How to do integration tests when using Quarkus OIDC code flow authentication?

[douglas444]

Here is how I am testing my authenticated endpoints using org.htmlunit:

@QuarkusTest
class AddDraftQuarkusTest {

    @Test
    void success() {

        Map<String, String> cookies = new HashMap<>();
        try (final WebClient webClient = createWebClient()) {

            HtmlPage page = webClient.getPage("http://localhost:8081/drafts");
            HtmlForm loginForm = page.getForms().getFirst();
            
            loginForm.getInputByName("username").setValueAttribute("bob");
            loginForm.getInputByName("password").setValueAttribute("bob");
            loginForm.getInputByName("login").click();

            webClient.getCookieManager().getCookies()
                    .forEach(cookie -> cookies.put(cookie.getName(), cookie.getValue()));

        } catch (IOException e) {
            throw new RuntimeException(e);
        }

        given()
                .contentType("application/json")
                .accept("application/json")
                .cookies(cookies)
                .body(new AddDraft.Input())
                .when()
                .post("/drafts")
                .then()
                .statusCode(200);

    }

    private WebClient createWebClient() {
        WebClient webClient = new WebClient();
        webClient.setCssErrorHandler(new SilentCssErrorHandler());
        return webClient;
    }

}

It feels hacky to depend on elements of the HTML page as it is Keycloak's not mine, but I guess there is no other way.

Also, sending the cookies like that feels like brute force, is there another option?

I could just send the "q_session" but I am still not sure where this cookie name is defined and which Quarkus OIDC configuration is responsible for defining the session strategy (I'm guessing the one that I am using is stateless and encrypted in the cookie).

Also, writing the http://localhost:8081 URI is bad. Sure, there must be alternatives, but is there a convention?

I wish there were something as simple as RestAssured.given().auth().oauth2(keycloakClient.getAccessToken(userName)) for code flow authentication.

For reference, here's what my properties look like:

%dev,test.quarkus.keycloak.devservices.realm-path=realm.json
%dev,test.quarkus.keycloak.devservices.enabled=true

quarkus.oidc.client-id=${OIDC_CLIENT_ID}
quarkus.oidc.authentication.redirect-path=${REDIRECT_PATH}
quarkus.oidc.authentication.scopes=openid
quarkus.oidc.application-type=web-app
quarkus.oidc.credentials.client-secret.provider.name=oidc-credentials-provider
quarkus.oidc.credentials.client-secret.provider.key=secret

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

@douglas444, to test OIDC code flow, we offer https://quarkus.io/guides/security-oidc-code-flow-authentication#code-flow-integration-testing-wiremock.

Several default stubs are available there, for the auto-discovery, key acquisition, code flow redirect which is a tricky part. Additionally you can add more stubs directly in the test code, inject first, and then set required stubs like this one, etc.

It feels hacky to depend on elements of the HTML page as it is Keycloak's not mine, but I guess there is no other way.

It indeed does not matter, the default Wiremock stub presents it as if if it were a challenge from Keycloak, but it is not what is tested, this page only supports the test flow, the actual Quarkus OIDC authorization code flow is working end to end and it is what being tested

It feels hacky to depend on elements of the HTML page as it is Keycloak's not mine, but I guess there is no other way.

Yes, this should be managed automatically by Htmlunit web client, there is no need to introduce RestAssured in this flow, it is now aware of the cookies that WebClient is holding...

Also, writing the http://localhost:8081 URI is bad. Sure, there must be alternatives, but is there a convention?

Sure, if you'd like to avoid typing the address directly then you can do it as shown here. That gives http://localhost:8081

I wish there were something as simple as RestAssured.given().auth().oauth2(keycloakClient.getAccessToken(userName)) for code flow authentication.

It can't work for the code flow authentication, the token acquisition goes via the direct Quarkus to the OIDC wiremock channel.
The code you suggest is about the bearer token testing.

The test client can only handle cookies, use HtmlUnit WebClient - it takes care of dealing with cookies, and you can introspect them, we use it everywhere for the code flow testing.

Does it answer your questions ?

[douglas444]

Yes, fully answered. Thank you! Funny that I was copying the cookies to a restassured request when I could just use the webclient to make the post to the target endpoint

[sberyozkin]

@douglas444 Great. Yeah, I actually use it sometimes, mix RestAssured calls, for example, to emulate a backchannel logout request, but otherwise, indeed, WebClient should be used, thanks