OIDCWiremockTestResource and password authorisation

[Tusenka]

Discussed in #30079

^{Originally posted by Tusenka December 27, 2022}
OIDCWiremockTestResource and application.yml
Could you please get OIDCWiremockTestResource

What is the best way to integrate OIDCWiremockTestResource with password and user authentification?
There are five pathways in quarks OIDC WireMock:
CLIENT
PASSWORD
CODE/EXCHANGE/REFRESH

I am using CODE the OIDCWIremockTestResource works fine.
When I try to use password or secret it throw out 401 exception from the rest client. On token retrivement it wrouts that endpoint ${keycloak.url}/realms/quarkus doesn't match as it expects authentification_code

May I need some additional setup provided for the server? I just Autowire it and use.

My config:

quarkus.oidc.auth-server-url=${keycloak.url}/realms/quarkus/
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.secret=secret

quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
quarkus.oidc-client.credentials.secret=${quarkus.oidc.credentials.secret}
quarkus.oidc-client.grant.type=password
quarkus.oidc-client.grant-options.password.username=alice
quarkus.oidc-client.grant-options.password.password=alice

quarkus.oidc-client.early-tokens-acquisition=false

io.quarkus.oidc.client.ProtectedResourceService/mp-rest/url=http://localhost:8081/protected

quarks.oidc-client.early-tokens-acquisition=false

io.quarkus.oidc.client.ProtectedResourceService/mp-rest/url=http://localhost:8081/protected

My compact code
oidc-client: credentials: secret: secret grant: type: code application-type: service auth-server-url: ${keycloak.url}/realms/quarkus id: quarkus-app client-id: quarkus-app

Maybe I need to do some additional adjustments to the OIDCWIremockTestResource?
I am using WireMock for the application to mock requests from the client.

Thank you, Irina

[quarkus-bot]

/cc @pedroigor(oidc), @sberyozkin(oidc)

[sberyozkin]

@Tusenka Right, as far as OIDCWiremockTestResource is concerned it supports the authorization code flow grant only and other various OIDC functions. Writing a wiremock stub which will support various variations of the form requests to accept multiple grants, all on the same address, can be tricky, might be possible, might make sense to try via the custom stub request matcher, https://wiremock.org/docs/extending-wiremock/.

Can you try this option with having a custom stub created in the test class, with

@OidcWireMock
WireMockServer wireMockServer;

See the example at the very end of
https://quarkus.io/guides/security-openid-connect#integration-testing-wiremock.

If it can work then I can extend OIDCWiremockTestResource to support not only the authorization code flow but also password, client_credentials, etc. If you'd like please consider opening a PR directly against OIDCWiremockTestResource.

The other option is to create your own custom Wiremock resource, for example, here is how it is done for testing OidcClient: https://github.com/quarkusio/quarkus/blob/main/integration-tests/oidc-client-wiremock/src/test/java/io/quarkus/it/keycloak/KeycloakRealmResourceManager.java