
Roles vs authorities in @WithMockKeycloackAuth


Hello, I have started using your utils and I am very happy with it. Thank you for sharing your code. I experience the following difficulty:

  • In @WithMockKeycloackAuth all roles get prefixed with ROLE_. For my purpose this is unwanted behavior, since I would like to pass authorities like true authorities w/o the ROLE_ part. The ROLE_ prefix is added in the roles() method of KeycloakAuthenticationTokenTestingBuilder and I do not see a way to suppress this behavior. The docs at the top of the WithMockKeycloackAuth class suggest that the ROLE_ prefix should be added manually (which is not the case). Also, the default OIDC fields "offline_access", "uma_authorization" seem incompatible with this approach.

     * Sample usage:
     *
     * <pre>
     * &#64;Test
     * &#64;WithMockKeycloackAuth({"ROLE_USER", "ROLE_ADMIN"})
     * public void test() {
     *     ...
     * }
     * </pre>

I see two solutions to this problem:

  1. Remove automatic addition of the ROLE_ prefix. Roles passed are interpreted as-is.
  2. The @WithMockKeycloackAuth handles an additional authorities parameter. Names passed in via this prop are added to the Auth object w/o the ROLE_ prefix.

I base the distinction between roles and authorizations on the Spring Security naming convention (see https://www.baeldung.com/spring-security-granted-authority-vs-role).

If needed I can do a proposal in a PR. Just let me know whether you have time to work on this.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
pvannierop commented, Apr 28, 2020

That means that authorities should be like ‘offline_access’ in the JWT claims and ‘ROLE_offline_access’ in KeycloakAuthenticationToken granted-authorities.

Yeah, the behavior is correct. It was me that was not understanding it correctly. I am rather new to Spring Security so please excuse my ignorance. The renaming of roles to authorities helps to understand.

I propose to update the doc at the top of the @WithMockKeycloakUser class and remove the ROLE_ prefixes:

 * &#64;WithMockKeycloakAuth({"ROLE_USER", "ROLE_ADMIN"})

becomes

 * &#64;WithMockKeycloakAuth({"USER", "ADMIN"})
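As an added illustration (not code from the issue, its author, or the library discussed), a plain-Java model of the mapping the maintainer describes: Keycloak realm and client roles read from the token claims become ROLE_-prefixed granted authorities, and hasRole("X") is shorthand for hasAuthority("ROLE_X"). The claim names realm_access and resource_access are Keycloak's; the class and helper names, and the sample claims, are assumptions made for this example.

```java
import java.util.*;

// Added example, not the library's implementation: models how Keycloak roles
// become Spring-style granted authorities and why hasRole/hasAuthority agree.
public class KeycloakRoleMappingDemo {
    static final String PREFIX = "ROLE_";

    // Same rule as Spring Security's SimpleAuthorityMapper: prefix only when
    // the name does not already carry it, so "USER" and "ROLE_USER" both map
    // to ROLE_USER and a double prefix (ROLE_ROLE_USER) cannot occur.
    static String toAuthority(String role) {
        return role.startsWith(PREFIX) ? role : PREFIX + role;
    }

    // Collects realm_access.roles plus every resource_access.<client>.roles
    // list from a decoded Keycloak access-token claim map. The claim names
    // are Keycloak's; the Map/List layout stands in for a parsed JWT body.
    @SuppressWarnings("unchecked")
    static Set<String> authoritiesFromClaims(Map<String, Object> claims) {
        Set<String> out = new TreeSet<>();
        Map<String, Object> realm =
            (Map<String, Object>) claims.getOrDefault("realm_access", Map.of());
        ((List<String>) realm.getOrDefault("roles", List.of()))
            .forEach(r -> out.add(toAuthority(r)));
        Map<String, Object> resources =
            (Map<String, Object>) claims.getOrDefault("resource_access", Map.of());
        for (Object client : resources.values()) {
            Map<String, Object> c = (Map<String, Object>) client;
            ((List<String>) c.getOrDefault("roles", List.of()))
                .forEach(r -> out.add(toAuthority(r)));
        }
        return out;
    }

    // hasRole("USER") is the same check as hasAuthority("ROLE_USER").
    static boolean hasRole(Set<String> authorities, String role) {
        return authorities.contains(toAuthority(role));
    }

    static boolean hasAuthority(Set<String> authorities, String authority) {
        return authorities.contains(authority);
    }

    public static void main(String[] args) {
        // Constructed sample claims: Keycloak's default realm roles plus one
        // application role and one client role.
        Map<String, Object> claims = Map.of(
            "realm_access", Map.of("roles", List.of("offline_access", "uma_authorization", "USER")),
            "resource_access", Map.of("my-client", Map.of("roles", List.of("ADMIN"))));
        Set<String> auths = authoritiesFromClaims(claims);
        System.out.println("authorities: " + auths);
        System.out.println("hasRole(offline_access) == hasAuthority(ROLE_offline_access): "
            + (hasRole(auths, "offline_access") == hasAuthority(auths, "ROLE_offline_access")));
        System.out.println("toAuthority(ROLE_USER): " + toAuthority("ROLE_USER"));
    }
}
```

Run it with `java KeycloakRoleMappingDemo.java` (Java 11 or newer); every authority in the output carries the ROLE_ prefix exactly once, matching the maintainer's description of the token-to-authority mapping.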
0 reactions
pvannierop commented, Apr 29, 2020

@ch4mpy Sure!
