Devservices Keycloak breaks integration tests #45793
Labels
Comments
|
/cc @geoand (devservices), @pedroigor (keycloak), @sberyozkin (keycloak), @stuartwdouglas (devservices) |
|
@constantin-ungureanu-github Can you please create a basic reproducer ? There are a few integration tests running in Quarkus with the Keycloak devservices |
|
https://github.com/constantin-ungureanu-github/quarkus-oidc-example Let me know if you need anything more. |
|
Thanks @constantin-ungureanu-github, that is helpful, it is a shared container case. #42509 related to it but as it happens, #42509 is currently blocked, hopefully not for too long. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
With the quarkus-oidc in place, the restriction to the REST API are added.
The @QuarkusTest run okay. all of them.
The @QuarkusIntegrationTest do no run okay.
So adding quarkus-oidc to a quarkus project, adding few REST API restrictions (as in security-keycloak-authorization-quickstart demo), and @QuarkusTest runs fine, both with/withouth oidc restrictions, also healthchecks.
Same tests run as @quarkusIntegrationTest fail. (build native but is not related to the build as I understand)
The difference observed is that --hostname-port is sent when running the integration tests. Please remove this because was deprecated (25) and with keycloak 26+ was removed and now the keycloak is failing to start.
Workaround found for this was to:
quarkus.keycloak.devservices.service-name=keycloak
quarkus.keycloak.devservices.start-command=start --http-enabled=true --hostname=keycloak --hostname-strict=false --spi-user-profile-declarative-user-profile-config-file=/opt/keycloak/upconfig.json --features=hostname:v1
However, this works only with quarkus less than 3.18 (CR1), and it fails still in case of healthchecks (integration tests only). Sure, the keyloack can be downgraded but that still doesn't completely fix the issues.
For keycloak the v1 is replaced with v2 (--features=hostname:v2) . However, that does not work anymore, container fails to start.
The 3.17.7 with the workaround fails for the API that don't include oidc restrictions and also for the healthcheck IT tests.
This is what I get from the keycloak container (when running IT tests that fail):
Changes detected in configuration. Updating the server image.
Updating the configuration and installing your custom providers, if any. Please wait.
2025-01-22 12:56:41,951 INFO [io.qua.dep.QuarkusAugmentor] (main) Quarkus augmentation completed in 6640ms
Server configuration updated and persisted. Run the following command to review the configuration:
Next time you run the server, just run:
� kc.sh start --http-enabled=true --hostname-debug=true --hostname=localhost --spi-user-profile-declarative-user-profile-config-file=/opt/keycloak/upconfig.json --hostname-port=53483 --optimized
Unknown option: '--hostname-port'
Possible solutions: --hostname, --hostname-admin, --hostname-backchannel-dynamic, --hostname-strict, --hostname-debug
Try 'kc.sh start --help' for more information on the available options.
Expected behavior
All test run nicely.
Actual behavior
Integration tests fails
I see there is a difference that the --hostname-port option has been removed
How to Reproduce?
Run integration tests involving devservices keycloak and this pops up immediately.
Also test this when endpoints are healtchecks and there are no restrictions and when the management port is used (with healthchecks on that port).
Output of
uname -aorverNo response
Output of
java -versionjava 21
Quarkus version or git rev
3.18 CR1 and also lower (3.17)
Build tool (ie. output of
mvnw --versionorgradlew --version)maven 3.9.9
Additional information
I see for the version 3.18 there were numerous improvements related to OIDC, so would be nice to have the fix for quarkus-oidc running IT tests in 3.18. If needed, more details can be provided, but if you just run IT tests with OIDC this should pop-up.
The text was updated successfully, but these errors were encountered: