quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Add OIDC integration tests which use WireMockServer #10412

Closed sberyozkin closed 3 years ago

sberyozkin commented 4 years ago

Add a dedicated integration-tests/oidc-mock module which will use WireMockServer (similarly to the way it is shown in #10396) which will mock the following endpoints: Bearer tokens and code flow:

CodeFlow only

Starting from the bearer token case will be good

geoandri commented 4 years ago

I can help with this if no one else has started working on it.

cemnura commented 4 years ago

Hello @geoandri,

I was going to work on this, following a conversation with @sberyozkin on

https://groups.google.com/g/quarkus-dev/c/SVM4GDj9jM4

Would you like to work on this?

geoandri commented 4 years ago

Hi @cemnura,

no worries, I will pick up another one. Thanks for your response.

sberyozkin commented 4 years ago

@cemnura Hi Cem, thanks, I updated integration-tests/oidc-wiremock a little bit yesterday to only return a jwk key set, as nothing else is needed for verifying the bearer JWT tokens.

I was thinking that it would be helpful for others to see how to test the opaque/binary tokens, which require an introspection_path be set in the discovery doc. FYI, Keycloak introspection endpoint is called even for JWT tokens when no local matching JWK key is available, but we definitely have the users who have the opaque tokens.

So before moving to the code flow, let's add BearerOpaqueTokenAuthorizationTest (with its own Wiremock setup - note the default port is now used to avoid a port clash in CI) which will be a copy and paste of BearerTokenAuthorizationTest but it will use a token value such as 123. The discovery document should only include introspection_path, and the introspection document can be similar to what @loicmathieu used in this test, set the scope to "user admin", etc, username to alice.

But also, please enhance it a bit more, and in the introspection endpoint mock, check that the token value in the introspection request is equal to 123.

Give it a try please, and then we can move on to the code flow. thanks
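
Added example, not part of the thread or of the Quarkus code base: a WireMock setup along the lines requested above, where the introspection stub answers `active: true` only when the form body carries `token=123` and a lower-priority fallback answers `active: false` for anything else. The class name, the `/introspect` path, the `introspection_endpoint` discovery key (the comment above calls it introspection_path) and the fallback stub are assumptions made for illustration.

```java
import static com.github.tomakehurst.wiremock.client.WireMock.*;
import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;

import com.github.tomakehurst.wiremock.WireMockServer;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Scanner;

public class OpaqueTokenIntrospectionMock {

    // Assumed path; the thread does not name one.
    static final String INTROSPECT_PATH = "/introspect";

    static WireMockServer start() {
        WireMockServer server = new WireMockServer(wireMockConfig().dynamicPort());
        server.start();
        String base = "http://localhost:" + server.port();

        // Discovery document that advertises only the introspection endpoint
        // (key name assumed; no jwks_uri, so tokens cannot be verified locally).
        server.stubFor(get(urlEqualTo("/.well-known/openid-configuration"))
                .willReturn(aResponse()
                        .withHeader("Content-Type", "application/json")
                        .withBody("{\"introspection_endpoint\":\"" + base + INTROSPECT_PATH + "\"}")));

        // Fallback: any token the next stub does not match is reported inactive,
        // so a client that sends the wrong value fails instead of passing silently.
        server.stubFor(post(urlEqualTo(INTROSPECT_PATH))
                .atPriority(10)
                .willReturn(aResponse()
                        .withHeader("Content-Type", "application/json")
                        .withBody("{\"active\":false}")));

        // Match the token form parameter exactly: "token=123" as a whole
        // parameter, so "token=1234" or "xtoken=123" do not match.
        server.stubFor(post(urlEqualTo(INTROSPECT_PATH))
                .atPriority(1)
                .withRequestBody(matching("(.*&)?token=123(&.*)?"))
                .willReturn(aResponse()
                        .withHeader("Content-Type", "application/json")
                        .withBody("{\"active\":true,\"scope\":\"user admin\",\"username\":\"alice\"}")));
        return server;
    }

    // Constructed client call standing in for the request the OIDC client would send.
    static String introspect(int port, String token) throws Exception {
        URL url = new URL("http://localhost:" + port + INTROSPECT_PATH);
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = c.getOutputStream()) {
            out.write(("token=" + token + "&token_type_hint=access_token")
                    .getBytes(StandardCharsets.UTF_8));
        }
        try (InputStream in = c.getInputStream();
                Scanner s = new Scanner(in, "UTF-8").useDelimiter("\\A")) {
            return s.hasNext() ? s.next() : "";
        }
    }

    public static void main(String[] args) throws Exception {
        WireMockServer server = start();
        try {
            System.out.println("token=123  -> " + introspect(server.port(), "123"));
            System.out.println("token=1234 -> " + introspect(server.port(), "1234"));
        } finally {
            server.stop();
        }
    }
}
```

Without the fallback stub WireMock answers an unmatched request with a 404, which a test may report as a connectivity problem rather than as a rejected token.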

sberyozkin commented 4 years ago

@geoandri Thanks, would you like to consider #11695 ? I suggested earlier to @cemnura that maybe he would also be interested in #11695, but I believe we can continue in parallel :-), while we can later focus with @cemnura on @TestSecurity support for all the injection types supported in OIDC (@IdToken JsonwebToken jwt, etc), #11695 is independent of OIDC. But you are also welcome to pick up any other issue that can be of interest thanks

geoandri commented 4 years ago

@sberyozkin I could definitely give it a try.

Thanks.

cemnura commented 4 years ago

Hi @sberyozkin,

> @cemnura Hi Cem, thanks, I updated integration-tests/oidc-wiremock a little bit yesterday to only return a jwk key set, as nothing else is needed for verifying the bearer JWT tokens.

I will have a look to gain a further understanding.

> I was thinking that it would be helpful for others to see how to test the opaque/binary tokens, which require an introspection_path be set in the discovery doc. FYI, Keycloak introspection endpoint is called even for JWT tokens when no local matching JWK key is available, but we definitely have the users who have the opaque tokens.

> So before moving to the code flow, let's add BearerOpaqueTokenAuthorizationTest (with its own Wiremock setup - note the default port is now used to avoid a port clash in CI) which will be a copy and paste of BearerTokenAuthorizationTest but it will use a token value such as 123. The discovery document should only include introspection_path, and the introspection document can be similar to what @loicmathieu used in this test, set the scope to "user admin", etc, username to alice.

Okay, I will try to implement a BearerOpaqueTokenAuthorizationTest test in a dedicated module integration-tests/oidc-mock and set up a WireMock that includes the introspection_path.

> But also, please enhance it a bit more, and in the introspection endpoint mock, check that the token value in the introspection request is equal to 123.

> Give it a try please, and then we can move on to the code flow. thanks

I will give it a shot and get back to you asap

sberyozkin commented 4 years ago

Hi @cemnura Thanks, to make it simpler, let's keep it within the same module you introduced, a different QuarkusTestResourceLifecycleManager should be enough :-), sorry if it is what you meant thanks

cemnura commented 4 years ago

> Hi @cemnura Thanks, to make it simpler, let's keep it within the same module you introduced, a different QuarkusTestResourceLifecycleManager should be enough :-), sorry if it is what you meant thanks

I saw this comment too late unfortunately. But no worries, I will merge it to the previous integration test module upon your approval.

sberyozkin commented 3 years ago

@cemnura Hi, Happy New Year, so we are very close to resolving this issue, one last exciting step remains :-) which is adding a code flow test. It should be easy compared to the opaque token test though some minor complexities would also be present here. On the Wiremock endpoint side we just need 2 more endpoints, I think they were discoverable in the first iteration, authorization and token endpoints, please add them back now.

The authorization endpoint - this is where the main complexity will be.

When this endpoint is invoked (GET request) it needs to capture the state and redirect_uri query parameters and return the HTML form challenge with the fields as expected by the HtmlUnit test - more on it below - and this form should be able to submit to another (non-discoverable) WireMock endpoint - which would redirect back to Quarkus. This HTML form should likely be used to keep those state and redirect_uri values as the hidden form properties - or maybe you can use the cookies to make it simpler. Next, once HtmlUnit submits the form (username and password) - you'd redirect back to the value saved in redirect_uri but also add the saved state parameter as a query parameter and also add a code query parameter.

Next Vert.x would issue a code grant request (POST form) to the token endpoint - where that code and redirect_uri would be present - here you'd return the id token (JWT) - this token will be used to get the alice name, access token (JWT) and refresh token.

See https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint for more info.

On the test side: the simplest would be to copy some existing test code, for example, create CodeFlowAuthorizationTest and copy only the first test here - please name it simply testCodeFlow. Note the name of the form fields. Also copy the static index.html. The test endpoint itself would be similar to the one you already have. The configuration is here (lines 1-13 only). And add the htmlunit dependency as in that test pom.

That should be it :-), it looks like it can be a bit complex, but it should be fun :-) Have a look please when you get some time

cemnura commented 3 years ago

I'm on it 👍

cemnura commented 3 years ago

We have a little problem unfortunately

I added the following dependencies to the pom.xml

        <dependency>
            <groupId>net.sourceforge.htmlunit</groupId>
            <artifactId>htmlunit</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.awaitility</groupId>
            <artifactId>awaitility</artifactId>
            <scope>test</scope>
        </dependency>

However, this led to a sub dependency version mismatch.

Apparently both wiremock and htmlunit use different versions of jetty.

[INFO] Scanning for projects...
[INFO] 
[INFO] ---------< io.quarkus:quarkus-integration-test-oidc-wiremock >----------
[INFO] Building Quarkus - Integration Tests - OpenID Connect Adapter WireMock 999-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-enforcer-plugin:3.0.0-M3:enforce (enforce) @ quarkus-integration-test-oidc-wiremock ---
[WARNING] 
Dependency convergence error for org.eclipse.jetty:jetty-xml:9.4.20.v20190813 paths to dependency are:
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-webapp:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-xml:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-net.sourceforge.htmlunit:htmlunit:2.40.0
    +-org.eclipse.jetty.websocket:websocket-client:9.4.28.v20200408
      +-org.eclipse.jetty:jetty-xml:9.4.28.v20200408

[WARNING] 
Dependency convergence error for org.eclipse.jetty:jetty-http:9.4.20.v20190813 paths to dependency are:
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-server:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-http:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-servlets:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-http:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty.http2:http2-server:9.4.20.v20190813
      +-org.eclipse.jetty.http2:http2-common:9.4.20.v20190813
        +-org.eclipse.jetty.http2:http2-hpack:9.4.20.v20190813
          +-org.eclipse.jetty:jetty-http:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-net.sourceforge.htmlunit:htmlunit:2.40.0
    +-org.eclipse.jetty.websocket:websocket-client:9.4.28.v20200408
      +-org.eclipse.jetty:jetty-client:9.4.28.v20200408
        +-org.eclipse.jetty:jetty-http:9.4.28.v20200408

[WARNING] 
Dependency convergence error for org.eclipse.jetty:jetty-util:9.4.20.v20190813 paths to dependency are:
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-server:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-http:9.4.20.v20190813
        +-org.eclipse.jetty:jetty-util:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-server:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-io:9.4.20.v20190813
        +-org.eclipse.jetty:jetty-util:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-servlets:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-util:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-webapp:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-xml:9.4.20.v20190813
        +-org.eclipse.jetty:jetty-util:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty.http2:http2-server:9.4.20.v20190813
      +-org.eclipse.jetty.http2:http2-common:9.4.20.v20190813
        +-org.eclipse.jetty.http2:http2-hpack:9.4.20.v20190813
          +-org.eclipse.jetty:jetty-util:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-net.sourceforge.htmlunit:htmlunit:2.40.0
    +-org.eclipse.jetty.websocket:websocket-client:9.4.28.v20200408
      +-org.eclipse.jetty:jetty-util:9.4.28.v20200408
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-net.sourceforge.htmlunit:htmlunit:2.40.0
    +-org.eclipse.jetty.websocket:websocket-client:9.4.28.v20200408
      +-org.eclipse.jetty.websocket:websocket-common:9.4.28.v20200408
        +-org.eclipse.jetty:jetty-util:9.4.28.v20200408

[WARNING] 
Dependency convergence error for org.eclipse.jetty:jetty-io:9.4.20.v20190813 paths to dependency are:
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-server:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-http:9.4.20.v20190813
        +-org.eclipse.jetty:jetty-io:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-server:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-io:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-servlets:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-io:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty.http2:http2-server:9.4.20.v20190813
      +-org.eclipse.jetty.http2:http2-common:9.4.20.v20190813
        +-org.eclipse.jetty.http2:http2-hpack:9.4.20.v20190813
          +-org.eclipse.jetty:jetty-io:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-alpn-conscrypt-server:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-io:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-com.github.tomakehurst:wiremock-jre8:2.26.3
    +-org.eclipse.jetty:jetty-alpn-conscrypt-client:9.4.20.v20190813
      +-org.eclipse.jetty:jetty-alpn-client:9.4.20.v20190813
        +-org.eclipse.jetty:jetty-io:9.4.20.v20190813
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-net.sourceforge.htmlunit:htmlunit:2.40.0
    +-org.eclipse.jetty.websocket:websocket-client:9.4.28.v20200408
      +-org.eclipse.jetty:jetty-client:9.4.28.v20200408
        +-org.eclipse.jetty:jetty-io:9.4.28.v20200408
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-net.sourceforge.htmlunit:htmlunit:2.40.0
    +-org.eclipse.jetty.websocket:websocket-client:9.4.28.v20200408
      +-org.eclipse.jetty:jetty-io:9.4.28.v20200408
and
+-io.quarkus:quarkus-integration-test-oidc-wiremock:999-SNAPSHOT
  +-net.sourceforge.htmlunit:htmlunit:2.40.0
    +-org.eclipse.jetty.websocket:websocket-client:9.4.28.v20200408
      +-org.eclipse.jetty.websocket:websocket-common:9.4.28.v20200408
        +-org.eclipse.jetty:jetty-io:9.4.28.v20200408

[WARNING] Rule 0: org.apache.maven.plugins.enforcer.DependencyConvergence failed with message:
Failed while enforcing releasability. See above detailed error message.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  4.828 s
[INFO] Finished at: 2021-01-08T00:20:57+03:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M3:enforce (enforce) on project quarkus-integration-test-oidc-wiremock: Some Enforcer rules have failed. Look above for specific messages explaining why the rule failed. -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

cemnura commented 3 years ago

Interestingly these configurations break the previous BearerOpaqueTokenAuthorizationTest & BearerTokenAuthorizationTest

quarkus.oidc.token.principal-claim=email
quarkus.oidc.authentication.scopes=profile,email,phone
quarkus.oidc.authentication.redirect-path=/web-app
# Several tests here start from /index.html (state cookie is available)
# and next they try /web-app/* (when a state cookie might not be available)
# Adding 'cookie-path=/' may prevent the intermittent CI failures to do with the missing state cookie
quarkus.oidc.authentication.cookie-path=/
quarkus.oidc.authentication.cookie-domain=localhost
quarkus.oidc.authentication.extra-params.max-age=60
quarkus.oidc.application-type=web-app

Error log

[INFO] -------------------------------------------------------
[INFO]  T E S T S
[INFO] -------------------------------------------------------
[INFO] Running io.quarkus.it.keycloak.BearerOpaqueTokenAuthorizationTest
2021-01-08 01:18:17,034 WARN  [io.qua.dep.QuarkusAugmentor] (main) Using Java versions older than 11 to build Quarkus applications is deprecated and will be disallowed in a future release!
2021-01-08 01:18:18,880 INFO  [org.ecl.jet.uti.log] (main) Logging initialized @3749ms to org.eclipse.jetty.util.log.Slf4jLog
2021-01-08 01:18:19,019 INFO  [org.ecl.jet.ser.Server] (main) jetty-9.4.30.v20200611; built: 2020-06-11T12:34:51.929Z; git: 271836e4c1f4612f12b7bb13ef5a92a927634b0d; jvm 1.8.0_242-b08
2021-01-08 01:18:19,040 INFO  [org.ecl.jet.ser.han.ContextHandler] (main) Started o.e.j.s.ServletContextHandler@1a6f5124{/__admin,null,AVAILABLE}
2021-01-08 01:18:19,043 INFO  [org.ecl.jet.ser.han.ContextHandler] (main) Started o.e.j.s.ServletContextHandler@7bdf6bb7{/,null,AVAILABLE}
2021-01-08 01:18:19,071 INFO  [org.ecl.jet.ser.AbstractConnector] (main) Started NetworkTrafficServerConnector@fac80{HTTP/1.1, (http/1.1)}{0.0.0.0:57497}
2021-01-08 01:18:19,071 INFO  [org.ecl.jet.ser.Server] (main) Started @3940ms
2021-01-08 01:18:19,096 INFO  [io.qua.it.key.KeycloakTestResource] (main) Keycloak started in mock mode: http://localhost:57497
2021-01-08 01:18:20,049 INFO  [org.ecl.jet.ser.han.Con.ROOT] (qtp1160652496-45) RequestHandlerClass from context returned com.github.tomakehurst.wiremock.http.StubRequestHandler. Normalized mapped under returned 'null'
2021-01-08 01:18:20,243 INFO  [io.quarkus] (main) Quarkus 999-SNAPSHOT on JVM started in 3.370s. Listening on: http://localhost:8081
2021-01-08 01:18:20,244 INFO  [io.quarkus] (main) Profile test activated. 
2021-01-08 01:18:20,244 INFO  [io.quarkus] (main) Installed features: [cdi, oidc, resteasy, resteasy-jackson, security]
2021-01-08 01:18:21,456 ERROR [io.qua.ver.htt.run.QuarkusErrorHandler] (executor-thread-1) HTTP Request to /opaque/api/users/preferredUserName failed, error id: f0309006-0eca-432c-99fe-9310ae544849-1: java.lang.NullPointerException
    at io.vertx.ext.auth.oauth2.impl.flow.AuthCodeImpl.authorizeURL(AuthCodeImpl.java:64)
    at io.vertx.ext.auth.oauth2.impl.OAuth2AuthProviderImpl.authorizeURL(OAuth2AuthProviderImpl.java:326)
    at io.quarkus.oidc.runtime.CodeAuthenticationMechanism.getChallengeInternal(CodeAuthenticationMechanism.java:228)
    at io.quarkus.oidc.runtime.CodeAuthenticationMechanism$6.apply(CodeAuthenticationMechanism.java:189)
    at io.quarkus.oidc.runtime.CodeAuthenticationMechanism$6.apply(CodeAuthenticationMechanism.java:186)
    at io.smallrye.mutiny.operators.UniOnItemTransformToUni.invokeAndSubstitute(UniOnItemTransformToUni.java:31)
    at io.smallrye.mutiny.operators.UniOnItemTransformToUni$2.onItem(UniOnItemTransformToUni.java:74)
    at io.smallrye.mutiny.operators.UniSerializedSubscriber.onItem(UniSerializedSubscriber.java:86)
    at io.smallrye.mutiny.operators.uni.builders.KnownItemUni.subscribing(KnownItemUni.java:25)
    at io.smallrye.mutiny.operators.UniSerializedSubscriber.subscribe(UniSerializedSubscriber.java:54)
    at io.smallrye.mutiny.operators.UniSerializedSubscriber.subscribe(UniSerializedSubscriber.java:49)
    at io.smallrye.mutiny.operators.AbstractUni.subscribe(AbstractUni.java:30)
    at io.smallrye.mutiny.operators.UniOnItemTransformToUni.subscribing(UniOnItemTransformToUni.java:65)
    at io.smallrye.mutiny.operators.UniSerializedSubscriber.subscribe(UniSerializedSubscriber.java:54)
    at io.smallrye.mutiny.operators.UniSerializedSubscriber.subscribe(UniSerializedSubscriber.java:49)
    at io.smallrye.mutiny.operators.AbstractUni.subscribe(AbstractUni.java:30)
    at io.smallrye.mutiny.operators.UniBlockingAwait.await(UniBlockingAwait.java:53)
    at io.smallrye.mutiny.groups.UniAwait.atMost(UniAwait.java:61)
    at io.smallrye.mutiny.groups.UniAwait.indefinitely(UniAwait.java:42)
    at io.quarkus.resteasy.runtime.UnauthorizedExceptionMapper.toResponse(UnauthorizedExceptionMapper.java:45)
    at io.quarkus.resteasy.runtime.UnauthorizedExceptionMapper.toResponse(UnauthorizedExceptionMapper.java:23)
    at org.jboss.resteasy.core.ExceptionHandler.executeExceptionMapper(ExceptionHandler.java:137)
    at org.jboss.resteasy.core.ExceptionHandler.unwrapException(ExceptionHandler.java:183)
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:104)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:372)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:218)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:519)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
    at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
    at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
    at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:138)
    at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.access$000(VertxRequestHandler.java:41)
    at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler$1.run(VertxRequestHandler.java:93)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2415)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1452)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
    at java.lang.Thread.run(Thread.java:748)
    at org.jboss.threads.JBossThread.run(JBossThread.java:501)

cemnura commented 3 years ago

I got the CodeFlowAuthorizationTest to at least run by excluding htmlunit jetty subdependency such as

        <dependency>
            <groupId>net.sourceforge.htmlunit</groupId>
            <artifactId>htmlunit</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.eclipse.jetty</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

Excluding via

            <exclusions>
                <exclusion>
                    <groupId>*</groupId>
                    <artifactId>*</artifactId>
                </exclusion>
            </exclusions>

Led to htmlunit not finding classes

Error:(60,18) java: cannot access com.gargoylesoftware.css.parser.CSSErrorHandler

sberyozkin commented 3 years ago

@cemnura I see, it may be to do with the fact the configuration is visible somehow across multiple Wiremock runs. The fact that the opaque bearer token request is activating it is suggesting it. Can you try to set application-type=hybrid in all 3 application.properties files - it should dynamically select the correct authentication module. (multi-tenancy is another option - but it would complicate the tests) If that does not help then we will likely need to isolate the code flow tests in the integration-test/oidc-code-flow-wiremock module... See also some PR comments - let's continue the discussion there :-)