modkit_auth/

dispatcher.rs

use crate::{
    auth_mode::PluginRegistry,
    claims::Claims,
    claims_error::ClaimsError,
    config::AuthConfig,
    config_error::ConfigError,
    errors::AuthError,
    plugin_traits::{ClaimsPlugin, IntrospectionProvider, KeyProvider},
    traits::TokenValidator,
    validation::{ValidationConfig, validate_claims},
};
use async_trait::async_trait;
use std::sync::Arc;
use uuid::Uuid;

/// Truncate UUID to first 8 characters for safe logging
fn truncate_uuid(uuid: &Uuid) -> String {
    let s = uuid.to_string();
    s.chars().take(8).collect()
}

/// Central dispatcher for JWT and opaque token validation
///
/// Orchestrates key providers and claims plugins to validate tokens
/// using a single configured plugin.
#[must_use]
pub struct AuthDispatcher {
    /// Registered key providers (JWKS, etc.)
    key_providers: Vec<Arc<dyn KeyProvider>>,

    /// Registered introspection providers (for opaque tokens)
    introspection_providers: Vec<Arc<dyn IntrospectionProvider>>,

    /// The authentication plugin to use for claims normalization
    plugin: Arc<dyn ClaimsPlugin>,

    /// Common validation configuration
    validation_config: ValidationConfig,
}

impl AuthDispatcher {
    /// Create a new dispatcher with validation config and plugin.
    ///
    /// # Errors
    /// Returns `ConfigError::UnknownPlugin` if the configured provider is not in the registry.
    pub fn new(
        validation_config: ValidationConfig,
        config: &AuthConfig,
        registry: &PluginRegistry,
    ) -> Result<Self, ConfigError> {
        // Get the configured plugin
        let plugin = registry.get(&config.mode.provider)?.clone();

        Ok(Self {
            key_providers: Vec::new(),
            introspection_providers: Vec::new(),
            plugin,
            validation_config,
        })
    }

    /// Add a key provider
    pub fn with_key_provider(mut self, provider: Arc<dyn KeyProvider>) -> Self {
        self.key_providers.push(provider);
        self
    }

    /// Add an introspection provider
    pub fn with_introspection_provider(mut self, provider: Arc<dyn IntrospectionProvider>) -> Self {
        self.introspection_providers.push(provider);
        self
    }

    /// Try to validate and decode JWT with key providers
    async fn try_validate_with_providers(
        &self,
        token: &str,
    ) -> Result<(jsonwebtoken::Header, serde_json::Value), ClaimsError> {
        let mut last_error = None;
        let mut result = None;

        for provider in &self.key_providers {
            match provider.validate_and_decode(token).await {
                Ok(r) => {
                    tracing::debug!(
                        provider = provider.name(),
                        kid = ?r.0.kid,
                        "Successfully validated token signature"
                    );
                    result = Some(r);
                    break;
                }
                Err(e) => {
                    tracing::debug!(
                        provider = provider.name(),
                        error = %e,
                        "Provider failed to validate token"
                    );
                    last_error = Some(e);
                }
            }
        }

        result.ok_or_else(|| last_error.unwrap_or(ClaimsError::NoMatchingProvider))
    }

    /// Extract issuer from raw claims or introspection result
    fn extract_issuer_from_claims(raw_claims: &serde_json::Value) -> Result<&str, ClaimsError> {
        raw_claims
            .get("iss")
            .and_then(|v| v.as_str())
            .ok_or_else(|| ClaimsError::Malformed("missing iss claim".into()))
    }

    /// Normalize claims using the configured plugin
    fn normalize_claims_with_logging(
        &self,
        raw_claims: &serde_json::Value,
        issuer: &str,
    ) -> Result<Claims, ClaimsError> {
        let plugin = &self.plugin;

        tracing::debug!(
            plugin = plugin.name(),
            issuer = issuer,
            "Using configured plugin"
        );

        plugin.normalize(raw_claims).map_err(|e| {
            tracing::error!(
                plugin = plugin.name(),
                error = %e,
                issuer = issuer,
                "Failed to normalize claims"
            );
            e
        })
    }

    /// Validate claims and log errors
    fn validate_claims_with_logging(
        claims: &Claims,
        validation_config: &ValidationConfig,
    ) -> Result<(), ClaimsError> {
        validate_claims(claims, validation_config).map_err(|e| {
            tracing::warn!(
                error = %e,
                sub_prefix = %truncate_uuid(&claims.subject),
                issuer = %claims.issuer,
                "Common validation failed"
            );
            e
        })
    }

    /// Log successful JWT validation
    fn log_jwt_success(claims: &Claims, plugin_name: &str, kid: Option<&String>) {
        tracing::debug!(
            sub_prefix = %truncate_uuid(&claims.subject),
            issuer = %claims.issuer,
            plugin = plugin_name,
            kid = ?kid,
            num_permissions = claims.permissions.len(),
            tenant_id = %claims.tenant_id,
            "Token validation successful"
        );
    }

    /// Validate a JWT token.
    ///
    /// Workflow:
    /// 1. Try each `KeyProvider` until one successfully validates the signature
    /// 2. Extract issuer from token
    /// 3. Use the configured plugin to normalize claims
    /// 4. Run common validation (issuer, audience, exp, nbf, UUIDs)
    /// 5. Return normalized claims
    ///
    /// # Errors
    /// Returns `ClaimsError` if signature validation, claim normalization, or validation fails.
    pub async fn validate_jwt(&self, token: &str) -> Result<Claims, ClaimsError> {
        // Step 1: Try to validate signature with each key provider
        let (header, raw_claims) = self.try_validate_with_providers(token).await?;

        // Step 2: Extract issuer for logging
        let issuer = Self::extract_issuer_from_claims(&raw_claims)?;

        // Step 3: Normalize claims using the configured plugin
        let normalized = self.normalize_claims_with_logging(&raw_claims, issuer)?;

        // Step 4: Run common validation
        Self::validate_claims_with_logging(&normalized, &self.validation_config)?;

        // Step 5: Log success and return
        Self::log_jwt_success(&normalized, self.plugin.name(), header.kid.as_ref());

        Ok(normalized)
    }

    /// Try to introspect a token with each provider until one succeeds
    async fn try_introspect_with_providers(
        &self,
        token: &str,
    ) -> Result<serde_json::Value, ClaimsError> {
        let mut last_error = None;
        let mut result = None;

        for provider in &self.introspection_providers {
            match provider.introspect(token).await {
                Ok(r) => {
                    tracing::debug!(
                        provider = provider.name(),
                        "Successfully introspected token"
                    );
                    result = Some(r);
                    break;
                }
                Err(e) => {
                    tracing::debug!(
                        provider = provider.name(),
                        error = %e,
                        "Provider failed to introspect token"
                    );
                    last_error = Some(e);
                }
            }
        }

        result.ok_or_else(|| {
            last_error.unwrap_or_else(|| {
                ClaimsError::Provider("No introspection provider available".into())
            })
        })
    }

    /// Verify that an introspection response indicates an active token
    fn verify_token_active(introspection_result: &serde_json::Value) -> Result<(), ClaimsError> {
        if let Some(active) = introspection_result
            .get("active")
            .and_then(serde_json::Value::as_bool)
            && !active
        {
            return Err(ClaimsError::IntrospectionDenied);
        }
        Ok(())
    }

    /// Normalize claims with error logging (for opaque tokens)
    fn normalize_with_logging(
        &self,
        introspection_result: &serde_json::Value,
        issuer: &str,
    ) -> Result<Claims, ClaimsError> {
        self.plugin.normalize(introspection_result).map_err(|e| {
            tracing::error!(
                plugin = self.plugin.name(),
                error = %e,
                issuer = issuer,
                "Failed to normalize introspection response"
            );
            e
        })
    }

    /// Validate claims with error logging
    fn validate_and_log(claims: &Claims, config: &ValidationConfig) -> Result<(), ClaimsError> {
        validate_claims(claims, config).map_err(|e| {
            tracing::warn!(
                error = %e,
                sub_prefix = %truncate_uuid(&claims.subject),
                issuer = %claims.issuer,
                "Common validation failed"
            );
            e
        })
    }

    /// Log successful validation
    fn log_validation_success(claims: &Claims, plugin_name: &str) {
        tracing::debug!(
            sub_prefix = %truncate_uuid(&claims.subject),
            issuer = %claims.issuer,
            plugin = plugin_name,
            num_permissions = claims.permissions.len(),
            tenant_id = %claims.tenant_id,
            "Opaque token validation successful"
        );
    }

    /// Validate an opaque token via introspection
    ///
    /// Workflow:
    /// 1. Try each `IntrospectionProvider` until one succeeds
    /// 2. Extract issuer from introspection response
    /// 3. Use the configured plugin to normalize claims
    /// 4. Run common validation
    /// 5. Return normalized claims
    ///
    /// # Errors
    /// Returns `ClaimsError` if introspection, claim normalization, or validation fails.
    pub async fn validate_opaque(&self, token: &str) -> Result<Claims, ClaimsError> {
        // Step 1: Try to introspect with each provider
        let introspection_result = self.try_introspect_with_providers(token).await?;

        // Step 2: Check if token is active
        Self::verify_token_active(&introspection_result)?;

        // Step 3: Extract issuer for logging
        let issuer = Self::extract_issuer_from_claims(&introspection_result)?;

        // Step 4: Log plugin usage
        tracing::debug!(
            plugin = self.plugin.name(),
            issuer = issuer,
            "Using configured plugin for introspection"
        );

        // Step 5: Normalize claims
        let normalized = self.normalize_with_logging(&introspection_result, issuer)?;

        // Step 6: Run common validation
        Self::validate_and_log(&normalized, &self.validation_config)?;

        // Step 7: Log success
        Self::log_validation_success(&normalized, self.plugin.name());

        Ok(normalized)
    }

    /// Get validation config (for inspection/testing)
    #[must_use]
    pub fn validation_config(&self) -> &ValidationConfig {
        &self.validation_config
    }

    /// Get the configured authentication plugin (for inspection/testing)
    #[must_use]
    pub fn plugin(&self) -> &Arc<dyn ClaimsPlugin> {
        &self.plugin
    }

    /// Trigger key refresh for all key providers.
    ///
    /// # Errors
    /// Returns a vector of `ClaimsError` if any provider fails to refresh keys.
    pub async fn refresh_keys(&self) -> Result<(), Vec<ClaimsError>> {
        let mut errors = Vec::new();

        for provider in &self.key_providers {
            if let Err(e) = provider.refresh_keys().await {
                tracing::warn!(
                    provider = provider.name(),
                    error = %e,
                    "Key refresh failed"
                );
                errors.push(e);
            }
        }

        if errors.is_empty() {
            Ok(())
        } else {
            Err(errors)
        }
    }
}

/// Implement `TokenValidator` trait for `AuthDispatcher`
#[async_trait]
impl TokenValidator for AuthDispatcher {
    async fn validate_and_parse(&self, token: &str) -> Result<Claims, AuthError> {
        // All JWT validation errors should result in 401 Unauthenticated
        self.validate_jwt(token)
            .await
            .map_err(|_| AuthError::Unauthenticated)
    }
}

#[cfg(test)]
#[cfg_attr(coverage_nightly, coverage(off))]
mod tests {
    use super::*;
    use crate::auth_mode::AuthModeConfig;
    use crate::config::PluginConfig;
    use serde_json::json;
    use std::collections::HashMap;

    #[test]
    fn test_dispatcher_creation() {
        let mut plugins = HashMap::new();
        plugins.insert(
            "oidc".to_owned(),
            PluginConfig::Oidc {
                tenant_claim: "tenants".to_owned(),
                roles_claim: "roles".to_owned(),
            },
        );

        let config = AuthConfig {
            mode: AuthModeConfig {
                provider: "oidc".to_owned(),
            },
            plugins,
            ..Default::default()
        };

        // This would need a real plugin in registry to work
        // Just testing that the structure compiles
        let _ = &config;
    }

    // ===== Test Mocks =====

    /// Mock `KeyProvider` for testing
    struct MockKeyProvider {
        name: String,
        response: Option<(jsonwebtoken::Header, serde_json::Value)>,
        error_msg: Option<String>,
    }

    impl MockKeyProvider {
        fn success(header: jsonwebtoken::Header, claims: serde_json::Value) -> Self {
            Self {
                name: "mock-key-provider".to_owned(),
                response: Some((header, claims)),
                error_msg: None,
            }
        }

        fn failure(error_msg: String) -> Self {
            Self {
                name: "mock-key-provider".to_owned(),
                response: None,
                error_msg: Some(error_msg),
            }
        }
    }

    #[async_trait::async_trait]
    impl KeyProvider for MockKeyProvider {
        fn name(&self) -> &str {
            &self.name
        }

        async fn validate_and_decode(
            &self,
            _token: &str,
        ) -> Result<(jsonwebtoken::Header, serde_json::Value), ClaimsError> {
            if let Some(msg) = &self.error_msg {
                Err(ClaimsError::Provider(msg.clone()))
            } else {
                Ok(self.response.clone().unwrap())
            }
        }

        async fn refresh_keys(&self) -> Result<(), ClaimsError> {
            Ok(())
        }
    }

    /// Mock `IntrospectionProvider` for testing
    struct MockIntrospectionProvider {
        response: Option<serde_json::Value>,
        error_msg: Option<String>,
        name: String,
    }

    impl MockIntrospectionProvider {
        fn success(response: serde_json::Value) -> Self {
            Self {
                response: Some(response),
                error_msg: None,
                name: "mock-introspection".to_owned(),
            }
        }

        fn failure(error_msg: String) -> Self {
            Self {
                response: None,
                error_msg: Some(error_msg),
                name: "mock-introspection".to_owned(),
            }
        }
    }

    #[async_trait::async_trait]
    impl IntrospectionProvider for MockIntrospectionProvider {
        fn name(&self) -> &str {
            &self.name
        }

        async fn introspect(&self, _token: &str) -> Result<serde_json::Value, ClaimsError> {
            if let Some(msg) = &self.error_msg {
                Err(ClaimsError::Provider(msg.clone()))
            } else {
                Ok(self.response.clone().unwrap())
            }
        }
    }

    /// Mock `ClaimsPlugin` for testing
    struct MockClaimsPlugin {
        name: String,
        normalized: Option<Claims>,
        error_msg: Option<String>,
    }

    impl MockClaimsPlugin {
        fn success(normalized: Claims) -> Self {
            Self {
                name: "mock-plugin".to_owned(),
                normalized: Some(normalized),
                error_msg: None,
            }
        }

        fn failure(error_msg: String) -> Self {
            Self {
                name: "mock-plugin".to_owned(),
                normalized: None,
                error_msg: Some(error_msg),
            }
        }
    }

    impl ClaimsPlugin for MockClaimsPlugin {
        fn name(&self) -> &str {
            &self.name
        }

        fn normalize(&self, _raw: &serde_json::Value) -> Result<Claims, ClaimsError> {
            if let Some(msg) = &self.error_msg {
                Err(ClaimsError::Malformed(msg.clone()))
            } else {
                Ok(self.normalized.clone().unwrap())
            }
        }
    }

    /// Helper to create test claims
    fn test_claims() -> Claims {
        Claims {
            issuer: "https://test.example.com".to_owned(),
            subject: Uuid::new_v4(),
            audiences: vec!["test-api".to_owned()],
            expires_at: Some(time::OffsetDateTime::now_utc() + time::Duration::hours(1)),
            not_before: None,
            issued_at: None,
            jwt_id: None,
            tenant_id: Uuid::new_v4(),
            permissions: vec![],
            extras: serde_json::Map::new(),
        }
    }

    // ===== Tests for validate_jwt =====

    #[tokio::test]
    async fn test_validate_jwt_success() {
        // Given: A dispatcher with mock key provider and plugin
        let claims = test_claims();
        let raw_claims = json!({
            "iss": claims.issuer.clone(),
            "sub": claims.subject.to_string(),
            "aud": claims.audiences.clone(),
            "exp": claims.expires_at.unwrap().unix_timestamp()
        });

        let header = jsonwebtoken::Header::default();
        let key_provider = Arc::new(MockKeyProvider::success(header.clone(), raw_claims));
        let plugin = Arc::new(MockClaimsPlugin::success(claims.clone()));

        let validation_config = ValidationConfig {
            allowed_issuers: vec!["https://test.example.com".to_owned()],
            allowed_audiences: vec!["test-api".to_owned()],
            leeway_seconds: 60,
            require_uuid_subject: true,
            require_uuid_tenants: true,
        };

        let dispatcher = AuthDispatcher {
            key_providers: vec![key_provider],
            introspection_providers: Vec::new(),
            plugin,
            validation_config,
        };

        // When: We validate a JWT token
        let result = dispatcher.validate_jwt("test-token").await;

        // Then: Validation succeeds
        assert!(result.is_ok());
        let normalized = result.unwrap();
        assert_eq!(normalized.issuer, claims.issuer);
    }

    #[tokio::test]
    async fn test_validate_jwt_no_matching_provider() {
        // Given: A dispatcher with no key providers
        let plugin = Arc::new(MockClaimsPlugin::success(test_claims()));
        let validation_config = ValidationConfig::default();

        let dispatcher = AuthDispatcher {
            key_providers: Vec::new(),
            introspection_providers: Vec::new(),
            plugin,
            validation_config,
        };

        // When: We validate a JWT token
        let result = dispatcher.validate_jwt("test-token").await;

        // Then: Validation fails with NoMatchingProvider
        assert!(result.is_err());
        assert!(matches!(
            result.unwrap_err(),
            ClaimsError::NoMatchingProvider
        ));
    }

    #[tokio::test]
    async fn test_validate_jwt_provider_failure_fallback() {
        // Given: Two providers, first fails, second succeeds
        let claims = test_claims();
        let raw_claims = json!({
            "iss": claims.issuer.clone(),
            "sub": claims.subject.to_string(),
            "aud": claims.audiences.clone(),
            "exp": claims.expires_at.unwrap().unix_timestamp()
        });

        let failing_provider =
            Arc::new(MockKeyProvider::failure("First provider failed".to_owned()));
        let header = jsonwebtoken::Header::default();
        let success_provider = Arc::new(MockKeyProvider::success(header, raw_claims));
        let plugin = Arc::new(MockClaimsPlugin::success(claims.clone()));

        let validation_config = ValidationConfig {
            allowed_issuers: vec!["https://test.example.com".to_owned()],
            allowed_audiences: vec!["test-api".to_owned()],
            leeway_seconds: 60,
            require_uuid_subject: true,
            require_uuid_tenants: true,
        };

        let dispatcher = AuthDispatcher {
            key_providers: vec![failing_provider, success_provider],
            introspection_providers: Vec::new(),
            plugin,
            validation_config,
        };

        // When: We validate the token
        let result = dispatcher.validate_jwt("test-token").await;

        // Then: Validation succeeds with second provider
        assert!(result.is_ok());
        let normalized = result.unwrap();
        assert_eq!(normalized.issuer, claims.issuer);
    }

    #[tokio::test]
    async fn test_validate_jwt_missing_issuer() {
        // Given: Raw claims without issuer
        let raw_claims = json!({
            "sub": "user-123"
        });

        let header = jsonwebtoken::Header::default();
        let key_provider = Arc::new(MockKeyProvider::success(header, raw_claims));
        let plugin = Arc::new(MockClaimsPlugin::success(test_claims()));

        let validation_config = ValidationConfig::default();

        let dispatcher = AuthDispatcher {
            key_providers: vec![key_provider],
            introspection_providers: Vec::new(),
            plugin,
            validation_config,
        };

        // When: We validate the token
        let result = dispatcher.validate_jwt("test-token").await;

        // Then: Validation fails with Malformed
        assert!(result.is_err());
        assert!(matches!(result.unwrap_err(), ClaimsError::Malformed(_)));
    }

    #[tokio::test]
    async fn test_validate_jwt_normalization_failure() {
        // Given: A plugin that fails normalization
        let raw_claims = json!({
            "iss": "https://test.example.com",
            "sub": "user-123"
        });

        let header = jsonwebtoken::Header::default();
        let key_provider = Arc::new(MockKeyProvider::success(header, raw_claims));
        let plugin = Arc::new(MockClaimsPlugin::failure("Normalization failed".to_owned()));

        let validation_config = ValidationConfig::default();

        let dispatcher = AuthDispatcher {
            key_providers: vec![key_provider],
            introspection_providers: Vec::new(),
            plugin,
            validation_config,
        };

        // When: We validate the token
        let result = dispatcher.validate_jwt("test-token").await;

        // Then: Validation fails with normalization error
        assert!(result.is_err());
        assert!(matches!(result.unwrap_err(), ClaimsError::Malformed(_)));
    }

    #[tokio::test]
    async fn test_validate_jwt_validation_failure() {
        // Given: Claims that fail common validation (wrong issuer)
        let mut claims = test_claims();
        claims.issuer = "https://wrong.example.com".to_owned();

        let raw_claims = json!({
            "iss": "https://wrong.example.com",
            "sub": claims.subject.to_string(),
            "aud": claims.audiences.clone(),
            "exp": claims.expires_at.unwrap().unix_timestamp()
        });

        let header = jsonwebtoken::Header::default();
        let key_provider = Arc::new(MockKeyProvider::success(header, raw_claims));
        let plugin = Arc::new(MockClaimsPlugin::success(claims));

        let validation_config = ValidationConfig {
            allowed_issuers: vec!["https://test.example.com".to_owned()],
            allowed_audiences: vec!["test-api".to_owned()],
            leeway_seconds: 60,
            require_uuid_subject: true,
            require_uuid_tenants: true,
        };

        let dispatcher = AuthDispatcher {
            key_providers: vec![key_provider],
            introspection_providers: Vec::new(),
            plugin,
            validation_config,
        };

        // When: We validate the token
        let result = dispatcher.validate_jwt("test-token").await;

        // Then: Validation fails with InvalidIssuer
        assert!(result.is_err());
        assert!(matches!(
            result.unwrap_err(),
            ClaimsError::InvalidIssuer { .. }
        ));
    }

    // ===== Regression Tests for validate_opaque =====

    #[tokio::test]
    async fn test_validate_opaque_success() {
        // Given: A dispatcher with mock provider and plugin
        let introspection_response = json!({
            "active": true,
            "iss": "https://test.example.com",
            "sub": "user-123"
        });

        let claims = test_claims();
        let provider = Arc::new(MockIntrospectionProvider::success(introspection_response));
        let plugin = Arc::new(MockClaimsPlugin::success(claims.clone()));

        let validation_config = ValidationConfig {
            allowed_issuers: vec!["https://test.example.com".to_owned()],
            allowed_audiences: vec!["test-api".to_owned()],
            leeway_seconds: 60,
            require_uuid_subject: true,
            require_uuid_tenants: true,
        };

        let dispatcher = AuthDispatcher {
            key_providers: Vec::new(),
            introspection_providers: vec![provider],
            plugin,
            validation_config,
        };

        // When: We validate an opaque token
        let result = dispatcher.validate_opaque("test-token").await;

        // Then: Validation succeeds
        assert!(result.is_ok());
        let normalized = result.unwrap();
        assert_eq!(normalized.issuer, claims.issuer);
    }

    #[tokio::test]
    async fn test_validate_opaque_inactive_token() {
        // Given: A response with active=false
        let introspection_response = json!({
            "active": false,
            "iss": "https://test.example.com"
        });

        let provider = Arc::new(MockIntrospectionProvider::success(introspection_response));
        let plugin = Arc::new(MockClaimsPlugin::success(test_claims()));

        let validation_config = ValidationConfig {
            allowed_issuers: vec!["https://test.example.com".to_owned()],
            allowed_audiences: vec!["test-api".to_owned()],
            leeway_seconds: 60,
            require_uuid_subject: true,
            require_uuid_tenants: true,
        };

        let dispatcher = AuthDispatcher {
            key_providers: Vec::new(),
            introspection_providers: vec![provider],
            plugin,
            validation_config,
        };

        // When: We validate the token
        let result = dispatcher.validate_opaque("test-token").await;

        // Then: Validation fails with IntrospectionDenied
        assert!(result.is_err());
        assert!(matches!(
            result.unwrap_err(),
            ClaimsError::IntrospectionDenied
        ));
    }

    #[tokio::test]
    async fn test_validate_opaque_missing_issuer() {
        // Given: A response without issuer
        let introspection_response = json!({
            "active": true,
            "sub": "user-123"
        });

        let provider = Arc::new(MockIntrospectionProvider::success(introspection_response));
        let plugin = Arc::new(MockClaimsPlugin::success(test_claims()));

        let validation_config = ValidationConfig::default();

        let dispatcher = AuthDispatcher {
            key_providers: Vec::new(),
            introspection_providers: vec![provider],
            plugin,
            validation_config,
        };

        // When: We validate the token
        let result = dispatcher.validate_opaque("test-token").await;

        // Then: Validation fails with Malformed
        assert!(result.is_err());
        assert!(matches!(result.unwrap_err(), ClaimsError::Malformed(_)));
    }

    #[tokio::test]
    async fn test_validate_opaque_provider_failure() {
        // Given: A provider that fails
        let provider = Arc::new(MockIntrospectionProvider::failure(
            "Provider error".to_owned(),
        ));
        let plugin = Arc::new(MockClaimsPlugin::success(test_claims()));

        let validation_config = ValidationConfig::default();

        let dispatcher = AuthDispatcher {
            key_providers: Vec::new(),
            introspection_providers: vec![provider],
            plugin,
            validation_config,
        };

        // When: We validate the token
        let result = dispatcher.validate_opaque("test-token").await;

        // Then: Validation fails with Provider error
        assert!(result.is_err());
        assert!(matches!(result.unwrap_err(), ClaimsError::Provider(_)));
    }

    #[tokio::test]
    async fn test_validate_opaque_no_providers() {
        // Given: A dispatcher with no providers
        let plugin = Arc::new(MockClaimsPlugin::success(test_claims()));
        let validation_config = ValidationConfig::default();

        let dispatcher = AuthDispatcher {
            key_providers: Vec::new(),
            introspection_providers: Vec::new(),
            plugin,
            validation_config,
        };

        // When: We validate the token
        let result = dispatcher.validate_opaque("test-token").await;

        // Then: Validation fails
        assert!(result.is_err());
    }

    #[tokio::test]
    async fn test_validate_opaque_normalization_failure() {
        // Given: A plugin that fails normalization
        let introspection_response = json!({
            "active": true,
            "iss": "https://test.example.com",
            "sub": "user-123"
        });

        let provider = Arc::new(MockIntrospectionProvider::success(introspection_response));
        let plugin = Arc::new(MockClaimsPlugin::failure("Normalization failed".to_owned()));

        let validation_config = ValidationConfig::default();

        let dispatcher = AuthDispatcher {
            key_providers: Vec::new(),
            introspection_providers: vec![provider],
            plugin,
            validation_config,
        };

        // When: We validate the token
        let result = dispatcher.validate_opaque("test-token").await;

        // Then: Validation fails with normalization error
        assert!(result.is_err());
        assert!(matches!(result.unwrap_err(), ClaimsError::Malformed(_)));
    }

    #[tokio::test]
    async fn test_validate_opaque_validation_failure() {
        // Given: Claims that fail common validation (wrong issuer)
        let introspection_response = json!({
            "active": true,
            "iss": "https://wrong.example.com",
            "sub": "user-123"
        });

        let mut claims = test_claims();
        claims.issuer = "https://wrong.example.com".to_owned();

        let provider = Arc::new(MockIntrospectionProvider::success(introspection_response));
        let plugin = Arc::new(MockClaimsPlugin::success(claims));

        let validation_config = ValidationConfig {
            allowed_issuers: vec!["https://test.example.com".to_owned()],
            allowed_audiences: vec!["test-api".to_owned()],
            leeway_seconds: 60,
            require_uuid_subject: true,
            require_uuid_tenants: true,
        };

        let dispatcher = AuthDispatcher {
            key_providers: Vec::new(),
            introspection_providers: vec![provider],
            plugin,
            validation_config,
        };

        // When: We validate the token
        let result = dispatcher.validate_opaque("test-token").await;

        // Then: Validation fails with InvalidIssuer
        assert!(result.is_err());
        assert!(matches!(
            result.unwrap_err(),
            ClaimsError::InvalidIssuer { .. }
        ));
    }

    #[tokio::test]
    async fn test_validate_opaque_provider_fallback() {
        // Given: Two providers, first fails, second succeeds
        let failing_provider = Arc::new(MockIntrospectionProvider::failure(
            "First provider failed".to_owned(),
        ));

        let introspection_response = json!({
            "active": true,
            "iss": "https://test.example.com",
            "sub": "user-123"
        });

        let success_provider = Arc::new(MockIntrospectionProvider::success(introspection_response));
        let claims = test_claims();
        let plugin = Arc::new(MockClaimsPlugin::success(claims.clone()));

        let validation_config = ValidationConfig {
            allowed_issuers: vec!["https://test.example.com".to_owned()],
            allowed_audiences: vec!["test-api".to_owned()],
            leeway_seconds: 60,
            require_uuid_subject: true,
            require_uuid_tenants: true,
        };

        let dispatcher = AuthDispatcher {
            key_providers: Vec::new(),
            introspection_providers: vec![failing_provider, success_provider],
            plugin,
            validation_config,
        };

        // When: We validate the token
        let result = dispatcher.validate_opaque("test-token").await;

        // Then: Validation succeeds with second provider
        assert!(result.is_ok());
        let normalized = result.unwrap();
        assert_eq!(normalized.issuer, claims.issuer);
    }
}