Skip to content

Keycloak auth adapter #6376

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Aug 31, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
252 changes: 251 additions & 1 deletion spec/AuthenticationAdapters.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ describe('AuthenticationProviders', function () {
'weibo',
'phantauth',
'microsoft',
'keycloak',
].map(function (providerName) {
it('Should validate structure of ' + providerName, done => {
const provider = require('../lib/Adapters/Auth/' + providerName);
Expand All @@ -65,7 +66,7 @@ describe('AuthenticationProviders', function () {
});

it(`should provide the right responses for adapter ${providerName}`, async () => {
const noResponse = ['twitter', 'apple', 'gcenter', 'google'];
const noResponse = ['twitter', 'apple', 'gcenter', "google", 'keycloak'];
if (noResponse.includes(providerName)) {
return;
}
Expand Down Expand Up @@ -703,6 +704,255 @@ describe('google play games service auth', () => {
});
});

describe('keycloak auth adapter', () => {
const keycloak = require('../lib/Adapters/Auth/keycloak');
const httpsRequest = require('../lib/Adapters/Auth/httpsRequest');

it('validateAuthData should fail without access token', async () => {
const authData = {
id: 'fakeid',
};
try {
await keycloak.validateAuthData(authData);
fail();
} catch (e) {
expect(e.message).toBe('Missing access token and/or User id');
}
});

it('validateAuthData should fail without user id', async () => {
const authData = {
access_token: 'sometoken',
};
try {
await keycloak.validateAuthData(authData);
fail();
} catch (e) {
expect(e.message).toBe('Missing access token and/or User id');
}
});

it('validateAuthData should fail without config', async () => {
const options = {
keycloak: {
config: null,
},
};
const authData = {
id: 'fakeid',
access_token: 'sometoken',
};
const { adapter, providerOptions } = authenticationLoader.loadAuthAdapter(
'keycloak',
options
);
try {
await adapter.validateAuthData(authData, providerOptions);
fail();
} catch (e) {
expect(e.message).toBe('Missing keycloak configuration');
}
});

it('validateAuthData should fail connect error', async () => {
spyOn(httpsRequest, 'get').and.callFake(() => {
return Promise.reject({
text: JSON.stringify({ error: 'hosting_error' }),
});
});
const options = {
keycloak: {
config: {
'auth-server-url': 'http://example.com',
realm: 'new',
},
},
};
const authData = {
id: 'fakeid',
access_token: 'sometoken',
};
const { adapter, providerOptions } = authenticationLoader.loadAuthAdapter(
'keycloak',
options
);
try {
await adapter.validateAuthData(authData, providerOptions);
fail();
} catch (e) {
expect(e.message).toBe('Could not connect to the authentication server');
}
});

it('validateAuthData should fail with error description', async () => {
spyOn(httpsRequest, 'get').and.callFake(() => {
return Promise.reject({
text: JSON.stringify({ error_description: 'custom error message' }),
});
});
const options = {
keycloak: {
config: {
'auth-server-url': 'http://example.com',
realm: 'new',
},
},
};
const authData = {
id: 'fakeid',
access_token: 'sometoken',
};
const { adapter, providerOptions } = authenticationLoader.loadAuthAdapter(
'keycloak',
options
);
try {
await adapter.validateAuthData(authData, providerOptions);
fail();
} catch (e) {
expect(e.message).toBe('custom error message');
}
});

it('validateAuthData should fail with invalid auth', async () => {
spyOn(httpsRequest, 'get').and.callFake(() => {
return Promise.resolve({});
});
const options = {
keycloak: {
config: {
'auth-server-url': 'http://example.com',
realm: 'new',
},
},
};
const authData = {
id: 'fakeid',
access_token: 'sometoken',
};
const { adapter, providerOptions } = authenticationLoader.loadAuthAdapter(
'keycloak',
options
);
try {
await adapter.validateAuthData(authData, providerOptions);
fail();
} catch (e) {
expect(e.message).toBe('Invalid authentication');
}
});

it('validateAuthData should fail with invalid groups', async () => {
spyOn(httpsRequest, 'get').and.callFake(() => {
return Promise.resolve({
data: {
sub: 'fakeid',
roles: ['role1'],
groups: ['unknown'],
},
});
});
const options = {
keycloak: {
config: {
'auth-server-url': 'http://example.com',
realm: 'new',
},
},
};
const authData = {
id: 'fakeid',
access_token: 'sometoken',
roles: ['role1'],
groups: ['group1'],
};
const { adapter, providerOptions } = authenticationLoader.loadAuthAdapter(
'keycloak',
options
);
try {
await adapter.validateAuthData(authData, providerOptions);
fail();
} catch (e) {
expect(e.message).toBe('Invalid authentication');
}
});

it('validateAuthData should fail with invalid roles', async () => {
spyOn(httpsRequest, 'get').and.callFake(() => {
return Promise.resolve({
data: {
sub: 'fakeid',
roles: 'unknown',
groups: ['group1'],
},
});
});
const options = {
keycloak: {
config: {
'auth-server-url': 'http://example.com',
realm: 'new',
},
},
};
const authData = {
id: 'fakeid',
access_token: 'sometoken',
roles: ['role1'],
groups: ['group1'],
};
const { adapter, providerOptions } = authenticationLoader.loadAuthAdapter(
'keycloak',
options
);
try {
await adapter.validateAuthData(authData, providerOptions);
fail();
} catch (e) {
expect(e.message).toBe('Invalid authentication');
}
});

it('validateAuthData should handle authentication', async () => {
spyOn(httpsRequest, 'get').and.callFake(() => {
return Promise.resolve({
data: {
sub: 'fakeid',
roles: ['role1'],
groups: ['group1'],
},
});
});
const options = {
keycloak: {
config: {
'auth-server-url': 'http://example.com',
realm: 'new',
},
},
};
const authData = {
id: 'fakeid',
access_token: 'sometoken',
roles: ['role1'],
groups: ['group1'],
};
const { adapter, providerOptions } = authenticationLoader.loadAuthAdapter(
'keycloak',
options
);
await adapter.validateAuthData(authData, providerOptions);
expect(httpsRequest.get).toHaveBeenCalledWith({
host: 'http://example.com',
path: '/realms/new/protocol/openid-connect/userinfo',
headers: {
Authorization: 'Bearer sometoken',
},
});
});
});

describe('oauth2 auth adapter', () => {
const oauth2 = require('../lib/Adapters/Auth/oauth2');
const httpsRequest = require('../lib/Adapters/Auth/httpsRequest');
Expand Down
2 changes: 2 additions & 0 deletions src/Adapters/Auth/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ const weibo = require('./weibo');
const oauth2 = require('./oauth2');
const phantauth = require('./phantauth');
const microsoft = require('./microsoft');
const keycloak = require('./keycloak');
const ldap = require('./ldap');

const anonymous = {
Expand Down Expand Up @@ -56,6 +57,7 @@ const providers = {
weibo,
phantauth,
microsoft,
keycloak,
ldap,
};

Expand Down
Loading