Roles vs authorities in @WithMockKeycloackAuth
Hello, I have started using your utils and I am very happy with it. Thank you for sharing your code. I experience the following difficulty:
- In @WithMockKeycloackAuth all roles get prefixed with `ROLE_`. For my purpose this is unwanted behavior, since I would like to pass authorities like true authorities w/o the `ROLE_` part. The `ROLE_` prefix is added in the roles() method of KeycloakAuthenticationTokenTestingBuilder and I do not see a way to suppress this behavior. The docs at the top of the WithMockKeycloackAuth class suggest that the `ROLE_` prefix should be added manually (which is not the case). Also, the default OIDC fields `"offline_access", "uma_authorization"` seem incompatible with this approach.
```java
 * Sample usage:
 *
 * <pre>
 * @Test
 * @WithMockKeycloackAuth({"ROLE_USER", "ROLE_ADMIN"})
 * public void test() {
 *     ...
 * }
 * </pre>
```
I see two solutions to this problem:
- Remove automatic addition of the `ROLE_` prefix. Roles passed are interpreted as-is.
- The @WithMockKeycloackAuth handles an additional `authorities` parameter. Names passed in via this prop are added to the Auth object w/o the `ROLE_` prefix.
I base the distinction between roles and authorizations on the Spring Security naming convention (see https://www.baeldung.com/spring-security-granted-authority-vs-role).
If needed I can do a proposal in a PR. Just let me know whether you have time to work on this.
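To make the roles-versus-authorities distinction from the issue concrete, here is an added example that is not code from the spring-addons project or the issue author; it relies only on spring-security-core and JUnit 5. `authWith` is a hypothetical helper mirroring the proposed split (roles get the `ROLE_` prefix, authorities are stored as-is), and Spring's own `SecurityExpressionRoot` is used so `hasRole`/`hasAuthority` behave exactly as they would inside a `@PreAuthorize` expression.

```java
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.ArrayList;
import java.util.List;
import org.junit.jupiter.api.Test;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

class RolesVsAuthoritiesTest {

    // Hypothetical helper (not the library's builder): roles are prefixed with
    // ROLE_ unless already prefixed, authorities are granted verbatim.
    static Authentication authWith(List<String> roles, List<String> authorities) {
        List<GrantedAuthority> granted = new ArrayList<>();
        for (String r : roles) {
            granted.add(new SimpleGrantedAuthority(r.startsWith("ROLE_") ? r : "ROLE_" + r));
        }
        for (String a : authorities) {
            granted.add(new SimpleGrantedAuthority(a));
        }
        // Constructed test principal; the authorities constructor marks it authenticated.
        return new TestingAuthenticationToken("ch4mpy", "n/a", granted);
    }

    // SecurityExpressionRoot is abstract but has no abstract methods, so an
    // anonymous subclass gives us the same hasRole/hasAuthority SpEL semantics.
    static SecurityExpressionRoot expr(Authentication auth) {
        return new SecurityExpressionRoot(auth) {};
    }

    @Test
    void rolesArePrefixedAuthoritiesAreNot() {
        Authentication auth = authWith(List.of("USER"), List.of("offline_access", "uma_authorization"));
        SecurityExpressionRoot e = expr(auth);

        assertTrue(e.hasRole("USER"));               // hasRole prepends ROLE_ itself
        assertTrue(e.hasRole("ROLE_USER"));          // ... but does not double-prefix
        assertTrue(e.hasAuthority("ROLE_USER"));     // the stored string is ROLE_USER
        assertTrue(e.hasAuthority("offline_access")); // Keycloak default grants stay verbatim
        assertFalse(e.hasRole("offline_access"));    // would look for ROLE_offline_access
    }
}
```

The last two assertions show why forcing the `ROLE_` prefix onto every Keycloak realm role breaks checks written as `hasAuthority("offline_access")`.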
Issue Analytics
- Created 3 years ago
- Comments: 5 (2 by maintainers)
Top GitHub Comments
Yeah, the behavior is correct. It was me that was not understanding it correctly. I am rather new to Spring Security so please excuse my ignorance. The renaming of roles to authorities helps to understand.
I propose to update the doc at the top of the @WithMockKeycloakUser class and remove the `ROLE_` prefixes:

becomes
@ch4mpy Sure!