Keycloak auth with custom access token (or id token) about spring-addons HOT 8 CLOSED

@pvannierop What IDE are you using ?
STS (Eclipse) auto-completion does a pretty good job in this domain.

from spring-addons.

I am using IntelliJ. If I look carefully it suggests WithAccessToken, but when selecting it is difficult to guess what to do next if you do not know what to do. I, for instance, for the first time encountered an annotation used as variable inside another annotation. I discovered that this is the correct approach by a wild guess in a final desperate attempt :) I posted this because I would like to spare others this discovery process. This is as far as IntelliJ brought me:

    @Test
    @WithMockKeycloakAuth(
            name = "testuser",
            authorities = "study_es_0",
            accessToken = WithAccessToken <-- no additional suggestions from here
            )

from spring-addons.

Hi @pvannierop, can you please confirm what I added to https://github.com/ch4mpy/spring-addons/tree/master/spring-security-oauth2-test-addons README meets your expectations ?

from spring-addons.

Hi @ch4mpy, thank you for updating the documentation. I find the section on the @WithAccessToken annotation very informative. Not that alone, but the whole readme is a very nice addition. I have several comments:

you need to unit test a @service with an OAuth2 security-context (or just prefer annotations over flow APIs)

This is not resticted to @service beans, but applies to @controller and @component as well (that is how I used your lib at least). My propsal is to remove the specific reference to @service not to confuse users.

Why unit-testing security at all?

If you see it as your task to educate the reader on what should be tested (and I like this attitude), it would be nice here to write a small block of (pseudo-)code that tests the three elements in ~2 tests (e.g. deny/redirect when not authenticated, access when authenticated, behavior) in combination with a security config that specified tested behavior. Not essential, but helpful.

Thats where this lib jumps in: providing with annotations and helpers to build not only test jwt, but also quite a few other OAuth2 Authentication implementations (and elements it contains).

This is new to me. Sounds very interesting. To assist new users I think it would be a great addition to list these implementations (helps new users in the right direction) and provide an example.

I favor annotations because it enables to test any kind of @component when both MockMvc post-processors and WebTestClient configurers are limited to @controllers.

You do not have to explain yourself here :) The user can take it or leave it ...

And another addition would be to mention that @WithMockAuthentication is an equivalent of @WithMockUser. Possibly make a remark that @WithMockUser does not work with OAuth2 security-context (that is correct, isn't it?).

And finally, overall I would suggest to use somewhat more formal language, but this is all nitpicking. I would be open to provide a PR with my version of the README.md if you are interested.

Overall, great work on this repo. It has been very useful to me and I will be using it in future projects.

from spring-addons.

@WithMockAuthentication is an equivalent of @WithMockUser

Well... no.
@WithMockAuthentication can be used with any Authentication implementation, including JwtAuthenticationToken, KeycloakAuthenticationToken and many more.
Only @WithMockAuthentication(UsernamePasswordAuthenticationToken.class) is close to @WithMockUser() (you'd get
a UsernamePasswordAuthenticationToken mock in security context with the first instead of a real instance with the later).

I would be open to provide a PR with my version of the README.md if you are interested.

I'll keep this ticket open, then.

from spring-addons.

from spring-addons.

@pvannierop may we close this issue?

I think I improved the docs on most of the points you reported (and adapted to 2.3.0 breaking changes).
If you still feel like submitting a PR later, you can do it even without a bug report.

from spring-addons.

@ch4mpy Yeah sure. Thnx for your work.

from spring-addons.