We now review the integration testing of embedded Keycloak. This is facilitated with the help of a Keycloak Spring security adapter. The adapter is installed by declaring a dependency on the Maven POM or Gradle build using the artifact Id of keycloak-spring-security-adapter. The adapter does not get included in the web.xml. Instead a keycloak.json is provided.
Since we are using Spring security, Keycloak conforms with a convenient base class KeycloakWebSecurityConfigurerAdapter with which we can instantiate the security context configuration. This class provides methods to configure HTTPSecurity, register the Keycloak authentication provider as the global authentication provider and the session authentication strategy. A NullAuthenticatedSessionStrategy used for bearer-only applications is sufficient for integration testing.
This Keycloak adapter also supports multi-tenancy. This refers to using the same application to secure multiple Keycloak realms. Each realm is supported with the help of an instance that implements the KeycloakConfigResolver interface. Typically, a resolver requires to lookup a Keycloak.json specific to a realm and the resolver is mentioned in the web.xml file of the Spring application.
All Spring applications have a naming convention. This includes Security Roles. Keycloak security roles must conform using the ROLE_ prefix. Since bearer tokens can be passed between clients, Keycloak provides an extension of Spring’s RestTemplate which can be invoked by Spring SecurityConfig
Note that Keycloak as a standalone instance requires the user interface for registering users and clients and requesting access before bearer tokens can be issued. It is only in the embedded form, that we avoid using this configuration Therefore, embedded is not really a hack on the Keycloak product but one sufficiently modified for testing purposes.
Since we are using Spring security, Keycloak conforms with a convenient base class KeycloakWebSecurityConfigurerAdapter with which we can instantiate the security context configuration. This class provides methods to configure HTTPSecurity, register the Keycloak authentication provider as the global authentication provider and the session authentication strategy. A NullAuthenticatedSessionStrategy used for bearer-only applications is sufficient for integration testing.
This Keycloak adapter also supports multi-tenancy. This refers to using the same application to secure multiple Keycloak realms. Each realm is supported with the help of an instance that implements the KeycloakConfigResolver interface. Typically, a resolver requires to lookup a Keycloak.json specific to a realm and the resolver is mentioned in the web.xml file of the Spring application.
All Spring applications have a naming convention. This includes Security Roles. Keycloak security roles must conform using the ROLE_ prefix. Since bearer tokens can be passed between clients, Keycloak provides an extension of Spring’s RestTemplate which can be invoked by Spring SecurityConfig
Note that Keycloak as a standalone instance requires the user interface for registering users and clients and requesting access before bearer tokens can be issued. It is only in the embedded form, that we avoid using this configuration Therefore, embedded is not really a hack on the Keycloak product but one sufficiently modified for testing purposes.
No comments:
Post a Comment