Generate certificates in the OIDC integration test #45095
Conversation
sberyozkin
force-pushed
the
oidc_test_generate_certs
branch
from
831b5d0 to
ffcd797
Compare
|
Just fixed some formatting issues |
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
Sorry if I am slow Sergey, but you say that old certs are gone (except for one test in the oidc-client/deployments) and that you generate certificates now, but I still can see them here https://github.com/quarkusio/quarkus/tree/ffcd797ca9127b9a02eca170481ffa2988b831a4/integration-tests/oidc/src/main/resources. Maybe they should be removed?
|
@michalvavrik Yeah, forgot to drop them as resources, will do, thanks |
sberyozkin
force-pushed
the
oidc_test_generate_certs
branch
from
ffcd797 to
80d1a2d
Compare
| @@ -1,23 +1,24 @@ | |||
| quarkus.keycloak.devservices.create-realm=false | |||
| quarkus.keycloak.devservices.start-command=start --https-client-auth=required --hostname-strict=false --https-key-store-file=/etc/server-keystore.p12 --https-trust-store-file=/etc/server-truststore.p12 --https-trust-store-password=password --spi-user-profile-declarative-user-profile-config-file=/opt/keycloak/upconfig.json | |||
| quarkus.keycloak.devservices.resource-aliases.keystore=server-keystore.p12 | |||
There was a problem hiding this comment.
as you are removing upconfig.json, I am not certain if this spi-user-profile-declarative-user-profile-config-file still exists and needs to be set judging by this https://www.keycloak.org/server/all-provider-config#_user_profile, but https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/userprofile/DeclarativeUserProfileProviderFactory.java is complex for me to determine. we can keep it if you know it does something.
There was a problem hiding this comment.
@michalvavrik This resource is shipped with the devservice, I used to keep it here because the devservice was not used in this test earlier. This upconfig.json is about avoiding Keycloak insisting on configuring additional properties for users like email, etc
There was a problem hiding this comment.
alright, thanks for info. strange it is not listed but I probably looked at the wrong page.
There was a problem hiding this comment.
@michalvavrik That is because it is undocumented, it is a non-official property :-)
There was a problem hiding this comment.
@michalvavrik You may recall you were dealing with QE tests started suddenly failing with the upgrade to the next KC version and this is the resource which helps dealing with those issues :-)
Status for workflow
|
It proved a bit harder than I thought, interestingly these generated certificates trigger the hostname verification, the older ones don't, but in any case, it is goodbye to the old certificates. I know of one more test with the pregenerated cert, in the oidc-client/deployments, will deal with it a bit later.
It won't backport to 3.15 though, but the old certs are valid till 2029 :-)