Oliver Bertuch (May 21 2023 at 23:59): Oliver Bertuch (May 21 2023 at 23:59):Here we are: I want to contribute the first real integration test. It is using Testcontainers (of course) and ensures that configurability of an OIDC provider via MPCONFIG as well as using that provider with a Keycloak instance in a container for a Bearer Token Access to the API @Johannes D
Oliver Bertuch (May 22 2023 at 00:00):Anyone feeling adventurous enough to try mvn clean verify on the PR branch? https://github.com/IQSS/dataverse/pull/9273 Only Docker, Java and Maven required!
Oliver Bertuch (May 22 2023 at 00:01):Here's the test code BTW https://github.com/IQSS/dataverse/pull/9273/files#diff-104cf13998a3494cd46bf6cd92eba934c96744f84d4330ae378fcbf222bf58ea
Oliver Bertuch (May 22 2023 at 00:03):BTW @Guillermo Portas I have had a strange experience: when importing the realm you created to Keycloak 20 or 21, I could no longer access Keycloak userinfo endpoint with the retrieved access token. (Works perfectly fine with Keycloak 19) I'm a bit puzzled about that and wondering if we need to re-export or re-create our test realm from a more modern version. It says it was created with Keycloak 16, so maybe something is not right here?
Oliver Bertuch (May 22 2023 at 00:06):@Guillermo Portas as this PR does (try to) add PKCE support for the OIDC provider, maybe we need to alter the realm anyway? I would like to add an integration test for that as well!
Oliver Bertuch (May 22 2023 at 07:26):Aaaand I have a working integration test with PKCE for the normal Auth Code Flow. Had to re-create the realm though. The exported realm from Keycloak 16 seems not be fully compatible with Keycloak 19. We'll see if that fixes the upgrade issue, too
Oliver Bertuch (May 22 2023 at 07:27):@Philip Durbin I would like to create some more users in the realm. I'd go for some users following our role model if that is OK. (admin, curator, user)
Philip Durbin ๐ (May 22 2023 at 10:43):[INFO] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0
Philip Durbin ๐ (May 22 2023 at 10:44):INFO: STDOUT: 2023-05-22 10:39:16,653 INFO [org.keycloak.services] (main) KC-SERVICES0009: Added user 'kcuser' to realm 'master'
Philip Durbin ๐ (May 22 2023 at 10:45):Seems promising!
Philip Durbin ๐ (May 22 2023 at 10:47):@Oliver Bertuch I would suggest making some noise in #dv-rearchitecture-auth as well.
Philip Durbin ๐ (May 22 2023 at 10:50):@Oliver Bertuch sure, please go ahead and create users. You're using the default master realm instead of the realm we're adding with a JSON file?
Oliver Bertuch (May 22 2023 at 11:01):No, you shall (and cannot) use the master realm for that
Oliver Bertuch (May 22 2023 at 11:01):I created a new realm "test"
Oliver Bertuch (May 22 2023 at 11:01):And I'm loading it as JSON
Philip Durbin ๐ (May 22 2023 at 11:29):Gotcha. I wonder why we have that out above then. :thinking: Added user 'kcuser' to realm 'master'
Oliver Bertuch (May 22 2023 at 11:44):That is completely normal and fine
Oliver Bertuch (May 22 2023 at 11:44):Oh wait no it might not be
Oliver Bertuch (May 22 2023 at 11:45):That is the "normal" user...
Oliver Bertuch (May 22 2023 at 11:45):Anyway - I am setting up a nice and clean realm
Oliver Bertuch (May 22 2023 at 11:45):admin, user, curator and affiliate as users
Oliver Bertuch (May 22 2023 at 11:46):even created groups for them, although the OIDC provider doesn't support groups (yet!)
Oliver Bertuch (May 22 2023 at 11:46):That must change...
Oliver Bertuch (May 22 2023 at 11:47):We might need to edit the realm again later when we start testing things like attribute mapping for affiliatons etc
Philip Durbin ๐ (May 22 2023 at 12:40):Awesome. Go, go, go! 
Oliver Bertuch (May 22 2023 at 14:15):There you go :-) Replaced the realm, added the third test and pushed the changes
Oliver Bertuch (May 22 2023 at 14:15):Even updated the docs :-D
Philip Durbin ๐ (May 22 2023 at 16:27):No longer a draft! Great!
Oliver Bertuch (May 22 2023 at 16:28):Now let's see if you're trigger happy again :stuck_out_tongue_wink:
Guillermo Portas (May 22 2023 at 16:48):Yes @Oliver Bertuch, It may be a version incompatibility by having exported the original realm json file with an older version of Keycloak. I see in your PR that you have included a new realm, I guess exporting a new one from the new version has fixed the problem.
Guillermo Portas (May 22 2023 at 16:51):If I remember correctly, the PKCE configuration is exported to the realm file with the rest of the config values of the realm, so I guess that you have included the new PKCE config in the realm file as well.
Oliver Bertuch (May 22 2023 at 18:14):Guillermo Portas said:
If I remember correctly, the PKCE configuration is exported to the realm file with the rest of the config values of the realm, so I guess that you have included the new PKCE config in the realm file as well.
No, I didn't add any PKCE in the realm. I looked for it but could not find any option to enforce it. Maybe because I only added a confidential client so far and no public client?
Oliver Bertuch (May 22 2023 at 18:14):PKCE as an addendum works though - the integration test sends the challenge so that should be fine.
Oliver Bertuch (May 22 2023 at 18:16):If you happen to know where to enforce PKCE plz let me know! Happy to include it
Oliver Bertuch (May 22 2023 at 18:32):Ha I might just have found it... looks like you need to activate an enforcing policy.
Oliver Bertuch (May 22 2023 at 18:32):Will look I to that when back at desk
Philip Durbin ๐ (May 22 2023 at 18:43):What about real integration tests for S3 direct upload? Discuss here or in a new topic?
Oliver Bertuch (May 22 2023 at 19:17):Sounds like you got a taste for it now!
Oliver Bertuch (May 22 2023 at 19:18):What can I say... IIRC there is a LocalStack Testcontainers module, so it should be easy to use.
Philip Durbin ๐ (May 22 2023 at 20:28):Yeah, that's the one @Don Sizemore keeps reminding me of. Or maybe we could use Minio.
Don Sizemore (May 22 2023 at 20:33):"real" integration testing? for when that fake integration testing just won't do?
Oliver Bertuch (May 23 2023 at 08:15):More like "cover more than just the API" :wink:
Philip Durbin ๐ (May 23 2023 at 11:15):@Oliver Bertuch currently the title of your PR is this: 9268 mpconfig OIDC provider #9273
It does more than that, though, right?
Philip Durbin ๐ (May 23 2023 at 11:15):@Johannes D have you had a chance to take a look?
Oliver Bertuch (May 23 2023 at 11:16):Yes, it contains more.
Oliver Bertuch (May 23 2023 at 11:16):What should I write?
Philip Durbin ๐ (May 23 2023 at 11:16):"OIDC and OAuth refactor, MPCONFIG, more tests"?
Oliver Bertuch (May 23 2023 at 12:32):Hope ya like "9268 - OIDC auth: MPCONFIG provisioning, PKCE support and integration tests"
Philip Durbin ๐ (May 23 2023 at 13:09):Much better! Thanks!
Philip Durbin ๐ (May 23 2023 at 13:09):(We could probably drop 9268 since we have it under "closes".)
Oliver Bertuch (May 23 2023 at 13:28):But but but when I joined you lot in 2018 you wanted me to add the issue number! Is this yesterdays news?
Philip Durbin ๐ (May 23 2023 at 13:36):Oh, I love, love, love, the issue number in the name of the branch. :heart: But in the title it's a bit noisy if you ask me. Sorry for the miscommunication!
Oliver Bertuch (May 23 2023 at 14:06):D'Oh!
Philip Durbin ๐ (May 23 2023 at 21:25):@Oliver Bertuch nice demo at tech hours! Thanks!
Oliver Bertuch (May 23 2023 at 21:26):Glad you liked it
Oliver Bertuch (May 23 2023 at 21:26):May it be an icebreaker for more!
Oliver Bertuch (May 23 2023 at 21:26):I'm hacking in this very moment on combined coverage reports...
Oliver Bertuch (May 23 2023 at 21:49):Pre:
image.png
Oliver Bertuch (May 23 2023 at 21:50):Post:
image.png
Philip Durbin ๐ (May 23 2023 at 22:42):Nice! As usual, go, go, go!
Oliver Bertuch (May 23 2023 at 22:49):Waiting on CI....
image.png
Oliver Bertuch (May 23 2023 at 22:56):Smooooooooth operator
image.png
Philip Durbin ๐ (May 24 2023 at 11:21):Nice! If I'm reading Coveralls right, in develop OIDCAuthProvider.java has 1.3% coverage but in the PR you're working on (#9273), it now has 69.5% coverage.
Last updated: Nov 01 2025 at 14:11 UTC