[FEAT] Add integration tests to detect breaking changes with new Keycloak versions
Is your feature request related to a problem? Please describe.
We don't check if the plugin is compatible with new Keycloak versions.
Describe the solution you'd like
- Add some integration tests (plugin is deployed, FC theme works, plugin configuration is ok, ...) using the Keycloak TestContainers dependency (it starts a Keycloak container only for testing)
- Retrieve existing Keycloak versions (using the Docker Hub API: https://hub.docker.com/v2/repositories/jboss/keycloak/tags/?page_size=100)
- Execute tests for each Keycloak Docker image (from 9.0.2 to latest)
- Trigger the GitHub Actions workflow every week
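A sketch of the version-retrieval step from the list above, added here as an example and not taken from the plugin's code. It assumes the Docker Hub tags response shape (`results[].name`, `next`); the sample pages are constructed so it runs offline, and the `keycloak-version` matrix key and the `fetch` callback are hypothetical names.

```python
import json
import re

MIN_VERSION = (9, 0, 2)  # lower bound stated in the issue
RELEASE_TAG = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")  # skips "latest", "-rc1", ...

# Constructed sample pages shaped like the Docker Hub v2 tags response:
# "next" points to the following page, "results" holds one object per tag.
SAMPLE_PAGES = {
    "page1": {"next": "page2", "results": [
        {"name": "latest"}, {"name": "12.0.4"}, {"name": "10.0.0"},
        {"name": "9.0.3"}, {"name": "11.0.0-rc1"}]},
    "page2": {"next": None, "results": [
        {"name": "9.0.2"}, {"name": "9.0.0"}, {"name": "8.0.2"},
        {"name": "12.0.4"}]},
}

def iter_tag_names(first_url, fetch):
    """Follow 'next' links until exhausted; fetch(url) returns a parsed page."""
    url, seen = first_url, set()
    while url and url not in seen:  # stop if pagination ever loops
        seen.add(url)
        page = fetch(url)
        for entry in page.get("results", []):
            yield entry["name"]
        url = page.get("next")

def select_versions(tag_names, minimum=MIN_VERSION):
    """Keep plain X.Y.Z release tags >= minimum, deduplicated, in numeric order."""
    versions = set()
    for name in tag_names:
        match = RELEASE_TAG.match(name)
        if not match:
            continue
        version = tuple(int(part) for part in match.groups())
        if version >= minimum:  # tuple comparison, so 10.0.0 > 9.0.3
            versions.add(version)
    return [".".join(map(str, v)) for v in sorted(versions)]

def build_matrix(first_url, fetch):
    """JSON string usable as a CI job matrix (the key name is hypothetical)."""
    versions = select_versions(iter_tag_names(first_url, fetch))
    return json.dumps({"keycloak-version": versions})

if __name__ == "__main__":
    print(build_matrix("page1", SAMPLE_PAGES.__getitem__))
```

Against the real API, `fetch` would perform an HTTP GET on the URL and return the decoded JSON body.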
We could use https://github.com/dasniko/testcontainers-keycloak for this. The real stopper now is a way to test FranceConnect. We could use the test env, but this requires using a fixed URL for the integration test (and a way to override DNS resolution).
FranceConnect and AgentConnect sources are here: https://github.com/france-connect/sources. Maybe we can use them for integration tests.
@micedre Is it possible to configure a static localhost authorized redirect / logout URI for FC+ / AC integration accounts?
I think I can create acceptance tests with CodeceptJS and Selenium to configure Keycloak and start a session using FC inside a headless Chrome.
I still have a pain point with GitHub Actions to run a Keycloak container with the latest FC plugin, but I will find a solution :)
FC+ or AC disallow the use of localhost as an authorized redirect_uri. For local tests, they recommend using a complete domain (localhost.test or other) by modifying the hosts file.
OK, is the http scheme authorized?
I think this GitHub Action can work for our use case: https://github.com/mboisnard/Keycloak-FranceConnect/blob/master/.github/workflows/acceptance-tests.yml
(redirect uri: http://localhost.test:8080/auth/realms/test/broker/franceconnect-particulier/endpoint)
I'll ask, but I don't think it will be accepted. That said, would generating a certificate be hard?
It can be painful but it's possible ^^ I have a question about the JWE workflow: How does FC know the RSA public key used for encryption? Is it manually added on the FC platform? Is the Keycloak JWKS endpoint called by FC?