From b416398136a2e12534b47733b1f728df973b4f18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Vav=C5=99=C3=ADk?=
Date: Mon, 12 Dec 2022 16:00:12 +0100
Subject: [PATCH] Enable PKCE for reactive logout SPA flow test
implements https://github.com/quarkus-qe/quarkus-test-plans/pull/117
---
 README.md | 6 ++++++
 .../reactive/extended/LogoutSinglePageAppFlowIT.java | 2 ++
 .../src/test/resources/kc-logout-realm.json | 3 ++-
 .../src/test/resources/logout.properties | 4 ++++
 4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b17506a08..f6e4e8304 100644
--- a/README.md
+++ b/README.md
@@ -654,6 +654,12 @@ Variants:
 Verifies special cases of using reactive OIDC client:
 - Proper handling of `Authorization` request header by `OidcClientRequestReactiveFilter`: the filter should always add a single`Authorization` header, not duplicate it in multiple request attempts.
+### `security/keycloak-oidc-client-reactive-extended`
+
+Reactive twin of the `security/keycloak-oidc-client-extended`, extends `security/keycloak-oidc-client-reactive-basic` and also covers some special cases that are common for both classic and reactive modules:
+
+- Verifies Proof Of Key for Code Exchange support for a Keycloak and Red Hat Single Sign-On together with OIDC Single Page Application logout flow
+
 ### `securty/oidc-client-mutual-tls`
 Verifies OIDC client can be authenticated as part of the `Mutual TLS` (`mTLS`) authentication process
diff --git a/security/keycloak-oidc-client-reactive-extended/src/test/java/io/quarkus/ts/security/keycloak/oidcclient/reactive/extended/LogoutSinglePageAppFlowIT.java b/security/keycloak-oidc-client-reactive-extended/src/test/java/io/quarkus/ts/security/keycloak/oidcclient/reactive/extended/LogoutSinglePageAppFlowIT.java
index 0eade7747..bb9572b58 100644
--- a/security/keycloak-oidc-client-reactive-extended/src/test/java/io/quarkus/ts/security/keycloak/oidcclient/reactive/extended/LogoutSinglePageAppFlowIT.java
+++ b/security/keycloak-oidc-client-reactive-extended/src/test/java/io/quarkus/ts/security/keycloak/oidcclient/reactive/extended/LogoutSinglePageAppFlowIT.java
@@ -9,6 +9,7 @@ import java.io.IOException;
 import java.util.Objects;
+import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
 import com.gargoylesoftware.htmlunit.SilentCssErrorHandler;
@@ -41,6 +42,7 @@ public class LogoutSinglePageAppFlowIT {
 .withProperty("keycloak.url", () -> keycloak.getURI(Protocol.HTTP).toString())
 .withProperties("logout.properties");
+ @Tag("QUARKUS-2491")
 @Test
 public void singlePageAppLogoutFlow() throws IOException {
 try (final WebClient webClient = createWebClient()) {
diff --git a/security/keycloak-oidc-client-reactive-extended/src/test/resources/kc-logout-realm.json b/security/keycloak-oidc-client-reactive-extended/src/test/resources/kc-logout-realm.json
index 7a26656b5..7d68d8e14 100644
--- a/security/keycloak-oidc-client-reactive-extended/src/test/resources/kc-logout-realm.json
+++ b/security/keycloak-oidc-client-reactive-extended/src/test/resources/kc-logout-realm.json
@@ -550,7 +550,8 @@
 "post.logout.redirect.uris" : "*",
 "display.on.consent.screen" : "false",
 "oauth2.device.authorization.grant.enabled" : "false",
- "backchannel.logout.revoke.offline.tokens" : "true"
+ "backchannel.logout.revoke.offline.tokens" : "true",
+ "pkce.code.challenge.method" : "S256"
 },
 "authenticationFlowBindingOverrides" : { },
 "fullScopeAllowed" : true,
diff --git a/security/keycloak-oidc-client-reactive-extended/src/test/resources/logout.properties b/security/keycloak-oidc-client-reactive-extended/src/test/resources/logout.properties
index f1135b192..df1afb6a3 100644
--- a/security/keycloak-oidc-client-reactive-extended/src/test/resources/logout.properties
+++ b/security/keycloak-oidc-client-reactive-extended/src/test/resources/logout.properties
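Review bot: The test body is untouched by this commit, so the PKCE coverage named in the title is only implicit — it rests on the realm client now enforcing `"pkce.code.challenge.method" : "S256"` (kc-logout-realm.json hunk), which should make Keycloak reject an authorization request that carries no `code_challenge`, together with `pkce-required=true` in logout.properties. That dependency deserves a comment above `@Tag("QUARKUS-2491")`, e.g. `// PKCE is exercised implicitly: the realm client requires S256, so the code flow below fails if Quarkus omits code_challenge`, so that a later loosening of the realm export does not silently drop the coverage. An explicit assertion on the authorization redirect (presence of `code_challenge_method=S256`) would make the check direct, if HtmlUnit exposes that request. The body of singlePageAppLogoutFlow continues past the end of the hunk.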
@@ -18,3 +18,7 @@ quarkus.http.auth.permission.logout.paths=/code-flow/logout
 quarkus.http.auth.permission.logout.policy=authenticated
 quarkus.oidc.token-cache.max-size=1
+
+# PKCE
+quarkus.oidc.authentication.pkce-required=true
+quarkus.oidc.authentication.pkce-secret=eUk1p7UB3nFiXZGUXi0uph1Y9p34YhBU
\ No newline at end of file
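Review bot: `quarkus.oidc.authentication.pkce-secret` is a committed literal key in a test resource; that is acceptable here because it only protects the PKCE code verifier stored in the code-flow state, but the bare `# PKCE` comment should say so explicitly so the value is never copied outside this test module, e.g. `# PKCE: test-only secret used by Quarkus to encrypt the code verifier in the code-flow state; pairs with the S256 enforcement on the client in kc-logout-realm.json`. The value is 32 characters long, which, if I recall the OIDC extension's documentation correctly, is the length it expects for this setting — worth noting in the comment, since a shorter value only fails at runtime. Lastly, the file now ends without a trailing newline (`\ No newline at end of file`); adding one keeps the next append from producing a spurious change on this line.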