[PM-25949] ExternalCallback Integration tests for SSO Project

[ike-kottlowski]

🎟️ Tracking

PM-25949

📔 Objective

In order to support a refactor coming down the pipe from the Admin Console team we needed to ensure that the Just-In-Time provisioning will have parity with the new work.

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 4378aa66-8d15-40ff-9523-a36a3e8b36bd

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 511

[claude]

Claude finished @ike-kottlowski's task in 2m 49s —— View job

---

Review Status: Re-review Complete

This is a re-review following commit 77562a6 which addressed the previous naming convention feedback.

Summary

Good work fixing the _IsSelfHosted → _isSelfHosted naming convention issue from the previous review. The integration tests are comprehensive and well-structured, providing excellent coverage of the SSO ExternalCallback flow.

Changes Since Last Review

• Fixed private field naming convention in SsoTestDataBuilder.cs (_IsSelfHosted → _isSelfHosted)

Review Findings

Parameter Naming Convention

File: bitwarden_license/test/Sso.IntegrationTest/Controllers/AccountControllerTests.cs
Line: 459

The parameter UserIdentifier should follow camelCase naming convention for parameters: userIdentifier

public async Task ExternalCallback_WithInvalidUserIdentifierFormat_ReturnsError(
    string UserIdentifier  // Should be: userIdentifier
)

Overall Assessment

The PR successfully adds comprehensive integration test coverage for SSO ExternalCallback scenarios, including:

• 25+ error path tests covering validation, authentication failures, and edge cases
• 5 success path tests including JIT provisioning and native client flows
• Well-documented test scenarios with clear AAA pattern
• Good use of builder pattern in test utilities

The minor production code changes (typo fix + TODO comment) are appropriate and low-risk.

---

Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.70%. Comparing base (e705fe3) to head (2cffedf).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6809      +/-   ##
==========================================
+ Coverage   55.26%   55.70%   +0.44%     
==========================================
  Files        1939     1939              
  Lines       86224    86224              
  Branches     7705     7705              
==========================================
+ Hits        47655    48035     +380     
+ Misses      36777    36379     -398     
- Partials     1792     1810      +18     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.