions_site_settings.include_sandboxed).lower()
-        if extensions_site_settings.include_tableau_built is not None:
-            include_tableau_built_element = ET.SubElement(ext_element, "includeTableauBuilt")
-            include_tableau_built_element.text = str(extensions_site_settings.include_tableau_built).lower()
-        if extensions_site_settings.include_partner_built is not None:
-            include_partner_built_element = ET.SubElement(ext_element, "includePartnerBuilt")
-            include_partner_built_element.text = str(extensions_site_settings.include_partner_built).lower()
-
-        if extensions_site_settings.safe_list is None:
-            return
-
-        safe_element = ET.SubElement(ext_element, "safeList")
-        for safe in extensions_site_settings.safe_list:
-            if safe.url is not None:
-                url_element = ET.SubElement(safe_element, "url")
-                url_element.text = safe.url
-            if safe.full_data_allowed is not None:
-                full_data_element = ET.SubElement(safe_element, "fullDataAllowed")
-                full_data_element.text = str(safe.full_data_allowed).lower()
-            if safe.prompt_needed is not None:
-                prompt_element = ET.SubElement(safe_element, "promptNeeded")
-                prompt_element.text = str(safe.prompt_needed).lower()
-
-
 class RequestFactory:
     Auth = AuthRequest()
     Connection = Connection()
diff --git a/tableauserverclient/server/server.py b/tableauserverclient/server/server.py
@@ -39,7 +39,6 @@
     Tags,
     VirtualConnections,
     OIDC,
-    Extensions,
 )
 from tableauserverclient.server.exceptions import (
     ServerInfoEndpointNotFoundError,
@@ -186,7 +185,6 @@ def __init__(self, server_address, use_server_version=False, http_options=None,
         self.tags = Tags(self)
         self.virtual_connections = VirtualConnections(self)
         self.oidc = OIDC(self)
-        self.extensions = Extensions(self)
 
         self._session = self._session_factory()
         self._http_options = dict()  # must set this before making a server call
diff --git a/test/test_oidc.py b/test/test_oidc.py
@@ -1,8 +1,7 @@
+import unittest
 import requests_mock
 from pathlib import Path
 
-import pytest
-
 import tableauserverclient as TSC
 
 assets = Path(__file__).parent / "assets"
@@ -12,148 +11,143 @@
 OIDC_CREATE = assets / "oidc_create.xml"
 
 
-@pytest.fixture(scope="function")
-def server():
-    """Fixture to create a TSC.Server instance for testing."""
-    server = TSC.Server("http://test", False)
-
-    # Fake signin
-    server._site_id = "dad65087-b08b-4603-af4e-2887b8aafc67"
-    server._auth_token = "j80k54ll2lfMZ0tv97mlPvvSCRyD0DOM"
-    server.version = "3.24"
-
-    return server
-
-
-def test_oidc_get_by_id(server: TSC.Server) -> None:
-    luid = "6561daa3-20e8-407f-ba09-709b178c0b4a"
-    with requests_mock.mock() as m:
-        m.get(f"{server.oidc.baseurl}/{luid}", text=OIDC_GET.read_text())
-        oidc = server.oidc.get_by_id(luid)
-
-    assert oidc.enabled is True
-    assert (
-        oidc.test_login_url
-        == "https://sso.online.tableau.com/public/testLogin?alias=8a04d825-e5d4-408f-bbc2-1042b8bb4818&authSetting=OIDC&idpConfigurationId=78c985b4-5494-4436-bcee-f595e287ba4a"
-    )
-    assert oidc.known_provider_alias == "Google"
-    assert oidc.allow_embedded_authentication is False
-    assert oidc.use_full_name is False
-    assert oidc.idp_configuration_name == "GoogleOIDC"
-    assert oidc.idp_configuration_id == "78c985b4-5494-4436-bcee-f595e287ba4a"
-    assert oidc.client_id == "ICcGeDt3XHwzZ1D0nCZt"
-    assert oidc.client_secret == "omit"
-    assert oidc.authorization_endpoint == "https://myidp.com/oauth2/v1/authorize"
-    assert oidc.token_endpoint == "https://myidp.com/oauth2/v1/token"
-    assert oidc.userinfo_endpoint == "https://myidp.com/oauth2/v1/userinfo"
-    assert oidc.jwks_uri == "https://myidp.com/oauth2/v1/keys"
-    assert oidc.end_session_endpoint == "https://myidp.com/oauth2/v1/logout"
-    assert oidc.custom_scope == "openid, email, profile"
-    assert oidc.prompt == "login,consent"
-    assert oidc.client_authentication == "client_secret_basic"
-    assert oidc.essential_acr_values == "phr"
-    assert oidc.email_mapping == "email"
-    assert oidc.first_name_mapping == "given_name"
-    assert oidc.last_name_mapping == "family_name"
-    assert oidc.full_name_mapping == "name"
-
-
-def test_oidc_delete(server: TSC.Server) -> None:
-    luid = "6561daa3-20e8-407f-ba09-709b178c0b4a"
-    with requests_mock.mock() as m:
-        m.put(f"{server.baseurl}/sites/{server.site_id}/disable-site-oidc-configuration")
-        server.oidc.delete_configuration(luid)
-        history = m.request_history[0]
-
-    assert "idpconfigurationid" in history.qs
-    assert history.qs["idpconfigurationid"][0] == luid
-
-
-def test_oidc_update(server: TSC.Server) -> None:
-    luid = "6561daa3-20e8-407f-ba09-709b178c0b4a"
-    oidc = TSC.SiteOIDCConfiguration()
-    oidc.idp_configuration_id = luid
-
-    # Only include the required fields for updates
-    oidc.enabled = True
-    oidc.idp_configuration_name = "GoogleOIDC"
-    oidc.client_id = "ICcGeDt3XHwzZ1D0nCZt"
-    oidc.client_secret = "omit"
-    oidc.authorization_endpoint = "https://myidp.com/oauth2/v1/authorize"
-    oidc.token_endpoint = "https://myidp.com/oauth2/v1/token"
-    oidc.userinfo_endpoint = "https://myidp.com/oauth2/v1/userinfo"
-    oidc.jwks_uri = "https://myidp.com/oauth2/v1/keys"
-
-    with requests_mock.mock() as m:
-        m.put(f"{server.oidc.baseurl}/{luid}", text=OIDC_UPDATE.read_text())
-        oidc = server.oidc.update(oidc)
-
-    assert oidc.enabled is True
-    assert (
-        oidc.test_login_url
-        == "https://sso.online.tableau.com/public/testLogin?alias=8a04d825-e5d4-408f-bbc2-1042b8bb4818&authSetting=OIDC&idpConfigurationId=78c985b4-5494-4436-bcee-f595e287ba4a"
-    )
-    assert oidc.known_provider_alias == "Google"
-    assert oidc.allow_embedded_authentication is False
-    assert oidc.use_full_name is False
-    assert oidc.idp_configuration_name == "GoogleOIDC"
-    assert oidc.idp_configuration_id == "78c985b4-5494-4436-bcee-f595e287ba4a"
-    assert oidc.client_id == "ICcGeDt3XHwzZ1D0nCZt"
-    assert oidc.client_secret == "omit"
-    assert oidc.authorization_endpoint == "https://myidp.com/oauth2/v1/authorize"
-    assert oidc.token_endpoint == "https://myidp.com/oauth2/v1/token"
-    assert oidc.userinfo_endpoint == "https://myidp.com/oauth2/v1/userinfo"
-    assert oidc.jwks_uri == "https://myidp.com/oauth2/v1/keys"
-    assert oidc.end_session_endpoint == "https://myidp.com/oauth2/v1/logout"
-    assert oidc.custom_scope == "openid, email, profile"
-    assert oidc.prompt == "login,consent"
-    assert oidc.client_authentication == "client_secret_basic"
-    assert oidc.essential_acr_values == "phr"
-    assert oidc.email_mapping == "email"
-    assert oidc.first_name_mapping == "given_name"
-    assert oidc.last_name_mapping == "family_name"
-    assert oidc.full_name_mapping == "name"
-
-
-def test_oidc_create(server: TSC.Server) -> None:
-    oidc = TSC.SiteOIDCConfiguration()
-
-    # Only include the required fields for creation
-    oidc.enabled = True
-    oidc.idp_configuration_name = "GoogleOIDC"
-    oidc.client_id = "ICcGeDt3XHwzZ1D0nCZt"
-    oidc.client_secret = "omit"
-    oidc.authorization_endpoint = "https://myidp.com/oauth2/v1/authorize"
-    oidc.token_endpoint = "https://myidp.com/oauth2/v1/token"
-    oidc.userinfo_endpoint = "https://myidp.com/oauth2/v1/userinfo"
-    oidc.jwks_uri = "https://myidp.com/oauth2/v1/keys"
-
-    with requests_mock.mock() as m:
-        m.put(server.oidc.baseurl, text=OIDC_CREATE.read_text())
-        oidc = server.oidc.create(oidc)
-
-    assert oidc.enabled is True
-    assert (
-        oidc.test_login_url
-        == "https://sso.online.tableau.com/public/testLogin?alias=8a04d825-e5d4-408f-bbc2-1042b8bb4818&authSetting=OIDC&idpConfigurationId=78c985b4-5494-4436-bcee-f595e287ba4a"
-    )
-    assert oidc.known_provider_alias == "Google"
-    assert oidc.allow_embedded_authentication is False
-    assert oidc.use_full_name is False
-    assert oidc.idp_configuration_name == "GoogleOIDC"
-    assert oidc.idp_configuration_id == "78c985b4-5494-4436-bcee-f595e287ba4a"
-    assert oidc.client_id == "ICcGeDt3XHwzZ1D0nCZt"
-    assert oidc.client_secret == "omit"
-    assert oidc.authorization_endpoint == "https://myidp.com/oauth2/v1/authorize"
-    assert oidc.token_endpoint == "https://myidp.com/oauth2/v1/token"
-    assert oidc.userinfo_endpoint == "https://myidp.com/oauth2/v1/userinfo"
-    assert oidc.jwks_uri == "https://myidp.com/oauth2/v1/keys"
-    assert oidc.end_session_endpoint == "https://myidp.com/oauth2/v1/logout"
-    assert oidc.custom_scope == "openid, email, profile"
-    assert oidc.prompt == "login,consent"
-    assert oidc.client_authentication == "client_secret_basic"
-    assert oidc.essential_acr_values == "phr"
-    assert oidc.email_mapping == "email"
-    assert oidc.first_name_mapping == "given_name"
-    assert oidc.last_name_mapping == "family_name"
-    assert oidc.full_name_mapping == "name"
+class Testoidc(unittest.TestCase):
+    def setUp(self) -> None:
+        self.server = TSC.Server("http://test", False)
+
+        # Fake signin
+        self.server._site_id = "dad65087-b08b-4603-af4e-2887b8aafc67"
+        self.server._auth_token = "j80k54ll2lfMZ0tv97mlPvvSCRyD0DOM"
+        self.server.version = "3.24"
+
+        self.baseurl = self.server.oidc.baseurl
+
+    def test_oidc_get_by_id(self) -> None:
+        luid = "6561daa3-20e8-407f-ba09-709b178c0b4a"
+        with requests_mock.mock() as m:
+            m.get(f"{self.baseurl}/{luid}", text=OIDC_GET.read_text())
+            oidc = self.server.oidc.get_by_id(luid)
+
+        assert oidc.enabled is True
+        assert (
+            oidc.test_login_url
+            == "https://sso.online.tableau.com/public/testLogin?alias=8a04d825-e5d4-408f-bbc2-1042b8bb4818&authSetting=OIDC&idpConfigurationId=78c985b4-5494-4436-bcee-f595e287ba4a"
+        )
+        assert oidc.known_provider_alias == "Google"
+        assert oidc.allow_embedded_authentication is False
+        assert oidc.use_full_name is False
+        assert oidc.idp_configuration_name == "GoogleOIDC"
+        assert oidc.idp_configuration_id == "78c985b4-5494-4436-bcee-f595e287ba4a"
+        assert oidc.client_id == "ICcGeDt3XHwzZ1D0nCZt"
+        assert oidc.client_secret == "omit"
+        assert oidc.authorization_endpoint == "https://myidp.com/oauth2/v1/authorize"
+        assert oidc.token_endpoint == "https://myidp.com/oauth2/v1/token"
+        assert oidc.userinfo_endpoint == "https://myidp.com/oauth2/v1/userinfo"
+        assert oidc.jwks_uri == "https://myidp.com/oauth2/v1/keys"
+        assert oidc.end_session_endpoint == "https://myidp.com/oauth2/v1/logout"
+        assert oidc.custom_scope == "openid, email, profile"
+        assert oidc.prompt == "login,consent"
+        assert oidc.client_authentication == "client_secret_basic"
+        assert oidc.essential_acr_values == "phr"
+        assert oidc.email_mapping == "email"
+        assert oidc.first_name_mapping == "given_name"
+        assert oidc.last_name_mapping == "family_name"
+        assert oidc.full_name_mapping == "name"
+
+    def test_oidc_delete(self) -> None:
+        luid = "6561daa3-20e8-407f-ba09-709b178c0b4a"
+        with requests_mock.mock() as m:
+            m.put(f"{self.server.baseurl}/sites/{self.server.site_id}/disable-site-oidc-configuration")
+            self.server.oidc.delete_configuration(luid)
+            history = m.request_history[0]
+
+        assert "idpconfigurationid" in history.qs
+        assert history.qs["idpconfigurationid"][0] == luid
+
+    def test_oidc_update(self) -> None:
+        luid = "6561daa3-20e8-407f-ba09-709b178c0b4a"
+        oidc = TSC.SiteOIDCConfiguration()
+        oidc.idp_configuration_id = luid
+
+        # Only include the required fields for updates
+        oidc.enabled = True
+        oidc.idp_configuration_name = "GoogleOIDC"
+        oidc.client_id = "ICcGeDt3XHwzZ1D0nCZt"
+        oidc.client_secret = "omit"
+        oidc.authorization_endpoint = "https://myidp.com/oauth2/v1/authorize"
+        oidc.token_endpoint = "https://myidp.com/oauth2/v1/token"
+        oidc.userinfo_endpoint = "https://myidp.com/oauth2/v1/userinfo"
+        oidc.jwks_uri = "https://myidp.com/oauth2/v1/keys"
+
+        with requests_mock.mock() as m:
+            m.put(f"{self.baseurl}/{luid}", text=OIDC_UPDATE.read_text())
+            oidc = self.server.oidc.update(oidc)
+
+        assert oidc.enabled is True
+        assert (
+            oidc.test_login_url
+            == "https://sso.online.tableau.com/public/testLogin?alias=8a04d825-e5d4-408f-bbc2-1042b8bb4818&authSetting=OIDC&idpConfigurationId=78c985b4-5494-4436-bcee-f595e287ba4a"
+        )
+        assert oidc.known_provider_alias == "Google"
+        assert oidc.allow_embedded_authentication is False
+        assert oidc.use_full_name is False
+        assert oidc.idp_configuration_name == "GoogleOIDC"
+        assert oidc.idp_configuration_id == "78c985b4-5494-4436-bcee-f595e287ba4a"
+        assert oidc.client_id == "ICcGeDt3XHwzZ1D0nCZt"
+        assert oidc.client_secret == "omit"
+        assert oidc.authorization_endpoint == "https://myidp.com/oauth2/v1/authorize"
+        assert oidc.token_endpoint == "https://myidp.com/oauth2/v1/token"
+        assert oidc.userinfo_endpoint == "https://myidp.com/oauth2/v1/userinfo"
+        assert oidc.jwks_uri == "https://myidp.com/oauth2/v1/keys"
+        assert oidc.end_session_endpoint == "https://myidp.com/oauth2/v1/logout"
+        assert oidc.custom_scope == "openid, email, profile"
+        assert oidc.prompt == "login,consent"
+        assert oidc.client_authentication == "client_secret_basic"
+        assert oidc.essential_acr_values == "phr"
+        assert oidc.email_mapping == "email"
+        assert oidc.first_name_mapping == "given_name"
+        assert oidc.last_name_mapping == "family_name"
+        assert oidc.full_name_mapping == "name"
+
+    def test_oidc_create(self) -> None:
+        oidc = TSC.SiteOIDCConfiguration()
+
+        # Only include the required fields for creation
+        oidc.enabled = True
+        oidc.idp_configuration_name = "GoogleOIDC"
+        oidc.client_id = "ICcGeDt3XHwzZ1D0nCZt"
+        oidc.client_secret = "omit"
+        oidc.authorization_endpoint = "https://myidp.com/oauth2/v1/authorize"
+        oidc.token_endpoint = "https://myidp.com/oauth2/v1/token"
+        oidc.userinfo_endpoint = "https://myidp.com/oauth2/v1/userinfo"
+        oidc.jwks_uri = "https://myidp.com/oauth2/v1/keys"
+
+        with requests_mock.mock() as m:
+            m.put(self.baseurl, text=OIDC_CREATE.read_text())
+            oidc = self.server.oidc.create(oidc)
+
+        assert oidc.enabled is True
+        assert (
+            oidc.test_login_url
+            == "https://sso.online.tableau.com/public/testLogin?alias=8a04d825-e5d4-408f-bbc2-1042b8bb4818&authSetting=OIDC&idpConfigurationId=78c985b4-5494-4436-bcee-f595e287ba4a"
+        )
+        assert oidc.known_provider_alias == "Google"
+        assert oidc.allow_embedded_authentication is False
+        assert oidc.use_full_name is False
+        assert oidc.idp_configuration_name == "GoogleOIDC"
+        assert oidc.idp_configuration_id == "78c985b4-5494-4436-bcee-f595e287ba4a"
+        assert oidc.client_id == "ICcGeDt3XHwzZ1D0nCZt"
+        assert oidc.client_secret == "omit"
+        assert oidc.authorization_endpoint == "https://myidp.com/oauth2/v1/authorize"
+        assert oidc.token_endpoint == "https://myidp.com/oauth2/v1/token"
+        assert oidc.userinfo_endpoint == "https://myidp.com/oauth2/v1/userinfo"
+        assert oidc.jwks_uri == "https://myidp.com/oauth2/v1/keys"
+        assert oidc.end_session_endpoint == "https://myidp.com/oauth2/v1/logout"
+        assert oidc.custom_scope == "openid, email, profile"
+        assert oidc.prompt == "login,consent"
+        assert oidc.client_authentication == "client_secret_basic"
+        assert oidc.essential_acr_values == "phr"
+        assert oidc.email_mapping == "email"
+        assert oidc.first_name_mapping == "given_name"
+        assert oidc.last_name_mapping == "family_name"
+        assert oidc.full_name_mapping == "name"
